On 20/5/19 2:36 am, cat big wrote:
> Hi tinc users,
>
> I have two Tinc nodes (A, B) running on trusted computers. Between A
> and B there's no direct internet connection. So I have to set up a
> third node X to bridge them:
>
>     [ A ] ======= [ X ] ======= [ B ]
>    trusted      untrusted      trusted
>
> X is on a cloud service like AWS, thus it's on an untrusted third
> party. Once it is compromised, the attacker can access the entire
> VPN through it.
>
> To prevent such an attack, it's possible to deploy firewall rules to drop
> all the direct packets from X. However, when the network scales up,
> it's inefficient to deploy such rules to all the machines.
>
> So my question is: is it possible to set up the tinc node on X as a
> bridge-only node? "Bridge-only" means X only serves as a bridge
> between the connected nodes. It forwards the traffic but can't read
> the traffic or send messages to other nodes in the VPN.
>
> Any input would be appreciated. Thanks!
Maybe you can use iptables on X to simply forward traffic arriving from
A on to B (and vice-versa) at the packet level, rather than running
tinc. Effectively X is a proxy with no knowledge of what it's forwarding
and hence no possibility of injecting traffic.
I've never tried it, but a quick Google search shows that
http://gsoc-blog.ecklm.com/iptables-redirect-vs.-dnat-vs.-tproxy/, for
example, may be helpful.
Hamish
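A concrete version of the packet-level relay Hamish describes, written as an added example for this thread (it is not code from the thread or from the tinc project). It assumes IPv4, that A and B are each reachable from X at the addresses passed in, that both tinc daemons listen on port 655 for TCP and UDP, and that the host files on A and B give X's address in place of each other's; X itself never runs tincd, so it holds no tinc keys and cannot read or inject VPN traffic.

```shell
#!/bin/sh
# Netfilter-only relay on X between tinc nodes A and B.
# relay_rules A B PORT IFACE -> prints the iptables commands, one per line
relay_rules() {
    a=$1; b=$2; port=$3; iface=$4
    # Each direction needs TCP (tinc meta connection) and UDP (tunnelled data).
    for proto in tcp udp; do
        # Packets from A aimed at X:port are redirected to B, and vice versa.
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$iface" "$a" "$proto" "$port" "$b" "$port"
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$iface" "$b" "$proto" "$port" "$a" "$port"
        # Only the two relayed flows may traverse X; everything else is dropped.
        printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
            "$a" "$b" "$proto" "$port"
        printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
            "$b" "$a" "$proto" "$port"
    done
    # Replies of already-tracked flows are allowed back; default policy is DROP.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -P FORWARD DROP\n'
    # Rewrite the source to X so A and B answer X; conntrack un-NATs the replies.
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$iface"
}

# apply_relay_rules A B PORT IFACE -> enables forwarding and applies the rules (run as root on X)
apply_relay_rules() {
    sysctl -w net.ipv4.ip_forward=1
    relay_rules "$@" | while IFS= read -r cmd; do eval "$cmd"; done
}

# Example invocation with constructed documentation addresses (not from the thread):
# apply_relay_rules 203.0.113.10 198.51.100.20 655 eth0
```

Because X only rewrites addresses, a compromise of X yields at most a denial of service or traffic metadata, not the ability to decrypt or to speak to other VPN members.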
_______________________________________________
tinc mailing list
tinc@tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc