Setting up a VPN with tinc

From Alpine Linux
Jump to: navigation, search

These instructions will create a routed mesh network with multiple protected networks behind each node. While it is possible to set up separate tinc daemons with separate vpn names, we will "trunk" all the traffic over a single tinc vpn. These instructions do not create an extended bridged "ethernet LAN" - it creates a set of routed networks.

Network Topology

Our example network topology looks like the following chart. Example.com has three offices: Aspen, Boulder, and Carbondale. Each office has two networks. Alpine Linux is used as the firwall/router/gateway at each office, and tinc will be installed on the gateway.

  ASPEN  [10.1.0.1] --------------\
                                  |
192.168.10.0/24                   |
192.160.110.0/24              [INTERNET]------------------ [10.3.0.1] CARBONDALE
                                  |
                                  |                            192.168.30.0/24
 BOULDER [10.2.0.1] --------------/                            192.168.130.0/24
 
192.168.20.0/24
192.168.120.0/24

The Tinc VPN itself will use the dedicated network 192.168.0.0/29.


Install And Configure Common Tinc Settings

On all three routers:

Install Tinc

apk add tinc

Load Tun module

modprobe tun

echo "tun" >> /etc/modules

Create the directory tree For Tinc Configuration

 We need to create a name for our VPN.  In this example, we will call it "mesh".  A network interface will be created with the network name.

mkdir -p /etc/tinc/mesh/hosts

Tell the tinc daemon which network(s) to load

echo NETWORK: mesh > /etc/conf.d/tinc.networks

Install And Configure Per Server Settings

On each router, create a /etc/tinc/mesh/tinc.conf file. This example is for Aspen:

Name=aspen
Device=/dev/net/tun

Change the Name to be Boulder and Carbondale on the other servers.

On each router, create a /etc/tinc/mesh/tinc-up script. Again for Aspen:

# This is for Aspen
ip link set $INTERFACE up
ip addr add 192.168.0.1/29 dev $INTERFACE

# route TO Aspen (leave commented out on Aspen
#    uncomment on the other two)
# ip route add 192.168.10.0/24 dev $INTERFACE
# ip route add 192.168.110.0/24 dev $INTERFACE

# route TO Boulder (leave commented out on Boulder
#    uncomment on the other two)
ip route add 192.168.20.0/24 dev $INTERFACE
ip route add 192.168.120.0/24 dev $INTERFACE

# route TO Carbondale (leave commented out on Carbondale
#    uncomment on the other two)
ip route add 192.168.30.0/24 dev $INTERFACE
ip route add 192.168.130.0/24 dev $INTERFACE

The ip route statements tells the local gateway to route traffic bound for the other two campuses through the tinc VPN interface.


Make the script executable:

chmod a+x /etc/tinc/mesh/tinc-up


Create the site specific configuration file

Each site has a specific configuration file that is shared will all other sites.

Aspen

Create /etc/tinc/mesh/hosts/aspen:

Subnet = 192.168.0.1/32
Address = 10.1.0.1
ConnectTo = boulder
ConnectTo = carbondale

Subnet = 192.168.10.0/24
Subnet = 192.168.110.0/24

Boulder

Create /etc/tinc/mesh/hosts/boulder:

Subnet = 192.168.0.2/32
Address = 10.2.0.1
ConnectTo = aspen
ConnectTo = carbondale

Subnet = 192.168.20.0/24
Subnet = 192.168.120.0/24

Carbondale

Create /etc/tinc/mesh/hosts/carbondale:

Subnet = 192.168.0.3/32
Address = 10.3.0.1
ConnectTo = aspen
ConnectTo = boulder
Subnet = 192.168.30.0/24
Subnet = 192.168.130.0/24


Note that while in the tinc-up script we specify a /29 mask (entire broadcast domain) the host file contains a /32 mask. This may be counterintuitive, but it is what allows the tinc daemon to know which broadcast packets are for this instance.

Also note that while we add the routes for all the other networks in the tinc-up script, we add only the subnets for this instance in the host file.

The ConnectTo statements connect to both of the other nodes. This creates a mesh network. If there are explicit ConnectTo statements between all nodes, then if, for instance, connectivity between Aspen and Carbondale is lost, traffic will flow Aspen->Boulder->Carbondale.


Create the public and private keys

On each node, run:

tincd -n mesh -K

It will generate the public and private RSA keys, and prompt you if its ok to put them in:

/etc/tinc/mesh/rsa_key.priv
/etc/tinc/mesh/hosts/hostname

This is acceptable.

Copy the host file to the other hosts

For each node, scp (or other means) the /etc/tinc/mesh/hosts/hostname file to the other node. In the end, the hosts directory on all three nodes will have three identical files.

Directory tree for a running tinc configuration

/etc/tinc
/etc/tinc/mesh
/etc/tinc/mesh/rsa_key.priv               <- unique to each host
/etc/tinc/mesh/tinc.conf                  <- unique to each host
/etc/tinc/mesh/tinc-up                    <- unique to each host
/etc/tinc/mesh/hosts 
/etc/tinc/mesh/hosts/aspen                <- same on all hosts
/etc/tinc/mesh/hosts/boulder              <- same on all hosts
/etc/tinc/mesh/hosts/carbondale           <- same on all hosts

Start tincd

rc-update add tincd
openrc
lbu ci

If the gateways forward ipv4, and there are no other firewall rules between sites, you should be able to ping any host from any other site.