How does tinc server handle the case one client's key file is removed after connection

Heng Wang jason.wangh at gmail.com
Mon Jul 25 18:56:45 CEST 2016


Thanks, Guus, for the quick answer; I will give it a try now.

Рысь,
In my case we don't want to restart the tinc "server" at all, therefore what
might happen is that the client is still connected to the server while its
public key was already removed from the server.
I will try the signal approach.
Heng



On Mon, Jul 25, 2016 at 12:42 PM, <tinc-request at tinc-vpn.org> wrote:

> Today's Topics:
>
>    1. How does tinc server handle the case one client's key file is
>       removed after connection (Heng Wang)
>    2. Re: How does tinc server handle the case one client's key
>       file is removed after connection (Guus Sliepen)
>    3. Re: Tinc and FIPS mode fails to connect. (Guus Sliepen)
>    4. Re: Tinc 1.0.24 regularly disconnected (Guus Sliepen)
>    5. Re: How does tinc server handle the case one client's key
>       file is removed after connection (Рысь)
>
>
> ---------- Forwarded message ----------
> From: Heng Wang <jason.wangh at gmail.com>
> To: tinc at tinc-vpn.org
> Cc:
> Date: Mon, 25 Jul 2016 12:16:36 -0400
> Subject: How does tinc server handle the case one client's key file is
> removed after connection
> Hi Guys,
>
> Say when tinc is running all good, the "server" contains all the key files
> of clients.
> If we remove the key file for client A during the run, how long before the
> server finds out the key file is gone? I see a "KeyExpire" option in the
> conf file, is this the time?
>
> In my own experiment, the client will still be able to connect to the tinc
> network even if the key file has been removed. Of course the connection
> will be gone if I restart the tinc server on the client side.
>
> Thank you.
> Heng
>
>
> ---------- Forwarded message ----------
> From: Guus Sliepen <guus at tinc-vpn.org>
> To: tinc at tinc-vpn.org
> Cc:
> Date: Mon, 25 Jul 2016 18:28:23 +0200
> Subject: Re: How does tinc server handle the case one client's key file is
> removed after connection
> On Mon, Jul 25, 2016 at 12:16:36PM -0400, Heng Wang wrote:
>
> > Say when tinc is running all good, the "server" contains all the key
> > files of clients.
> > If we remove the key file for client A during the run, how long before
> > the server finds out the key file is gone? I see a "KeyExpire" option in
> > the conf file, is this the time?
>
> KeyExpire is the time used for session keys, it doesn't apply to public
> keys loaded from config files.
>
> Normally tinc should reread the host config file each time a connection
> is made. But existing connections will normally be kept alive. To force
> tinc to disconnect peers when their host config file is removed, send
> the server tincd the HUP signal:
>
> tincd -n <netname> -kHUP
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
>
> ---------- Forwarded message ----------
> From: Guus Sliepen <guus at tinc-vpn.org>
> To: tinc at tinc-vpn.org
> Cc:
> Date: Mon, 25 Jul 2016 18:37:20 +0200
> Subject: Re: Tinc and FIPS mode fails to connect.
> On Wed, Jul 20, 2016 at 04:38:02PM -0500, Boris Reisig wrote:
>
> > I am using the latest Tinc 1.1 from git (tinc version
> > 1.1pre14-17-g2784a17 (built Jul 14 2016 14:18:09, protocol 17.7)) on a
> > CentOS 7.2 64bit with both test servers set in FIPS mode (cat
> > /proc/sys/crypto/fips_enabled to verify, or add fips=1 to your grub2
> > command line). We need our test servers running in FIPS mode due to a
> > minimum requirement for our project. OpenSSL in CentOS/RHEL has FIPS
> > support compiled in. FIPS will *only* allow high-end encryption to be
> > used and fail for ones that aren't FIPS compatible. When having the
> > server set in FIPS mode, I have the following set in tinc.conf
>
> Unfortunately, the protocol for tinc 1.0 requires Blowfish to be used
> during authentication, regardless of the Cipher setting. However, if you
> only have 1.1 nodes, you should not get this problem.
>
> However, I should warn you that the new protocol in tinc 1.1 will work
> regardless of what OpenSSL supports, because it includes its own copy of
> Ed25519 and Chacha-Poly1305. But those algorithms are not in FIPS as far
> as I know.
>
> So in short, tinc is not FIPS compatible.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
>
> ---------- Forwarded message ----------
> From: Guus Sliepen <guus at tinc-vpn.org>
> To: tinc at tinc-vpn.org
> Cc:
> Date: Mon, 25 Jul 2016 18:41:40 +0200
> Subject: Re: Tinc 1.0.24 regularly disconnected
> On Sat, Jul 16, 2016 at 07:04:08AM +0700, John Lewis wrote:
>
> > Proxmox 4.2 running on 2 nodes + 1 quorum = total 3 servers.
> > All of them have tinc 1.0.24 running.
> >
> > On very rare occasions (every few days or 1~2 weeks), my website hosted
> > on this proxmox node will throw cloudflare 522 connection timed out for
> > a few seconds or a few minutes:
> >
> > https://support.cloudflare.com/hc/en-us/articles/200171906-Error-522-Connection-timed-out
> >
> > This problem has been driving me crazy. I'm not sure, but I suspect this
> > is caused by tinc vpn that somehow got disconnected.
>
> I don't see anything wrong with your configuration. I'd first make sure
> that it is actually tinc that got disconnected. Start tinc with
> debugging enabled (at least debug level 1, which logs (dis)connections,
> although level 3 may be more informative). If there is no disconnection
> going on when you get the connection timeouts, then try to find out what
> is going on during that time.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
>
>
> ---------- Forwarded message ----------
> From: "Рысь" <lynx at lynxlynx.tk>
> To: tinc at tinc-vpn.org
> Cc:
> Date: Mon, 25 Jul 2016 23:32:57 +0700
> Subject: Re: How does tinc server handle the case one client's key file is
> removed after connection
> On Mon, 25 Jul 2016 12:16:36 -0400
> Heng Wang <jason.wangh at gmail.com> wrote:
>
> > Hi Guys,
> >
> > Say when tinc is running all good, the "server" contains all the key
> > files of clients.
> > If we remove the key file for client A during the run, how long before
> > the server finds out the key file is gone? I see a "KeyExpire" option in
> > the conf file, is this the time?
> >
> > In my own experiment, the client will still be able to connect to the
> > tinc network even if the key file has been removed. Of course the
> > connection will be gone if I restart the tinc server on the client side.
> >
> > Thank you.
> > Heng
>
> Usually you manually tell tinc that a particular client has gone by
> sending a SIGHUP signal to it. There is probably no configurable option to
> automatically remove a client from the network once its config (key) file
> has been removed.
>
> But doesn't it happen automatically? Tinc tries to open the
> config file on the next connection attempt, and if that fails, denies it.
> At least on 1.0.x.
>
> --
> http://lynxlynx.tk/
> Power electronics made simple
> Unix and simple KISS C code
>
>
>
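The revocation procedure Guus describes (remove the peer's host config file, then send the server tincd a HUP so that the still-open connection is dropped rather than waiting for the peer's next connection attempt), written out as a small shell helper. This is an added example, not code from the thread or from the tinc project. It assumes the usual tinc 1.0 layout of host config files under /etc/tinc/<netname>/hosts/<peer> (a different directory can be passed as the third argument) and lets the tincd command be overridden through a TINCD variable so the steps can be rehearsed without a running daemon; the revoked/ directory it creates is this helper's own convention, not something tincd knows about.

```sh
#!/bin/sh
# Added example, not from the thread: revoke a peer on the tinc "server"
# node without restarting tincd, following the SIGHUP approach discussed
# above. Assumptions: host config files live in $confdir/hosts/<peer>
# (confdir defaults to /etc/tinc/<netname>), and the tincd binary can be
# overridden through the TINCD variable (e.g. TINCD=true for a dry run).

# Usage: revoke_tinc_peer <netname> <peer> [confdir]
revoke_tinc_peer() {
    netname=$1
    peer=$2
    confdir=${3:-/etc/tinc/$netname}
    hostfile="$confdir/hosts/$peer"

    if [ ! -f "$hostfile" ]; then
        echo "revoke_tinc_peer: no host config for '$peer' under $confdir/hosts" >&2
        return 1
    fi

    # Move the public key out of hosts/ rather than deleting it, so the
    # revocation is auditable and reversible. tincd only consults hosts/,
    # so from here on a *new* connection attempt by $peer is refused
    # (the host config cannot be opened).
    mkdir -p "$confdir/revoked"
    mv "$hostfile" "$confdir/revoked/$peer.$(date +%Y%m%d%H%M%S)"

    # An *existing* connection is kept alive until tincd re-reads its
    # configuration, which is what the HUP signal forces; peers whose host
    # config is gone are then disconnected.
    "${TINCD:-tincd}" -n "$netname" -kHUP
}

# Audit helper: list the peers still present in hosts/ (accepted on their
# next connection) and those parked in revoked/ (refused), to check the
# result of a revocation.
list_tinc_peers() {
    confdir=$1
    for f in "$confdir"/hosts/*; do
        [ -f "$f" ] && echo "accepted: $(basename "$f")"
    done
    for f in "$confdir"/revoked/*; do
        [ -f "$f" ] && echo "revoked:  $(basename "$f")"
    done
    return 0
}

if [ "$#" -ge 2 ]; then
    revoke_tinc_peer "$@"
fi
```

Run it as `sh revoke.sh mynet peerA` on the server node. Moving the key aside instead of deleting it keeps a record of who was revoked and when, which matters if a peer later has to be re-admitted; only the hosts/ directory affects what tincd accepts.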