<i>You should repeat this for all nodes you ConnectTo, or which
ConnectTo you. However, remember that you do not need to ConnectTo all
nodes in the VPN; it is only necessary to create one or a few
meta-connections, after the connections are made tinc will learn about
all the other nodes in the VPN, and will automatically make other
connections as necessary. </i><br><br><br>The above is from the docs. Assuming all nodes in router mode. How does this not mean that "A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode? by default?" <br>
<br>If A and EvilNode, have not exchanged public keys directly, they can still establish sockets with one another over their TINC IP addresses. <br>I know if both node A and EvilNode ConnectTo B, then EvilNode can establish internet connections with node A's tinc IP. <br>
"Forwarding=OFF" or "TunnelServer=YES" or "IndirectData=NO" are supposed to prevent this. <br> <br>EvilNode can connect and establish a tinc IP connection to A. I have to assume this happens because of Forwarding=internal by default. <br>
<br>"config get IndirectData" and "config get Forwarding" and "config get TunnelServer" all return "No matching configuration variables found." So we have to rely on documentation or source code to determine what the default values are. Default configuration parameters are in conflict but we have no way with tincctl to know what the actual parameters are for verification.<br>
<br>The default value "Forwarding=internal" contradicts both default values "IndirectData=NO" AND "TunnelServer=no", however "Forwarding=internal" WINS allowing EvilNode to connect to A.<br>
<br>Is there an option to not allow any other node to connect to your node? It could still ConnectTo Server1, but not allow any incoming connections.<br><br>Without somewhat centralized control, it is hard to know who is connecting to who, which would be a good reason to have the option to put network keys into a DNSSEC server. <br>
<br><br><a href="http://www.tinc-vpn.org/documentation-1.1/tinc_4.html#How-to-configure" target="_blank">http://www.tinc-vpn.org/documentation-1.1/tinc_4.html#How-to-configure</a><br>