Difference between revisions of "VPN with Tinc"
Old revision edit summary: (→FreeBSD). New revision edit summary: (→FreeBSD and GNU/Linux).
(9 intermediate revisions by the same user not shown)
Revision as of 18:27, 11 June 2021
FIXME: What's a VPN, what's Tinc
Installation on Server(s) and Client(s)

FreeBSD

- Install tinc 1.1 pre from ports:
    sudo pkg install tinc-devel                   # binary
    sudo portmaster -iB security/tinc-devel       # source
GNU/Linux (Debian based)

- Install tinc 1.1 pre from source (or pull the deb from experimental); first install the build dependencies:
    sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev
- Compile tinc 1.1pre:
    cd /usr/src/
    wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
    tar xvf tinc-1.1pre17.tar.gz
    cd tinc-1.1pre17
    ./configure
    make
    sudo make install
- Once installed, the configuration dir should be /usr/local/etc/tinc/, and tinc and tincd are installed in /usr/local/sbin/ (i.e. /usr/local/sbin/tinc and /usr/local/sbin/tincd).
- If needed, make a directory for the pidfile and socket:
    sudo mkdir -p /usr/local/var/run/
Windows

- Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/

MacOs

FIXME
Setup Server(s)

FreeBSD and GNU/Linux

- Initialize a new VPN:
    sudo tinc -n beernet init server
- Configure the host's own interface:
    sudo tinc -n beernet add subnet 10.10.10.1
- Configure the host's public IP, or its domain if you have one for the host:
    sudo tinc -n beernet add address=super.domain.xxx   # if you have a domain ...
    sudo tinc -n beernet add address=1.1.1.1            # or if you just have a public IP
- Edit /usr/local/etc/tinc/beernet/tinc-up so that your network interface is brought up correctly, for instance with:
    ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0   # leave $INTERFACE as it is and remove the echo line
- Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
- Test whether your VPN works for the time being by running it directly in a shell with extra verbose options:
    tincd -n beernet -D -d3
Setup Client(s)

FreeBSD and GNU/Linux

- Generate an invite on the server:
    tinc -n beernet invite ${CLIENT_NAME}
- This will give you ${URL}.
- On the BSD/Linux client:
    tinc -n beernet join ${URL}
    tinc -n beernet add subnet 10.10.10.2
- Edit /usr/local/etc/tinc/beernet/tinc-up so that your network interface is brought up correctly, for instance with:
    ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0   # leave $INTERFACE as it is and remove the echo line
- Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
- Test whether your VPN works for the time being by running it directly in a shell with extra verbose options:
    tincd -n beernet -D -d3
- Try to ping the server from the client and the other way around to make sure all is good.
Windows

- Generate an invite on the server:
    tinc -n beernet invite ${CLIENT_NAME}
- This will give you ${URL}.
- On the Windows client machine, open a terminal, locate the Tinc install folder and run:
    tinc.exe -n beernet join ${URL}
    tinc.exe -n beernet add subnet 10.10.10.3
- Go to C:\Program Files\tinc\tap-win64
- Run addtap.bat. Click yes to install the driver.
- Find the ${NAME} of the new network adapter:
    netsh interface ipv4 show interfaces
- Rename this interface:
    netsh interface set interface name = "${NAME}" newname = "tinc"
- Give it the same IP as in the tinc client config:
    netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0
- Try to ping the server from the client and the other way around to make sure all is good.
MacOs
FIXME
PRO tips

Firewall

iptables

    # Allow Tinc VPN connections without port restrictions
    -A INPUT -i tun+ -j ACCEPT
    -A OUTPUT -o tun+ -j ACCEPT

    -A INPUT -p tcp --sport 655 -j ACCEPT
    -A INPUT -p tcp --dport 655 -j ACCEPT
    -A OUTPUT -p tcp --sport 655 -j ACCEPT
    -A OUTPUT -p tcp --dport 655 -j ACCEPT

    -A INPUT -p udp --sport 655 -j ACCEPT
    -A INPUT -p udp --dport 655 -j ACCEPT
    -A OUTPUT -p udp --sport 655 -j ACCEPT
    -A OUTPUT -p udp --dport 655 -j ACCEPT
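The INPUT rules above that match only `--sport 655` accept packets keyed on a value the remote side chooses. The following stateful rewrite of the same ruleset, plus a small lint that flags that pattern, is an added example and not part of the wiki; it keeps the page's tun+ interface pattern and port 655, and hardened_rules, lint_sport_accept and permissive_sample are names chosen here.

```shell
#!/bin/sh
# Added example, not from the wiki: a stateful version of the iptables rules
# above plus a lint for INPUT rules that ACCEPT on source port alone. Such a
# rule lets any remote host reach any local service just by sending from
# port 655; matching the destination port plus conntrack state is enough.
set -eu

# iptables-restore style filter table (tun+ and 655 are the page's own values).
hardened_rules() {
    cat <<'EOF'
*filter
# Traffic on the tunnel interface (pattern must match tincd's Interface name)
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
# Replies to connections already tracked, in both directions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound tinc: only new connections to the port tincd listens on
-A INPUT -p tcp --dport 655 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 655 -j ACCEPT
# Outbound tinc to peers
-A OUTPUT -p tcp --dport 655 -j ACCEPT
-A OUTPUT -p udp --dport 655 -j ACCEPT
COMMIT
EOF
}

# Read rules on stdin, print each INPUT ACCEPT that matches only a source
# port; return 1 if any was found, 0 otherwise.
lint_sport_accept() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *--dport*) ;;
            *"-A INPUT "*--sport*"-j ACCEPT"*)
                printf 'source-port-only accept: %s\n' "$line"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: the permissive INPUT rules from the how-to above.
permissive_sample() {
    printf '%s\n' \
        '-A INPUT -i tun+ -j ACCEPT' \
        '-A INPUT -p tcp --sport 655 -j ACCEPT' \
        '-A INPUT -p tcp --dport 655 -j ACCEPT' \
        '-A INPUT -p udp --sport 655 -j ACCEPT'
}
```

Run `hardened_rules | sudo iptables-restore --test` to syntax-check the ruleset before loading it, and `permissive_sample | lint_sport_accept` to see the two offending lines.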
GNU/Linux with new net interface tool

ifconfig will likely be deprecated or even removed on some recent GNU/Linux distros, so the proper way to configure tinc-up on such machines is as follows:
    ip addr add 10.0.1.1/24 dev $INTERFACE
    ip link set $INTERFACE up
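A tinc-up that covers both the server/client tinc-up steps in the setup sections above and this PRO tip: it uses ip when present and falls back to ifconfig, converting the CIDR prefix to the netmask ifconfig wants. This is an added example, not the wiki's own file; VPN_ADDR, VPN_PREFIX, prefix_to_netmask, tinc_up_commands and pick_tool are names chosen here, and 10.10.10.2/24 is the client address from the how-to.

```shell
#!/bin/sh
# tinc-up for a beernet node: tincd runs this with $INTERFACE set to the
# tunnel device. Uses "ip" (iproute2) when present, else falls back to ifconfig.
# Added example, not the wiki's own file; VPN_ADDR/VPN_PREFIX are assumed names
# and 10.10.10.2/24 is the client address from the how-to.
set -eu

VPN_ADDR="10.10.10.2"
VPN_PREFIX="24"

# Convert a CIDR prefix length (0-32) to the dotted netmask ifconfig expects.
prefix_to_netmask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        else
            octet=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# Print the command lines that configure interface $2 with $3/$4 using tool $1.
tinc_up_commands() {
    tool=$1; iface=$2; addr=$3; prefix=$4
    case "$tool" in
        ip)
            printf 'ip addr add %s/%s dev %s\n' "$addr" "$prefix" "$iface"
            printf 'ip link set %s up\n' "$iface" ;;
        ifconfig)
            printf 'ifconfig %s %s netmask %s\n' "$iface" "$addr" "$(prefix_to_netmask "$prefix")" ;;
        *)
            echo "tinc-up: no supported interface tool ($tool)" >&2; return 1 ;;
    esac
}

# Prefer iproute2 (ifconfig is deprecated on recent distros), else ifconfig.
pick_tool() {
    if command -v ip >/dev/null 2>&1; then echo ip
    elif command -v ifconfig >/dev/null 2>&1; then echo ifconfig
    else echo none; fi
}

# Only act when started by tincd (which exports INTERFACE); elsewhere just define.
if [ -n "${INTERFACE:-}" ]; then
    tinc_up_commands "$(pick_tool)" "$INTERFACE" "$VPN_ADDR" "$VPN_PREFIX" | sh -e
fi
```

Change VPN_ADDR to 10.10.10.1 for the server node; the same file then works unchanged on FreeBSD (ifconfig) and on distros that only ship iproute2.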
Set up systemd services

- /lib/systemd/system/tinc.service
    [Unit]
    Description=Tinc VPN
    After=network.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/bin/true
    ExecReload=/bin/true
    WorkingDirectory=/usr/local/etc/tinc

    [Install]
    WantedBy=multi-user.target
- /lib/systemd/system/tinc@.service
    [Unit]
    Description=Tinc net %i
    PartOf=tinc.service
    ReloadPropagatedFrom=tinc.service

    [Service]
    Type=simple
    WorkingDirectory=/usr/local/etc/tinc/%i
    ExecStart=/usr/local/sbin/tincd -n %i -D
    ExecReload=/usr/local/sbin/tincd -n %i -kHUP
    KillMode=mixed
    TimeoutStopSec=5
    Restart=always
    RestartSec=60

    [Install]
    WantedBy=multi-user.target
- Enable them on boot:
    systemctl enable tinc@lurknet
- Start / stop at will:
    sudo systemctl start tinc@lurknet
    sudo systemctl stop tinc@lurknet
Switch vs Router mode

In router mode tinc runs as a Layer 3 network, while switch mode allows tinc to run as a Layer 2 network. By default Tinc runs in router mode, and that will be fine for most things you may need. However, sometimes an application going through tinc may need Layer 2 to work properly, for instance some automagical network/peer discovery that relies on Layer 2 broadcasts. If you need to switch to switch (haha...) then add the following to the tinc.conf of all the nodes:
    Mode = switch