How to set up Tinc mesh VPN on Ubuntu 18.04 LTS
I've been using tinc for a while now across my Tomato routers. Unlike other VPNs, it's probably one that I use on a daily basis. It allows me to access my LAN from any trusted node without having to maintain a single point of failure or manually connect nodes. As such, I thought it would be useful to follow up my initial article on tinc with a step by step guide on how to set it up on Ubuntu 18.04 LTS (Bionic Beaver).
As such, in this how to guide, we'll be covering how to connect 2 Ubuntu boxes on a private LAN through the tinc Virtual Private Network (VPN) software. In this case, we'll be using Ubuntu 18.04 LTS (Bionic Beaver)
The key advantage of using tinc is that it'll automatically configure all your nodes as soon as you connect a new one, effectively creating a mesh network of VPN endpoints. This also means that if one of the nodes fails, your remaining nodes in the mesh should continue to function without any issues. If you followed my initial how to on using tinc on Tomato, you'll be able to add a Ubuntu node to your existing tinc setup.
Prerequisites
In order to complete this tutorial, you'll need 2 Ubuntu Linux machines:
- ams.florianjensen.com (ams)
- sfo.florianjensen.com (sfo)
Both of these machines are connected to the internet and are able to reach eachother.
The Goal
Our goal is to have both of these machines talk to each-other through a private network as if they were on the same LAN, thanks to tinc. As the connection is encrypted, this will allow your services across these 2 nodes to talk to each other in a secure fashion without you having to worry about encryption as it's effectively on a private network.
We'll have both nodes connect to each other on startup.
Install tinc
So let's get started by installing tinc on all the machines.
sudo apt-get update
sudo apt-get install tinc
It's as easy as that. Next up is the hard part, configuration.
Configuring tinc
One of the great features of tinc is that you can configure multiple VPNs with ease, by using multiple network names (netnames). As such, you can have multiple folders with different network configurations running on multiple interfaces. Simples.
For simplicity sake in this example, let's call our network netname
.
Configure ams
Let's start off with configuring the ams node.
sudo mkdir -p /etc/tinc/netname/hosts
Now let's edit tinc.conf:
sudo vi /etc/tinc/netname/tinc.conf
Let's add the following lines:
Name = ams
AddressFamily = ipv4
Interface = tun0
That's it. This will simply name the node ams and will use IPv4 on tun0. Save and quit the file.
Next up we'll create the ams host file configuration.
sudo vi /etc/tinc/netname/hosts/ams
Add the following lines to it (substitute the public IP address of your server here):
Address = ams_public_IP
Subnet = 10.0.0.1/32
This file will tell the mesh network what the host will serve. In the case above, it will only serve the IP address 10.0.0.1/32. Save and quit that file too.
Next up, we'll need to create a public/private key pair. We can do this by executing:
sudo tincd -n netname -K4096
This creates the private key (/etc/tinc/netname/rsa_key.priv) and appends the public key to the ams hosts configuration file that we recently created (/etc/tinc/netname/hosts/ams).
Next, we'll need to create a tinc-up
file. This will execute every time the netname
VPN is launched.
sudo vi /etc/tinc/netname/tinc-up
We'll just add a single line:
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0
This will tell our machine to configure the interface with the IP address 10.0.0.1
when it launches.
Next up we'll add a script to clean everything up when the VPN shuts down.
ifconfig $INTERFACE down
Lastly, we'll need to make sure these scripts are executable.
sudo chmod 755 /etc/tinc/netname/tinc-*
That's it for now on the ams
node.
Configure sfo
This part is very similar to the one above, mainly just changing the IP address. As such, I'll just share the commands needed.
sudo mkdir -p /etc/tinc/netname/hosts
sudo vi /etc/tinc/netname/tinc.conf
Here we'll add:
Name = sfo
AddressFamily = ipv4
Interface = tun0
ConnectTo = ams
This will ask tinc to connect to our previously configured ams node.
Next up, we'll configure sfo too.
sudo vi /etc/tinc/netname/hosts/sfo
Here we'll add:
Address = sfo_public_IP
Subnet = 10.0.0.2/32
And we'll generate keys once more:
sudo tincd -n netname -K4096
And create the launch files:
sudo vi /etc/tinc/netname/tinc-up
adding:
ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0
and:
sudo vi /etc/tinc/netname/tinc-down
adding:
ifconfig $INTERFACE down
That's it for this node.
Sharing the keys
In order for our 2 hosts to trust each other, we'll need to share the keys and configuration files.
On ams
:
scp /etc/tinc/netname/hosts/ams user@sfo:/tmp/
Next up, on sfo
:
sudo cp /tmp/ams /etc/tinc/netname/hosts/
Now let's do the same the other way around on sfo
:
scp /etc/tinc/netname/hosts/sfo user@ams:/tmp/
Again, let's put it in the right place on ams:
sudo cp /tmp/sfo /etc/tinc/netname/hosts/
Test the configuration
The moment of truth has come. Let's see if the configuration works.
On each node, simply run:
sudo tincd -n netname -D -d3
You should now be able to ping both nodes, from each other.
Launch the service
Once you're done testing, simply run the following command to launch the service.
systemctl enable tinc@netname
That's it
That is it. You should now have a running tinc service and should be able to communicate between your two nodes, ams
and sfo
.
Enjoy your private tinc mesh network!