tinc is open-source VPN software with several features not found in other VPN solutions. For example, tinc lets two peers that are both behind NAT talk to each other directly over the VPN, without relaying their traffic through a third party. Other features include full IPv6 support and path MTU discovery.
In this tutorial I will show how to set up a VPN connection between two hosts with tinc. Let's call these hosts "alice" and "bob". These are symbolic node names used by tinc, not necessarily the machines' hostnames. In this example, host "bob" initiates the VPN connection to host "alice".
First, install tinc on both hosts.
On a CentOS system, set up the RPMforge repository first, then install the tinc package from it.
On a Debian/Ubuntu system, install the tinc package from the distribution repositories.
Now let's configure tinc on both hosts as follows.
On host "alice", create the network directory /etc/tinc/myvpn together with its hosts subdirectory, /etc/tinc/myvpn/hosts, where tinc keeps one file per node.
Then create the tinc configuration file /etc/tinc/myvpn/tinc.conf and the host configuration file(s) as follows.
Name = alice
AddressFamily = ipv4
Interface = tun0
In the example above, the directory "myvpn" under /etc/tinc is the name of the VPN network (tinc's "netname") to be established between alice and bob. The VPN name can be any alphanumeric name that does not contain "-". In tinc.conf, the "Name" field is the name of the local tinc node; it does not have to be the actual hostname, and you can choose any name you like.
Next, create host configuration files which contain host-specific information.
Address = 220.127.116.11
Subnet = 10.0.0.1/32
The name of the host configuration file (here /etc/tinc/myvpn/hosts/alice) must be the same as the Name you set in tinc.conf. The "Address" field is a globally routable public IP address of alice. At least one host in a given VPN network must have an Address, so that the other hosts can initiate VPN connections to it. In this example alice serves as the bootstrapping server, and therefore has a public IP address, the one given in the Address line above. The "Subnet" field is the VPN IP address assigned to alice; the /32 means this host file announces exactly that one address.
The next step is to generate the RSA key pair, using tincd's key-generation option for the network myvpn.
This generates 4096-bit public/private keys for host "alice". The private key is stored as /etc/tinc/myvpn/rsa_key.priv, and the public key is appended to /etc/tinc/myvpn/hosts/alice. Keep rsa_key.priv readable by root only; the hosts file, which carries only the public half, is the one you later share with peers.
Next, set up the two scripts that tinc runs right after the daemon starts and right before it terminates: /etc/tinc/myvpn/tinc-up and /etc/tinc/myvpn/tinc-down. Both must be executable. tinc passes the name of the VPN interface to them in the environment variable $INTERFACE.
tinc-up:
#!/bin/sh
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0
tinc-down:
#!/bin/sh
ifconfig $INTERFACE down
The tinc configuration for host "alice" is now done. Configure tinc on host "bob" in the same way, as follows.
$ sudo vi /etc/tinc/myvpn/tinc.conf
Name = bob
AddressFamily = ipv4
Interface = tun0
ConnectTo = alice
Note that, unlike alice's, bob's tinc configuration has a "ConnectTo" field: host "bob" initiates the VPN connection to host "alice" as soon as the tinc daemon on bob is up.
Subnet = 10.0.0.2/32
This goes into /etc/tinc/myvpn/hosts/bob. Bob's host file needs no Address line, because bob only initiates connections and nothing has to connect to it. Generate bob's keys the same way as for alice: the private key will be stored as /etc/tinc/myvpn/rsa_key.priv on bob, and its public key appended to /etc/tinc/myvpn/hosts/bob.
ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0
ifconfig $INTERFACE down
Once tinc is configured on both hosts as above, exchange the host configuration files, which now carry each host's public key: copy /etc/tinc/myvpn/hosts/alice from alice into /etc/tinc/myvpn/hosts/ on bob, and copy /etc/tinc/myvpn/hosts/bob from bob into /etc/tinc/myvpn/hosts/ on alice. Do the copy over an authenticated channel such as ssh/scp: tinc trusts whatever public key is in a host file, so a key swapped in transit would let an attacker impersonate that peer. Never copy rsa_key.priv.
Finally, start the tinc daemon for the network myvpn on both hosts. Since bob initiates the connection, start the daemon on alice first and then on bob. tinc keeps retrying a failed ConnectTo, so the order is not fatal, but starting alice first lets bob connect on its first attempt.
The two hosts should now be able to talk to each other over their VPN addresses: from bob, ping 10.0.0.1, and from alice, ping 10.0.0.2.
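The whole procedure above, as an added example (not code from the Xmodulo article or from the tinc project): a POSIX shell script that lays out the tinc configuration for alice and bob exactly as described, performs the host-file exchange, and sanity-checks the layout tincd will read before the daemon is ever started. It writes under a scratch directory $ROOT standing in for /etc/tinc on each machine, so it runs without root and without tincd; the public address 203.0.113.10, the scratch root and the placeholder key block are assumptions for the demo, and real keys still come from tincd's key generation.

```shell
#!/bin/sh
# Added example, not code from the Xmodulo article or the tinc project.
# Lays out the two-node tinc network from the tutorial ("alice" with a
# public address, "bob" dialing her), exchanges the host files and
# sanity-checks the layout tincd will read. $ROOT (assumed scratch
# directory) stands in for /etc/tinc on each machine, so this runs
# without root and without tincd. 203.0.113.10 and the key block are
# constructed stand-ins.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
NET=myvpn

# write_node NAME VPN_IP [PUBLIC_IP] [CONNECT_TO]
# Creates $ROOT/NAME/myvpn/{tinc.conf,hosts/NAME,tinc-up,tinc-down}.
write_node() {
    name=$1 vpn_ip=$2 pub_ip=${3:-} peer=${4:-}
    dir="$ROOT/$name/$NET"
    mkdir -p "$dir/hosts"
    {
        printf 'Name = %s\nAddressFamily = ipv4\nInterface = tun0\n' "$name"
        [ -z "$peer" ] || printf 'ConnectTo = %s\n' "$peer"
    } >"$dir/tinc.conf"
    {
        # Address is only needed on nodes that accept incoming connections
        [ -z "$pub_ip" ] || printf 'Address = %s\n' "$pub_ip"
        printf 'Subnet = %s/32\n' "$vpn_ip"
    } >"$dir/hosts/$name"
    # tinc exports the tun device name as $INTERFACE to both scripts
    printf '#!/bin/sh\nifconfig $INTERFACE %s netmask 255.255.255.0\n' "$vpn_ip" >"$dir/tinc-up"
    printf '#!/bin/sh\nifconfig $INTERFACE down\n' >"$dir/tinc-down"
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# Stand-in for "tincd -n myvpn -K4096", which appends the RSA public key to
# hosts/NAME and writes rsa_key.priv (keep that one mode 0600, never copy it).
# The block below is a constructed placeholder, not a usable key.
add_placeholder_key() {
    {
        echo '-----BEGIN RSA PUBLIC KEY-----'
        echo "PLACEHOLDER-KEY-FOR-$1"
        echo '-----END RSA PUBLIC KEY-----'
    } >>"$ROOT/$1/$NET/hosts/$1"
}

# On real machines this is a copy over ssh/scp; each side ends up with
# the other's hosts file (public key included) in its hosts/ directory.
exchange_host_files() {
    cp "$ROOT/alice/$NET/hosts/alice" "$ROOT/bob/$NET/hosts/alice"
    cp "$ROOT/bob/$NET/hosts/bob"     "$ROOT/alice/$NET/hosts/bob"
}

# conf_value FILE KEY: value of the first "KEY = value" line, or empty.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_node NAME: report the misconfigurations that most often keep a tinc
# link from coming up; returns 1 if any were found.
check_node() {
    dir="$ROOT/$1/$NET" bad=0
    name=$(conf_value "$dir/tinc.conf" Name)
    [ "$name" = "$1" ] || { echo "$1: Name in tinc.conf is '$name'"; bad=1; }
    [ -f "$dir/hosts/$name" ] || { echo "$1: no hosts/$name file"; bad=1; }
    [ -x "$dir/tinc-up" ] || { echo "$1: tinc-up is not executable"; bad=1; }
    grep -q 'BEGIN RSA PUBLIC KEY' "$dir/hosts/$name" 2>/dev/null \
        || { echo "$1: hosts/$name carries no public key (run tincd -K)"; bad=1; }
    # every ConnectTo target needs a host file with an Address and a key
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$dir/tinc.conf"); do
        if [ ! -f "$dir/hosts/$peer" ]; then
            echo "$1: ConnectTo = $peer but hosts/$peer is missing"; bad=1; continue
        fi
        [ -n "$(conf_value "$dir/hosts/$peer" Address)" ] \
            || { echo "$1: hosts/$peer has no Address, cannot dial it"; bad=1; }
        grep -q 'BEGIN RSA PUBLIC KEY' "$dir/hosts/$peer" \
            || { echo "$1: hosts/$peer carries no public key, handshake would fail"; bad=1; }
    done
    # the same Subnet in two host files makes routing ambiguous
    dups=$(sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*//p' "$dir"/hosts/* | sort | uniq -d)
    [ -z "$dups" ] || { echo "$1: Subnet claimed by more than one host: $dups"; bad=1; }
    return "$bad"
}

# The tutorial's network: alice bootstraps, bob dials alice.
build_demo() {
    write_node alice 10.0.0.1 203.0.113.10
    write_node bob   10.0.0.2 ""  alice
    add_placeholder_key alice
    add_placeholder_key bob
    exchange_host_files
}

if [ "${1:-}" = demo ]; then
    build_demo
    check_node alice && check_node bob && echo "layout under $ROOT is consistent"
fi
```

Run it as `sh tinc-layout.sh demo` to see the generated tree and the checks pass; point `ROOT` at a real /etc/tinc only after replacing the placeholder keys with ones produced by tincd on each host. The checks in check_node correspond to the failure modes the tutorial's text implies: a Name that does not match its host file, a tinc-up that is not executable, a ConnectTo target whose host file lacks an Address or a public key, and two host files claiming the same Subnet.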
Written by Dan Nanni (Xmodulo).