VPN with Tinc

FIXME: What's a VPN, what's Tinc

FreeBSD
 * Install tinc 1.1 pre from ports:

   sudo pkg install tinc-devel              # binary
   sudo portmaster -iB security/tinc-devel  # source

GNU/Linux (Debian based)
 * Install tinc 1.1 pre from source (or pull the deb from experimental)
 * Compile tinc 1.1pre:

   sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev
   cd /usr/src/
   wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
   tar xvf tinc-1.1pre17.tar.gz
   cd tinc-1.1pre17
   ./configure
   make
   sudo make install

 * Once installed, the configuration dir should be in .   and   are installed in
 * If needed, make a directory for pidfile and socket:

   sudo mkdir -p /usr/local/var/run/

Windows

 * Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/

MacOs
FIXME

FreeBSD and GNU/Linux
 * Initialize new VPN:

   sudo tinc -n beernet init server

 * Configure the host's own interface:

   sudo tinc -n beernet add subnet 10.10.10.1

 * Configure the host's public IP, or domain if you have one for the host:

   sudo tinc -n beernet add address=super.domain.xxx  # if you have a domain ...
   sudo tinc -n beernet add address=1.1.1.1           # or if you just have a public IP

 * Edit, so that your network interface is brought up correctly, for instance with:

   ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0  # leave $INTERFACE as it is and remove the echo line

 * Note: if you don't have  available on your GNU/Linux distro, see PRO tips below.
 * Test whether your VPN works nicely for the time being by running it directly in a shell with extra verbose options:

   tincd -n beernet -D -d3

FreeBSD and GNU/Linux
 * Generate invite on the server:

   tinc -n beernet invite ${CLIENT_NAME}

 * This will give you ${URL}
 * On the BSD/Linux client:

   tinc -n beernet join ${URL}
   tinc -n beernet add subnet 10.10.10.2

 * Edit, so that your network interface is brought up correctly, for instance with:

   ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0  # leave $INTERFACE as it is and remove the echo line

 * Note: if you don't have  available on your GNU/Linux distro, see PRO tips below.
 * Test whether your VPN works nicely for the time being by running it directly in a shell with extra verbose options:

   tincd -n beernet -D -d3

 * Try to ping the server from the client and the other way around to make sure all is good

Windows
 * Generate invite on the server:

   tinc -n beernet invite ${CLIENT_NAME}

 * This will give you ${URL}
 * On the Windows client machine, open a terminal, locate the Tinc install folder and:

   tinc.exe -n beernet join ${URL}
   tinc.exe -n beernet add subnet 10.10.10.3

 * Go to
 * Run . Click yes to install the driver.
 * Find the ${NAME} of the new network adapter:

   netsh interface ipv4 show interfaces

 * Rename this interface:

   netsh interface set interface name = "${NAME}" newname = "tinc"

 * Give it the same IP as the tinc client config:

   netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0

 * Try to ping the server from the client and the other way around to make sure all is good

MacOs
FIXME

iptables
 * 1) Allow Tinc VPN connections without port restrictions:

   -A INPUT -i tun+ -j ACCEPT
   -A OUTPUT -o tun+ -j ACCEPT

   -A INPUT -p tcp --sport 655 -j ACCEPT
   -A INPUT -p tcp --dport 655 -j ACCEPT
   -A OUTPUT -p tcp --sport 655 -j ACCEPT
   -A OUTPUT -p tcp --dport 655 -j ACCEPT

   -A INPUT -p udp --sport 655 -j ACCEPT
   -A INPUT -p udp --dport 655 -j ACCEPT
   -A OUTPUT -p udp --sport 655 -j ACCEPT
   -A OUTPUT -p udp --dport 655 -j ACCEPT
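A check worth running on the rule list above, written here as an added example (not from the page): the two INPUT rules keyed only on `--sport 655` accept any inbound packet that happens to carry 655 as its source port, whatever local port it is aimed at, while a `conntrack` rule admits the replies tinc needs without that hole. The rule list is the page's own, embedded as constructed input; the function names are mine.

```shell
#!/bin/sh
# Added example: audit and rewrite the tinc iptables rules from this page.

# Constructed input: the rule list from the iptables section, one rule per line.
TINC_RULES='-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A INPUT -p tcp --sport 655 -j ACCEPT
-A INPUT -p tcp --dport 655 -j ACCEPT
-A OUTPUT -p tcp --sport 655 -j ACCEPT
-A OUTPUT -p tcp --dport 655 -j ACCEPT
-A INPUT -p udp --sport 655 -j ACCEPT
-A INPUT -p udp --dport 655 -j ACCEPT
-A OUTPUT -p udp --sport 655 -j ACCEPT
-A OUTPUT -p udp --dport 655 -j ACCEPT'

# Print the INPUT rules that ACCEPT solely because the remote port is 655.
# A sender picks its own source port, so these admit arbitrary inbound traffic.
find_sport_accepts() {
    printf '%s\n' "$1" | awk '/^-A INPUT/ && /--sport/ && !/--dport/ && /-j ACCEPT/'
}

# Count them; always prints a number, so it is safe to use under set -e.
count_sport_accepts() {
    find_sport_accepts "$1" | awk 'END { print NR }'
}

# Rewrite the list: drop the INPUT --sport accepts, keep everything else
# (the OUTPUT --sport 655 rules are this host's own replies and stay), and
# let connection tracking admit replies to connections this host opened.
stateful_rules() {
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$1" | awk '!(/^-A INPUT/ && /--sport/ && !/--dport/)'
}
```

Feed `stateful_rules "$TINC_RULES"` into the filter section of an iptables-restore file in place of the list above.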

GNU/Linux with new net interface tool
will likely be deprecated or even removed on some recent GNU/Linux distros, so the proper way to configure  and  on such machines is as follows:

   ip addr add 10.0.1.1/24 dev $INTERFACE
   ip link set $INTERFACE up
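The hook script that the server and client steps above ask you to edit, and this PRO tip, as one added example (not from the page or the tinc project): it uses `ip` where present and falls back to the `ifconfig` form otherwise, so the same file serves Debian and FreeBSD. Assumptions: the hook is the tinc-up file that tincd runs with `$INTERFACE` set to the freshly opened device, and VPN_ADDR/VPN_PREFIX are set per node to the Subnet you added with `tinc add subnet`.

```shell
#!/bin/sh
# Added example: a tinc-up hook (file name assumed) that brings the VPN
# interface up with iproute2 when available, else with ifconfig.
# tincd exports INTERFACE before running this hook; VPN_ADDR/VPN_PREFIX
# are assumed per-node settings, defaulting to the server values on this page.

VPN_ADDR="${VPN_ADDR:-10.10.10.1}"   # this node's Subnet
VPN_PREFIX="${VPN_PREFIX:-24}"       # /24 == netmask 255.255.255.0

# Convert a /N prefix to the dotted netmask ifconfig expects (24 -> 255.255.255.0).
prefix_to_netmask() {
    _bits=$1
    _m=""
    _i=0
    while [ "$_i" -lt 4 ]; do
        if [ "$_bits" -ge 8 ]; then
            _oct=255; _bits=$((_bits - 8))
        else
            _oct=$(( (255 << (8 - _bits)) & 255 )); _bits=0
        fi
        _m="${_m}${_m:+.}${_oct}"
        _i=$((_i + 1))
    done
    printf '%s\n' "$_m"
}

# Assign the address and raise the interface, choosing the tool once.
bring_up() {
    _if=$1 _addr=$2 _prefix=$3
    if command -v ip >/dev/null 2>&1; then
        ip addr add "$_addr/$_prefix" dev "$_if" && ip link set "$_if" up
    else
        ifconfig "$_if" "$_addr" netmask "$(prefix_to_netmask "$_prefix")"
    fi
}

# Only act when invoked by tincd (INTERFACE set); sourcing the file elsewhere is a no-op.
if [ -n "${INTERFACE:-}" ]; then
    bring_up "$INTERFACE" "$VPN_ADDR" "$VPN_PREFIX"
fi
```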

Set up systemd services
 * tinc.service, the umbrella unit the per-network units hang off:

   [Unit]
   Description=Tinc VPN
   After=network.target

   [Service]
   Type=oneshot
   RemainAfterExit=yes
   ExecStart=/bin/true
   ExecReload=/bin/true
   WorkingDirectory=/usr/local/etc/tinc

   [Install]
   WantedBy=multi-user.target

 * tinc@.service, the template instantiated once per network name (%i):

   [Unit]
   Description=Tinc net %i
   PartOf=tinc.service
   ReloadPropagatedFrom=tinc.service

   [Service]
   Type=simple
   WorkingDirectory=/usr/local/etc/tinc/%i
   ExecStart=/usr/local/sbin/tincd -n %i -D
   ExecReload=/usr/local/sbin/tincd -n %i -kHUP
   KillMode=mixed
   TimeoutStopSec=5
   Restart=always
   RestartSec=60

   [Install]
   WantedBy=multi-user.target

 * Enable them on boot:

   systemctl enable tinc@lurknet

 * Start / stop at will:

   sudo systemctl start tinc@lurknet
   sudo systemctl stop tinc@lurknet

Switch vs Router mode
In router mode tinc runs as a Layer 3 network, while switch mode allows tinc to run as a Layer 2 network. By default Tinc runs in router mode and it will be fine for most of the things you may need. However, sometimes an application going through tinc may need Layer 2 to work properly, for instance some automagical network/peer discovery making use of Layer 2 broadcasts. If you need to switch to switch (haha...) then add the following in the  of all the nodes:

   Mode = switch

Conflict with OpenVPN on Windows
Tinc's TAP driver and OpenVPN's own TAP driver seem to confuse each other. There must be a way to make them live in harmony? As a workaround, it's possible to disable the OpenVPN TAP adapter so that when Tinc is launched it properly uses its own interface and not the one from OpenVPN:

   netsh interface set interface "Connexion au réseau local" disable

Further readings and more cool stuff

 * https://pzwiki.wdka.nl/mediadesign/Tinc
 * https://www.tinc-vpn.org/documentation-1.1