VPN with Tinc
Further readings and more cool stuff
- https://pzwiki.wdka.nl/mediadesign/Tinc
- https://www.tinc-vpn.org/documentation-1.1
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | https | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | * | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
[[Category: VPN]] | [[Category: VPN]] |
Revision as of 18:27, 11 June 2021
FIXME: What's a VPN, what's Tinc
Installation on Server(s) and Client(s)
FreeBSD
- Install tinc 1.1 pre from ports
sudo pkg install tinc-devel                 # binary
sudo portmaster -iB security/tinc-devel     # source
GNU/Linux (Debian based)
- Install tinc 1.1 pre from source (or pull the deb from experimental)
sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev
- Compile tinc 1.1pre:
cd /usr/src/
wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
tar xvf tinc-1.1pre17.tar.gz
cd tinc-1.1pre17
./configure
make
sudo make install
- Once installed, the configuration dir should be in /usr/local/etc/tinc/. The tinc and tincd binaries are installed in /usr/local/sbin/ (as /usr/local/sbin/tinc and /usr/local/sbin/tincd).
- If needed, make a directory for pidfile and socket
sudo mkdir -p /usr/local/var/run/
Windows
- Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/
MacOs
FIXME
Setup Server(s)
FreeBSD and GNU/Linux
- Initialize new VPN
sudo tinc -n beernet init server
- Configure the host's own interface
sudo tinc -n beernet add subnet 10.10.10.1
- Configure the host's public IP, or domain if you have one for the host
sudo tinc -n beernet add address=super.domain.xxx   # if you have a domain ...
sudo tinc -n beernet add address=1.1.1.1            # or if you just have a public IP
- edit /usr/local/etc/tinc/beernet/tinc-up, so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0   # leave $INTERFACE as it is and remove the echo line
- Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
- To test that the VPN works at this stage, run tincd directly in a shell (in the foreground, with extra verbose output):
tincd -n beernet -D -d3
Setup Client(s)
FreeBSD and GNU/Linux
- Generate invite on the server
tinc -n beernet invite ${CLIENT_NAME}
- This will give you ${URL}
- On the BSD/Linux client
tinc -n beernet join ${URL}
tinc -n beernet add subnet 10.10.10.2
- edit /usr/local/etc/tinc/beernet/tinc-up, so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0   # leave $INTERFACE as it is and remove the echo line
- Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
- To test that the VPN works at this stage, run tincd directly in a shell (in the foreground, with extra verbose output):
tincd -n beernet -D -d3
- Ping the server from the client and the client from the server to make sure all is good.
Windows
- Generate invite on the server
tinc -n beernet invite ${CLIENT_NAME}
- This will give you ${URL}
- On the windows client machine, open a terminal, locate the Tinc install folder and:
tinc.exe -n beernet join ${URL}
tinc.exe -n beernet add subnet 10.10.10.3
- go to C:\Program Files\tinc\tap-win64
- run addtap.bat. Click yes to install the driver.
- Find the ${NAME} of the new network adapter
netsh interface ipv4 show interfaces
- Rename this interface
netsh interface set interface name = "${NAME}" newname = "tinc"
- Give it the same IP as in the tinc client config
netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0
- Ping the server from the client and the client from the server to make sure all is good.
MacOs
FIXME
PRO tips
Firewall
iptables
# Allow Tinc VPN connections without port restrictions
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A INPUT -p tcp --sport 655 -j ACCEPT
-A INPUT -p tcp --dport 655 -j ACCEPT
-A OUTPUT -p tcp --sport 655 -j ACCEPT
-A OUTPUT -p tcp --dport 655 -j ACCEPT
-A INPUT -p udp --sport 655 -j ACCEPT
-A INPUT -p udp --dport 655 -j ACCEPT
-A OUTPUT -p udp --sport 655 -j ACCEPT
-A OUTPUT -p udp --dport 655 -j ACCEPT
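One thing to check in the ruleset above: the two INPUT lines that match on "--sport 655" accept any inbound TCP or UDP packet whose source port is 655, and the remote side chooses its own source port. In practice those two lines allow traffic to every local port, not just to tinc. The script below is an added example (not from this wiki page or from the tinc project): audit_sport_rules reads an iptables-save style rule dump and flags INPUT rules that accept on a bare source port, and tinc_rules_hardened prints a replacement that only opens the tinc listening port inbound and relies on conntrack for return traffic. The port (655) and device match (tun+) are the page's own values, passed in as defaults; tun+ only matches devices named tun0, tun1, ..., so check with "ip link" which name tincd actually gives its device and pass that instead if it differs.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of tinc itself.
# Audits iptables rules (iptables-save / rules.v4 format) for INPUT rules that
# accept purely on a remote source port, and prints a tighter tinc ruleset.

# Constructed sample input: the page's own ruleset, embedded so this runs offline.
PAGE_RULES='# Allow Tinc VPN connections without port restrictions
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A INPUT -p tcp --sport 655 -j ACCEPT
-A INPUT -p tcp --dport 655 -j ACCEPT
-A OUTPUT -p tcp --sport 655 -j ACCEPT
-A OUTPUT -p tcp --dport 655 -j ACCEPT
-A INPUT -p udp --sport 655 -j ACCEPT
-A INPUT -p udp --dport 655 -j ACCEPT
-A OUTPUT -p udp --sport 655 -j ACCEPT
-A OUTPUT -p udp --dport 655 -j ACCEPT'

# Read rules on stdin; print each INPUT ACCEPT rule whose only port condition
# is --sport. The remote host picks its own source port, so such a rule admits
# traffic to any local port as long as the sender uses that source port.
audit_sport_rules() {
    grep -E -- '^-A INPUT .*--sport [0-9]+.* -j ACCEPT' \
        | grep -v -E -- '--dport|--ctstate' || true
}

# Count the findings (awk prints a bare number; wc -l may pad it with spaces).
count_sport_findings() {
    audit_sport_rules | awk 'END { print NR }'
}

# Emit a replacement ruleset.
#   $1 = tinc port          (default 655, the page's value)
#   $2 = tunnel device match (default tun+, the page's value; verify with "ip link")
# Inbound: only the tinc listening port, plus conntrack for replies to
# connections this host opened. Outbound: tinc to its peers.
tinc_rules_hardened() {
    port=${1:-655}
    iface=${2:-tun+}
    cat <<EOF
# Traffic inside the tunnel device itself
-A INPUT -i $iface -j ACCEPT
-A OUTPUT -o $iface -j ACCEPT
# Replies to connections this host initiated (covers the outbound tinc meta connection)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound tinc: destination port only, never a bare --sport match
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport $port -j ACCEPT
# Outbound tinc to peers (tincd sends UDP from its own listening port)
-A OUTPUT -p tcp --dport $port -j ACCEPT
-A OUTPUT -p udp --dport $port -j ACCEPT
-A OUTPUT -p udp --sport $port -j ACCEPT
EOF
}

# Stand-alone run: report the weak lines in the page's rules, then print the replacement.
printf '%s\n' "$PAGE_RULES" | audit_sport_rules | sed 's/^/WEAK: /'
echo '---'
tinc_rules_hardened
```

To audit a live host instead of the embedded sample, pipe "iptables-save" into audit_sport_rules. The hardened set is written for a default-DROP policy; if your INPUT policy is ACCEPT, the extra lines change nothing and the real fix is to drop the two --sport lines.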
GNU/Linux with new net interface tool
ifconfig
will be likely deprecated or even removed on some recent GNU/Linux distros, so the proper way to configure tinc-up
and on such machines is as follow:
ip addr add 10.0.1.1/24 dev $INTERFACE ip link set $INTERFACE up
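Rather than hand-editing tinc-up on every node (the server and client steps above) and remembering which distros still ship ifconfig, the helper below writes a tinc-up and tinc-down pair that uses ip(8) when it is present and falls back to ifconfig otherwise. It is an added example, not from this wiki page or from the tinc project. It assumes the tinc 1.1 convention used in the page's own snippets that tincd runs these scripts with $INTERFACE set to the tunnel device, and it overwrites whatever tinc-up "tinc init" generated, echo line included. The net directory, address and prefix length are arguments you supply; the names write_tinc_scripts and prefix_to_netmask are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of tinc itself.
# Writes tinc-up / tinc-down for one node, preferring ip(8) and falling
# back to ifconfig(8) on systems that still have it.

# Convert a CIDR prefix length (0-32) to a dotted netmask, which ifconfig needs.
prefix_to_netmask() {
    prefix=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$prefix" -ge 8 ]; then
            octet=255
        elif [ "$prefix" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - prefix)) ))
        fi
        prefix=$(( prefix - 8 ))
        mask="${mask}${mask:+.}${octet}"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# write_tinc_scripts NETDIR ADDRESS PREFIXLEN
#   NETDIR    : the net's config dir, e.g. /usr/local/etc/tinc/beernet (page's layout)
#   ADDRESS   : this node's VPN address, e.g. 10.10.10.2
#   PREFIXLEN : e.g. 24 for the 255.255.255.0 mask used on the page
# tincd runs the generated scripts with $INTERFACE set to the tunnel device,
# so that variable is deliberately left unexpanded in the files written here.
write_tinc_scripts() {
    netdir=$1
    addr=$2
    prefixlen=$3
    netmask=$(prefix_to_netmask "$prefixlen")
    mkdir -p "$netdir"

    cat > "$netdir/tinc-up" <<EOF
#!/bin/sh
# Generated by write_tinc_scripts: bring the tinc interface up.
if command -v ip >/dev/null 2>&1; then
    ip addr add $addr/$prefixlen dev "\$INTERFACE"
    ip link set "\$INTERFACE" up
else
    ifconfig "\$INTERFACE" $addr netmask $netmask
fi
EOF

    cat > "$netdir/tinc-down" <<EOF
#!/bin/sh
# Generated by write_tinc_scripts: take the tinc interface down.
if command -v ip >/dev/null 2>&1; then
    ip link set "\$INTERFACE" down
    ip addr del $addr/$prefixlen dev "\$INTERFACE"
else
    ifconfig "\$INTERFACE" down
fi
EOF

    chmod 0755 "$netdir/tinc-up" "$netdir/tinc-down"
}

# Stand-alone usage: sh gen-tinc-scripts.sh /usr/local/etc/tinc/beernet 10.10.10.2 24
if [ "$#" -eq 3 ]; then
    write_tinc_scripts "$1" "$2" "$3"
fi
```

Run it once per node with that node's own address (10.10.10.1 on the server, 10.10.10.2 or 10.10.10.3 on the clients in the page's example), then start tincd in the foreground as the page shows and confirm the address appears on the device.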
Set up systemd services
- /lib/systemd/system/tinc.service
[Unit]
Description=Tinc VPN
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target
- /lib/systemd/system/tinc@.service
[Unit]
Description=Tinc net %i
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
KillMode=mixed
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
- enable them on boot:
systemctl enable tinc@lurknet
- Start / stop at will:
sudo systemctl start tinc@lurknet
sudo systemctl stop tinc@lurknet
Switch vs Router mode
In router mode tinc runs as a Layer 3 network, while switch mode allows tinc to run as a Layer 2 network. By default Tinc runs in router mode, and that is fine for most of the things you may need. However, sometimes an application going through tinc may need Layer 2 to work properly, for instance some automagical network/peer discovery making use of Layer 2 broadcasts. If you need to switch to switch mode (haha...) then add the following to the tinc.conf of all the nodes:
Mode = switch