<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Definitely considered that. Running different VPNs and even
      running different instances of the daemon on different ports. But,
      as you rightly pointed out: *additional complexity*.</p>
    <p>It basically comes down to: what if you have a bad actor who
      needs credentials revoked immediately? <br>
    </p>
    <p>We have a way of doing this already, but it can take up to 5
      minutes to cycle through every machine on the network - and some
      machines, which are off, have a delay.</p>
    <p>It would be nice to just disable the key at some central point
      and then authentication / encryption / decryption just *break* for
      that bad actor.</p>
    <div class="moz-signature"><!-- EMAIL SIGNATURE STARTS HERE -->
      <br>
      <table style="background: none; border-width: 0px; border: 0px;
        margin: 0; padding: 0;" border="0" cellspacing="0"
        cellpadding="0">
        <tbody>
          <tr>
            <td style="padding-top: 0; padding-bottom: 0; padding-left:
              12px; padding-right: 0;">
              <table style="background: none; border-width: 0px; border:
                0px; margin: 0; padding: 0;" border="0" cellspacing="0"
                cellpadding="0">
                <tbody>
                  <tr>
                    <td colspan="2" style="padding-bottom: 5px; color:
                      #000000; font-size: 18px; font-family: Arial,
                      Helvetica, sans-serif;">Michael Munger, dCAP,
                      MCPS, MCNPS, MBSS</td>
                  </tr>
                  <tr>
                    <td colspan="2" style="color: #333333; font-size:
                      14px; font-family: Arial, Helvetica, sans-serif;"><strong>Microsoft
                        Certified Professional</strong></td>
                  </tr>
                  <tr>
                    <td colspan="2" style="color: #333333; font-size:
                      14px; font-family: Arial, Helvetica, sans-serif;"><strong>Microsoft
                        Certified Small Business Specialist</strong></td>
                  </tr>
                  <tr>
                    <td colspan="2" style="color: #333333; font-size:
                      14px; font-family: Arial, Helvetica, sans-serif;"><strong>Digium
                        Certified Asterisk Professional</strong></td>
                  </tr>
                  <tr>
                    <td colspan="2" style="color: #333333; font-size:
                      14px; font-family: Arial, Helvetica, sans-serif;"><strong>High
                        Powered Help, Inc.</strong></td>
                  </tr>
                  <tr>
                    <td style="vertical-align: top; width: 20px; color:
                      #000000; font-size: 14px; font-family: Arial,
                      Helvetica, sans-serif;" width="20" valign="top">p:</td>
                    <td style="vertical-align: top; color: #333333;
                      font-size: 14px; font-family: Arial, Helvetica,
                      sans-serif;" valign="top">678-905-8569</td>
                  </tr>
                  <tr>
                    <td style="vertical-align: top; width: 20px; color:
                      #000000; font-size: 14px; font-family: Arial,
                      Helvetica, sans-serif;" width="20" valign="top">w:</td>
                    <td style="vertical-align: top; color: #333333;
                      font-size: 14px; font-family: Arial, Helvetica,
                      sans-serif;" valign="top"><a href="https://hph.io"
                        style=" color: #1da1db; text-decoration: none;
                        font-weight: normal; font-size: 14px;">hph.io</a>  <span
                        style="color: #000000;">e: </span><a
                        href="mailto:mj@hph.io" style="color: #1da1db;
                        text-decoration: none; font-weight: normal;
                        font-size: 14px;">mj@hph.io</a></td>
                  </tr>
                </tbody>
              </table>
              <br>
              <br>
              <!-- EMAIL SIGNATURE ENDS HERE --></td>
          </tr>
        </tbody>
      </table>
    </div>
    <div class="moz-cite-prefix">On 10/02/2018 05:18 PM, Frank Myhr
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:b4745b6c-68ca-8d94-03f3-10b53dae7cf2@larkmoor.net">On
      02/10/2018 17:02, Michael Munger wrote:
      <br>
      > there might be another way to skin that cat.
      <br>
      <br>
      Additional complexity, but you could set up *four* tinc VPNs:
      <br>
      1) admin VPN
      <br>
      2) site A VPN
      <br>
      3) site B VPN
      <br>
      4) site C VPN
      <br>
      <br>
      Each of your client machines would then participate in 2 VPNs: the
      admin VPN and the appropriate site VPN. Each site VPN is NOT a
      subnet of the admin VPN, but its own separate network.
      <br>
      <br>
      Or maybe I'm missing something...?
      <br>
      <br>
      Best regards,
      <br>
      Frank
      <br>
    </blockquote>
    <br>
  </body>
</html>