Difference between revisions of "VPN with Tinc"
(→GNU/Linux (Debian based)) |
(→FreeBSD and GNU/Linux) |
||
(17 intermediate revisions by 2 users not shown) | |||
Line 8: | Line 8: | ||
=== GNU/Linux (Debian based) === | === GNU/Linux (Debian based) === | ||
− | * Install tinc 1.1 pre from source | + | * Install tinc 1.1 pre from source (or pull the deb from experimental) |
sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev | sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev | ||
− | + | * Compile tinc 1.1pre : | |
− | Compile | ||
− | |||
cd /usr/src/ | cd /usr/src/ | ||
− | |||
wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz | wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz | ||
− | |||
tar xvf tinc-1.1pre17.tar.gz | tar xvf tinc-1.1pre17.tar.gz | ||
− | |||
cd tinc-1.1pre17 | cd tinc-1.1pre17 | ||
− | |||
./configure | ./configure | ||
− | |||
make | make | ||
− | |||
sudo make install | sudo make install | ||
− | Once installed the configuration dir should be in | + | * Once installed, the configuration dir should be in <code>/usr/local/etc/tinc/</code>. <code>tinc</code> and <code>tincd</code> are installed in <code>/usr/local/sbin/tinc</code> |
− | /usr/local/ | + | * If needed, make a directory for pidfile and socket |
+ | sudo mkdir -p /usr/local/var/run/ | ||
− | + | === Windows === | |
− | + | * Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/ | |
=== MacOs === | === MacOs === | ||
'''FIXME''' | '''FIXME''' | ||
− | |||
− | |||
− | |||
== Setup Server(s) == | == Setup Server(s) == | ||
− | === FreeBSD === | + | === FreeBSD and GNU/Linux === |
* Initialize new VPN | * Initialize new VPN | ||
sudo tinc -n beernet init server | sudo tinc -n beernet init server | ||
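Review bot: the new Debian bullet says "tinc and tincd are installed in /usr/local/sbin/tinc", which names the tinc binary as if it were the install directory; both binaries land in /usr/local/sbin/ (as /usr/local/sbin/tinc and /usr/local/sbin/tincd, the latter being the path the systemd unit later in this revision uses), so the bullet should say "/usr/local/sbin/". The new Windows subsection also stops at the download link with no install or verification step, unlike the FreeBSD and Debian subsections.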
Line 49: | Line 39: | ||
sudo tinc -n beernet add address=1.1.1.1 # or if you just have a public IP | sudo tinc -n beernet add address=1.1.1.1 # or if you just have a public IP | ||
* edit <code>/usr/local/etc/tinc/beernet/tinc-up</code>, so that your network interface is brought up correctly, for instance with: | * edit <code>/usr/local/etc/tinc/beernet/tinc-up</code>, so that your network interface is brought up correctly, for instance with: | ||
− | ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0 # leave $INTERFACE as it is | + | ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0 # leave $INTERFACE as it is and remove the echo line |
+ | * '''Note:''' if you don't have <code>ifconfig</code> available on your GNU/Linux distro, see PRO tips below. | ||
* test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options: | * test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options: | ||
tincd -n beernet -D -d3 | tincd -n beernet -D -d3 | ||
− | == Setup Client == | + | == Setup Client(s) == |
− | === FreeBSD === | + | === FreeBSD and GNU/Linux === |
− | === | + | * Generate invite '''on the server''' |
+ | tinc -n beernet invite ${CLIENT_NAME} | ||
+ | * This will give you ${URL} | ||
+ | * '''On the BSD/Linux client''' | ||
+ | tinc -n beernet join ${URL} | ||
+ | tinc -n beernet add subnet 10.10.10.2 | ||
+ | * edit <code>/usr/local/etc/tinc/beernet/tinc-up</code>, so that your network interface is brought up correctly, for instance with: | ||
+ | ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0 # leave $INTERFACE as it is and remove the echo line | ||
+ | * '''Note:''' if you don't have <code>ifconfig</code> available on your GNU/Linux distro, see PRO tips below. | ||
+ | * test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options: | ||
+ | tincd -n beernet -D -d3 | ||
+ | * try to ping the server from the client and the other way around to make all is good | ||
+ | |||
+ | === Windows === | ||
+ | * Generate invite '''on the server''' | ||
+ | tinc -n beernet invite ${CLIENT_NAME} | ||
+ | * This will give you ${URL} | ||
+ | * '''On the windows client machine''', open a terminal, locate the Tinc install folder and: | ||
+ | tinc.exe -n beernet join ${URL} | ||
+ | tinc.exe -n beernet add subnet 10.10.10.3 | ||
+ | * got to <code>C:\Program Files\tinc\tap-win64</code> | ||
+ | * run <code>addtap.bat</code>. Click yes to install the driver. | ||
+ | * Find the ${NAME} of the new network adapter | ||
+ | netsh interface ipv4 show interfaces | ||
+ | * Rename this interface | ||
+ | netsh interface set interface name = "${NAME}" newname = "tinc" | ||
+ | * give it the same IP as tinc client config | ||
+ | netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0. | ||
+ | * try to ping the server from the client and the other way around to make all is good | ||
+ | |||
=== MacOs === | === MacOs === | ||
− | === | + | '''FIXME''' |
+ | |||
+ | == PRO tips == | ||
+ | === Firewall === | ||
+ | ==== iptables ==== | ||
+ | <pre> | ||
+ | # Allow Tinc VPN connections without port restrictions | ||
+ | -A INPUT -i tun+ -j ACCEPT | ||
+ | -A OUTPUT -o tun+ -j ACCEPT | ||
+ | |||
+ | -A INPUT -p tcp --sport 655 -j ACCEPT | ||
+ | -A INPUT -p tcp --dport 655 -j ACCEPT | ||
+ | -A OUTPUT -p tcp --sport 655 -j ACCEPT | ||
+ | -A OUTPUT -p tcp --dport 655 -j ACCEPT | ||
+ | |||
+ | -A INPUT -p udp --sport 655 -j ACCEPT | ||
+ | -A INPUT -p udp --dport 655 -j ACCEPT | ||
+ | -A OUTPUT -p udp --sport 655 -j ACCEPT | ||
+ | -A OUTPUT -p udp --dport 655 -j ACCEPT | ||
+ | </pre> | ||
+ | |||
+ | === GNU/Linux with new net interface tool === | ||
+ | <code>ifconfig</code> will be likely deprecated or even removed on some recent GNU/Linux distros, so the proper way to configure <code>tinc-up</code> and on such machines is as follow: | ||
+ | ip addr add 10.0.1.1/24 dev $INTERFACE | ||
+ | ip link set $INTERFACE up | ||
+ | |||
+ | === Set up systemd services === | ||
+ | * <code>/lib/systemd/system/tinc.service</code> | ||
+ | [Unit] | ||
+ | Description=Tinc VPN | ||
+ | After=network.target | ||
+ | |||
+ | [Service] | ||
+ | Type=oneshot | ||
+ | RemainAfterExit=yes | ||
+ | ExecStart=/bin/true | ||
+ | ExecReload=/bin/true | ||
+ | WorkingDirectory=/usr/local/etc/tinc | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | |||
+ | * <code>/lib/systemd/system/tinc@.service</code> | ||
+ | [Unit] | ||
+ | Description=Tinc net %i | ||
+ | PartOf=tinc.service | ||
+ | ReloadPropagatedFrom=tinc.service | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | WorkingDirectory=/usr/local/etc/tinc/%i | ||
+ | ExecStart=/usr/local/sbin/tincd -n %i -D | ||
+ | ExecReload=/usr/local/sbin/tincd -n %i -kHUP | ||
+ | KillMode=mixed | ||
+ | TimeoutStopSec=5 | ||
+ | Restart=always | ||
+ | RestartSec=60 | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | * enable them on boot: | ||
+ | systemctl enable tinc@lurknet | ||
+ | * Start / stop at will: | ||
+ | sudo systemctl start tinc@lurknet | ||
+ | sudo systemctl stop tinc@lurknet | ||
+ | === Switch vs Router mode === | ||
+ | In router mode tinc runs as a Layer 3 network, while switch allows tinc to run as a Layer 2 network. By default Tinc runs in router mode and it will be fine for most of the things you may need. However, sometimes an application going through tinc may need Layer 2 to work properly, for instance some automagical network/peer discovery making use of Layer 2 broadcasts. If you need to switch to switch (haha...) then add the following in the <code>tinc.conf</code> of '''all the nodes''': | ||
+ | Mode = switch | ||
+ | == Further readings and more cool stuff == | ||
+ | * https://pzwiki.wdka.nl/mediadesign/Tinc | ||
+ | * https://www.tinc-vpn.org/documentation-1.1 | ||
[[Category: VPN]] | [[Category: VPN]] |
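Review bot: the iptables block added under PRO tips accepts inbound traffic by source port: "-A INPUT -p tcp --sport 655 -j ACCEPT" and its udp twin admit any packet whose sender chose source port 655, to any local port, which bypasses whatever the rest of the INPUT chain filters; keep only the "--dport 655" INPUT rules and let a conntrack ESTABLISHED,RELATED rule admit return traffic (the OUTPUT --sport rules are harmless but equally redundant). Smaller points in the same hunk: "systemctl enable tinc@lurknet" and the start/stop lines use the network name lurknet while every other command on the page uses beernet, and the enable line lacks the sudo the start/stop lines have; the netsh line ends in a stray period after 255.255.255.0; "got to C:\Program Files\tinc\tap-win64" should read "go to"; and the ip example uses 10.0.1.1/24 where the setup sections use 10.10.10.0/24.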
Revision as of 17:27, 11 June 2021
FIXME: What's a VPN, what's Tinc
Installation on Server(s) and Client(s)
FreeBSD
- Install tinc 1.1 pre from ports
sudo pkg install tinc-devel # binary
sudo portmaster -iB security/tinc-devel # source
GNU/Linux (Debian based)
- Install tinc 1.1 pre from source (or pull the deb from experimental)
sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev
- Compile tinc 1.1pre:
cd /usr/src/
wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
tar xvf tinc-1.1pre17.tar.gz
cd tinc-1.1pre17
./configure
make
sudo make install
- Once installed, the configuration dir should be /usr/local/etc/tinc/. tinc and tincd are installed in /usr/local/sbin/ (as /usr/local/sbin/tinc and /usr/local/sbin/tincd)
- If needed, make a directory for pidfile and socket
sudo mkdir -p /usr/local/var/run/
Windows
- Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/
MacOs
FIXME
Setup Server(s)
FreeBSD and GNU/Linux
- Initialize new VPN
sudo tinc -n beernet init server
- Configure the host's own interface
sudo tinc -n beernet add subnet 10.10.10.1
- Configure the host's public IP, or domain if you have one for the host
sudo tinc -n beernet add address=super.domain.xxx # if you have a domain ...
sudo tinc -n beernet add address=1.1.1.1 # or if you just have a public IP
- edit /usr/local/etc/tinc/beernet/tinc-up, so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0 # leave $INTERFACE as it is and remove the echo line
- Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
- test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options:
tincd -n beernet -D -d3
Setup Client(s)
FreeBSD and GNU/Linux
- Generate invite on the server
tinc -n beernet invite ${CLIENT_NAME}
- This will give you ${URL}
- On the BSD/Linux client
tinc -n beernet join ${URL}
tinc -n beernet add subnet 10.10.10.2
- edit /usr/local/etc/tinc/beernet/tinc-up, so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0 # leave $INTERFACE as it is and remove the echo line
- Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
- test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options:
tincd -n beernet -D -d3
- try to ping the server from the client and the other way around to make sure all is good
Windows
- Generate invite on the server
tinc -n beernet invite ${CLIENT_NAME}
- This will give you ${URL}
- On the Windows client machine, open a terminal, locate the Tinc install folder and run:
tinc.exe -n beernet join ${URL}
tinc.exe -n beernet add subnet 10.10.10.3
- go to C:\Program Files\tinc\tap-win64
- run addtap.bat. Click yes to install the driver.
- Find the ${NAME} of the new network adapter
netsh interface ipv4 show interfaces
- Rename this interface
netsh interface set interface name = "${NAME}" newname = "tinc"
- give it the same IP as in the tinc client config
netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0
- try to ping the server from the client and the other way around to make sure all is good
MacOs
FIXME
PRO tips
Firewall
iptables
# Allow Tinc VPN connections without port restrictions
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

-A INPUT -p tcp --sport 655 -j ACCEPT
-A INPUT -p tcp --dport 655 -j ACCEPT
-A OUTPUT -p tcp --sport 655 -j ACCEPT
-A OUTPUT -p tcp --dport 655 -j ACCEPT

-A INPUT -p udp --sport 655 -j ACCEPT
-A INPUT -p udp --dport 655 -j ACCEPT
-A OUTPUT -p udp --sport 655 -j ACCEPT
-A OUTPUT -p udp --dport 655 -j ACCEPT
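A tighter variant of the ruleset above, added here as an example (it is not the wiki's ruleset). The "--sport 655" INPUT lines above accept any packet whose sender picked source port 655, whatever local port it is aimed at, so they let a remote host reach anything the rest of the INPUT chain would have blocked. The generator below matches return traffic by connection state instead, and optionally limits who may open a connection to the tinc port to a list of peer addresses. The function name tinc_rules, the PORT variable and the peer addresses in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's ruleset): emit filter-table rules for a tinc
# node in iptables-restore syntax. Return traffic is matched by conntrack
# state rather than by source port; peers, if given, restrict who may open a
# connection to the tinc port.

# tinc_rules PORT [PEER ...]  -> rules on stdout
tinc_rules() {
    port="$1"; shift
    # traffic inside the tunnel itself
    printf '%s\n' '-A INPUT -i tun+ -j ACCEPT' '-A OUTPUT -o tun+ -j ACCEPT'
    # replies to connections we already track, in both directions; this is
    # what the --sport 655 rules on the wiki were trying to achieve
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
                  '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # new inbound connections to the tinc port: from anyone when no peers are
    # listed (the wiki's behaviour), otherwise only from the listed addresses
    [ $# -gt 0 ] || set -- 0.0.0.0/0
    for peer in "$@"; do
        for proto in tcp udp; do
            printf '%s\n' "-A INPUT -s $peer -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # connections this node opens to other nodes' tinc port
    for proto in tcp udp; do
        printf '%s\n' "-A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Stand-alone usage: PORT defaults to tinc's 655; peers may follow on the
# command line, e.g.  sh tinc-rules.sh 192.0.2.10 198.51.100.20  (constructed
# example addresses). Paste the output into the *filter section of your
# existing iptables-restore file.
tinc_rules "${PORT:-655}" "$@"
```

The rules assume the host's INPUT chain ends in a DROP policy or rule; with a default ACCEPT policy they change nothing. Listing peers is only practical when every node has a fixed address; roaming clients keep the 0.0.0.0/0 form, and the conntrack rule still removes the source-port hole.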
GNU/Linux with new net interface tool
ifconfig is likely to be deprecated or even removed on some recent GNU/Linux distros, so the proper way to configure tinc-up on such machines is as follows:
ip addr add 10.0.1.1/24 dev $INTERFACE
ip link set $INTERFACE up
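One tinc-up that covers both the ifconfig form used in the setup sections above and the ip form from this section, added as an example (it is not the wiki's tinc-up and not part of tinc). It picks iproute2 when present and falls back to ifconfig otherwise, so the same file can be shipped to FreeBSD nodes and to Linux nodes without ifconfig. tincd sets $INTERFACE before running the script; VPN_ADDR, the CIDR address of this node, and DRY_RUN are assumed variables, and the default 10.10.10.1/24 is the server address from the setup section (this section's own example uses 10.0.1.1/24).

```shell
#!/bin/sh
# Added example (not the wiki's own tinc-up): bring the tinc interface up with
# iproute2 when available, else with ifconfig. tincd exports $INTERFACE;
# VPN_ADDR (assumed) is this node's address in CIDR form.
VPN_ADDR="${VPN_ADDR:-10.10.10.1/24}"

# Convert a prefix length (0..32) to a dotted netmask, e.g. 24 -> 255.255.255.0,
# because ifconfig on BSD and old Linux wants "netmask", not a prefix.
prefix_to_netmask() {
    p="$1"; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            o=255; p=$((p - 8))
        else
            o=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="${mask:+$mask.}$o"
    done
    printf '%s\n' "$mask"
}

# Print the commands that assign $cidr to $iface and bring it up using $tool
# (ip or ifconfig). Printing rather than running keeps the logic testable and
# makes DRY_RUN trivial.
iface_up_cmds() {
    tool="$1"; iface="$2"; cidr="$3"
    addr="${cidr%/*}"; prefix="${cidr#*/}"
    case "$tool" in
        ip)
            printf 'ip addr add %s dev %s\n' "$cidr" "$iface"
            printf 'ip link set %s up\n' "$iface" ;;
        ifconfig)
            printf 'ifconfig %s %s netmask %s up\n' \
                "$iface" "$addr" "$(prefix_to_netmask "$prefix")" ;;
        *)
            echo "unsupported tool: $tool" >&2; return 1 ;;
    esac
}

# Prefer ip (iproute2); fall back to ifconfig (FreeBSD, older Linux).
pick_tool() {
    if command -v ip >/dev/null 2>&1; then echo ip
    elif command -v ifconfig >/dev/null 2>&1; then echo ifconfig
    else return 1
    fi
}

# Only act when invoked by tincd (INTERFACE set). DRY_RUN=1 prints the
# commands instead of running them.
if [ -n "${INTERFACE:-}" ]; then
    tool=$(pick_tool) || { echo "tinc-up: neither ip nor ifconfig found" >&2; exit 1; }
    cmds=$(iface_up_cmds "$tool" "$INTERFACE" "$VPN_ADDR") || exit 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
fi
```

Install it as /usr/local/etc/tinc/beernet/tinc-up (mode 0755) with VPN_ADDR set to the node's own address, and check what it would do first with INTERFACE=tun0 DRY_RUN=1 sh tinc-up. A matching tinc-down only needs the reverse (ip link set $INTERFACE down, or ifconfig $INTERFACE down).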
Set up systemd services
- /lib/systemd/system/tinc.service
[Unit]
Description=Tinc VPN
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target

- /lib/systemd/system/tinc@.service
[Unit]
Description=Tinc net %i
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
KillMode=mixed
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
- enable them on boot:
sudo systemctl enable tinc@lurknet
- Start / stop at will:
sudo systemctl start tinc@lurknet
sudo systemctl stop tinc@lurknet
Switch vs Router mode
In router mode tinc runs as a Layer 3 network, while switch mode lets tinc run as a Layer 2 network. By default tinc runs in router mode, which is fine for most of the things you may need. However, sometimes an application going through tinc may need Layer 2 to work properly, for instance some automagical network/peer discovery that relies on Layer 2 broadcasts. If you need to switch to switch mode (haha...) then add the following to the tinc.conf of all the nodes:
Mode = switch