<div dir="ltr"><div><div><div><div><div>Thanks, I will look into StrictSubnets,<br><br></div>while digging through the mailing list I came across this:<br><a href="https://github.com/siblynx/tinc-1.0.16_hostupd/blob/master/README.hostupd">https://github.com/siblynx/tinc-1.0.16_hostupd/blob/master/README.hostupd</a><br><br></div>which is pretty close to what I need<br><br></div>That looks to be a fork on its own, with no PR raised for adding that functionality to the main tinc, unless I missed it.<br></div>Are there any plans to bring that functionality in?<br><br></div>-azul<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 13 March 2016 at 17:52, Guus Sliepen <span dir="ltr">&lt;<a href="mailto:guus@tinc-vpn.org" target="_blank">guus@tinc-vpn.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sun, Mar 13, 2016 at 04:57:12PM +0000, Azul wrote:<br>
<br>
> Tinc 1.0<br>
> 3 control masters<br>
> Many service hosts<br>
> Laptop (road warrior)<br>
><br>
> The control masters have the public keys for the service hosts and the<br>
> laptop so that they can join the network.<br>
><br>
> How can I prevent the laptop user from connecting additional boxes to the<br>
> network?<br>
<br>
</span>There are several ways. One can be to have two VPNs, one for trusted<br>
nodes, and one for untrusted nodes like your laptop user. Another option<br>
is to use the TunnelServer or the StrictSubnets options to restrict what<br>
other nodes can do.<br>
<br>
But even if you could prevent the laptop user from introducing foreign<br>
hosts using tinc, he can simply use a separate VPN to have foreign nodes<br>
connect to his laptop, and then use NAT to give them access to your VPN. So<br>
in short, if you don't trust someone to behave, you shouldn't allow him<br>
access at all.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Met vriendelijke groet / with kind regards,<br>
Guus Sliepen &lt;<a href="mailto:guus@tinc-vpn.org">guus@tinc-vpn.org</a>&gt;<br>
</font></span><br>
<br></blockquote></div><br></div>