Tinc VPN

Although tinc is a mesh-topology VPN with no distinction between server and client endpoints (all endpoints are equal), for practical purposes my server is the one node that most other hosts connect to anyway, and it is where I do the configuration only once.

Requirements (on all endpoints)

The kernel must support 'tun', i.e. as root:

 modprobe tun

In most cases this is not a problem, except on some virtual private servers (ex: a VPS running OpenVZ), where it may require extra configuration from the hosting provider.

Server configuration

Install tinc:

apt-get install tinc

Create the configuration for the network (set of nodes):

mkdir -p /etc/tinc/mynetwork/hosts

Note that "mynetwork" is the network name. You will probably want to choose another name. You can have multiple network names, as you can join multiple VPN networks with tinc.

Create the tinc.conf configuration for this network/node:

vim /etc/tinc/mynetwork/tinc.conf

Contents:

Name = myserverhostname
Mode = router
Subnet = 2607:f2c0:f00f:2900::/56
# Subnet = ::/0
Interface=vpn6

The name (myserverhostname) should be set to the same hostname as your server (i.e. the output of the command 'hostname'). I guess it doesn't really need to, but keep it simple.

The Subnet statement tells tinc what is routable through this node, although we will still have to set a static route on the client endpoint. Having a subnet of "::/0" is useful if you want to route all IPv6 traffic from a client endpoint through this server (ex: working from an Internet café on a network that doesn't support IPv6 yet). In this case, 2607:f2c0:f00f:2900::/56 is my full network at home.

Create a host entry for the server node:

vim /etc/tinc/mynetwork/hosts/myserverhostname

Contents:

Address = myserverhostname.example.net

This is the address of your server node. You can use anything as long as it exists and points to your server. You could also use a static IPv4 address, if you have one (in my case, the 'A' DNS record for myserverhostname.example.net is a dynamic DNS address).

On the server, route a specific subnet through the VPN:

Create a network script file:

vim /etc/network/if-up.d/my-network

#!/bin/sh
ip -6 route add 2607:f2c0:f00f:2920::/60 dev vpn6

Make the script executable and run it to make the changes effective:

 chmod 0755 /etc/network/if-up.d/my-network
 /etc/network/if-up.d/my-network

Generate a private/public key for the server node:

For tinc 1.0:

tincd -n mynetwork -K

For tinc 1.1:

tinc -n mynetwork generate-keys

Notice that the public key has been appended to /etc/tinc/mynetwork/hosts/myserverhostname.

Finally, to start tinc automatically on the server so that it accepts VPN connections for this network, add the network name to:

vim /etc/tinc/nets.boot

Contents:

mynetwork

Restart tinc and it will be ready to accept connections:

/etc/init.d/tinc restart

Client configuration

Very similar to the server configuration, with a few small differences:

Install tinc:

apt-get install tinc

Create the configuration for the network (set of nodes):

mkdir -p /etc/tinc/mynetwork/hosts

Create the tinc.conf configuration for this network/node:

vim /etc/tinc/mynetwork/tinc.conf

Contents:

Name = myclienthostname
Mode = router
ConnectTo = myserverhostname
Subnet = 2607:f2c0:f00f:2921::/64
AddressFamily = ipv4
Interface=vpn6

In the above example, 2607:f2c0:f00f:2921::/64 is the subnet locally accessible from the client. You could also assign just a single /128 address. Also, in this case, I took a subnet from my main network segment at home, since my client node does not have its own IPv6 addresses. If it did already have a static IPv6 address, I would probably have used that instead (ex: if the 'client' was another server).

When the client connects to the server node, we want to set up routing too:

Create the file:

vim /etc/tinc/mynetwork/tinc-up

Contents:

#!/bin/sh
ip -6 link set $INTERFACE up
ip -6 addr add 2607:f2c0:f00f:2921::1/64 dev $INTERFACE
ip -6 route add 2607:f2c0:f00f:2900::/56 dev $INTERFACE

# Alternatively, to route all IPv6 traffic through the VPN:
# ip -6 route add default dev $INTERFACE

Generate a private/public key for the client node:

For tinc 1.0:

tincd -n mynetwork -K

For tinc 1.1:

tinc -n mynetwork generate-keys

Now we need to exchange the public keys manually:

  • copy the public key of myserverhostname (from the server's /etc/tinc/mynetwork/hosts/myserverhostname) into the client's /etc/tinc/mynetwork/hosts/myserverhostname

It will look something like this in /etc/tinc/mynetwork/hosts/myserverhostname:

Address = myserverhostname.example.net

-----BEGIN RSA PUBLIC KEY-----
[.....]
-----END RSA PUBLIC KEY-----

  • likewise, copy the client's public key into the hosts file 'myclienthostname' on the server. NB: since the server never connects to the client, there is no need for an Address line in that file.
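As an added example that is not part of the original post: a small Python check that parses a node's tinc.conf and hosts/ files the way the steps above lay them out (Name matching the hostname, a public key in the node's own host file, an Address and a key for every ConnectTo peer) and verifies that the advertised subnets and routes nest, so that a mistake such as ConnectTo naming a host file that was never copied is caught before restarting tincd. The file contents and key bodies are constructed placeholders, not real keys.

```python
import ipaddress
import re
PUBKEY = re.compile(r"-----BEGIN RSA PUBLIC KEY-----.*?-----END RSA PUBLIC KEY-----", re.S)

def parse_tinc_file(text):
    """Return ({lowercased key: [values]}, has_public_key) for a tinc.conf or hosts file.
    Repeated keys (Subnet, ConnectTo) accumulate; comments and the key block are skipped."""
    has_key = bool(PUBKEY.search(text))
    conf = {}
    for line in PUBKEY.sub("", text).splitlines():  # key body may contain '=' padding
        line = line.split("#", 1)[0]  # strip comments such as "# Subnet = ::/0"
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf.setdefault(key.lower(), []).append(value)
    return conf, has_key

def check_node(files, expected_name):
    """Lint one node's /etc/tinc/<net>/ tree given as {relative path: contents};
    returns problem strings, empty when the node is ready to start."""
    problems = []
    conf, _ = parse_tinc_file(files.get("tinc.conf", ""))
    name = conf.get("name", [""])[0]
    if name != expected_name:
        problems.append(f"Name = {name!r} does not match hostname {expected_name!r}")
    if not parse_tinc_file(files.get(f"hosts/{name}", ""))[1]:
        problems.append(f"hosts/{name} has no public key (generate-keys not run?)")
    for peer in conf.get("connectto", []):  # every dial-out target needs Address + key
        if f"hosts/{peer}" not in files:
            problems.append(f"ConnectTo = {peer} but hosts/{peer} is missing")
            continue
        pconf, pkey = parse_tinc_file(files[f"hosts/{peer}"])
        if "address" not in pconf:
            problems.append(f"hosts/{peer} has no Address line, so tinc cannot dial it")
        if not pkey:
            problems.append(f"hosts/{peer} lacks the peer's public key")
    return problems

def routing_nests(*cidrs):
    """True when each prefix lies inside the previous one, e.g. server Subnet,
    server route, client Subnet, client tinc-up address."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return all(inner.subnet_of(outer) for outer, inner in zip(nets, nets[1:]))
# Constructed copy of the client tree from this walkthrough; key bodies are placeholders.
KEY = "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n"
CLIENT = {
    "tinc.conf": "Name = myclienthostname\nMode = router\nConnectTo = myserverhostname\n"
                 "Subnet = 2607:f2c0:f00f:2921::/64\nAddressFamily = ipv4\nInterface=vpn6\n",
    "hosts/myclienthostname": KEY,
    "hosts/myserverhostname": "Address = myserverhostname.example.net\n\n" + KEY,
}
```

Run it against a real tree by reading the files under /etc/tinc/mynetwork/ into the same dictionary shape; `routing_nests` takes the server Subnet, the server's static route, the client Subnet and the tinc-up address in that order.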

To start tinc automatically on the client and connect to the server node, add the network name to:

vim /etc/tinc/nets.boot

Contents:

mynetwork

Restart tinc and it will connect to the server node:

/etc/init.d/tinc restart
