Can tinc traffic be identified by Deep Packet Inspection?

Guus Sliepen guus at tinc-vpn.org
Tue Sep 20 17:07:58 CEST 2011


On Tue, Sep 20, 2011 at 09:35:13AM +0800, Roger wrote:

> I'm seeing periodic packet loss with tinc (1.0.16). I have 'ReplayWindow =
> 0' in config, and ping between the hosts is perfect.

Setting ReplayWindow to zero will disable protection against replayed packets.
If you do not set ReplayWindow, what exactly happens with ping between the
hosts?

> I suspect the packets are identified and then dropped by the Great Firewall.
> 
> My question is: can it be identified by DPI? If yes, how should I improve
> tinc to avoid this?

In principle tinc packets can be identified, if you have seen the initial
handshake and can associate the UDP packets with it, or if you do statistics on
the UDP packets. If you want a firewall to not detect tinc traffic, it should
be encapsulated in another protocol that the firewall does not block. You can
run tinc over HTTPS using stunnel for example, and you should use TCPOnly = yes
to disable UDP traffic in that case.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
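As an added illustration of the two points above (keep ReplayWindow at its default rather than 0, and when tunnelling through stunnel use TCPOnly so no bare UDP leaves the host), here is a constructed configuration that is not part of this thread or of the tinc project. Node names alice/bob, the hostname bob.example.net, the local port 6655 and the certificate path are assumptions; public keys and Subnet lines are the usual ones and are omitted.

```ini
# ---- alice: /etc/tinc/vpn/tinc.conf ----
Name = alice
ConnectTo = bob
# Never set ReplayWindow = 0: that disables replay protection entirely.
# Leaving it unset keeps the default window.
# TCPOnly keeps all VPN traffic on the TCP meta connection, which is what
# stunnel wraps below; without it tinc would still try direct UDP.
TCPOnly = yes

# ---- alice: /etc/tinc/vpn/hosts/bob ----
# Point tinc at the local stunnel client instead of bob directly.
Address = 127.0.0.1
Port = 6655
# (bob's Subnet and public key follow as normal)

# ---- alice: /etc/stunnel/stunnel.conf ----
# Accept tinc's plain TCP on the loopback port above and forward it
# inside TLS to bob's HTTPS port.
[tinc]
client = yes
accept = 127.0.0.1:6655
connect = bob.example.net:443
# Verify bob's certificate so a middlebox cannot impersonate the far end.
verify = 2
CAfile = /etc/stunnel/bob-ca.pem

# ---- bob: /etc/stunnel/stunnel.conf ----
# Terminate TLS on 443 and hand the inner stream to the local tincd.
cert = /etc/stunnel/stunnel.pem
[tinc]
accept = 443
connect = 127.0.0.1:655

# ---- bob: /etc/tinc/vpn/tinc.conf ----
Name = bob
TCPOnly = yes
# tincd listens on 655 (the default) only on loopback is not configurable
# per interface in 1.0, so restrict 655 with the host firewall if needed.
```

With this layout only TLS to port 443 is visible on the wire between the two hosts; tinc itself is unchanged.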