Possible to run a tinc node in bridge-only mode?

Hamish Moffatt hamish at moffatt.email
Mon May 20 01:47:21 CEST 2019


On 20/5/19 2:36 am, cat big wrote:
> Hi tinc users,
>
> I have two Tinc nodes (A, B) running on trusted computers. Between A 
> and B there's no direct internet connection. So I have to set up the 
> third node X to bridge them:
>
>  [ A ] ======= [ X ] ======= [ B ]
> trusted      untrusted       trusted
>
> X is on a cloud service like AWS thus it's on an untrusted third 
> party. Once it is compromised the attacker can access the entire 
> VPN through it.
>
> To prevent such attack, it's possible to deploy firewall rules to drop 
> all the direct packages from X. However when the network scales up, 
> it's inefficient to deploy such rules to all the machines.
>
> So my question is: is it possible to set up the tinc node on X as a 
> bridge-only node? "Bridge-only" means X only serves as a bridge 
> between the connected nodes. It forwards the traffic but can't read 
> the traffic or send message to other nodes in the VPN.
>
> Any input would be appreciated. Thanks!


Maybe you can use iptables on X to simply forward traffic arriving from 
A on to B (and vice-versa) at the packet level, rather than running 
tinc. Effectively X is a proxy with no knowledge of what it's forwarding 
and hence no possibility of injecting traffic.

I've never tried, but a quick google shows 
http://gsoc-blog.ecklm.com/iptables-redirect-vs.-dnat-vs.-tproxy/ for 
example may be helpful.



Hamish
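To make the iptables idea above concrete, here is an added example of a packet-level relay on X; it is not from the thread, and Hamish says he has not tried this himself. It assumes placeholder addresses from the documentation ranges (198.51.100.10 for A, 203.0.113.20 for B) and tinc's default listen port 655, which tinc uses for both TCP (the metaconnection) and UDP (data). Packets from A arriving at X on that port are DNATed to B, packets from B are DNATed to A, and the FORWARD chain is default-deny so X relays exactly those two flows and nothing else. The function names (relay_rules, relay_one_way, count_rules) are mine, not tinc's or iptables'.

```shell
#!/bin/sh
# Added example: make X a dumb relay for the A<->B tinc traffic using
# iptables, without running tinc on X. Placeholder addresses (assumed,
# not from the thread); override them via the environment.
A_IP="${A_IP:-198.51.100.10}"   # assumption: public IP of trusted node A
B_IP="${B_IP:-203.0.113.20}"    # assumption: public IP of trusted node B
PORT="${PORT:-655}"             # tinc's default port, TCP and UDP

# Emit the rules for one direction: a packet from $src that reaches X on
# the tinc port is rewritten to $dst:$PORT and allowed through FORWARD.
relay_one_way() {
    src="$1"; dst="$2"
    for proto in tcp udp; do
        # DNAT in PREROUTING: X never terminates the flow, it only retargets it.
        echo "iptables -t nat -A PREROUTING -p $proto -s $src --dport $PORT -j DNAT --to-destination $dst:$PORT"
        # Whitelist exactly this forwarded flow (new connections only; replies
        # are covered by the ESTABLISHED,RELATED rule in relay_rules).
        echo "iptables -A FORWARD -p $proto -s $src -d $dst --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Emit the complete ruleset, one shell command per line.
relay_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny forwarding: anything that is not the A<->B tinc flow is dropped.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    relay_one_way "$A_IP" "$B_IP"
    relay_one_way "$B_IP" "$A_IP"
    # MASQUERADE the forwarded packets so replies come back via X, where
    # conntrack reverses both the DNAT and the source rewrite.
    echo "iptables -t nat -A POSTROUTING -s $A_IP -d $B_IP -j MASQUERADE"
    echo "iptables -t nat -A POSTROUTING -s $B_IP -d $A_IP -j MASQUERADE"
}

# Number of commands relay_rules emits (self-check: 13 with two endpoints).
count_rules() { relay_rules | wc -l | tr -d ' '; }

case "${1:-}" in
    apply) relay_rules | sh -e ;;   # run as root on X after reviewing the output
    *)     relay_rules ;;           # default: print the rules without applying them
esac
```

With this in place, A and B each configure the other node's tinc host file with Address = X's public address and Port = 655, so they address each other as X and X hands the packets across. Only the encrypted tinc session between A and B passes through X, so X has no key material and cannot read or inject VPN traffic; a compromised X could still drop, delay or redirect the flow (tinc's node authentication rejects a substituted peer, but availability is not protected). The rules relay one pair of nodes; a further pair on the same X needs its own source-matched rules or a different port.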

