VPN with Tinc
Latest revision as of 23:26, 8 January 2022
FIXME: What's a VPN, what's Tinc
Installation on Server(s) and Client(s)
FreeBSD
- Install tinc 1.1pre from ports, either as a binary package or from source:
sudo pkg install tinc-devel                  # binary
sudo portmaster -iB security/tinc-devel      # source
GNU/Linux (Debian based)
- Install tinc 1.1 pre from source (or pull the deb from experimental)
sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev
- Compile tinc 1.1pre (check the tarball against the detached signature published next to it on the download page before building):
cd /usr/src/
wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
tar xvf tinc-1.1pre17.tar.gz
cd tinc-1.1pre17
./configure
make
sudo make install
- Once installed, the configuration directory is /usr/local/etc/tinc/, and the tinc and tincd binaries are installed in /usr/local/sbin/.
- If needed, make a directory for pidfile and socket
sudo mkdir -p /usr/local/var/run/
Windows
- Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/
MacOs
FIXME
Setup Server(s)
FreeBSD and GNU/Linux
- Initialize a new VPN called beernet, naming this node server (this creates /usr/local/etc/tinc/beernet/ and generates the node's key pairs):
sudo tinc -n beernet init server
- Declare the host's own VPN address (a Subnet line in its own host file; without a prefix length it means just this single address):
sudo tinc -n beernet add subnet 10.10.10.1
- Declare the host's public IP, or its domain name if it has one, so that clients know where to connect:
sudo tinc -n beernet add address=super.domain.xxx # if you have a domain ...
sudo tinc -n beernet add address=1.1.1.1          # or if you just have a public IP
- Edit /usr/local/etc/tinc/beernet/tinc-up so that the VPN interface is brought up correctly (tincd runs this script as root when the interface comes up, so keep it to the interface setup), for instance with:
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0 # leave $INTERFACE as it is and remove the echo line
- Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
- Test if your VPN works for the time being by running tincd directly in a shell, in the foreground (-D) with verbose debug output (-d3):
tincd -n beernet -D -d3
Setup Client(s)
FreeBSD and GNU/Linux
- Generate an invitation on the server:
tinc -n beernet invite ${CLIENT_NAME}
- This prints ${URL}. Treat it as a secret: whoever presents it to the server joins the VPN as ${CLIENT_NAME}, so hand it to the client over a trusted channel (it also expires, after one week by default).
- On the BSD/Linux client:
tinc -n beernet join ${URL}
tinc -n beernet add subnet 10.10.10.2
- Edit /usr/local/etc/tinc/beernet/tinc-up so that the VPN interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0 # leave $INTERFACE as it is and remove the echo line
- Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
- Test if your VPN works for the time being by running tincd directly in a shell, in the foreground (-D) with verbose debug output (-d3):
tincd -n beernet -D -d3
- Try to ping the server from the client and the other way around to make sure all is good.
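The server and client steps above, gathered into one provisioning script, as an added example that is not part of this page or of tinc itself. It assumes tinc 1.1pre installed under /usr/local as built above and that it runs as root; the script name tinc-node.sh, the functions write_if_scripts, provision_server, invite_client and provision_client, and the TINC_NET/TINC_DIR variables are this example's own. It writes the tinc-up/tinc-down pair with iproute2 (the form the PRO tips below recommend), falling back to the ifconfig line from the steps above when ip is not installed.

```shell
#!/bin/sh
# Added example, not code from the wiki page or the tinc project: provision a
# tinc 1.1 node (server or client) in one go, following the steps above.
# Assumptions: tinc 1.1pre installed under /usr/local, run as root; the names
# TINC_NET/TINC_DIR, write_if_scripts, provision_server, invite_client and
# provision_client are this script's own.
set -eu

TINC_NET="${TINC_NET:-beernet}"
TINC_DIR="${TINC_DIR:-/usr/local/etc/tinc}"

# Write tinc-up/tinc-down for a node. tincd runs them as root with $INTERFACE
# set, so they do nothing but configure the interface. iproute2 is preferred,
# the ifconfig form from the steps above is the fallback.
write_if_scripts() {   # write_if_scripts DIR ADDR/PREFIX NETMASK
    cat > "$1/tinc-up" <<EOF
#!/bin/sh
if command -v ip >/dev/null 2>&1; then
    ip addr add $2 dev "\$INTERFACE"
    ip link set "\$INTERFACE" up
else
    ifconfig "\$INTERFACE" ${2%/*} netmask $3
fi
EOF
    cat > "$1/tinc-down" <<EOF
#!/bin/sh
if command -v ip >/dev/null 2>&1; then
    ip addr del $2 dev "\$INTERFACE"
    ip link set "\$INTERFACE" down
else
    ifconfig "\$INTERFACE" down
fi
EOF
    chmod 755 "$1/tinc-up" "$1/tinc-down"
}

# Server: init the VPN, declare its own VPN address and its public endpoint.
provision_server() {   # provision_server NODENAME VPN_ADDR PUBLIC_ADDR_OR_FQDN
    tinc -n "$TINC_NET" init "$1"
    tinc -n "$TINC_NET" add Subnet "$2"        # no prefix length: this single address
    tinc -n "$TINC_NET" add Address "$3"       # where clients connect to
    write_if_scripts "$TINC_DIR/$TINC_NET" "$2/24" 255.255.255.0
}

# Server: print an invitation URL for a client. The URL is a secret: whoever
# holds it can join the VPN under that client name.
invite_client() {      # invite_client CLIENT_NAME
    tinc -n "$TINC_NET" invite "$1"
}

# Client: consume the invitation, declare its own address, set up the interface.
provision_client() {   # provision_client VPN_ADDR INVITATION_URL
    tinc -n "$TINC_NET" join "$2"
    tinc -n "$TINC_NET" add Subnet "$1"
    write_if_scripts "$TINC_DIR/$TINC_NET" "$1/24" 255.255.255.0
}

# Usage:
#   ./tinc-node.sh server server 10.10.10.1 super.domain.xxx
#   ./tinc-node.sh invite laptop
#   ./tinc-node.sh client 10.10.10.2 'INVITATION_URL'
# then test in the foreground with:  tincd -n "$TINC_NET" -D -d3
case "${1:-}" in
    server) provision_server "$2" "$3" "$4" ;;
    invite) invite_client "$2" ;;
    client) provision_client "$2" "$3" ;;
esac
```

The Subnet declared per node has no prefix length (a single address), while the interface itself gets the /24 so that the nodes can reach each other; the two are deliberately different. Once tincd runs, the tinc-down script undoes exactly what tinc-up did, which the init-generated template does not give you.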
Windows
- Generate an invitation on the server:
tinc -n beernet invite ${CLIENT_NAME}
- This will give you ${URL}; hand it to the client over a trusted channel, since anyone holding it can join the VPN.
- On the Windows client machine, open a terminal in the Tinc install folder and run:
tinc.exe -n beernet join ${URL}
tinc.exe -n beernet add subnet 10.10.10.3
- Go to C:\Program Files\tinc\tap-win64
- Run addtap.bat and click yes to install the driver.
- Find the ${NAME} of the new network adapter:
netsh interface ipv4 show interfaces
- Rename this interface
netsh interface set interface name = "${NAME}" newname = "tinc"
- Give it the same IP as in the tinc client config:
netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0
- Try to ping the server from the client and the other way around to make sure all is good.
MacOs
FIXME
PRO tips
Firewall
iptables
# Allow Tinc VPN connections without port restrictions
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A INPUT -p tcp --sport 655 -j ACCEPT
-A INPUT -p tcp --dport 655 -j ACCEPT
-A OUTPUT -p tcp --sport 655 -j ACCEPT
-A OUTPUT -p tcp --dport 655 -j ACCEPT
-A INPUT -p udp --sport 655 -j ACCEPT
-A INPUT -p udp --dport 655 -j ACCEPT
-A OUTPUT -p udp --sport 655 -j ACCEPT
-A OUTPUT -p udp --dport 655 -j ACCEPT
Two caveats before pasting these in. The --sport 655 rules on INPUT accept any inbound packet whose source port happens to be 655, and a remote attacker chooses that source port freely, so they punch a hole through the rest of your INPUT chain; tinc only needs the --dport 655 rules (TCP for the meta connections, UDP for the VPN data) plus the usual ESTABLISHED,RELATED rule for replies. And tun+ only matches if the VPN device is really called tun-something: on GNU/Linux tinc names it after the netname (beernet here) unless Interface is set in tinc.conf, so check the name with ip link once tincd is running.
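A tighter alternative to the rules above, as an added example that is not part of this page or of tinc: a shell function that emits an iptables-restore ruleset keeping only what tinc needs (the listening port on TCP and UDP, conntrack for replies, and the VPN device itself) and nothing keyed on source port. The function name tinc_fw_rules, its arguments, the script name tinc-fw.sh and the default admin port 22 are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the wiki page or the tinc project: emit a
# tighter iptables ruleset for a tinc node than the permissive one above, in
# iptables-restore format. The function name tinc_fw_rules and its arguments
# are this script's own; 655 is tinc's default port, as in the rules above.
set -eu

# tinc_fw_rules VPN_IFACE [PORT] [ADMIN_PORT]
# VPN_IFACE must be the real device name: on GNU/Linux tinc names it after the
# netname (beernet) unless Interface is set in tinc.conf, so "tun+" may match
# nothing. ADMIN_PORT keeps remote administration (SSH) reachable, since the
# INPUT policy below is DROP.
tinc_fw_rules() {
    iface=$1
    port=${2:-655}
    admin=${3:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, including tinc's own outgoing
# meta connections; this replaces every source-port rule
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# remote administration
-A INPUT -p tcp --dport $admin -m conntrack --ctstate NEW -j ACCEPT
# tinc: meta connections over TCP, VPN payload over UDP, destination port only.
# No source-port rule: a remote peer picks its source port freely, so such a
# rule would let any packet through the filter.
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport $port -j ACCEPT
# traffic arriving through the VPN itself
-A INPUT -i $iface -j ACCEPT
COMMIT
EOF
}

# Usage, after sourcing this file (. ./tinc-fw.sh):
#   dry run:  tinc_fw_rules beernet | sudo iptables-restore --test
#   apply:    tinc_fw_rules beernet | sudo iptables-restore
```

Lines starting with # are ignored by iptables-restore, so the comments travel with the ruleset. The dry run parses and builds the ruleset without committing it, which is the check to make before replacing a live filter table on a remote box.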
GNU/Linux with new net interface tool
ifconfig is deprecated or even removed on some recent GNU/Linux distros, so the proper way to write tinc-up on such machines is with iproute2, for instance for the server address used above:
ip addr add 10.10.10.1/24 dev $INTERFACE
ip link set $INTERFACE up
Set up systemd services
- /lib/systemd/system/tinc.service (note: /lib/systemd/system is meant for units shipped by packages; locally written units belong in /etc/systemd/system, with the same contents)
[Unit]
Description=Tinc VPN
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target
- /lib/systemd/system/tinc@.service
[Unit]
Description=Tinc net %i
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
KillMode=mixed
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
- Reload systemd (systemctl daemon-reload) after writing the units, then enable the instance for your netname on boot (the instance name after @ is the netname; the examples here use lurknet, with the setup above it would be beernet):
sudo systemctl enable tinc@lurknet
- Start / stop at will:
sudo systemctl start tinc@lurknet
sudo systemctl stop tinc@lurknet
Switch vs Router mode
In router mode tinc forwards IP packets (Layer 3) between nodes according to their Subnet declarations, while switch mode makes tinc behave like an Ethernet switch (Layer 2) on a TAP device, learning MAC addresses and flooding broadcasts to every node. By default tinc runs in router mode and that is fine for most of the things you may need. However, sometimes an application going through tinc needs Layer 2 to work properly, for instance some automagical network/peer discovery making use of Layer 2 broadcasts. If you need to switch to switch (haha...) then add the following to the tinc.conf of all the nodes (the mode has to be the same on every node) and restart tincd on each of them:
Mode = switch
Conflict with OpenVPN on Windows
Tinc's TAP driver and OpenVPN's own TAP driver seem to confuse each other: both are tap-windows adapters, and tinc picks the first one it finds unless the Interface variable in tinc.conf names the adapter to use (Interface = tinc, if you renamed it as above), which should let them live in harmony. As a workaround, it's possible to disable OpenVPN's TAP adapter so that when Tinc is launched it properly uses its own interface and not the one from OpenVPN. The adapter name below is the default on a French Windows ("Local Area Connection"); use the name that netsh interface ipv4 show interfaces prints on your machine:
netsh interface set interface "Connexion au réseau local" disable