Possible to run a tinc node in bridge-only mode?
Hamish Moffatt
hamish at moffatt.email
Mon May 20 01:47:21 CEST 2019
On 20/5/19 2:36 am, cat big wrote:
> Hi tinc users,
>
> I have two Tinc nodes (A, B) running on trusted computers. Between A
> and B there's no direct internet connection. So I have to set up the
> third node X to bridge them:
>
> [ A ] ======= [ X ] ======= [ B ]
> trusted       untrusted     trusted
>
> X is on a cloud service like AWS, thus it's on an untrusted third
> party. Once it is compromised the attacker can access the entire
> VPN through it.
>
> To prevent such an attack, it's possible to deploy firewall rules to drop
> all the direct packages from X. However when the network scales up,
> it's inefficient to deploy such rules to all the machines.
>
> So my question is: is it possible to set up the tinc node on X as a
> bridge-only node? "Bridge-only" means X only serves as a bridge
> between the connected nodes. It forwards the traffic but can't read
> the traffic or send messages to other nodes in the VPN.
>
> Any input would be appreciated. Thanks!
Maybe you can use iptables on X to simply forward traffic arriving from
A on to B (and vice-versa) at the packet level, rather than running
tinc. Effectively X is a proxy with no knowledge of what it's forwarding
and hence no possibility of injecting traffic.
I've never tried, but a quick google shows
http://gsoc-blog.ecklm.com/iptables-redirect-vs.-dnat-vs.-tproxy/ for
example may be helpful.
Hamish
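An added example, not part of Hamish's reply or of tinc itself, of the packet-level relay he describes: rules for X that hand A's tinc traffic to B and B's to A, keyed on source address, while X never terminates the tunnel and so only ever forwards ciphertext. The addresses are placeholders and the port is tinc's default.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables rules that turn X into a
# blind relay for tinc traffic between A and B. X never terminates the tunnel,
# so it only ever sees (and forwards) ciphertext. All addresses are assumed
# placeholders; the port is tinc's default.
set -eu

A_IP="${A_IP:-198.51.100.10}"   # trusted node A (placeholder)
B_IP="${B_IP:-203.0.113.20}"    # trusted node B (placeholder)
X_IP="${X_IP:-192.0.2.5}"       # the untrusted relay's public address (placeholder)
TINC_PORT="${TINC_PORT:-655}"

gen_rules() {
  for proto in udp tcp; do
    # What A sends to X:655 is handed to B:655, and vice versa, keyed on the
    # source address so the two directions never mix.
    echo "iptables -t nat -A PREROUTING -s $A_IP -d $X_IP -p $proto --dport $TINC_PORT -j DNAT --to-destination $B_IP:$TINC_PORT"
    echo "iptables -t nat -A PREROUTING -s $B_IP -d $X_IP -p $proto --dport $TINC_PORT -j DNAT --to-destination $A_IP:$TINC_PORT"
    # Neither peer can reach the other directly, so rewrite the source to X
    # and let conntrack reverse both translations on the way back.
    echo "iptables -t nat -A POSTROUTING -s $A_IP -d $B_IP -p $proto --dport $TINC_PORT -j SNAT --to-source $X_IP"
    echo "iptables -t nat -A POSTROUTING -s $B_IP -d $A_IP -p $proto --dport $TINC_PORT -j SNAT --to-source $X_IP"
    # Only the A<->B tinc flows may cross X; FORWARD sees post-DNAT addresses.
    echo "iptables -A FORWARD -s $A_IP -d $B_IP -p $proto --dport $TINC_PORT -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -s $B_IP -d $A_IP -p $proto --dport $TINC_PORT -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -P FORWARD DROP"
  echo "sysctl -w net.ipv4.ip_forward=1"
}

# Number of iptables rules the generator emits; a sanity check before applying.
rule_count() {
  gen_rules | grep -c '^iptables'
}

gen_rules
```

Pipe the output to sh on X to apply it; A and B then point their host files for each other at X's address. X still learns the timing and size of what it relays, just not its content.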