Possible to run a tinc node in bridge-only mode?

Sefa Eyeoglu sefa6727 at gmail.com
Mon May 20 01:03:02 CEST 2019


On Sonntag, 19. Mai 2019 18:36:38 CEST cat big wrote:
> Hi tinc users,
> 
> I have two Tinc nodes (A, B) running on trusted computers. Between A and B
> there's no direct internet connection. So I have to set up the third node X
> to bridge them:
> 
>  [ A ] ======= [ X ] ======= [ B ]
> trusted      untrusted       trusted
> 
> X is on a cloud service like AWS thus it's on an untrusted third party.
> Once it is compromised the attacker can access the entire VPN through
> it.
> 
> To prevent such an attack, it's possible to deploy firewall rules to drop all
> the direct packages from X. However when the network scales up, it's
> inefficient to deploy such rules to all the machines.
> 
> So my question is: is it possible to set up the tinc node on X as a
> bridge-only node? "Bridge-only" means X only serves as a bridge between the
> connected nodes. It forwards the traffic but can't read the traffic or send
> messages to other nodes in the VPN.
> 
> Any input would be appreciated. Thanks!
> 
> 
> h4x3rotab

I just set up a local tinc network for testing with the exact setup you have 
up there. At the moment A and B connect to X, whereas X does not connect to 
anything by itself.

As far as I can tell tinc does not support your use case, as tinc is designed 
to be run in a trusted environment, similar to how traditional networking 
works. You could remove the Subnet declaration from all hosts for node X, but 
that way there is just no way to contact node X from A or B, but still from X 
to A and B. Then you could remove all Subnet declarations from the configs of 
node X, which is not at all secure, as the IP addresses could probably be 
sniffed with tcpdump on node X. 

Your best bet would probably be to create separate tinc networks:

[ A ] ======== [ X ] (network AX)
                        [ X ] ======== [ B ] (network BX)

Network AX:
Operates in 10.0.1.0/24
Subnets:
 X: 10.0.1.1/32 10.0.2.0/24
 A: 10.0.1.10/32

Network BX:
Operates in 10.0.2.0/24
 X: 10.0.2.1 10.0.1.0/24
 B: 10.0.2.10

Node X will forward all traffic between AX and BX with an iptables rule that 
basically enables NAT. 
This solution is rather much for your purpose. I would consider using 
alternatives like a SOCKS proxy (which tinc supports), that sits on X and 
forwards traffic from A to the internet or B to the internet.

I hope my mail helps you with your problem.


Kind regards,

Sefa Eyeoglu
Free Software Developer
scrumplex.net[1] 


--------
[1] https://scrumplex.net
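As an added example (not code from the mail or from the tinc project), the following POSIX shell script lays out node X's configuration for the two separate networks AX and BX proposed in the reply and prints the forwarding rules X needs between its two tinc interfaces. The directory layout, the interface names tun_ax/tun_bx and the hostname x.example.invalid are assumptions; the subnets are the ones given above.

```shell
#!/bin/sh
# Added example, not from the mail: generate node X's configuration for the
# two-network layout (AX and BX) and the forwarding rules between the two
# tinc interfaces. Paths, interface names and x.example.invalid are assumptions.
set -eu

# write_net ROOT NET IFACE ADDR/PREFIX: tinc.conf and tinc-up for one network on X
write_net() {
  root=$1 net=$2 iface=$3 cidr=$4
  mkdir -p "$root/$net/hosts"
  printf 'Name = X\nMode = router\nInterface = %s\n' "$iface" > "$root/$net/tinc.conf"
  # tinc-up: tincd runs this with $INTERFACE set when the network comes up
  printf '#!/bin/sh\nip addr add %s dev "$INTERFACE"\nip link set "$INTERFACE" up\n' \
    "$cidr" > "$root/$net/tinc-up"
  chmod +x "$root/$net/tinc-up"
}

# write_host ROOT NET NODE ADDRESS SUBNET...: host file; ADDRESS may be empty
write_host() {
  root=$1 net=$2 node=$3 addr=$4; shift 4
  {
    if [ -n "$addr" ]; then printf 'Address = %s\n' "$addr"; fi
    for s in "$@"; do printf 'Subnet = %s\n' "$s"; done
  } > "$root/$net/hosts/$node"
}

# gen_x ROOT: both networks on X. In each network X announces the *other*
# network's range, so A and B send cross-network traffic via X. X has no
# ConnectTo: as in the reply, A and B connect to X, X connects to nothing.
gen_x() {
  write_net "$1" ax tun_ax 10.0.1.1/24
  write_host "$1" ax X x.example.invalid 10.0.1.1/32 10.0.2.0/24
  write_host "$1" ax A "" 10.0.1.10/32
  write_net "$1" bx tun_bx 10.0.2.1/24
  write_host "$1" bx X x.example.invalid 10.0.2.1/32 10.0.1.0/24
  write_host "$1" bx B "" 10.0.2.10/32
}

# forward_rules: print the kernel/iptables commands for X. Only traffic between
# the two tinc interfaces is forwarded; everything else hitting FORWARD is dropped.
forward_rules() {
  printf '%s\n' \
    'sysctl -w net.ipv4.ip_forward=1' \
    'iptables -P FORWARD DROP' \
    'iptables -A FORWARD -i tun_ax -o tun_bx -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT' \
    'iptables -A FORWARD -i tun_bx -o tun_ax -s 10.0.2.0/24 -d 10.0.1.0/24 -j ACCEPT'
}
```

The host files still need each node's public key appended (for example with `tincd -n ax -K` on X, and the resulting hosts/X copied to A; likewise for bx and B), and A and B need their own tinc.conf with `ConnectTo = X`. Note that X still decrypts and re-encrypts every packet in this layout, so it can read the traffic, exactly as the reply says about the single-network variant.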