Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.tinc [2013/05/02 07:22]
sandymac created
doc:howto:vpn.tinc [2013/12/31 18:15] (current)
sandymac Traffic Rule addition
Line 1: Line 1:
====== Tinc ====== ====== Tinc ======
- +[[wp>Tinc (protocol)|Tinc]] is a self-routing, mesh networking protocol, used for compressed, encrypted, virtual private networks. This howto is intended as a guide to document some of the [[http://www.tinc-vpn.org/|Tinc]] on OpenWrt specifics the author stumbled on and struggled with in hopes it saves others time and effort.
-This is intended as a guide to document some of the [[http://www.tinc-vpn.org/|Tinc]] on OpenWRT specifics the author stumbled on and struggled with in hopes it saves others time and effort.+
==== UCI Configuration ==== ==== UCI Configuration ====
-Tinc normally makes use of a series of files and directories under /etc/tinc/ for it's configuration. On OpenWRT much of configuration has been moved into the [[/doc/UCI]] system into the file located at /etc/config/tinc . The OpenWRT Tinc init script will use the contents of the tinc uci config along with files in the /etc/tinc directories to generate a full Tinc configuration located under /tmp/tinc +Tinc normally makes use of a series of files and directories under /etc/tinc/ for it's configuration. On OpenWrt much of configuration has been moved into the [[/doc/UCI]] system into the file located at ''[[doc:uci:tinc|/etc/config/tinc]]''. The OpenWrt Tinc init script will use the contents of the tinc uci config along with files in the /etc/tinc directories to generate a full Tinc configuration located under /tmp/tinc
The Tinc uci config file contains two types of sections: tinc-net and tinc-host. The Tinc uci config file contains two types of sections: tinc-net and tinc-host.
-The tinc-net sections start with "config tinc-net NETNAME" followed by options that match the options described in [[http://www.tinc-vpn.org/documentation/tinc.conf.5|tinc.conf.5]] with the exceptions of an "enabled" option and a few for command line options. The NETNAME will be mapped to /etc/tinc/NETNAME and the values in that section will be used to generate the equivalent of the /etc/tinc/NETNAME/tinc.conf file.+The tinc-net sections start with "config tinc-net NETNAME" followed by options that match the options described in [[http://www.tinc-vpn.org/documentation/tinc.conf.5|tinc.conf.5]] / [[man>tinc(5)|tinc]] with the exceptions of an "enabled" option and a few for command line options. The NETNAME will be mapped to /etc/tinc/NETNAME and the values in that section will be used to generate the equivalent of the /etc/tinc/NETNAME/tinc.conf file.
The tinc-host sections start with "config tinc-host NODENAME" followed by options that will be used to generate the Tinc host files normally located at /etc/tinc/NETNAME/hosts/NODENAME . UCI doesn't seem to have a place to hold the public keys that go in a host config file so you will still be expected to have files with public keys at /etc/tinc/NETNAME/hosts/NODENAME but the other values from the UCI section will be combined when a host file is generated under /tmp/tinc/NETNAME/hosts/NODENAME . The tinc-host sections start with "config tinc-host NODENAME" followed by options that will be used to generate the Tinc host files normally located at /etc/tinc/NETNAME/hosts/NODENAME . UCI doesn't seem to have a place to hold the public keys that go in a host config file so you will still be expected to have files with public keys at /etc/tinc/NETNAME/hosts/NODENAME but the other values from the UCI section will be combined when a host file is generated under /tmp/tinc/NETNAME/hosts/NODENAME .
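Review bot: the two paragraphs on the generated configuration under /tmp/tinc and on the public-key host files never say where the daemon's own private key comes from, which is the one file in this layout that actually needs protecting. In tinc's default layout that is /etc/tinc/NETNAME/rsa_key.priv (the PrivateKeyFile option in tinc.conf(5)); the text should state whether the init script points tinc at that file in place or copies it under /tmp/tinc, and remind readers to keep it mode 0600 and root-owned, since a copy under the tmpfs /tmp has whatever mode the copy was given. Two style points in the same hunk: "for it's configuration" should read "for its configuration", and "much of configuration has been moved" should read "much of the configuration has been moved".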
Line 17: Line 16:
==== UCI Network/Firewall Integration ==== ==== UCI Network/Firewall Integration ====
-The following helped this author have a more reliable coexistence between Tinc and the OpenWRT web interface managed Network/Firewall settings. The info below is based on my experience setting up Tinc to let me route between private lans.+The following helped this author have a more reliable coexistence between Tinc and the OpenWrt web interface managed Network/Firewall settings. The info below is based on my experience setting up Tinc to let me route between private lans.
-Because the network management of UCI may tear down and build up the network or firewall settings I found it advantageous to use the Networking/Firewall UCI settings as applied to the Tinc created interfaces as much as possible to prevent unexpected Tinc VPN failures.+Because the network management of UCI may tear down and build up the network or firewall settings I found it advantageous to use the Networking/Firewall UCI settings as applied to the Tinc created interfaces as much as possible to prevent unexpected Tinc VPN failures. That said, it still isn't 100% reliable for me yet.
-I still needed /etc/tinc/NETNAME/tinc-up containing:+I've evolved my tinc scripts into the four mostly generic scripts below. You can get away with less but for routing between networks, these work with minimal thought. 
 + 
 +/etc/tinc/[NETNAME]/tinc-up contains:
''#!/bin/sh ''#!/bin/sh
-ifconfig $INTERFACE 192.168.20.1 netmask 255.255.0.0''+ip=`uci get network.lan.ipaddr` 
 +ifconfig $INTERFACE $ip''
-but unlike some some Tinc howtos for other distributions I did not have any iptables rules in the tinc-up script.+unlike some some Tinc howtos for other distributions I did not have any iptables rules in the tinc-up script. The `uci get network.lan.ipaddr` will extract the IP address of your LAN interface. If you've renamed this interface or want something else, change here.
-Instead I went into the OpenWRT LuCI web interface and under ''Network > Interfaces'' I ''Added a new interface...'' which I named NETNAME that was of Protocol ''unmanaged'' and covered the NETNAME interface. This makes UCI aware of the Tinc network interface but it shouldn't try to manage it.+/etc/tinc/[NETNAME]/tinc-down contains:
-Then under ''Network > Interfaces > NETNAME > Firewall Settings'' I created or assigned the zone of ''vpn'' .+''#!/bin/sh 
 +ifconfig $INTERFACE down''
-Finally under ''Network > Firewall > General Settings > Zones'' you can edit the vpn zone to enable Inter-Zone Forwarding to/from your lan zone.+/etc/tinc/[NETNAME]/subnet-up contains:
-==== Some Links ====+''#!/bin/sh 
 +[ $NODE = `uci get tinc.$NETNAME.Name` ] && exit 
 +case $SUBNET in 
 + */32) targetType=-host ;; 
 + *) targetType=-net ;; 
 +esac 
 +route add $targetType $SUBNET dev $INTERFACE''
-[[http://patchwork.openwrt.org/patch/1576/]] -  The start of the Tinc UCI config. +The `uci get tinc.$NETNAME.Name` extracts this host's name from the tinc config. You need to know this so the subnet-up script doesn't run to add a subnet for itself because that already exists. Versions of tinc newer than 1.0.19 have a better way around this but I don't recall at the moment. 
-[[http://www.tinc-vpn.org/docs/]] - Tinc documentation.+ 
 + 
 +/etc/tinc/[NETNAME]/subnet-down contains: 
 + 
 +''#!/bin/sh 
 +[ $NODE = `uci get tinc.$NETNAME.Name` ] && exit 
 +case $SUBNET in 
 + */32) targetType=-host ;; 
 + *) targetType=-net ;; 
 +esac 
 +route del $targetType $SUBNET dev $INTERFACE'' 
 + 
 +Instead I went into the OpenWrt LuCI web interface and under ''Network > Interfaces'' I ''Added a new interface...'' which I named NETNAME that was of Protocol ''unmanaged'' and covered the NETNAME interface. This makes UCI aware of the Tinc network interface but it shouldn't try to manage it. 
 + 
 +Then, under ''Network > Interfaces > NETNAME > Firewall Settings'' I created or assigned the zone of ''vpn'' . 
 + 
 +Next, under ''Network > Firewall > General Settings > Zones'' you can edit the vpn zone to enable Inter-Zone Forwarding to/from your lan zone. 
 + 
 +Finally, under ''Network > Firewall > Traffic Rules'' you'l need to open the port Tinc is using, 655 by default. The summary table for me reads: "Tinc-[NETNAME] | Any TCP, UDP From any host in wan To any router IP at port 655 on this device | Accept input" 
 + 
 +==== Some Links ==== 
 +  * [[http://patchwork.openwrt.org/patch/1576/]] -  The start of the Tinc UCI config. 
 + * [[http://www.tinc-vpn.org/docs/]] - Tinc documentation.
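Review bot: the guard `[ $NODE = \`uci get tinc.$NETNAME.Name\` ] && exit` in both subnet-up and subnet-down fails open. If the uci lookup returns nothing (option unset, wrong NETNAME, different UCI section name) the unquoted test is malformed and returns non-zero, `&& exit` never fires, and the script goes on to `route add` this node's own subnet through the tunnel, which is exactly what the guard exists to prevent; with both sides empty the single-argument test is instead trivially true and the script exits for every node. Quote both sides and refuse to continue when the lookup is empty, e.g. `me=$(uci -q get tinc.$NETNAME.Name) || exit 1` followed by `[ "$NODE" = "$me" ] && exit 0`. tinc also exports the daemon's own name to its scripts as $NAME (check the scripts section of tinc.conf(5) for your version), which removes the uci dependency entirely and is probably the "better way" the paragraph after subnet-up alludes to. On the Traffic Rules paragraph: opening 655 for both TCP and UDP from wan is the right set, since tinc uses TCP for the meta connection and UDP for tunnelled data; where peer addresses are fixed, limiting the rule's source to those hosts is cheap hardening worth mentioning.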


doc/howto/vpn.tinc.1367472163.txt.bz2 · Last modified: 2013/05/02 07:22 by sandymac