
Tinc 1.1 on OpenWRT 21.02 fails to connect tinc 1.0 on Debian

Open · fangfufu opened this issue 2 years ago · 1 comment

The latest version of OpenWRT (21.02) only ships with tinc 1.1. I have never used Tinc 1.1 before. The copy running on my router is giving me interesting errors that I am not sure about.

root@hermes:/tmp/log# tincd -n tinc -D
tincd UNKNOWN (Sep  1 2021 19:53:58) starting, debug level 0
Error reading Ed25519 private key file `/etc/tinc/tinc/ed25519_key.priv': No such file or directory
Create an Ed25519 keypair with `tinc -n tinc generate-ed25519-keys'.
Support for SPTPS disabled.
Warning: insecure file permissions for RSA private key file `/etc/tinc/tinc/rsa_key.priv'!
/dev/net/tun is a Linux tun/tap device (tap mode)
Ready
Unknown digest nid 1056!
Node bethany (151.80.32.71 port 655) uses unknown digest!
Error while processing ANS_KEY from bethany (151.80.32.71 port 655)
Unknown digest nid 1056!
Node gabriel (142.4.213.77 port 655) uses unknown digest!
Error while processing ANS_KEY from gabriel (142.4.213.77 port 655)
Unknown digest nid 1056!
Node gabriel (142.4.213.77 port 655) uses unknown digest!
Error while processing ANS_KEY from bethany (151.80.32.71 port 655)
Unknown digest nid 1056!
Node gabriel (142.4.213.77 port 655) uses unknown digest!
Error while processing ANS_KEY from gabriel (142.4.213.77 port 655)
Unknown digest nid 1056!
Node bethany (151.80.32.71 port 655) uses unknown digest!
Error while processing ANS_KEY from bethany (151.80.32.71 port 655)
Unknown digest nid 1056!
Node gabriel (142.4.213.77 port 655) uses unknown digest!
Error while processing ANS_KEY from gabriel (142.4.213.77 port 655)
^CGot Interrupt signal
Terminating
root@hermes:/tmp/log# 

Is this due to the way tinc is compiled? Does that mean this particular copy of tinc does not support the 1.0 protocol? Should I go and report this to the package maintainer at OpenWRT?

Also the way they do the versioning is kind of "interesting" too - the binary package has the name tinc_1.1-git-2 (https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/packages/), and tincd reports version UNKNOWN.

fangfufu, Sep 12 '21 23:09

nid 1056 is used for blake2.

https://github.com/openssl/openssl/blob/d1460afdfcb3c90df612896d40d35c6627a5967c/include/openssl/obj_mac.h#L2295-L2297

I'm guessing your 1.0 node uses blake2, which isn't supported by openssl on the 1.1 node.

Could you post the output of

$ openssl dgst -list

from your router?

If blake2 is missing, this isn't really relevant to tinc, although we could add a better error message.

hg, May 25 '22 09:05

I can't actually run $ openssl dgst -list on OpenWRT, because it doesn't have OpenSSL installed. It has wolfSSL installed. It turns out the solution is to change the node to use AES - this has to be done on the node itself, under the node's host file. Doing it on the connecting node is not enough.

For example, let's say a network is named tinc and has node A and node B. If node A complains about node B, you have to change the Cipher and Digest in /etc/tinc/tinc/hosts/B.

fangfufu, Jul 24 '23 23:07
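A small check that catches this mismatch before the ANS_KEY errors appear: read the Digest each peer advertises in its host file and compare it against the digests the local crypto library lists via `openssl dgst -list`. This is an added example, not tinc's own code; the host files and the `dgst -list` excerpt are constructed, and it assumes the tinc binary is linked against the same library whose list is parsed (on a wolfSSL build of tinc, the supported set would have to come from elsewhere).

```python
# Constructed sample tinc host files ("Key = value" lines plus the node's RSA key), not from the issue.
HOST_FILES = {
    "bethany": """Address = bethany.example.invalid
Cipher = aes-256-cbc
Digest = blake2b512
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAplaceholderbase64==
-----END RSA PUBLIC KEY-----
""",
    "gabriel": """Address = gabriel.example.invalid
Cipher = aes-256-cbc
Digest = sha256
""",
}
# Constructed excerpt of `openssl dgst -list` from a build without BLAKE2 (the router's real output is not in the issue).
DGST_LIST = """Supported digests:
-md4                       -md5                       -sha1
-sha224                    -sha256                    -sha384
-sha512                    -ripemd160
"""


def parse_host_file(text):
    """Return {lower-case key: value} for a tinc host file, skipping comments and the PEM key block."""
    settings, in_pem = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_pem = line.startswith("-----BEGIN")  # enter on BEGIN, leave on END
            continue
        if in_pem or not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def parse_dgst_list(text):
    """Collect digest names from `openssl dgst -list` output (the tokens that start with '-')."""
    return {tok[1:].lower() for tok in text.split() if tok.startswith("-")}


def unsupported_digests(host_files, supported):
    """Map host name -> Digest value for every peer whose advertised digest the local library lacks."""
    problems = {}
    for name, text in host_files.items():
        # tinc 1.0 uses sha1 when a host file sets no Digest.
        digest = parse_host_file(text).get("digest", "sha1").lower()
        if digest not in supported:
            problems[name] = digest
    return problems
```

Any host it reports is one whose hosts file (on that node, as the thread notes) needs a Cipher/Digest the peer's library actually supports.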