AFAIK, and in my setups thus far, unless you have NodeB's public key in Nodes C-Z (with NodeB's public/reachable IP configured in Nodes C-Z) *and* you have the public keys for Nodes C-Z configured in NodeB, there is no way that Nodes C-Z will be able to establish a connection directly with NodeB, and it'll have to forward via NodeA (or any other node that does have a direct connection established with NodeB using its keys etc.)
Understand it like this: for any two nodes to have a *direct* connection, they need to share the other's public key to properly authenticate each other. It is a function of the security choices for tinc.

> On 22 May 2017, at 11:03 AM, Keith Whyte <[email protected]> wrote:
>
> Hi all
>
> I feel like I should know the answer to this question, like I read it
> someplace sometime, but it evades me right now.
>
> It's also an opportunity to say hello to the list and many thanks for
> writing and supporting tinc vpn! We make great use of it at rhizomatica.
>
> So,
>
> Let's take this example setup.
>
> I have two tinc nodes (A and B) behind a firewall.
>
> NodeA and NodeB have 192.168.1.2 and 192.168.1.3 assigned on an internal
> LAN, and they both have different public IP addresses forwarded to them,
> port 655 udp/tcp.
>
> The rest of the nodes C-Z are spread out around the internet.
>
> NodeA is our "master" server with all the keys for all nodes, so every
> node in the Node C-Z group has a ConnectTo = NodeA line and has NodeA's key,
> with an Address = nodea_public_ip line of course.
>
> Now, here's the question.
>
> I would like any given node in the C-Z group to be able to find NodeB
> on its public IP and therefore not forward via NodeA, but I would like
> to be able to do this without having to distribute NodeB's host key file
> with an Address = line to every node in the C-Z group.
>
> Right now, if I ask any node in C-Z for
>
> info NodeB
>
> I get:
>
> Address: 192.168.1.3 port 655
> Reachability: none, forwarded via NodeA
>
> NodeA and NodeB itself have NodeB's public IP address in the Address
> line in the host/key file for NodeB, and LocalDiscovery is in operation
> on the 192.168.1.x LAN behind the firewall; some other nodes are
> actually there too.
>
> NodeB is reachable on the public IP from the LAN (NAT reflection is in
> operation).
>
> Is there a way to force NodeA or NodeB to "advertise" its public IP to
> the rest of the tinc network, or did I miss something really obvious?
>
>
> Thanks!
>
>
> Keith.
>
>
>
> _______________________________________________
> tinc mailing list
> [email protected]
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
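The rule the reply states (a direct link needs the other side's public key on both nodes, plus a reachable Address on the side that initiates) can be checked against the hosts/ directories before anyone touches a live network. The script below is an added example; it is not from the thread and not tinc's own code. It builds a throw-away copy of the question's layout (NodeA as hub, NodeC with no file for NodeB) out of constructed host files, with placeholder key bodies and documentation-range addresses (203.0.113.x) standing in for the real public IPs, then re-runs the check after a partial fix (B's file on C, but with the LAN address `info NodeB` showed) and after the full fix. The RFC 1918 test is a heuristic of this script, not something tinc does.

```shell
#!/bin/sh
# Added example (not from the thread, not tinc's own code). Encodes the
# rule from the reply: NodeX can reach NodeY directly only if
#   1. NodeX's hosts/NodeY carries NodeY's public key and an Address line
#      NodeX can actually reach (not a LAN address), and
#   2. NodeY's hosts/NodeX carries NodeX's public key.
# Every host file here is constructed; key bodies and the 203.0.113.0/24
# addresses are placeholders.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# write_host <owner> <peer> <address-or-empty> <with-key yes|no>
# Creates $WORK/<owner>/hosts/<peer> in tinc's host-file layout.
write_host() {
    dir="$WORK/$1/hosts"
    mkdir -p "$dir"
    file="$dir/$2"
    : > "$file"
    if [ -n "$3" ]; then
        printf 'Address = %s\n' "$3" >> "$file"
    fi
    if [ "$4" = yes ]; then
        printf '%s\n' '-----BEGIN RSA PUBLIC KEY-----' 'PLACEHOLDER' \
                      '-----END RSA PUBLIC KEY-----' >> "$file"
    fi
}

# has_key <file>: true if the host file carries an RSA (tinc 1.0) or
# Ed25519 (tinc 1.1) public key.
has_key() {
    [ -f "$1" ] && grep -Eq 'BEGIN (RSA )?PUBLIC KEY|^Ed25519PublicKey' "$1"
}

# address_of <file>: value of the first Address line, empty if none.
address_of() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# is_private <addr>: RFC 1918 ranges, which a node out on the internet
# cannot reach (heuristic of this script, not tinc's logic).
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# direct_possible <from> <to>: prints "yes" or "no: <reason>".
direct_possible() {
    from_file="$WORK/$1/hosts/$2"
    to_file="$WORK/$2/hosts/$1"
    if ! has_key "$from_file"; then
        echo "no: $1 lacks $2's public key"; return 0
    fi
    if ! has_key "$to_file"; then
        echo "no: $2 lacks $1's public key"; return 0
    fi
    addr=$(address_of "$from_file")
    if [ -z "$addr" ]; then
        echo "no: $1 has no Address for $2"; return 0
    fi
    if is_private "$addr"; then
        echo "no: $1 only knows a private Address for $2 ($addr)"; return 0
    fi
    echo yes
}

# --- Constructed scenario from the question -------------------------------
# NodeA is the hub: C has A's file with a public Address, A has C's key,
# and A and B hold each other's files with public Addresses.
write_host NodeC NodeA 203.0.113.1 yes
write_host NodeA NodeC ""          yes
write_host NodeA NodeB 203.0.113.2 yes
write_host NodeB NodeA 203.0.113.1 yes
write_host NodeB NodeB 203.0.113.2 yes   # B's own file, as in the question
# NodeC has no hosts/NodeB at all; it only hears about B through A.

BEFORE=$(direct_possible NodeC NodeB)   # no: NodeC lacks NodeB's public key

# Half a fix: C gets B's file, but with the LAN address that "info" showed.
write_host NodeC NodeB 192.168.1.3 yes
write_host NodeB NodeC ""          yes
HALF=$(direct_possible NodeC NodeB)     # no: ... private Address ... (192.168.1.3)

# Full fix: B's file on C carries B's public Address, and B holds C's key.
write_host NodeC NodeB 203.0.113.2 yes
AFTER=$(direct_possible NodeC NodeB)    # yes

printf '%s\n' "before: $BEFORE" "half:   $HALF" "after:  $AFTER"
```

The check only reads host files; it says nothing about firewalls or about what tinc does at run time. For the real distribution step, tinc 1.1 (the version whose `info` output appears in the question) has `tinc -n <netname> export` on NodeB to print its own host file, including its Address lines, and `tinc -n <netname> import` on each of C-Z to install it, and the reverse direction is needed too, which is exactly the key exchange the reply says cannot be avoided.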
