Tinc VPN on Turris Omnia

This tutorial walks you through installing Tinc on your Turris Omnia.


With the Turris Omnia being the hot new router, I thought I'd give it a try. That did mean though that I had to get Tinc up and running on it - one of the main reasons why I didn't go for the Ubiquiti Dream Machine Pro.


Installing Tinc

We'll start off in LuCI and head to System > Software. If you've just set up your Turris Omnia, you'll need to update the package lists by hitting Update lists... as otherwise you won't see any packages.

Once you've got the up to date package lists, you can enter tinc in the Filter section and hit enter. This should bring up the following results.

tinc package in LuCI

Just select Install ... and confirm. Tinc has now been installed on your Turris Omnia.

Generate Keys

Now that you have tinc installed, you'll have to generate the keys for this tinc node. All the following commands are run over SSH, so log in to your Turris. In my case, my network is called examplenet, so I'll create a folder for its data: mkdir /etc/tinc/examplenet/.

Please note that the network name doubles as a UCI section name, and UCI section names may only contain letters, digits and underscores, so special characters such as - won't work.

Next I'll generate the keys: tincd --net=examplenet -K. If you didn't create the folder, the key generation will fail. Make sure the resulting private key stays readable by root only (chmod 600 /etc/tinc/examplenet/rsa_key.priv); tincd logs a warning if the private key file has insecure permissions.

Edit configuration file

Tinc normally makes use of a series of files and directories under /etc/tinc/ for its configuration. On OpenWrt much of the configuration has been moved into the uci system, into the file located at /etc/config/tinc. The OpenWrt Tinc init script combines the contents of the tinc uci config with the files in the /etc/tinc directories to generate a full Tinc configuration under /tmp/tinc.

We'll use the /etc/config/tinc file for our basic configuration needs.

You'll notice 2 main sections, one for tinc-net and the other one for tinc-host.

tinc-net

Let's start with replacing the NETNAME with our network name, in my case examplenet. This will need to be done in 3 locations under tinc-net.

Next we'll enable it with option enabled 1 and set a few of the other options. For node lux, the options I have enabled under tinc-net are:

config tinc-net examplenet
        option enabled 1

        list ConnectTo bcn
        option Interface examplenet
        option Mode router
        option Name lux
        option PrivateKeyFile /etc/tinc/examplenet/rsa_key.priv

tinc-host

Under tinc-host, I configured the host itself, lux, and also a second one called bcn to which it'll connect.

Again, here's a summary of my configurations that aren't commented:

config tinc-host lux
        option enabled 1

        option net examplenet

        list Address lux.example.net
        option Compression 0
        option Subnet 10.10.0.0/24

config tinc-host bcn
        option enabled 1

        option net examplenet

        list Address bcn.example.net
        option Compression 0
        option Subnet 10.0.0.0/24

These configurations will be used to generate the Tinc host files normally located at /etc/tinc/NETNAME/hosts/NODENAME.

UCI doesn't seem to have a place to hold the public keys that go in a host config file so you will still be expected to have files with public keys at /etc/tinc/NETNAME/hosts/NODENAME but the other values from the UCI section will be combined when a host file is generated under /tmp/tinc/NETNAME/hosts/NODENAME.

Adding public keys

As such, we'll add the public keys manually to the tinc configuration directory. Let's create the hosts directory: mkdir /etc/tinc/examplenet/hosts and then let's create the host files for lux and bcn in that folder, just containing the keys.

For lux, we generated the key, so it's as easy as: cat /etc/tinc/examplenet/rsa_key.pub > /etc/tinc/examplenet/hosts/lux

For bcn, use your favourite text editor to create a bcn file in the same folder containing that node's public key, copied exactly from its own rsa_key.pub (including the BEGIN and END lines). The Address and Subnet values come from the uci section, so the file only needs the key.
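Because a mis-pasted public key or a world-readable private key are the two things that most often go wrong at this step, here is a small check script you can drop on the router. It is an added example, not part of the original article or of the tinc package; the function names, the default path and the way it reports problems are this example's own choices, and it assumes a BusyBox or GNU stat.

```sh
#!/bin/sh
# Added example (not from the original article): sanity checks on the key
# material and host files that the steps above leave under /etc/tinc/<net>/.

# 0 if FILE holds exactly one PEM RSA public key block, 1 otherwise.
# A host file with a truncated or doubled paste fails this check.
pem_pubkey_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(grep -c '^-----BEGIN RSA PUBLIC KEY-----$' "$f")" -eq 1 ] || return 1
    [ "$(grep -c '^-----END RSA PUBLIC KEY-----$' "$f")" -eq 1 ] || return 1
    return 0
}

# 0 if FILE is readable by its owner only (mode 600 or 400), 1 otherwise.
# tincd still starts with a world-readable private key, it only warns.
private_key_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(stat -c '%a' "$f")" in   # GNU/BusyBox stat
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check NETDIR for a locked-down private key and one valid public key file
# per NODE argument. Prints the first problem found; 0 only if all is well.
tinc_net_ok() {
    netdir="$1"; shift
    if ! private_key_ok "$netdir/rsa_key.priv"; then
        echo "private key missing or not mode 600: $netdir/rsa_key.priv" >&2
        return 1
    fi
    for node in "$@"; do
        if ! pem_pubkey_ok "$netdir/hosts/$node"; then
            echo "no valid public key for node $node in $netdir/hosts/" >&2
            return 1
        fi
    done
    return 0
}

# Run directly as:  sh tinc-check.sh /etc/tinc/examplenet lux bcn
# (with no arguments the script only defines the functions above)
if [ $# -ge 1 ]; then
    tinc_net_ok "$@" && echo "keys ok"
fi
```

Run it after every host file you add; a node whose hosts file is missing or holds anything other than one PEM block will be refused by tincd at connection time, which is much harder to spot in logread than a failed check here.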

Routing

Now that we have our network and node configuration ready, let's add some finishing touches, such as the routing.

tinc-up

In order for the interface to be brought up correctly, we'll add the following tinc-up file in our /etc/tinc/examplenet/ folder. Tinc runs it with $INTERFACE set to the interface name, and the ubus wait relies on the LuCI interface created further down being named the same as the tinc interface (examplenet):

#!/bin/sh
# Wait up to 15 s for netifd to know about the interface
ubus -t 15 wait_for "network.interface.$INTERFACE"
# Give the tunnel the router's LAN address so traffic into the VPN is sourced from it
ip=$(uci get network.lan.ipaddr)
ifconfig "$INTERFACE" "$ip"

tinc-down

Similarly for tinc-down:

#!/bin/sh
ifconfig "$INTERFACE" down

subnet-up

Let's add the routes. In my case, I am routing all of 10.0.0.0/8 over the tunnel as I have networks across this range in my Tinc scope. Note that tinc runs subnet-up once for every subnet it learns about (with $SUBNET and $NODE set), so with a single static route like this the second and later runs will complain that the route already exists; that is harmless.

#!/bin/sh
route add -net 10.0.0.0/8 dev "$INTERFACE"

subnet-down

And let's remove this route when we're done with it:

#!/bin/sh
route del -net 10.0.0.0/8 dev "$INTERFACE"

Executable permissions

We'll need to set permissions to allow these files to be executed.

chmod +x /etc/tinc/examplenet/tinc-up
chmod +x /etc/tinc/examplenet/tinc-down
chmod +x /etc/tinc/examplenet/subnet-up
chmod +x /etc/tinc/examplenet/subnet-down

Create Network in LuCI

Next we'll create the network in LuCI for easier management. Head over to Network > Interfaces and click Add new interface.... I called mine examplenet.

Under protocol select Unmanaged and under interface select Ethernet Adapter: examplenet and confirm.

Then go to Firewall Settings in the popup that opened and create a new zone called vpn.

Firewall settings

Now you'll be able to go to Network > Firewall > General Settings > Zones and allow traffic to be forwarded between this zone and lan. My resulting Firewall Zone configuration is shown in the screenshot.

Next, under Network > Firewall > General Settings > Traffic Rules you'll need to add a rule that accepts incoming connections on port 655 (both TCP and UDP) from the wan zone to the Turris router itself (destination zone Device (input)), so that other tinc nodes can reach the tincd running on it.

In my case, with my router having the IP 10.10.0.254, the configuration looks like the one in the screenshot.
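For readers who prefer to check or apply the firewall settings from the shell rather than LuCI, the two steps above correspond to the following /etc/config/firewall fragment. This is an added example, not the article's own configuration: the zone name vpn, the network name examplenet and port 655 are from the article, while the rule name, the REJECT intra-zone forward policy and the lan<->vpn forwardings are this example's choices.

```uci
# /etc/config/firewall fragment (added example; see the lead-in for what is assumed)

# Zone for the tinc interface. Traffic to and from the router is accepted;
# forwarding between VPN hosts through the router is rejected unless a
# forwarding section below allows it.
config zone
        option name 'vpn'
        list network 'examplenet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Let LAN and VPN hosts reach each other (the subnet-up route does the routing)
config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

# Let other tinc nodes connect to the tincd on the router itself. No 'dest'
# option means the destination is the device (LuCI's "Device (input)").
# If your peers have static addresses, add  list src_ip '<peer address>'
# so only they can reach port 655.
config rule
        option name 'Allow-tinc'
        option src 'wan'
        option proto 'tcpudp'
        option dest_port '655'
        option target 'ACCEPT'
```

After editing the file, apply it with /etc/init.d/firewall reload and confirm with iptables -L zone_wan_input -n that an ACCEPT line for dpt:655 is present for both tcp and udp.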

Wrapping it up

Now all that's left to do is to start Tinc. For this, in LuCI head over to System > Startup and Enable and Start tinc.

You should now be connected to your other nodes through tinc! You can confirm this with logread -e tinc, which should show the connection to bcn being activated, and with ifconfig examplenet, which should show the interface up with the LAN address assigned by tinc-up.

I would not have been able to get this up and running without the great write-up by everyone who contributed to the article here.