How to install and configure tinc VPN on Linux

Last updated on September 28, 2020 by Dan Nanni

tinc is open-source VPN software with a number of powerful features not found in other VPN solutions. For example, tinc allows peers behind NAT to communicate with one another directly over the VPN, rather than through a third-party server, which makes tinc a type of peer-to-peer VPN solution. Other features include full IPv6 support and path MTU discovery.

In this tinc example, I will show you how to set up a VPN connection between two hosts via tinc. Let's call these hosts alice and bob respectively. Note that these are just symbolic names used by tinc, not necessarily hostnames. In this example, I assume that host bob will initiate a VPN connection to host alice.

Install tinc on Linux

First, install tinc on both hosts.

On a CentOS system, first set up the RepoForge repository, and then run:

$ sudo yum install tinc -y

On a Debian/Ubuntu system:

$ sudo apt-get install tinc

Configure tinc

Now, let's go ahead and configure tinc VPN on both hosts as follows.

On host alice, do the following.

$ sudo mkdir -p /etc/tinc/myvpn/hosts

Then create a tinc configuration file called tinc.conf, and host configuration file(s) as follows.

$ sudo vi /etc/tinc/myvpn/tinc.conf
Name = alice
AddressFamily = ipv4
Interface = tun0

In the above example, the directory myvpn under /etc/tinc is the name of the VPN network to be established between alice and bob. The network name can be any alphanumeric name, but it must not contain a hyphen (-). In tinc.conf, the Name field is the name of the local tinc host; it does not have to be the actual hostname, so you can choose any generic name.

Next, create host configuration files which contain host-specific information.

$ sudo vi /etc/tinc/myvpn/hosts/alice
Address = 1.2.3.4
Subnet = 10.0.0.1/32

The name of the host configuration file (e.g., alice) must be the same as the Name you defined in tinc.conf. The Address field is a globally routable public IP address at which alice can be reached. This field is required for at least one host in a given VPN network so that the other hosts can initiate VPN connections to it. In this example, alice serves as the bootstrapping server, and so has a public IP address (e.g., 1.2.3.4). The Subnet field is the VPN IP address to be assigned to alice.

The next step is to generate public/private keys.

$ sudo tincd -n myvpn -K4096

The above command generates a 4096-bit RSA key pair for host alice. The private key is stored as /etc/tinc/myvpn/rsa_key.priv, and the public key is appended to /etc/tinc/myvpn/hosts/alice.

Next, create the scripts that tinc runs right after the daemon starts (tinc-up) and right before it is terminated (tinc-down).

$ sudo vi /etc/tinc/myvpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0
$ sudo vi /etc/tinc/myvpn/tinc-down
#!/bin/sh
ifconfig $INTERFACE down
$ sudo chmod 755 /etc/tinc/myvpn/tinc-*

Now the tinc configuration for host alice is done. Configure tinc on host bob in the same way, as follows.

$ sudo mkdir -p /etc/tinc/myvpn/hosts
$ sudo vi /etc/tinc/myvpn/tinc.conf
Name = bob
AddressFamily = ipv4
Interface = tun0
ConnectTo = alice

Note that, unlike alice's configuration, bob's tinc.conf contains a ConnectTo field, since host bob will initiate the VPN connection to host alice as soon as the tinc daemon on bob is up.

$ sudo vi /etc/tinc/myvpn/hosts/bob
Subnet = 10.0.0.2/32
$ sudo tincd -n myvpn -K4096

Similarly, bob's private key is stored as /etc/tinc/myvpn/rsa_key.priv, and its public key is appended to /etc/tinc/myvpn/hosts/bob.

$ sudo vi /etc/tinc/myvpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0
$ sudo vi /etc/tinc/myvpn/tinc-down
#!/bin/sh
ifconfig $INTERFACE down
$ sudo chmod 755 /etc/tinc/myvpn/tinc-*

Once you have configured tinc on both hosts as above, copy each host's host configuration file (which now contains its public key) to the other host:

On host alice:

$ scp /etc/tinc/myvpn/hosts/alice root@bob:/etc/tinc/myvpn/hosts/

On host bob:

$ scp /etc/tinc/myvpn/hosts/bob root@alice:/etc/tinc/myvpn/hosts/

Finally, start the tinc daemon on both hosts as follows. Since host bob initiates the VPN connection, start the daemon on host alice first, and then on host bob.

$ sudo tincd -n myvpn

The two hosts should now be able to talk to each other via the VPN IP addresses assigned to them.
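As an added example (not part of the original article or of tinc itself), the following POSIX shell function checks a network directory laid out as above for the mistakes that most often break a first tinc setup: a hosts file that does not match Name, a ConnectTo peer whose host file was never copied over or lacks an Address or public key, a world-readable rsa_key.priv, and tinc-up/tinc-down scripts that are not executable. The function name, its messages and the permission check are my own choices, not anything tinc provides.

```shell
#!/bin/sh
# check_tinc_net NETDIR
# Sanity-checks a tinc network directory laid out as in this article
# (NETDIR/tinc.conf, NETDIR/hosts/<Name>, NETDIR/rsa_key.priv, NETDIR/tinc-up,
# NETDIR/tinc-down). Prints one line per problem found and returns the number
# of problems, so a return value of 0 means the directory is consistent.
check_tinc_net() {
    net=$1 problems=0 conf="$1/tinc.conf"
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    # extract the value of a "Key = value" line, tolerating spaces around '='
    getval() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p" "$2"; }
    name=$(getval Name "$conf" | head -n 1)
    if [ -z "$name" ]; then
        echo "tinc.conf: no Name field"; problems=$((problems + 1))
    elif [ ! -f "$net/hosts/$name" ]; then
        echo "hosts/$name: missing; the file name must match Name = $name"; problems=$((problems + 1))
    else
        grep -q '^[[:space:]]*Subnet[[:space:]]*=' "$net/hosts/$name" ||
            { echo "hosts/$name: no Subnet"; problems=$((problems + 1)); }
        grep -q 'BEGIN RSA PUBLIC KEY' "$net/hosts/$name" ||
            { echo "hosts/$name: no public key (run tincd -n NET -K)"; problems=$((problems + 1)); }
    fi
    # each ConnectTo target needs its host file here, carrying an Address and its
    # public key, otherwise this host can neither find nor authenticate the peer
    for peer in $(getval ConnectTo "$conf"); do
        if [ ! -f "$net/hosts/$peer" ]; then
            echo "ConnectTo = $peer but hosts/$peer is missing (copy it from $peer)"; problems=$((problems + 1))
            continue
        fi
        grep -q '^[[:space:]]*Address[[:space:]]*=' "$net/hosts/$peer" ||
            { echo "hosts/$peer: ConnectTo target has no Address"; problems=$((problems + 1)); }
        grep -q 'BEGIN RSA PUBLIC KEY' "$net/hosts/$peer" ||
            { echo "hosts/$peer: no public key for peer"; problems=$((problems + 1)); }
    done
    # the private key must exist and must not be readable by other users
    if [ ! -f "$net/rsa_key.priv" ]; then
        echo "rsa_key.priv missing (run tincd -n NET -K)"; problems=$((problems + 1))
    elif [ -n "$(find "$net/rsa_key.priv" -perm -004)" ]; then
        echo "rsa_key.priv is world-readable; chmod 600 it"; problems=$((problems + 1))
    fi
    # tinc executes tinc-up and tinc-down itself, so both must be executable
    for s in tinc-up tinc-down; do
        [ -x "$net/$s" ] || { echo "$s missing or not executable (chmod 755)"; problems=$((problems + 1)); }
    done
    return "$problems"
}
# usage: check_tinc_net /etc/tinc/myvpn && echo "myvpn looks consistent"
```

Run it on each host after the scp step; anything it reports is something tincd would otherwise only tell you about in syslog after a failed connection attempt.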


Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
