注意:

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "Tinc"

From Funtoo
Jump to navigation Jump to search
Line 56: Line 56:
This is going to init the files on both servers and generate secret/public keypairs, the files are stored in /etc/tinc/funvpn. First, let's edit tinc.conf on the serverA:
This is going to init the files on both servers and generate secret/public keypairs, the files are stored in /etc/tinc/funvpn. First, let's edit tinc.conf on the serverA:


{{console|body=
###i## cat /etc/tinc/funvpn/tinc.conf
  Name=serverA
  Name=serverA
  Mode=switch
  Mode=switch
   
   
  ConnectTo=serverB
  ConnectTo=serverB
}}


And on the serverB:
And on the serverB:
{{console|body=
###i## cat /etc/tinc/funvpn/tinc.conf


  Name=serverB
  Name=serverB
Line 67: Line 73:
   
   
  ConnectTo=serverA
  ConnectTo=serverA
}}


Now we have to edit /etc/tinc/funvpn/hosts/serverA serverB files. Put the address of serverA in hosts/serverA and do the same for serverB. Leave the rest of the file intact.
Now we have to edit /etc/tinc/funvpn/hosts/serverA serverB files. Put the address of serverA in hosts/serverA and do the same for serverB. Leave the rest of the file intact.
{{console|body=
###i## cat /etc/tinc/funvpn/hosts/serverA


  Address=YOUR IP
  Address=YOUR IP


}}


Next you need to copy the hosts/server{A,B} files so both nodes have both files. That's everything directly Tinc related complete!
Next you need to copy the hosts/server{A,B} files so both nodes have both files. That's everything directly Tinc related complete!

Revision as of 00:14, January 21, 2018

Tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet.

Here are main features at a glance:

  • Encryption, authentication and compression
    • All traffic is optionally compressed using zlib or LZO, and LibreSSL or OpenSSL is used to encrypt the traffic and protect it from alteration with message authentication codes and sequence numbers.
  • Automatic full mesh routing
    • Regardless of how you set up the tinc daemons to connect to each other, VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops.
  • NAT traversal
    • As long as one node in the VPN allows incoming connections on a public IP address (even if it is a dynamic IP address), tinc will be able to do NAT traversal, allowing direct communication between peers.
  • Easily expand your VPN
    • When you want to add nodes to your VPN, all you have to do is add an extra configuration file, there is no need to start new daemons or create and configure new devices or network interfaces.
  • Ability to bridge ethernet segments
    • You can link multiple ethernet segments together to work like a single segment, allowing you to run applications and games that normally only work on a LAN over the Internet.
  • Runs on many operating systems and supports IPv6
    • Currently Linux, FreeBSD, OpenBSD, NetBSD, OS X, Solaris, Windows 2000, XP, Vista and Windows 7 and 8 platforms are supported.

Required Kernel Options

Network device support
<M> Universal tun/tap device driver support

Installing tinc

in Funtoo Linux as easy as:

root # emerge -av net-vpn/tinc
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] dev-libs/lzo-2.10:2::dev-kit  USE="-examples -static-libs" ABI_X86="32 (64) (-x32)" 587 KiB
[ebuild  N     ] net-vpn/tinc-1.1_pre15::net-kit  USE="lzo ncurses readline ssl zlib -gui -libressl -uml -upnp -vde" PYTHON_TARGETS="python2_7" 688 KiB

Total: 2 packages (2 new), Size of downloads: 1,275 KiB

Would you like to merge these packages? [Yes/No]

Configuring tincd

Basic two node setup

We're going to deploy two servers to talk to each other via tinc vpn, let's call them serverA and serverB for now. Note that technically tinc is a mesh network, so there's no 'master' server, simply a node which doesn't connect to any others, but is connected to. This is great because we can use multiple ConnectTo statements in tinc.conf to achieve a highly-available VPN. We will be using 10.10.0.0/24 as VPN network. We will set the serverA on 10.10.0.1 and the serverB on 10.10.0.2.

We're going to call our VPN interface funvpn, so on both servers install Tinc as per the above instructions and then let's init some directories/files:

root # tinc -n funvpn init
Enter the Name you want your tinc node to have: serverA
Generating 2048 bits keys:
..............................+++ p
............+++ q
Done.
Generating Ed25519 keypair:
Done.

This is going to init the files on both servers and generate secret/public keypairs, the files are stored in /etc/tinc/funvpn. First, let's edit tinc.conf on the serverA:

root # cat /etc/tinc/funvpn/tinc.conf
 Name=serverA
 Mode=switch
 
 ConnectTo=serverB

And on the serverB:

root # cat /etc/tinc/funvpn/tinc.conf

 Name=serverB
 Mode=switch
 
 ConnectTo=serverA

Now we have to edit /etc/tinc/funvpn/hosts/serverA serverB files. Put the address of serverA in hosts/serverA and do the same for serverB. Leave the rest of the file intact.

root # cat /etc/tinc/funvpn/hosts/serverA

 Address=YOUR IP

Next you need to copy the hosts/server{A,B} files so both nodes have both files. That's everything directly Tinc related complete!

However, the network won't run yet, we need to edit tinc-up and tinc-down scripts on each node to setup the interface. These files will look very similar on both servers, only the IP of the interface will change:

root # cat tinc-up
root #!/bin/sh
IP=`which ip`
user $IP link set dev $INTERFACE up
user $IP addr add dev $INTERFACE 10.10.0.1/24 broadcast 10.10.0.255 scope link

All you do is replace <10.10.0.1 OR 10.10.0.2> with the IP of whichever node you are on. Finally:

root # cat tinc-down:
root #!/bin/sh
IP=`which ip`
user $IP addr del dev $INTERFACE 10.10.0.1/24 broadcast 10.10.0.255 scope link
user $IP link set dev $INTERFACE down

We are almost done. Now we need to do just couple of last config changes.

Modify /etc/conf.d/tinc.networks:

NETWORK: funvpn

And add tincd to default group of startup scripts.

root # rc-update add tincd
root # rc

And, that should be it! Now you should be able to ping each of the servers.