BluVPN:tinc
tinc [1] serves as the backbone mesh network daemon in BluVPN for the time being. In short, the program:
- Creates a virtual network device (the equivalent of, say, eth0)
- Listens for incoming VPN connections
- Connects to configured tinc endpoints (the other servers)
- Keeps a table of MAC addresses and decides where to send a packet with a given destination MAC address (this is what Mode = switch below means)
Getting the packages
Arch Linux
This package is in the AUR (see BluVPN:BGP#Arch for instructions on installing yaourt):
yaourt -S tinc
Debian
Just run
apt-get install tinc
And you're done ;)
Configuring tinc
Files live under /etc/tinc. When tinc is started you tell it which profile to use (tinc calls this a netname; it is the -n option below), so you can have several independent instances running at once.
Substitute the name of the box you are configuring (gamma/bluserv/heretech/...) for <servername> throughout. tinc names may only contain letters, digits and underscores, so a name with a dash or a dot in it will be rejected.
cd /etc/tinc
mkdir -p bluvpn/hosts
cd bluvpn
touch tinc.conf tinc-{down,up} hosts/<servername>
chmod +x tinc-{down,up}
This creates the files we need to begin with. Files and directories:
- bluvpn: The bluvpn profile
- bluvpn/hosts: Folder containing known hosts (We are going to add more files here later, one for each server to connect to)
- tinc.conf: Tinc's main configuration file
- tinc-down: What to do when tinc is going down
- tinc-up: What to do when tinc has started
- bluvpn/hosts/<servername>: Configuration file for your server. This file will be put in all the other tinc endpoints so that they know about you as well.
Alright, let's put something in the files:
tinc.conf
For every server you want to connect to, add a ConnectTo line. This tells tinc to take the initiative and open the connection itself, so list all the servers that are not firewalled away from you (a server that cannot accept incoming connections can still take part, as long as its own ConnectTo lines point at servers that can). You have to find out which servers are active at the time you set this up. Ways to do that:
- 1: Ask people
- 2: Log in to every server and work out what is connected to what
Device = /dev/net/tun tells tinc the path of the device node it uses to create the virtual interface (in this case a tap device). Mode = switch makes tinc behave as a switch rather than a router; routing is handed off to BGP. Do not add a ConnectTo line for your own name.
Name = <servername>
ConnectTo = bluserv
ConnectTo = gamma
ConnectTo = rei
ConnectTo = htech
Device = /dev/net/tun
Mode = switch
tinc-down
#!/bin/sh
# This file closes down the tap device. tincd exports the interface name to the script as $INTERFACE.
ifconfig $INTERFACE down
tinc-up
#!/bin/sh
# The interface is already up, and zebra (from BGP) takes care of addressing, so don't do anything here... :P
hosts/<servername>
The Address is the hostname or IP that the other servers look up whenever they want to connect to you. So, if you have not done so already, find out your external IP address and create a DNS entry that points at it. The port is 655 by default; please do not change it unless you cannot use 655. tinc uses port 655 on both TCP (control connection) and UDP (tunnelled packets), so make sure your firewall lets both in.
Address = <hostname>
Port = 655
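Everything from the mkdir to the hosts file above, as one script. This is an added example, not code from the BluVPN wiki or from tinc itself; it assumes a TINC_ROOT variable (defaulting to a scratch directory so you can dry-run it unprivileged; set TINC_ROOT=/etc/tinc on the real box), the server names gamma/bluserv/rei/htech from the article, and a made-up address gamma.example.net. It also refuses names tinc would not accept, and makes the profile directory root-only because rsa_key.priv will live there.

```shell
#!/bin/sh
# Added example (not code from the BluVPN wiki or from tinc): write the
# bluvpn profile described above from a server name, the address others
# should connect to, and the list of peers to ConnectTo.
# Assumptions: TINC_ROOT defaults to a scratch directory so this can run
# unprivileged as a dry run; set TINC_ROOT=/etc/tinc on the real box.
# Keys are not generated here: run "tincd -n bluvpn -K" afterwards.
set -eu

NETNAME=bluvpn

# mk_profile ROOT NAME ADDRESS PEER... ; prints the profile directory.
mk_profile() {
    root=$1; name=$2; address=$3; shift 3

    # tinc only accepts names made of letters, digits and underscore,
    # so a hostname with a dash or dot is rejected before anything is written.
    case $name in
        ''|*[!A-Za-z0-9_]*)
            echo "invalid tinc Name '$name': use only [A-Za-z0-9_]" >&2
            return 1 ;;
    esac

    dir="$root/$NETNAME"
    mkdir -p "$dir/hosts"

    {
        printf 'Name = %s\n' "$name"
        for peer in "$@"; do
            # Connecting to ourselves makes no sense; skip it if listed.
            if [ "$peer" != "$name" ]; then
                printf 'ConnectTo = %s\n' "$peer"
            fi
        done
        printf 'Device = /dev/net/tun\n'
        printf 'Mode = switch\n'
    } > "$dir/tinc.conf"

    # tinc-up: zebra (BluVPN:BGP) does the addressing, so nothing to do.
    printf '#!/bin/sh\n# Addressing is handled by zebra (see BluVPN:BGP); nothing to do here.\n' \
        > "$dir/tinc-up"
    # tinc-down: take the tap device down. tincd exports INTERFACE to the script.
    printf '#!/bin/sh\n# Close down the tap device.\nifconfig "$INTERFACE" down\n' \
        > "$dir/tinc-down"
    chmod 0755 "$dir/tinc-up" "$dir/tinc-down"

    # Our own host file; "tincd -n bluvpn -K" appends the public key to it.
    printf 'Address = %s\nPort = 655\n' "$address" > "$dir/hosts/$name"

    # Hardening choice made in this example (tinc does not require it): the
    # profile directory will hold rsa_key.priv, so keep it root-only.
    chmod 0700 "$dir"
    echo "$dir"
}

# Dry run into a scratch directory (or TINC_ROOT if set).
ROOT=${TINC_ROOT:-$(mktemp -d)}
mk_profile "$ROOT" gamma gamma.example.net bluserv rei htech
```

Run it with TINC_ROOT=/etc/tinc as root on the real server, then continue with the key generation below; the hosts/gamma file it writes is the one tincd -K appends the public key to.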
Security is key
Now that most of the configuration is in place, let tinc generate a public/private key pair for us.
tincd -n bluvpn -K
This tells tincd to use the bluvpn profile and to generate keys. The first question it asks is where to put the private key; the default (rsa_key.priv inside the profile directory) is fine, so just press Enter. The second question is which file to append the public key to. The default should also be fine, but make sure it points to hosts/<servername>. The private key never leaves this box: tinc creates it readable by root only, so keep it that way and do not copy it anywhere.
Let's talk
Now you have to do a little exchange with the other server owners: trade a copy of your hosts/<servername> file for a copy of everyone else's. The goal is that everyone ends up with exactly the same contents under the hosts/ directory. The files are not published on the wiki, for obvious reasons. Since anyone who gets a host file into that directory gets onto the mesh, check each key you receive with its owner over a channel you trust (read back a fingerprint or hash of the file) before you install it.
Apart from that, note that the network interface will be named after the profile: bluvpn.
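Before copying a received hosts/<name> file into place, a few checks and a fingerprint you can read back to the sender. This is an added example, not code from the BluVPN wiki or from tinc; it assumes tinc 1.0-style host files that carry the public key as a PEM "RSA PUBLIC KEY" block, and the key material in the demo is constructed, not a real key. hosts_digest gives one hash over a whole hosts/ directory, so every owner can confirm they hold identical copies, which is what the section above asks for.

```shell
#!/bin/sh
# Added example, not part of the BluVPN wiki or of tinc itself: sanity-check a
# hosts/<name> file received from another server owner before copying it into
# /etc/tinc/bluvpn/hosts, print a fingerprint of its public key to read back to
# the sender over a trusted channel, and compute one digest of a whole hosts/
# directory so all owners can confirm they hold identical copies.
# Assumption: tinc 1.0 host files carry the key as a PEM "RSA PUBLIC KEY" block.
set -eu

sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# fingerprint FILE: SHA-256 of the public key block only, so a changed
# Address or Port line does not change the value you compare.
fingerprint() {
    sed -n '/^-----BEGIN RSA PUBLIC KEY-----$/,/^-----END RSA PUBLIC KEY-----$/p' "$1" \
        | sha256 | cut -d' ' -f1
}

# check_host FILE: 0 if FILE looks like a usable, safe tinc host file.
check_host() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    # Without an Address line nobody can ConnectTo this host.
    grep -Eq '^[[:space:]]*Address[[:space:]]*=' "$f" \
        || { echo "$f: missing Address line" >&2; return 1; }
    # Exactly one public key block, properly terminated.
    b=$(grep -c '^-----BEGIN RSA PUBLIC KEY-----$' "$f" || true)
    e=$(grep -c '^-----END RSA PUBLIC KEY-----$' "$f" || true)
    [ "$b" = 1 ] && [ "$e" = 1 ] \
        || { echo "$f: expected exactly one RSA PUBLIC KEY block" >&2; return 1; }
    # A private key has no business in a host file; refuse it loudly.
    ! grep -q 'PRIVATE KEY' "$f" \
        || { echo "$f: contains a PRIVATE KEY, do not install it" >&2; return 1; }
    echo "$f OK, key fingerprint $(fingerprint "$f")"
}

# hosts_digest DIR: one hash over "name fingerprint" for every file in DIR.
# Every owner runs this on their hosts/ and the values must all match.
hosts_digest() {
    ( cd "$1" && for f in *; do printf '%s %s\n' "$f" "$(fingerprint "$f")"; done ) \
        | sha256 | cut -d' ' -f1
}

# Demo with a constructed (not real) key block in a scratch directory.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/hosts"
cat > "$DEMO/hosts/gamma" <<'EOF'
Address = gamma.example.net
Port = 655
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAconstructedNotARealKey0000000000000000000000000000000
-----END RSA PUBLIC KEY-----
EOF
check_host "$DEMO/hosts/gamma"
echo "hosts/ digest: $(hosts_digest "$DEMO/hosts")"
```

Run check_host on each file you receive, read the fingerprint back to its owner, and only then copy it into hosts/. Once everyone has exchanged files, compare hosts_digest across the servers: one value that differs means someone is missing a file or holds a different key.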
Starting this at boot
Arch Linux
In Arch Linux there is no init script for tinc, so we have to be creative. This little hack for /etc/rc.local does the job.
/etc/rc.local
Append these lines to the file; do not replace its existing contents with them. Note that tincd backgrounds itself, so "done" here only means it started, not that it reached any peer.
. /etc/rc.conf
. /etc/rc.d/functions
stat_busy "Starting tincd"
if tincd -n bluvpn >/dev/null 2>&1; then
    stat_done
else
    stat_fail
fi
Debian
Debian's init script starts every network listed in /etc/tinc/nets.boot, so add ours:
echo bluvpn >> /etc/tinc/nets.boot
That should do the trick. From then on, use /etc/init.d/tinc start (and stop/restart) to control it.
Testing
Since tinc does not assign any IP addresses itself, the interface comes up without one. So, just for testing, run
tincd -n bluvpn
ifconfig bluvpn 10.159.0.250 netmask 255.255.255.0
(10.159.0.250 is assumed to be free; pick an address no other server is using.) This should bring up the backend subnet and let you ping 10.159.0.1, 10.159.0.2 and all the others. When you are done, stop just this instance with
tincd -n bluvpn -k
(pkill tinc also works, but it kills every tincd on the box, not only the bluvpn one) and that's it :P
Next
Next up is BluVPN:BGP, where we configure the IP address of bluvpn and set up BGP.