4 questions about tinc's VPN

Graham Cobb g+tinc at cobb.uk.net
Fri Nov 24 16:56:04 CET 2006


On Friday 24 November 2006 15:23, Guus Sliepen wrote:
> > question n.1: I'm behind a router. This router is configurable, but I'm
> > also behind a provider's NAT (private IPs with a common public IP). Will
> > tinc work, or will it do as hamachi does (problems connecting to me)?
> > (in hamachi there is a 'yellow' indicator on me for users of the same
> > provider [passages: |private IP| -> |public IP| -> |hamachi server| ->
> > |public IP| -> |private IP| -> |router's private IP|])
>
> If you are behind a NAT, you should probably add "TCPOnly = yes" to your
> tinc.conf. Once a tinc daemon behind a NAT makes a connection to another
> tinc daemon, packets can go both ways.

Note that this means that systems which are behind NAT need to be responsible 
for making outgoing connections (to systems which are not behind NAT).  In my 
setup I do use a central server (even though tinc does not require one) -- 
this is a system which is on the internet without NAT and my home system, my 
laptop, etc. all try to connect to it automatically.   This normally works 
even when using hotspots and hotels and sometimes even works from within 
corporate environments.  Because each system connects to the "central" system 
tinc then allows them to communicate as if they were connected together 
(although the traffic is actually passing through the central system).

Note that, if you have a router at home which runs Linux you may be able to 
run tinc on it and have your whole home network connected into the VPN.  I do 
this on a WRT54G running OpenWRT.  Of course you have to consider the 
implications of this on your firewall rules: should tinc VPN clients be 
trusted in the same way as systems on your home network?

Graham
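
The layout described in this message (nodes behind NAT dialing out to one node that is reachable without NAT), written out as tinc 1.0 configuration files. This is an added example, not part of the original post; the netname `myvpn`, the node names `laptop` and `central`, the hostname `central.example.org` and the 10.0.0.x addresses are assumptions.

```conf
# --- On the NAT'd node: /etc/tinc/myvpn/tinc.conf ---
Name = laptop
# Dial out to the reachable node; a node behind NAT cannot be dialed in to.
ConnectTo = central
# As suggested in the quoted reply for nodes behind NAT.
TCPOnly = yes

# --- On the NAT'd node: /etc/tinc/myvpn/hosts/central ---
# Where to reach the central node (655 is tinc's default port).
Address = central.example.org
Port = 655
# VPN address owned by the central node (assumed value).
Subnet = 10.0.0.1/32
# central's public key block follows here, copied from the central node.

# --- On the NAT'd node: /etc/tinc/myvpn/hosts/laptop ---
# VPN address owned by this node (assumed value).
Subnet = 10.0.0.2/32
# laptop's public key block follows here (generated with: tincd -n myvpn -K).

# --- On the central node: /etc/tinc/myvpn/tinc.conf ---
Name = central
# No ConnectTo: this node only accepts connections from the NAT'd nodes.
# It needs a copy of hosts/laptop and of every other node's host file.
```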

