Quick list of things to remember with tinc and its installation gotchas (from a non-pfSense perspective, i.e. on your Linux server ;)
- You NEED to have a "Subnet=" entry for ALL the IPs and networks that need to get to this_host, in this_host's <tinc_vpn_name>/hosts/<this_host> file.
- Be aware of the 10.0.0.0/8 examples in the "tinc-up" scripts.
- Personally I prefer to have subnet-up do: "ip route add $SUBNET dev $INTERFACE metric $WEIGHT"
- The idea is to have those VPN IPs and networks routed to the correct <tinc_vpn_name>'s $INTERFACE
- You DO need a host file describing a node on the node(s) that will accept connections from that node, else the ConnectTo node won't have a public key to authenticate your private key.
- In addition, you also need the ConnectTo node's host file (with its public key) on this connect-from node.
- This IS different from, for example, OpenVPN, as OpenVPN depends on the certificate being signed by a CA and the server not caring about the client's keys, other than that the client's certificate needs to be signed by the CA. Okay, there are a few other certs and keys, but the gist is that the CA needs to be trusted and fewer files are needed for the server to operate.
- This is the nature of mesh networks and nodes without CAs involved ;)
- The simplest tinc module that thus far works is the script + .playbook in the gist of fclairamb. However, there are a few "bugs" like the rm host/* -Rf that needs to swap around, the apt-get needs to change to "apt:" lines, the fetch needs to be "dest=hosts/ simple=yes", and my preference for the tinc-up/subnet-up/subnet-down as mentioned in the previous point above.
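The subnet-up/subnet-down idea from the points above, written out as hook functions plus a check that a hosts file really carries every "Subnet=" it should. This is an added example, not code from the post or from fclairamb's gist; it assumes tinc exports NAME, NODE, SUBNET, INTERFACE and WEIGHT to the hooks and that a "#weight" suffix may follow a Subnet value. Addresses, node names and file contents are constructed samples.

```shell
#!/bin/sh
# Added example: tinc hook logic as shell functions (constructed sample data).
# tinc runs subnet-up/subnet-down with NODE, SUBNET, WEIGHT, INTERFACE and NAME
# in the environment; the functions below read those names.

# Command a subnet-up (add) or subnet-down (del) hook runs for one subnet.
route_cmd() {   # route_cmd add|del SUBNET INTERFACE WEIGHT
    case "$1" in
        add|del) printf 'ip route %s %s dev %s metric %s\n' "$1" "$2" "$3" "$4" ;;
        *) return 1 ;;
    esac
}

# Hook body as tinc would call it. Subnets owned by this node (NODE == NAME)
# are skipped: they are already on the interface. DRY_RUN=1 (default) prints
# the command instead of executing it, so it can be reviewed without root.
subnet_hook() {   # subnet_hook add|del
    [ "$NODE" = "$NAME" ] && return 0
    cmd=$(route_cmd "$1" "$SUBNET" "$INTERFACE" "${WEIGHT:-0}") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
}

# tinc-up only brings the interface up with this node's own VPN address; no
# 10.0.0.0/8 catch-all route, per-subnet routes come from subnet-up instead.
tinc_up_cmds() {   # tinc_up_cmds INTERFACE OWN_ADDRESS/PREFIX
    printf 'ip link set %s up\nip addr add %s dev %s\n' "$1" "$2" "$1"
}

# missing_subnets FILE SUBNET...: print each SUBNET that FILE does not declare
# on a "Subnet = ..." line (a "#weight" suffix is ignored). Returns 1 if any
# subnet is missing, 0 if all are declared.
missing_subnets() {
    file=$1; shift; rc=0
    for want in "$@"; do
        awk -F= -v want="$want" '
            $1 ~ /^[ \t]*Subnet[ \t]*$/ { v=$2; sub(/#.*/, "", v)
                                         gsub(/[ \t]/, "", v); if (v == want) found=1 }
            END { exit !found }' "$file" || { echo "$want"; rc=1; }
    done
    return $rc
}

# Constructed hosts/<this_host> file used to exercise missing_subnets.
write_sample_host() {   # write_sample_host FILE
    cat > "$1" <<'EOF'
Address = vpn.example.invalid
Subnet = 10.10.0.1/32
Subnet = 192.168.50.0/24#10
# public key block omitted in this constructed sample
EOF
}
```

Run `missing_subnets hosts/<this_host> <every subnet behind it>` before distributing the host file; an empty result and exit status 0 means nothing is missing.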