On Thu, Apr 27, 2017 at 07:51:18AM +0200, Harald Dunkel wrote:
> Hi folks,
>
> AFAICS tinc is included in the packages for 6.1, but surely
> that doesn't mean it's safe to use without looking.
>
> Are there security concerns against running tinc on an OpenBSD
> gateway as an alternative to IPsec and openvpn in a +50 road
> warriors setup? What is your impression of this tool in daily
> usage? Which VPN solution would you prefer?
>

I never used tinc and it is not related to OpenBSD, so I cannot judge the quality or usability of the software.

But a quick look at source and documentation shows me that --chroot and --user are not enabled by default (see switchuser and do_chroot in tincd.c). Who would do that in 2017?

Another question that you should ask yourself: do you trust tinc's crypto protocol? It seems a bit dated; but what really matters if you care about security: did it get a good crypto review recently?

It does show up with examples and documentation in WikiLeaks' Vault7 documents, but I'm not sure if this is a good or bad thing.

Reyk
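
The point about `--chroot` and `--user` in the reply above, as a check that can be run against a tincd invocation. This is an added example, not part of the original message or of tinc itself; the function names, the network name `vpn` and the user `_tinc` are hypothetical, and it assumes options are passed unbundled.

```shell
#!/bin/sh
# Added example: report which privilege-drop options a tincd command line lacks.
# Assumption: options are not bundled (-R, not -DR); a bundled flag is
# reported as missing, which errs toward a manual look.

# True when the given user name actually drops privileges.
is_unprivileged() {
    [ -n "$1" ] && [ "$1" != root ]
}

# Usage: tincd_missing_hardening ARG...
# Prints the missing options separated by a space; prints nothing when both
# --chroot and --user (with a non-root user) are present.
tincd_missing_hardening() {
    have_chroot=no have_user=no want_user=no
    for arg in "$@"; do
        if [ "$want_user" = yes ]; then      # value following "-U" / "--user"
            want_user=no
            if is_unprivileged "$arg"; then have_user=yes; fi
            continue
        fi
        case "$arg" in
            -R|--chroot) have_chroot=yes ;;
            -U|--user)   want_user=yes ;;
            --user=*)    if is_unprivileged "${arg#--user=}"; then have_user=yes; fi ;;
            -U*)         if is_unprivileged "${arg#-U}"; then have_user=yes; fi ;;
        esac
    done
    missing=
    [ "$have_chroot" = yes ] || missing="--chroot"
    [ "$have_user" = yes ] || missing="${missing:+$missing }--user"
    printf '%s' "$missing"
}

# Constructed sample command lines (not taken from any real system).
for line in \
    "tincd -n vpn" \
    "tincd -n vpn -R" \
    "tincd -n vpn --chroot --user=root" \
    "tincd -n vpn -R -U _tinc"
do
    # Word splitting of the sample line is intended here.
    result=$(tincd_missing_hardening $line)
    printf '%-40s missing: %s\n' "$line" "${result:-none}"
done
```
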

