"Switch Mode" with "TunnelServer" and No Communication
Jeffrey Stiles
jbstiles at gmail.com
Thu Aug 27 19:36:33 CEST 2015
Let me start with what I'm trying to accomplish. I use tinc mainly to get
to subnets behind the daemons and I don't control those subnets and can't
guarantee overlap. I was using routing mode and reconfiguring tinc every
time I needed to get to a subnet behind a specific daemon. Then I came
across switch mode that allowed me to simply add routes based on the IP
address of the tinc daemon and not have to reconfigure tinc to get to a
different conflicting subnet (just needed to change the route).
However, due to security issues, I want to control which daemons can access
other daemons. For the most part, I just want the server to be able to
access each daemon and the subnets behind them but not have the daemons
access each other or the subnets behind them.
Everything currently connects through one central server initially, so
TunnelServer seemed like the right configuration option. If I understand
this setting correctly, it is meant to only allow traffic between nodes
that have each other's (or at least one has the other's) host file on the
local system. However, after enabling TunnelServer, my test daemon can no
longer ping the tinc ip address of the server.
While trying to figure out what was wrong, I stumbled across this mailing
list entry: http://www.tinc-vpn.org/pipermail/tinc/2010-April/002290.html
The solution seems to be to use static mac addresses. I'm totally fine with
doing this as all config files are generated programmatically. After doing
this, the config files look something like this:
client-daemon host file:
# client1
Subnet = 7a:91:33:09:fc:d3
Subnet = 10.173.232.50/32
Subnet = 0.0.0.0/0
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
client-daemon tinc-up file:
#!/bin/bash
# client1
ip link set $INTERFACE address 7a:91:33:09:fc:d3
ip link set $INTERFACE up
ip addr add 10.173.232.20/32 dev $INTERFACE
ip route add 10.173.232.0/22 dev $INTERFACE
I'm mostly looking for guidance on whether it is possible for daemons to
only accept traffic from specific daemons in switch mode. If so, what am I
doing wrong with my subnet configurations that won't let me even ping from
one daemon to the server when TunnelMode is yes?
Thanks!
--
J
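Added example (not part of the post, and not tinc's own tooling): a POSIX shell generator that writes a switch-mode client's host file and tinc-up from a single set of parameters, so the static MAC and the /32 address in the two files always agree, plus a check function that verifies they do. It assumes md5sum is available and a hosts/<name> layout under the output directory; the deterministic locally-administered MAC derivation is an assumption of this example.

```shell
#!/bin/sh
# Added example: emit hosts/<name> and tinc-up for one switch-mode client.
# Requires md5sum (coreutils). Layout assumed: $OUTDIR/hosts/<name>, $OUTDIR/tinc-up.

# Derive a deterministic MAC from the node name: set bit 1 of the first octet
# (locally administered) and clear bit 0 (unicast), so it cannot collide with
# a vendor-assigned address and is stable across regenerations.
static_mac() {
    hex=$(printf '%s' "$1" | md5sum | cut -c1-12)
    b=$(printf '%s' "$hex" | cut -c1-2)
    first=$(( (0x$b | 0x02) & 0xfe ))
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/../&:/g; s/:$//')
    printf '%02x:%s\n' "$first" "$rest"
}

# write_client NAME ADDRESS/32 NETWORK/PREFIX PUBKEYFILE OUTDIR
write_client() {
    name=$1; addr=$2; net=$3; pubkey=$4; out=$5
    mac=$(static_mac "$name")
    mkdir -p "$out/hosts"
    {
        printf '# %s\n' "$name"
        printf 'Subnet = %s\n' "$mac"      # MAC the switch-mode node answers for
        printf 'Subnet = %s\n' "$addr"     # same /32 that tinc-up assigns below
        cat "$pubkey"
    } > "$out/hosts/$name"
    {
        printf '#!/bin/bash\n# %s\n' "$name"
        printf 'ip link set $INTERFACE address %s\n' "$mac"
        printf 'ip link set $INTERFACE up\n'
        printf 'ip addr add %s dev $INTERFACE\n' "$addr"
        printf 'ip route add %s dev $INTERFACE\n' "$net"
    } > "$out/tinc-up"
    chmod 755 "$out/tinc-up"
}

# check_client NAME OUTDIR: succeed only if the MAC and /32 in hosts/NAME
# are the ones tinc-up actually configures on the interface.
check_client() {
    name=$1; out=$2
    mac=$(sed -n 's/^Subnet = \([0-9a-f:]\{17\}\)$/\1/p' "$out/hosts/$name")
    addr=$(sed -n 's/^Subnet = \([0-9.]*\/[0-9]*\)$/\1/p' "$out/hosts/$name")
    grep -qF "address $mac" "$out/tinc-up" && grep -qF "addr add $addr dev" "$out/tinc-up"
}
```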