Although tinc is a mesh-topology VPN with no distinct server and client endpoints (all endpoints are equal), for practical purposes my server is the one node most other hosts connect to anyway, and the one where I do the configuration only once.
Requirements (on all endpoints)
The kernel must support the 'tun' device, i.e. as root:
modprobe tun
If that worked, /dev/net/tun exists. In most cases this is not a problem, except on some virtual private servers (ex: a VPS on OpenVZ), where the hosting provider may have to enable the tun device for your container.
Server configuration
Install tinc:
apt-get install tinc
Create the configuration directory for the network (the set of nodes):
mkdir -p /etc/tinc/mynetwork/hosts
Note that "mynetwork" is the network name; you will probably want to choose another one. A host can have several network names, since you can join multiple VPN networks with tinc, and each gets its own directory under /etc/tinc.
Create the tinc.conf configuration for this network/node:
vim /etc/tinc/mynetwork/tinc.conf
Contents:
Name = myserverhostname
Mode = router
Interface = vpn6
The name (myserverhostname) should be set to the same hostname as your server (i.e. the output of the command 'hostname'). It does not strictly have to match, but it keeps things simple. Note that a tinc name may only contain letters, digits and underscores, so a hostname with dashes or dots has to be adapted. Mode = router means tinc forwards packets according to the Subnet each node announces, and Interface is the name the tun device will get.
Create a host entry for the server node. Address and Subnet are host variables, so they go in this file and not in tinc.conf; it is also the file the other nodes will receive a copy of, and the public key will be appended to it when you generate the keys below:
vim /etc/tinc/mynetwork/hosts/myserverhostname
Contents:
Address = myserverhostname.example.net
Subnet = 2607:f2c0:f00f:2900::/56
# Subnet = ::/0
Address is the address of your server node. You can use any name as long as it resolves and points to your server; a static IPv4 address works too (in my case, the 'A' DNS record for myserverhostname.example.net is a dynamic DNS address).
The Subnet statement tells tinc what is routable through this node, although we will still have to set a static route on the client endpoint. Having a subnet of "::/0" is useful if you want to route all IPv6 traffic from the other client endpoint through this server (ex: working from an Internet café with a network that doesn't support IPv6 yet). In this case, 2607:f2c0:f00f:2900::/56 is my full network at home.
On the server, route the clients' subnet through the VPN:
The vpn6 interface only exists while tincd is running, and tincd does not go through ifupdown, so a script in /etc/network/if-up.d never sees it. The place for the route is tinc's own tinc-up script, which tincd runs once it has created the interface, with $INTERFACE set to the interface name:
vim /etc/tinc/mynetwork/tinc-up
Contents:
#!/bin/sh
ip -6 link set $INTERFACE up
ip -6 route add 2607:f2c0:f00f:2920::/60 dev $INTERFACE
Make the script executable, otherwise tincd cannot run it:
chmod 0755 /etc/tinc/mynetwork/tinc-up
2607:f2c0:f00f:2920::/60 is the range, carved out of the home /56, that the VPN clients' subnets are taken from (the client below gets 2607:f2c0:f00f:2921::/64). The kernel sends packets for those addresses into the tunnel, and tinc delivers them to whichever node announced the matching Subnet. For the server to pass packets between its LAN and the VPN, IPv6 forwarding must be enabled as well (sysctl -w net.ipv6.conf.all.forwarding=1).
Generate a private/public key pair for the server node:
For tinc 1.0:
tincd -n mynetwork -K
For tinc 1.1:
tinc -n mynetwork generate-keys
Accept the default file names. The private key is written to /etc/tinc/mynetwork/rsa_key.priv (keep it readable by root only), and the public key is appended to /etc/tinc/mynetwork/hosts/myserverhostname. tinc 1.1 also generates an Ed25519 key pair and adds its public half to the same host file.
Finally, to start tinc automatically on the server and accept VPN connections for this network, add the network name to /etc/tinc/nets.boot:
vim /etc/tinc/nets.boot
Contents:
mynetwork
Restart tinc and it will be ready to accept connections:
/etc/init.d/tinc restart
tinc listens on port 655 (TCP and UDP) by default, so that port has to be reachable on the server from wherever the clients connect.
Client configuration
Very similar to the server configuration, with a few small differences:
Install tinc:
apt-get install tinc
Create the configuration directory for the network (the set of nodes):
mkdir -p /etc/tinc/mynetwork/hosts
Create the tinc.conf configuration for this network/node:
vim /etc/tinc/mynetwork/tinc.conf
Contents:
Name = myclienthostname
Mode = router
ConnectTo = myserverhostname
AddressFamily = ipv4
Interface = vpn6
ConnectTo names the node to connect to; tinc looks up its address and public key in /etc/tinc/mynetwork/hosts/myserverhostname. AddressFamily = ipv4 makes tinc reach the server over IPv4, which is the whole point when the client's network has no IPv6.
Create the host entry for the client node, which announces the subnet reachable through it (Subnet is a host variable, so it goes here rather than in tinc.conf):
vim /etc/tinc/mynetwork/hosts/myclienthostname
Contents:
Subnet = 2607:f2c0:f00f:2921::/64
In the above example, 2607:f2c0:f00f:2921::/64 is the subnet locally accessible from the client. You could also assign just a single /128 address. Also, in this case, I took a subnet from my main network segment at home, since my client node does not have its own IPv6 addresses. If it already had a static IPv6 address, I would probably have used that instead (ex: if the 'client' was another server).
When the client connects to the server node, we want to set up the interface and routing too. tincd runs the tinc-up script once it has created the interface, with $INTERFACE set to the interface name:
Create the file:
vim /etc/tinc/mynetwork/tinc-up
Contents:
#!/bin/sh
ip -6 link set $INTERFACE up
ip -6 addr add 2607:f2c0:f00f:2921::1/64 dev $INTERFACE
ip -6 route add 2607:f2c0:f00f:2900::/56 dev $INTERFACE
# Alternatively, to route all IPv6 traffic through the VPN:
# ip -6 route add default dev $INTERFACE
Make it executable, otherwise tincd cannot run it and the interface stays down:
chmod 0755 /etc/tinc/mynetwork/tinc-up
The default route only does something useful if the server announces Subnet = ::/0: in router mode tinc only forwards packets whose destination some node has claimed with a Subnet statement, and drops the rest.
Generate a private/public key pair for the client node:
For tinc 1.0:
tincd -n mynetwork -K
For tinc 1.1:
tinc -n mynetwork generate-keys
Now we need to exchange the host files (which carry the public keys) manually, over a channel you trust such as scp: the public key in a host file is what authenticates that node, so a tampered copy would let someone else join as that node.
- copy the server's /etc/tinc/mynetwork/hosts/myserverhostname into the client's /etc/tinc/mynetwork/hosts/myserverhostname
It will look something like this in /etc/tinc/mynetwork/hosts/myserverhostname:
Address = myserverhostname.example.net
-----BEGIN RSA PUBLIC KEY-----
[.....]
-----END RSA PUBLIC KEY-----
- likewise, copy the client's /etc/tinc/mynetwork/hosts/myclienthostname into the server's hosts directory. NB: since the server never initiates a connection to the client, that file needs no Address line.
By default tinc accepts whatever Subnet a connecting node announces, so any node holding a valid key could claim your whole /56 (or ::/0) and receive that traffic. To make the server honour only the Subnet lines in its own hosts files, add StrictSubnets = yes to the server's tinc.conf (tinc 1.0.12 and later).
To start tinc automatically on the client and connect to the server node, add to:
vim /etc/tinc/nets.boot
Contents:
mynetwork
Restart tinc and it will connect to the server node:
/etc/init.d/tinc restart
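As an added pre-flight check (example code written for this page, not part of tinc and not from the original post), the following POSIX shell script inspects an /etc/tinc/<netname> directory laid out as in the server and client sections above and reports the mistakes that most often keep a node from coming up: a missing or group/world-readable private key, a ConnectTo target without a host file, Address line or public key, no Subnet in the node's own host file, and a tinc-up without the exec bit. The file names it assumes (tinc.conf, hosts/<Name>, rsa_key.priv, tinc-up) are tinc's defaults. Run without arguments it builds a constructed copy of the client configuration above, with filler in place of real keys, checks it, and then breaks it to show a finding.

```shell
#!/bin/sh
# Added example: pre-flight check for a tinc network directory (/etc/tinc/<netname>).
# Not part of tinc and not from the original post. File names assumed are tinc's
# defaults: tinc.conf, hosts/<Name>, rsa_key.priv and tinc-up.

# conf_get FILE KEY: print the value of a "Key = value" line (first match wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_tinc_net NETDIR: print one line per problem found, return 0 if there were none.
check_tinc_net() {
    dir=$1
    rc=0
    conf="$dir/tinc.conf"
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }

    name=$(conf_get "$conf" Name)
    [ -n "$name" ] || { echo "$conf: no Name line"; return 1; }

    # Own host file: must exist, carry the public key appended by key generation,
    # and (in router mode) announce at least one Subnet in prefix/length form.
    own="$dir/hosts/$name"
    if [ ! -f "$own" ]; then
        echo "missing own host file $own"; rc=1
    else
        grep -q 'BEGIN RSA PUBLIC KEY' "$own" || { echo "$own: no public key, run key generation"; rc=1; }
        if [ "$(conf_get "$conf" Mode)" = router ] &&
           ! grep -Eq '^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*[0-9A-Fa-f:.]+/[0-9]+' "$own"; then
            echo "$own: no Subnet line, nothing will be routed to this node"; rc=1
        fi
    fi

    # Private key: must exist and must not be readable by group or others.
    priv="$dir/rsa_key.priv"
    if [ ! -f "$priv" ]; then
        echo "missing private key $priv"; rc=1
    elif [ -n "$(find "$priv" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$priv: readable by group or others, chmod 600 it"; rc=1
    fi

    # Every ConnectTo target needs a host file with an Address line and a public key.
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$conf"); do
        hf="$dir/hosts/$peer"
        [ -f "$hf" ] || { echo "ConnectTo = $peer but $hf is missing"; rc=1; continue; }
        grep -q '^[[:space:]]*Address[[:space:]]*=' "$hf" || { echo "$hf: no Address line"; rc=1; }
        grep -q 'BEGIN RSA PUBLIC KEY' "$hf" || { echo "$hf: no public key"; rc=1; }
    done

    # tincd runs tinc-up after creating the interface; without the exec bit it cannot.
    if [ -e "$dir/tinc-up" ] && [ ! -x "$dir/tinc-up" ]; then
        echo "$dir/tinc-up is not executable"; rc=1
    fi
    return $rc
}

# make_sample_net DIR: build a constructed client configuration to exercise the check.
# The key material is filler, not real keys.
make_sample_net() {
    mkdir -p "$1/hosts"
    printf '%s\n' 'Name = myclienthostname' 'Mode = router' \
        'ConnectTo = myserverhostname' 'AddressFamily = ipv4' 'Interface = vpn6' > "$1/tinc.conf"
    printf '%s\n' 'Subnet = 2607:f2c0:f00f:2921::/64' \
        '-----BEGIN RSA PUBLIC KEY-----' 'constructed-filler-not-a-real-key' \
        '-----END RSA PUBLIC KEY-----' > "$1/hosts/myclienthostname"
    printf '%s\n' 'Address = myserverhostname.example.net' 'Subnet = 2607:f2c0:f00f:2900::/56' \
        '-----BEGIN RSA PUBLIC KEY-----' 'constructed-filler-not-a-real-key' \
        '-----END RSA PUBLIC KEY-----' > "$1/hosts/myserverhostname"
    printf '%s\n' 'constructed filler, not a real private key' > "$1/rsa_key.priv"
    chmod 600 "$1/rsa_key.priv"
    printf '%s\n' '#!/bin/sh' 'ip -6 link set "$INTERFACE" up' > "$1/tinc-up"
    chmod 755 "$1/tinc-up"
}

# With an argument, check that network directory (e.g. /etc/tinc/mynetwork);
# without one, check the constructed sample, then break it to show a finding.
if [ $# -gt 0 ]; then
    check_tinc_net "$1"
else
    tmp=$(mktemp -d)
    make_sample_net "$tmp"
    check_tinc_net "$tmp" && echo "sample configuration: OK"
    chmod 644 "$tmp/rsa_key.priv"
    check_tinc_net "$tmp" || echo "sample with group-readable key: problems found (expected)"
    rm -rf "$tmp"
fi
```

On a real node run it as root against the network directory, e.g. sh tinc-check.sh /etc/tinc/mynetwork, on both the server and the client after the host files have been exchanged; a clean run means the files tincd needs are in place, not that the routes in tinc-up are right, so still verify the tunnel with ping6 afterwards.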