Difference between revisions of "VPN with Tinc"

From Run Your Own
Latest revision as of 00:26, 9 January 2022

FIXME: What's a VPN, what's Tinc

Installation on Server(s) and Client(s)

FreeBSD

  • Install tinc 1.1 pre from ports
sudo pkg install tinc-devel               # binary
sudo portmaster -iB security/tinc-devel   # source

GNU/Linux (Debian based)

  • Install tinc 1.1 pre from source (or pull the deb from experimental)
sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev
  • Compile tinc 1.1pre:
cd /usr/src/
wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
tar xvf tinc-1.1pre17.tar.gz
cd tinc-1.1pre17
./configure
make
sudo make install
  • Once installed, the configuration dir should be /usr/local/etc/tinc/, and the tinc and tincd binaries are installed in /usr/local/sbin/ (as /usr/local/sbin/tinc and /usr/local/sbin/tincd)
  • If needed, make a directory for pidfile and socket
sudo mkdir -p /usr/local/var/run/

Windows

  • Install tinc 1.1 pre win binaries from upstream at https://tinc-vpn.org/download/

MacOs

FIXME

Setup Server(s)

FreeBSD and GNU/Linux

  • Initialize new VPN
sudo tinc -n beernet init server
  • Configure the host's own interface
sudo tinc -n beernet add subnet 10.10.10.1
  • Configure the host's public IP, or domain if you have one for the host
sudo tinc -n beernet add address=super.domain.xxx  # if you have a domain ...
sudo tinc -n beernet add address=1.1.1.1           # or if you just have a public IP
  • Edit /usr/local/etc/tinc/beernet/tinc-up so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0  # leave $INTERFACE as it is and remove the echo line
  • Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
  • Test that the VPN works by running it directly in a shell, in the foreground (-D) with extra verbose output (-d3):
tincd -n beernet -D -d3

Setup Client(s)

FreeBSD and GNU/Linux

  • Generate invite on the server
tinc -n beernet invite ${CLIENT_NAME}
  • This will give you ${URL}
  • On the BSD/Linux client
tinc -n beernet join ${URL}
tinc -n beernet add subnet 10.10.10.2
  • Edit /usr/local/etc/tinc/beernet/tinc-up so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0  # leave $INTERFACE as it is and remove the echo line
  • Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
  • Test that the VPN works by running it directly in a shell, in the foreground (-D) with extra verbose output (-d3):
tincd -n beernet -D -d3
  • Ping the server from the client and the client from the server to make sure all is good.

Windows

  • Generate invite on the server
tinc -n beernet invite ${CLIENT_NAME}
  • This will give you ${URL}
  • On the Windows client machine, open a terminal, locate the Tinc install folder and:
tinc.exe -n beernet join ${URL}
tinc.exe -n beernet add subnet 10.10.10.3
  • Go to C:\Program Files\tinc\tap-win64
  • Run addtap.bat and click yes to install the driver.
  • Find the ${NAME} of the new network adapter:
netsh interface ipv4 show interfaces
  • Rename this interface:
netsh interface set interface name = "${NAME}" newname = "tinc"
  • Give it the same IP as in the tinc client config (the subnet added above):
netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0
  • Ping the server from the client and the client from the server to make sure all is good.

MacOs

FIXME

PRO tips

Firewall

iptables

# Allow Tinc VPN connections without port restrictions
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

-A INPUT -p tcp --sport 655 -j ACCEPT
-A INPUT -p tcp --dport 655 -j ACCEPT
-A OUTPUT -p tcp --sport 655 -j ACCEPT
-A OUTPUT -p tcp --dport 655 -j ACCEPT

-A INPUT -p udp --sport 655 -j ACCEPT
-A INPUT -p udp --dport 655 -j ACCEPT
-A OUTPUT -p udp --sport 655 -j ACCEPT
-A OUTPUT -p udp --dport 655 -j ACCEPT
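An added example, not part of this wiki page: a shell helper that reads the port from the Port variable in tinc.conf (tinc's default is 655) and emits a stateful variant of the rules above. It accepts new connections only towards that destination port and lets conntrack admit the replies, rather than accepting any packet whose source port happens to be 655. The tinc.conf path and the sample file used in the usage line are assumptions.

```shell
# Added example (not from the wiki page): derive the tinc port from tinc.conf
# and emit stateful iptables rules for it. Assumes the tinc 1.1 layout
# /usr/local/etc/tinc/<net>/tinc.conf; the path in the usage line is a placeholder.

# Print the value of "Port = N" from a tinc.conf (key is case-insensitive,
# '#' starts a comment); tinc listens on 655 when the variable is absent.
tinc_port() {
    port=$(sed -n 's/^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" 2>/dev/null | head -n 1)
    printf '%s\n' "${port:-655}"
}

# Rules in iptables-restore syntax, like the page's. New connections are
# accepted only towards the tinc port; replies come back through conntrack,
# so nothing is accepted merely because its source port is 655.
tinc_fw_rules() {
    port=$1
    cat <<EOF
# tunnel traffic itself is unrestricted (interface pattern as on the page)
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
# replies to connections already accepted in either direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# peers reaching this node: meta-connection over TCP, tunnel data over UDP
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# this node reaching its peers' tinc port
-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Usage (placeholder path; substitute your net's tinc.conf):
# tinc_fw_rules "$(tinc_port /usr/local/etc/tinc/beernet/tinc.conf)"
```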

GNU/Linux with new net interface tool

ifconfig is likely to be deprecated or even removed on some recent GNU/Linux distros, so the proper way to write tinc-up on such machines is as follows:

ip addr add 10.0.1.1/24 dev $INTERFACE
ip link set $INTERFACE up
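An added example, not from this wiki page: a tinc-up script that takes the address in the same CIDR form used with tinc add subnet, uses ip when it is present and falls back to ifconfig otherwise, computing the netmask from the prefix length. It relies on tincd exporting $INTERFACE to tinc-up, and assumes this node's address is 10.10.10.1/24; the command-building function only prints, so it can be checked without touching an interface.

```shell
#!/bin/sh
# Added example (not from the wiki page): tinc-up that takes a CIDR address
# and works with either `ip` or `ifconfig`. tincd exports INTERFACE when it
# runs this script. Assumption: this node's address is 10.10.10.1/24.
VPN_ADDR="${VPN_ADDR:-10.10.10.1/24}"

# Prefix length (0-32) -> dotted netmask, e.g. 24 -> 255.255.255.0
cidr_to_netmask() {
    prefix=$1
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    mask=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$prefix" -ge 8 ]; then
            octet=255
        elif [ "$prefix" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - prefix)) ))
        fi
        mask="${mask}${mask:+.}${octet}"
        prefix=$(( prefix - 8 ))
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# Print (not run) the commands that configure interface $2 with address $1
# using tool $3 (ip|ifconfig), so the result can be checked with a dry run.
tinc_up_cmds() {
    addr=${1%/*}
    prefix=${1#*/}
    iface=$2
    case $3 in
        ip)
            printf 'ip addr add %s/%s dev %s\n' "$addr" "$prefix" "$iface"
            printf 'ip link set %s up\n' "$iface" ;;
        ifconfig)
            printf 'ifconfig %s %s netmask %s\n' "$iface" "$addr" \
                "$(cidr_to_netmask "$prefix")" ;;
        *)  return 1 ;;
    esac
}

# Only configure when invoked by tincd (INTERFACE set); prefer ip over ifconfig.
if [ -n "$INTERFACE" ]; then
    if command -v ip >/dev/null 2>&1; then tool=ip; else tool=ifconfig; fi
    tinc_up_cmds "$VPN_ADDR" "$INTERFACE" "$tool" | sh -e
fi
```

Set VPN_ADDR in the node's environment, or edit the default, and keep the file executable as tinc expects.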

Set up systemd services

  • /lib/systemd/system/tinc.service
[Unit]
Description=Tinc VPN
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target
  • /lib/systemd/system/tinc@.service
[Unit]
Description=Tinc net %i
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
KillMode=mixed
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
  • Enable them on boot (lurknet is the net name here; use your own):
systemctl enable tinc@lurknet
  • Start / stop at will:
sudo systemctl start tinc@lurknet
sudo systemctl stop tinc@lurknet

Switch vs Router mode

In router mode tinc runs as a Layer 3 network, while switch mode lets tinc run as a Layer 2 network. By default tinc runs in router mode, and that is fine for most things you may need. However, sometimes an application going through tinc may need Layer 2 to work properly, for instance some automagical network/peer discovery that relies on Layer 2 broadcasts. If you need to switch to switch (haha...), add the following to the tinc.conf of all the nodes:

Mode = switch

Conflict with OpenVPN on Windows

Tinc's TAP driver and OpenVPN's own TAP driver seem to confuse each other. There must be a way to make them live in harmony? As a workaround, it's possible to disable the OpenVPN TAP adapter so that when Tinc is launched it properly uses its own interface and not the one from OpenVPN (the adapter name below is the French Windows default; use the name of the OpenVPN adapter on your machine):

netsh interface set interface "Connexion au réseau local" disable

Further readings and more cool stuff