Open marek22k opened 8 months ago
I have now also tested the whole thing briefly with Tinc 1.1 and after I corrected one thing, everything worked.
The only thing - which I can't solve via Systemd - is that you now have to specify the pid file manually to control the VPN daemon.
tinc -n test --pidfile=/var/run/tinc/test.pid [command]
The background to why this is the case: with ProtectSystem=strict, (almost) the whole file system becomes read-only, so /var/run does too. Certain directories can then be made read-write again. However, if I also allowed write access to /var/run, Tinc could manipulate the files of other programs. For this reason, an extra directory /var/run/tinc (via RuntimeDirectory=tinc) is created for Tinc, and I give this directory write access. Since the normal Tinc daemon expects a different path, the pid file must be specified manually.
Another possibility would be to change the default path in the code itself.
Security has been improved from "9.6 UNSAFE 😨" to "2.1 OK 🙂".
systemd-analyze security tinc@
returns now:
I have successfully tested the change in both router and switch mode in a GNS3 lab between two peers (running tinc from debian stable). However, it would be great if someone else could test this as well.
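To illustrate how the settings discussed in this comment fit together, here is an added example unit fragment; it is not the unit file from this PR, and the tincd path, the -D (no-detach) flag and the ReadWritePaths line are assumptions for illustration only.

```ini
# tinc@.service (illustrative fragment, not the PR's unit file)
# %i is the network name, e.g. "test" for tinc@test.service
[Unit]
Description=tinc VPN for network %i
After=network.target

[Service]
Type=simple
# Creates /run/tinc (i.e. /var/run/tinc) before start and removes it on stop.
# Because it is created by systemd, it stays writable under ProtectSystem=strict,
# while the rest of /var/run remains read-only to the daemon.
RuntimeDirectory=tinc
RuntimeDirectoryMode=0750
# Almost the entire file system is read-only; only the runtime directory
# (and anything listed in ReadWritePaths) can be written to.
ProtectSystem=strict
# Assumption: the daemon needs its own network directory for host files.
ReadWritePaths=/etc/tinc/%i
# The pid file must live in the writable runtime directory, so the default
# location (/var/run/tinc.%i.pid) cannot be used; pass it explicitly.
ExecStart=/usr/sbin/tincd -n %i -D --pidfile=/run/tinc/%i.pid

[Install]
WantedBy=multi-user.target
```

Because the pid file is no longer at the default path, control commands need the same option, e.g. tinc -n test --pidfile=/run/tinc/test.pid reload; systemd-analyze security tinc@ shows the resulting exposure score.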