Tinc and firewall

Absolute Truth requiredtruth at gmail.com
Tue Apr 23 19:53:18 CEST 2019


Yes.

On Tue, Apr 23, 2019, 1:49 PM Julien dupont <marcelvierzon at gmail.com> wrote:

> Hello,
>
> Early this year I got help here to set up tinc tunnels between users and a
> company LAN. Now I would like to try something different for home usage
> and I have a question regarding security.
>
> The setup would look as follows:
>
> - My home LAN has a classical topology where my ISP router is doing NAT
> and is blocking all incoming connections. I'm planning to enable port
> forwarding on the router: port 655 (tinc) and 656 (ssh) to a Raspberry Pi
> running Raspbian. It would have a static IP.
> - The ssh daemon listening on port 656 on the Raspberry Pi will be
> hardened (only one user can log in, strong password, protocol 2 only,
> fail2ban installed, etc.).
> - Tinc daemon will be listening on port 655.
> - I would use a DDNS service to find the current public IP of my router.
>
> The goal is to be able to establish a Tinc tunnel from a laptop outside
> the LAN to the Raspberry Pi and access all computers behind my router from
> that point on. Thanks to the previous help I know how to set up Tinc and the
> routing rules to achieve that.
>
> Now I'm wondering if and why I would need to implement any additional
> precaution, like a firewall on the Raspberry Pi with that specific setup.
> I'm assuming that:
>
> - It is impossible to reach any other port than 655 and 656 from the
> outside as only those two are forwarded.
> - It is impossible to directly reach any other computer than the Raspberry
> Pi so they don't need to be protected.
> - It is impossible, or very hard, to defeat ssh and tinc daemons security.
> - It is thus impossible to access the Raspberry Pi otherwise than through
> a tinc tunnel or an SSH connection, so no firewall is needed.
>
> Am I right there?
>
> Thanks,
> Julien
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
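As an added illustration of what a host firewall on the Raspberry Pi in the setup above could look like (this is example configuration written for this page, not from the thread or the tinc project), the nftables ruleset below admits only the two forwarded services from outside and confines traffic arriving through the tunnel to the home LAN. tinc uses both TCP and UDP on its port, so 655 is opened for both; the interface names (eth0, tinc0), the LAN prefix 192.168.1.0/24 and the fact that the Pi routes for the tunnel are assumptions not stated in the thread.

```nft
#!/usr/sbin/nft -f
# Host firewall for the Raspberry Pi (added example, not from the thread).
# Assumed (not stated in the thread): LAN interface eth0, LAN prefix
# 192.168.1.0/24, tinc interface tinc0, IP forwarding enabled on the Pi.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Only the two services forwarded by the router are reachable.
        tcp dport 656 ct state new limit rate 10/minute accept   # sshd, new connections rate-limited
        tcp dport 655 accept                                       # tinc meta connections
        udp dport 655 accept                                       # tinc data packets

        # Anything else addressed to the Pi itself, including from the
        # tunnel side, is logged and dropped.
        log prefix "pi-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # A laptop on the tunnel may reach hosts on the home LAN ...
        # (iifname is used because tinc0 only exists once tincd is running)
        iifname "tinc0" oifname "eth0" ip daddr 192.168.1.0/24 accept

        # ... but the Pi does not relay tunnel traffic anywhere else.
        log prefix "pi-forward-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and check with `nft list ruleset`; the two `log` rules make it easy to see in the kernel log which unexpected traffic the router's port forwarding alone would not have stopped.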

