Difference between revisions of "VPN with Tinc"

From Run Your Own
(FreeBSD and GNU/Linux)
Line 22: Line 22:
 
* If needed, make a directory for pidfile and socket
 
* If needed, make a directory for pidfile and socket
 
  sudo mkdir -p /usr/local/var/run/
 
  sudo mkdir -p /usr/local/var/run/
 
 
 
 
==== Configure Server ====
 
 
sudo tinc -n lurknet init servername
 
 
sudo tincd -n lurknet
 
 
sudo tinc -n lurknet add subnet 10.0.1.1
 
 
sudo tinc -n lurknet add address=public.IP.address
 
 
==== Set up interface scripts ====
 
 
sudo vim  /usr/local/etc/tinc/lurknet/tinc-up
 
 
#!/bin/bash
 
ip addr add 10.0.1.1/24 dev $INTERFACE
 
ip link set $INTERFACE up
 
 
sudo vim /usr/local/etc/tinc/VPNNAME/tinc-down
 
 
#!/bin/bash
 
ip route del 10.0.1.1/24 dev $INTERFACE
 
ifconfig $INTERFACE down
 
 
Make them executable
 
 
cd /usr/local/etc/tinc/lurknet/ && chmod +x tinc-*
 
 
==== Configure client ====
 
 
For the client (given gnu/linux) compile the software as instructed above. Also make the systemD scripts and set up the interface scripts (using a different IP-address).
 
 
'''On the server''' then generate an invitation url:
 
 
tinc -n lurknet invite $CLIENTHOSTNAME
 
 
This will give you an invite URL so you can join the network '''on the client''':
 
 
tinc join $INVITEURL
 
 
tinc -n lurknet add subnet 10.0.1.3
 
 
 
==== Further reading ====
 
 
The above is an amalgam from and may provide further details:
 
 
https://zingmars.info/2018/07/14/Tinc-1.1-setup-instructions/
 
 
https://www.tinc-vpn.org/documentation-1.1/
 
 
http://pzwiki.wdka.nl/mediadesign/Tinc
 
  
 
=== MacOs ===
 
=== MacOs ===
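Review bot: the section removed in this hunk was the only place on the page that defined a tinc-down script, and the new revision's tinc-up instructions (`ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0`) are left without a matching teardown, so consider carrying a tinc-down forward. If it is reinstated, note that the removed version paired `ip route del 10.0.1.1/24 dev $INTERFACE` with `ifconfig $INTERFACE down`, which does not undo the `ip addr add 10.0.1.1/24 dev $INTERFACE` in its tinc-up; `ip addr del` plus `ip link set $INTERFACE down` is the symmetric pair. The 10.0.1.1/24 address from this removed section also survives in the PRO tips of the new revision while the rest of the page now uses 10.10.10.0/24.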
Line 100: Line 44:
 
  tincd -n beernet -D -d3
 
  tincd -n beernet -D -d3
  
== Setup Client ==
+
== Setup Client(s) ==
=== FreeBSD ===
+
=== FreeBSD and GNU/Linux ===
=== GNU/Linux ===
+
* Generate invite '''on the server'''
=== MacOs ===
+
tinc -b beernet invite ${CLIENT_NAME}
 +
* This will give you ${URL}
 +
* '''On the BSD/Linux client'''
 +
tinc.exe -n beernet join ${URL}
 +
tinc.exe -n beernet add subnet 10.10.10.2
 +
* edit <code>/usr/local/etc/tinc/beernet/tinc-up</code>, so that your network interface is brought up correctly, for instance with:
 +
ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0  # leave $INTERFACE as it is and remove the echo line
 +
* '''Note:''' if you don't have <code>ifconfig</code> available on your GNU/Linux distro, see PRO tips below.
 +
* test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options:
 +
tincd -n beernet -D -d3
 +
* try to ping the server from the client and the other way around to make all is good
 +
 
 
=== Windows ===
 
=== Windows ===
* Generate invite on the server
+
* Generate invite '''on the server'''
 
  tinc -b beernet invite ${CLIENT_NAME}
 
  tinc -b beernet invite ${CLIENT_NAME}
 
* This will give you ${URL}
 
* This will give you ${URL}
* On the windows client
+
* '''On the windows client machine''', open a terminal, locate the Tinc install folder and:
 
  tinc.exe -n beernet join ${URL}
 
  tinc.exe -n beernet join ${URL}
  tinc.exe -n beernet add subnet 10.10.10.2
+
  tinc.exe -n beernet add subnet 10.10.10.3
 
* got to <code>C:\Program Files\tinc\tap-win64</code>
 
* got to <code>C:\Program Files\tinc\tap-win64</code>
 
* run <code>addtap.bat</code>. Click yes to install the driver.
 
* run <code>addtap.bat</code>. Click yes to install the driver.
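Review bot: on the BSD/Linux client the added lines run `tinc.exe -n beernet join ${URL}` and `tinc.exe -n beernet add subnet 10.10.10.2`, but `tinc.exe` is the Windows binary name; on FreeBSD and GNU/Linux it should be plain `tinc`. The invite line `tinc -b beernet invite ${CLIENT_NAME}` (copied into the Windows section too) has the wrong option as well: `-b` is tinc's batch flag, the network is selected with `-n beernet`. Since the invitation URL is a one-time credential that lets whoever holds it join the network, the "This will give you ${URL}" bullet could add that it should be passed to the client over a channel you trust.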
Line 118: Line 73:
 
  netsh interface set interface name = "${NAME}" newname = "tinc"
 
  netsh interface set interface name = "${NAME}" newname = "tinc"
 
* give it the same IP as tinc client config
 
* give it the same IP as tinc client config
  netsh interface ip set address "tinc" static 10.10.10.2 255.255.255.0.
+
  netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0.
 +
* try to ping the server from the client and the other way around to make all is good
 +
 
 +
=== MacOs ===
 +
'''FIXME'''
  
 
== PRO tips ==
 
== PRO tips ==
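Review bot: `netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0.` ends with a stray period after the netmask (present in both the old and the new line), which netsh will reject as an invalid mask; drop it. The change of the client address to 10.10.10.3 does match the `tinc.exe -n beernet add subnet 10.10.10.3` line earlier in the diff, which resolves the collision with the BSD/Linux client's 10.10.10.2.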
Line 127: Line 86:
  
 
=== Set up systemd services ===
 
=== Set up systemd services ===
 
 
* <code>/lib/systemd/system/tinc.service</code>
 
* <code>/lib/systemd/system/tinc.service</code>
 
  [Unit]
 
  [Unit]
Line 167: Line 125:
 
  sudo systemctl start tinc@lurknet
 
  sudo systemctl start tinc@lurknet
 
  sudo systemctl stop tinc@lurknet
 
  sudo systemctl stop tinc@lurknet
 +
 +
== Further readings and more cool stuff ==
 +
* https://pzwiki.wdka.nl/mediadesign/Tinc
 +
* https://www.tinc-vpn.org/documentation-1.1
  
  
 
[[Category: VPN]]
 
[[Category: VPN]]
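Review bot: the context lines `sudo systemctl start tinc@lurknet` / `sudo systemctl stop tinc@lurknet` (and the `systemctl enable tinc@lurknet` just above this hunk) still refer to the old network name; everywhere else in this revision the network is `beernet`, so the unit instance should be `tinc@beernet`. Also, the unit files are new, so a `systemctl daemon-reload` before `enable` would save readers a "unit not found" error. Unrelated to this hunk's own change: the added "Further readings" section drops the zingmars.info link that the removed section cited, which is fine if intentional.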

Revision as of 00:38, 19 February 2021

FIXME: What's a VPN, what's Tinc

Installation on Server(s) and Client(s)

FreeBSD

  • Install tinc 1.1 pre from ports
sudo pkg install tinc-devel               # binary
sudo portmaster -iB security/tinc-devel   # source

GNU/Linux (Debian based)

  • Install tinc 1.1 pre from source (or pull the deb from experimental)
sudo apt install -y build-essential libncurses5-dev libreadline6-dev libzlcore-dev zlib1g-dev liblzo2-dev libssl-dev
  • Compile tinc 1.1pre :
cd /usr/src/
wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
tar xvf tinc-1.1pre17.tar.gz
cd tinc-1.1pre17
./configure
make
sudo make install
  • Once installed, the configuration directory is /usr/local/etc/tinc/, and the tinc and tincd binaries are installed in /usr/local/sbin/
  • If needed, make a directory for pidfile and socket
sudo mkdir -p /usr/local/var/run/

MacOs

FIXME

Windows

Setup Server(s)

FreeBSD and GNU/Linux

  • Initialize new VPN
sudo tinc -n beernet init server
  • Configure the host's own interface
sudo tinc -n beernet add subnet 10.10.10.1
  • Configure the host's public IP, or domain if you have one for the host
sudo tinc -n beernet add address=super.domain.xxx  # if you have a domain ...
sudo tinc -n beernet add address=1.1.1.1           # or if you just have a public IP
  • edit /usr/local/etc/tinc/beernet/tinc-up, so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.255.0  # leave $INTERFACE as it is and remove the echo line
  • Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
  • test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options:
tincd -n beernet -D -d3
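Before that first foreground run it is worth checking the network directory that `tinc init` just created: the usual failures are a private key that other local users can read, a tinc-up that is not executable, or a tinc.conf without a Name. The script below is an added example, not code from this page or from the tinc project; it assumes tinc 1.1's default private key file names (rsa_key.priv and ed25519_key.priv) and the /usr/local/etc/tinc root used above, and it only reads, never changes, the directory.

```sh
#!/bin/sh
# Added example: sanity-check a tinc 1.1 network directory before starting tincd.
# Assumptions: key files are named rsa_key.priv / ed25519_key.priv (tinc 1.1 defaults)
# and the config root is /usr/local/etc/tinc as on this page. Override with TINC_ROOT.
set -eu

TINC_ROOT="${TINC_ROOT:-/usr/local/etc/tinc}"

# Return 0 when the file exists and has no group/other permission bits at all.
# Uses `ls -l` so it works on FreeBSD and GNU/Linux alike (stat flags differ between them):
# columns 5-10 of the mode string are the group and other bits, e.g. "-rw-------" -> "------".
key_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode="$(ls -l "$f" | cut -c5-10)"
    [ "$mode" = "------" ]
}

# Check one network directory. Prints each problem found and returns their count (0 = ok).
check_net_dir() {
    dir="$1"; problems=0

    [ -f "$dir/tinc.conf" ] \
        || { echo "missing $dir/tinc.conf"; problems=$((problems+1)); }
    # tinc.conf must name this host; the invite/join commands rely on it
    grep -q '^Name *= *[A-Za-z0-9_]' "$dir/tinc.conf" 2>/dev/null \
        || { echo "$dir/tinc.conf has no 'Name = <host>' line"; problems=$((problems+1)); }

    # At least one private key must exist, and any that exists must be 0600-ish
    [ -f "$dir/ed25519_key.priv" ] || [ -f "$dir/rsa_key.priv" ] \
        || { echo "no private key in $dir (run: tinc -n <net> init <host>)"; problems=$((problems+1)); }
    for k in rsa_key.priv ed25519_key.priv; do
        if [ -f "$dir/$k" ] && ! key_is_private "$dir/$k"; then
            echo "$dir/$k is readable by group/others (chmod 600 it)"
            problems=$((problems+1))
        fi
    done

    # tincd runs tinc-up as root after opening the interface; it must be executable
    [ -x "$dir/tinc-up" ] \
        || { echo "$dir/tinc-up is missing or not executable"; problems=$((problems+1)); }
    # hosts/ holds this host's and every peer's public config
    [ -d "$dir/hosts" ] \
        || { echo "$dir/hosts directory is missing"; problems=$((problems+1)); }

    return "$problems"
}

# Usage: ./tinc-check.sh beernet   (checks /usr/local/etc/tinc/beernet)
if [ -n "${1:-}" ]; then
    check_net_dir "$TINC_ROOT/$1" && echo "$TINC_ROOT/$1 looks sane"
fi
```

Run it as the same user that will start tincd (normally root via sudo), since the readability checks are about what other accounts on the box can see, and a non-zero exit tells you how many problems it printed.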

Setup Client(s)

FreeBSD and GNU/Linux

  • Generate an invite on the server
tinc -n beernet invite ${CLIENT_NAME}   # -n selects the network (-b is tinc's batch flag, not the network option)
  • This prints an invitation URL, referred to below as ${URL}; it is a one-time credential, so pass it to the client over a channel you trust
  • On the BSD/Linux client (the binary is plain tinc here; tinc.exe is the Windows name)
tinc -n beernet join ${URL}
tinc -n beernet add subnet 10.10.10.2
  • edit /usr/local/etc/tinc/beernet/tinc-up, so that your network interface is brought up correctly, for instance with:
ifconfig $INTERFACE 10.10.10.2 netmask 255.255.255.0  # leave $INTERFACE as it is and remove the echo line
  • Note: if you don't have ifconfig available on your GNU/Linux distro, see PRO tips below.
  • test if your VPN works nicely for the time being by running it directly in a shell with extra verbose options:
tincd -n beernet -D -d3
  • try to ping the server from the client and the other way around to make sure all is good

Windows

  • Generate an invite on the server
tinc -n beernet invite ${CLIENT_NAME}   # -n selects the network, not -b
  • This prints an invitation URL, referred to below as ${URL}
  • On the Windows client machine, open a terminal in the Tinc install folder and run:
tinc.exe -n beernet join ${URL}
tinc.exe -n beernet add subnet 10.10.10.3
  • go to C:\Program Files\tinc\tap-win64
  • run addtap.bat. Click yes to install the driver.
  • Find the ${NAME} of the new network adapter
netsh interface ipv4 show interfaces
  • Rename this interface
netsh interface set interface name = "${NAME}" newname = "tinc"
  • give it the same IP as in the tinc client config
netsh interface ip set address "tinc" static 10.10.10.3 255.255.255.0
  • try to ping the server from the client and the other way around to make sure all is good

MacOs

FIXME

PRO tips

GNU/Linux with new net interface tool

ifconfig is likely to be deprecated or even removed on some recent GNU/Linux distros, so on such machines the proper way to configure tinc-up is as follows (10.10.10.1 is the server's address from the setup above; on a client use that client's own address):

ip addr add 10.10.10.1/24 dev $INTERFACE   # this host's VPN address, same one given to `tinc add subnet`
ip link set $INTERFACE up
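The same tinc-up then has to differ between a FreeBSD host (ifconfig) and a modern GNU/Linux host (ip), and the page gives no tinc-down at all. The script below is an added example, not code from this page or from the tinc project: one file that serves as both tinc-up and tinc-down (install it as tinc-up and symlink or copy it to tinc-down in the same directory), picks `ip` when it is present and falls back to `ifconfig` otherwise, and can print its plan instead of executing it. The VPN_ADDR default of 10.10.10.1 (the server's address on this page) and the DRY_RUN variable are assumptions of this example; $INTERFACE is set by tincd itself.

```sh
#!/bin/sh
# Added example: a tinc-up / tinc-down that works with iproute2 (`ip`) or classic `ifconfig`.
# Install as /usr/local/etc/tinc/beernet/tinc-up, make it executable, and link or copy it to
# tinc-down; tincd exports $INTERFACE before running either. Assumptions of this example:
# VPN_ADDR defaults to the server's 10.10.10.1 (set 10.10.10.2 etc. on clients) and
# DRY_RUN=1 prints the commands instead of running them.
set -eu

VPN_ADDR="${VPN_ADDR:-10.10.10.1}"
VPN_PREFIX=24
VPN_NETMASK=255.255.255.0

# Print the commands that bring the interface up with whichever tool this host has.
# Keeping the plan separate from its execution lets it be reviewed (and tested) without root.
plan_up() {
    iface="$1"; addr="$2"
    if command -v ip >/dev/null 2>&1; then
        printf 'ip addr add %s/%s dev %s\n' "$addr" "$VPN_PREFIX" "$iface"
        printf 'ip link set %s up\n' "$iface"
    else
        printf 'ifconfig %s %s netmask %s up\n' "$iface" "$addr" "$VPN_NETMASK"
    fi
}

# Matching teardown for tinc-down: remove the address, then take the link down.
plan_down() {
    iface="$1"; addr="$2"
    if command -v ip >/dev/null 2>&1; then
        printf 'ip addr del %s/%s dev %s\n' "$addr" "$VPN_PREFIX" "$iface"
        printf 'ip link set %s down\n' "$iface"
    else
        printf 'ifconfig %s down\n' "$iface"
    fi
}

# Execute the plan read from stdin, stopping at the first failing command,
# or just print it when DRY_RUN=1.
run_plan() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        cat
    else
        sh -e
    fi
}

# Only act when tincd invoked us ($INTERFACE set); sourcing the file for tests leaves it unset.
if [ -n "${INTERFACE:-}" ]; then
    case "$(basename "$0")" in
        tinc-down) plan_down "$INTERFACE" "$VPN_ADDR" | run_plan ;;
        *)         plan_up   "$INTERFACE" "$VPN_ADDR" | run_plan ;;
    esac
fi
```

To see what a host would do without touching its interfaces, run `INTERFACE=tinc0 DRY_RUN=1 ./tinc-up`; on a client, export VPN_ADDR with that client's address (10.10.10.2 or 10.10.10.3 on this page) or edit the default.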

Set up systemd services

  • /lib/systemd/system/tinc.service
[Unit]
Description=Tinc VPN
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target
  • /lib/systemd/system/tinc@.service
[Unit]
Description=Tinc net %i
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
KillMode=mixed
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
  • enable the network's service on boot (the unit files are new, so reload systemd first):
sudo systemctl daemon-reload
sudo systemctl enable tinc@beernet
  • Start / stop at will:
sudo systemctl start tinc@beernet
sudo systemctl stop tinc@beernet

Further readings and more cool stuff