tinc started from /etc/network/interfaces and not from /etc/tinc/nets.boot

Phooraalai phooraalai at googlemail.com
Fri Jan 10 14:16:45 CET 2014


Hello Guus,

>>> Why did you use converted tinc-up/down scripts at all? You can put
>>> everything that is in those inside /etc/network/interfaces.

truth be told, I was not aware of the fact that I could put multiple
pre-up, post-up etc. statements in /etc/network/interfaces. As an age-old
habit I always used an extra external script. However, your comment about
putting everything in one place certainly has merits ;)

I was not using the traditional tinc-up and tinc-down scripts because of
the chroot to /etc/tinc/VPN/. It would let me keep tinc-up, but not
tinc-down. And I was too lazy to set up a full chroot jail with
iptables/ip6tables and dash and the necessary device files and
libraries. Plus I would not be able to log VPN connection
establishments and drops to syslog. That's why I chose to use
/etc/network/interfaces, because it lets me use all the security
features while still giving me all the features I want.

> 
> That way your VPN also works correctly if you decide to start tinc by hand or
> using nets.boot.
For myself I can live without nets.boot.

> 
> Not exactly; as it says in the manual, it will only look at Subnet definitions
> in its local host configuration files. It can still use hosts for which you
> don't have a host file for forwarding in case the destination host is not
> directly reachable.
> 

So is there an option that lets me tell the tinc VPN daemon to only
accept connections from hosts that it has in the /etc/tinc/VPN/hosts
directory and only forward for hosts that it has in that directory too?
The way I understand IndirectData=yes from the man page is that it will
disallow everything which does not come over a connection specified by
ConnectTo in tinc.conf, which is not what I'd like, because then the VPN
will not mesh between the machines that I want in the VPN.

BR
P.
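
The approach described in the post above, starting a chrooted tincd from /etc/network/interfaces with several pre-up/post-up lines instead of tinc-up/tinc-down scripts, as an added example that is not part of the original mail or of the tinc project: a constructed ifupdown stanza for a network named VPN. It assumes tinc.conf sets "Interface = vpn0" so the device tincd creates matches the iface name, that tincd listens on its default port 655, and that the VPN subnet is 10.10.0.0/24; the address, user name and firewall rules are placeholders.

```text
# /etc/network/interfaces stanza for the tinc network "VPN" (constructed example).
# Assumes tinc.conf contains "Interface = vpn0" and the default listen port 655.
auto vpn0
iface vpn0 inet static
    address 10.10.0.1
    netmask 255.255.255.0
    # Start tincd chrooted into /etc/tinc/VPN (-R) and drop privileges (-U).
    # The tun/tap device must exist before ifupdown assigns the address,
    # so the daemon is started as a pre-up step.
    pre-up tincd -n VPN -R -U nobody
    # Only the tinc port is reachable on the physical side; packets arriving
    # over the tunnel must carry a source address from the VPN subnet.
    pre-up iptables -A INPUT -p tcp --dport 655 -j ACCEPT
    pre-up iptables -A INPUT -p udp --dport 655 -j ACCEPT
    post-up iptables -A INPUT -i $IFACE ! -s 10.10.0.0/24 -j DROP
    # Record interface state changes in syslog (ifupdown exports $IFACE).
    post-up logger -t tinc "VPN interface $IFACE is up"
    # Tear down in reverse order: log, remove the rules, stop the daemon.
    pre-down logger -t tinc "VPN interface $IFACE is going down"
    pre-down iptables -D INPUT -i $IFACE ! -s 10.10.0.0/24 -j DROP
    post-down iptables -D INPUT -p tcp --dport 655 -j ACCEPT
    post-down iptables -D INPUT -p udp --dport 655 -j ACCEPT
    post-down tincd -n VPN -k
```

Because every command runs from ifupdown rather than from inside tincd, none of it has to be available inside the chroot, which is what makes the -R/-U combination workable without building a jail that contains iptables, dash and logger; ifupdown runs the pre-up lines in the order written and the post-down lines likewise, so the daemon is stopped only after its firewall rules have been removed.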
