docs:guide-user:services:vpn:tinc, revisions compared: 2018/09/23 06:43 ([Some Links] Tags, vgaetera) and 2023/10/28 21:58 ([Tinc] split to docs:guide-user:services:vpn:tinc:start, vgaetera)

====== Tinc ======
==== UCI network/firewall integration ====
The following helped this author achieve a more reliable coexistence between Tinc and the Network/Firewall settings managed by the OpenWrt web interface.
The info below is based on my experience setting up Tinc to route between private LANs.

Because UCI's network management may tear down and rebuild the network or firewall settings, I found it advantageous to apply the UCI Network/Firewall settings to the Tinc-created interfaces as much as possible, to prevent unexpected Tinc VPN failures.
That said, it still isn't 100% reliable for me yet when making significant network changes.
Reboot and verify that the changes come back online as expected.

I've evolved my tinc scripts into the four mostly generic scripts below.
You can get away with less, but for routing between networks these work with minimal thought.

<code bash>
NETNAME="vpn"

# The heredocs are quoted, so ${...} is written literally and only expanded
# when tincd runs the script; tincd exports NETNAME, INTERFACE, NODE and
# SUBNET to these scripts.
cat << "EOF" > /etc/tinc/${NETNAME}/tinc-up
#!/bin/sh
# Give the VPN interface the LAN address and bring the link up.
NETADDR="$(uci get network.lan.ipaddr)"
ip address add "${NETADDR}" dev "${INTERFACE}"
ip link set dev "${INTERFACE}" up
EOF

cat << "EOF" > /etc/tinc/${NETNAME}/tinc-down
#!/bin/sh
ip link set dev "${INTERFACE}" down
EOF

cat << "EOF" > /etc/tinc/${NETNAME}/subnet-up
#!/bin/sh
# Add a route for a peer's subnet, but not for this node's own subnets.
NODENAME="$(uci get tinc.${NETNAME}.Name)"
if [ "${NODE}" != "${NODENAME}" ]
then ip route add "${SUBNET}" dev "${INTERFACE}"
fi
EOF

cat << "EOF" > /etc/tinc/${NETNAME}/subnet-down
#!/bin/sh
NODENAME="$(uci get tinc.${NETNAME}.Name)"
if [ "${NODE}" != "${NODENAME}" ]
then ip route delete "${SUBNET}" dev "${INTERFACE}"
fi
EOF

# tincd executes these scripts directly, so they must be executable.
chmod +x /etc/tinc/${NETNAME}/tinc-up /etc/tinc/${NETNAME}/tinc-down \
         /etc/tinc/${NETNAME}/subnet-up /etc/tinc/${NETNAME}/subnet-down
</code>

Unlike some Tinc howtos for other distributions, I did not have any iptables rules in the ''tinc-up'' script.
The ''uci get network.lan.ipaddr'' extracts the IP address of your LAN interface.
If you've renamed this interface or want a different address, change it here.

The ''uci get tinc.NETNAME.Name'' extracts this host's name from the tinc config.
You need to know this so the ''subnet-up'' script doesn't try to add a route for its own subnet, which already exists.
Versions of tinc newer than 1.0.19 have a better way around this but I don't recall it at the moment.

**NOTE:** I (user mbello, not the author of this guide) followed this entire guide and it worked brilliantly, except for this ''uci get tinc.NETNAME.Name'' command; I had to replace it with ''netname''.

Instead, I went into the OpenWrt LuCI web interface and under ''Network > Interfaces'' I ''Added a new interface...'' which I named NETNAME, with protocol ''unmanaged'', covering the NETNAME interface.
This makes UCI aware of the Tinc network interface, but it shouldn't try to manage it.

Then, under ''Network > Interfaces > NETNAME > Firewall Settings'' I created or assigned the zone ''vpn''.

Next, under ''Network > Firewall > General Settings > Zones'' you can edit the vpn zone to enable Inter-Zone Forwarding to/from your lan zone.

Finally, under ''Network > Firewall > Traffic Rules'' you'll need to open the port Tinc is using, 655 by default.
The summary table for me reads: ''Tinc-[NETNAME] | Any TCP, UDP From any host in wan To any router IP at port 655 on this device | Accept input''

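The same LuCI steps expressed as UCI commands, added here as an example that is not part of the original guide: the function prints a ''uci batch'' script for the unmanaged interface, a zone forwarding to and from ''lan'', and an input rule for the Tinc port from ''wan''. The zone policies (REJECT input/forward, ACCEPT output), the ''device'' option (OpenWrt 21.02+; older releases use ''ifname'') and the function name ''gen_tinc_uci'' are my assumptions, not from the guide.

```shell
#!/bin/sh
# Print a 'uci batch' script reproducing the LuCI steps for one Tinc network.
# Usage: gen_tinc_uci <netname> [port] | uci batch && uci commit
#        then: /etc/init.d/network reload; /etc/init.d/firewall reload
# Assumptions (not from the guide): the zone policies below, and 'device'
# as the interface option (OpenWrt 21.02+; older releases use 'ifname').
gen_tinc_uci() {
    net="${1:?network name required}"
    port="${2:-655}"
    cat <<EOF
set network.${net}=interface
set network.${net}.proto='none'
set network.${net}.device='${net}'
set firewall.${net}=zone
set firewall.${net}.name='${net}'
set firewall.${net}.input='REJECT'
set firewall.${net}.output='ACCEPT'
set firewall.${net}.forward='REJECT'
add_list firewall.${net}.network='${net}'
set firewall.${net}_lan=forwarding
set firewall.${net}_lan.src='${net}'
set firewall.${net}_lan.dest='lan'
set firewall.lan_${net}=forwarding
set firewall.lan_${net}.src='lan'
set firewall.lan_${net}.dest='${net}'
set firewall.tinc_${net}=rule
set firewall.tinc_${net}.name='Tinc-${net}'
set firewall.tinc_${net}.src='wan'
set firewall.tinc_${net}.proto='tcp udp'
set firewall.tinc_${net}.dest_port='${port}'
set firewall.tinc_${net}.target='ACCEPT'
EOF
}
```

Review the printed script before piping it into ''uci batch''; the rule has no ''dest'', so it is an input rule to the router itself, matching the "Accept input" summary line above.
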
**NOTE:** I (user mnlipp, also not the author of this guide) had problems (using Chaos Calmer) with the coexistence of the ''unmanaged'' interface NETNAME (really nice to have in LuCI) and tinc managing that same interface.
An ''unmanaged'' interface isn't completely unmanaged - it is created.
There seems to be a conflict (or race condition) between ''netifd'' trying to create the interface and ''tincd'' attempting to do the same.
Although the interface had been configured properly by ''tinc-up'' (I logged the results), I always found my ''INTERFACE'' to have no address at the end of boot.

I think that ''tincd'' is faster than ''netifd'' and the latter overwrites the settings of the former by re-creating the interface.
I could solve the problem by adding at the beginning of my ''tinc-up'' script:

<code bash>
# Block (up to 15 s) until the ubus object network.interface.INTERFACE appears;
# INTERFACE stands for the name of the UCI interface created above.
ubus -t 15 wait_for network.interface.INTERFACE
</code>

**NOTE:** I (user mnlipp, also not the author of this guide) found that things stopped working with OpenWrt 21.02 (probably 21.0, but I didn't try that).

If you want to be compatible with the new ''network'' configuration (using interfaces and devices) you have to take a different approach.
I don't know if this is the //intended// approach, so I'll keep the explanation to a rough sketch.

  * Create and configure a new bridge device called ''br-NETNAME'', and be sure to check "Bring up empty bridge".
  * Configure ''DeviceType = tap'' for your network.

The job of the up/down scripts is now to attach/detach the tap device to/from the bridge.
Note that PWD is the network's configuration directory.

<code bash>
NETNAME="vpn"

cat << "EOF" > /etc/tinc/${NETNAME}/tinc-up
#!/bin/sh
# tincd runs this from the network's config directory, so the basename of
# PWD is the network name and the bridge is br-<network>.
BRIDGE="br-$(basename "${PWD}")"
# Wait until netifd has created the bridge. POSIX redirection is used here;
# "&>" is a bashism that a plain /bin/sh may not understand.
while ! brctl show "${BRIDGE}" > /dev/null 2>&1
do sleep 1
done
brctl addif "${BRIDGE}" "${INTERFACE}"
ip link set "${INTERFACE}" up
EOF

cat << "EOF" > /etc/tinc/${NETNAME}/tinc-down
#!/bin/sh
BRIDGE="br-$(basename "${PWD}")"
brctl delif "${BRIDGE}" "${INTERFACE}"
ip link set "${INTERFACE}" down
EOF

# tincd executes these scripts directly, so they must be executable.
chmod +x /etc/tinc/${NETNAME}/tinc-up /etc/tinc/${NETNAME}/tinc-down
</code>

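A hardened variant of the bridge ''tinc-up'' above, added here as an example and not taken from the guide or from tinc: it waits for the bridge with a bounded timeout (tincd waits for ''tinc-up'' to finish, so an endless loop stalls it), logs and fails when the bridge never appears, and attaches with ''ip link ... master'' instead of ''brctl''. It assumes tinc's exported ''INTERFACE'' variable and the PWD convention described above; ''wait_for'' and ''attach_to_bridge'' are names I chose.

```shell
#!/bin/sh
# Hardened tinc-up for the bridge setup: bounded wait, no brctl dependency.
# tincd exports INTERFACE and runs this script from the network's config
# directory, so basename "$PWD" yields the network name (e.g. "vpn").

# Poll a command (output discarded) until it succeeds or <seconds> have
# elapsed. Returns 0 on success, 1 on timeout.
# Usage: wait_for <seconds> <command> [args...]
wait_for() {
    _limit=$1; shift
    _waited=0
    while ! "$@" > /dev/null 2>&1; do
        [ "$_waited" -lt "$_limit" ] || return 1
        sleep 1
        _waited=$((_waited + 1))
    done
    return 0
}

# Attach the tap device to the bridge once netifd has created it.
# Usage: attach_to_bridge <bridge> <tap-device> [timeout-seconds]
attach_to_bridge() {
    _br=$1; _dev=$2; _timeout=${3:-15}
    if ! wait_for "$_timeout" ip link show dev "$_br"; then
        logger -t tinc-up "bridge $_br did not appear within ${_timeout}s"
        return 1
    fi
    ip link set dev "$_dev" master "$_br" || return 1
    ip link set dev "$_dev" up
}

# Only act when invoked by tincd (INTERFACE is set); sourcing the file
# for testing is then harmless.
if [ -n "${INTERFACE:-}" ]; then
    attach_to_bridge "br-$(basename "$PWD")" "$INTERFACE" 15 || exit 1
fi
```

A non-zero exit makes tincd log the script failure instead of silently running with an unattached tap device.
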
==== References ====
  * [[http://patchwork.openwrt.org/patch/1576/|The start of the Tinc UCI config]]
  * [[http://www.tinc-vpn.org/docs/|Tinc documentation]]