On Thu, 21 Jan 2016 17:18:27 -0800, Grant wrote:

> > There is ZeroTier as a replacement for OpenVPN, and Syncthing for
> > syncing. Both are P2P solutions and you can run your own discovery
> > servers if you don't want any traffic going through a 3rd party
> > (although they don't send data through the servers).
> >
> > I've no idea whether that would meet your security criteria but it
> > certainly fulfils the "easier than OpenVPN" one. It will take only a
> > few minutes to install and setup using the public servers, although,
> > as I said, your network is never public, so you can check whether
> > they do what you want. Then you can look at hosting your own server
> > for security.
> >
> > https://www.zerotier.com/
> > https://syncthing.net/

> Zerotier looks especially interesting.  Can I have machine A listen for
> Zerotier connections, have machine B connect to machine A via Zerotier,
> have machine C connect to machine A via Zerotier, and rsync push from B
> to C?

You set up a network and the machines all connect to that network, so A,
B and C can all talk to each other.

> Does connecting two machines via Zerotier involve any security
> considerations besides those involved when connecting those machines to
> the internet?  In other words, is it a simple network connection or are
> other privileges involved with that connection?

Connections are encrypted, handled by the ZeroTier protocols, but
otherwise it behaves like a normal network connection.

> Can I somehow require the Zerotier connection between machines A and C
> in order for C to pass HTTP basic authentication on my web server which
> resides elsewhere?  Maybe I can route all traffic from machine C to my
> web server through C's Zerotier connection to A and lock down basic
> authentication on my web server to machine A?

Your ZeroTier connections are on a separate network, you pick an address
block when you set up the network but that network is only accessible to
other machines connected to your ZeroTier network. You can have ZT
allocate addresses within that block, it's not dynamic addressing because
once a client is given an address, it always gets the same address, or you
can specify the address for each client. So you can include an address
requirement in your .htaccess to ensure connections are only allowed from
your ZT network.
-- 
Neil Bothwick

furbling, v.:
        Having to wander through a maze of ropes at an airport or bank
        even when you are the only person in line.
                -- Rich Hall, "Sniglets"
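As an added example (not part of Neil's message or of ZeroTier's own documentation), an Apache 2.4 .htaccess that expresses the address requirement described above; the address block and password file path are placeholders, and it assumes the web server sees the ZeroTier address as the request's source (it is itself a member of the network, or the traffic reaches it via machine A as Grant proposed).

```apache
# Constructed example: accept HTTP basic authentication only for requests
# arriving from the ZeroTier address block. 10.147.17.0/24 stands in for
# the block chosen when the network was created; the htpasswd path is also
# a placeholder.

AuthType Basic
AuthName "Restricted"
AuthUserFile /var/www/.htpasswd

# RequireAll makes both conditions mandatory. Bare Require lines without a
# container are treated as RequireAny, under which either a valid password
# from any address or any request from the block with no password at all
# would be enough to get in. Keep the wrapper.
<RequireAll>
    Require ip 10.147.17.0/24
    Require valid-user
</RequireAll>
```

Test it from a machine outside the ZeroTier network: a correct username and password must still be refused, which is the behaviour that distinguishes RequireAll from the RequireAny default.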
