TINC config files layout not human or script friendly

Guus Sliepen guus at tinc-vpn.org
Mon Jan 12 13:15:16 CET 2015


On Sun, Jan 11, 2015 at 10:05:44PM -0600, md at rpzdesign.com wrote:

> I would say the weakest part of the TINC design is the configuration file
> layout.
> 
> There is no way to split out the essentially static configuration for all
> nodes in the cluster and isolate the node specific settings to one
> configuration file.
[...]
> So that makes it difficult to use a batch script and SSH and just update all
> the nodes with a new public/private key pair.

Since 1.0.14 you can put all host configuration variables for the local
node in tinc.conf as well. You can then have a hosts/ directory with
files that only contain Address statements and public keys.

Note that there exist projects to manage tinc configuration for large
numbers of unattended nodes, like the one used by ChaosVPN
(https://github.com/ryd/chaosvpn).

> Better yet, an option for a new key pair to autogenerate every N days or
> hours and then self deliver the public keys across the net via VPN.

The whole idea of public keys is that they last a long time. They are
not used directly to encrypt traffic, instead they are used to securely
exchange session keys which in turn are used to encrypt all your VPN
traffic. The session keys are already changed every hour by default.
You wouldn't create a new certificate for a website every N hours
either, right?

> Also, in tinc-up script, I use the $INTERFACE for dynamic device name, but I
> would love if more config files, tinc.conf and the host config files could
> make more use of the $VARIABLE mechanism
> and maybe have a variables config file per node.
> 
> That way my tinc-up file would be the same for every node. And my tinc.conf
> file.

There are only a few environment variables that tinc sets, and I don't
think any of those would make sense for host config files. For
tinc.conf, you can actually use Name = $HOST, and it will use the local
hostname as Name.

In tinc-up you can use $NAME to find out what the Name of the local tinc
daemon is. You can use this to read information from the local node's
host config file, like this:

#!/bin/sh
# read the custom MyAddress line from this node's own host config file;
# tinc itself ignores the variable, tinc-up is the only consumer
MyAddress=$(grep '^MyAddress' "/etc/tinc/$NETNAME/hosts/$NAME" | cut -d= -f2 | tr -d ' ')
ip addr add "$MyAddress" dev "$INTERFACE"
ip link set "$INTERFACE" up

This example allows you to put "MyAddress = 192.168.1.1/24" in host config
files, and then it will be used to configure the VPN interface. Since
MyAddress is not a valid configuration variable, tinc itself will ignore
it.

Granted, it doesn't look nice and on Windows it will be even harder to
do something equivalent.

If you still can't do what you want to do, or maybe you can but you
think it's awful, please let me know how you would like your
configuration to be; provide a mock-up of your desired tinc
configuration directory.

> This message is part rant, part request, sorry if I offend anyone.

No offence taken :)

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
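As an added example (not from the original post and not part of the tinc project), here is a POSIX sh version of the same tinc-up trick that tolerates whitespace around "=" and trailing comments, stops at the first match, and validates the value before it is handed to ip. The helper names tinc_hostvar, is_ipv4_cidr and vpn_address_for and the sample host file are constructed for illustration; matching the variable name case-insensitively is an assumption chosen to mirror how tinc treats its own variable names.

```shell
#!/bin/sh
# Added example, not code from the original post or from tinc.
# Reads a custom "Key = value" line from a tinc host config file so that a
# single generic tinc-up script can pick up per-node settings.

# tinc_hostvar FILE KEY -> prints the value of KEY, returns 1 if absent.
# Comment lines and trailing "# ..." comments are ignored; key comparison is
# case-insensitive (assumption: same rule tinc applies to its own variables).
tinc_hostvar() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # whole-line comment
        {
            line = $0
            sub(/#.*/, "", line)                  # strip trailing comment
            eq = index(line, "=")
            if (eq == 0) next                     # not a Key = value line
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# is_ipv4_cidr VALUE -> 0 if VALUE is a.b.c.d/n with sane octets and prefix.
# Anything else (including stray words) is rejected before reaching ip.
is_ipv4_cidr() {
    case $1 in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    _ip=${1%/*}; _len=${1#*/}
    [ "$_ip" != "$1" ] || return 1                # no "/prefix" part
    _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    [ -n "$_len" ] && [ "$_len" -le 32 ]
}

# vpn_address_for HOSTFILE -> prints the validated MyAddress value, or fails.
vpn_address_for() {
    _v=$(tinc_hostvar "$1" MyAddress) || return 1
    is_ipv4_cidr "$_v" || {
        echo "MyAddress '$_v' is not an IPv4 address with prefix" >&2
        return 1
    }
    printf '%s\n' "$_v"
}

# --- demonstration with a constructed host file (not a real node) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/node1" <<'EOF'
# constructed sample host config for node "node1"
Address = vpn.example.invalid
Subnet = 192.168.1.1/32
MyAddress = 192.168.1.1/24   # consumed by tinc-up, ignored by tincd
-----BEGIN RSA PUBLIC KEY-----
(key material omitted in this constructed sample)
-----END RSA PUBLIC KEY-----
EOF

if addr=$(vpn_address_for "$demo_dir/node1"); then
    # what a generic tinc-up would run next (INTERFACE is set by tinc)
    echo "ip addr add $addr dev \${INTERFACE}"
else
    echo "no usable MyAddress in host file" >&2
fi
rm -rf "$demo_dir"
```

In a real tinc-up the call would be vpn_address_for "/etc/tinc/$NETNAME/hosts/$NAME", and the script should exit non-zero when it fails rather than bringing the interface up without an address; the validation step matters because the value is spliced into a privileged ip command.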