One host for forwarding only without keys

Etienne Dechamps etienne at edechamps.fr
Sat Sep 3 10:56:33 CEST 2016


C will still need keys in order to establish metaconnections with A and B
(as well as a few other things). However there is no need for C to own any
"Subnets" at all.

On 3 September 2016 at 06:21, Armin <armin at melware.de> wrote:

> On 09/02/2016 08:51 PM, Etienne Dechamps wrote:
> > What version of tinc are you using? tinc 1.1 already does what you want out of
> > the box: packets sent from node A to node B through node C will use a key that
> > A and B will negotiate between themselves. C doesn't have the key, and will
> > act as a blind relay. C will not be able to decipher the packets flowing
> > between A and B.
> >
> > This is different from tinc 1.0, where C would have to decipher the packet in
> > order to determine what its final destination is. In tinc 1.1 that routing
> > information is sent in cleartext so that C can forward the packet without
> > having to decipher it.
>
> I am using tinc 1.0.
> Switching to 1.1 makes sense then.
> Can C then be completely without keys, forwarder only with no access to the
> network at all?
>
> Armin
>
> > On 2 September 2016 at 09:40, Armin <armin at melware.de> wrote:
> >
> >     Hello all,
> >
> >     as written in my other posts, I have a setup of about seven
> >     hosts. Two of them (A and B) use StrictSubnets and an own routing via
> >     a special host (C), because C has better connection to the A and B than a
> >     direct A-B connection.
> >
> >     Host C is in a place where I need to create special security settings.
> >     The VPN encrypted data shall not be available on host C.
> >     There is no need for host C be in routing of tinc vpn, it just shall
> >     forward the encrypted packets to another host when needed.
> >
> >     Is it possible to setup a host as part of a tinc network without the
> >     access to the packets (decrypted)?
> >     Or do I need to setup some other kind of tunnel for this?
> >
> >     Armin
>
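
The point made in the reply at the top of this message (C keeps its keys but owns no "Subnets") can be checked mechanically. The shell function below is an added example, not part of the original thread or of tinc itself; it assumes tinc's `Variable = value` host-file syntax and the `Ed25519PublicKey` / RSA PEM key formats, and the function name, file names and key values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the tinc project).
# Audits a tinc host file for a relay-only node such as C:
#   - it must NOT declare any Subnet (the node owns no VPN addresses)
#   - it must still carry a public key (needed for metaconnections)
# Assumption: tinc's "Variable = value" / "Variable value" syntax, with
# case-insensitive variable names.

# relay_hostfile_ok FILE
# returns 0 = ok, 1 = Subnet present, 2 = no public key found
relay_hostfile_ok() {
    f=$1
    if grep -Eiq '^[[:space:]]*Subnet[[:space:]=]' "$f"; then
        echo "FAIL: $f declares a Subnet" >&2
        return 1
    fi
    if ! grep -Eiq '^[[:space:]]*Ed25519PublicKey[[:space:]=]|BEGIN RSA PUBLIC KEY' "$f"; then
        echo "FAIL: $f has no public key" >&2
        return 2
    fi
    echo "OK: $f is relay-only (keys present, no Subnet)"
    return 0
}

# Constructed sample host files (placeholder key values, not real keys).
demo_dir=$(mktemp -d)
printf 'Address = relay.example.org\nEd25519PublicKey = CONSTRUCTED_PLACEHOLDER\n' > "$demo_dir/C"
printf 'Subnet = 10.0.0.1/32\nEd25519PublicKey = CONSTRUCTED_PLACEHOLDER\n' > "$demo_dir/A"

relay_hostfile_ok "$demo_dir/C" || true   # relay node: passes
relay_hostfile_ok "$demo_dir/A" || true   # endpoint node: flagged for its Subnet
```

Run it against the copy of C's host file that A and B hold as well as the one on C, since each node reads its own copy.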