tinc basic setup


Pablo Piaggio

Sep 24, 2015, 11:15:17 PM
to homefro...@googlegroups.com

EDIT1: Wed Oct 21 22:36:06 CDT 2015
  • hide real public IP of VPS.
  • correct path to file hfs001 is /etc/tinc/hfvpn001/hosts/hfs001
  • minor typos
--------------------------------------------------------------------------------------------------------------------------

Server side


Install tinc on Debian or Ubuntu:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install tinc

All relevant files are in /etc/tinc. The default installation does not include any preconfigured VPN. This is how it looks right after the install.

$ tree -F /etc/tinc
/etc/tinc
`-- nets.boot

The only preinstalled file is nets.boot, which lists the VPN names that should be initiated when tinc is started. Right after installation the file is empty.

To create a VPN, create a directory in /etc/tinc, and all settings will be under that directory. The relevant files are:

$ tree -F /etc/tinc
/etc/tinc
|-- hfvpn001/
|   |-- hosts/
|   |   |-- hfr001
|   |   `-- hfs001
|   |-- rsa_key.priv
|   |-- tinc.conf
|   |-- tinc-down*
|   `-- tinc-up*
`-- nets.boot
  • tinc.conf: basic configuration of the VPN. Here you set whether the VPN starts listening for connections (default action) or connects to another node (host).
  • tinc-up: script to set the VPN network settings. It is executed when the VPN service is started.
  • tinc-down: script to unset the VPN network settings. It is executed when the VPN service is stopped.
  • rsa_key.priv: private key of the current host. If the host is listening for connections it also works as the VPN private key (more on it below).
  • hosts/: a directory that contains host files. Each file is named after a node name (pseudo hostnames not related to the actual host names). A host file includes a particular host's settings and the host's public key (more details below).
Let's say the server host name serving the VPN is called hfs001, and the VPN's name is hfvpn001 (clever names aren't they?).

Create the VPN directories:

$ sudo mkdir /etc/tinc/hfvpn001
$ sudo mkdir /etc/tinc/hfvpn001/hosts

Create the main configuration file as follows:

$ sudo vi /etc/tinc/hfvpn001/tinc.conf

tinc.conf:
Name = hfs001
AddressFamily = ipv4
Interface = tun0

tun0 is the name of the virtual network interface that will manage the VPN connections.

Create the host config file:

$ sudo vi /etc/tinc/hfvpn001/hosts/hfs001

hfs001:

Address = 1.2.3.4
Subnet = 10.0.0.1/32

where 1.2.3.4 is the public IP of the server, and 10.0.0.1/32 is the internal VPN address.

In order to authenticate hosts, tinc uses public/private keys. To create the pair:

$ sudo tincd -n hfvpn001 -K4096

That will create the file /etc/tinc/hfvpn001/rsa_key.priv with the private key, and it will append the public key to the host file. The host file should look like this now:

Address = 1.2.3.4
Subnet = 10.0.0.1/32

-----BEGIN RSA PUBLIC KEY-----
jTz67+xaxdP2s79lHeLLWhkXEYPMo3+dUfoiycbjHFP+87n38wJ2kDf56JLLAZBX
...
Wl6QC9HKNHpIcuGsg6+v6vG9Wuo0IYMopalgLpqpOxmAgAEhz5YNgockxgRNJjgy
-----END RSA PUBLIC KEY-----

Finally, create the up and down scripts:

$ sudo touch /etc/tinc/hfvpn001/tinc-up
$ sudo touch /etc/tinc/hfvpn001/tinc-down
$ sudo chmod a+x /etc/tinc/hfvpn001/tinc-*

$ sudo vi /etc/tinc/hfvpn001/tinc-up

tinc-up:
#!/bin/sh
/sbin/ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0

Then:
$ sudo vi /etc/tinc/hfvpn001/tinc-down

tinc-down:
#!/bin/sh
/sbin/ifconfig $INTERFACE down


Client side (home router side)

Let's say the client node name is hfr001. The initial steps are similar:

Create the VPN directories:

$ sudo mkdir /etc/tinc/hfvpn001
$ sudo mkdir /etc/tinc/hfvpn001/hosts


Create the main configuration file as follows:

$ sudo vi /etc/tinc/hfvpn001/tinc.conf

tinc.conf:
Name = hfr001
AddressFamily = ipv4
Interface = tun0
ConnectTo = hfs001

Now note that the line 'ConnectTo = hfs001' changes the behaviour of the service. When this VPN is initiated on the client, it will immediately try to connect to the node hfs001 (which hasn't been described yet on the client, but it will be).

Create the host config file:

$ sudo vi /etc/tinc/hfvpn001/hosts/hfr001

hfr001:
Subnet = 10.0.0.2/32

Since the client will only be making connections, not receiving, you only need to set its internal address.

To create the keys:

$ sudo tincd -n hfvpn001 -K4096

Create the up and down scripts:

$ sudo touch /etc/tinc/hfvpn001/tinc-up
$ sudo touch /etc/tinc/hfvpn001/tinc-down
$ sudo chmod a+x /etc/tinc/hfvpn001/tinc-*
$ sudo vi /etc/tinc/hfvpn001/tinc-up

tinc-up:
#!/bin/sh
/sbin/ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0

Then:

$ sudo vi /etc/tinc/hfvpn001/tinc-down

tinc-down:
#!/bin/sh
/sbin/ifconfig $INTERFACE down


Sharing private keys

Now that both nodes are set, the last step is to exchange public keys. In practice this means copying each other's host files, so on both nodes you'll have:

$ tree /etc/tinc/hfvpn001/hosts/
/etc/tinc/hfvpn001/hosts/
|-- hfr001
`-- hfs001

This could be done from the server or the client by either pulling or pushing the files. For example, from the client:

$ scp somesudouser@1.2.3.4:/etc/tinc/hfvpn001/hosts/hfs001 .
$ sudo cp ./hfs001 /etc/tinc/hfvpn001/hosts/

$ scp /etc/tinc/hfvpn001/hosts/hfr001 somesudouser@1.2.3.4:

and then from 'somesudouser' on the server:

$ sudo cp ./hfr001 /etc/tinc/hfvpn001/hosts/


Starting the VPN connection

There are 2 alternatives:

For a permanent stable solution, you can add the name of the VPN to the 'nets.boot' file:

$ sudo bash -c 'echo hfvpn001 >> /etc/tinc/nets.boot'

and then restart the service, first on the server and then on the client:

$ sudo service tinc stop
$ sudo service tinc start

The second alternative, preferred for debugging, is to start the services manually from either a GNU screen, or a tmux session using the debugging option:

$ sudo tincd -n hfvpn001 -D -d5
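Before starting the daemon it helps to confirm the directory actually contains what the steps above create. The following check script is an added example, not part of Pablo's post or of tinc itself; the function name `tinc_check_net` and its base-directory argument are assumptions. It verifies that the node's own host file carries its public key, that rsa_key.priv is readable only by its owner, that tinc-up/tinc-down are executable, and that every ConnectTo peer has an Address to dial.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a tinc network directory laid
# out as above. Usage: tinc_check_net /etc/tinc hfvpn001 ; exit 0 means clean.
tinc_check_net() {
    root=$1; net=$2; dir=$root/$net; problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    [ -f "$dir/tinc.conf" ] || { fail "$dir/tinc.conf missing"; return 1; }

    # Name = <node> says which hosts/ file must carry this node's own public key.
    name=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "$dir/tinc.conf")
    [ -n "$name" ] || fail "tinc.conf has no Name = line"

    # The private key must exist and must not be group- or world-readable.
    if [ -f "$dir/rsa_key.priv" ]; then
        case "$(ls -l "$dir/rsa_key.priv")" in
            -rw-------*) ;;
            *) fail "rsa_key.priv is readable by others (chmod 600 it)" ;;
        esac
    else
        fail "rsa_key.priv missing (run: tincd -n $net -K4096)"
    fi

    # Our own host file must hold the public key that -K4096 appended.
    if [ -n "$name" ] && ! grep -q 'BEGIN RSA PUBLIC KEY' "$dir/hosts/$name" 2>/dev/null; then
        fail "hosts/$name lacks a public key block"
    fi

    # tinc-up / tinc-down must be executable or $INTERFACE never gets its address.
    for s in tinc-up tinc-down; do
        [ -x "$dir/$s" ] || fail "$s missing or not executable (chmod a+x)"
    done

    # Every ConnectTo peer needs a host file with an Address = to dial.
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$dir/tinc.conf"); do
        grep -q '^[[:space:]]*Address[[:space:]]*=' "$dir/hosts/$peer" 2>/dev/null \
            || fail "ConnectTo = $peer but hosts/$peer has no Address ="
    done

    # Every host file should declare the Subnet it owns inside the VPN.
    for h in "$dir"/hosts/*; do
        [ -f "$h" ] || continue
        grep -q '^[[:space:]]*Subnet[[:space:]]*=' "$h" || fail "$(basename "$h") has no Subnet ="
    done

    [ "$problems" -eq 0 ]
}
```

Run it as root on each node (`tinc_check_net /etc/tinc hfvpn001`) after the key exchange; a non-zero exit lists what the daemon would otherwise complain about at start-up.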


Pablo Piaggio

Sep 24, 2015, 11:46:23 PM
to The HomeFrontRouter Project
This minimal setup allows both tinc nodes, server and client, to access each other over the 10.0.0.0/24 subnet.

They can ping, and most importantly ssh/sftp/scp to each other. Retrieving logs and pushing config files should be very easy.

Note that there's no interference with the regular traffic that flows over the other interfaces. In other words, this is not a system VPN that encapsulates all traffic. Tinc only creates a new subnet over a virtual network card (tun0) and attaches each node to it.

Best Regards.

John Fields

Sep 24, 2015, 11:55:50 PM
to Pablo Piaggio, The HomeFrontRouter Project
Try editing it now....

This VPN behavior is exactly what I was expecting.  It creates a "management" network separate from the existing internet one.

Now consider we want the local clients to be able to have their traffic routed from the LAN interface to the TUN interface, if addressed into the VPN subnet.  It will require some thought but I think we can control DNS/DHCP to make a nice big unified subnet across multiple households.
