Tinc is both a protocol and a tool to create your own mesh network.
Mesh network VPN’s are in the truest sense a Virtual Network, instead of connecting to one server, everyone participating in the network connect to each other.
It circumvents NAT, uses ED25519 for auth, backwards compatible, works on all major oses including openwrt.
At the time of writing there are 2 versions of tinc 1.0.x and 1.1.x.
1.1 is the pre release version and some features are backported to the 1.0.x version.
I will be talking about the 1.1 version as I find this has the best tools.
Although it’s a meshing network and no one node is a server it’s easiest to get started when you have an external server that is connected directly to the net, it makes getting around NAT easier.
Installing tinc 1.1
Some distros have it in their user repos or experimental versions, but you can also just compile, it’s been made quite easy.
sudo apt-get install -y make gcc libssl-dev zlib1g-dev liblzo2-dev libncurses5-dev libreadline6-dev # Build Dependencies wget https://www.tinc-vpn.org/packages/tinc-1.1pre15.tar.gz tar xf tinc-1.1pre15.tar.gz cd tinc-1.1pre15 ./configure --with-systemd --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sbindir=/usr/sbin --with-systemdsystemunitdir=/usr/lib/systemd/system # Default flags for most distros ./make # Make bins ./make install # Install Tinc 1.1
Creating your first node
First you will want to create a node, lets call it Alice.
tinc -n mynet init alice # Generates node config under /etc/tinc/mynet cd /etc/tinc/mynet
You should see:
|ed25519_key.priv||Eliptic Curve private key|
|rsa_key.priv||RSA Private key, for use with 1.0 tinc nodes|
|hosts/||Contains all the references to nodes|
|tinc-up||Is run when the tinc interface is brough up, set ip and routing here|
|tinc.conf||Main config file for this node, who to connect to, binding etc|
Next we want to tell tinc which
Subnet Alice will be using.
tinc -n mynet add Subnet 10.100.10.1/32 # Sets subnet entry for Alice host under hosts/
Tinc uses the
Subnet entries to build the routing table.
You can decide how big you want each hosts
Subnet, as long it’s a valid CIDR tinc will accept it.
For the most part I set each host to use
/32 which means Tinc only sends traffic to that one ip, but you can bridge whole sites i.e.
tinc-up and you will see:
#!/bin/sh echo 'Unconfigured tinc-up script, please edit '$0'!' #ifconfig $INTERFACE <your vpn IP address> netmask <netmask of whole VPN>
Replace it with:
#!/bin/sh ip link set $INTERFACE up ip addr replace 10.100.10.1/24 dev $INTERFACE
Keep in mind the
/24 here in respect to the host
Subnet mask you set earlier. Usually I subtract 8 from that so that you get
Add bob node
Before inviting Bob we need to make sure the Address directive is set in the Alice host file.
tinc -n mynet set Address `curl icanhazip.com` # Set external ip entry, this can also be a hostname i.e.example.com
This is so when the host file is exchanged with other nodes they can connect to the external address of Alice. This only really makes sense where you have a server on the internet, or are lucky enough to have a static IP if your doing this from home. If you have a dyndns to your home net, or a domain set up for your server you will want to use that when setting the address.
On Alice run
tinc -n mynet invite bob this will output a string you can use on Bob to join.
Keep this string safe momentarily as you will need it again.
/etc/tinc/mynet/invitations you should see a random file name, edit this file and at the top you will see
Name = Bob NetName = mynet ConnectTo = alice #---------------------------------------------------------------#
Right below the
Subnet = 10.100.10.2/32 and below that
Ifconfig = 10.100.10.2/24.
This will configure Bob’s host file and
You should end up with
Name = Bob NetName = mynet ConnectTo = alice Subnet = 10.100.10.2/32 Ifconfig = 10.100.10.2/24 #---------------------------------------------------------------#
Make sure Alice is running, either
systemctl start [email protected] or
tinc -n mynet start
I prefer the systemctl so that I can add it to boot time.
On Bob run
tinc -n join <string> where *
Now that Bob has joined the network that Alice is in the two sides should be able to ping each other using their tinc ip.
Leave a Comment
Your email address will not be published. Required fields are marked *