Changes in 2397258: Updated tinc (markdown)

howto/tinc.md

@@ -8,35 +8,36 @@ One advantage of tinc is that you can have multiple peering over the same VPN co

 ## Configuration

-Example `/etc/tinc/tinc.conf`:

+Example `/etc/tinc/dn42_yourpeer/tinc.conf`:

 ```

-Name = host1

+Interface = dn42_yourpeer

+Name = your_host

+# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own

 Mode = switch

-# To discover other hosts, 

-# it is required to initially 

-# specify a number of hosts to connect to.

-# ConnectTo can be specified multiple times.

-ConnectTo = host2

+# To discover other hosts, it is required to initially specify a number of hosts to connect to. ConnectTo can be specified multiple times.

+ConnectTo = remote_host

+# In newer versions (>= 1.1) you can use AutoConnect instead

+AutoConnect = yes

 ```

-Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/tinc-up` if it exists and is executable:

+Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/tinc-up` if it exists **and** is executable:

-Example `/etc/tinc/tinc-up`:

+Example `/etc/tinc/dn42_yourpeer/tinc-up`:

+

+**Linux/iproute2**

 ```

 #!/bin/sh

-# these lines differs depending on the operating system in use

-# on linux the following will work.

-# INTERFACE is an environmental variable set by tinc, when executing this script

+# set the interface up

 ip link set dev $INTERFACE up

-# to peer over tinc it is convenient to an transfer net, which is exclusively on this link;

-# this way you don't have to specify routes for each peer.

-# the transfer network does not need to be part of dn42, 

-# you can also pick a network from 192.168.0.0/14 range

-ip addr add dev $INTERFACE 192.168.41.1/24 scope link

-# for ipv6 you can use fixed link-local addresses 

-ip addr add dev $INTERFACE fe80::1/64

+

+# add transfer networks

+ip -4 addr add 172.16.0.1/30 dev $INTERFACE scope link

+ip -6 addr add fe80::1/64 dev $INTERFACE

+

+# add routes

+ip -4 route add 172.16.0.1/30 dev $INTERFACE table peers

 ```

 For authentication tinc uses public key authentication instead of certificates or pre-shared keys.

@@ -47,13 +48,12 @@ is required. To generate a public/private key pair use:

 $ tincd -K

 ```

-Import for each other party the key like this `/etc/tinc/hosts/<peername>`:

+Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:

 ```

-# Address and Port can be also skipped,

-# in this case the other side has to make an attempt to connect.

-Address = <ip_or_dns_name>

-Port = <port_if_different_from_655>

+# address/port are optional, in case they're missing you only expect connections from that host

+Address = <fqdn/ip_addr>

+Port = <port|655>

 -----BEGIN RSA PUBLIC KEY-----

 MIIBCgKCAQEAoGeD5b1HKW2UAFpIPayxsOOYx5qC0oHrJnvcPH33jnDBGiOYJ9ma

 QZErWdF0Qsnqh/wJE6i569fzKWOUdLHrN5dVzD/Q5zjMOwJf3rmcerS0oAFTxKDj

@@ -64,20 +64,23 @@ P9C5dYrmVWrVAWQznlbuq/w1z+PrTYquoQIDAQAB

 -----END RSA PUBLIC KEY-----

 ```

-

 ## Fun with tinc-pre

-The current development version (which is pretty stable by the way), allow to bootstrap networks using invitation urls. Instead of rsa keys it uses additionally ed25519 keys. It also introduces a tinc command in addition to tincd, which allows tinc to be configured via an readline interface.

+The current development version (which is pretty stable by the way), allow to bootstrap networks using invitation urls. Instead of rsa keys it uses ed25519 keys. To keep backwards compatibility with the tinc 1.0 release you need rsa keys, if you don't need that only generate ed25519 keys. It also introduces the tinc binary in addition to tincd, which allows tinc to be configured via an readline interface.

 Installation:

 * Archlinux: install [tinc-pre](https://aur.archlinux.org/packages/tinc-pre) from AUR

 * Debian: follow these [instructions](https://gist.github.com/mweinelt/efff4fb7eba1ee41ef2d) to get a package

 * Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)

+Set up a new tinc network

+```

+# tinc init dn42_yourpeer

+```

-On one node which is already part of the network use:

+Invite your peering partner. Tinc will try print the invition which you need to copy to your peering partner.

 ```

-$ tinc invite foo

+$ tinc invite yourpeer

 <ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB

 ```

@@ -87,4 +90,6 @@ On the other node you can join by using:

 $ tinc join <invitation-url>

 ```

-This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.

\ No newline at end of file

+This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.

+

+Remember to still set up your **tinc-up** script.

\ No newline at end of file

...	...	@@ -8,35 +8,36 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
8	8
9	9	## Configuration
10	10
11		-Example `/etc/tinc/tinc.conf`:
	11	+Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
12	12
13	13	```
14		-Name = host1
	14	+Interface = dn42_yourpeer
	15	+Name = your_host
	16	+# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
15	17	Mode = switch
16		-# To discover other hosts,
17		-# it is required to initially
18		-# specify a number of hosts to connect to.
19		-# ConnectTo can be specified multiple times.
20		-ConnectTo = host2
	18	+# To discover other hosts, it is required to initially specify a number of hosts to connect to. ConnectTo can be specified multiple times.
	19	+ConnectTo = remote_host
	20	+# In newer versions (>= 1.1) you can use AutoConnect instead
	21	+AutoConnect = yes
21	22	```
22	23
23		-Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/tinc-up` if it exists and is executable:
	24	+Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/tinc-up` if it exists and is executable:
24	25
25		-Example `/etc/tinc/tinc-up`:
	26	+Example `/etc/tinc/dn42_yourpeer/tinc-up`:
	27	+
	28	+Linux/iproute2
26	29	```
27	30	#!/bin/sh
28	31
29		-# these lines differs depending on the operating system in use
30		-# on linux the following will work.
31		-# INTERFACE is an environmental variable set by tinc, when executing this script
	32	+# set the interface up
32	33	ip link set dev $INTERFACE up
33		-# to peer over tinc it is convenient to an transfer net, which is exclusively on this link;
34		-# this way you don't have to specify routes for each peer.
35		-# the transfer network does not need to be part of dn42,
36		-# you can also pick a network from 192.168.0.0/14 range
37		-ip addr add dev $INTERFACE 192.168.41.1/24 scope link
38		-# for ipv6 you can use fixed link-local addresses
39		-ip addr add dev $INTERFACE fe80::1/64
	34	+
	35	+# add transfer networks
	36	+ip -4 addr add 172.16.0.1/30 dev $INTERFACE scope link
	37	+ip -6 addr add fe80::1/64 dev $INTERFACE
	38	+
	39	+# add routes
	40	+ip -4 route add 172.16.0.1/30 dev $INTERFACE table peers
40	41	```
41	42
42	43	For authentication tinc uses public key authentication instead of certificates or pre-shared keys.
...	...	@@ -47,13 +48,12 @@ is required. To generate a public/private key pair use:
47	48	$ tincd -K
48	49	```
49	50
50		-Import for each other party the key like this `/etc/tinc/hosts/<peername>`:
	51	+Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
51	52
52	53	```
53		-# Address and Port can be also skipped,
54		-# in this case the other side has to make an attempt to connect.
55		-Address = <ip_or_dns_name>
56		-Port = <port_if_different_from_655>
	54	+# address/port are optional, in case they're missing you only expect connections from that host
	55	+Address = <fqdn/ip_addr>
	56	+Port = <port\|655>
57	57	-----BEGIN RSA PUBLIC KEY-----
58	58	MIIBCgKCAQEAoGeD5b1HKW2UAFpIPayxsOOYx5qC0oHrJnvcPH33jnDBGiOYJ9ma
59	59	QZErWdF0Qsnqh/wJE6i569fzKWOUdLHrN5dVzD/Q5zjMOwJf3rmcerS0oAFTxKDj
...	...	@@ -64,20 +64,23 @@ P9C5dYrmVWrVAWQznlbuq/w1z+PrTYquoQIDAQAB
64	64	-----END RSA PUBLIC KEY-----
65	65	```
66	66
67		-
68	67	## Fun with tinc-pre
69	68
70		-The current development version (which is pretty stable by the way), allow to bootstrap networks using invitation urls. Instead of rsa keys it uses additionally ed25519 keys. It also introduces a tinc command in addition to tincd, which allows tinc to be configured via an readline interface.
	69	+The current development version (which is pretty stable by the way), allow to bootstrap networks using invitation urls. Instead of rsa keys it uses ed25519 keys. To keep backwards compatibility with the tinc 1.0 release you need rsa keys, if you don't need that only generate ed25519 keys. It also introduces the tinc binary in addition to tincd, which allows tinc to be configured via an readline interface.
71	70
72	71	Installation:
73	72	* Archlinux: install [tinc-pre](https://aur.archlinux.org/packages/tinc-pre) from AUR
74	73	* Debian: follow these [instructions](https://gist.github.com/mweinelt/efff4fb7eba1ee41ef2d) to get a package
75	74	* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
76	75
	76	+Set up a new tinc network
	77	+```
	78	+# tinc init dn42_yourpeer
	79	+```
77	80
78		-On one node which is already part of the network use:
	81	+Invite your peering partner. Tinc will try print the invition which you need to copy to your peering partner.
79	82	```
80		-$ tinc invite foo
	83	+$ tinc invite yourpeer
81	84	<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
82	85	```
83	86
...	...	@@ -87,4 +90,6 @@ On the other node you can join by using:
87	90	$ tinc join <invitation-url>
88	91	```
89	92
90		-This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.
...	...	\ No newline at end of file
	0	+This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.
	1	+
	2	+Remember to still set up your tinc-up script.
...	...	\ No newline at end of file