Advertising a Public IP address

Keith Whyte keith at rhizomatica.org
Mon May 22 13:24:15 CEST 2017



On 22/05/17 11:22, hvjunk wrote:
> AFAIK, and my setups thus far, unless you have NodeB’s public key in Nodes C-Z (with NodeB’s public/reachable IP configured in Nodes C-Z) *and* you have the PublicKeys for Nodes C-Z configured in NodeB, there is no way that Nodes C-Z will be able to establish a connection directly with NodeB, and it’ll have to forward via NodeA (or any other node that does have a direct connection established with NodeB using its keys etc)
Hi!
Thanks for the reply.

That goes against what I am seeing.
I currently have a Node, let's call it 'G', which is also publicly
reachable on a static IP. No other node has its key except NodeA, the
master. All tinc nodes can reach it directly. This is 100% confirmed by
watching the traffic with tcpdump.

>
> Understand it like this: for any two nodes to have a *direct* connection, they need to share the other’s Public Key to properly authenticate each other. It is a function of the security choices for TINC.
I don't mean to contradict you, but I think you misunderstand something
about key distribution and the meta connections.

https://www.tinc-vpn.org/documentation-1.1/How-connections-work.html#How-connections-work:

"Tinc daemons exchange information about all other daemon they know
about via these meta-connections."

I think the problem in my case is that my NodeA is finding NodeB by
LocalDiscovery and therefore ignoring the Address in the hosts config.
NodeA is then telling the other tinc daemons that NodeB is at
192.168.1.3, which is not very useful.



Keith.



