注意:

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Tinc

From Funtoo
Revision as of 23:47, January 20, 2018 by Palica (talk | contribs)
Jump to navigation Jump to search

Tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet.

Here are main features at a glance:

  • Encryption, authentication and compression
    • All traffic is optionally compressed using zlib or LZO, and LibreSSL or OpenSSL is used to encrypt the traffic and protect it from alteration with message authentication codes and sequence numbers.
  • Automatic full mesh routing
    • Regardless of how you set up the tinc daemons to connect to each other, VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops.
  • NAT traversal
    • As long as one node in the VPN allows incoming connections on a public IP address (even if it is a dynamic IP address), tinc will be able to do NAT traversal, allowing direct communication between peers.
  • Easily expand your VPN
    • When you want to add nodes to your VPN, all you have to do is add an extra configuration file, there is no need to start new daemons or create and configure new devices or network interfaces.
  • Ability to bridge ethernet segments
    • You can link multiple ethernet segments together to work like a single segment, allowing you to run applications and games that normally only work on a LAN over the Internet.
  • Runs on many operating systems and supports IPv6
    • Currently Linux, FreeBSD, OpenBSD, NetBSD, OS X, Solaris, Windows 2000, XP, Vista and Windows 7 and 8 platforms are supported.

Required Kernel Options

Network device support
<M> Universal tun/tap device driver support

Installing tinc

in Funtoo Linux as easy as:

root # emerge -av net-vpn/tinc
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] dev-libs/lzo-2.10:2::dev-kit  USE="-examples -static-libs" ABI_X86="32 (64) (-x32)" 587 KiB
[ebuild  N     ] net-vpn/tinc-1.1_pre15::net-kit  USE="lzo ncurses readline ssl zlib -gui -libressl -uml -upnp -vde" PYTHON_TARGETS="python2_7" 688 KiB

Total: 2 packages (2 new), Size of downloads: 1,275 KiB

Would you like to merge these packages? [Yes/No]

Configuring tincd

Basic two node setup

We're going to deploy two servers to talk to each other via tinc vpn, let's call them serverA and serverB for now. Note that technically tinc is a mesh network, so there's no 'master' server, simply a node which doesn't connect to any others, but is connected to. This is great because we can use multiple ConnectTo statements in tinc.conf to achieve a highly-available VPN. We will be using 10.10.0.0/24 as VPN network. We will set the serverA on 10.10.0.1 and the serverB on 10.10.0.2.

We're going to call our VPN interface funvpn, so on both servers install Tinc as per the above instructions and then lets create some directories/files we're going to use:

root # tinc -n funvpn init
Generating 2048 bits keys:
.................................................................................................................................................+++ p
......................................................................................................................................................................................................
...................................................+++ q
Done.
Generating Ed25519 keypair:
Done.

This is going to init the files on both servers and generate secret/public keypairs, the files are stored in /etc/tinc/funvpn. First, let's edit tinc.conf on the serverA:

Name=serverA
Mode=switch

ConnectTo=serverB

And on the serverB:

Name=serverB
Mode=switch

ConnectTo=serverA