Differences
This shows you the differences between two versions of the page.
howtos:network_services:tinc [2014/02/25 20:30 (UTC)] – created tonberry | howtos:network_services:tinc [2014/03/12 14:05 (UTC)] – spelling tonberry | ||
---|---|---|---|
Line 5: | Line 5: | ||
===== Overview ===== | ===== Overview ===== | ||
- | Tinc utilizes asymmetric | + | Tinc utilizes asymmetric |
- | Each node also runs a daemon (or multiple daemons, one for each separate VPN). Daemon listens on set port (default is 655) for incomming | + | Each node also runs a daemon (or multiple daemons, one for each separate VPN). Daemon listens on set port (default is 655) for incoming |
Public key file may contain not only key itself, but also public IP address (and port) of node to which it belongs. If set to, daemon will not wait for connections, | Public key file may contain not only key itself, but also public IP address (and port) of node to which it belongs. If set to, daemon will not wait for connections, | ||
- | Each node has its own IP address (in private address space) which, once the daemon is running, is assigned to virtual network interface. Any traffic | + | Each node has its own IP address (in private address space) which, once the daemon is running, is assigned to virtual network interface. Any traffic |
Important feature of Tinc is that daemon can (and by default does) forward traffic for other nodes, e.g. if nodes A and B are behind NAT and can directly communicate with only node C, which has unrestricted internet access, or even do not know public key of each other, but C knows them both, C will happily forward traffic between/for them. They just need to know IP addresses (in private address space). | Important feature of Tinc is that daemon can (and by default does) forward traffic for other nodes, e.g. if nodes A and B are behind NAT and can directly communicate with only node C, which has unrestricted internet access, or even do not know public key of each other, but C knows them both, C will happily forward traffic between/for them. They just need to know IP addresses (in private address space). | ||
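Review bot: the last row of this hunk states that the daemon "can (and by default does) forward traffic for other nodes" but never tells the reader how to turn that off, so a node with unrestricted internet access (node C in the example) silently relays traffic for every peer it knows; add the tinc.conf option that controls forwarding right next to that sentence. Minor: the second row still reads "Daemon listens on set port", which wants an article ("The daemon listens on the configured port").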
Line 22: | Line 22: | ||
< | < | ||
- | ./configure --prefix=/ | + | # ./configure --prefix=/ |
- | make | + | # make |
- | make install | + | # make install |
</ | </ | ||
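Review bot: all three build commands now carry a root prompt (`#`), but only `make install` needs root; `./configure --prefix=/` and `make` should run as an unprivileged user, which also matches the `$ make DESTDIR=/` prompt added in the next hunk. Suggest `$ ./configure ...`, `$ make`, `# make install`.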
Line 30: | Line 30: | ||
< | < | ||
- | make DESTDIR=/ | + | $ make DESTDIR=/ |
</ | </ | ||
Line 38: | Line 38: | ||
< | < | ||
- | tinc -n VPNtest init node1 | + | # tinc -n VPNtest init node1 |
</ | </ | ||
Line 44: | Line 44: | ||
< | < | ||
- | tinc -c . generate-keys | + | $ tinc -c . generate-keys |
- | mkdir -p VPNtest/ | + | $ mkdir -p VPNtest/ |
- | mv *.priv VPNtest/. | + | $ mv *.priv VPNtest/. |
- | cat rsa_key.pub ecdsa_key.pub > VPNtest/ | + | $ cat rsa_key.pub ecdsa_key.pub > VPNtest/ |
- | rm rsa_key.pub ecdsa_key.pub | + | $ rm rsa_key.pub ecdsa_key.pub |
</ | </ | ||
* Fine-tune configuration in / | * Fine-tune configuration in / | ||
- | <code> | + | <file - tinc.conf> |
Name = node1 | Name = node1 | ||
ConnectTo = node2 | ConnectTo = node2 | ||
Interface = vpnNIC | Interface = vpnNIC | ||
Port = 6655 | Port = 6655 | ||
- | </code> | + | </file> |
* Configure virtual network interface in / | * Configure virtual network interface in / | ||
- | <code> | + | <file - tinc-up> |
#!/bin/sh | #!/bin/sh | ||
ip addr add 192.168.1.1/ | ip addr add 192.168.1.1/ | ||
ip link set vpnNIC up | ip link set vpnNIC up | ||
- | </code> | + | </file> |
* Fine-tune public key file in / | * Fine-tune public key file in / | ||
- | <code> | + | <file - node1> |
Address = <public IP address> [port] | Address = <public IP address> [port] | ||
Subnet = 192.168.1.1/ | Subnet = 192.168.1.1/ | ||
-----BEGIN RSA PUBLIC KEY----- | -----BEGIN RSA PUBLIC KEY----- | ||
... | ... | ||
- | </code> | + | </file> |
* Repeat process on (or for) other nodes, use different names for nodes and different private space IPs. Again, let nodes have each other' | * Repeat process on (or for) other nodes, use different names for nodes and different private space IPs. Again, let nodes have each other' | ||
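Review bot: the key-generation rows switch from the root prompt used for `# tinc -n VPNtest init node1` in the previous hunk to `$` for `tinc -c . generate-keys`, `mv *.priv VPNtest/.` and the `cat ... > VPNtest/` redirection, without saying which directory the reader is in or who must own the resulting VPNtest directory; the private keys end up wherever the shell happens to be. State the working directory, the ownership and the permissions the `.priv` files must keep (readable only by the account the daemon runs as), and keep the `Interface = vpnNIC` name in tinc.conf and the `ip link set vpnNIC up` line in tinc-up in step if either is changed.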
Line 82: | Line 82: | ||
< | < | ||
- | tincd -n VPNtest --debug=5 --logfile=/ | + | # tincd -n VPNtest --debug=5 --logfile=/ |
</ | </ | ||
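Review bot: `--debug=5 --logfile=...` is presented as the way to start the daemon, with no hint that it is a troubleshooting invocation; say that the high debug level is for the first test run and that `--debug` should be dropped (or lowered) once the tunnel works, otherwise the log file grows with detail nobody reads in normal operation.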
Line 98: | Line 98: | ||
< | < | ||
- | tapinstall.exe remove tap0901 | + | C:\path\to\tapinstall.exe remove tap0901 |
</ | </ | ||
Line 104: | Line 104: | ||
< | < | ||
- | tapinstall.exe install OemWin2k.inf tap0901 | + | C:\path\to\tapinstall.exe install OemWin2k.inf tap0901 |
</ | </ | ||
* Device drivers actually seem to come from OpenVPN project. Which is good, because they are signed; Windows are quite hostile towards unsigned drivers lately. | * Device drivers actually seem to come from OpenVPN project. Which is good, because they are signed; Windows are quite hostile towards unsigned drivers lately. | ||
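Review bot: the hedge "actually seem to come from OpenVPN project" should be resolved before this goes out; either confirm where the TAP driver is obtained from and say so, or tell the reader to check the signature on the driver package before running `tapinstall.exe install OemWin2k.inf tap0901`, since the point of the sentence is that a signed driver is what makes the install trustworthy. Also state that `C:\path\to\` is a placeholder for the directory the driver files were unpacked into, and that the `remove tap0901` step in the previous hunk is only needed when an older instance is already present (if that is the intent).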
Line 127: | Line 127: | ||
< | < | ||
- | C: | + | C: |
</ | </ | ||
Line 133: | Line 133: | ||
< | < | ||
- | net start tinc.<VPN name> | + | cmd> |
</ | </ | ||
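Review bot: the right-hand column of this hunk ends at the `cmd>` prompt, so the `net start tinc.<VPN name>` command that the left column had is no longer visible; check that the command survived the edit and, as with the `#`/`$` prompts used for the Linux commands, say what privileges the command prompt needs.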
Line 185: | Line 185: | ||
Save it as e.g. / | Save it as e.g. / | ||
- | <code> | + | <file - rc.local> |
/ | / | ||
- | </code> | + | </file> |
Line 201: | Line 201: | ||
<!-- Please do not modify anything below, except adding new tags.--> | <!-- Please do not modify anything below, except adding new tags.--> | ||
<!-- You must remove the tag-word " | <!-- You must remove the tag-word " | ||
- | {{tag> | + | {{tag> |