Quick list of things to remember with tinc and its installation gotchas (from a non-pfSense perspective, i.e. on your Linux server ;)
- You NEED to have the "Subnet=" entry for ALL the IPs and networks that need to reach this_host, in this_host's <tinc_vpn_name>/hosts/<this_host> file.
- Be aware of the 10.0.0.0/8 examples in the "tinc-up" scripts.
- Personally I prefer to have a subnet-up script that does: "ip route add $SUBNET dev $INTERFACE metric $WEIGHT"
- The idea is to have those vpn IPs and networks getting routed to the correct <tinc_vpn_name>'s $INTERFACE
- In addition, you also need the ConnectTo node's host file (with its public key) on the node that is doing the connecting.
- This IS different from, for example, OpenVPN, as OpenVPN depends on the certificate being signed by a CA and the server not caring about the client's keys, other than that the client's certificate needs to be signed by the CA. Okay, there are a few other certs and keys, but the gist is that the CA needs to be trusted and the server needs fewer files to operate.
- This is the nature of mesh networks and nodes without CAs involved ;)
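The subnet-up/subnet-down approach from the list above, written out as an added example (not code from the original post or from the tinc project). It assumes tinc's router mode, iproute2 on the host, and the environment variables tinc exports to these scripts (NAME, NODE, SUBNET, INTERFACE, WEIGHT); the node names, subnets and the tinc0 interface in the comments and tests are constructed placeholders. The route decision is isolated in a function that prints the command instead of running it, so it can be checked before it ever touches the routing table.

```shell
#!/bin/sh
# tinc subnet-up / subnet-down helper (added example; not from the original post).
# Install the same file as <tinc_vpn_name>/subnet-up and subnet-down (a symlink works).
# tinc runs it with these environment variables (router mode assumed):
#   NETNAME   the VPN name         NAME    this node's name
#   NODE      node owning the subnet (can be ourselves)
#   INTERFACE the tun device       SUBNET  e.g. 10.20.0.0/16 or 10.20.0.5/32
#   WEIGHT    the Subnet= weight; reused here as the route metric (tinc's default is 10)
#
# Constructed example of the host file entries this script reacts to (placeholders):
#   hosts/nodeB:   Subnet = 10.20.0.0/16    # LAN behind nodeB
#                  Subnet = 10.20.0.5/32    # nodeB's own tunnel address
# nodeA needs a copy of hosts/nodeB; when nodeB becomes reachable, tinc calls
# subnet-up once per Subnet line and this script adds the matching route.

# Decide the iproute2 command for one event and print it rather than run it,
# so the decision can be reviewed or tested without changing the routing table.
# Returns 1 when the event should be ignored.
route_action() {
    action="$1"; name="$2"; node="$3"; subnet="$4"; iface="$5"; weight="${6:-10}"

    # Our own Subnet= entries are local already; never route them into the tunnel.
    [ "$node" = "$name" ] && return 1

    # Only IP prefixes are routable. A switch-mode MAC subnet (aa:bb:cc:dd:ee:ff)
    # or anything unrecognised is rejected instead of being handed to `ip route`.
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case "$subnet" in
        $hx:$hx:$hx:$hx:$hx:$hx) return 1 ;;   # MAC address: not a route
        */*) ;;                                # IPv4/IPv6 prefix with length
        *.*.*.*) subnet="$subnet/32" ;;        # bare IPv4 host
        *:*) subnet="$subnet/128" ;;           # bare IPv6 host
        *) return 1 ;;
    esac

    # `replace` instead of `add` so a subnet that comes back after a reconnect
    # does not fail with "RTNETLINK answers: File exists".
    case "$action" in
        add) echo "ip route replace $subnet dev $iface metric $weight" ;;
        del) echo "ip route del $subnet dev $iface" ;;
        *)   return 1 ;;
    esac
}

# Only act when tinc actually invoked us (it exports SUBNET and INTERFACE);
# sourcing or testing the file just defines the function above.
if [ -n "$SUBNET" ] && [ -n "$INTERFACE" ]; then
    case "$0" in *subnet-down) act=del ;; *) act=add ;; esac
    if cmd=$(route_action "$act" "$NAME" "$NODE" "$SUBNET" "$INTERFACE" "$WEIGHT"); then
        set -- $cmd        # split the printed command into words, then run it
        exec "$@"
    fi
fi
```

The metric comes straight from the Subnet weight, so two nodes advertising the same prefix with different weights end up with two routes and the kernel prefers the lower metric, which is exactly what the Subnet= weight is meant to express.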