Tinc
Tinc provides an open-source L2/L3 VPN implementation.
Key management
Tinc relies on public-key cryptography. A private and public key pair is generated for each peer, and only the public keys are exchanged between peers. The private key should never leave the peer on which it was generated.
Configuration
The Tinc init script combines the UCI settings and the contents of the /etc/tinc directory into a full configuration located in the /tmp/tinc directory.
The Tinc UCI config contains two types of sections:
| UCI section | Mapped config | Generated config | Description |
|---|---|---|---|
| tinc-net | /etc/tinc/<NETNAME> | /tmp/tinc/<NETNAME>/tinc.conf | Defines the VPN network settings. |
| tinc-host | /etc/tinc/<NETNAME>/hosts/<NODENAME> | /tmp/tinc/<NETNAME>/hosts/<NODENAME> | Defines the VPN peer settings. |
The Tinc keys generated by default:
| Key file | Description |
|---|---|
| /etc/tinc/<NETNAME>/ed25519_key.priv | Ed25519 private key. |
| /etc/tinc/<NETNAME>/ed25519_key.pub | Ed25519 public key. |
| /etc/tinc/<NETNAME>/rsa_key.priv | RSA private key. |
| /etc/tinc/<NETNAME>/rsa_key.pub | RSA public key. |
Public keys for each peer need to be stored either in UCI host sections or in host files using the same format as the generated keys.
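As an added check, not part of the Tinc project or of this page, the following POSIX shell function audits a Tinc configuration tree laid out as in the tables above: it reports a missing default key pair, flags a private key file readable by group or others, and catches a private key block that was copied into a hosts/<NODENAME> file, which should carry public keys only. The root directory argument, the function name and the report format are assumptions of this example.

```shell
#!/bin/sh
# Audit a Tinc configuration tree laid out as <root>/<NETNAME>/...
# (the root is /etc/tinc on OpenWrt). Prints one line per finding and
# returns 1 if anything was found, 0 for a clean tree. Root path,
# function name and report format are assumptions of this example.
audit_tinc_tree() {
    root="$1"
    findings=0
    for net in "$root"/*/; do
        [ -d "$net" ] || continue
        # Both default private keys must exist and be readable by the owner only.
        for f in ed25519_key.priv rsa_key.priv; do
            if [ ! -f "$net$f" ]; then
                echo "MISSING  $net$f"
                findings=$((findings + 1))
                continue
            fi
            # GNU/busybox stat first, BSD stat as fallback
            mode=$(stat -c '%a' "$net$f" 2>/dev/null || stat -f '%Lp' "$net$f" 2>/dev/null)
            case "$mode" in
                ?00) ;;                                # 600/400/700: owner only
                "")  echo "UNKNOWN  $net$f (stat failed)"; findings=$((findings + 1)) ;;
                *)   echo "PERMS    $net$f mode=$mode"; findings=$((findings + 1)) ;;
            esac
        done
        # Host files carry only public keys; a PRIVATE KEY block there means
        # a peer's private key was copied where it does not belong.
        for h in "$net"hosts/*; do
            [ -f "$h" ] || continue
            if grep -q 'PRIVATE KEY' "$h"; then
                echo "LEAK     $h contains a private key block"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}
# Usage: audit_tinc_tree /etc/tinc
```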