Setting up a VPN with tinc
These instructions will create a routed mesh network with multiple protected networks behind each node. While it is possible to set up separate tinc daemons with separate vpn names, we will "trunk" all the traffic over a single tinc vpn. These instructions do not create an extended bridged "ethernet LAN" - it creates a set of routed networks.
Our example network topology looks like the following chart. Example.com has three offices: Aspen, Boulder, and Carbondale. Each office has two networks. Alpine Linux is used as the firwall/router/gateway at each office, and tinc will be installed on the gateway.
ASPEN [10.1.0.1] --------------\ | 192.168.10.0/24 | 126.96.36.199/24 [INTERNET]------------------ [10.3.0.1] CARBONDALE | | 192.168.30.0/24 BOULDER [10.2.0.1] --------------/ 192.168.130.0/24 192.168.20.0/24 192.168.120.0/24
The Tinc VPN itself will use the dedicated network 192.168.0.0/29.
Install And Configure Common Tinc Settings
On all three routers:
Load Tun module
Create the directory tree For Tinc Configuration
We need to create a name for our VPN. In this example, we will call it "mesh". A network interface will be created with the network name.
Tell the tinc daemon which network(s) to load
Install And Configure Per Server Settings
On each router, create a /etc/tinc/mesh/tinc.conf file. This example is for Aspen:
Change the Name to be Boulder and Carbondale on the other servers.
On each router, create a /etc/tinc/mesh/tinc-up script. Again for Aspen:
# This is for Aspen ip link set $INTERFACE up ip addr add 192.168.0.1/29 dev $INTERFACE # route TO Aspen (leave commented out on Aspen # uncomment on the other two) # ip route add 192.168.10.0/24 dev $INTERFACE # ip route add 192.168.110.0/24 dev $INTERFACE # route TO Boulder (leave commented out on Boulder # uncomment on the other two) ip route add 192.168.20.0/24 dev $INTERFACE ip route add 192.168.120.0/24 dev $INTERFACE # route TO Carbondale (leave commented out on Carbondale # uncomment on the other two) ip route add 192.168.30.0/24 dev $INTERFACE ip route add 192.168.130.0/24 dev $INTERFACE
The ip route statements tells the local gateway to route traffic bound for the other two campuses through the tinc VPN interface.
Make the script executable:
Create the site specific configuration file
Each site has a specific configuration file that is shared will all other sites.
Subnet = 192.168.0.1/32 Address = 10.1.0.1 ConnectTo = boulder ConnectTo = carbondale Subnet = 192.168.10.0/24 Subnet = 192.168.110.0/24
Subnet = 192.168.0.2/32 Address = 10.2.0.1 ConnectTo = aspen ConnectTo = carbondale Subnet = 192.168.20.0/24 Subnet = 192.168.120.0/24
Subnet = 192.168.0.3/32 Address = 10.3.0.1 ConnectTo = aspen ConnectTo = boulder
Subnet = 192.168.30.0/24 Subnet = 192.168.130.0/24
Note that while in the tinc-up script we specify a /29 mask (entire broadcast domain) the host file contains a /32 mask. This may be counterintuitive, but it is what allows the tinc daemon to know which broadcast packets are for this instance.
Also note that while we add the routes for all the other networks in the tinc-up script, we add only the subnets for this instance in the host file.
The ConnectTo statements connect to both of the other nodes. This creates a mesh network. If there are explicit ConnectTo statements between all nodes, then if, for instance, connectivity between Aspen and Carbondale is lost, traffic will flow Aspen->Boulder->Carbondale.
Create the public and private keys
On each node, run:
It will generate the public and private RSA keys, and prompt you if its ok to put them in:
This is acceptable.
Copy the host file to the other hosts
For each node, scp (or other means) the /etc/tinc/mesh/hosts/hostname file to the other node. In the end, the hosts directory on all three nodes will have three identical files.
Directory tree for a running tinc configuration
/etc/tinc /etc/tinc/mesh /etc/tinc/mesh/rsa_key.priv <- unique to each host /etc/tinc/mesh/tinc.conf <- unique to each host /etc/tinc/mesh/tinc-up <- unique to each host /etc/tinc/mesh/hosts /etc/tinc/mesh/hosts/aspen <- same on all hosts /etc/tinc/mesh/hosts/boulder <- same on all hosts /etc/tinc/mesh/hosts/carbondale <- same on all hosts
rc-update add tincd openrc lbu ci
If the gateways forward ipv4, and there are no other firewall rules between sites, you should be able to ping any host from any other site.