Introduction

Here’s an account of the method I used to install tinc on two hosts to establish a VPN between them. For the Windows side, these instructions are an extension of the official windows install instructions. For the Linux side, these instructions are the general instructions contained in the tinc manual applied specifically to an Ubuntu 10.10 system.

In this page I will use names for each computer (Hanford, Omaha) to keep clear which one I’m talking about. These names are arbitrary.

Setup

  • Client “Hanford”
    • OS : Windows 7 Ultimate 64bit
    • Location : Home network behind DSL/Cable NAT
    • Private home network : 192.168.1.0/24
    • Static Private IP : 192.168.1.50
    • Dynamic Public IP : 76.187.12.29
    • Dynamic DNS name : hanford.dyndns.org
    • Able to forward inbound ports? : Yes
    • Tinc VPN IP address : 172.20.20.100
  • Client “Omaha”
    • OS : Ubuntu 10.10 Maverick Meerkat Linux
    • Location : Office network behind NAT
    • Private office network : 10.0.3.0/22
    • Dynamic Private IP : 10.0.3.33
    • Static Public IP : 206.12.20.2
    • Able to forward inbound ports? : No
    • Tinc VPN IP address : 172.20.20.200
  • Other settings
    • Name of the tinc VPN : “vpn”
    • Name of the Windows virtual ethernet adapter : “tincVPN”
    • Network we’ll use for the VPN : 172.20.20.0/24

Client Hanford

  1. Log into http://www.dyndns.com/ and create an account
  2. Create a dyndns host name : “hanford.dyndns.org”
  3. Log into the web interface of your home router and configure port forwading. Here are instructionsfor most every router
  4. Port forward port 655 for UDP and TCP in to the IP address of Hanford : 192.168.1.50
  5. If your router supports dyndns.org names, configure your router with your dyndns account information and dns name : hanford.dyndns.org
    • If your router doesn’t support dyndns, then install the dyndns client on Hanford and configure it to run
    • at all times
  6. Download tinc for Windows
  7. Install tinc into a standard location : C:\Program Files (x86)\tinc
    • I’m running 64bit windows so I selected the “TAP-Win64 Virtual Ethernet Adapter” and de-selected “TAP-Win32 Virtual Ethernet Adapter”
  8. In Windows Click “Start…” “All Programs…” “Accessories…”
  9. Right click “Command Prompt” and in the context menu choose “Run as Administrator”
    • This will allow us to work with the files in Program Files (x86) without being blocked by UAC
  10. In the Command Prompt winow run these commands. These are intended to be copied and pasted into the command window interactively. If you put these into a BAT file, a few changes would be required :
    cd "C:\Program Files (x86)\tinc"
    mkdir vpn
    REM We won't set "ConnectTo" since omaha is behind a NAT and we are unable to forward ports to it
    echo "Name = hanford" > vpn\tinc.conf
    echo "# ConnectTo = omaha" >> vpn\tinc.conf
    echo "Interface = tincVPN" >> vpn\tinc.conf
    mkdir vpn\hosts
    echo "Subnet = 172.20.20.100/32" > vpn\hosts\hanford
    echo "Address = hanford.dyndns.org" >> vpn\hosts\hanford
    REM Next we generate keys for hanford with tincd. Accept the default file locations that tinc suggests (by hitting enter at each prompt)
    tincd -n vpn -K
    
    C:\Program Files (x86)\tinc>tincd -n vpn -K
    Generating 2048 bits keys:
    ........................+++ p
    ......................................................+++ q
    Done.
    Please enter a file to save private RSA key to [C:\Program Files (x86)\tinc/vpn/rsa_key.priv]:
    Please enter a file to save public RSA key to [C:\Program Files (x86)\tinc/vpn/hosts/hanford]:
    
    SET hanfordIP=172.20.20.100
    SET tincVPNSubnet=255.255.255.0
    tap-win64\addtap.bat
    REM Let's find out the name of the interface that addtap just created. Sorry this is so complicated, Windows scripting is weak
    FOR /F "tokens=1 delims=:" %A IN ('ipconfig /all ^| findstr /N "TAP-Win"') DO SET linenum=%A
    SET /A linenum = %linenum% - 3
    FOR /F "tokens=2*" %A IN ('ipconfig /all ^| findstr /N ".*" ^| findstr /B "%linenum%:"') DO set interfaceName=%B
    SET interfaceName=%interfaceName:~0,-1%
    REM Now let's change it to "tincVPN"
    netsh interface set interface name="%interfaceName%" newname="tincVPN"
    netsh interface ip set address name="tincVPN" source=static address=%hanfordIP% mask=%tincVPNSubnet% gateway=none
    
  11. We’ll come back to hanford after setting up omaha to finish the setup

Client Omaha

  1. Install tinc on Ubuntu
    1. If you haven’t enabled the “Universe” repository for Ubuntu which contains “Community maintained open source software”, enable the Universe repository
    2. Run this command
      sudo apt-get install tinc
      
  2. Now run these commands to set everything up :
    omaha=omaha
    hanford=hanford
    cd /etc/tinc
    sudo mkdir -p vpn/hosts
    echo "Name = $omaha" | sudo tee -a vpn/tinc.conf
    echo "ConnectTo = $hanford" | sudo tee -a vpn/tinc.conf
    echo "#Interface =" | sudo tee -a vpn/tinc.conf
    echo "#Mode = switch" | sudo tee -a vpn/tinc.conf
    # Since we can't forward ports into omaha, the "Address" value below is probably unecessary
    echo "Subnet = 172.20.20.200/32" | sudo tee -a vpn/hosts/$omaha
    echo "Address = 206.12.20.2" | sudo tee -a vpn/hosts/$omaha
    # Next we generate keys for omaha with tincd. Accept the default file locations that tinc suggests (by hitting enter at each prompt)
    sudo tincd -n vpn -K
    
    user@omaha:/etc/tinc$ sudo tincd -n vpn -K
    Generating 2048 bits keys:
    .............+++ p
    .............................+++ q
    Done.
    Please enter a file to save private RSA key to [/etc/tinc/vpn/rsa_key.priv]:
    Please enter a file to save public RSA key to [/etc/tinc/vpn/hosts/omaha]:
    
    echo "vpn" | sudo tee -a nets.boot
    echo '#!/bin/sh' | sudo tee -a vpn/tinc-up vpn/tinc-down
    echo 'ifconfig $INTERFACE 172.20.20.200 netmask 255.255.255.0' | sudo tee -a vpn/tinc-up
    echo 'ifconfig $INTERFACE down' | sudo tee -a vpn/tinc-down
    sudo chmod 755 vpn/tinc-up vpn/tinc-down
    

Share keys between clients

  1. At this point you want to share the host configurations containing the public keys you generated on each host with the other host. This will involve either copying files between the hosts, or copy and pasting the contents of the files between hosts. Since the goal of the whole exersise is to establish a VPN between two hosts, you may not have a simple means to copy these files between hosts. An alternative is to email the contents of each file to yourself so that you can copy and paste it.
  2. Copy the file /etc/tinc/vpn/hosts/omaha from omaha to “C:\Program Files (x86)\tinc\vpn\omaha” on hanford
  3. Copy the file “C:\Program Files (x86\tinc\vpn\hanford” from hanford to /etc/tinc/vpn/hosts/hanford on omaha

Start services on each client

Start Services on Hanford

  1. Under Windows, tincd.exe will install itself as a service and start. This way it will always run in the background whenever the client boots. Run this command to install tinc as a service and start it
    tincd -n vpn
    
    C:\Program Files (x86)\tinc>tincd -n vpn
    tinc.vpn service installed
    tinc.vpn service started
    

Start Services on Omaha

  1. Under Linux, the tinc package has installed an init script and enabled it in the various rc.d directories. You can confirm that it’s set to start on boot by running this :
    sudo sysv-rc-conf --list tinc
    
  2. To start the service run :
    sudo service tinc start
    

What if we want to run Centos on the home machine instead of Windows 7

  • Client “Salem”
    • OS : Centos 5.6
    • Location : Home network behind DSL/Cable NAT
    • Private home network : 192.168.1.0/24
    • Static Private IP : 192.168.1.60
    • Dynamic Public IP : 76.187.12.29
    • Dynamic DNS name : salem.dyndns.org
    • Able to forward inbound ports? : Yes
    • Tinc VPN IP address : 172.20.20.150

Client Salem

  1. Install tinc on Centos
    1. Install the repoforge RPM repository
    2. Run this command
      wget -O /tmp/rpmforge-release-0.5.2-2.el5.rf.`uname -i`.rpm http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.`uname -i`.rpm
      sudo rpm -ivh /tmp/rpmforge-release-0.5.2-2.el5.rf.`uname -i`.rpm
      
    3. Install tinc itself
      sudo yum -y install tinc
      
  2. Now run these commands to set everything up :
    sudo mkdir -p /etc/tinc/vpn/hosts
    cd /etc/tinc
    # We won't set "ConnectTo" since omaha is behind a NAT and we are unable to forward ports to it
    echo "Name = salem" | sudo tee -a vpn/tinc.conf
    echo "#ConnectTo = omaha" | sudo tee -a vpn/tinc.conf
    echo "Interface = tincVPN" | sudo tee -a vpn/tinc.conf
    echo "Subnet = 172.20.20.150/32" | sudo tee -a vpn/hosts/salem
    echo "Address = salem.dyndns.org" | sudo tee -a vpn/hosts/salem
    # Next we generate keys for salem with tincd. Accept the default file locations that tinc suggests (by hitting enter at each prompt)
    sudo tincd -n vpn -K
    
    user@salem:/etc/tinc$ sudo tincd -n vpn -K
    Generating 2048 bits keys:
    .............+++ p
    .............................+++ q
    Done.
    Please enter a file to save private RSA key to [/etc/tinc/vpn/rsa_key.priv]:
    Please enter a file to save public RSA key to [/etc/tinc/vpn/hosts/salem]:
    
    echo "vpn" >>nets.boot
    echo '#!/bin/sh' | sudo tee -a vpn/tinc-up vpn/tinc-down
    echo 'ifconfig $INTERFACE 172.20.20.150 netmask 255.255.255.0' | sudo tee -a vpn/tinc-up
    echo 'ifconfig $INTERFACE down' | sudo tee -a vpn/tinc-down
    sudo chmod 755 vpn/tinc-up vpn/tinc-down
    
  3. Now we find an init script and set it to match the rpmforge rpm format. The init script comes from this redhat ticket which is mirrored over on pastebin
    cd /tmp/
    wget -O tinc.init https://bugzilla.redhat.com/attachment.cgi?id=483052
    cat | patch -p0 <<EOF
    --- tinc.init.orig  2011-08-18 17:02:44.000000000 -0700
    +++ tinc.init   2011-08-18 17:02:59.000000000 -0700
    @@ -43,12 +43,9 @@
     #############################################################################
     # configuration & sanity checks
        
    -#TINCD=/usr/sbin/tincd
    -TINCD=/usr/local/sbin/tincd
    -#TCONF=/etc/tinc
    -TCONF=/usr/local/etc/tinc
    -#TPIDS=/var/run
    -TPIDS=/usr/local/var/run
    +TINCD=/usr/sbin/tincd
    +TCONF=/etc/tinc
    +TPIDS=/var/run
     #DEBUG=-dddd
     #DEBUG=
     #DEBUG=--debug=5
    EOF
    sudo install -o root -g root -m 755 tinc.init /etc/init.d/tinc
    rm tinc.init
    

Share keys between clients

  1. At this point you want to share the host configurations containing the public keys you generated on each host with the other host. This will involve either copying files between the hosts, or copy and pasting the contents of the files between hosts. Since the goal of the whole exersise is to establish a VPN between two hosts, you may not have a simple means to copy these files between hosts. An alternative is to email the contents of each file to yourself so that you can copy and past it.
  2. Copy the file /etc/tinc/vpn/hosts/salem from salem to /etc/tinc/vpn/hosts/salem on omaha
  3. Copy the file /etc/tinc/vpn/hosts/omaha from omaha to /etc/tinc/vpn/hosts/omaha on salem

Start services on each client

Start services on Salem

  1. Set tincd to start on boot
    sudo chkconfig tinc on
    
  2. To start the service run :
    sudo service tinc start
    

Troubleshooting

  1. The best way to troubleshoot tinc is to stop the services on both clients, then start them directly to see the output.
  2. On Hanford under Windows run :
    cd "C:\Program Files (x86)\tinc"
    net stop tinc.vpn
    tincd -D -n vpn
    
  3. On Omaha under Linux run :
    sudo service tinc stop
    sudo tincd -D -n vpn