|
|
|
|
|
|
by GekkePrutser
2171 days ago
|
|
|
Oh thanks, I wasn't aware of that change in Tinc 1.1, I'll try it out. I'm indeed using the distro version, I compliled 1.1 once to have that network view (where you see which nodes are connected) but it wasn't that useful so I didn't bother with it. Didn't realise they simplified the joining also. Though I never thought the joining and revocation was all that difficult anyway. I just have 2 central servers which carry every key, and the others just need to have the server keys. Everything else gets distributed automatically. So keys for clients you can keep on your servers only. You don't have to delete it from all of your clients! I know tinc doesn't really have a client/server concept but I consider clients those devices that aren't publicly reachable (behind NAT) and not used in a ConnectTo statement. And yeah the centralised VL1 "Planet" server in ZeroTier also bothers me. I know it plays no part in the actual access rights to the network and it can't see the traffic content, but still. I just want to run it myself. |
|
|
As for revocation, I have a similar setup and I agree. My worry is that in a theoretical situation an attacker could get access to a network and then spread his key to the entire network and there's little you can do about it. For personal use it's fine (I use it), but because of this, I would be vary of using Tinc for some sort of production use (although I've heard of people doing it). Even if it's a big IF since you need to actually have an access to a node to generate an invite, the attack surface is still there and there's no good way to undo it.