
In this tutorial, we’ll guide you through the process of setting up a Tinc VPN service with a static IP. For this demonstration, we’ll assume you have one machine in the cloud with a static IP (referred to as ‘your_server’) and another machine (‘your_client’) located behind multiple NAT firewalls. Tinc is a highly versatile mesh VPN that can be used in various configurations, but we’ll use a simple client-server analogy for this tutorial.
Step 1: Update Your System
Before starting, ensure your system is up-to-date by running the following commands:
sudo apt update && sudo apt upgrade
Step 2: Install Tinc
Install Tinc on your system with the following command:
sudo apt install tinc
Step 3: Configure your_server
First, set up the configuration files and directory structure for ‘your_server’:
sudo mkdir -p /etc/tinc/labnet/hosts
sudo nano /etc/tinc/labnet/tinc.conf
Fill in the config file as follows:
Name = your_server
AddressFamily = ipv4
Interface = tun0
Next, create the host configuration file:
sudo nano /etc/tinc/labnet/hosts/your_server
Replace ‘IP_here’ with the actual static IP:
Address = IP_here
Subnet = 10.0.0.1/32
Generate the keys for ‘your_server’:
sudo tincd -n labnet -K4096
Now, create the script to enable the virtual network:
sudo nano /etc/tinc/labnet/tinc-up
Add the following lines:
#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.1/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE
Create the script to disable the virtual network:
sudo nano /etc/tinc/labnet/tinc-down
Add the following lines:
#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.1/32 dev $INTERFACE
ip link set $INTERFACE down
Make the scripts executable:
sudo chmod 755 /etc/tinc/labnet/tinc-*
If you’re using a firewall, allow traffic on port 655:
On a Debian-based system:
sudo ufw allow 655
For a RHEL or Rocky Linux system:
sudo firewall-cmd --permanent --zone=public --add-port=655/tcp
sudo firewall-cmd --permanent --zone=public --add-port=655/udp
Please note that you may need to configure firewall rules through your cloud service provider if your machines are hosted on cloud services like AWS.
Step 4: Configure your_client
Repeat the following steps for ‘your_client’ (or additional clients with different subnets):
- Create the same file structure and configuration files with a unique name; for this example we will use ‘your_client’. Be sure to use a unique VPN IP address for the client as well: put the new name in ‘tinc.conf’ and replace 10.0.0.1/32 with 10.0.0.2/32 in the ‘tinc-up’, ‘tinc-down’ and ‘/etc/tinc/labnet/hosts/your_client’ files.
- Generate keys for the client.
- Open port 655 if a firewall is used on the client.
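Steps 3 and 4 create the same four files on every node, and a stray 10.0.0.1 left in a client's tinc-up or hosts file is the most common way these setups break. The POSIX sh helper below is an added example, not part of this tutorial or of tinc itself; the function name gen_tinc_node, the scratch directory and the placeholder public IP 203.0.113.10 are assumptions. It goes one step beyond the text by writing a ConnectTo line for the client, which tinc needs so the NAT'd client dials out to the server.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of tinc: write the per-node files
# from Steps 3 and 4 in one go so server and client configs stay consistent.
# gen_tinc_node ETC_DIR NETNAME NODE_NAME VPN_IP/32 [PUBLIC_ADDR] [CONNECT_TO]
#   PUBLIC_ADDR : static IP for the hosts-file Address line (server only;
#                 empty for a client behind NAT, which has no reachable address)
#   CONNECT_TO  : Name of the node this one dials out to (the client names the
#                 server here; tinc needs it on at least one side of each link)
gen_tinc_node() {
  etc=$1 net=$2 name=$3 vpn_ip=$4 pub=${5:-} peer=${6:-}
  dir="$etc/$net"
  # Accept only an a.b.c.d/32 host address: a typo here would otherwise
  # advertise a whole subnet for this node in the hosts file.
  case $vpn_ip in
    *.*.*.*/32) ;;
    *) echo "vpn_ip must be a /32 host address: $vpn_ip" >&2; return 1 ;;
  esac
  mkdir -p "$dir/hosts" || return 1
  host=${vpn_ip%/32}
  vpn_net="${host%.*}.0/24"    # the /24 that tinc-up routes over the tunnel
  {
    printf 'Name = %s\nAddressFamily = ipv4\nInterface = tun0\n' "$name"
    if [ -n "$peer" ]; then printf 'ConnectTo = %s\n' "$peer"; fi
  } > "$dir/tinc.conf"
  # tincd -n NET -K later appends this node's public key to this hosts file
  {
    if [ -n "$pub" ]; then printf 'Address = %s\n' "$pub"; fi
    printf 'Subnet = %s\n' "$vpn_ip"
  } > "$dir/hosts/$name"
  # $INTERFACE is expanded by tincd at run time, so it stays literal here
  printf '#!/bin/sh\nip link set $INTERFACE up\nip addr add %s dev $INTERFACE\nip route add %s dev $INTERFACE\n' \
    "$vpn_ip" "$vpn_net" > "$dir/tinc-up"
  printf '#!/bin/sh\nip route del %s dev $INTERFACE\nip addr del %s dev $INTERFACE\nip link set $INTERFACE down\n' \
    "$vpn_net" "$vpn_ip" > "$dir/tinc-down"
  chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# Constructed demo in a scratch directory (for real use pass /etc and run as root).
# your_server: static public IP (documentation placeholder 203.0.113.10).
# your_client: behind NAT, so no Address line, and it dials your_server.
demo=${TMPDIR:-/tmp}/tinc-demo.$$
gen_tinc_node "$demo/your_server" labnet your_server 10.0.0.1/32 203.0.113.10 ""
gen_tinc_node "$demo/your_client" labnet your_client 10.0.0.2/32 "" your_server
cat "$demo/your_server/labnet/tinc.conf" "$demo/your_client/labnet/tinc.conf" \
    "$demo/your_server/labnet/hosts/your_server" "$demo/your_client/labnet/hosts/your_client"
```

After generating the files, the key generation, key exchange and firewall steps of the tutorial still apply unchanged on each node.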
Step 5: Distribute Keys
Next we need to distribute the keys we generated earlier between the machines; we will use scp (secure copy) to do this.
First, copy the your_server key file to your_client, running this from the your_client machine:
sudo scp userhere@public_ip_here:/etc/tinc/labnet/hosts/your_server /etc/tinc/labnet/hosts/
Then copy the your_client key file to your_server. For this example your_client does not have a public IP, so for simplicity we again run the transfer from the your_client machine:
scp /etc/tinc/labnet/hosts/your_client userhere@public_ip_here:/tmp
Then run the following command on the your_server machine:
sudo mv /tmp/your_client /etc/tinc/labnet/hosts/
Step 6: Test the Connection
Test the connection with:
sudo tincd -n labnet -D -d3
Step 7: Auto-start Tinc VPN
Enable Tinc VPN to start on boot:
sudo systemctl enable tinc@labnet
To disable Tinc VPN from starting on boot, use:
sudo systemctl disable tinc@labnet
Step 8: Multiple Tinc VPNs
You can run several Tinc VPNs at once by creating a separate directory (one per network name) under /etc/tinc/ for each of them.
To start multiple Tinc networks:
sudo systemctl start tinc@labnet tinc@network2 tinc@network3
The process for setting up additional Tinc clients for a network is straightforward. Ensure each client has a unique IP address, exchange keys, and start the service.