Isolating a subnet on demand

Etienne Dechamps etienne at edechamps.fr
Mon May 4 21:50:09 CEST 2015


Whatever you do, keep in mind that tinc will always trust all nodes as
long as they are part of the graph. It is not currently designed to
deal with insider threats. Most importantly, that means anyone can
impersonate any Subnet on a tinc network, just by changing the Subnet
declaration in their node file.

The only way around that is to use StrictSubnets, but that requires
every node to be statically configured with the subnet of every other
node.

On 4 May 2015 at 20:42, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote:
> And we'll take a look at Pf & IPTables :)
>
> Good evening!
>
>>> There is no centralized way to remove a subnet or block a user. A user
>>> is authorized to be on the network by other nodes that have his/her
>>> public key. If you delete the offending host config files and let tinc
>>> reload its configuration, you can remove a bad node from the network.
>>>
>>> If you have one or a few central nodes where all other nodes ConnectTo,
>>> then it is easy to do. Another option is to use a tool like ChaosVPN to
>>> centrally manage your tinc configuration and host config files. See:
>>>
>>> https://github.com/ryd/chaosvpn
>>>
>>> You can adapt it for your own VPN. Windows support is lacking though.
>>>
>>> _______________________________________________
>>> tinc mailing list
>>> tinc at tinc-vpn.org
>>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>>
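As an added illustration of the StrictSubnets setup described in the reply above (this is not part of the original message, and the node names, hostnames and address ranges are made up): every node carries a local copy of every peer's host file, and with StrictSubnets enabled tinc routes only according to those local Subnet lines, ignoring whatever Subnet a peer announces for itself over the network.

```ini
# /etc/tinc/myvpn/tinc.conf on node "alpha" (constructed example)
Name = alpha
ConnectTo = hub
# Only honour Subnet lines found in the local hosts/ files.
# Subnets announced by other nodes are ignored, so a node that edits
# its own host file cannot claim a range it was not given here.
# This is a per-node decision, so it must be set on every node.
StrictSubnets = yes

# /etc/tinc/myvpn/hosts/alpha (identical copy on every node)
Address = alpha.example.net
Subnet = 10.0.1.0/24
# public key block omitted here (placeholder)

# /etc/tinc/myvpn/hosts/beta (identical copy on every node)
Address = beta.example.net
Subnet = 10.0.2.0/24
# public key block omitted here (placeholder)

# /etc/tinc/myvpn/hosts/hub (identical copy on every node)
Address = hub.example.net
Subnet = 10.0.0.0/24
# public key block omitted here (placeholder)
```

Without StrictSubnets, the operator of beta could change its own host file to Subnet = 10.0.1.0/24 and the other nodes would start routing alpha's traffic to beta. With StrictSubnets on each node, that change has no effect until it is copied into every node's hosts/ directory, which is the static, per-node maintenance cost the reply refers to; it also means a genuine subnet change has to be distributed to all nodes before it takes effect.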

