<div dir="ltr"><div>What version of tinc are you using? tinc 1.1 already does what you want out of the box: packets sent from node A to node B through node C will use a key that A and B will negotiate between themselves. C doesn't have the key, and will act as a blind relay. C will not be able to decipher the packets flowing between A and B.<br><br></div>This is different from tinc 1.0, where C would have to decipher the packet in order to determine what its final destination is. In tinc 1.1 that routing information is sent in cleartext so that C can forward the packet without having to decipher it.<br><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 September 2016 at 09:40, Armin <span dir="ltr"><<a href="mailto:armin@melware.de" target="_blank">armin@melware.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello all,<br>
<br>
as written in my other posts, I have a setup of about seven<br>
hosts. Two of them (A and B) use StrictSubnets and an own routing via<br>
a special host (C), because C has better connection to the A and B than a direct A-B connection.<br>
<br>
Host C is in a place where I need to create special security settings.<br>
The VPN encrypted data shall not be available on host C.<br>
There is no need for host C be in routing of tinc vpn, it just shall<br>
forward the encrypted packets to another host when needed.<br>
<br>
Is it possible to setup a host as part of a tinc network without the access to the packets (decrypted)?<br>
Or do I need to setup some other kind of tunnel for this?<br>
<br>
Armin<br>
<br>
______________________________<wbr>_________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a><br>
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-b<wbr>in/mailman/listinfo/tinc</a><br>
</blockquote></div><br></div>