Per host key authentication

Michael Munger mj at hph.io
Tue Oct 2 23:41:29 CEST 2018


Definitely considered that. Running different VPNs and even running
different instances of the daemon on different ports. But, as you
rightly pointed out: *additional complexity*.

It basically comes down to: what if you have a bad actor who needs
credentials revoked immediately?

We have a way of doing this already, but it can take up to 5 minutes to
cycle through every machine on the network - and some machines, which
are off, have a delay.

It would be nice to just disable the key at some central point and then
authentication / encryption / decryption just *break* for that bad actor.


Michael Munger, dCAP, MCPS, MCNPS, MBSS
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
High Powered Help, Inc.
p: 678-905-8569
w: hph.io <https://hph.io>  e: mj at hph.io <mailto:mj at hph.io>



On 10/02/2018 05:18 PM, Frank Myhr wrote:
> On 02/10/2018 17:02, Michael Munger wrote:
> > there might be another way to skin that cat.
>
> Additional complexity, but you could set up *four* tinc VPNs:
> 1) admin VPN
> 2) site A VPN
> 3) site B VPN
> 4) site C VPN
>
> Each of your client machines would then participate in 2 VPNs: the
> admin VPN and the appropriate site VPN. Each site VPN is NOT a subnet
> of the admin VPN, but its own separate network.
>
> Or maybe I'm missing something...?
>
> Best regards,
> Frank
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
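The per-node step behind the "disable the key and let authentication break" idea discussed above, as an added example that is not code from this thread or from the tinc project. It assumes the tinc 1.0 layout in which each peer's public key lives in `<root>/<netname>/hosts/<hostname>` and a running tincd re-reads host files and drops the affected connection on SIGHUP; the pidfile path and the `revoked` archive directory are assumptions.

```shell
#!/bin/sh
# Revoke one peer's key on the local tinc node: the daemon only trusts
# peers whose host file is present, so moving the file out of hosts/
# and reloading the daemon is enough to refuse that peer from now on.
# A central mechanism would run this on every node for the same netname.
TINC_ROOT="${TINC_ROOT:-/etc/tinc}"   # assumed root of the tinc config tree

# revoke_tinc_host NETNAME HOSTNAME
revoke_tinc_host() {
    net="$1"; host="$2"
    hostfile="$TINC_ROOT/$net/hosts/$host"
    revoked="$TINC_ROOT/$net/revoked"     # assumed archive dir, for audit
    if [ ! -f "$hostfile" ]; then
        echo "revoke: no host file for '$host' in net '$net'" >&2
        return 1
    fi
    mkdir -p "$revoked"
    # Keep a timestamped copy for the incident record, then remove the
    # key the daemon trusts. Once the file is gone, a reload refuses the
    # peer's authentication and its traffic can no longer be decrypted.
    mv "$hostfile" "$revoked/$host.$(date +%Y%m%dT%H%M%S)"
    # Only signal a daemon that is actually running (assumed pidfile path).
    if [ -f "/var/run/tinc.$net.pid" ]; then
        tincd -n "$net" -kHUP
    fi
    return 0
}

# is_trusted NETNAME HOSTNAME: true while the node still holds the peer's key
is_trusted() {
    [ -f "$TINC_ROOT/$1/hosts/$2" ]
}
```

Run it with `TINC_ROOT` pointed at a test tree first; against the real `/etc/tinc` it needs root.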
