Tinc
From charlesreid1
This was supposed to be simple. 15 pages of notes later...
Also see Tinc/NewNode
TODO: Clarify what commands are being run on which machine. give the high level overview of what machine uses which host files.
What is Tinc
Tinc is a lightweight mesh-style VPN daemon that is easier to configure, and more flexible, than OpenVPN. It does not scale to large networks, but it is a good fit for a small group of servers that simply need to reach one another. Every node holds an RSA key pair, and a node will authenticate a peer only if it has that peer's host file (which carries the peer's public key), so the host files you copy between machines are the trust anchors of the mesh.
Installing Tinc
Do it the easy way...
Mac
$ brew install tinc
[...snip...]
$ which tincd
/usr/local/sbin/tincd
$ tincd --version
tinc version 1.0.33
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.
See the AUTHORS file for a complete list.
tinc comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions; see the file COPYING for details.
Debian Linux
On Debian:
$ sudo apt-get install tinc
This installs the daemon tincd under /usr/sbin, which is on root's PATH but usually not on a normal user's, so run it via sudo or as root:
$ sudo su
[sudo] password for charles:
root@jupiter:/home/charles# which tincd
/usr/sbin/tincd
root@jupiter:/home/charles# tincd --version
tinc version 1.0.31
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.
See the AUTHORS file for a complete list.
tinc comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions; see the file COPYING for details.
Both versions shown on this page (1.0.33 from Homebrew, 1.0.31 from Debian) predate tinc 1.0.35, which fixed authentication weaknesses in the tinc 1.0 protocol reported in 2018; use 1.0.35 or later.
Configuring Tinc
In Tinc you create different named mesh networks, and one computer can belong to several of them. Here we set up a network named "master" that connects two nodes, "maya" (a Mac OS X laptop) and "jupiter" (a Debian server).
(The tinc documentation [1] also mentions that the network interface that is created will have the same name as the network.)
Configuration files that are needed:
- tinc.conf to specify the name of this machine and the name(s) of the machine(s) to connect to
- tinc-up to bring up the VPN network interface and assign its IP address
- tinc-down to bring down the VPN network interface
These config files go in a directory named after the network, under:
/etc/tinc on Linux (tinc from apt)
/usr/local/etc/tinc on Mac (tinc from Homebrew)
On server 1 (maya, mac os x)
Following are instructions used to set up tinc on Maya, a Mac OS X laptop, using the homebrew-installed tinc.
Create a network configuration directory /usr/local/etc/tinc/
Within that, create a directory with the same name as the network, master/
mkdir -p /usr/local/etc/tinc/master/
cd /usr/local/etc/tinc/master/
Now create a tinc.conf file:
/usr/local/etc/tinc/master/tinc.conf on server "maya"
Name = maya
AddressFamily = any
Mode = switch
ConnectTo = jupiter
Mode = switch makes tinc behave like an Ethernet switch over a tap device (which is why the tuntap package is needed on the Mac, below) rather than routing by the Subnet lines in the host files. ConnectTo = jupiter makes maya keep trying to open a connection to jupiter at the Address given in hosts/jupiter.
Now create a tinc-up file:
/usr/local/etc/tinc/master/tinc-up on server "maya"
#!/bin/sh
ifconfig $INTERFACE 10.6.0.2 netmask 255.255.0.0
This will result in the server "maya" having the VPN IP address 10.6.0.2
Finally, create a tinc-down file:
/usr/local/etc/tinc/master/tinc-down on server "maya"
#!/bin/sh
ifconfig $INTERFACE down
Make the up/down files executable:
chmod +x tinc-*
On server 2 (jupiter, debian linux)
Following are the configuration steps taken on Jupiter, a Debian Linux server.
Start by creating a folder with the same name as the network:
mkdir -p /etc/tinc/master/
cd /etc/tinc/master/
/etc/tinc/master/tinc.conf on server "jupiter"
Name = jupiter
AddressFamily = any
Mode = switch
ConnectTo = maya
Now create a tinc-up file:
/etc/tinc/master/tinc-up on server "jupiter"
#!/bin/sh
ifconfig $INTERFACE 10.6.0.1 netmask 255.255.0.0
This will result in the server "jupiter" having the VPN IP address 10.6.0.1
Finally, create a tinc-down file:
/etc/tinc/master/tinc-down on server "jupiter"
#!/bin/sh
ifconfig $INTERFACE down
Make the tinc-* files executable:
chmod +x tinc-*
Tinc Hostfiles
The last step is to create a hosts folder to hold keys and other information about this host (and the other hosts).
In /etc/tinc/master/ (on the Mac, /usr/local/etc/tinc/master/; this is the only difference) create a directory called hosts. In it we create a file named after this machine, holding its IP address, VPN subnet and RSA public key. That file is then copied to any other machine that wants to connect to ours. It contains no secret, but it is the trust anchor: a node authenticates a peer only if it holds that peer's host file, so copy host files over an authenticated channel such as scp, and only install host files of machines you want in the mesh.
Hostfile for maya (mac os x)
Link: https://git.charlesreid1.com/charlesreid1/tinc-hosts
mkdir /usr/local/etc/tinc/master/hosts/
cd /usr/local/etc/tinc/master/hosts/
Now edit a file called maya:
/usr/local/etc/tinc/master/hosts/maya
Address = 192.168.125.10
Subnet = 10.0.0.0/16
Address is where other nodes reach maya (a LAN address here, so this mesh only works inside that LAN unless you use a public address and forward port 655). Note that the address tinc-up assigns, 10.6.0.2 with netmask 255.255.0.0, lies in 10.6.0.0/16, not in 10.0.0.0/16; in switch mode tinc forwards by learned MAC addresses rather than by Subnet lines, so the mismatch does not break anything, but keep the two consistent.
Now, the last step is to generate a public and private key pair for this machine and append the public key to the end of this machine file. Do this by executing the following command:
$ sudo tincd -n master -K
Password:
Generating 2048 bits keys:
....+++ p
..............................................+++ q
Done.
Please enter a file to save private RSA key to [/usr/local/etc/tinc/master/rsa_key.priv]:
Warning: old key(s) found and disabled.
Please enter a file to save public RSA key to [/usr/local/etc/tinc/master/hosts/maya]:
Warning: old key(s) found and disabled.
This will modify the maya file to look like this:
Address = 192.168.125.10
Subnet = 10.0.0.0/16
-----BEGIN RSA PUBLIC KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PUBLIC KEY-----
This file can now be copied to other machines so that they can access maya. Only the host file travels: rsa_key.priv stays on maya and must be readable by root only (check with ls -l). The "old key(s) found and disabled" warning means a previous key pair was replaced; every other node still holding the old hosts/maya needs the new copy before it can authenticate maya again.
Hostfile for jupiter (debian linux)
Link: https://git.charlesreid1.com/charlesreid1/tinc-hosts
$ mkdir /etc/tinc/master/hosts/
$ cd /etc/tinc/master/hosts/
Now edit a file called jupiter:
/etc/tinc/master/hosts/jupiter
Address = 192.168.125.55
Subnet = 10.0.0.0/16
(The same note as for maya applies: 10.6.0.1/16 from tinc-up lies in 10.6.0.0/16, not in 10.0.0.0/16.)
Now generate the public/private key pair and append the public key to the end of the machine file:
root@jupiter:/etc/tinc/master/hosts# tincd -n master -K
Generating 2048 bits keys:
...+++ p
.................................................................................................................................+++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/master/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/master/hosts/jupiter]:
This will modify the jupiter file to look like this:
Address = 192.168.125.55
Subnet = 10.0.0.0/16
-----BEGIN RSA PUBLIC KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PUBLIC KEY-----
This file can now be copied to other machines so that they can access jupiter.
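The steps above (tinc.conf, tinc-up/tinc-down, hosts/NAME, key generation, copying host files) are easy to get slightly wrong in ways tincd only reports at connect time. As an added example, not code from this page or from the tinc project, the POSIX shell script below builds both nodes' configuration trees from those steps under a throwaway directory instead of /etc/tinc, then runs a sanity check over each tree: executable up/down scripts, a host file with a public key for this node and every ConnectTo target, an owner-only private key, and a tinc-up address that lies inside the announced Subnet. Assumptions: node names and addresses are the page's; the public key written into the host files is a placeholder standing in for the block that tincd -n master -K appends; the checker's file layout and messages are this script's, not tinc's.

```shell
#!/bin/sh
# Added example, not code from this page or from the tinc project.
# Builds the page's two-node "master" network (maya <-> jupiter) under a
# throwaway root instead of /etc/tinc, then sanity-checks each tree.
# Assumptions: node names, VPN and LAN addresses are the page's; the public
# key written into the host files is a placeholder standing in for the
# block that `tincd -n master -K` appends.
set -u

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
int2ip() { echo "$(( ($1>>24) & 255 )).$(( ($1>>16) & 255 )).$(( ($1>>8) & 255 )).$(( $1 & 255 ))"; }
mask2prefix() { m=$(ip2int "$1"); n=0; while [ "$m" -ne 0 ]; do n=$((n + (m & 1))); m=$((m >> 1)); done; echo "$n"; }
cidr_of() { echo "$(int2ip $(( $(ip2int "$1") & $(ip2int "$2") )))/$(mask2prefix "$2")"; }
ip_in_cidr() {  # ip_in_cidr 10.6.0.2 10.6.0.0/16 -> true when the address is inside
    net=${2%/*}; plen=${2#*/}
    m=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# tinc_node_config ROOT NET NAME VPN_IP NETMASK LAN_ADDR PEER...
# Writes ROOT/NET/{tinc.conf,tinc-up,tinc-down} and ROOT/NET/hosts/NAME in
# the switch-mode layout the page uses.
tinc_node_config() {
    root=$1; net=$2; name=$3; vpn_ip=$4; mask=$5; lan=$6; shift 6
    d="$root/$net"; mkdir -p "$d/hosts"
    { printf 'Name = %s\nAddressFamily = any\nMode = switch\n' "$name"
      for p in "$@"; do printf 'ConnectTo = %s\n' "$p"; done; } > "$d/tinc.conf"
    printf '#!/bin/sh\nifconfig $INTERFACE %s netmask %s\n' "$vpn_ip" "$mask" > "$d/tinc-up"
    printf '#!/bin/sh\nifconfig $INTERFACE down\n' > "$d/tinc-down"
    chmod 755 "$d/tinc-up" "$d/tinc-down"
    # The host file is what peers trust: Address is where they reach us, Subnet
    # is the VPN range we announce, and `tincd -K` appends our RSA public key.
    printf 'Address = %s\nSubnet = %s\n' "$lan" "$(cidr_of "$vpn_ip" "$mask")" > "$d/hosts/$name"
}

# tinc_check ROOT NET: print one line per problem, return the problem count.
tinc_check() {
    d="$1/$2"; bad=0
    name=$(awk -F' *= *' '$1=="Name"{print $2}' "$d/tinc.conf" 2>/dev/null)
    [ -n "$name" ] || { echo "tinc.conf missing or has no Name"; return 1; }
    for f in tinc-up tinc-down; do
        [ -x "$d/$f" ] || { echo "$f is not executable (chmod +x)"; bad=$((bad+1)); }
    done
    # tincd needs our own host file and one per ConnectTo target, each with a
    # public key, or it cannot authenticate the connection.
    for peer in $name $(awk -F' *= *' '$1=="ConnectTo"{print $2}' "$d/tinc.conf"); do
        if [ ! -f "$d/hosts/$peer" ]; then
            echo "hosts/$peer missing"; bad=$((bad+1))
        elif ! grep -q 'BEGIN RSA PUBLIC KEY' "$d/hosts/$peer"; then
            echo "hosts/$peer has no public key (run: tincd -n $2 -K)"; bad=$((bad+1))
        fi
    done
    # Whoever can read the private key can impersonate this node to every peer
    # holding our host file, so it must be owner-only.
    if [ -f "$d/rsa_key.priv" ]; then
        perm=$(ls -l "$d/rsa_key.priv" | cut -c1-10)
        [ "$perm" = "-rw-------" ] || { echo "rsa_key.priv is $perm, want -rw------- (chmod 600)"; bad=$((bad+1)); }
    fi
    # The address tinc-up assigns should lie inside the Subnet we announce.
    ip=$(awk '/^ifconfig/ {print $3}' "$d/tinc-up")
    sub=$(awk -F' *= *' '$1=="Subnet"{print $2}' "$d/hosts/$name" 2>/dev/null)
    if [ -n "$ip" ] && [ -n "$sub" ] && ! ip_in_cidr "$ip" "$sub"; then
        echo "tinc-up address $ip is outside Subnet $sub"; bad=$((bad+1))
    fi
    return $bad
}

# Demo: both nodes of the page, each holding the other's host file.
ROOT=$(mktemp -d)
KEY='-----BEGIN RSA PUBLIC KEY-----
placeholder: tincd -n master -K writes the real key here
-----END RSA PUBLIC KEY-----'
tinc_node_config "$ROOT/maya"    master maya    10.6.0.2 255.255.0.0 192.168.125.10 jupiter
tinc_node_config "$ROOT/jupiter" master jupiter 10.6.0.1 255.255.0.0 192.168.125.55 maya
for n in maya jupiter; do echo "$KEY" >> "$ROOT/$n/master/hosts/$n"; done
cp "$ROOT/maya/master/hosts/maya" "$ROOT/jupiter/master/hosts/"      # in practice: scp
cp "$ROOT/jupiter/master/hosts/jupiter" "$ROOT/maya/master/hosts/"
tinc_check "$ROOT/maya" master && echo "maya: ok"
# Reproduce two pitfalls: the page's Subnet = 10.0.0.0/16, which does not
# contain 10.6.0.2, and a private key readable by everyone.
printf 'Address = 192.168.125.10\nSubnet = 10.0.0.0/16\n%s\n' "$KEY" > "$ROOT/maya/master/hosts/maya"
touch "$ROOT/maya/master/rsa_key.priv"; chmod 644 "$ROOT/maya/master/rsa_key.priv"
tinc_check "$ROOT/maya" master || echo "maya: $? problem(s)"
```

To use the checker against a real installation, point it at the tinc root rather than the temp directory, for example tinc_check /etc/tinc master on jupiter or tinc_check /usr/local/etc/tinc master on maya (as root, since rsa_key.priv is not readable otherwise). The permission check is the one worth keeping even if you drop the rest: the host file you hand out lets peers verify you, but the private key next to it lets anyone who reads it be you.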
Enable Tunneling and Tapping
On Mac OS X (with the Homebrew of the time; newer Homebrew spells the second command brew install --cask tuntap):
brew tap caskroom/cask
brew cask install tuntap
On Debian:
modprobe tun
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
as per [2].
Start Tinc
Normal
Now you can start tinc:
sudo tincd -n master
To stop tinc, pass the -k flag:
sudo tincd -n master -k
On a Mac, you may have to create the following directory first:
mkdir -p /usr/local/Cellar/tinc/1.0.33/var/run/
Debug
To run tinc in the foreground (without detaching), use the -D flag; the -d flag sets the debug level, and -d5 is the most verbose:
sudo tincd -n master -D
To write tinc's log to a file instead of syslog, pass --logfile; with no argument it uses the default location given below:
sudo tincd -n master -d5 --logfile
On a mac you may have to create the following directory first:
mkdir -p /usr/local/Cellar/tinc/1.0.33/var/log/
On mac, the log file location is:
/usr/local/Cellar/tinc/1.0.33/var/log/tinc.master.log
On Debian Linux, the log file location is:
/var/log/tinc.master.log
Start on Boot - Mac
Via this page: https://www.tinc-vpn.org/examples/osx-install/
To start up the master VPN on boot, you will need to create a property list (plist) file for the launch control daemon. This will specify command line arguments to pass to the program:
/Library/LaunchDaemons/master.tinc.plist
where "master" is replaced by the name of your tinc VPN.
CREATE/EDIT THIS FILE AS ROOT. launchd runs LaunchDaemons as root and will not load a plist that is not owned by root or that other users can write; a plist any user could edit would let that user run arbitrary commands as root at the next boot.
The contents of this file are as follows:
$ cat /Library/LaunchDaemons/master.tinc.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- https://www.tinc-vpn.org/examples/osx-install/ -->
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>tinc.master</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/sbin/tincd</string>
        <string>-n</string>
        <string>master</string>
        <string>-D</string>
    </array>
</dict>
</plist>
To load/enable (resp. unload/disable) it from launchctl:
launchctl load -w /Library/LaunchDaemons/master.tinc.plist
launchctl unload -w /Library/LaunchDaemons/master.tinc.plist
To start the service:
launchctl start tinc.master
To stop the service from running (but not unload/disable it):
launchctl stop tinc.master
To verify it is running:
launchctl list
Start on Boot - Linux
Edit the file /etc/tinc/nets.boot:
# This file contains all names of the networks to be started on system startup
master
Errors
Check if tinc started
If you need to check if tinc started, just do a
ps aux | grep tin[c]
If you see nothing, tinc failed to start. It's a good idea to start tinc with the options -d5 --logfile and then read the log, because a tincd that detaches into the background reports very little on the terminal.
Debug Log
To find the debug log on Mac OS X look for this file:
/usr/local/Cellar/tinc/1.0.33/var/log/tinc.master.log
Problems with Tunnels and Taps
If tincd exits immediately on Mac OS X with the log below, the tap device does not exist and you need the tuntap package:
$ cat /usr/local/Cellar/tinc/1.0.33/var/log/tinc.master.log
2018-01-21 05:08:37 tinc.master[82854]: tincd 1.0.33 starting, debug level 5
2018-01-21 05:08:37 tinc.master[82854]: Could not open /dev/tap0: No such file or directory
2018-01-21 05:08:37 tinc.master[82854]: Terminating
Install tuntap:
brew tap caskroom/cask
brew cask install tuntap
Problems Connecting
Tinc will keep retrying the connection to the other node. If that node is down, you'll see this in the log file:
$ tail -f /usr/local/Cellar/tinc/1.0.33/var/log/tinc.master.log
2018-01-21 05:32:50 tinc.master[89799]: Broadcasting packet of 326 bytes from maya (MYSELF)
2018-01-21 05:32:53 tinc.master[89799]: Read packet of 605 bytes from Generic BSD tap device
2018-01-21 05:32:53 tinc.master[89799]: Broadcasting packet of 605 bytes from maya (MYSELF)
2018-01-21 05:32:59 tinc.master[89799]: Read packet of 326 bytes from Generic BSD tap device
2018-01-21 05:32:59 tinc.master[89799]: Broadcasting packet of 326 bytes from maya (MYSELF)
2018-01-21 05:33:00 tinc.master[89799]: Trying to connect to jupiter (192.168.125.55 port 655)
2018-01-21 05:33:00 tinc.master[89799]: Error while connecting to jupiter (192.168.125.55 port 655): Connection refused
2018-01-21 05:33:00 tinc.master[89799]: Could not set up a meta connection to jupiter
2018-01-21 05:33:00 tinc.master[89799]: Trying to re-establish outgoing connection in 15 seconds
2018-01-21 05:33:00 tinc.master[89799]: Purging unreachable nodes
2018-01-21 05:33:06 tinc.master[89799]: Read packet of 210 bytes from Generic BSD tap device
2018-01-21 05:33:06 tinc.master[89799]: Packet looping back to maya (MYSELF)!
"Connection refused" means maya reached 192.168.125.55 but nothing was listening there on TCP port 655 (tinc's default port): jupiter's tincd was not running, or it listens on another port or address. A timeout or "No route to host" would instead point at a firewall or at a wrong Address line in hosts/jupiter. Either way, the two nodes cannot see one another until that is fixed.
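A -d5 log is mostly packet chatter, and the lines that matter (which peer, at what address and port, failing how, and how often) are easy to lose in it. As an added example, not code from this page or from the tinc project, the shell function below pulls exactly those out of a tinc 1.0 debug log and counts the retries per peer, and also surfaces the fatal startup error from the tuntap section above. Assumption: the message formats are the ones shown on this page; the sample log is constructed from this page's two excerpts plus one extra retry line (05:33:15) so that the counting is visible.

```shell
#!/bin/sh
# Added example, not code from this page or from the tinc project.
# Triage a tinc 1.0 debug log (-d5 --logfile): list every failed outgoing
# meta connection with its retry count, and any fatal startup error.
# Assumption: the message formats are the ones shown on this page.

# tinc_log_triage LOGFILE
# Prints "FATAL: <message>" for startup failures that stop tincd, then one
# "<peer> <address> <port> <reason> <count>" line per failing peer.
tinc_log_triage() {
    awk '
        /Could not open \/dev\// {
            msg = $0; sub(/.*\]: /, "", msg); fatal[msg]++
        }
        /Error while connecting to/ {
            # "... Error while connecting to jupiter (192.168.125.55 port 655): Connection refused"
            sub(/.*Error while connecting to /, "")
            split($0, part, /[()]/)   # part[1]="jupiter ", part[2]="192.168.125.55 port 655", part[3]=": Connection refused"
            peer = part[1]; sub(/ +$/, "", peer)
            split(part[2], addr, " port ")
            reason = part[3]; sub(/^: */, "", reason)
            fail[peer " " addr[1] " " addr[2] " " reason]++
        }
        END {
            for (k in fatal) print "FATAL: " k
            for (k in fail)  print k " " fail[k]
        }' "$1"
}

# Constructed sample: the two log excerpts from this page, plus one extra
# retry line (05:33:15) to show the counting.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2018-01-21 05:08:37 tinc.master[82854]: tincd 1.0.33 starting, debug level 5
2018-01-21 05:08:37 tinc.master[82854]: Could not open /dev/tap0: No such file or directory
2018-01-21 05:08:37 tinc.master[82854]: Terminating
2018-01-21 05:33:00 tinc.master[89799]: Trying to connect to jupiter (192.168.125.55 port 655)
2018-01-21 05:33:00 tinc.master[89799]: Error while connecting to jupiter (192.168.125.55 port 655): Connection refused
2018-01-21 05:33:00 tinc.master[89799]: Could not set up a meta connection to jupiter
2018-01-21 05:33:00 tinc.master[89799]: Trying to re-establish outgoing connection in 15 seconds
2018-01-21 05:33:15 tinc.master[89799]: Error while connecting to jupiter (192.168.125.55 port 655): Connection refused
EOF
tinc_log_triage "$SAMPLE_LOG"
# FATAL: Could not open /dev/tap0: No such file or directory
# jupiter 192.168.125.55 655 Connection refused 2
```

Once the log has named the peer and port, confirm the diagnosis from the connecting side with nc -vz 192.168.125.55 655 and, on jupiter, check that tincd is actually listening with ss -ltnp | grep 655 (root on jupiter, since tincd runs as root); a refusal means nothing listens there, while a hang means the packets never arrive.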
More Connection Problems
Make sure you follow these instructions closely: https://silvenga.com/deploy-a-tinc-mesh-vpn-running-tap/
The problem for me was the configuration file, which did not specify switch mode or the address family setting.
Notes
https://silvenga.com/deploy-a-tinc-mesh-vpn-running-tap/
http://www.allsundry.com/2011/04/10/tinc-better-than-openvpn/
All the setup you need:
In /etc/tinc/netname/tinc.conf:
Name = host1
ConnectTo = host2
In /etc/tinc/netname/tinc-up:
ifconfig $INTERFACE 192.168.XX.1 netmask 255.255.0.0
# Generate the key pair for this host
tincd -n netname -K
# Create the file for this host: put these lines at the top of /etc/tinc/netname/hosts/host1 (tincd -K appends the public key after them). Keep the netmask and the Subnet prefix consistent; /24 pairs with 255.255.255.0.
Address = host1.full.domain.com
Subnet = 192.168.XX.0/24
References
https://linode.com/docs/networking/vpn/how-to-set-up-tinc-peer-to-peer-vpn/