I have a network:

   [host] <-------> [host] <----------- [workstation]
    ^  ^             ^  ^
   /    \           /    \
  /      \         /      \
[client] [client] [client] [...]

(arrows are ConnectTo directives)
(host := linux, client := win, workstation := {linux, win})

How can I prevent a direct (logical) connection from one client to another client, but allow the workstation to access everything in the network?
Is there any way to do that?
I am using tinc version 1.1 to 14.
发布于 2017-01-15 05:51:41
You can use the strict parameters and not exchange keys between the clients, then set the firewalls of the hosts and the workstation to not accept connections from the client subnet.
StrictSubnets = yes | no (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are present in the host config files in the
local /etc/tinc/NETNAME/hosts/ directory. Subnets learned via connections to other nodes and which are not present
in the local host config files are ignored.
TunnelServer = yes | no (no) [experimental]
When this option is enabled tinc will no longer forward information between other tinc daemons, and will only allow
connections with nodes for which host config files are present in the local /etc/tinc/NETNAME/hosts/ directory.
Setting this option also implicitly sets StrictSubnets.

https://serverfault.com/questions/787482
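One way to lay out what the answer describes, as an added example and not code from the thread or from the tinc project: a POSIX shell script that stages the per-node files in a scratch directory for review before they are copied to /etc/tinc/<NET>/ on each node. Every concrete name in it is an assumption (network "vpn", nodes host1/host2/ws/client1/client2/client3, addresses host*.example.net, subnets 10.10.0.0/24 for hosts and workstation and 10.10.1.0/24 for clients, the tunnel device named after the network); keys are not generated here.

```shell
#!/bin/sh
# Added example, not code from the serverfault thread or the tinc project.
# Stages the answer's layout: TunnelServer on the hosts, StrictSubnets on
# everything else, clients carrying only their own host's file, and a
# firewall rule file for the hosts and the workstation.
# Assumed names: network "vpn", nodes host1 host2 ws client1 client2 client3,
# host*.example.net, 10.10.0.0/24 (hosts, ws), 10.10.1.0/24 (clients).
# Keys are not generated; run `tinc -n vpn init <name>` on each node for that.
set -eu

NET=${NET:-vpn}
STAGE=${STAGE:-$(mktemp -d)}

# tinc_conf NODE ROLE [PEER...]: NODE's tinc.conf with one ConnectTo per PEER.
tinc_conf() {
    node=$1; role=$2; shift 2
    dir="$STAGE/$node/etc/tinc/$NET"
    mkdir -p "$dir/hosts"
    {
        echo "Name = $node"
        echo "Mode = router"
        if [ "$role" = host ]; then
            # Hosts relay nothing between their peers and accept only nodes
            # that have a file in hosts/; TunnelServer implies StrictSubnets.
            echo "TunnelServer = yes"
        else
            # Clients and the workstation route only to locally listed Subnets.
            echo "StrictSubnets = yes"
        fi
        for peer in "$@"; do
            echo "ConnectTo = $peer"
        done
    } >"$dir/tinc.conf"
}

# host_file NODE PEER SUBNET [ADDRESS]: give NODE the host file of PEER.
# A node can only authenticate peers whose files it carries, so a client
# receives its own file, its host's file, and no other.
host_file() {
    node=$1; peer=$2; subnet=$3; addr=${4:-}
    f="$STAGE/$node/etc/tinc/$NET/hosts/$peer"
    {
        if [ -n "$addr" ]; then echo "Address = $addr"; fi
        echo "Subnet = $subnet"
        echo "# Ed25519PublicKey = <copy from hosts/$peer as generated on $peer>"
    } >"$f"
}

# firewall NODE TUNIF CLIENTNET...: iptables rules, written to a file rather
# than applied, so NODE's own stack refuses anything arriving from the client
# subnet on the tunnel device while tinc itself stays reachable on 655.
firewall() {
    node=$1; tun=$2; shift 2
    f="$STAGE/$node/firewall.sh"
    {
        echo '#!/bin/sh'
        echo 'iptables -A INPUT -p tcp --dport 655 -j ACCEPT'
        echo 'iptables -A INPUT -p udp --dport 655 -j ACCEPT'
        for net in "$@"; do
            echo "iptables -A INPUT   -i $tun -s $net -j DROP"
            echo "iptables -A FORWARD -i $tun -s $net -j DROP"
        done
    } >"$f"
    chmod +x "$f"
}

stage_all() {
    # Hosts and workstation know each other; hosts also know their own clients.
    tinc_conf host1 host host2
    tinc_conf host2 host
    tinc_conf ws workstation host2
    for n in host1 host2 ws; do
        host_file $n host1 10.10.0.1/32 host1.example.net
        host_file $n host2 10.10.0.2/32 host2.example.net
        host_file $n ws    10.10.0.9/32
    done
    host_file host1 client1 10.10.1.11/32
    host_file host1 client2 10.10.1.12/32
    host_file host2 client3 10.10.1.13/32
    # Workstation: every client in its local Subnet list.
    host_file ws client1 10.10.1.11/32
    host_file ws client2 10.10.1.12/32
    host_file ws client3 10.10.1.13/32
    # Clients: their own file plus the host they connect to, nothing else.
    tinc_conf client1 client host1
    tinc_conf client2 client host1
    tinc_conf client3 client host2
    host_file client1 client1 10.10.1.11/32
    host_file client2 client2 10.10.1.12/32
    host_file client3 client3 10.10.1.13/32
    host_file client1 host1 10.10.0.1/32 host1.example.net
    host_file client2 host1 10.10.0.1/32 host1.example.net
    host_file client3 host2 10.10.0.2/32 host2.example.net
    # Tunnel device assumed to carry the network name (tinc's default).
    for n in host1 host2 ws; do
        firewall $n "$NET" 10.10.1.0/24
    done
}

stage_all
echo "staged under $STAGE"
```

After copying a node's tree into place, `tinc -n vpn dump nodes` and `tinc -n vpn dump subnets` on a client should list only the client itself and its host; anything more means a host file leaked or a host is missing TunnelServer. Note that packets tinc relays between two peers inside the daemon never pass through the kernel's INPUT or FORWARD chains, so the rule files only guard the hosts' and the workstation's own stacks; keeping clients apart rests on the host files they do not have.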