How to install and configure tinc VPN on Linux

Tinc is open-source VPN software with a number of powerful features not found in other VPN solutions. For example, tinc allows peers behind NAT to communicate with one another via VPN directly, not through a third party. Other features include full IPv6 support and path MTU discovery.

In this tinc example, I will show you how to set up a VPN connection between two hosts via tinc. Let’s call these hosts “alice” and “bob” respectively. Note that these are just symbolic names used by tinc, not necessarily hostnames. In this example, I assume that host “bob” will initiate a VPN connection to host “alice”.

First, install tinc on both hosts:

For a CentOS system, first set up the RPMforge repository, then install the package:

$ sudo yum install tinc -y

For a Debian/Ubuntu system:

$ sudo apt-get install tinc

Now, let’s go ahead and configure tinc VPN on both hosts as follows.

On host “alice”, do the following.

$ sudo mkdir -p /etc/tinc/myvpn/hosts

Then create a tinc configuration file called tinc.conf, and host configuration file(s) as follows.

$ sudo vi /etc/tinc/myvpn/tinc.conf
Name = alice
AddressFamily = ipv4
Interface = tun0

In the above example, the directory “myvpn” under /etc/tinc is the name of the VPN network to be established between alice and bob. The VPN name can be any alphanumeric name that does not contain “-”. In the tinc.conf example, the “Name” field is the name of the local tinc host, which does not have to be its actual hostname; you can choose any generic name.

Next, create host configuration files which contain host-specific information.

$ sudo vi /etc/tinc/myvpn/hosts/alice
Address = 1.2.3.4
Subnet = 10.0.0.1/32

The name of the host configuration file (e.g., alice) should be the same as the one you defined in tinc.conf. The “Address” field indicates a globally routable public IP address associated with alice. This field is required for at least one host in a given VPN network so that other hosts can initiate VPN connections to it. In this example, alice will serve as the bootstrapping server, and so has a public IP address (e.g., 1.2.3.4). The “Subnet” field indicates the VPN IP address to be assigned to alice.

The next step is to generate public/private keys.

$ sudo tincd -n myvpn -K4096

The above command will generate 4096-bit public/private keys for host “alice”. The private key will be stored as /etc/tinc/myvpn/rsa_key.priv, and the public key will be appended to /etc/tinc/myvpn/hosts/alice.

Next, configure the scripts that tinc runs right after the daemon starts (tinc-up) and right before it terminates (tinc-down).

$ sudo vi /etc/tinc/myvpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0
$ sudo vi /etc/tinc/myvpn/tinc-down
#!/bin/sh
ifconfig $INTERFACE down
$ sudo chmod 755 /etc/tinc/myvpn/tinc-*

Now the tinc configuration for host “alice” is done. Similar to alice, configure tinc on host “bob” as follows.

$ sudo mkdir -p /etc/tinc/myvpn/hosts
$ sudo vi /etc/tinc/myvpn/tinc.conf
Name = bob
AddressFamily = ipv4
Interface = tun0
ConnectTo = alice

In the above, note that unlike host “alice”, bob’s tinc.conf has a “ConnectTo” field, since host “bob” will initiate a VPN connection to host “alice” when the tinc daemon on bob comes up.

$ sudo vi /etc/tinc/myvpn/hosts/bob
Subnet = 10.0.0.2/32
$ sudo tincd -n myvpn -K4096

Similarly, bob’s private key will be stored as /etc/tinc/myvpn/rsa_key.priv, and its public key will be appended to /etc/tinc/myvpn/hosts/bob.

$ sudo vi /etc/tinc/myvpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0
$ sudo vi /etc/tinc/myvpn/tinc-down
#!/bin/sh
ifconfig $INTERFACE down
$ sudo chmod 755 /etc/tinc/myvpn/tinc-*

Once you are done with configuring tinc on all hosts as above, copy each host’s public key file onto the other host:

On host “alice”:

$ scp /etc/tinc/myvpn/hosts/alice root@bob:/etc/tinc/myvpn/hosts/

On host “bob”:

$ scp /etc/tinc/myvpn/hosts/bob root@alice:/etc/tinc/myvpn/hosts/

Finally, start the tinc daemon on both hosts as follows. Since host “bob” initiates the VPN connection, you will need to start the tinc daemon on host “alice” first, and then on host “bob”.

$ sudo tincd -n myvpn

The two hosts should now be able to talk to each other via the VPN IP addresses assigned to them.
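Before starting tincd it is worth checking that the network directory is consistent with what was set up above: the Name in tinc.conf has a matching host file carrying the appended public key, the private key is not readable by other users, every ConnectTo peer has an Address to dial, and tinc-up/tinc-down are executable. The following POSIX shell script is an added example, not part of the original tutorial or the tinc project; the function names check_tinc_net and make_fixture are mine, and make_fixture builds a constructed copy of bob’s configuration with a placeholder key block so the check can be tried offline.

```shell
#!/bin/sh
# Pre-flight check for a tinc network directory such as /etc/tinc/myvpn.
# Usage: check_tinc_net DIR  -> prints each problem found, returns 0 if none.
check_tinc_net() {
    dir=$1; rc=0; conf="$dir/tinc.conf"
    [ -f "$conf" ] || { echo "$conf: missing"; return 1; }
    # Name = <local node name>; it must match a file under hosts/ and contain no '-'
    name=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$name" ] || { echo "tinc.conf: no Name field"; return 1; }
    case $name in *-*) echo "tinc.conf: Name '$name' must not contain '-'"; rc=1 ;; esac
    # The local host file must carry the public key that tincd -K appends to it
    if ! grep -q 'BEGIN RSA PUBLIC KEY' "$dir/hosts/$name" 2>/dev/null; then
        echo "hosts/$name: missing or has no public key (run: tincd -n NET -K)"; rc=1
    fi
    # The private key must exist and be readable by its owner only
    if [ ! -f "$dir/rsa_key.priv" ]; then
        echo "rsa_key.priv: missing"; rc=1
    elif [ "$(ls -l "$dir/rsa_key.priv" | cut -c5-10)" != "------" ]; then
        echo "rsa_key.priv: readable by group/other, fix with chmod 600"; rc=1
    fi
    # Every ConnectTo peer needs a host file with a routable Address to dial
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$conf"); do
        grep -q '^[[:space:]]*Address[[:space:]]*=' "$dir/hosts/$peer" 2>/dev/null ||
            { echo "hosts/$peer: ConnectTo target has no Address field"; rc=1; }
    done
    # tincd executes tinc-up/tinc-down itself, so they must be executable
    for s in tinc-up tinc-down; do
        [ -x "$dir/$s" ] || { echo "$s: missing or not executable"; rc=1; }
    done
    return $rc
}

# Constructed fixture mirroring bob's configuration from this tutorial; the key
# block is placeholder text, not a real key, so the check can be tried offline.
make_fixture() {
    d=$1; mkdir -p "$d/hosts"
    printf 'Name = bob\nAddressFamily = ipv4\nInterface = tun0\nConnectTo = alice\n' > "$d/tinc.conf"
    printf 'Subnet = 10.0.0.2/32\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' > "$d/hosts/bob"
    printf 'Address = 1.2.3.4\nSubnet = 10.0.0.1/32\n' > "$d/hosts/alice"
    printf '#!/bin/sh\nifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0\n' > "$d/tinc-up"
    printf '#!/bin/sh\nifconfig $INTERFACE down\n' > "$d/tinc-down"
    chmod 755 "$d/tinc-up" "$d/tinc-down"
    : > "$d/rsa_key.priv"; chmod 600 "$d/rsa_key.priv"
}

# Run against a real network directory when one is given, e.g. ./check.sh /etc/tinc/myvpn
if [ -n "${1:-}" ]; then check_tinc_net "$1"; fi
```

On a real host the same check applies to alice’s directory, where tinc.conf has no ConnectTo and the loop over peers simply does nothing.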
