One host for forwarding only without keys

Armin Schindler armin at melware.de
Sat Sep 3 17:14:21 CEST 2016


On 09/03/2016 10:56 AM, Etienne Dechamps wrote:
> C will still need keys in order to establish metaconnections with A and B (as
> well as a few other things). However there is no need for C to own any
> "Subnets" at all.

If somebody breaks into C, he could get access to the VPN network, right?
Because the keys are there, it will be possible to use them to get access.
Even if A-B connections via C are not decrypted, connections A-C and B-C are
still possible, right?

Armin


> On 3 September 2016 at 06:21, Armin <armin at melware.de> wrote:
> 
>     On 09/02/2016 08:51 PM, Etienne Dechamps wrote:
>     > What version of tinc are you using? tinc 1.1 already does what you want out of
>     > the box: packets sent from node A to node B through node C will use a key that
>     > A and B will negotiate between themselves. C doesn't have the key, and will
>     > act as a blind relay. C will not be able to decipher the packets flowing
>     > between A and B.
>     >
>     > This is different from tinc 1.0, where C would have to decipher the packet in
>     > order to determine what its final destination is. In tinc 1.1 that routing
>     > information is sent in cleartext so that C can forward the packet without
>     > having to decipher it.
> 
>     I am using tinc 1.0.
>     Switching to 1.1 makes sense then.
>     Can C then be completely without keys, forwarder only with no access to the
>     network at all?
> 
>     Armin
> 
>     > On 2 September 2016 at 09:40, Armin <armin at melware.de> wrote:
>     >
>     >     Hello all,
>     >
>     >     as written in my other posts, I have a setup of about seven
>     >     hosts. Two of them (A and B) use StrictSubnets and their own routing via
>     >     a special host (C), because C has a better connection to A and B than a
>     >     direct A-B connection.
>     >
>     >     Host C is in a place where I need to create special security settings.
>     >     The VPN encrypted data shall not be available on host C.
>     >     There is no need for host C to be in the routing of the tinc VPN; it just
>     >     shall forward the encrypted packets to another host when needed.
>     >
>     >     Is it possible to set up a host as part of a tinc network without
>     >     access to the (decrypted) packets?
>     >     Or do I need to set up some other kind of tunnel for this?
>     >
>     >     Armin
>     >
>     >     _______________________________________________
>     >     tinc mailing list
>     >     tinc at tinc-vpn.org
>     >     https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> 
> 


-- 
Cytronics & Melware
Weinbergstrasse 39, 55296 Loerzweiler / Germany
Tel: +49 6138 99998-100
Fax: +49 6138 99998-109
VoIP: sip:info at melware.net
mailto:info at melware.de
http://www.melware.de
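The setup discussed in this thread (A and B with StrictSubnets, C as a relay that owns no Subnet), sketched as an added tinc 1.1 configuration; this is an illustration written for this page, not a configuration from the thread or the tinc project. Host names, the /etc/tinc/vpn directory, the 10.0.x.0/24 subnets, the address c.example.invalid and the key placeholders are assumptions.

```ini
# Added illustration: three tinc 1.1 nodes; only A and B own Subnets,
# C relays A<->B data packets and has no Subnet of its own.

# --- A: /etc/tinc/vpn/tinc.conf ---
Name = A
Mode = router
ConnectTo = C
# Trust only the Subnet lines in the local hosts/ files and ignore any
# Subnet a peer announces at runtime, so a compromised C cannot claim
# a subnet and attract A's traffic.
StrictSubnets = yes

# --- hosts/A (distributed to A, B and C) ---
Subnet = 10.0.1.0/24
Ed25519PublicKey = <A public key, placeholder>

# --- B: /etc/tinc/vpn/tinc.conf ---
Name = B
Mode = router
ConnectTo = C
StrictSubnets = yes

# --- hosts/B (distributed to A, B and C) ---
Subnet = 10.0.2.0/24
Ed25519PublicKey = <B public key, placeholder>

# --- hosts/C (distributed to A, B and C): deliberately no Subnet line ---
Address = c.example.invalid
Ed25519PublicKey = <C public key, placeholder>

# --- C: /etc/tinc/vpn/tinc.conf ---
Name = C
Mode = router
# C still needs its own key pair for the metaconnections with A and B,
# but the A<->B data path is keyed end to end and C only forwards it.
Forwarding = internal
```

A check worth running on A and B after deployment: confirm that hosts/C contains no Subnet line and that StrictSubnets is set, since those two settings are what keep a compromised C from inserting itself as a destination rather than a relay.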

