Advertising a Public IP address
hvjunk
hvjunk at gmail.com
Mon May 22 11:22:23 CEST 2017
AFAIK, and in my setups thus far, unless you have NodeB's public key in Nodes C-Z (with NodeB's public/reachable IP configured in Nodes C-Z) *and* you have the public keys for Nodes C-Z configured in NodeB, there is no way that Nodes C-Z will be able to establish a connection directly with NodeB, and it'll have to forward via NodeA (or any other node that does have a direct connection established with NodeB using its keys etc.)
Understand it like this: for any two nodes to have a *direct* connection, they need to share each other's public key to properly authenticate each other. It is a function of the security choices for TINC.
> On 22 May 2017, at 11:03 AM, Keith Whyte <keith at rhizomatica.org> wrote:
>
> Hi all
>
> I feel like I should know the answer to this question, like I read it
> someplace sometime, but it evades me right now.
>
> It's also an opportunity to say hello to the list and many thanks for
> writing and supporting tinc vpn! We make great use of it at rhizomatica.
>
> So,
>
> Let's take this example setup.
>
> I have two tinc nodes (A and B) behind a firewall
>
> NodeA and NodeB have 192.168.1.2 and 192.168.1.3 assigned on an internal
> LAN, and they both have different public IP addresses forwarded to them,
> port 655 udp/tcp
>
> The rest of the nodes C-Z are spread out around the internet.
>
> NodeA is our "master" server with all the keys for all nodes, so every
> node in Node C-Z group has a ConnectTo = NodeA line and has NodeA's key,
> with an Address = nodea_public_ip line of course.
>
> Now, here's the question.
>
> I would like any given node in the C-Z group to be able to find Node B
> on its public IP and therefore not forward via NodeA, but I would like
> to be able to do this without having to distribute NodeB's host key file
> with an Address = line to every node in the C-Z group.
>
> Right now, if I ask any node in C-Z for
>
> info NodeB
>
> I get:
>
> Address: 192.168.1.3 port 655
> Reachability: none, forwarded via NodeA
>
> NodeA and NodeB itself have NodeB's public IP address in the Address
> line in the host/key file for NodeB, and LocalDiscovery is in operation
> on the 192.168.1.x LAN behind the firewall, some other nodes are
> actually there too.
> Node B is reachable on the public IP from the LAN (NAT reflection is in
> operation)
>
> Is there a way to force NodeA or NodeB to "advertise" its public IP to
> the rest of the tinc network, or did I miss something really obvious?
>
>
> Thanks!
>
>
> Keith.
>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
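The reply above boils down to two checks against each node's hosts/ directory: a node can dial NodeB directly only if its hosts/NodeB file carries both NodeB's public key and an Address line, and NodeB can accept that connection only if its own hosts/ directory carries the caller's public key. The script below is an added example, not code from tinc or from either poster: it audits a hosts/ directory for those two conditions. The host files it creates are constructed samples with placeholder keys (not real tinc keys), the IPs are documentation addresses, and the key/Address matching is a simplified grep rather than tinc's own config parser.

```shell
#!/bin/sh
# Added example, not tinc's own code. Audits a tinc hosts/ directory:
#  - can_connect_to DIR NODE   : DIR/NODE has a public key AND an Address line,
#                                so this node can open a direct connection to NODE.
#  - can_accept_from DIR NODE  : DIR/NODE has a public key, so this node can
#                                authenticate NODE when NODE connects in.
# Anything else is reachable only by forwarding through a node that has both.

# Constructed sample hosts/ directory, roughly what a node in the C-Z group has.
HOSTS_DIR=$(mktemp -d)

make_sample_hosts() {
  dir=$1
  mkdir -p "$dir"
  # NodeA: key plus public Address, as distributed to every node (ConnectTo = NodeA).
  # Keys below are placeholders, not real tinc keys.
  cat > "$dir/NodeA" <<'EOF'
Address = 203.0.113.10
Subnet = 10.0.0.1/32
Ed25519PublicKey = PLACEHOLDERKEYFORNODEA
-----BEGIN RSA PUBLIC KEY-----
PLACEHOLDERRSAKEYFORNODEA
-----END RSA PUBLIC KEY-----
EOF
  # NodeB: deliberately absent, as in the question (only learned via NodeA).
  # NodeC: key present but no Address (can be authenticated, cannot be dialled).
  cat > "$dir/NodeC" <<'EOF'
Subnet = 10.0.0.3/32
-----BEGIN RSA PUBLIC KEY-----
PLACEHOLDERRSAKEYFORNODEC
-----END RSA PUBLIC KEY-----
EOF
  # NodeD: Address present but no key (cannot be authenticated, so no direct link).
  cat > "$dir/NodeD" <<'EOF'
Address = 198.51.100.4 655
Subnet = 10.0.0.4/32
EOF
}

# Public key present? Either a PEM RSA block or a tinc 1.1 Ed25519PublicKey line.
has_key() {
  grep -Eq '^-----BEGIN (RSA )?PUBLIC KEY-----|^[[:space:]]*Ed25519PublicKey[[:space:]]*=' "$1"
}

# Address = line present (with optional port)?
has_address() {
  grep -Eq '^[[:space:]]*Address[[:space:]]*=' "$1"
}

# This node can dial NODE directly: needs NODE's key and an Address to dial.
can_connect_to() {
  f="$1/$2"
  [ -f "$f" ] && has_key "$f" && has_address "$f"
}

# This node can authenticate NODE as an incoming peer: needs only NODE's key.
can_accept_from() {
  f="$1/$2"
  [ -f "$f" ] && has_key "$f"
}

# One-word verdict for NODE as seen from DIR.
audit() {
  if can_connect_to "$1" "$2"; then echo direct
  elif can_accept_from "$1" "$2"; then echo accept-only
  else echo forwarded
  fi
}

make_sample_hosts "$HOSTS_DIR"
for n in NodeA NodeB NodeC NodeD; do
  printf '%s: %s\n' "$n" "$(audit "$HOSTS_DIR" "$n")"
done
```

To apply it to a real installation, source the file and run `audit /etc/tinc/<netname>/hosts NodeB` on each of Nodes C-Z, and `can_accept_from /etc/tinc/<netname>/hosts NodeC` (and so on) on NodeB; both sides must pass before NodeB stops showing up as "forwarded via NodeA".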