Tinc server
Introduction
- This how-to describes the method for setting up Tinc server on OpenWrt.
- Follow Tinc client for client setup and Tinc extras for additional tuning.
Goals
- Encrypt your internet connection to enforce security and privacy.
- Prevent traffic leaks and spoofing on the client side.
- Bypass regional restrictions using commercial providers.
- Escape client side content filters and internet censorship.
- Access your LAN services remotely without port forwarding.
Command-line instructions
1. Preparation
Install the required packages. Specify configuration parameters for VPN server.
# Install packages opkg update opkg install tinc # Configuration parameters VPN_IF="vpn" VPN_PORT="655" VPN_ADDR="192.168.9.1/24" VPN_ADDR6="fd00:9::1/64"
2. Key management
Generate and exchange keys between server and client.
# Generate keys mkdir -p /etc/tinc/${VPN_IF} tinc -n ${VPN_IF} generate-rsa-keys < /dev/null tinc -n ${VPN_IF} generate-ed25519-keys < /dev/null VPN_SPUB="$(sed -e "s/^.*\s//" /etc/tinc/${VPN_IF}/ed25519_key.pub)" VPN_CPUB="$(sed -e "s/^.*\s//" client.pub)"
3. Firewall
Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.
# Configure firewall uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[1]="wan" uci del_list firewall.lan.network="${VPN_IF}" uci add_list firewall.lan.network="${VPN_IF}" uci -q delete firewall.tinc uci set firewall.tinc="rule" uci set firewall.tinc.name="Allow-Tinc" uci set firewall.tinc.src="wan" uci set firewall.tinc.dest_port="${VPN_PORT}" uci set firewall.tinc.proto="tcp udp" uci set firewall.tinc.target="ACCEPT" uci commit firewall service firewall restart
4. VPN service
Configure VPN service.
# Configure VPN service uci -q delete tinc.${VPN_IF} uci set tinc.${VPN_IF}="tinc-net" uci set tinc.${VPN_IF}.enabled="1" uci set tinc.${VPN_IF}.Interface="${VPN_IF}" uci set tinc.${VPN_IF}.Name="server" uci -q delete tinc.server uci set tinc.server="tinc-host" uci set tinc.server.enabled="1" uci set tinc.server.net="${VPN_IF}" uci set tinc.server.Name="server" uci set tinc.server.PublicKey="1" uci set tinc.server.Ed25519PublicKey="${VPN_SPUB}" uci add_list tinc.server.Subnet="0.0.0.0/0" uci add_list tinc.server.Subnet="::/0" uci -q delete tinc.client uci set tinc.client="tinc-host" uci set tinc.client.enabled="1" uci set tinc.client.net="${VPN_IF}" uci set tinc.client.Name="client" uci set tinc.client.PublicKey="1" uci set tinc.client.Ed25519PublicKey="${VPN_CPUB}" uci add_list tinc.client.Subnet="${VPN_ADDR%.*}.2/32" uci add_list tinc.client.Subnet="${VPN_ADDR6%:*}:2/128" uci commit tinc service tinc restart
5. Network
Set up VPN interface.
# Configure network uci -q delete network.${VPN_IF} uci set network.${VPN_IF}="interface" uci set network.${VPN_IF}.proto="static" uci set network.${VPN_IF}.ipaddr="${VPN_ADDR}" uci set network.${VPN_IF}.ip6addr="${VPN_ADDR6}" uci set network.${VPN_IF}.device="${VPN_IF}" uci commit network service network restart
Testing
Establish the VPN connection. Verify your routing with traceroute and traceroute6.
traceroute openwrt.org traceroute6 openwrt.org
Check your IP and DNS provider.
On router:
- Go to LuCI > Status > Wireguard and look for peer device connected with an IPv4 or IPv6 address and with a recent handshake time
- Go to LuCI > Network > Diagnostics and ipv4 ping client device IP eg. 10.0.0.10
On client device depending on wireguard software:
- Check transfer traffic for tx & rx
- Ping router internal lan IP
- Check public IP address in a browser – https://whatsmyip.com – should see public IP address of ISP for the router
Troubleshooting
Collect and analyze the following information.
# Restart services service log restart; service tinc restart; sleep 10 # Log and status logread -e tinc; netstat -l -n -p | grep -e tinc # Runtime configuration pgrep -f -a tinc ip address show; ip route show table all ip rule show; ip -6 rule show; nft list ruleset # Persistent configuration uci show network; uci show firewall; uci show tinc head -v -n -0 /etc/tinc/*/*/*