Tinc – VPN setup on Ubuntu

Tinc is a free VPN daemon and protocol that builds compressed, encrypted mesh VPNs. The project was started in 1998 by Guus Sliepen, Ivo Timmermans and Wessel Dankers and is released under the GPL.

Its main advantages include:
1) Distributed (mesh) topology: no central, powerful VPN server is needed, and nodes talk to each other directly wherever they can.
2) Works over networks of any topology, including from behind NAT and over other VPNs.
3) Keeps the VPN connection alive across network changes (for example from Wi-Fi to 4G) and when other VPNs come up or go down.
4) Runs on most operating systems, including Windows XP.

To this we can add that tinc is packaged by most Linux distributions, so it can be installed from the standard repositories and used immediately.

At the same time, tinc is not well known to the general public. One reason is its very concise documentation, which was written in a university setting and therefore reads more like an academic text than a quick-start guide.

In this post I will describe how to configure a tinc VPN on Ubuntu.


Install the package: sudo apt-get install tinc

Since the network has a mesh topology, there is no separate server and client software: every node runs the same tincd, and only its configuration differs.

In our example there will be two machines. Let's conditionally call the first one the “server”: it is reachable from the Internet by the name alpha.example.com (or by IP address). The second machine sits in some network without a public IP address (4G, Wi-Fi); let's conditionally call it the “home computer”.

Now we need to choose a name for the network. In our example this will be alpha. The network name determines the configuration directory, /etc/tinc/alpha, and is what the -n option of tincd refers to.

First, we work on the “server” with the address alpha.example.com. Create the directory structure for the configs: sudo mkdir -p /etc/tinc/alpha/hosts

Create the alpha network config /etc/tinc/alpha/tinc.conf:

Name = server_01
AddressFamily = ipv4
Interface = tun0

The /etc/tinc/alpha/hosts directory holds one host file per node on the alpha network: the node's public key plus the information the other nodes need to reach and route to it. These files are meant to be copied to every other node. The private key, by contrast, is written to /etc/tinc/alpha/rsa_key.priv and must never leave the machine. Let's create the /etc/tinc/alpha/hosts/server_01 file:

Address = alpha.example.com
Subnet = 10.0.0.1/32
Subnet = 0.0.0.0/0

Address is set if the machine has an address the others can reach (for example a public address on the Internet) or a domain name; the nodes that ConnectTo this one use it.
Subnet = 10.0.0.1/32 specifies this machine's own address on the alpha network; tinc delivers packets for that address to this node.
Subnet = 0.0.0.0/0 is needed only if all the traffic of the other machines is to go to the Internet through this machine (it is optional). Only the node that is meant to be the gateway should declare it: tinc routes by the most specific matching Subnet, so a node announcing 0.0.0.0/0 attracts every packet that matches nothing else. Subnets are announced to the whole mesh when nodes connect; if tincd should trust only the Subnet lines in the host files you placed in hosts/ yourself, set StrictSubnets = yes in tinc.conf.

Generate the RSA key pair with sudo tincd -n alpha -K 4096. tincd asks where to store the keys; accept the defaults, which put the private key in /etc/tinc/alpha/rsa_key.priv and append the public key to the host file we just created, /etc/tinc/alpha/hosts/server_01.

Let's create the scripts that tincd executes when the network starts and stops. tincd passes the interface name from tinc.conf in the $INTERFACE environment variable.
/etc/tinc/alpha/tinc-up:

#!/bin/sh
# Run by tincd when the alpha network starts; $INTERFACE is the name from tinc.conf (tun0).
ip link set "$INTERFACE" up
ip addr add 10.0.0.1/32 dev "$INTERFACE"
# Send the whole VPN range into the tunnel; tinc picks the node from the Subnet declarations.
ip route add 10.0.0.0/24 dev "$INTERFACE"

/etc/tinc/alpha/tinc-down:

#!/bin/sh
# Run by tincd when the alpha network stops; undo tinc-up in reverse order.
ip route del 10.0.0.0/24 dev "$INTERFACE"
ip addr del 10.0.0.1/32 dev "$INTERFACE"
ip link set "$INTERFACE" down

Make these files executable: sudo chmod 755 /etc/tinc/alpha/tinc-*

Start the alpha network on this machine in the foreground with debug output: sudo tincd -n alpha -D -d5 (-D keeps tincd from detaching, -d5 sets the debug level). Once everything works, run it as a service instead: sudo systemctl enable --now tinc@alpha

Now let's go to the “home computer” and repeat all the steps with minor changes: a different node name, a different VPN address, no Address line (the machine is not reachable from outside), and a ConnectTo pointing at the server.

sudo apt-get install tinc

sudo mkdir -p /etc/tinc/alpha/hosts

/etc/tinc/alpha/tinc.conf:

Name = client_01
AddressFamily = ipv4
Interface = tun0
ConnectTo = server_01

/etc/tinc/alpha/hosts/client_01:

Subnet = 10.0.0.2/32

sudo tincd -n alpha -K 4096

/etc/tinc/alpha/tinc-up:

#!/bin/sh
# Same as on the server, with this machine's own VPN address.
ip link set "$INTERFACE" up
ip addr add 10.0.0.2/32 dev "$INTERFACE"
ip route add 10.0.0.0/24 dev "$INTERFACE"

/etc/tinc/alpha/tinc-down:

#!/bin/sh
# Undo tinc-up in reverse order.
ip route del 10.0.0.0/24 dev "$INTERFACE"
ip addr del 10.0.0.2/32 dev "$INTERFACE"
ip link set "$INTERFACE" down

sudo chmod 755 /etc/tinc/alpha/tinc-*

sudo tincd -n alpha -D -d5

Now exchange the host files: copy /etc/tinc/alpha/hosts/server_01 from the “server” to the “home computer” and /etc/tinc/alpha/hosts/client_01 in the other direction, so that the hosts directories have the same contents on both machines. Do this over a channel you already trust (for example scp over SSH): the host file is the node's identity, and whoever can place a file in hosts/ can join the network, so treat the directory like an authorized_keys file.

Now the network is up: computer 10.0.0.2 is reachable from computer 10.0.0.1 and vice versa (try ping 10.0.0.2 from the server; with -d5 the tincd output shows the connection being established).
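The whole procedure above, as an added example that is not part of the original post: a small POSIX shell script that writes the same tinc.conf, hosts/NODE, tinc-up and tinc-down files for one node (server or home computer, depending on whether it gets an Address or a ConnectTo) and adds two checks the post performs by eye, namely that every ConnectTo target has a host file, and that the hosts/ directories of two nodes are identical after the exchange. The function and variable names (write_node, check_connectto, hosts_digest, VPN_NET) and the file name tinc_node.sh are my own; the 10.0.0.0/24 range, tun0 and the node names are the post's. Key generation is still done with tincd -K exactly as above.

```shell
#!/bin/sh
# Added example, not part of the original post: generates the per-node files the
# steps above create by hand (tinc.conf, hosts/<node>, tinc-up, tinc-down) and
# checks the two things that most often break a first tinc setup: a ConnectTo
# target with no host file, and hosts/ directories that differ between nodes.
# Assumes tinc 1.0.x config syntax and the post's 10.0.0.0/24 VPN range.
# Key generation (tincd -n NET -K 4096) is left to tincd and must run as root.
set -eu

VPN_NET=10.0.0.0/24   # same range as the post's tinc-up route

# write_node ROOT NETNAME NODENAME VPNIP [PUBLIC_ADDRESS] [CONNECT_TO]
#   ROOT is /etc/tinc on a real node; any scratch directory works for a preview.
write_node() {
    root=$1 net=$2 node=$3 vpnip=$4 addr=${5:-} peer=${6:-}
    dir="$root/$net"
    mkdir -p "$dir/hosts"

    # tinc.conf: this node's name; ConnectTo only on nodes that must dial out.
    {
        printf 'Name = %s\n' "$node"
        printf 'AddressFamily = ipv4\n'
        printf 'Interface = tun0\n'
        if [ -n "$peer" ]; then printf 'ConnectTo = %s\n' "$peer"; fi
    } > "$dir/tinc.conf"

    # hosts/<node>: what the other nodes learn about us. Address only when we
    # are reachable from outside; tincd -K later appends the public key here.
    {
        if [ -n "$addr" ]; then printf 'Address = %s\n' "$addr"; fi
        printf 'Subnet = %s/32\n' "$vpnip"
    } > "$dir/hosts/$node"

    # tinc-up / tinc-down as in the post; \$INTERFACE is expanded by tincd later.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set \$INTERFACE up
ip addr add $vpnip/32 dev \$INTERFACE
ip route add $VPN_NET dev \$INTERFACE
EOF
    cat > "$dir/tinc-down" <<EOF
#!/bin/sh
ip route del $VPN_NET dev \$INTERFACE
ip addr del $vpnip/32 dev \$INTERFACE
ip link set \$INTERFACE down
EOF
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# check_connectto ROOT NETNAME: every ConnectTo in tinc.conf needs hosts/<peer>,
# otherwise tincd has neither an address nor a public key to connect with.
check_connectto() {
    dir="$1/$2"
    rc=0
    for peer in $(sed -n 's/^ConnectTo *= *//p' "$dir/tinc.conf"); do
        if [ ! -f "$dir/hosts/$peer" ]; then
            echo "missing $dir/hosts/$peer for ConnectTo = $peer" >&2
            rc=1
        fi
    done
    return $rc
}

# hosts_digest ROOT NETNAME: one hash over every host file. Run it on each node
# after exchanging the files; equal digests mean the hosts/ directories match.
hosts_digest() {
    dir="$1/$2/hosts"
    (
        cd "$dir"
        for f in *; do
            [ -f "$f" ] || continue
            printf '== %s\n' "$f"
            cat "$f"
        done
    ) | sha256sum | cut -d ' ' -f 1
}

if [ $# -ge 4 ]; then
    write_node "$@"
fi
```

On the server: sudo ./tinc_node.sh /etc/tinc alpha server_01 10.0.0.1 alpha.example.com; on the home computer: sudo ./tinc_node.sh /etc/tinc alpha client_01 10.0.0.2 "" server_01. Then run tincd -n alpha -K 4096 on each machine, exchange the host files, and compare the hosts_digest output on both sides before starting tincd.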

Sometimes the traffic of the “home computer” should go out through the “server” (which is what VPNs are quite often used for nowadays).

Recall that for this we already put Subnet = 0.0.0.0/0 in the server's host file, /etc/tinc/alpha/hosts/server_01, and that the home computer received a copy of that file during the exchange.

In addition, the network scripts on the “home computer” need to change:

/etc/tinc/alpha/tinc-up:

#!/bin/sh
# X.X.X.X is the public IP address of the "server" (a route needs an address,
# not the name alpha.example.com).
REMOTEADDRESS=X.X.X.X
VPN_GATEWAY=10.0.0.1
# "via <gateway> dev <interface>" taken from the current default route; assumes
# the usual "default via A.B.C.D dev ethX ..." form of the ip route output.
ORIGINAL_GATEWAY=$(ip route show | grep ^default | cut -d ' ' -f 2-5)

ip link set "$INTERFACE" up
ip addr add 10.0.0.2/32 dev "$INTERFACE"
ip route add 10.0.0.0/24 dev "$INTERFACE"
# Keep reaching the server's public address over the physical link, otherwise
# the tunnel's own encrypted packets would be routed into the tunnel.
ip route add "$REMOTEADDRESS" $ORIGINAL_GATEWAY
ip route add "$VPN_GATEWAY" dev "$INTERFACE"
# Two /1 routes are more specific than the default route and therefore win
# without deleting the original default; tinc-down removes just these two.
ip route add 0.0.0.0/1 via "$VPN_GATEWAY" dev "$INTERFACE"
ip route add 128.0.0.0/1 via "$VPN_GATEWAY" dev "$INTERFACE"

/etc/tinc/alpha/tinc-down:

#!/bin/sh
REMOTEADDRESS=X.X.X.X
VPN_GATEWAY=10.0.0.1
ORIGINAL_GATEWAY=$(ip route show | grep ^default | cut -d ' ' -f 2-5)

# Undo tinc-up in reverse order. The default route was never removed, so
# plain connectivity returns as soon as the two /1 routes are gone.
ip route del "$REMOTEADDRESS" $ORIGINAL_GATEWAY
ip route del "$VPN_GATEWAY" dev "$INTERFACE"
ip route del 0.0.0.0/1 dev "$INTERFACE"
ip route del 128.0.0.0/1 dev "$INTERFACE"
ip route del 10.0.0.0/24 dev "$INTERFACE"
# 10.0.0.2 is this machine's own VPN address (the one tinc-up added).
ip addr del 10.0.0.2/32 dev "$INTERFACE"
ip link set "$INTERFACE" down

After that, all IPv4 traffic of the “home computer” is sent to the “server”. This alone does not make the server forward it on to other addresses: the kernel must have IP forwarding enabled, and the clients' 10.0.0.x source addresses must be NATed to the server's public address. The details depend on the server's network configuration. In the simplest case the commands below will do; run them only if you understand what they do, replace enp35s0 with the name of the server's Internet-facing interface, and keep in mind that -P FORWARD DROP applies to everything the server forwards, not only tinc traffic. Two things these scripts do not cover: IPv6 (AddressFamily = ipv4 and the routes above are IPv4 only, so any IPv6 connectivity the home computer has still bypasses the tunnel) and DNS (queries keep going to the resolver the home network handed out).

###   This code can harm your computer   ###

# Let the kernel forward packets between interfaces (add to /etc/sysctl.d/ to persist)
sudo sysctl -w net.ipv4.ip_forward=1
# Drop forwarded traffic by default, then allow VPN clients (tun0) out via enp35s0
sudo iptables -P FORWARD DROP
sudo iptables -I FORWARD -i tun0 -o enp35s0 -j ACCEPT
# Back in only for replies to connections the clients opened, not for anything arriving from the Internet
sudo iptables -I FORWARD -i enp35s0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Rewrite the clients' 10.0.0.x source addresses to the server's address on enp35s0
sudo iptables -t nat -I POSTROUTING -o enp35s0 -j MASQUERADE
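The server-side gateway configuration, as an added example that is not the post's own code: the same forwarding and masquerading rules written so that they can be re-applied safely. Each rule is added only if iptables -C reports it absent, which avoids stacking duplicates when the commands are run again (the -I lines above insert a fresh copy every time); the return rule accepts only connection-tracked replies and the outbound rule only sources inside the VPN range; and a preflight function reports the two conditions that most often explain "packets go into the tunnel but nothing comes back", namely IP forwarding being off or a wrong interface name. gateway_rules, ensure_rule, preflight and apply_gateway are my names, tinc_gateway.sh and /etc/sysctl.d/99-tinc-gateway.conf are assumed paths; enp35s0, tun0 and 10.0.0.0/24 are the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: the "server" gateway rules as an
# idempotent script with pre-checks. Assumes Debian/Ubuntu paths, iptables
# with the conntrack match, tun0 as in tinc.conf and the post's 10.0.0.0/24.
# Usage (as root): ./tinc_gateway.sh enp35s0 tun0 10.0.0.0/24
set -eu

# gateway_rules WAN_IF VPN_IF VPN_NET: one "TABLE CHAIN rule-spec" per line.
# Out: only VPN clients (source in VPN_NET) may be forwarded to the Internet.
# In:  only replies to connections those clients opened come back through.
gateway_rules() {
    wan=$1 vpn=$2 net=$3
    cat <<EOF
filter FORWARD -i $vpn -o $wan -s $net -j ACCEPT
filter FORWARD -i $wan -o $vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
nat POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}

# ensure_rule TABLE CHAIN RULE...: append the rule only if an identical one is
# not already present (iptables -C), so re-running never stacks duplicates.
ensure_rule() {
    table=$1 chain=$2
    shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

# preflight WAN_IF VPN_IF: explain (and return 1) why forwarding cannot work yet.
preflight() {
    ok=0
    for ifc in "$1" "$2"; do
        if [ ! -d "/sys/class/net/$ifc" ]; then
            echo "preflight: no such interface: $ifc" >&2
            ok=1
        fi
    done
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" != 1 ]; then
        echo "preflight: net.ipv4.ip_forward is not 1" >&2
        ok=1
    fi
    return $ok
}

# apply_gateway WAN_IF VPN_IF VPN_NET: enable forwarding now and after reboot,
# default-deny forwarded traffic (this applies to everything the host forwards,
# not only tinc), then add the rules above and run the pre-checks.
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-tinc-gateway.conf
    iptables -P FORWARD DROP
    gateway_rules "$@" | while read -r table chain rule; do
        # $rule is split into separate iptables arguments on purpose
        ensure_rule "$table" "$chain" $rule
    done
    preflight "$1" "$2"
}

if [ $# -eq 3 ]; then
    apply_gateway "$@"
fi
```

Run gateway_rules on its own first to read the rules that would be installed; apply_gateway needs root and, like the post's commands, assumes the server has no other firewall policy that the FORWARD DROP default would break.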

Useful links

1. www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-18-04-en
2. www.tinc-vpn.org/examples/windows-install
3. www.tinc-vpn.org/examples/redirect-gateway

apapacy@gmail.com
January 30, 2022
