From charlesreid1

Revision as of 10:09, 21 January 2018

What is Tinc

Tinc is a mesh-style VPN software that is very lightweight and easier to configure (and more flexible) than OpenVPN. Tinc is not good for large networks, but it's perfect for a small group of servers that simply need to have access to one another.

Installing Tinc

Do it the easy way...

Mac

$ brew install tinc

[...snip...]

$ which tincd
/usr/local/sbin/tincd

$ tincd --version
tinc version 1.0.33
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.
See the AUTHORS file for a complete list.

tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,
and you are welcome to redistribute it under certain conditions;
see the file COPYING for details.

Debian Linux

On Linux:

$ apt-get install tinc

This will install a daemon called tincd, accessible to the root user only.

$ sudo su
[sudo] password for charles:

root@jupiter:/home/charles# which tincd
/usr/sbin/tincd

root@jupiter:/home/charles# tincd --version
tinc version 1.0.31
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.
See the AUTHORS file for a complete list.

tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,
and you are welcome to redistribute it under certain conditions;
see the file COPYING for details.

Configuring Tinc

In Tinc you create different named mesh networks. One computer can be a part of multiple networks. Here we set up the network "starwars" to connect servers "vader" and "luke".

(The tinc documentation [1] also mentions that the network interface that is created will have the same name as the network.)

Configuration files that are needed:

  • tinc.conf to specify the name of this machine and the name(s) of the machine(s) it connects to
  • tinc-up to instruct how to bring up the VPN network interface and what IP address to give it
  • tinc-down to instruct how to bring down the VPN network interface

These config files should go in:

  • /etc/tinc on linux (using aptitude tinc)
  • /usr/local/etc/tinc on mac (using homebrew tinc)

On server 1 (maya, mac os x)

Following are instructions used to set up tinc on Maya, a Mac OS X laptop, using the homebrew-installed tinc.

Create a network configuration directory /usr/local/etc/tinc/

Within that, create a directory with the same name as the network, master/

mkdir -p /usr/local/etc/tinc/master/
cd /usr/local/etc/tinc/master/

Now create a tinc.conf file:

/usr/local/etc/tinc/master/tinc.conf on server "maya"

# The name of the node, must be unique for the network 
Name = maya

# Either ipv4 or ipv6
AddressFamily = any

# Use TAP
Device = /dev/net/tun

# Put Tinc in TAP mode
Mode = switch

# Nodes to connect
ConnectTo = jupiter

Now create a tinc-up file:

/usr/local/etc/tinc/master/tinc-up on server "maya"

#!/bin/sh 
ifconfig $INTERFACE 10.25.0.1 netmask 255.255.0.0

This will result in the server "maya" having the VPN IP address 10.25.0.1

Finally, create a tinc-down file:

/usr/local/etc/tinc/master/tinc-down on server "maya"

#!/bin/sh 
ifconfig $INTERFACE down

Make the up/down files executable:

chmod +x tinc-*

On server 2 (jupiter, debian linux)

Following are the configuration steps taken on Jupiter, a Debian Linux server.

Start by creating a folder with the same name as the network:

mkdir -p /etc/tinc/master/
cd /etc/tinc/master/

/etc/tinc/master/tinc.conf on server "jupiter"

# The name of the node, must be unique for the network 
Name = jupiter

# Either ipv4 or ipv6
AddressFamily = any

# Use TAP
Device = /dev/net/tun

# Put Tinc in TAP mode
Mode = switch

# Nodes to connect
ConnectTo = maya

Now create a tinc-up file:

/etc/tinc/master/tinc-up on server "jupiter"

#!/bin/sh 
ifconfig $INTERFACE 10.25.0.2 netmask 255.255.0.0

This will result in the server "jupiter" having the VPN IP address 10.25.0.2

Finally, create a tinc-down file:

/etc/tinc/master/tinc-down on server "jupiter"

#!/bin/sh 
ifconfig $INTERFACE down

Make the tinc-* files executable:

chmod +x tinc-*

Tinc Hostfiles

The last step is to create a hosts folder to hold keys and other information about this host (and other hosts).

In /etc/tinc/master/ create a directory called hosts. We will create a machine file in this directory with information about the machine's real (non-VPN) IP address, its VPN subnet, and its RSA public key. This machine file can then be copied to any other machine that wants to connect to our machine.

Start by creating a hosts directory (note that on Mac the location is /usr/local/etc/tinc instead of /etc/tinc, but this is the only difference).

Hostfile for maya (mac os x)

$ mkdir /usr/local/etc/tinc/master/hosts/
$ cd /usr/local/etc/tinc/master/hosts/

Now edit a file called maya:

/usr/local/etc/tinc/master/hosts/maya

Address = 192.168.125.10
Subnet = 10.0.0.0/16

Now, the last step is to generate a public and private key pair for this machine and append the public key to the end of this machine file. tincd does both for you: it writes the private key to rsa_key.priv in the network directory and appends the public key to the host file. Do this by executing the following command:

$ sudo tincd -n master -K

This will modify the maya file to look like this:

Address = 192.168.125.10
Subnet = 10.0.0.0/16

-----BEGIN RSA PUBLIC KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PUBLIC KEY-----

This file can now be copied to other machines so that they can access maya.

$ sudo tincd -n master -K
Password:
Generating 2048 bits keys:
....+++ p
..............................................+++ q
Done.
Please enter a file to save private RSA key to [/usr/local/etc/tinc/master/rsa_key.priv]:
Warning: old key(s) found and disabled.
Please enter a file to save public RSA key to [/usr/local/etc/tinc/master/hosts/maya]:
Warning: old key(s) found and disabled.


Hostfile for jupiter (debian linux)

$ mkdir /etc/tinc/master/hosts/
$ cd /etc/tinc/master/hosts/

Now edit a file called jupiter:

/etc/tinc/master/hosts/jupiter

Address = 192.168.125.55
Subnet = 10.0.0.0/16

Now generate a public/private key pair and append the public key to the end of the machine file:

$ sudo tincd -n master -K

This will modify the jupiter file to look like this:

Address = 192.168.125.55
Subnet = 10.0.0.0/16

-----BEGIN RSA PUBLIC KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PUBLIC KEY-----

This file can now be copied to other machines so that they can access jupiter.

root@jupiter:/etc/tinc/master/hosts# tincd -n master -K
Generating 2048 bits keys:
...+++ p
.................................................................................................................................+++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/master/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/master/hosts/jupiter]:
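A configuration check covering both the config files above (tinc.conf, tinc-up) and the host files in this section. This is an added example, not code from this page or from tinc itself; the file names and settings it reads are the ones the page creates, and the sample directory contents are constructed from the page's maya/jupiter values with a fake key body. The function and constant names (check_network, load_network, key_fingerprint, SAMPLE_MAYA) are this example's own. Run on the page's own values it reports one finding: the tinc-up address 10.25.0.1 is not inside Subnet = 10.0.0.0/16. With Mode = switch tinc learns MAC addresses instead of routing on Subnet, so that mismatch does not block this particular setup, but it would matter in router mode, and the check catches it before anyone changes Mode.

```python
"""Offline sanity check for a tinc network directory (tinc.conf, tinc-up, hosts/*).

Added example, not part of the page or of tinc. It flags the mistakes that make a
first connection fail or weaken the setup: a ConnectTo peer with no host file, a
host file with no Address or no public key, a tinc-up address outside the node's
own Subnet, a non-executable tinc-up, and a group/world-readable rsa_key.priv.
"""
import hashlib
import ipaddress
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN RSA PUBLIC KEY-----\s*(.*?)\s*-----END RSA PUBLIC KEY-----", re.S
)


def parse_kv(text):
    """Parse 'Key = Value' lines (tinc.conf and host file syntax).

    '#' comments are dropped and the PEM block is removed first so its base64
    lines are never read as settings. Repeated keys (several ConnectTo or
    Subnet lines) are kept as a list.
    """
    settings = {}
    for line in PEM_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key, []).append(value)
    return settings


def key_fingerprint(hostfile_text):
    """SHA-256 hex of the public key's base64 body (whitespace removed), or None.

    Two admins can read this value to each other to confirm the host file copied
    between machines was not altered on the way.
    """
    match = PEM_RE.search(hostfile_text)
    if not match:
        return None
    body = re.sub(r"\s+", "", match.group(1)).encode()
    return hashlib.sha256(body).hexdigest()


def tinc_up_address(tinc_up_text):
    """Extract the VPN address/netmask from an 'ifconfig $INTERFACE ...' line."""
    match = re.search(r"ifconfig\s+\$INTERFACE\s+(\S+)\s+netmask\s+(\S+)", tinc_up_text)
    if not match:
        return None
    return ipaddress.ip_interface(f"{match.group(1)}/{match.group(2)}")


def check_network(files, modes=None):
    """Return a list of problem strings for one network directory.

    files: relative path -> contents ("tinc.conf", "tinc-up", "hosts/<name>").
    modes: relative path -> permission bits, for the executable/private-key checks.
    """
    modes = modes or {}
    problems = []
    conf = parse_kv(files.get("tinc.conf", ""))
    name = conf.get("Name", [None])[0]
    if name is None:
        problems.append("tinc.conf: Name is missing")
    own = files.get(f"hosts/{name}")
    if name is not None and own is None:
        problems.append(f"hosts/{name}: missing; run tincd -n <net> -K to create it")
    for peer in conf.get("ConnectTo", []):
        peer_file = files.get(f"hosts/{peer}")
        if peer_file is None:
            problems.append(f"ConnectTo = {peer} but hosts/{peer} is missing")
            continue
        if "Address" not in parse_kv(peer_file):
            problems.append(f"hosts/{peer}: no Address line, cannot connect outbound")
        if key_fingerprint(peer_file) is None:
            problems.append(f"hosts/{peer}: no RSA public key")
    up = files.get("tinc-up")
    if up is not None:
        addr = tinc_up_address(up)
        if addr is None:
            problems.append("tinc-up: no 'ifconfig $INTERFACE <ip> netmask <mask>' line")
        elif own is not None:
            for subnet in parse_kv(own).get("Subnet", []):
                if addr.ip not in ipaddress.ip_network(subnet, strict=False):
                    problems.append(f"tinc-up address {addr.ip} is not inside hosts/{name} Subnet = {subnet}")
        if "tinc-up" in modes and not modes["tinc-up"] & 0o111:
            problems.append("tinc-up is not executable (chmod +x tinc-*)")
    if "rsa_key.priv" in modes and modes["rsa_key.priv"] & 0o077:
        problems.append("rsa_key.priv is readable by group/others; chmod 600 it")
    return problems


def load_network(netdir):
    """Read a real network directory into the (files, modes) shape check_network expects."""
    root = Path(netdir)
    files, modes = {}, {}
    for path in list(root.glob("*")) + list(root.glob("hosts/*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            files[rel] = path.read_text()
            modes[rel] = path.stat().st_mode & 0o777
    return files, modes


# Constructed sample mirroring the page's "maya" node; the key body is fake.
FAKE_KEY = "-----BEGIN RSA PUBLIC KEY-----\n" + "X" * 36 + "\n" + "X" * 36 + "\n-----END RSA PUBLIC KEY-----\n"
SAMPLE_MAYA = {
    "tinc.conf": "Name = maya\nAddressFamily = any\nDevice = /dev/net/tun\nMode = switch\nConnectTo = jupiter\n",
    "tinc-up": "#!/bin/sh\nifconfig $INTERFACE 10.25.0.1 netmask 255.255.0.0\n",
    "hosts/maya": "Address = 192.168.125.10\nSubnet = 10.0.0.0/16\n\n" + FAKE_KEY,
    "hosts/jupiter": "Address = 192.168.125.55\nSubnet = 10.0.0.0/16\n\n" + FAKE_KEY,
}
SAMPLE_MODES = {"tinc-up": 0o755, "rsa_key.priv": 0o600}

if __name__ == "__main__":
    for problem in check_network(SAMPLE_MAYA, SAMPLE_MODES):
        print("-", problem)
```

Point load_network at /etc/tinc/master (or /usr/local/etc/tinc/master on the Mac) and pass its result to check_network before starting tincd. After copying a host file to the other machine, compare key_fingerprint of the copy on both sides over a channel you already trust; tinc authenticates peers with exactly that key, so a wrong or swapped host file is the one thing the daemon cannot detect for you.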

Notes

https://silvenga.com/deploy-a-tinc-mesh-vpn-running-tap/

http://www.allsundry.com/2011/04/10/tinc-better-than-openvpn/

All the setup you need:

In /etc/netname/tinc.conf:
Name = host1
ConnectTo = host2

In /etc/netname/tinc-up
ifconfig $INTERFACE 192.168.XX.1 netmask 255.255.0.0

# Generate keypairs for host
tincd -n netname -K

# Create the file for this host. These lines go at the top of /etc/netname/hosts/host1, above the public key
Address = host1.full.domain.com
Subnet = 192.168.XX.0/24

Flags