4 questions about tinc's VPN

EleGoS elegos at fastwebnet.it
Fri Nov 24 18:23:26 CET 2006


Guus Sliepen ha scritto:
> On Fri, Nov 24, 2006 at 12:05:23PM +0100, EleGoS wrote:
>
>> I'm totally new to the concept 'self-made VPNs' :P
>
> What do you mean by "self-made"?
I mean not self-extracting plug'n'play like hamachi :P
>> question n.1: I'm behind a router. This router is configurable, but I'm 
>> also behind a provider's NAT (private IPs with a common public IP). Will 
>> tinc work, or will it do as hamachi does (problems connecting to me)? 
>> (in hamachi there is a 'yellow' indicator on me for users of the same 
>> provider [passages: |private IP| -> |public IP| -> |hamachi server| -> 
>> |public IP| -> |private IP| -> |router's private IP|])
>
> If you are behind a NAT, you should probably add "TCPOnly = yes" to your
> tinc.conf. Once a tinc daemon behind a NAT makes a connection to another
> tinc daemon, packets can go both ways.
>
"TCPOnly = yes" must be put in the tinc.conf, right? But only for the 
NATted PC? Will UDP programs run over this net?
>> question n.2: a tinc VPN uses the server's bandwidth (so all the 
>> transmissions pass from the server) or is a P2P system (the server only 
>> re-addresses the connections)?
>
> It's peer-to-peer. There is no central server with tinc. Tinc also does
> not make a distinction between "client" and "server".
>
1. As said by Graham Cobb, will the connections to the NATted PC grave 
on the 'external'-linked PC? As I'm going to create a game server, and 
there must be high bandwidth (fibre VS ADSL, so to say)
2. Must I connect to another PC and the same for the opposite PC or not? 
(i.e. PC1 <--> PC2 or simply PC --> PC2)
>> question n.3: if a client enters a server, does the client 'see' all the 
>> others connected to the server?
>
> Yes, each tinc daemon knows about all other tinc daemons in the same
> VPN.
>
>> question n.4: what about the public and private keys? What to give to 
>> the clients? What the clients must generate?
>
> You typically let every tinc daemon generate its own public/private
> keypair. You then exchange public keys with those other tinc daemons for
> which you have a ConnectTo line in your tinc.conf. You don't have to
> ConnectTo all other daemons in the VPN, just a few is enough, tinc will
> create a full mesh network itself from there on.
>
Can I connect all the PCs only to one VPN-linked daemon? Does this 
change anything?

Another question: can I create pre-made rsa_key.priv and hosts files to 
distribute, or are they PC-linked?

Thanks very much ^^
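As an added illustration (not part of this thread, and not tinc's own code), the following POSIX shell function writes the tinc 1.0 files that the answers above imply for a two-node VPN: the reachable node gets an `Address` line in its host file and no `ConnectTo`, while the NATted node gets a single `ConnectTo` plus `TCPOnly = yes`. Netname, node names and addresses are made-up placeholders, and files are written under a chosen root instead of /etc/tinc.

```shell
#!/bin/sh
# Added example: emit tinc.conf and the node's own host file for one node.
# Layout assumed: $root/tinc/$net/tinc.conf and $root/tinc/$net/hosts/$name
# (mirrors /etc/tinc/<netname>/ on a real install).
# Args: root net name vpn_ip public_addr(or "") connect_to(or "")
write_tinc_node() {
    root=$1; net=$2; name=$3; vpn_ip=$4; public_addr=$5; connect_to=$6
    dir="$root/tinc/$net"
    mkdir -p "$dir/hosts"
    {
        echo "Name = $name"
        # Only the node that cannot be reached from outside (behind NAT)
        # initiates the link; one direction is enough, and per the advice
        # in the thread it also forces TCP so the reply path stays open.
        if [ -n "$connect_to" ]; then
            echo "ConnectTo = $connect_to"
            echo "TCPOnly = yes"
        fi
    } > "$dir/tinc.conf"
    {
        # Address belongs only in the host file of a directly reachable node.
        if [ -n "$public_addr" ]; then
            echo "Address = $public_addr"
        fi
        echo "Subnet = $vpn_ip/32"
        # Each node then appends its own public key to this file with
        # `tincd -n $net -K`; the private key (rsa_key.priv) stays local.
    } > "$dir/hosts/$name"
    echo "$dir"
}

# Constructed usage: fibre-connected game server and a NATted player.
if [ -n "${TINC_DEMO_ROOT:-}" ]; then
    write_tinc_node "$TINC_DEMO_ROOT/server" gamenet server 10.0.0.1 203.0.113.10 ""
    write_tinc_node "$TINC_DEMO_ROOT/player" gamenet player1 10.0.0.2 "" server
fi
```

Each node's hosts directory must also receive a copy of the other node's host file (including its public key) before the two can talk.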
