Using tinc for a simple meshed VPN network
Accessing your computers from remote at home isn't easy since you lack a public IP address in most cases. A workaround is to use a server with a public IP address as an entrance to a meshed tinc virtual private network (VPN).
In this post I describe the basic procedure to configure two Debian machines (one with a public IP address and one with a private IP address) to communicate over a tinc network. In principle, you can follow the the official configuration guide, however there are some aspects you must take care of specifically.
While the main configuration
/etc/tinc/<vpnname>/tinc.conf can remain as it
is, I had to put more energy into setting up the tunnel device. Check out the
# /etc/tinc/<vpnname>/tinc.conf Name: example_name ConnectTo: public_server Device: /dev/net/tun # for Debian
# /etc/tinc/<vpnname>/tinc-up #!/bin/sh ip link set $INTERFACE up ip addr add 10.<IP>.0.1/8 dev $INTERFACE ip addr add fd83:10d3:98f3:<IP>::1/48 dev $INTERFACE
Remember to make the previous script executable with
chmod +x tinc-up.
Further, specify the IP addresses as your network set-up requires. Ultratools
provides a convenient tool
for generating local IPv6 randomly. Remember that you are allowed to use
networks while Ultratools generates
/64 address ranges by default. Simply omit
the fourth block of the generated address.
- You must turn on the tunnel device explicitly.
- The subnets that each host provides must be smaller than the subnet you route to on the tunnel. Otherwise you would need to add routes to the foreign subnets manually. See below:
# /etc/tinc/<vpnname>/example_name Subnet: 10.<IP>.0.0/16 Subnet: fd83:10d3:98f3:<IP>::/64
In the next step, generate a key pair with
tincd -n <vpnname> -K 4096 and
interchange all public keys between the hosts.
After starting tinc on all hosts, try to
ping each host in the network. For
debugging, you can use the following command to launch
$ tincd -n <vpnname> -D
You can use
CTRL-C to toggle verbosity. In case you want to start
higher verbosity from the beginning, use the following command flag:
logging information helps a lot when debugging the network setup.
Finally, to launch
tincd when booting, enable it in
systemd with the
following command. Note that you need to provide the name of the tinc network,
<vpnname> in the following command:
$ systemctl enable tinc $ systemctl enable tinc@<vpnname>