Tinc HOWTO

Check firewalls

Port 655 TCP and UDP must be allowed through your firewalls/routers.

Pick VPN addressing

Let's assume that inside the Tinc VPN we will use the network:

  • fd12::/64

And will have two nodes:

  • NodeA: fd12::a
  • NodeB: fd12::b

On both nodes: Name the VPN and create dirs

Pick a name for the VPN. In this example I will use “tun-rm”. Execute:

  • mkdir -p /etc/tinc/tun-rm/hosts

On both nodes: Create config files

Create a file named /etc/tinc/tun-rm/tinc.conf with contents:

Mode=switch
Name=NodeA        #(NodeB on the other one)
ConnectTo=NodeB   #(NodeA on the other one)

On both nodes: Create the hostfiles

Execute:

  • tincd -n tun-rm -K

A file /etc/tinc/tun-rm/hosts/[NodeName] will be created.

Edit that file and add to the top:

Compression=10
Address=[NodeGlobalIP]

Set the Address value to the global (Internet) address or hostname of that node, without brackets. If it does not have one (e.g. it's behind an ISP NAT), you can omit that line, but keep in mind that at least one node must have a global IP (and others should ConnectTo that one, see the config example above).

On both nodes: Create the tinc-up script

Create the file named /etc/tinc/tun-rm/tinc-up:

#!/bin/sh
# tincd runs this script after creating the tunnel interface and passes its
# name in $INTERFACE.
IP=fd12::a/64     #(that's for NodeA, and fd12::b/64 for NodeB)

ip -6 addr add "$IP" dev "$INTERFACE"
ip link set "$INTERFACE" up

Make it executable:

  • chmod +x /etc/tinc/tun-rm/tinc-up

On both nodes: Sync the hostfiles

Copy the hostfile of NodeA to NodeB, and of NodeB to NodeA.

In other words, ensure that the contents of /etc/tinc/tun-rm/hosts/ are identical everywhere (all hostfiles exist on all nodes).

Later you can set up so that this directory is stored and maintained centrally in one place and then pushed to all nodes using rsync, or perhaps kept in a Git repository somewhere, and pulled automatically by the nodes themselves.

On both nodes: Make Tinc auto-start your VPN

Edit /etc/tinc/nets.boot. Add a new line containing just tun-rm (the network name) there.

On both nodes: (Re)start Tinc

  • /etc/init.d/tinc restart

Done

Now you can try pinging the other node:

  • ping6 fd12::a, or
  • ping6 fd12::b

If you need any other setup for the interface (e.g. IPv4 addresses, routes, firewalling, NAT), just add that into the tinc-up shell-script.
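The per-node steps above, collected into a small POSIX shell script, as an added example that is not part of the original HOWTO: gen_node_config writes a node's tinc.conf and tinc-up into a staging directory you choose (it never touches /etc), and check_hosts_dir verifies a hosts/ directory before it is synced, since the hostfiles are the peers' public keys and a missing or keyless file, or no node carrying a global Address=, means the peers cannot authenticate or reach each other. The function names, the staging-directory argument and the constructed hostfile contents are assumptions, not part of tinc.

```shell
#!/bin/sh
# Stage the tinc files from this HOWTO and sanity-check a hosts/ directory.
# Constructed example: everything is written under the directory given as
# the first argument, so it can be run without root and without tincd.
set -eu

# gen_node_config <stagedir> <thisnode> <peernode> <vpnaddr/prefix>
# Writes <stagedir>/tinc.conf and <stagedir>/tinc-up as the HOWTO describes.
gen_node_config() {
    dir=$1; me=$2; peer=$3; vpnip=$4
    mkdir -p "$dir/hosts"
    printf 'Mode=switch\nName=%s\nConnectTo=%s\n' "$me" "$peer" > "$dir/tinc.conf"
    # $INTERFACE is set by tincd at run time, so it must survive as a literal.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip -6 addr add $vpnip dev "\$INTERFACE"
ip link set "\$INTERFACE" up
EOF
    chmod 0755 "$dir/tinc-up"
}

# check_hosts_dir <hostsdir> <node>...
# Returns 0 when every named node has a hostfile containing a public key and
# at least one hostfile has an Address= line (the node the others ConnectTo).
check_hosts_dir() {
    hdir=$1; shift
    have_addr=0
    for node in "$@"; do
        f="$hdir/$node"
        [ -f "$f" ] || { echo "missing hostfile: $f" >&2; return 1; }
        grep -q 'BEGIN .*PUBLIC KEY' "$f" || { echo "no public key in $f" >&2; return 1; }
        grep -q '^Address=' "$f" && have_addr=1
    done
    [ "$have_addr" -eq 1 ] || { echo "no node has a global Address=" >&2; return 1; }
    return 0
}
```

Run check_hosts_dir against the directory you are about to rsync or commit, naming every node the VPN should have, and only push it when the check passes.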

tinc.txt · Last modified: 2014-10-22 10:57 UTC by rm