On 22/05/17 11:22, hvjunk wrote:
> AFAIK, and my setups thus far, unless you have NodeB’s public key in Nodes
> C-Z (with NodeB’s public/reachable IP configured in Nodes C-Z) *and* you have
> the PublicKeys for Nodes C-Z configured in NodeB, there is no way that
> Nodes C-Z will be able to establish a connection directly with NodeB, and
> it’ll have to forward via NodeA (or any other node that does have a direct
> connection established with NodeB using its keys etc.)

Hi! Thanks for the reply.

That goes against what I am seeing. I currently have a node, let's call it 'G', which is also publicly reachable on a static IP. No other node has its key except NodeA, the master. All tinc nodes can reach it directly. This is 100% confirmed by watching the traffic with tcpdump.

> Understand it like this: for any two nodes to have a *direct* connection,
> they need to share the other’s Public Key to properly authenticate each
> other. It is a function of the security choices for TINC.

I don't mean to contradict you, but I think you misunderstand something about key distribution and the meta connections. https://www.tinc-vpn.org/documentation-1.1/How-connections-work.html#How-connections-work: "Tinc daemons exchange information about all other daemons they know about via these meta-connections."

I think the problem in my case is that my NodeA is finding NodeB by LocalDiscovery and therefore ignoring the Address in the hosts config. NodeA is then telling the other tinc daemons that NodeB is at 192.168.1.3, which is not very useful.

Keith.

_______________________________________________
tinc mailing list
[email protected]
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
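As an added example, not part of Keith's or hvjunk's messages and not taken from the tinc documentation, this is what the two configuration files that matter for Keith's diagnosis look like for the setup in the thread. Node names NodeA and NodeB are the thread's; the network name, the hostname vpn-b.example.com, the port and the Subnet are assumed placeholders. The idea is to test the hypothesis directly: if NodeA's view of NodeB (learned over LocalDiscovery) is what the other daemons are told, then turning LocalDiscovery off on NodeA and making sure NodeB's host file carries a public Address should make Nodes C-Z connect to NodeB at that Address instead of 192.168.1.3.

```ini
# /etc/tinc/<netname>/tinc.conf on NodeA (assumed path layout; <netname> is a placeholder)
Name = NodeA
# Keep the meta-connection to NodeB: this is the link over which every other
# daemon learns that NodeB exists and where it can be reached.
ConnectTo = NodeB
# Stop NodeA from finding NodeB on the LAN. With this off, NodeA only ever
# reaches NodeB through the Address in hosts/NodeB, and that is the address
# it relays to the rest of the mesh. (Assumption under test, per the thread.)
LocalDiscovery = no

# /etc/tinc/<netname>/hosts/NodeB (the file NodeA already holds, with a public Address)
# The Address is what lets Nodes C-Z open a direct connection to NodeB once
# they have learned about it via NodeA's meta-connection; a LAN address such as
# 192.168.1.3 is useless to them. Hostname, port and Subnet are placeholders.
Address = vpn-b.example.com 655
Subnet = 10.0.0.2/32
-----BEGIN RSA PUBLIC KEY-----
... NodeB's existing public key, unchanged ...
-----END RSA PUBLIC KEY-----
```

To see what NodeA is actually advertising, the tinc 1.1 control command `tinc -n <netname> dump nodes` (and `tinc -n <netname> dump edges`) on NodeA lists each known node with the address and port it is reachable at; the address shown for NodeB there is the one the other daemons will be handed. The tcpdump check Keith describes on the receiving side remains the ground truth for whether Nodes C-Z really end up talking to NodeB directly.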
