Thursday 27 August 2015

TINC the forgotten VPN

Okay, tinc vpn is NOT the easiest VPN to set up... but it is perhaps the simplest and easiest when it comes to meshing up the network... pun intended ;) BUT it is lacking in decent examples and documentation.

Quick list of things to remember with tinc and its installation gotchas (from a non-pfSense perspective, i.e. on your Linux server ;)

  1. You NEED to have a "Subnet=" entry for ALL the IPs and networks that need to be reached via this_host, in this_host's <tinc_vpn_name>/hosts/<this_host> file.
  2. Be aware of the 10.0.0.0/8 examples in the "tinc-up" scripts.
    • Personally I prefer to have a subnet-up script doing: "ip route add $SUBNET dev $INTERFACE metric $WEIGHT"
    • The idea is to have those VPN IPs and networks routed to the correct <tinc_vpn_name>'s $INTERFACE
  3. You DO need a host file describing a node on the node(s) that will accept connections from it; otherwise the ConnectTo node won't have a public key to authenticate your private key.
    1. In addition, you also need the ConnectTo node's host file with its public key on this connect-from node.
    • This IS different from, for example, OpenVPN, as OpenVPN depends on the certificate being signed by a CA, and the server does not care about the client's keys other than that the client's certificate needs to be signed by the CA. Okay, there are a few other certs and keys, but the gist is that the CA needs to be trusted and the server needs fewer files to operate.
    • This is the nature of mesh networks and nodes without CAs involved ;)
  4. The simplest tinc module that thus far works is the script + .playbook in the gist of fclairamb. However, there are a few "bugs": the rm host/* -Rf needs to be swapped around, the apt-get needs to change to "apt:" lines, the fetch needs to be "dest=hosts/ simple=yes", and my preference of tinc-up/subnet-up/subnet-down as mentioned in the previous point above.
Otherwise, tinc WORKS ;)
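To make the gotchas above concrete, here is an added example (mine, not from the post or from fclairamb's gist) that lays out one node's tinc config tree the way the list describes and then checks it: a "Subnet=" line for everything reachable via this host, a tinc-up that only brings the interface up (no 10.0.0.0/8 route) with the routing done in subnet-up/subnet-down, and a host file with a public key present for every ConnectTo peer. The net name "mynet", node names "this_host" and "gw", the addresses and the subnets are all constructed; $TINC_ROOT stands in for /etc/tinc, and the public-key lines are placeholders because real keys come from "tincd -n <net> -K", never by hand. The guard in subnet-up that skips our own NODE is my assumption about the script also being called for the node's own Subnet= lines.

```shell
#!/bin/sh
# Added example, not the post's or the gist's code. Constructed names:
# net "mynet", node "this_host", peer "gw"; $TINC_ROOT stands in for /etc/tinc.
set -eu

TINC_ROOT="${TINC_ROOT:-$(mktemp -d)}"

# write_node NET NODE "SUBNET ..." : writes tinc.conf, hosts/NODE, tinc-up, subnet-up/-down
write_node() {
  net=$1; node=$2; subnets=$3; d="$TINC_ROOT/$net"
  mkdir -p "$d/hosts"
  printf 'Name = %s\nMode = router\n' "$node" >"$d/tinc.conf"
  # gotcha 1: hosts/<this_host> lists EVERY IP/network that is reached via this node
  {
    echo "Address = $node.example.invalid"                 # constructed placeholder
    for s in $subnets; do echo "Subnet = $s"; done
    echo "-----BEGIN RSA PUBLIC KEY-----"
    echo "PLACEHOLDER: generate the real key with 'tincd -n $net -K'"
    echo "-----END RSA PUBLIC KEY-----"
  } >"$d/hosts/$node"
  # gotcha 2: tinc-up only brings the interface up; no hard-coded 10.0.0.0/8 route
  printf '#!/bin/sh\nip link set "$INTERFACE" up\n' >"$d/tinc-up"
  # routing per Subnet= over this VPN's $INTERFACE, as the post prefers
  cat >"$d/subnet-up" <<'EOF'
#!/bin/sh
[ "$NODE" = "$NAME" ] && exit 0   # assumption: skip our own Subnet= lines
ip route add "$SUBNET" dev "$INTERFACE" metric "${WEIGHT:-0}"
EOF
  cat >"$d/subnet-down" <<'EOF'
#!/bin/sh
[ "$NODE" = "$NAME" ] && exit 0
ip route del "$SUBNET" dev "$INTERFACE"
EOF
  chmod 755 "$d/tinc-up" "$d/subnet-up" "$d/subnet-down"
}

# add_peer NET PEER "SUBNET ..." : ConnectTo line plus the peer's host file (its public key)
add_peer() {
  net=$1; peer=$2; subnets=$3; d="$TINC_ROOT/$net"
  echo "ConnectTo = $peer" >>"$d/tinc.conf"
  {
    echo "Address = $peer.example.invalid"                 # constructed placeholder
    for s in $subnets; do echo "Subnet = $s"; done
    echo "-----BEGIN RSA PUBLIC KEY-----"
    echo "PLACEHOLDER: copied from $peer's hosts/$peer file"
    echo "-----END RSA PUBLIC KEY-----"
  } >"$d/hosts/$peer"
}

# check_node NET : returns 0 when the three gotchas are satisfied, 1 otherwise (reasons on stderr)
check_node() {
  net=$1; d="$TINC_ROOT/$net"; ok=0
  me=$(sed -n 's/^Name *= *//p' "$d/tinc.conf")
  # gotcha 1: our own host file must exist and carry at least one Subnet= line
  if ! grep -q '^Subnet *=' "$d/hosts/$me" 2>/dev/null; then
    echo "hosts/$me is missing or has no Subnet= line" >&2; ok=1
  fi
  # gotcha 3: every ConnectTo peer needs its host file (public key) on this node
  for peer in $(sed -n 's/^ConnectTo *= *//p' "$d/tinc.conf"); do
    if ! grep -q 'BEGIN RSA PUBLIC KEY' "$d/hosts/$peer" 2>/dev/null; then
      echo "hosts/$peer is missing or has no public key; ConnectTo = $peer cannot authenticate" >&2; ok=1
    fi
  done
  # gotcha 2: tinc-up should not carry the blanket 10.0.0.0/8 route from the examples
  if grep -q '10\.0\.0\.0/8' "$d/tinc-up" 2>/dev/null; then
    echo "tinc-up hard-codes 10.0.0.0/8; put routes in subnet-up instead" >&2; ok=1
  fi
  return $ok
}
```

Usage: source the file, then `write_node mynet this_host "10.10.0.1/32 192.168.50.0/24"`, `add_peer mynet gw "10.10.0.2/32 172.16.0.0/16"` and `check_node mynet`; deleting hosts/gw afterwards makes the check fail, which is exactly the "no public key for the ConnectTo node" situation from point 3. The same check run on the receiving node (with this_host's file under its hosts/) covers the other direction.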