tinc setup for remote support
241 views
Skip to first unread message
Pablo Piaggio
Oct 28, 2015, 7:34:02 PM10/28/15
to The HomeFrontRouter Project
Hint: if you don't feel familiar enough with the concepts and config file names, start here: tinc basic setup (https://groups.google.com/forum/#!topic/homefrontrouter/ayeyqauN1ao)
Network layout before tinc
Client (my house):
Banana PI R1 set up as a home router. Serving 10.20.30.0/24
Software:
Software:
VPN Design
VPN name: supvpn
Server:
Client setup
Create VPN directories:
Create the main configuration file as follows:
tinc.conf:
Create the host config file:
hfrouter:
The first subnet (10.0.0.100/32) defines the internal VPN address. The second (10.20.30.0/24) is exposing the LAN to the VPN. This declaration will allow tinc to route traffic to the LAN trough this node (hfrouter).
Create the keys:
Create the up and down scripts:
tinc-up:
Then:
tinc-down:
(note the use of the command "ip" instead of the good ol' "ifconfig" and "route". How modern, isn't it?)
Server setup
Create VPN directories:
Create the main configuration file as follows:
tinc.conf:
Create the host config file:
hfserver:
Create the keys:
Create the up and down scripts:
tinc-up:
Then:
tinc-down:
Technician machine setup
Create VPN directories:
Create the main configuration file as follows:
tinc.conf:
Create the host config file:
hftechsup:
Create the keys:
Create the up and down scripts:
tinc-up:
Then:
tinc-down:
Final step: exchange host files so that all nodes have all hosts files. See 'tinc basic setup'
How it works
After restarting the tinc service on each machine (server first), the technician is able to:
Network layout before tinc
Client (my house):
Banana PI R1 set up as a home router. Serving 10.20.30.0/24
Software:
- Bananian 15.08
- DNSmasq as DHCP server, and DNS
- tinc VPN
Software:
- Ubuntu Trusty 14.04
- ssh server (for the purpose of using a service to receive connections from tech support)
- VPS running Debian jessie 8.2
- tinc VPN. Public IP: 1.2.3.4 (not really).
- Ubuntu Precise 12.04
- tinc VPN.
- ssh client (for the purpose of using a client that initiates a remote connection)
VPN Design
VPN name: supvpn
Server:
- VPN name: hfserver
- VPN address: 10.0.0.1
- Server will initiate VPN and wait for connections.
- VPN name: hfrouter
- VPN address: 10.0.0.100
- Client will connect to the server.
- VPN name: hftechsup
- VPN address: 10.0.0.5
- In order to gain access to the client, it will join the VPN by connecting to the server.
Client setup
Create VPN directories:
$ sudo mkdir -p /etc/tinc/supvpn/hostsCreate the main configuration file as follows:
$ sudo vi /etc/tinc/supvpn/tinc.conftinc.conf:
Name = hfrouter
AddressFamily = ipv4
Interface = tun0
ConnectTo = hfserverCreate the host config file:
$ sudo vi /etc/tinc/supvpn/hosts/hfrouterhfrouter:
Subnet = 10.0.0.100/32
Subnet = 10.20.30.0/24
The first subnet (10.0.0.100/32) defines the internal VPN address. The second (10.20.30.0/24) is exposing the LAN to the VPN. This declaration will allow tinc to route traffic to the LAN trough this node (hfrouter).
Create the keys:
$ sudo tincd -n supvpn -K4096Create the up and down scripts:
$ sudo touch /etc/tinc/supvpn/tinc-up
$ sudo touch /etc/tinc/supvpn/tinc-down
$ sudo chmod a+x /etc/tinc/supvpn/tinc-*
$ sudo vi /etc/tinc/supvpn/tinc-up
tinc-up:
#!/bin/sh
/sbin/ip link set $INTERFACE up
/sbin/ip addr add 10.0.0.100/24 dev $INTERFACEThen:
$ sudo vi /etc/tinc/supvpn/tinc-downtinc-down:
#!/bin/sh
/sbin/ip addr delete 10.0.0.3/24 dev $INTERFACE
/sbin/ip link set $INTERFACE down(note the use of the command "ip" instead of the good ol' "ifconfig" and "route". How modern, isn't it?)
Server setup
Create VPN directories:
$ sudo mkdir -p /etc/tinc/supvpn/hostsCreate the main configuration file as follows:
$ sudo vi /etc/tinc/supvpn/tinc.conftinc.conf:
Name = hfserver
AddressFamily = ipv4
Interface = tun0
Create the host config file:
$ sudo vi /etc/tinc/supvpn/hosts/hfserverhfserver:
Address = 1.2.3.4
Subnet = 10.0.0.1/32Create the keys:
$ sudo tincd -n supvpn -K4096Create the up and down scripts:
$ sudo touch /etc/tinc/supvpn/tinc-up
$ sudo touch /etc/tinc/supvpn/tinc-down
$ sudo chmod a+x /etc/tinc/supvpn/tinc-*
$ sudo vi /etc/tinc/supvpn/tinc-uptinc-up:
#!/bin/sh
/sbin/ip link set $INTERFACE up
/sbin/ip addr add 10.0.0.1/24 dev $INTERFACE
/sbin/ip route add 10.20.30.0/24 dev $INTERFACE # client LANThen:
$ sudo vi /etc/tinc/supvpn/tinc-downtinc-down:
#!/bin/sh
/sbin/ip route delete 10.20.30.0/24 dev $INTERFACE # client LAN
/sbin/ip addr delete 10.0.0.1/24 dev $INTERFACE
/sbin/ip link set $INTERFACE down
Technician machine setup
Create VPN directories:
$ sudo mkdir -p /etc/tinc/supvpn/hostsCreate the main configuration file as follows:
$ sudo vi /etc/tinc/supvpn/tinc.conftinc.conf:
Name = hftechsup
AddressFamily = ipv4
Interface = tun0
ConnectTo = hfserverCreate the host config file:
$ sudo vi /etc/tinc/supvpn/hosts/hftechsuphftechsup:
Subnet = 10.0.0.5/32Create the keys:
$ sudo tincd -n supvpn -K4096Create the up and down scripts:
$ sudo touch /etc/tinc/supvpn/tinc-up
$ sudo touch /etc/tinc/supvpn/tinc-down
$ sudo chmod a+x /etc/tinc/supvpn/tinc-*
$ sudo vi /etc/tinc/supvpn/tinc-up
tinc-up:
#!/bin/sh
/sbin/ip link set $INTERFACE up
/sbin/ip addr add 10.0.0.5/24 dev $INTERFACE
/sbin/ip route add 10.20.30.0/24 dev $INTERFACE # client LANThen:
$ sudo vi /etc/tinc/supvpn/tinc-downtinc-down:
#!/bin/sh
/sbin/ip route delete 10.20.30.0/24 dev $INTERFACE # client LAN
/sbin/ip addr delete 10.0.0.5/24 dev $INTERFACE
/sbin/ip link set $INTERFACE down
Final step: exchange host files so that all nodes have all hosts files. See 'tinc basic setup'
How it works
After restarting the tinc service on each machine (server first), the technician is able to:
- ping and ssh to the router (BPR1).
- ping the laptop (target machine), and more importantly
- ssh directly to the laptop without island hopping into the router first *.
Reply all
Reply to author
Forward
0 new messages