tinc for all your mesh needs

3 minute read

Tinc is both a protocol and a tool to create your own mesh network.
Mesh network VPN’s are in the truest sense a Virtual Network, instead of connecting to one server, everyone participating in the network connect to each other.
It circumvents NAT, uses ED25519 for auth, backwards compatible, works on all major oses including openwrt.

At the time of writing there are 2 versions of tinc 1.0.x and 1.1.x.
1.1 is the pre release version and some features are backported to the 1.0.x version.
I will be talking about the 1.1 version as I find this has the best tools.

Although it’s a meshing network and no one node is a server it’s easiest to get started when you have an external server that is connected directly to the net, it makes getting around NAT easier.

Installing tinc 1.1

Some distros have it in their user repos or experimental versions, but you can also just compile, it’s been made quite easy.

sudo apt-get install -y make gcc libssl-dev zlib1g-dev liblzo2-dev libncurses5-dev libreadline6-dev # Build Dependencies
wget https://www.tinc-vpn.org/packages/tinc-1.1pre15.tar.gz
tar xf tinc-1.1pre15.tar.gz
cd tinc-1.1pre15
./configure --with-systemd --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sbindir=/usr/sbin --with-systemdsystemunitdir=/usr/lib/systemd/system # Default flags for most distros
./make # Make bins
./make install # Install Tinc 1.1

Creating your first node

First you will want to create a node, lets call it Alice.

tinc -n mynet init alice # Generates node config under /etc/tinc/mynet
cd /etc/tinc/mynet

You should see:

File Purpose
ed25519_key.priv Eliptic Curve private key
rsa_key.priv RSA Private key, for use with 1.0 tinc nodes
hosts/ Contains all the references to nodes
tinc-up Is run when the tinc interface is brough up, set ip and routing here
tinc.conf Main config file for this node, who to connect to, binding etc

Next we want to tell tinc which Subnet Alice will be using.

tinc -n mynet add Subnet 10.100.10.1/32 # Sets subnet entry for Alice host under hosts/

Tinc uses the Subnet entries to build the routing table. You can decide how big you want each hosts Subnet, as long it’s a valid CIDR tinc will accept it. For the most part I set each host to use /32 which means Tinc only sends traffic to that one ip, but you can bridge whole sites i.e./16 networks.

Next edit tinc-up and you will see:

#!/bin/sh
echo 'Unconfigured tinc-up script, please edit '$0'!'

#ifconfig $INTERFACE <your vpn IP address> netmask <netmask of whole VPN>

Replace it with:

#!/bin/sh
ip link set $INTERFACE up
ip addr replace 10.100.10.1/24 dev $INTERFACE

Keep in mind the /24 here in respect to the host Subnet mask you set earlier. Usually I subtract 8 from that so that you get 10.100.10.0/24

Add bob node

Before inviting Bob we need to make sure the Address directive is set in the Alice host file.

tinc -n mynet set Address `curl icanhazip.com` # Set external ip entry, this can also be a hostname i.e.example.com

This is so when the host file is exchanged with other nodes they can connect to the external address of Alice. This only really makes sense where you have a server on the internet, or are lucky enough to have a static IP if your doing this from home. If you have a dyndns to your home net, or a domain set up for your server you will want to use that when setting the address.

On Alice run tinc -n mynet invite bob this will output a string you can use on Bob to join. Keep this string safe momentarily as you will need it again.

Under /etc/tinc/mynet/invitations you should see a random file name, edit this file and at the top you will see

Name = Bob
NetName = mynet
ConnectTo = alice
#---------------------------------------------------------------#

Right below the ConnectTo add Subnet = 10.100.10.2/32 and below that Ifconfig = 10.100.10.2/24. This will configure Bob’s host file and tinc-up script.

You should end up with

Name = Bob
NetName = mynet
ConnectTo = alice
Subnet = 10.100.10.2/32
Ifconfig = 10.100.10.2/24
#---------------------------------------------------------------#

Make sure Alice is running, either systemctl start [email protected] or tinc -n mynet start I prefer the systemctl so that I can add it to boot time.

On Bob run tinc -n join <string> where ** is the string output from Alice when you invited Bob. Answer yes to using the imported `tinc-up` config.

Now that Bob has joined the network that Alice is in the two sides should be able to ping each other using their tinc ip.

Categories:

Updated:

Leave a Comment

Your email address will not be published. Required fields are marked *

Loading...