doc:howto:vpn.tinc

doc:howto:vpn.tinc [2013/05/02 07:22]
sandymac created
doc:howto:vpn.tinc [2013/12/31 18:15] (current)
sandymac Traffic Rule addition
Line 1: Line 1:
 ====== Tinc ====== ====== Tinc ======
- +[[wp>​Tinc (protocol)|Tinc]] is a self-routing,​ mesh networking protocol, used for compressed, encrypted, virtual private networks. ​This howto is intended as a guide to document some of the [[http://​www.tinc-vpn.org/​|Tinc]] on OpenWrt ​specifics the author stumbled on and struggled with in hopes it saves others time and effort.
-This is intended as a guide to document some of the [[http://​www.tinc-vpn.org/​|Tinc]] on OpenWRT ​specifics the author stumbled on and struggled with in hopes it saves others time and effort.+
  
 ==== UCI Configuration ==== ==== UCI Configuration ====
  
-Tinc normally makes use of a series of files and directories under /etc/tinc/ for it's configuration. On OpenWRT ​much of configuration has been moved into the [[/​doc/​UCI]] system into the file located at /​etc/​config/​tinc . The OpenWRT ​Tinc init script will use the contents of the tinc uci config along with files in the /etc/tinc directories to generate a full Tinc configuration located under /​tmp/​tinc ​+Tinc normally makes use of a series of files and directories under /etc/tinc/ for it's configuration. On OpenWrt ​much of configuration has been moved into the [[/​doc/​UCI]] system into the file located at ''​[[doc:​uci:​tinc|/​etc/​config/​tinc]]''​. The OpenWrt ​Tinc init script will use the contents of the tinc uci config along with files in the /etc/tinc directories to generate a full Tinc configuration located under /​tmp/​tinc ​
  
 The Tinc uci config file contains two types of sections: tinc-net and tinc-host. The Tinc uci config file contains two types of sections: tinc-net and tinc-host.
  
-The tinc-net sections start with "​config tinc-net NETNAME"​ followed by options that match the options described in [[http://​www.tinc-vpn.org/​documentation/​tinc.conf.5|tinc.conf.5]] with the exceptions of an "​enabled"​ option and a few for command line options. The NETNAME will be mapped to /​etc/​tinc/​NETNAME and the values in that section will be used to generate the equivalent of the /​etc/​tinc/​NETNAME/​tinc.conf file.+The tinc-net sections start with "​config tinc-net NETNAME"​ followed by options that match the options described in [[http://​www.tinc-vpn.org/​documentation/​tinc.conf.5|tinc.conf.5]] / [[man>​tinc(5)|tinc]] with the exceptions of an "​enabled"​ option and a few for command line options. The NETNAME will be mapped to /​etc/​tinc/​NETNAME and the values in that section will be used to generate the equivalent of the /​etc/​tinc/​NETNAME/​tinc.conf file.
  
 The tinc-host sections start with "​config tinc-host NODENAME"​ followed by options that will be used to generate the Tinc host files normally located at /​etc/​tinc/​NETNAME/​hosts/​NODENAME . UCI doesn'​t seem to have a place to hold the public keys that go in a host config file so you will still be expected to have files with public keys at /​etc/​tinc/​NETNAME/​hosts/​NODENAME but the other values from the UCI section will be combined when a host file is generated under /​tmp/​tinc/​NETNAME/​hosts/​NODENAME . The tinc-host sections start with "​config tinc-host NODENAME"​ followed by options that will be used to generate the Tinc host files normally located at /​etc/​tinc/​NETNAME/​hosts/​NODENAME . UCI doesn'​t seem to have a place to hold the public keys that go in a host config file so you will still be expected to have files with public keys at /​etc/​tinc/​NETNAME/​hosts/​NODENAME but the other values from the UCI section will be combined when a host file is generated under /​tmp/​tinc/​NETNAME/​hosts/​NODENAME .
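Review bot: the new side of the UCI Configuration paragraph keeps the typo "for it's configuration" (should be "its"), and the sentence ending "located under /​tmp/​tinc" still has no full stop; both are worth fixing while this paragraph is being touched. The OpenWRT to OpenWrt rename and the added [[man>tinc(5)|tinc]] link are consistent with the rest of the page. One documentation gap remains in the tinc-host paragraph: it says the public keys must still live under /​etc/​tinc/​NETNAME/​hosts/​NODENAME, but it does not say where the node's own private key is expected to stay, which a reader migrating an existing /etc/tinc tree will want to know.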
Line 17: Line 16:
 ==== UCI Network/​Firewall Integration ==== ==== UCI Network/​Firewall Integration ====
  
-The following helped this author have a more reliable coexistence between Tinc and the OpenWRT ​web interface managed Network/​Firewall settings. The info below is based on my experience setting up Tinc to let me route between private lans.+The following helped this author have a more reliable coexistence between Tinc and the OpenWrt ​web interface managed Network/​Firewall settings. The info below is based on my experience setting up Tinc to let me route between private lans.
  
-Because the network management of UCI may tear down and build up the network or firewall settings I found it advantageous to use the Networking/​Firewall UCI settings as applied to the Tinc created interfaces as much as possible to prevent unexpected Tinc VPN failures.+Because the network management of UCI may tear down and build up the network or firewall settings I found it advantageous to use the Networking/​Firewall UCI settings as applied to the Tinc created interfaces as much as possible to prevent unexpected Tinc VPN failures. That said, it still isn't 100% reliable for me yet.
  
-still needed ​/​etc/​tinc/​NETNAME/​tinc-up ​containing:+I've evolved my tinc scripts into the four mostly generic scripts below. You can get away with less but for routing between networks, these work with minimal thought. 
 + 
 +/etc/tinc/[NETNAME]/​tinc-up ​contains:
  
 ''#​!/​bin/​sh ''#​!/​bin/​sh
-ifconfig $INTERFACE ​192.168.20.1 netmask 255.255.0.0''​+ip=`uci get network.lan.ipaddr` 
 +ifconfig $INTERFACE ​$ip''​
  
-but unlike some some Tinc howtos for other distributions I did not have any iptables rules in the tinc-up script.+unlike some some Tinc howtos for other distributions I did not have any iptables rules in the tinc-up script. The `uci get network.lan.ipaddr` will extract the IP address of your LAN interface. If you've renamed this interface or want something else, change here.
  
-Instead I went into the OpenWRT LuCI web interface and under ''​Network > Interfaces''​ I ''​Added a new interface...''​ which I named NETNAME ​that was of Protocol ''​unmanaged''​ and covered the NETNAME interface. This makes UCI aware of the Tinc network interface but it shouldn'​t try to manage it.+/etc/tinc/[NETNAME]/tinc-down contains:
  
-Then under ''​Network > Interfaces > NETNAME > Firewall Settings'' ​I created or assigned the zone of ''​vpn''​ .+''​#!/bin/sh 
 +ifconfig $INTERFACE down''​
  
-Finally under ''​Network > Firewall > General Settings > Zones''​ you can edit the vpn zone to enable Inter-Zone Forwarding to/from your lan zone.+/etc/​tinc/​[NETNAME]/​subnet-up contains:
  
-==== Some Links ====+''#​!/​bin/​sh 
 +[ $NODE `uci get tinc.$NETNAME.Name` ] && exit 
 +case $SUBNET in 
 + */32) targetType=-host ;; 
 + *) targetType=-net ;; 
 +esac 
 +route add $targetType $SUBNET dev $INTERFACE''​
  
-[[http://​patchwork.openwrt.org/​patch/​1576/​]] -  The start of the Tinc UCI config. +The `uci get tinc.$NETNAME.Name` extracts this host's name from the tinc config. You need to know this so the subnet-up script doesn'​t run to add a subnet for itself because that already exists. Versions of tinc newer than 1.0.19 have a better way around this but I don't recall at the moment. 
-[[http://​www.tinc-vpn.org/​docs/​]] - Tinc documentation.+ 
 + 
 +/​etc/​tinc/​[NETNAME]/​subnet-down contains: 
 + 
 +''#​!/​bin/​sh 
 +[ $NODE = `uci get tinc.$NETNAME.Name` ] && exit 
 +case $SUBNET in 
 + */32) targetType=-host ;; 
 + *) targetType=-net ;; 
 +esac 
 +route del $targetType $SUBNET dev $INTERFACE''​ 
 + 
 +Instead I went into the OpenWrt LuCI web interface and under ''​Network > Interfaces''​ I ''​Added a new interface...''​ which I named NETNAME that was of Protocol ''​unmanaged''​ and covered the NETNAME interface. This makes UCI aware of the Tinc network interface but it shouldn'​t try to manage it. 
 + 
 +Then, under ''​Network > Interfaces > NETNAME > Firewall Settings''​ I created or assigned the zone of ''​vpn''​ . 
 + 
 +Next, under ''​Network > Firewall > General Settings > Zones''​ you can edit the vpn zone to enable Inter-Zone Forwarding to/from your lan zone. 
 + 
 +Finally, under ''​Network > Firewall > Traffic Rules''​ you'l need to open the port Tinc is using, 655 by default. The summary table for me reads: "​Tinc-[NETNAME] | Any TCP, UDP From any host in wan To any router IP at port 655 on this device | Accept input"​ 
 + 
 +==== Some Links ==== 
 +  * [[http://​patchwork.openwrt.org/​patch/​1576/​]] -  The start of the Tinc UCI config. 
 +  ​* ​[[http://​www.tinc-vpn.org/​docs/​]] - Tinc documentation.
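Review bot: the subnet-up script has a logic error in its first line: `[ $NODE `uci get tinc.$NETNAME.Name` ] && exit` is missing the `=` that the otherwise identical subnet-down line has. Without the operator the shell sees a two-word test with no comparison, reports an error and returns non-zero, so the `exit` never fires and the script goes on to `route add` the node's own subnet, which is exactly what the paragraph below says it is meant to skip. Suggested form for both scripts: `[ "$NODE" = "$(uci get tinc.$NETNAME.Name)" ] && exit`, quoted so an empty or unset value does not break the test. Two smaller points: the new tinc-up line `ifconfig $INTERFACE $ip` drops the `netmask 255.255.0.0` the old version had, so the interface gets the classful default mask for whatever LAN address uci returns; if that is intended, say so, otherwise add the mask (or a `uci get network.lan.netmask`) explicitly. The Traffic Rules paragraph opens port 655 TCP/UDP "From any host in wan"; when peer addresses are fixed it is worth restricting the source to those hosts, and the paragraph has "you'l" for "you'll" and the tinc-up paragraph still has "some some".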
  
doc/howto/vpn.tinc.1367472163.txt.bz2 · Last modified: 2013/05/02 07:22 by sandymac