Tinc/2018-04-12

From charlesreid1

Tincd experiment to debug all the headaches we're having:

  • Create three AWS nodes
  • Set them up with debian dotfiles
  • Install tinc

Now we have a brady bunch.

Following this guide: https://linode.com/docs/networking/vpn/how-to-set-up-tinc-peer-to-peer-vpn/

Step 0: Set Up Nodes

A bit painful. Still need to smooth this out.

Ubuntu flavor of cloud-init will accept bash scripts with a shebang. AWS cloud init will not.

More info: https://stackoverflow.com/a/17827406/463213

Need to mime-encode everything. (Maybe as simple as copying and pasting a URL?)

Cannot customize machine name for curl-pipe-to-bash (had to download, sed -i, replace blackbeard with other, etc.)

Tincd installation process does not get hostname dynamically, does not intelligently pick ip address. pick a random ip in 100-200 range. 0-100 is reserved, 200+ is the high seas

Most painful part is, we cannot SSH in. Script is supposed to check for existence of /home/ubuntu/.ssh/authorized_keys and copy it into our user's authorized keys, but this did not work. Had to manually SSH into the machine, run cat command, log out, then try again.

Real solution: have a reserved private/public key pair, hard code public key.

On AWS, also needed to open port 655 to the world for the security group.

Step 1: Prep Nodes

Update aptitude and install the necessary packages: 

sudo apt update && sudo apt upgrade
sudo apt -y install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev

Step 2: Install Tinc

Install tinc from source: 

#!/bin/bash

cd /tmp
wget https://tinc-vpn.org/packages/tinc-1.0.33.tar.gz
tar -xf tinc-1.0.33.tar.gz
cd tinc-1.0.33
./configure --prefix=
make
sudo make install

Step 3: Set Up Tinc

Create VPN Directory

Create working directory for our network, which we'll call zombie. Then make a place for the VPN files to live. The regular user should own the hosts directory, otherwise you'll be dealing with some major pain-in-the-ass yak shaving. 

export LABEL="zombie"
sudo mkdir -p /etc/tinc/$LABEL/hosts
sudo chown -R charles:charles /etc/tinc/$LABEL/hosts

Create VPN Config

Create config file (modify):

/etc/tinc/$LABEL/tinc.conf: 

Name = machineX
Device = /dev/net/tun
AddressFamily = ipv4
ConnectTo = machineY

Create VPN Host Files

Make one machine host file for each machine, on the corresponding machine (modify to use real IP address and subnet IP address that matches tinc-up):

/etc/tinc/$LABEL/hosts/machineX: 

Address = A.B.C.D
Subnet = 10.6.0.W

Note: 10.6.0.W is the unique IP address for machine X on the VPN.

Now you will need to generate a public/private key pair using tinc. The private key will live in /etc/tinc/$LABEL/ and the public key will be added to the machine file in /etc/tinc/$LABEL/hosts. 

sudo tincd -n $LABEL -K 4096

Use the default location for both keys. For example, on machine 1: 

Please enter a file to save private RSA key to [/etc/tinc/zombie/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/zombie/hosts/machine1]:

Aside: Setting Up Passwordless Scp

One of the things you'll need to do is copy the key files from each machine to each other machine.

AWS uses private keys by default, which is a pain in the ass. But with the debian dotfiles and the cloud init script, each node already has a regular user and a private/public key pair for that user, so we're ready to go with passwordless access.

From Machine A: 

cat ~/.ssh/id_rsa.pub

Copy this text

On Machine B: 

echo "ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA charles@machine1" >> ~/.ssh/authorized_keys

Now you can ssh from Machine A into Machine B.

SCP Across Servers

Before you scp host files among machines, make sure everything in hosts/ is owned by a regular user on ALL machines: 

sudo chown -R charles:charles /etc/tinc/$LABEL/hosts

Copy the completed machine file to each other machine server: 

scp /etc/tinc/$LABEL/hosts/machineX charles@IP-OF-MACHINE-Y:/etc/tinc/$LABEL/hosts/.

Create VPN Control Scripts

Create control scripts to bring the VPN up/down.

Create tinc-up script (modify the IP address):

/etc/tinc/$LABEL/tinc-up: 

#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.6.0.X dev $INTERFACE
ip route add 10.6.0.0/24 dev $INTERFACE

Create tinc-down script:

/etc/tinc/$LABEL/tinc-down 

#!/bin/sh
ip route del 10.6.0.0/24 dev $INTERFACE
ip addr del 10.6.0.X dev $INTERFACE
ip link set $INTERFACE down

Make executable: 

sudo chmod +x /etc/tinc/$LABEL/tinc-{up,down}

Step 4: Give It A Whirl

From each machine, run tinc VPN in the foreground: 

sudo tincd -n zombie --no-detach --debug=5

Now, open a separate window and log into machine 1. Ping the VPN IP address of machine 2 and machine 3 from machine 1: 

ping 10.6.0.2


ping 10.6.0.3

Both should be reachable, and you should see activity in the windows of both machines when the ping action occurs.

Next Steps

Fix this script: https://git.charlesreid1.com/dotfiles/debian/src/branch/master/dotfiles/scripts/tincd_install.sh

Retrieved from "https://charlesreid1.com/w/index.php?title=Tinc/2018-04-12&oldid=24696"