Tinc server

  • This how-to describes the method for setting up Tinc server on OpenWrt.
  • Follow Tinc client for client setup and Tinc extras for additional tuning.
  • Encrypt your internet connection to enforce security and privacy.
    • Prevent traffic leaks and spoofing on the client side.
  • Bypass regional restrictions using commercial providers.
    • Escape client side content filters and internet censorship.
  • Access your LAN services remotely without port forwarding.

Install the required packages. Specify configuration parameters for VPN server.

# Install packages
opkg update
opkg install tinc
 
# Configuration parameters
VPN_IF="vpn"
VPN_PORT="655"
VPN_ADDR="192.168.9.1/24"
VPN_ADDR6="fd00:9::1/64"

Generate and exchange keys between server and client.

# Generate keys
mkdir -p /etc/tinc/${VPN_IF}
tinc -n ${VPN_IF} generate-rsa-keys < /dev/null
tinc -n ${VPN_IF} generate-ed25519-keys < /dev/null
VPN_SPUB="$(sed -e "s/^.*\s//" /etc/tinc/${VPN_IF}/ed25519_key.pub)"
VPN_CPUB="$(sed -e "s/^.*\s//" client.pub)"

Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${VPN_IF}"
uci add_list firewall.lan.network="${VPN_IF}"
uci -q delete firewall.tinc
uci set firewall.tinc="rule"
uci set firewall.tinc.name="Allow-Tinc"
uci set firewall.tinc.src="wan"
uci set firewall.tinc.dest_port="${VPN_PORT}"
uci set firewall.tinc.proto="tcp udp"
uci set firewall.tinc.target="ACCEPT"
uci commit firewall
service firewall restart

Configure VPN service.

# Configure VPN service
uci -q delete tinc.${VPN_IF}
uci set tinc.${VPN_IF}="tinc-net"
uci set tinc.${VPN_IF}.enabled="1"
uci set tinc.${VPN_IF}.Interface="${VPN_IF}"
uci set tinc.${VPN_IF}.Name="server"
uci -q delete tinc.server
uci set tinc.server="tinc-host"
uci set tinc.server.enabled="1"
uci set tinc.server.net="${VPN_IF}"
uci set tinc.server.Name="server"
uci set tinc.server.PublicKey="1"
uci set tinc.server.Ed25519PublicKey="${VPN_SPUB}"
uci add_list tinc.server.Subnet="0.0.0.0/0"
uci add_list tinc.server.Subnet="::/0"
uci -q delete tinc.client
uci set tinc.client="tinc-host"
uci set tinc.client.enabled="1"
uci set tinc.client.net="${VPN_IF}"
uci set tinc.client.Name="client"
uci set tinc.client.PublicKey="1"
uci set tinc.client.Ed25519PublicKey="${VPN_CPUB}"
uci add_list tinc.client.Subnet="${VPN_ADDR%.*}.2/32"
uci add_list tinc.client.Subnet="${VPN_ADDR6%:*}:2/128"
uci commit tinc
service tinc restart

Set up VPN interface.

# Configure network
uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="static"
uci set network.${VPN_IF}.ipaddr="${VPN_ADDR}"
uci set network.${VPN_IF}.ip6addr="${VPN_ADDR6}"
uci set network.${VPN_IF}.device="${VPN_IF}"
uci commit network
service network restart

Establish the VPN connection. Verify your routing with traceroute and traceroute6.

traceroute openwrt.org
traceroute6 openwrt.org

Check your IP and DNS provider.

Collect and analyze the following information.

# Restart services
service log restart; service tinc restart; sleep 10
 
# Log and status
logread -e tinc; netstat -l -n -p | grep -e tinc
 
# Runtime configuration
pgrep -f -a tinc
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
 
# Persistent configuration
uci show network; uci show firewall; uci show tinc
head -v -n -0 /etc/tinc/*/*/*
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/10/29 20:05
  • by vgaetera