tinc on openBSD?

Harald Dunkel-3
Hi folks,

AFAICS tinc is included in the packages for 6.1, but surely
that doesn't mean it's safe to use without looking.

Are there security concerns against running tinc on an OpenBSD
gateway as an alternative to IPsec and openvpn in a +50 road
warriors setup? What is your impression of this tool in daily
usage? Which VPN solution would you prefer?


Every helpful comment is highly appreciated
Harri

Re: tinc on openBSD?

Pierre Emeriaud
> Are there security concerns against running tinc on an OpenBSD
> gateway as an alternative to IPsec and openvpn in a +50 road
> warriors setup? What is your impression of this tool in daily
> usage? Which VPN solution would you prefer?

I'm using tinc 1.1pre14 (not the port) with hostname.if in tap mode
(mode = switch) with no issues. Tinc config is very simple, and I
really like the "any to any" approach, even though p2p/p2mp is
achievable with some additional configuration. Not sure about how it
scales on OpenBSD with such a number of nodes, but on the tinc ml
there have been reports of larger clouds.

Re: tinc on openBSD?

Uwe Werler
In reply to this post by Harald Dunkel-3
On 27. Apr  7:51:18, Harald Dunkel wrote:

> Hi folks,
>
> AFAICS tinc is included in the packages for 6.1, but surely
> that doesn't mean it's safe to use without looking.
>
> Are there security concerns against running tinc on an OpenBSD
> gateway as an alternative to IPsec and openvpn in a +50 road
> warriors setup? What is your impression of this tool in daily
> usage? Which VPN solution would you prefer?
>
>
> Every helpful comment is highly appreciated
> Harri
>

Hi Harri,

I have been running tinc for ~2 years now for my private vpn solution - especially via
proxy out of my company from my OpenBSD vm to my OpenBSD router. Runs like a
charm. It's much easier to configure than e.g. OpenVPN. There are already
some networks running with tinc like https://dn42.net/Home e.g.

Regards Uwe

Re: tinc on openBSD?

Reyk Floeter-2
In reply to this post by Harald Dunkel-3
On Thu, Apr 27, 2017 at 07:51:18AM +0200, Harald Dunkel wrote:

> Hi folks,
>
> AFAICS tinc is included in the packages for 6.1, but surely
> that doesn't mean it's safe to use without looking.
>
> Are there security concerns against running tinc on an OpenBSD
> gateway as an alternative to IPsec and openvpn in a +50 road
> warriors setup? What is your impression of this tool in daily
> usage? Which VPN solution would you prefer?
>
>

I never used tinc and it is not related to OpenBSD; so I cannot judge
on the quality or usability of the software.

But a quick look at source and documentation shows me that --chroot
and --user are not enabled by default (see switchuser and do_chroot in
tincd.c).  Who would do that in 2017?

Another question that you should ask yourself: do you trust tinc's
crypto protocol?  It seems a bit dated; but what really matters if you
care about security: did it get a good crypto review recently?

It does show up with examples and documentation in WikiLeaks' Vault7
documents, but I'm not sure if this is a good or bad thing.

Reyk
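
One way to check a gateway for the point raised in the last reply, that tincd only drops privileges when --chroot and --user are passed explicitly. This is an added example, not part of the thread or of tinc; the function name, the sample command lines and the _tinc account are assumptions made for illustration.

```sh
#!/bin/sh
# Audit a tincd command line for the privilege-dropping options the
# reply above mentions: --chroot (-R) and --user (-U).
# Assumption: short options c, n and o take an argument and may be
# clustered getopt-style (e.g. -DRU_tinc); adjust for your version.
audit_tincd_args() (
    set -f                      # no globbing while splitting
    set -- $1                   # split the command line on whitespace
    chroot=no user=
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
        --chroot) chroot=yes ;;
        --user=*) user=${arg#--user=} ;;
        --user)   user=${1:-}; [ $# -gt 0 ] && shift ;;
        --*)      ;;            # other long options are not relevant
        -?*)      rest=${arg#-}
            while [ -n "$rest" ]; do
                tail=${rest#?}; c=${rest%"$tail"}; rest=$tail
                case $c in
                R) chroot=yes ;;
                U) if [ -n "$rest" ]; then user=$rest
                   else user=${1:-}; [ $# -gt 0 ] && shift; fi
                   rest= ;;
                c|n|o)          # skip this option's argument
                   [ -z "$rest" ] && [ $# -gt 0 ] && shift
                   rest= ;;
                esac
            done ;;
        esac
    done
    rc=0
    [ "$chroot" = yes ] || { echo "FINDING: no --chroot (-R)"; rc=1; }
    case $user in
    '')     echo "FINDING: no --user (-U), daemon keeps root"; rc=1 ;;
    root|0) echo "FINDING: --user is root"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ]             # exit status: 0 only if both are set
)

# Constructed sample command lines (not taken from the thread);
# _tinc is a hypothetical unprivileged account.
while IFS= read -r line; do
    echo "== $line"
    audit_tincd_args "$line" || true
done <<'EOF'
tincd -n roadwarriors
tincd -n roadwarriors --chroot --user=_tinc
EOF
```

On a live system the argument string would come from the process table or from the flags configured for the daemon at boot.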