netname by id - possible?

Guus Sliepen guus at tinc-vpn.org
Wed Jul 4 11:10:59 CEST 2012


On Wed, Jul 04, 2012 at 04:38:49PM +1000, Andrew Cowie wrote:

> On Tue, 2012-07-03 at 10:39 +0200, Guus Sliepen wrote:
> > > Node supplies id A on handshake -> network abc
> > > Node supplies id X on handshake -> network xyz
> 
> > No. Why would you want to do this anyway?
> 
> For sheer ease of administration? Only one net can use the default port
> 655. So at the moment, in order to manage several different nets you
> need to constantly allocate different ports, and having to set a (not
> default 655) port for every different network is somewhat tedious. After
> all, you set a name. :)

Well, the netname is not something that has to be unique across the VPN. The
--netname option is just an easy way to specify which subdirectory of /etc/tinc
should be used to read the configuration files, and what name the virtual
network interface will have.

> The current design is certainly good for security because each net's
> traffic is in a different process. Thus I don't expect you to change it,
> but it is a shame they can't all just use port 655 and be done with it.

You run into problems when you have two networks that both contain a node named
"foo". Maybe it really is the same physical node. Maybe they are two completely
different nodes that just happen to have the same name. What network should you
select when that node connects to you?

In principle it is possible to write a proxy that redirects incoming
connections on port 655 based on the connecting node's name. It might be simple
to modify sslh to do this. Anyone who wants to try this?

http://www.rutschle.net/tech/sslh.shtml

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
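
The routing decision such a proxy would have to make, as an added example (not part of the original message, and not code from tinc or sslh). It assumes the connecting node's first cleartext line has the form "0 <name> <version>"; the netnames, ports and host lists are constructed, and the "foo" name collision raised above is refused rather than guessed.

```python
import re

# Constructed sample data: the node names each local network knows (in practice
# the file names under /etc/tinc/<netname>/hosts/) and a hypothetical loopback
# port where that network's tincd would listen behind the proxy.
NETWORKS = {
    "abc": {"port": 10655, "hosts": {"alpha", "foo"}},
    "xyz": {"port": 10656, "hosts": {"xray", "foo"}},
}

# Assumption (not stated in the message): the connecting node's first line is
# "0 <name> <version>", with <name> limited to letters, digits and underscore.
ID_LINE = re.compile(rb"0 ([A-Za-z0-9_]+) \d+(?:\.\d+)?")
MAX_LINE = 256  # hypothetical cap so a peer cannot make the proxy buffer forever


def build_routes(networks):
    """Map each node name to the list of netnames that have a host by that name."""
    routes = {}
    for netname, cfg in sorted(networks.items()):
        for host in cfg["hosts"]:
            routes.setdefault(host, []).append(netname)
    return routes


def route(first_bytes, networks=NETWORKS):
    """Pick (netname, port) from the first bytes of a connection, or raise ValueError."""
    line, newline, _rest = first_bytes.partition(b"\n")
    if not newline or len(line) > MAX_LINE:
        raise ValueError("no complete first line within the size cap")
    match = ID_LINE.fullmatch(line.rstrip(b"\r"))
    if match is None:
        raise ValueError("first line is not an ID request")
    name = match.group(1).decode("ascii")
    candidates = build_routes(networks).get(name, [])
    if not candidates:
        raise ValueError(f"unknown node name {name!r}")
    if len(candidates) > 1:
        # The "foo" problem: the name alone cannot select a network, so refuse
        # rather than guess.
        raise ValueError(f"node name {name!r} is ambiguous: {candidates}")
    netname = candidates[0]
    return netname, networks[netname]["port"]
```

The name is unauthenticated at this point, so the result only selects a backend; the tincd behind it still has to authenticate the peer. A proxy built on this would replay the bytes it already read to the chosen port.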