Tinc is a self-routing mesh networking protocol used to build compressed, encrypted virtual private networks. This howto documents some of the Tinc-on-OpenWrt specifics the author stumbled on and struggled with, in the hope that it saves others time and effort.
Tinc normally reads its configuration from a series of files and directories under /etc/tinc/. On OpenWrt much of that configuration has been moved into the UCI system, into the file /etc/config/tinc. The OpenWrt Tinc init script combines the contents of the tinc UCI config with the files under /etc/tinc to generate a full Tinc configuration under /tmp/tinc.
The Tinc uci config file contains two types of sections: tinc-net and tinc-host.
The tinc-net sections start with "config tinc-net NETNAME" followed by options that match those described in the tinc.conf(5) man page, with the exception of an "enabled" option and a few options that map to tinc command-line flags. NETNAME is mapped to /etc/tinc/NETNAME, and the values in that section are used to generate the equivalent of the /etc/tinc/NETNAME/tinc.conf file.
The tinc-host sections start with "config tinc-host NODENAME" followed by options that are used to generate the Tinc host files normally located at /etc/tinc/NETNAME/hosts/NODENAME. UCI doesn't seem to have a place to hold the public keys that go in a host config file, so you will still be expected to keep a file containing the public key at /etc/tinc/NETNAME/hosts/NODENAME; the other values from the UCI section are combined with it when the host file is generated under /tmp/tinc/NETNAME/hosts/NODENAME.
UCI also does not store the helper scripts such as tinc-up or NODENAME-up that are normally found in /etc/tinc/NETNAME/ and /etc/tinc/NETNAME/hosts/, so you will have to create them and store them there yourself. Make sure they are executable.
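To make the mapping concrete, here is an added example (it is not the OpenWrt package's init script): a small POSIX shell generator that turns a constructed UCI-style /etc/config/tinc into the /tmp/tinc tree described above, seeding each generated host file with the public key kept under /etc/tinc and dropping the OpenWrt-only "enabled" option. It assumes option names mirror tinc.conf(5) and that each tinc-host section names its network with a first option "net", which this page does not specify.

```shell
# Added example, not OpenWrt's own init script: turn a UCI-style
# /etc/config/tinc into the /tmp/tinc tree this howto describes. Assumed:
# option names mirror tinc.conf(5); a tinc-host's first option is "net".
set -e
# Constructed sample standing in for /etc/config/tinc.
SAMPLE_UCI="config tinc-net 'mynet'
    option enabled '1'
    option Name 'router'
    option Mode 'router'
    option ConnectTo 'laptop'

config tinc-host 'laptop'
    option net 'mynet'
    option Address 'laptop.example.invalid'
    option Port '655'
    option Subnet '192.168.30.0/24'"

# gen_tinc_tree UCIFILE SRCDIR OUTDIR (SRCDIR ~ /etc/tinc, OUTDIR ~ /tmp/tinc)
gen_tinc_tree() {
    uci=$1 src=$2 out=$3 sec='' node='' hostf=''
    while read -r kw a b; do
        b=${b#\'}; b=${b%\'}          # drop UCI's single quotes
        case "$kw:$sec" in
        config:*)
            sec=$a node=$b
            if [ "$sec" = tinc-net ]; then
                mkdir -p "$out/$node/hosts" && : > "$out/$node/tinc.conf"
            fi ;;
        option:tinc-net)
            # "enabled" is OpenWrt-only and must not leak into tinc.conf.
            [ "$a" = enabled ] || printf '%s = %s\n' "$a" "$b" >> "$out/$node/tinc.conf" ;;
        option:tinc-host)
            if [ "$a" = net ]; then
                # Seed the host file with the public key UCI cannot hold.
                hostf="$out/$b/hosts/$node"; mkdir -p "$out/$b/hosts"
                cat "$src/$b/hosts/$node" > "$hostf" 2>/dev/null || : > "$hostf"
            else
                printf '%s = %s\n' "$a" "$b" >> "$hostf"
            fi ;;
        esac
    done < "$uci"
}

# demo: stage a throwaway /etc/tinc with a constructed key, generate, print the output dir.
demo() {
    d=$(mktemp -d); mkdir -p "$d/etc/mynet/hosts"
    printf '%s\n' '-----BEGIN RSA PUBLIC KEY-----' 'CONSTRUCTED' '-----END RSA PUBLIC KEY-----' > "$d/etc/mynet/hosts/laptop"
    printf '%s\n' "$SAMPLE_UCI" > "$d/tinc.uci"
    gen_tinc_tree "$d/tinc.uci" "$d/etc" "$d/tmp" && echo "$d/tmp"
}
```

Run `cat "$(demo)/mynet/tinc.conf" "$(demo)/mynet/hosts/laptop"` to inspect the generated files; note that a host whose key file is missing under SRCDIR yields a host file with no public key, which Tinc will reject.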
The following helped this author achieve a more reliable coexistence between Tinc and the Network/Firewall settings managed through the OpenWrt web interface. The information below is based on my experience setting up Tinc to route between private LANs.
Because UCI network management may tear down and rebuild the network or firewall settings at any time, I found it advantageous to apply the Network/Firewall UCI settings to the Tinc-created interfaces as much as possible, to prevent unexpected Tinc VPN failures.
I still needed /etc/tinc/NETNAME/tinc-up containing:
ifconfig $INTERFACE 192.168.20.1 netmask 255.255.0.0
but unlike some Tinc howtos for other distributions, I did not put any iptables rules in the tinc-up script.
Instead I went into the OpenWrt LuCI web interface and did the following:
Under Network > Interfaces I added a new interface (Add new interface…), which I named NETNAME, with Protocol set to "unmanaged" and covering the NETNAME interface. This makes UCI aware of the Tinc network interface without trying to manage it.
Under Network > Interfaces > NETNAME > Firewall Settings I created or assigned the zone of vpn.
Under Network > Firewall > General Settings > Zones you can edit the vpn zone to enable Inter-Zone Forwarding to/from your lan zone.
doc/howto/vpn.tinc.txt · Last modified: 2013/07/19 11:59 by lorema