From charlesreid1

Tincd experiment to debug all the headaches we're having:

  • Create three AWS nodes
  • Set them up with debian dotfiles
  • Install tinc

Now we have a brady bunch.

Following this guide: https://linode.com/docs/networking/vpn/how-to-set-up-tinc-peer-to-peer-vpn/

Step 0: Set Up Nodes

A bit painful. Still need to smooth this out.

The Ubuntu flavor of cloud-init will accept bash scripts with a shebang; AWS cloud-init will not.

More info: https://stackoverflow.com/a/17827406/463213

Need to MIME-encode everything. (Maybe as simple as copying and pasting a URL?)

Cannot customize the machine name for curl-pipe-to-bash (had to download the script, sed -i it to replace blackbeard with the other name, etc.).

The tincd installation script does not get the hostname dynamically and does not intelligently pick an IP address. Pick a random IP in the 100-200 range: 0-100 is reserved, 200+ is the high seas.

The most painful part is that we cannot SSH in. The script is supposed to check for the existence of /home/ubuntu/.ssh/authorized_keys and copy it into our user's authorized_keys, but this did not work. Had to manually SSH into the machine, run the cat command, log out, then try again.

Real solution: have a reserved private/public key pair and hard-code the public key.


Step 1: Prep Nodes

Update the package index and install the build dependencies:

sudo apt update && sudo apt upgrade
sudo apt -y install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev

Step 2: Install Tinc

Install tinc from source:

#!/bin/bash

cd /tmp
wget https://tinc-vpn.org/packages/tinc-1.0.33.tar.gz
tar -xf tinc-1.0.33.tar.gz
cd tinc-1.0.33
./configure --prefix=
make
sudo make install

Step 3: Set Up Tinc

Create VPN Directory

Create a working directory for our network, which we'll call zombie, and a place inside it for the VPN host files to live.

export LABEL="zombie"
sudo mkdir -p /etc/tinc/$LABEL/hosts

Create VPN Config

Create the config file (modify Name and ConnectTo for each machine). Note that a plain sudo cat > file does not work here: the redirect runs as the unprivileged user and fails on /etc/tinc, so the write goes through sudo tee instead:

sudo tee /etc/tinc/$LABEL/tinc.conf > /dev/null <<EOL
Name = machineX
Device = /dev/net/tun
AddressFamily = ipv4
ConnectTo = machineY
EOL

Create VPN Host Files

Make one host file per machine, on the corresponding machine (modify to use the real public IP address and a VPN subnet address that matches the one in tinc-up; written via sudo tee for the same reason as above):

sudo tee /etc/tinc/$LABEL/hosts/machineX > /dev/null <<EOL
Address = A.B.C.D
Subnet = 10.6.0.Z
EOL

Now you will need to generate a public/private key pair using tinc. The private key will live in /etc/tinc/$LABEL/ and the public key will be appended to this machine's host file in /etc/tinc/$LABEL/hosts. The key size is an optional argument to -K, so it is attached with no space:

sudo tincd -n $LABEL -K4096

Once you've done this on each machine, copy each machine's completed host file (with the public key appended) to every other server, so that every node's hosts/ directory contains all of them.
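A consistency check for the directory this section builds, as an added example (not code from the page or from the tinc project): it parses tinc.conf and the hosts/ files and flags the things that most often keep a node from joining, namely a ConnectTo with no matching host file, a host file that has no public key yet, two nodes claiming the same Subnet, or a Subnet outside the 10.6.0.100-200 range used above. The sample files, the 203.0.113.x addresses and the key-block placeholder are constructed.

```python
import ipaddress
import re
# "Key = Value" lines as used in tinc.conf and hosts/* files.
KV_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")

def parse_tinc(text):
    """Return {key: [values]}; a pasted public key block is noted as '_has_key'."""
    conf, in_key = {}, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN"):
            in_key, conf["_has_key"] = True, True
        if in_key:
            in_key = not line.startswith("-----END")
            continue
        m = KV_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            conf.setdefault(m.group(1), []).append(m.group(2))
    return conf

def check_network(tinc_conf, hosts, vpn_net="10.6.0.0/24", lo=100, hi=200):
    """hosts maps hostname -> text of hosts/<hostname>. Returns a list of problems."""
    problems, net, seen = [], ipaddress.ip_network(vpn_net), {}
    me = parse_tinc(tinc_conf)
    name = me.get("Name", [None])[0]
    if name not in hosts:
        problems.append(f"Name = {name} but hosts/{name} does not exist")
    for peer in me.get("ConnectTo", []):
        if peer == name:
            problems.append("ConnectTo points at this node itself")
        elif peer not in hosts:
            problems.append(f"ConnectTo = {peer} but hosts/{peer} is missing")
    for host, text in hosts.items():
        h = parse_tinc(text)
        if not h.get("_has_key"):
            problems.append(f"hosts/{host}: no public key (run tincd -K there and copy the file)")
        for sub in h.get("Subnet", []):
            try:
                s = ipaddress.ip_network(sub, strict=False)  # "10.6.0.150" -> /32
            except ValueError:
                problems.append(f"hosts/{host}: bad Subnet {sub!r}")
                continue
            if not s.subnet_of(net) or not lo <= s.network_address.packed[-1] <= hi:
                problems.append(f"hosts/{host}: Subnet {sub} outside {vpn_net} .{lo}-.{hi}")
            if s in seen:
                problems.append(f"Subnet {sub} claimed by both {seen[s]} and {host}")
            seen[s] = host
    return problems

# Constructed sample: machineY has no public key yet and reuses machineX's VPN address.
SAMPLE_CONF = "Name = machineX\nDevice = /dev/net/tun\nAddressFamily = ipv4\nConnectTo = machineY\n"
SAMPLE_HOSTS = {"machineX": "Address = 203.0.113.10\nSubnet = 10.6.0.150\n"
                            "-----BEGIN RSA PUBLIC KEY-----\nMIIB...constructed...\n-----END RSA PUBLIC KEY-----\n",
                "machineY": "Address = 203.0.113.11\nSubnet = 10.6.0.150\n"}
```

To run it against a real node, read /etc/tinc/$LABEL/tinc.conf and each file under hosts/ into the two arguments; an empty list means the layout is consistent.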

Create VPN Control Scripts

Create control scripts to bring the VPN up/down.

Create the tinc-up script (modify the IP address). The heredoc delimiter is quoted so that $INTERFACE is written into the script literally; tincd sets it in the environment when it runs the script, and an unquoted heredoc would expand it to nothing at creation time:

sudo tee /etc/tinc/$LABEL/tinc-up > /dev/null <<'EOL'
#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.6.0.X dev $INTERFACE
ip route add 10.6.0.0/24 dev $INTERFACE
EOL

Create the tinc-down script the same way, then make both scripts executable:

sudo tee /etc/tinc/$LABEL/tinc-down > /dev/null <<'EOL'
#!/bin/sh
ip route del 10.6.0.0/24 dev $INTERFACE
ip addr del 10.6.0.X dev $INTERFACE
ip link set $INTERFACE down
EOL
sudo chmod 755 /etc/tinc/$LABEL/tinc-*

Next Steps

Fix this script: https://git.charlesreid1.com/dotfiles/debian/src/branch/master/dotfiles/scripts/tincd_install.sh