Re: [GNUnet-developers] some questions around EXIT, VPN and PT

From: Christian Grothoff
Subject: Re: [GNUnet-developers] some questions around EXIT, VPN and PT
Date: Fri, 6 May 2016 15:50:19 +0200

On 05/05/2016 02:29 PM, Daniel Golle wrote:
> Hi everyone!
> I got a bunch of questions about the subsystems mentioned above:
> 1. If TUNNEL_IPV? is set in [pt], how is the choice of gateway
> implemented? Is there a way to explicitly choose a specific exit peer?

Nope, the current code is supposed to find "some" peer that allows
exiting to the specified destination, but there is no way from the
outside to influence the endpoint of the tunnel.

> 2. How to implement access control for default-route exits and
> services? Other (IP-based) overlays allow using the usual netfilter
> and hosts_access mechanisms, while (obviously) this is not possible
> for gnunet-exit... So what if I want to offer a gateway to the ARPA
> internet or a specific local service only to my friends (and maybe
> or maybe not: their friends as well...)

You can restrict the EXIT by IP address. Also, you can use exit to offer
access to only very specific services. In that case, the services get a
name and you create a VPN service record in GNS. If you do that, you can
use a passphrase as the label and thereby restrict who can access the
service.  What you cannot do right now is offer an exit that isn't to a
specific address and then restrict that to friends.

> 3. I set up an EXIT service allowing to connect to IPv4 SSH service
> running on my local machine. It works fine to connect to it using
> gnunet-vpn -4 -s ssh -t -p ...
> However, when I use
> gnunet-vpn -6 -s ssh -t -p ...
> it returns an IPv6 address, however, no packets ever hit the
> gnunet-exit interface on the machine. Is that a bug or a feature?

That sounds like a bug, the code should do v6/v4 protocol translation.
There is even a test for that.

> Maybe more will follow, here at battlemesh we started playing with
> GNUnet and folks are curious to see how it can be useful for their
> daily low-bandwidth remote-access and tunneling needs.

The feature-set is admittedly still a bit, eh, limited ;-).
