<div dir="ltr">C will still need keys in order to establish metaconnections with A and B (as well as a few other things). However there is no need for C to own any "Subnets" at all.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 3 September 2016 at 06:21, Armin <span dir="ltr"><<a href="mailto:armin@melware.de" target="_blank">armin@melware.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 09/02/2016 08:51 PM, Etienne Dechamps wrote:<br>
> What version of tinc are you using? tinc 1.1 already does what you want out of<br>
> the box: packets sent from node A to node B through node C will use a key that<br>
> A and B will negotiate between themselves. C doesn't have the key, and will<br>
> act as a blind relay. C will not be able to decipher the packets flowing<br>
> between A and B.<br>
><br>
> This is different from tinc 1.0, where C would have to decipher the packet in<br>
> order to determine what its final destination is. In tinc 1.1 that routing<br>
> information is sent in cleartext so that C can forward the packet without<br>
> having to decipher it.<br>
<br>
</span>I am using tinc 1.0.<br>
Switching to 1.1 makes sense then.<br>
Can C then be completely without keys, forwarder only with not access to the<br>
network at all?<br>
<br>
Armin<br>
<span class=""><br>
> On 2 September 2016 at 09:40, Armin <<a href="mailto:armin@melware.de">armin@melware.de</a><br>
</span><span class="">> <mailto:<a href="mailto:armin@melware.de">armin@melware.de</a>>> wrote:<br>
><br>
> Hello all,<br>
><br>
> as written in my other posts, I have a setup of about seven<br>
> hosts. Two of them (A and B) use StrictSubnets and an own routing via<br>
> a special host (C), because C has better connection to the A and B than a<br>
> direct A-B connection.<br>
><br>
> Host C is in a place where I need to create special security settings.<br>
> The VPN encrypted data shall not be available on host C.<br>
> There is no need for host C be in routing of tinc vpn, it just shall<br>
> forward the encrypted packets to another host when needed.<br>
><br>
> Is it possible to setup a host as part of a tinc network without the<br>
> access to the packets (decrypted)?<br>
> Or do I need to setup some other kind of tunnel for this?<br>
><br>
> Armin<br>
><br>
> ______________________________<wbr>_________________<br>
> tinc mailing list<br>
</span>> <a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a> <mailto:<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a>><br>
> <a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-<wbr>bin/mailman/listinfo/tinc</a><br>
> <<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-<wbr>bin/mailman/listinfo/tinc</a>><br>
</blockquote></div><br></div>