On Fri, Jan 27, 2017 at 01:24:37AM +0100, Niklas Hambüchen wrote:

> I'm looking for a way to add some (Linux) participants into my tinc
> network, but I want to protect them from accidentally binding a port so
> that it's accessible via tinc.
[...]
> I imagine the easiest way would be to make it so that tinc creates no
> tun device. Is the `DeviceType = raw_socket` option what I'm looking for?

You can use DeviceType = dummy to make tinc run without a tun device.
Note that the node running tinc then cannot access the VPN at all, it
then only acts as a forwarder and/or NAT helper for other nodes.

Otherwise, the best option is to add firewall rules that disallow any
new incoming connections from the VPN interface, but still allow
outgoing connections. Example commands to do this:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i <VPN interface> -j DROP

Don't forget about IPv6, where you have to add similar rules.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <[email protected]>
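The rule pair Guus describes above, as an added example that is not part of his mail: a small POSIX shell script that emits the two INPUT rules for both iptables and ip6tables, and an audit function that reads an existing `iptables -S INPUT` dump and checks that the RELATED,ESTABLISHED accept comes before the blanket DROP on the VPN interface (the order is what keeps outgoing connections working). The interface name tun0 and the sample rule dumps are constructed assumptions; substitute the Interface from your tinc.conf.

```shell
#!/bin/sh
# Added example (not from the original mail): emit the two INPUT rules for
# both address families and audit a rule dump for presence and ordering.
# The interface name tun0 is an assumption; use your tinc Interface setting.

# Print the two rules for one tool ($1: iptables or ip6tables; $2: VPN interface).
# Order matters: replies to connections this host opened must be accepted
# before the blanket DROP on the VPN interface, or outgoing connections break.
vpn_rules() {
    tool="$1"; iface="$2"
    printf '%s -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$tool"
    printf '%s -A INPUT -i %s -j DROP\n' "$tool" "$iface"
}

# Read a rule dump (output of `iptables -S INPUT` / `ip6tables -S INPUT`) on
# stdin. Exit 0 only if a RELATED,ESTABLISHED ACCEPT appears before the DROP
# for the given interface ($1); exit 1 if either rule is missing or misordered.
audit_input_chain() {
    awk -v iface="$1" '
        /-j ACCEPT/ && /RELATED,ESTABLISHED/ && !est { est = NR }
        $0 ~ ("-i " iface " ") && /-j DROP/ && !drop { drop = NR }
        END { if (est && drop && est < drop) exit 0; exit 1 }'
}

# Constructed sample dumps (not captured from a real host).
GOOD_DUMP='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP'
BAD_ORDER_DUMP='-P INPUT ACCEPT
-A INPUT -i tun0 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
MISSING_DROP_DUMP='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Print "ok" or "FAIL" for the dump passed as $1, audited against tun0.
audit_report() {
    if printf '%s\n' "$1" | audit_input_chain tun0; then echo ok; else echo FAIL; fi
}

# Stand-alone run: show the rules for both address families, then audit samples.
vpn_rules iptables tun0
vpn_rules ip6tables tun0
echo "good dump:         $(audit_report "$GOOD_DUMP")"
echo "bad order dump:    $(audit_report "$BAD_ORDER_DUMP")"
echo "missing drop dump: $(audit_report "$MISSING_DROP_DUMP")"
```

To apply the rules on a host, source the script and run `vpn_rules iptables tun0 | sh` and `vpn_rules ip6tables tun0 | sh` as root; to verify a live host afterwards, run `iptables -S INPUT | audit_input_chain tun0` (and the same with ip6tables) and check the exit status. The audit deliberately takes the first ACCEPT and first DROP it sees, so a correct pair appended after a misordered one still reports failure, because the kernel evaluates the chain top to bottom.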


_______________________________________________
tinc mailing list
[email protected]
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
