10 Apr, 2011 | Uncategorized

I’ve been using the wonderful OpenVPN for ages to securely connect my work network to my home network. This also had the advantage that I could set up a VPN into my internal network when I was away from home and work.

While it’s a nice system, it was very complicated to set up and I always had issues setting up the routing between the two locations. Once we closed the office location, I didn’t bother with it again because I had no need.

I always wanted to have a VPN to my servers located in the US, and have them linking to each other securely.

OpenVPN has a hub-and-spoke layout, so all communication would need to route through the main server. Not an option for me when I pay for all traffic to and from my mail server (the only Australian server with a large pipe).

Enter Tinc

Tinc solves all these problems. It is a cloud VPN allowing each node to communicate with any other node directly. And it’s dead simple to configure, to boot. Now after just a few hours, I have a VPN between my home network, the network at my old house, the two US servers, and my Australian mail server.

And it’s wonderful! I’ve always been annoyed that I haven’t been able to SCP files from my US servers to my development server inside my home network (I always had to go the other way because of NAT). Now I can!

Setup of Tinc

Here are my setup steps:

In /etc/tinc/netname/tinc.conf:
Name = host1
ConnectTo = host2

In /etc/tinc/netname/tinc-up (must be executable; tinc sets $INTERFACE before running it):
#!/bin/sh
ifconfig $INTERFACE 192.168.XX.1 netmask 255.255.0.0

# Generate the RSA keypair for this host; the public key is appended to hosts/host1
tincd -n netname -K

# Describe this host. Prepend these lines to /etc/tinc/netname/hosts/host1
Address = host1.full.domain.com
Subnet = 192.168.XX.0/24

Start tincd as a service, and you’re all done!

netname is a unique identifier for this VPN. Tinc allows multiple virtual networks and keeps each configuration separate under its own netname.

I’m using 192.168.XX.0/24 as the virtual networks, one subnet per machine/internal network. The Subnet line in the hosts file tells other clients connecting to this computer which address range to add a route for.

Note how the netmask is a /16, whereas each network uses a /24? That way a single route covers the whole VPN, and tinc works out which node each packet should be sent to. And the beauty is that I can have another interface for the local network with the same IP address. It just needs a separate netmask – 192.168.XX.0/24.

The ConnectTo line tells which other hosts this host will directly connect to. If this host doesn’t connect directly, say to host3, tinc will find a route through other hosts that DO connect to host3. Add as many ConnectTo lines as you need.

In Tinc, every node needs a copy of the hosts/hostN file for every other host, but that’s simply kept in sync by placing all files in that directory under version control – git being my tool of choice.
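Because the hosts files and ConnectTo lines are shared by hand through git, they are easy to get inconsistent. The checker below is an added example of mine, not part of tinc: it flags a host file without the public key tincd -K appends, Subnet lines on two nodes that overlap (packets would be routed to the wrong node), and a node that no chain of ConnectTo lines reaches. The host contents, hostnames and key text are constructed sample data; a real run would read each file from the netname’s hosts/ directory and the ConnectTo lines from each node’s tinc.conf.

```python
import ipaddress
import re
KEY_RE = re.compile(r"-----BEGIN RSA PUBLIC KEY-----.*?-----END RSA PUBLIC KEY-----", re.S)

def parse_host_file(text):
    """Return ({option: [values]}, has_key) for the text of one hosts/NAME file."""
    opts = {}
    for line in map(str.strip, KEY_RE.sub("", text).splitlines()):  # drop the key block
        if line and not line.startswith("#") and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            opts.setdefault(k, []).append(v)
    return opts, bool(KEY_RE.search(text))

def check_netname(hosts, connect_to):
    """hosts: {name: text of hosts/name}; connect_to: {name: [peer, ...]}. Returns problems."""
    problems, subnets = [], []
    for name, text in hosts.items():
        opts, has_key = parse_host_file(text)
        if not has_key:
            problems.append(f"{name}: no RSA public key (run tincd -n netname -K)")
        if "Subnet" not in opts:
            problems.append(f"{name}: no Subnet line, other nodes cannot route to it")
        for s in opts.get("Subnet", []):
            subnets.append((name, ipaddress.ip_network(s, strict=False)))
    # Overlapping Subnets on two nodes means packets get delivered to the wrong node.
    for i, (a, net_a) in enumerate(subnets):
        for b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    # tinc relays via intermediate nodes, so the undirected ConnectTo graph must be connected.
    adj = {n: set() for n in hosts}
    for src, peers in connect_to.items():
        for peer in peers:
            if src in hosts and peer in hosts:
                adj[src].add(peer); adj[peer].add(src)
    seen, stack = set(), list(hosts)[:1]
    while stack:
        n = stack.pop()
        seen.add(n)
        stack.extend(adj[n] - seen)
    problems += [f"{n}: no ConnectTo path to the rest of the VPN" for n in hosts if n not in seen]
    return problems

# Constructed sample: host3 reuses host1's subnet, lacks a key, and nothing connects to it.
KEY = "-----BEGIN RSA PUBLIC KEY-----\nMIIB...placeholder...\n-----END RSA PUBLIC KEY-----\n"
SAMPLE_HOSTS = {
    "host1": "Address = host1.example.net\nSubnet = 192.168.10.0/24\n" + KEY,
    "host2": "Address = host2.example.net\nSubnet = 192.168.11.0/24\n" + KEY,
    "host3": "Address = host3.example.net\nSubnet = 192.168.10.0/24\n",
}
SAMPLE_CONNECT_TO = {"host1": ["host2"]}
```

Running check_netname(SAMPLE_HOSTS, SAMPLE_CONNECT_TO) on the sample reports three findings, all about host3; run it as a pre-commit hook on the shared directory and a bad hosts file never reaches the other nodes.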