2397258f1815c6418c547e8aa5fc1ab07863e524
howto/tinc.md
... | ... | @@ -8,35 +8,36 @@ One advantage of tinc is that you can have multiple peering over the same VPN co |
8 | 8 | |
9 | 9 | ## Configuration |
10 | 10 | |
11 | -Example `/etc/tinc/tinc.conf`: |
|
11 | +Example `/etc/tinc/dn42_yourpeer/tinc.conf`: |
|
12 | 12 | |
13 | 13 | ``` |
14 | -Name = host1 |
|
14 | +Interface = dn42_yourpeer |
|
15 | +Name = your_host |
|
16 | +# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own |
|
15 | 17 | Mode = switch |
16 | -# To discover other hosts, |
|
17 | -# it is required to initially |
|
18 | -# specify a number of hosts to connect to. |
|
19 | -# ConnectTo can be specified multiple times. |
|
20 | -ConnectTo = host2 |
|
18 | +# To discover other hosts, it is required to initially specify a number of hosts to connect to. ConnectTo can be specified multiple times. |
|
19 | +ConnectTo = remote_host |
|
20 | +# In newer versions (>= 1.1) you can use AutoConnect instead |
|
21 | +AutoConnect = yes |
|
21 | 22 | ``` |
22 | 23 | |
23 | -Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/tinc-up` if it exists and is executable: |
|
24 | +Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/tinc-up` if it exists **and** is executable: |
|
24 | 25 | |
25 | -Example `/etc/tinc/tinc-up`: |
|
26 | +Example `/etc/tinc/dn42_yourpeer/tinc-up`: |
|
27 | + |
|
28 | +**Linux/iproute2** |
|
26 | 29 | ``` |
27 | 30 | #!/bin/sh |
28 | 31 | |
29 | -# these lines differs depending on the operating system in use |
|
30 | -# on linux the following will work. |
|
31 | -# INTERFACE is an environmental variable set by tinc, when executing this script |
|
32 | +# set the interface up |
|
32 | 33 | ip link set dev $INTERFACE up |
33 | -# to peer over tinc it is convenient to an transfer net, which is exclusively on this link; |
|
34 | -# this way you don't have to specify routes for each peer. |
|
35 | -# the transfer network does not need to be part of dn42, |
|
36 | -# you can also pick a network from 192.168.0.0/14 range |
|
37 | -ip addr add dev $INTERFACE 192.168.41.1/24 scope link |
|
38 | -# for ipv6 you can use fixed link-local addresses |
|
39 | -ip addr add dev $INTERFACE fe80::1/64 |
|
34 | + |
|
35 | +# add transfer networks |
|
36 | +ip -4 addr add 172.16.0.1/30 dev $INTERFACE scope link |
|
37 | +ip -6 addr add fe80::1/64 dev $INTERFACE |
|
38 | + |
|
39 | +# add routes |
|
40 | +ip -4 route add 172.16.0.1/30 dev $INTERFACE table peers |
|
40 | 41 | ``` |
41 | 42 | |
42 | 43 | For authentication tinc uses public key authentication instead of certificates or pre-shared keys. |
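Review bot: the prose at +24 still says tinc executes `/etc/tinc/tinc-up`, while the example two lines later (+26) now lives at `/etc/tinc/dn42_yourpeer/tinc-up`; with a network name, tinc runs the script from the per-network directory, so the sentence should name that path too. In the tinc-up script, `ip -4 route add 172.16.0.1/30 dev $INTERFACE table peers` (+40) has two problems: the prefix is a host address, not the network address (`172.16.0.0/30`), which current kernels reject with "Invalid prefix for given prefix length", and `table peers` only resolves if a `peers` table has been declared in `/etc/iproute2/rt_tables` (and a matching `ip rule` exists), neither of which the page mentions. The removed comment that `INTERFACE` is an environment variable set by tinc was useful and should be kept above `ip link set dev $INTERFACE up`.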
... | ... | @@ -47,13 +48,12 @@ is required. To generate a public/private key pair use: |
47 | 48 | $ tincd -K |
48 | 49 | ``` |
49 | 50 | |
50 | -Import for each other party the key like this `/etc/tinc/hosts/<peername>`: |
|
51 | +Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`: |
|
51 | 52 | |
52 | 53 | ``` |
53 | -# Address and Port can be also skipped, |
|
54 | -# in this case the other side has to make an attempt to connect. |
|
55 | -Address = <ip_or_dns_name> |
|
56 | -Port = <port_if_different_from_655> |
|
54 | +# address/port are optional, in case they're missing you only expect connections from that host |
|
55 | +Address = <fqdn/ip_addr> |
|
56 | +Port = <port|655> |
|
57 | 57 | -----BEGIN RSA PUBLIC KEY----- |
58 | 58 | MIIBCgKCAQEAoGeD5b1HKW2UAFpIPayxsOOYx5qC0oHrJnvcPH33jnDBGiOYJ9ma |
59 | 59 | QZErWdF0Qsnqh/wJE6i569fzKWOUdLHrN5dVzD/Q5zjMOwJf3rmcerS0oAFTxKDj |
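Review bot: `Port = <port|655>` (+56) is ambiguous as a placeholder; the removed wording made clear that the line is only needed when the port differs from the default 655, so something like `Port = <port, default 655>` would read better. It would also help to state that the file name under `hosts/` must equal the `Name` the peer configured in its own `tinc.conf` (the hunk above uses `Name = your_host` and `ConnectTo = remote_host`), and that when `Address` is omitted you cannot list that host in your own `ConnectTo`, since the new comment at +54 only says you "expect connections from that host".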
... | ... | @@ -64,20 +64,23 @@ P9C5dYrmVWrVAWQznlbuq/w1z+PrTYquoQIDAQAB |
64 | 64 | -----END RSA PUBLIC KEY----- |
65 | 65 | ``` |
66 | 66 | |
67 | - |
|
68 | 67 | ## Fun with tinc-pre |
69 | 68 | |
70 | -The current development version (which is pretty stable by the way), allow to bootstrap networks using invitation urls. Instead of rsa keys it uses additionally ed25519 keys. It also introduces a tinc command in addition to tincd, which allows tinc to be configured via an readline interface. |
|
69 | +The current development version (which is pretty stable by the way), allow to bootstrap networks using invitation urls. Instead of rsa keys it uses ed25519 keys. To keep backwards compatibility with the tinc 1.0 release you need rsa keys, if you don't need that only generate ed25519 keys. It also introduces the tinc binary in addition to tincd, which allows tinc to be configured via an readline interface. |
|
71 | 70 | |
72 | 71 | Installation: |
73 | 72 | * Archlinux: install [tinc-pre](https://aur.archlinux.org/packages/tinc-pre) from AUR |
74 | 73 | * Debian: follow these [instructions](https://gist.github.com/mweinelt/efff4fb7eba1ee41ef2d) to get a package |
75 | 74 | * Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc) |
76 | 75 | |
76 | +Set up a new tinc network |
|
77 | +``` |
|
78 | +# tinc init dn42_yourpeer |
|
79 | +``` |
|
77 | 80 | |
78 | -On one node which is already part of the network use: |
|
81 | +Invite your peering partner. Tinc will try print the invition which you need to copy to your peering partner. |
|
79 | 82 | ``` |
80 | -$ tinc invite foo |
|
83 | +$ tinc invite yourpeer |
|
81 | 84 | <ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB |
82 | 85 | ``` |
83 | 86 | |
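Review bot: "Instead of rsa keys it uses ed25519 keys" (+69) now contradicts the next sentence, which says rsa keys are still required for compatibility with tinc 1.0; the removed "uses additionally ed25519 keys" described the situation more accurately. The invocation `tinc init dn42_yourpeer` (+78) also looks wrong: in tinc 1.1 the positional argument to `init` is the node name, and the network name is given with `-n`, so this should be `tinc -n dn42_yourpeer init your_host`, and likewise `tinc -n dn42_yourpeer invite yourpeer` at +83, otherwise both commands operate on the default network in `/etc/tinc/` rather than the `dn42_yourpeer` directory used throughout the Configuration section. The prompt is `#` at +78 but `$` at +83; pick one. Finally, "Tinc will try print the invition" has two typos (try to print, invitation), and since the printed invitation is a single-use secret that grants membership in the network, the sentence should say to hand it to the peering partner over an authenticated channel rather than just "copy".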
... | ... | @@ -87,4 +90,6 @@ On the other node you can join by using: |
87 | 90 | $ tinc join <invitation-url> |
88 | 91 | ``` |
89 | 92 | |
90 | -This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection. |
|
... | ... | \ No newline at end of file |
0 | +This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection. |
|
1 | + |
|
2 | +Remember to still set up your **tinc-up** script. |
|
... | ... | \ No newline at end of file |
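Review bot: the reminder "Remember to still set up your **tinc-up** script" should say where the script goes after `tinc join` (`/etc/tinc/<netname>/tinc-up`, matching the path used in the Configuration section) and that it must be executable, since a joined node otherwise gets no addresses on the interface. The file is also still missing its trailing newline after this change ("\ No newline at end of file" remains on the + side), which is worth fixing while the last lines are being touched.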