:: Setting up VPN using Tinc ::


TO SET UP A VPN USING Tinc
  1. Tinc might compete to be the best solution for a VPN. I wanted a solution that has an inbuilt routing mechanism, and tinc is the only one that fits. The configuration and installation were a bit difficult, but it was time well spent. It will be fun to explore more of the routing part of tinc.
  2. Here I will try to describe two different ways to use tinc.
    1. The conventional way of having a separate subnet (I use 192.168.254.0/24 for most of my VPNs) for the VPN server/client and adding appropriate routes to the routing table at both the client and the server. I have been using this method for all my previous configurations. Apparently tinc does not require (and does not WANT) allocation of this separate subnet. Of course you could have the tunnel endpoints on the same separate subnet, but this requires some tricky route manipulation to reach the other end. I have tried using this, but repeatedly failed. I will show how this can be done once I succeed.
    2. The second method is a better one. Here each end of the tunnel takes an address inside the subnet it serves, that is, the Subnet it advertises in its own host file (192.168.2.0/24 for zidler and 192.168.0.0/24 for mia below), and routes the other side's subnet over the virtual interface. No separate VPN subnet is needed and the two endpoints lie in different subnets. This leads to a very scalable solution. I am going to explain this method here.
  3. Before starting, download the tarball and compile it. I had a problem using the latest version (1.0pre8) on Red Hat 9.0, hence I used the CVS version (branch CABAL). The commands for checking out the CVS version (tcsh syntax) are:
    #>setenv CVSROOT :pserver:cvs@nl.linux.org:/home/CVS 
    #>cvs login
    #>cvs checkout -r CABAL tinc
    
    After downloading I followed the normal ./configure; make; make install sequence.
    NOTE: Unless you pass --prefix or --sysconfdir to ./configure, tinc installs under /usr/local: tincd goes to /usr/local/sbin and the configuration lives under /usr/local/etc/tinc.
  4. I am assuming the following setup, with mia as the client and zidler as the server.

  5. The first thing that one needs to do is generate keys on both mia and zidler. This can be done using the command:
    [shashank@mia shashank]# tincd -K
    tinc: Cannot open config file /usr/local/etc/tinc/tinc.conf: No such file or directory
    Generating 1024 bits keys:
    ...........................................................++++++ p
    ..................................++++++ q
    Done.
    Please enter a file to save public RSA key to [/usr/local/etc/tinc/rsa_key.pub]: 
    Please enter a file to save private RSA key to [/usr/local/etc/tinc/rsa_key.priv]: 
    
    Note the directory tinc prompts for: /usr/local/etc/tinc/. This is where tinc looks for everything by default, unless you chose a different sysconfdir when running the configure script before compiling tinc (take a look at ./configure --help).

    Keep track of the two files, as they are used afterwards. The private key (rsa_key.priv) stays on this host only: never copy it into hosts/ or send it to anyone, and check that it is mode 600 as in the directory listings further below. The public key is what goes into the host file that other nodes receive. Note that tincd -K generated 1024-bit RSA keys here, which is below current recommendations; the tinc 1.0 release series accepts a key size, e.g. tincd --generate-keys=2048.
  6. Let us start with the configuration on zidler. tinc keeps the configuration for one VPN under a "netname" directory (selected with tincd -n), and each node within that VPN has a Name. I always follow the convention of using the hostname for both, so on zidler the netname and the node name are both "zidler". To do this, you need a directory called "zidler" in /usr/local/etc/tinc/, where all the configuration files (and the public/private keys) should go. So here it is:
    shashank@zidler:/usr/local/etc/tinc# tincd -K
    tinc: Cannot open config file /usr/local/etc/tinc/tinc.conf: No such file or directory
    Generating 1024 bits keys:
    .............................++++++ p
    ................................................................++++++ q
    Done.
    Please enter a file to save public RSA key to [/usr/local/etc/tinc/rsa_key.pub]: 
    Please enter a file to save private RSA key to [/usr/local/etc/tinc/rsa_key.priv]: 
    shashank@zidler:/usr/local/etc/tinc# ls
    rsa_key.priv  rsa_key.pub
    shashank@zidler:/usr/local/etc/tinc# mkdir zidler
    shashank@zidler:/usr/local/etc/tinc# cp rsa_key.p* zidler
    shashank@zidler:/usr/local/etc/tinc# cd zidler
    shashank@zidler:/usr/local/etc/tinc/zidler# ls
    rsa_key.priv  rsa_key.pub
    
  7. Copy the following to /usr/local/etc/tinc/zidler/tinc.conf
    shashank@zidler:/usr/local/etc/tinc/zidler# cat tinc.conf 
    Name = zidler                           # The name of this node in the VPN
    
    # Names of the nodes this daemon should connect to. For each one a
    # file /usr/local/etc/tinc/zidler/hosts/<name> must be present.
    #ConnectTo = mia         
    #ConnectTo = AnotherName                
    
    # The tap device tinc will use. Required.
    # Default is /dev/tap0 for ethertap or FreeBSD,
    # /dev/tun0 for Solaris and OpenBSD,
    # and /dev/net/tun for Linux tun/tap device.
    Device = /dev/net/tun
    
    # The file in which the private key for this host is stored. Required.
    PrivateKeyFile = /usr/local/etc/tinc/zidler/rsa_key.priv
    
    Note the ConnectTo parameter. If it is left out, tincd only listens for incoming connections (on port 655, TCP and UDP, by default) and never initiates any, which is the role of the server here. If, on the other hand, it is set to "mia" (say), tincd will look for a file named /usr/local/etc/tinc/zidler/hosts/mia. That file describes the node named "mia" and must be supplied to us by the admin of mia; among other things it contains mia's public key and public Address. If we want other sites to connect to zidler, we must create the same kind of file for our own node and hand it to every site that needs to reach us. tinc reads our own file from /usr/local/etc/tinc/zidler/hosts/zidler (the Subnet lines in it are what tinc advertises for this node), and it is shown below:
    shashank@zidler:/usr/local/etc/tinc/zidler# cat hosts/zidler
    Address = 131.193.50.184
    #cipher = blowfish
    #Compression = 9
    #Digest = sha1
    #IndirectData = no
    Subnet = 192.168.2.0/24
    -----BEGIN RSA PUBLIC KEY-----
    MIGJAoGBAJzbuQRKc5a4AXb8c/C5QeIf4w2BOBaSsCYjCjrD7wFrmbHzFkdik57K
    TiQybXG8CemOOiLWn7hCPpsqRLv0AIv+J08ggq0UTrQ4MsONh+vnWmWVb78EWil0
    -----END RSA PUBLIC KEY-----
    
    You must distribute this file (and only this file; rsa_key.priv never leaves the host) to all other sites and ask them to place it at the appropriate location (usually /usr/local/etc/tinc/vpn-name/hosts/zidler). tinc trusts whatever public key it finds in that file, so hand it over through a channel the other admin can verify (scp to a known host, a signed mail, or a fingerprint compared out of band) rather than plain mail or http.
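The following is an added example, not code from the original page or from tinc: a small shell helper that fingerprints the public key block inside a host file so that two admins can compare it out of band before the file is dropped into hosts/. The function names (tinc_host_fingerprint, tinc_host_verify), the sample host file and its filler key body are my own constructions; only the Address and Subnet values are taken from the page.

```sh
#!/bin/sh
# Added example; not tinc's code and not from the original page. A tinc host
# file is the peer's identity: tincd authenticates a node purely by the RSA
# public key in hosts/<name>, so a host file swapped in transit lets an
# attacker join the VPN as that node. Compute a fingerprint of the key block
# on both sides and compare it out of band (phone, signed mail) before the
# file is dropped into hosts/.

_sha256() {   # sha256sum on Linux, shasum on BSD/macOS
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# Fingerprint only the PEM block, so Address/Subnet edits by the peer's admin
# do not change it and the comparison stays meaningful across updates.
tinc_host_fingerprint() {   # $1 = host file
    sed -n '/^-----BEGIN RSA PUBLIC KEY-----$/,/^-----END RSA PUBLIC KEY-----$/p' "$1" \
        | _sha256 | cut -d' ' -f1
}

# Returns 0 when the file's key fingerprint equals the one obtained out of band.
tinc_host_verify() {   # $1 = host file, $2 = expected fingerprint
    [ "$(tinc_host_fingerprint "$1")" = "$2" ]
}

# Demo with a constructed host file; the key body is filler, not a real key.
demo=$(mktemp -d)
printf 'Address = 131.193.50.184\nSubnet = 192.168.2.0/24\n-----BEGIN RSA PUBLIC KEY-----\nQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n-----END RSA PUBLIC KEY-----\n' > "$demo/zidler"
fp=$(tinc_host_fingerprint "$demo/zidler")
echo "zidler key fingerprint: $fp"
# Same key, new Address line: fingerprint unchanged.
sed 's/^Address = .*/Address = 192.0.2.10/' "$demo/zidler" > "$demo/zidler.moved"
tinc_host_verify "$demo/zidler.moved" "$fp" && echo "moved copy: key matches"
# One character of the key altered: verification fails.
sed 's/^QUFB/QUFC/' "$demo/zidler" > "$demo/zidler.tampered"
tinc_host_verify "$demo/zidler.tampered" "$fp" || echo "tampered copy: key mismatch"
```

Run tinc_host_fingerprint on the file you received, read the value to the other admin, and only place the file in hosts/ once tinc_host_verify succeeds against what they report. Hashing the PEM text rather than the decoded key is enough here because both sides hash the same bytes; it is not a substitute for a proper key fingerprint in a PKI, but tinc has none.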
  8. Two scripts, tinc-up and tinc-down, also need to be placed in the /usr/local/etc/tinc/zidler/ directory. tinc executes them when the daemon starts and stops, with the environment variable $INTERFACE set to the name of the virtual interface, to configure and tear down that interface. Both scripts are shown below.
    shashank@zidler:/usr/local/etc/tinc/zidler# cat tinc-up
    #!/bin/sh
    
    # Set hardware ethernet address, needed on Linux when in router mode
    ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
    
    # Give it the right ip and netmask. Remember, the subnet of the
    # tap device must be larger than that of the individual Subnets
    # as defined in the host configuration file!
    ifconfig $INTERFACE 192.168.2.2 netmask 255.255.255.0
    
    # Disable ARP, needed on Linux when in router mode
    ifconfig $INTERFACE -arp
    
    #Add a route to the other network
    route add -net 192.168.0.0 netmask 255.255.255.0 dev $INTERFACE
    
    NOTE: Do not change the hardware address of the virtual interface; leave it at fe:fd:0:0:0:0, since tinc refuses to work if it is changed. The -arp option is also required. Both lines belong to router mode on the tap device used by this build; check the example tinc-up shipped with the version you install before copying them.
    shashank@zidler:/usr/local/etc/tinc/zidler# cat tinc-down
    #!/bin/sh
    # This file closes down the tap device.
    #Delete the route
    route del -net 192.168.0.0 netmask 255.255.255.0 dev $INTERFACE
    
    ifconfig $INTERFACE down
    
  9. Make sure that you have all the above files; a listing is shown below:
    shashank@zidler:/usr/local/etc/tinc/zidler# ls -alR
    .:
    total 32
    drwxr-xr-x    3 root     root         4096 Jun 11 00:06 .
    drwxr-xr-x    4 root     root         4096 Jun 10 22:52 ..
    drwxr-xr-x    2 root     root         4096 Jun 10 23:56 hosts
    -rw-------    1 root     root          887 Jun 10 22:52 rsa_key.priv
    -rw-------    1 root     root          251 Jun 10 22:52 rsa_key.pub
    -rwxr-xr-x    1 root     root          158 Jun 11 00:05 tinc-down
    -rwxr-xr-x    1 root     root          858 Jun 11 00:05 tinc-up
    -rw-------    1 root     root          806 Jun 10 23:04 tinc.conf
    
    ./hosts:
    total 16
    drwxr-xr-x    2 root     root         4096 Jun 10 23:56 .
    drwxr-xr-x    3 root     root         4096 Jun 11 00:06 ..
    -rw-r--r--    1 root     root          372 Jun 10 23:56 zidler
    
  10. Similarly proceed on mia to create all the above with appropriate options. Below I have listed all such files on mia.
    [shashank@mia mia]# cat tinc.conf
    Name = mia
    ConnectTo = zidler
    Device = /dev/net/tun
    PrivateKeyFile = /usr/local/etc/tinc/mia/rsa_key.priv
    -------------------------------------------------------------------------------
    [shashank@mia mia]# cat hosts/mia
    Address = 131.193.50.165
    #cipher = blowfish
    #Compression = 9
    #Digest = sha1
    #IndirectData = no
    Subnet = 192.168.0.0/24
    -----BEGIN RSA PUBLIC KEY-----
    ETQwrVzpc7cl9nXZGgxKU4MPT4DOhvMAJnVSmUCz9+gu+R6WALFL2UTQ0XL+iJA0
    IufuSOb/7v/NsEEE0LnM6I4HaZMdc5aLRq470e2xh2Fn9FR2BOMFAgMA//8=
    -----END RSA PUBLIC KEY-----
    -------------------------------------------------------------------------------
    [shashank@mia mia]# cat tinc-up
    #!/bin/sh
    ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
    ifconfig $INTERFACE 192.168.0.2 netmask 255.255.255.0
    ifconfig $INTERFACE -arp
    
    #Add a route to the other network
    route add -net 192.168.2.0 netmask 255.255.255.0 dev $INTERFACE
    -------------------------------------------------------------------------------
    
    [shashank@mia mia]# cat tinc-down
    #!/bin/sh
    #Delete the route to the other network
    route del -net 192.168.2.0 netmask 255.255.255.0 dev $INTERFACE
    
    ifconfig $INTERFACE down
    [shashank@mia mia]# 
    
    Note the ConnectTo parameter here. Since we have specified zidler, we have to get the host file (with the public key) from the zidler admin and place it in ./hosts/zidler. We have done this, and the listing of the whole directory structure on mia is shown below.
    [shashank@mia mia]# ls -alR
    .:
    total 32
    drwxr-xr-x    3 root     root         4096 Jun 11 00:07 .
    drwxr-xr-x    4 root     root         4096 Jun 11 00:00 ..
    drwxr-xr-x    2 root     root         4096 Jun 11 00:07 hosts
    -rw-------    1 root     root          887 Jun 11 00:00 rsa_key.priv
    -rw-------    1 root     root          251 Jun 11 00:00 rsa_key.pub
    -rwxr-xr-x    1 root     root          100 Jun 11 00:02 tinc-down
    -rwxr-xr-x    1 root     root          235 Jun 11 00:02 tinc-up
    -rw-------    1 root     root          106 Jun 11 00:01 tinc.conf
    
    ./hosts:
    total 20
    drwxr-xr-x    2 root     root         4096 Jun 11 00:07 .
    drwxr-xr-x    3 root     root         4096 Jun 11 00:07 ..
    -rw-r--r--    1 root     root          372 Jun 11 00:03 mia
    -rw-r--r--    1 root     root          372 Jun 11 00:07 zidler
    
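Before starting the daemons, the net directories built in steps 6 to 10 can be checked mechanically. What follows is an added example, not part of tinc and not from the original page: a shell lint for one net directory laid out as on this page. The function names (tinc_conf_get, tinc_lint_net, tinc_make_sample_net), the peer Address 192.0.2.1 and the filler key bodies are my own assumptions; the node names, public addresses and subnets are the page's. It also builds a constructed copy of the mia directory with a tinc-down that does "route add" where "route del" belongs, to show that mistake being caught.

```sh
#!/bin/sh
# Added example; not part of tinc and not from the original page. A pre-flight
# lint for one net directory (/usr/local/etc/tinc/<netname>) laid out as on
# this page. It reports, one FAIL line each:
#   - tinc.conf without Name; hosts/<Name> missing or without a public key
#   - ConnectTo = X with no hosts/X, or hosts/X without an Address line
#   - private key missing, not mode 600, or lying inside hosts/ (the
#     directory whose files are handed to other admins)
#   - tinc-up/tinc-down not executable, or a route that tinc-up adds and
#     tinc-down fails to delete
# Uses only sed, awk, grep and stat (GNU -c with a BSD -f fallback).

tinc_conf_get() {   # $1 = tinc.conf, $2 = key; prints every value of "key = value"
    sed 's/#.*//' "$1" | awk -F= -v k="$2" \
        '{ gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/[ \t]/, "", $2); if ($1 == k) print $2 }'
}

_tinc_lint_report() {   # prints FAIL lines for directory $1; nothing when clean
    d=$1; conf="$d/tinc.conf"
    if [ ! -f "$conf" ]; then echo "FAIL: $conf missing"; return; fi
    name=$(tinc_conf_get "$conf" Name | head -n 1)
    [ -n "$name" ] || echo "FAIL: no Name in $conf"
    hf="$d/hosts/$name"
    if [ -n "$name" ] && [ ! -f "$hf" ]; then
        echo "FAIL: $hf missing; peers authenticate this node with it"
    elif [ -n "$name" ]; then
        grep -q '^Subnet' "$hf" || echo "FAIL: $hf has no Subnet line"
        grep -q '^-----BEGIN RSA PUBLIC KEY-----' "$hf" || echo "FAIL: $hf has no public key"
    fi
    for peer in $(tinc_conf_get "$conf" ConnectTo); do
        pf="$d/hosts/$peer"
        if [ ! -f "$pf" ]; then echo "FAIL: ConnectTo = $peer but $pf missing"
        elif ! grep -q '^Address' "$pf"; then echo "FAIL: $pf has no Address line"
        fi
    done
    key=$(tinc_conf_get "$conf" PrivateKeyFile | head -n 1)
    [ -n "$key" ] || key="$d/rsa_key.priv"
    if [ ! -f "$key" ]; then echo "FAIL: private key $key missing"
    else
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        [ "$mode" = "600" ] || echo "FAIL: $key is mode $mode, expected 600"
    fi
    grep -rl 'BEGIN RSA PRIVATE KEY' "$d/hosts" 2>/dev/null | sed 's/^/FAIL: private key material in /'
    for s in tinc-up tinc-down; do
        [ -x "$d/$s" ] || echo "FAIL: $d/$s missing or not executable"
    done
    if [ -f "$d/tinc-up" ] && [ -f "$d/tinc-down" ]; then
        sed -n 's/^route add -net \([^ ]*\) netmask \([^ ]*\).*/\1 \2/p' "$d/tinc-up" |
        while read -r net mask; do
            grep -Fq "route del -net $net netmask $mask" "$d/tinc-down" ||
                echo "FAIL: tinc-up adds $net/$mask but tinc-down never deletes it"
        done
    fi
}

tinc_lint_net() {   # exit status 0 only when the directory is clean
    report=$(_tinc_lint_report "$1")
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Constructed sample tree shaped like the zidler directory on this page; the
# key bodies are filler, not real keys, and the peer Address is a test address.
# $1 dir  $2 Name  $3 public address  $4 own subnet  $5 VPN interface address
# $6 peer Name  $7 peer subnet (CIDR)
tinc_make_sample_net() {
    d=$1; n=$2; pn=$6; pnet=${7%/*}
    mkdir -p "$d/hosts"
    printf 'Name = %s\nConnectTo = %s\nDevice = /dev/net/tun\nPrivateKeyFile = %s/rsa_key.priv\n' "$n" "$pn" "$d" > "$d/tinc.conf"
    printf 'Address = %s\nSubnet = %s\n-----BEGIN RSA PUBLIC KEY-----\nQUFBQUFB\n-----END RSA PUBLIC KEY-----\n' "$3" "$4" > "$d/hosts/$n"
    printf 'Address = 192.0.2.1\nSubnet = %s\n-----BEGIN RSA PUBLIC KEY-----\nQkJCQkJC\n-----END RSA PUBLIC KEY-----\n' "$7" > "$d/hosts/$pn"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nfiller\n-----END RSA PRIVATE KEY-----\n' > "$d/rsa_key.priv"
    chmod 600 "$d/rsa_key.priv"
    printf '#!/bin/sh\nifconfig $INTERFACE hw ether fe:fd:0:0:0:0\nifconfig $INTERFACE %s netmask 255.255.255.0\nifconfig $INTERFACE -arp\nroute add -net %s netmask 255.255.255.0 dev $INTERFACE\n' "$5" "$pnet" > "$d/tinc-up"
    printf '#!/bin/sh\nroute del -net %s netmask 255.255.255.0 dev $INTERFACE\nifconfig $INTERFACE down\n' "$pnet" > "$d/tinc-down"
    chmod 755 "$d/tinc-up" "$d/tinc-down"
}

# Demo: zidler as on this page passes; mia with the page's original tinc-down
# (route add where route del belongs) and a group-readable key is flagged.
demo=$(mktemp -d)
tinc_make_sample_net "$demo/zidler" zidler 131.193.50.184 192.168.2.0/24 192.168.2.2 mia 192.168.0.0/24
tinc_lint_net "$demo/zidler" && echo "zidler: clean"
tinc_make_sample_net "$demo/mia" mia 131.193.50.165 192.168.0.0/24 192.168.0.2 zidler 192.168.2.0/24
printf '#!/bin/sh\nroute add -net 192.168.2.0 netmask 255.255.255.0 dev $INTERFACE\nifconfig $INTERFACE down\n' > "$demo/mia/tinc-down"
chmod 640 "$demo/mia/rsa_key.priv"
tinc_lint_net "$demo/mia" || echo "mia: fix the problems above before starting tincd"
```

On a real host run tinc_lint_net /usr/local/etc/tinc/zidler as root before starting the daemon. The route check is deliberately literal: it only matches "route add -net X netmask Y" lines against "route del -net X netmask Y", which is the shape used on this page; if your scripts use ip route instead, extend the two sed and grep patterns accordingly.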
  11. Now start tincd (as root) on both zidler and mia. It does not matter which is started first, but I prefer to start zidler. --debug=5 makes the daemon log the connection setup; add -D to keep it in the foreground while testing.
    shashank@zidler:/usr/local/etc/tinc/zidler# tincd -n zidler --debug=5
    -----------------------------------------------------------------------
    [shashank@mia mia]# tincd -n mia --debug=5
    
    
  12. Use ifconfig to see the virtual interface:
    shashank@zidler:/usr/local/etc/tinc/zidler# ifconfig 
    --SNIP--
    zidler    Link encap:Ethernet  HWaddr FE:FD:00:00:00:00  
              inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:2 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:196 (196.0 b)  TX bytes:196 (196.0 b)
    -----------------------------------------------------------------------
    [shashank@mia mia]# ifconfig
    --SNIP--
    mia       Link encap:Ethernet  HWaddr FE:FD:00:00:00:00  
              inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:2 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:196 (196.0 b)  TX bytes:196 (196.0 b)
    
    
    
  13. Also check that the routes have been established properly with the netstat -rn command and with ping. Each side should list the other side's subnet via its tinc interface (192.168.0.0/24 via zidler on zidler, 192.168.2.0/24 via mia on mia); if that entry is missing, packets for the far subnet fall through to the default route and never enter the tunnel. Then ping across: from mia, ping 192.168.2.2; from zidler, ping 192.168.0.2.
  14. To stop tinc, use killall tincd, or tincd -n zidler -k to stop only the daemon for that netname.
  15. Now begins the experimentation.

Comments and corrections are appreciated and can be sent to papers@mia.ece.uic.edu.