tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet.
- 1 Installation
- 2 Configuring a private network
- 3 Starting a private network
- 4 Using TAP devices and bridges
- 5 Automatically Starting Tinc at boot
- 6 Troubleshooting
Configuring a private network
In this example, we will create a virtual private network vpnname between two hosts alpha and beta, where the former is the entry point for the latter, so that beta tries to connect to alpha on startup.
For each virtual private network you have to create a separate directory in /etc/tinc, e.g.
# mkdir /etc/tinc/vpnname
You can also start by copying the sample configuration
# cp -r /usr/share/tinc/examples/sample-config/* /etc/tinc/vpnname
In /etc/tinc/vpnname/tinc.conf you specify the name of the hostmachine (which can differ from the actual hostname of the system) and the location of the tun/tap device.
Configuration of alpha
Name = alpha Device = /dev/net/tun
#!/bin/sh ip link set $INTERFACE up ip addr add 192.168.0.1/32 dev $INTERFACE ip route add 192.168.0.0/24 dev $INTERFACE
#!/bin/sh ip route del 192.168.0.0/24 dev $INTERFACE ip addr del 192.168.0.1/32 dev $INTERFACE ip link set $INTERFACE down
Configuration of beta
Name = beta Device = /dev/net/tun ConnectTo = alpha
#!/bin/sh ip link set $INTERFACE up ip addr add 192.168.0.2/32 dev $INTERFACE ip route add 192.168.0.0/24 dev $INTERFACE
#!/bin/sh ip route del 192.168.0.0/24 dev $INTERFACE ip addr del 192.168.0.2/32 dev $INTERFACE ip link set $INTERFACE down
Setting up the hosts
The configuration files for the different hosts are stored in /etc/tinc/vpnname/hosts/ directory. In this example we need the two files on each machine.
Address = 10.0.0.1 Port = 655 Subnet = 192.168.0.1/32
Port = 655 Subnet = 192.168.0.2/32
After creating a file for each host, you have to generate a key pair using
# tincd -n vpnname -K
which creates the private key in /etc/tinc/vpnname/tinc.rsa_key.priv and the public key in the corresponding host-file.
In the last step you need to exchange the host configuration files, so that you have both alpha and beta in /etc/tinc/vpnname/hosts/ on each host.
Starting a private network
After having created the appropriate configuration in /etc/tinc/vpnname, you can test the the new private network with
# tincd -n vpnname
If you want to enable it at startup you can enable the appropriate service
# systemctl enable tinc@vpnname
Using TAP devices and bridges
Sometimes it is reasonable to use TAP devices instead of TUN devices. For example if you want to add the tinc device to an already existing bridge. Just add the "Mode" option to your tinc.conf.
Remember to do that on every host. /etc/tinc/vpnname/tinc.conf
Name = node Mode = switch Device = /dev/net/tun ConnectTo = other
Possible tinc-up/down files could look like that:
#!/bin/sh ip link set $INTERFACE up brctl addif br0 $INTERFACE
#!/bin/sh brctl delif br0 $INTERFACE ip link set $INTERFACE down
And finally restart your tinc daemon:
# systemctl restart tinc@vpnname
Automatically Starting Tinc at boot
Tinc can be configured to automatically start at boot time using systemd units.
Firstly enable the tinc service
# systemctl enable tinc
Then for each network that you want to automatically start, enable it individually
# systemctl enable tinc@vpnname # systemctl enable tinc@another_vpnname ...
I've updated my system and now tinc won't start.
In case of a linux kernel update you have to either restart your system or reinstall the running kernel package.
I'm running a custom kernel and tinc won't start.
Make sure you have TUN/TAP support enabled.