Tinc

From Gentoo Linux Wiki

Introduction

What is tinc?

Tinc is lightweight VPN software that is easy to set up, secure, and low on maintenance. In this guide it will be used to set up a VPN between two home networks.

The daemon has some useful features, such as its handling of unresponsive nodes: if one side of the VPN goes down, the daemon on the other side keeps running, and when it detects the other side coming back up it re-establishes the connection.

It is also very easy to add more nodes to the VPN, because tinc forwards to every node the subnets it knows about.

For more information about tinc, visit the project web page.

Scope, prerequisites and assumptions

The scope of this guide is to build a VPN between the networks of two sites. It is assumed that the routers on the two sites are running Gentoo with iptables and NAT forwarding.

You will require root access on the two routers.

If you have a dynamic IP address (check with your ISP), it is strongly advised that you set up a dynamic DNS service beforehand (eg: DynDNS), because each gateway needs a stable name to find the other one.

Network topology

The network topology used in this guide is the following; adapt it to your own network setup.

Network A : 192.168.0.0/24
Network B : 10.1.1.0/24
Gateway A : 192.168.0.1
Gateway B : 10.1.1.1
FQDN A : networka.dyndns.org
FQDN B : networkb.dyndns.org

Both gateways are iptables firewalls doing NAT. They will be running the tinc daemon so each network will be accessible from inside the other network.

Installation

Configuring the kernel

Tinc uses the Linux TUN/TAP network device, so the driver must be enabled in the kernel of both gateways. Building it as a module (<M>) also works; /dev/net/tun appears once the tun module is loaded.

Linux Kernel Configuration: TUN/TAP device
Device Drivers ---> 
    Network device support --->
        <*> Universal TUN/TAP device driver support 

Recompile your kernel and reboot with it.

Installing tinc

The tinc ebuild does not take any USE flags, and it pulls in OpenSSL, lzo and zlib as dependencies if they are not already installed, so simply merge it:

emerge tinc

Setting up the VPN

Configuring tinc on gateway A

First of all, you need to give a name to your VPN network. This guide will use the name vpn. Tinc needs a directory to hold all the configuration files for that network; create it like this:

mkdir /etc/tinc/vpn

Create the main configuration file with the following content, adapted to your network (eth0 is assumed to be the external interface; Mode = router, KeyExpire = 3600 and the PrivateKeyFile path are tinc's defaults and are only spelled out here for clarity):

File: /etc/tinc/vpn/tinc.conf
Name = networka
AddressFamily = ipv4
BindToInterface = eth0
ConnectTo = networkb
Device = /dev/net/tun
Mode = router
KeyExpire = 3600
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

You then need to define the hosts in the VPN. Start by creating the directory:

mkdir /etc/tinc/vpn/hosts

Then create the two host files and configure them like this, again adapting for your network:

File: /etc/tinc/vpn/hosts/networka
Address = networka.dyndns.org
Subnet = 192.168.0.0/24
File: /etc/tinc/vpn/hosts/networkb
Address = networkb.dyndns.org
Cipher = blowfish
Digest = sha1
IndirectData = yes
Subnet = 10.1.1.0/24

Cipher and Digest select the symmetric cipher and the HMAC used on the tunnel packets; any algorithm OpenSSL knows is accepted. Blowfish (a 64-bit block cipher) and SHA-1 were tinc's defaults when this guide was written; on a current tinc 1.0 release use Cipher = aes-256-cbc and Digest = sha256 instead, or leave both lines out to get the daemon's current defaults. Whatever you pick, use the same values in both copies of a host file, since host files are exchanged between the nodes later on. IndirectData = yes tells other nodes that this host cannot be contacted directly and that traffic for it should go through the node it connects to; with only two nodes it changes nothing, but it matters once a third node behind NAT joins.

You then need to create a script that tinc calls when the VPN goes up (tinc also exports the interface name to the script as $INTERFACE, which here is vpn, the network name):

File: /etc/tinc/vpn/tinc-up
#!/bin/sh

ifconfig vpn 192.168.0.1 netmask 255.255.0.0 up
route add -net 10.1.1.0/24 vpn

Notice that the netmask on the vpn interface is not the same as the netmask of the home network. That is because you do not want to interfere with the local network routing: the vpn interface must get a less specific (larger) subnet than the local network, so that the LAN's own /24 route on the internal interface stays the more specific one and keeps winning. The cost is that every other 192.168.x.0/24 address is now routed into the tunnel, so if your site uses more of 192.168.0.0/16 than this one /24, pick a mask that does not cover those networks (or give the interface a /32 address and rely on the explicit route alone).

This next step is optional, but still a good idea. Create another script to execute when the VPN goes down:

File: /etc/tinc/vpn/tinc-down
#!/bin/sh

ifconfig vpn down

Do not forget to set the execute permission on those two files, otherwise tinc cannot run them:

chmod +x /etc/tinc/vpn/tinc-up /etc/tinc/vpn/tinc-down

Now make the init script aware of the networks you want it to start.

File: /etc/conf.d/tinc.networks
NETWORK: vpn

Then, generate the keypair for this host:

tincd -K -n vpn

Accept the defaults for the file names: the private key goes to /etc/tinc/vpn/rsa_key.priv and the public key is appended to /etc/tinc/vpn/hosts/networka. The default key length depends on the tinc version (older releases, like the one the sample key later in this guide came from, generate 1024-bit keys), so pass an explicit size with tincd -n vpn --generate-keys=4096 if you want a larger key. Make sure the private key is readable by root only (chmod 600 /etc/tinc/vpn/rsa_key.priv), then get to work on the next host.

Configuring tinc on gateway B

You will now do essentially the same thing as on host A, with the names and subnets reversed. Here are the steps.

Create the VPN directory:

mkdir /etc/tinc/vpn

Create the main configuration file:

File: /etc/tinc/vpn/tinc.conf
Name = networkb
AddressFamily = ipv4
BindToInterface = eth0
ConnectTo = networka
Device = /dev/net/tun
Mode = router
KeyExpire = 3600
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

Define the hosts in the VPN:

mkdir /etc/tinc/vpn/hosts
File: /etc/tinc/vpn/hosts/networkb
Address = networkb.dyndns.org
Subnet = 10.1.1.0/24
File: /etc/tinc/vpn/hosts/networka
Address = networka.dyndns.org
Cipher = blowfish
Digest = sha1
IndirectData = yes
Subnet = 192.168.0.0/24

Create the two scripts:

File: /etc/tinc/vpn/tinc-up
#!/bin/sh

ifconfig vpn 10.1.1.1 netmask 255.255.0.0 up
route add -net 192.168.0.0/24 vpn
File: /etc/tinc/vpn/tinc-down
#!/bin/sh

ifconfig vpn down

Set the permissions:

chmod +x /etc/tinc/vpn/tinc-up /etc/tinc/vpn/tinc-down

Set the network to start with the init script:

File: /etc/conf.d/tinc.networks
NETWORK: vpn

Generate the keypair for this host:

tincd -K -n vpn

Accept the defaults for the file names.

Exchanging keypairs

You need to make each host aware of the public key of the other host. Notice how on each host, its own host file now contains its public key. For example on host A:

File: /etc/tinc/vpn/hosts/networka
Address = networka.dyndns.org
Subnet = 192.168.0.0/24
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAODloYJYBspV/9odnYa6qiscVd61X3gb3h9ypa0+RPXJF5MbC+Ve/7BZ
umWmWLr9jzFY9NWAk5pu5kyjcZMfCYQtP0Xf7bS2q/jrevEZfV8WX0oYdQFDyHgg
UTsOt/5xM555vGhIY7ZurmqE5Br26zJbxY8OALWIcbwpd060B8mrAgMBAAE=
-----END RSA PUBLIC KEY-----

You only need to copy the key part (including the BEGIN and END lines) and paste it into the other host's file for that host. Do this over a channel you trust, for example scp over an existing ssh session, or read the key's fingerprint to the other administrator over the phone: the key you paste into hosts/networkb is what gateway A will accept as proof that it is talking to networkb, so a tampered copy lets an attacker impersonate the other site. Once both sides have exchanged keys, check that the two copies of each host file carry byte-for-byte the same key block.

Example, on host B:

File: /etc/tinc/vpn/hosts/networka
Address = networka.dyndns.org
Cipher = blowfish
Digest = sha1
IndirectData = yes
Subnet = 192.168.0.0/24
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAODloYJYBspV/9odnYa6qiscVd61X3gb3h9ypa0+RPXJF5MbC+Ve/7BZ
umWmWLr9jzFY9NWAk5pu5kyjcZMfCYQtP0Xf7bS2q/jrevEZfV8WX0oYdQFDyHgg
UTsOt/5xM555vGhIY7ZurmqE5Br26zJbxY8OALWIcbwpd060B8mrAgMBAAE=
-----END RSA PUBLIC KEY-----

Do this for each host.
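The copy-and-paste step above is easy to get wrong (a missing END line, a stale key from an earlier run, a file without a trailing newline). The following script is an added example, not code from the wiki page or from the tinc project: it pulls the key block out of a host file received from the peer, appends it to the local copy of that host file, refuses to silently replace a key that is already there, and prints a SHA-256 fingerprint of the key body that both administrators can compare out of band. The file paths are whatever you pass in (the page's layout is /etc/tinc/<net>/hosts/<name>); the script itself needs only sed, grep and sha256sum.

```shell
#!/bin/sh
# Added example (not from the wiki page or the tinc project): merge the RSA
# public key from a peer's host file into our local copy of that host file.
# Paths are taken from the command line; nothing here is tinc's own tooling.

# Print the key block (BEGIN and END lines included) from a host file.
tinc_pubkey() {
    sed -n '/^-----BEGIN RSA PUBLIC KEY-----$/,/^-----END RSA PUBLIC KEY-----$/p' "$1"
}

# Number of key blocks in a file: 0 = no key yet, 1 = normal, >1 = corrupt.
tinc_pubkey_count() {
    grep -c '^-----BEGIN RSA PUBLIC KEY-----$' "$1" 2>/dev/null || true
}

# SHA-256 over the base64 body of the key; compare this out of band
# (phone, signed mail) before trusting a key that arrived over the network.
tinc_pubkey_fingerprint() {
    tinc_pubkey "$1" | sed '1d;$d' | tr -d '\n' | sha256sum | cut -d' ' -f1
}

# tinc_merge_pubkey SRC DST
#   SRC: host file as generated on the peer (e.g. hosts/networka copied from A)
#   DST: our local copy of that host file, which keeps our per-host options
# Exit status: 0 merged or already identical, 1 key missing/ambiguous or DST
# absent, 2 DST already holds a different key (ask the peer, do not guess).
tinc_merge_pubkey() {
    src=$1 dst=$2
    [ -f "$dst" ] || { echo "$dst: missing, create it with Address/Subnet first" >&2; return 1; }
    [ "$(tinc_pubkey_count "$src")" = 1 ] || { echo "$src: expected exactly one key block" >&2; return 1; }
    key=$(tinc_pubkey "$src")
    case $(tinc_pubkey_count "$dst") in
        0)
            # Make sure the key starts on its own line even if DST lacks a final newline.
            [ -z "$(tail -c1 "$dst")" ] || echo >> "$dst"
            printf '%s\n' "$key" >> "$dst"
            echo "$dst: key added, fingerprint $(tinc_pubkey_fingerprint "$dst")"
            ;;
        1)
            if [ "$(tinc_pubkey "$dst")" = "$key" ]; then
                echo "$dst: key already present"
            else
                echo "$dst: holds a different key ($(tinc_pubkey_fingerprint "$dst")) than $src ($(tinc_pubkey_fingerprint "$src"))" >&2
                return 2
            fi
            ;;
        *)
            echo "$dst: more than one key block, fix by hand" >&2
            return 1
            ;;
    esac
}

# Usage: sh tinc-merge-key.sh /tmp/networka.from-A /etc/tinc/vpn/hosts/networka
if [ $# -eq 2 ]; then
    tinc_merge_pubkey "$1" "$2"
fi
```

Run it on gateway B with the file received from A as the first argument and B's own hosts/networka as the second, then the other way round on A; the fingerprint printed on both sides must match what the other administrator reads out.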

Setting up firewalls to allow VPN traffic

We need to let the VPN traffic through the firewall, so we will add some simple rules. These rules open the port used by tinc to the world (tinc only accepts peers whose public key it has in its hosts directory, so an unknown host cannot join the VPN; if the peer had a static address you could still narrow the rule with -s to that address) and let everything through on the VPN interface. Of course, you can write stricter rules if you prefer.

First, open port 655 UDP and TCP (tinc's default port: TCP carries the meta connection, UDP the tunnelled data) to the world, assuming $EXTIF is your external interface and $EXTIP is your external IP:

iptables -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 655 -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 655 -j ACCEPT

We will also let everything in and out on interface vpn:

iptables -A INPUT -i vpn -j ACCEPT
iptables -A OUTPUT -o vpn -j ACCEPT

The rules are needed on both gateways.

There is still one problem with the firewalls: they will not forward packets from the home network into the VPN, or the other way round. These rules fix that. On gateway A (internal network 192.168.0.0/24):

iptables -A FORWARD -i vpn -o $INTIF -s 10.1.1.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i $INTIF -o vpn -s 192.168.0.0/24 -d 10.1.1.0/24 -j ACCEPT

And on gateway B (internal network 10.1.1.0/24):

iptables -A FORWARD -i vpn -o $INTIF -s 192.168.0.0/24 -d 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -i $INTIF -o vpn -s 10.1.1.0/24 -d 192.168.0.0/24 -j ACCEPT

Replace $INTIF with the respective internal interface. These rules are stateless and symmetric, so they allow new connections in both directions between the two networks; if you only want connections initiated from one side, add -m state --state ESTABLISHED,RELATED to the rule for the other direction. Also check your NAT rule: if it masquerades everything leaving the box rather than only traffic leaving through $EXTIF, exclude the VPN traffic from it, otherwise the remote side sees the gateway's address instead of the real source.
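Because the same rule set is needed on both gateways with only the subnets and interface names swapped, it is less error-prone to keep it in one script. The following is an added example, not code from the wiki page or from the tinc project: it takes the per-gateway values as arguments and emits exactly the rules of this section. $EXTIF, $EXTIP and $INTIF are the page's variables; VPNIF, LOCAL_NET, REMOTE_NET and the IPT variable are assumptions of this example. Setting IPT=echo prints the rules instead of applying them, which lets you review the generated set before running it as root.

```shell
#!/bin/sh
# Added example, not from the wiki page or the tinc project: the firewall
# rules of this section as one function parameterised per gateway.
# IPT defaults to iptables; set IPT=echo to preview the rules without root.

IPT=${IPT:-iptables}

# tinc_firewall EXTIF EXTIP INTIF LOCAL_NET REMOTE_NET [VPNIF]
tinc_firewall() {
    extif=$1 extip=$2 intif=$3 local_net=$4 remote_net=$5 vpnif=${6:-vpn}

    # tinc's default port 655: TCP carries the meta connection, UDP the
    # encrypted tunnel packets. Accept both, but only on the external address.
    for proto in tcp udp; do
        $IPT -A INPUT -i "$extif" -p "$proto" -d "$extip" --dport 655 -j ACCEPT
    done

    # Traffic that terminates on, or originates from, this gateway itself.
    $IPT -A INPUT -i "$vpnif" -j ACCEPT
    $IPT -A OUTPUT -o "$vpnif" -j ACCEPT

    # Site-to-site forwarding, limited to the two subnets the tunnel carries;
    # with a DROP policy on FORWARD anything else arriving on the tunnel stays blocked.
    $IPT -A FORWARD -i "$vpnif" -o "$intif" -s "$remote_net" -d "$local_net" -j ACCEPT
    $IPT -A FORWARD -i "$intif" -o "$vpnif" -s "$local_net" -d "$remote_net" -j ACCEPT
}

# Gateway A: sh tinc-fw.sh eth0 <EXTIP> eth1 192.168.0.0/24 10.1.1.0/24
# Gateway B: sh tinc-fw.sh eth0 <EXTIP> eth1 10.1.1.0/24 192.168.0.0/24
# (eth1 as the internal interface is a placeholder; use your own $INTIF.)
if [ $# -ge 5 ]; then
    tinc_firewall "$@"
fi
```

Note that the function appends to the existing chains; put it in your firewall script before any final REJECT/DROP rule so the new rules are reached.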

Enabling IP forwarding

The kernel must forward packets between interfaces on every host that routes between the two networks. On a gateway that already does NAT this is normally enabled already; if you run the tinc daemon on a separate host inside the LAN instead of on the default gateway, enable it there too.

Tell the kernel that IP forwarding is OK:

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

To make this persistent, add or uncomment the following lines in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

If you have a dynamic internet address you probably want to enable this as well:

net.ipv4.ip_dynaddr = 1

If the tinc host is not the default gateway of its LAN, also add a static route for the remote subnet on the default gateway, with the tinc host as the next hop, so that the other hosts on the LAN can reach the other site.


Start the services and test

The only thing left to do is to launch the service on both gateways and add it to the default runlevel:

/etc/init.d/tincd start
rc-update add tincd default

You can now test by pinging addresses on the other side of the VPN: first the remote gateway's LAN address from the local gateway, then a host on the remote LAN from a host on the local LAN. If it does not work, tincd logs to syslog; to watch it directly, stop the service and run the daemon in the foreground with debugging enabled: tincd -n vpn -D -d3
