(13 intermediate revisions by 3 users not shown) |
https://tinc-vpn.org/images/tinclogo.png

''[https://tinc-vpn.org/ Tinc] is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet.''

It is used in XPUB to create the [[HUB]] VPN: an electronic learning environment, server playground and web publishing platform, consisting of local machines (mainly Raspberry Pis) that sit behind firewalls but, through Tinc, are reachable from outside the firewall.

To add a machine to the HUB we install Tinc from source, because all the machines in the HUB need to run the same version of Tinc.

==Install Tinc Client ==

'''On RaspberryPi / machine that will be joining [[HUB]].'''

Install dependencies:

 sudo apt install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev libncurses5-dev libreadline-dev

Compile <code>Tinc 1.1pre</code>:

 cd ~
 wget https://www.tinc-vpn.org/packages/tinc-1.1pre18.tar.gz
 tar xvf tinc-1.1pre18.tar.gz
 cd tinc-1.1pre18
 ./configure
 make
 sudo make install

Once installed, create the configuration dir:

 sudo mkdir -p /usr/local/etc/tinc/

Tinc is now installed in

 /usr/local/sbin/tinc

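The release is fixed above because every HUB node must run the same Tinc. The script below is an added example (not part of this page or of tinc) that pins that release, refuses to build a tarball whose SHA-256 differs from one you recorded on a node already in the HUB, and audits a list of nodes' <code>tincd --version</code> output for stragglers before a new node joins. It assumes the tinc 1.1 version-line format shown in its comments; the hostnames and version lines in <code>SAMPLE_VERSIONS</code> are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of tinc: pin the release the HUB runs
# and audit that every node reports the same version before a new one joins.
# Assumed: "tincd --version" prints a first line in the tinc 1.1 style
#   "tincd version 1.1pre18 (built Oct 13 2022 19:18:35, protocol 17.7)"
# The hostnames and version lines in SAMPLE_VERSIONS below are constructed.
set -eu

TINC_VERSION="1.1pre18"
TINC_TARBALL="tinc-${TINC_VERSION}.tar.gz"
TINC_URL="https://www.tinc-vpn.org/packages/${TINC_TARBALL}"

# Print "<version> <protocol>" parsed from a --version line; prints nothing if the
# line does not look like tinc output (e.g. "not found" from a Pi without tinc).
parse_tinc_version() {
    printf '%s\n' "$1" \
        | sed -nE 's/^tincd? version ([^ ]+) \(.*protocol ([0-9]+\.[0-9]+)\).*/\1 \2/p' \
        | head -n 1
}

# Download, verify and build the pinned tarball. EXPECTED_SHA256 is the digest you
# recorded from a node that is already in the HUB, so a tampered or silently
# replaced download never reaches ./configure. If the detached signature
# (tinc-<version>.tar.gz.sig) is available, "gpg --verify" it as well.
build_pinned_tinc() {
    expected_sha256=$1
    wget -q "$TINC_URL"
    echo "${expected_sha256}  ${TINC_TARBALL}" | sha256sum -c - || return 1
    tar xzf "$TINC_TARBALL"
    (cd "tinc-${TINC_VERSION}" && ./configure && make && sudo make install)
}

# Read "host<TAB>version line" records on stdin, report every host whose version
# differs from TINC_VERSION and return 1 if there is any such host.
audit_node_versions() {
    mismatches=0
    tab=$(printf '\t')
    while IFS="$tab" read -r host output; do
        [ -n "$host" ] || continue
        parsed=$(parse_tinc_version "$output")
        version=${parsed%% *}
        if [ "$version" != "$TINC_VERSION" ]; then
            echo "$host: ${parsed:-unparseable} (expected $TINC_VERSION)"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Constructed stand-in for:
#   for h in xvm pi-simon ...; do printf '%s\t' "$h"; ssh -n "$h" tincd --version | head -n 1; done
SAMPLE_VERSIONS=$(printf '%s\t%s\n' \
    xvm        'tincd version 1.1pre18 (built Oct 13 2022 19:18:35, protocol 17.7)' \
    pi-simon   'tincd version 1.1pre18 (built Nov  2 2022 09:00:00, protocol 17.7)' \
    pi-new     'tincd version 1.1pre17 (built Apr 21 2019 10:00:00, protocol 17.7)' \
    pi-old     'tincd version 1.0.36 (built Jan 19 2020 15:01:11, protocol 17.3)' \
    pi-missing 'sh: tincd: not found')

# Run the audit over the constructed sample; prints the three stragglers, returns 1.
audit_sample() {
    printf '%s\n' "$SAMPLE_VERSIONS" | audit_node_versions
}
```

In real use, replace <code>SAMPLE_VERSIONS</code> with the output of <code>ssh -n host tincd --version | head -n 1</code> for each node listed in [[HUB#IP_allocation]]; a non-zero exit from <code>audit_node_versions</code> is the signal that a node was not rebuilt after the last version bump.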
==Next steps==

Follow [[XPUB_HUB_New_Nodes]]. The earlier version of that procedure follows.

==Add new tinc Node to [[HUB]] network ==

'''In the Pi'''

On your Pi, create a user with the same username as in the sandbox. Keeping it the same as in the sandbox makes things easier for us and for gnd.

Add your public ssh key to that user's <code>~/.ssh/authorized_keys</code> on the Pi. A quick way to do this from your laptop is:

 cat ~/.ssh/id_rsa.pub | ssh username@local.pi.IP.addr "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

(<code>ssh-copy-id username@local.pi.IP.addr</code> does the same, including the directory and file modes that sshd insists on.)

Install Tinc on the Pi following the instructions above, up to and including the creation of the configuration dir:

 sudo mkdir -p /usr/local/etc/tinc/

* Add your chosen Node name and IP to [[HUB#IP_allocation]]
* Student project IPs: the last number should have 3 digits; the last one allocated is Simon's 10.0.1.103, so you can start from there

Disable password ssh logins to your Pi (allow ssh keys only). Keep the ssh session you are working in open until the last step has succeeded, so a mistake cannot lock you out:
* ensure your laptop's ssh public key is in the Pi's <code>~/.ssh/authorized_keys</code>:
 cat ~/.ssh/authorized_keys
* ensure you can log in to the Pi with your ssh key:
 ssh username@pi.ip.add -i ~/.ssh/id_rsa
* edit <code>/etc/ssh/sshd_config</code>:
 sudo nano /etc/ssh/sshd_config
* find the commented-out <code>PasswordAuthentication</code> line and make it read:
 PasswordAuthentication no
* check the configuration, then reload ssh:
 sudo sshd -t && sudo systemctl reload ssh
* from a second terminal, confirm that a password is no longer accepted (you should get <code>Permission denied (publickey)</code>):
 ssh -o PubkeyAuthentication=no username@pi.ip.add

You end up with the following info:

<pre>
username: nameoftheuser
Node IP: 10.0.0.???
Node name: nameofnode
ssh public key:
ssh-ed25519 ... ... nameoftheuser@laptop
</pre>

'''Staff: In the XVM (xpub server)'''

As root, create an invitation for the node as described in [[HUB#Adding_a_new_thing]]:

 tinc -n hub invite $NAMEOFNODE

This prints an invitation URL. Treat it as a one-time secret: whoever presents it to the server joins the HUB under that node name, so pass it to the student over a private channel, not in a public chat or on the wiki.

'''Back In the Pi'''

Use the invitation to join the network ($INVITE_ADDRESS is the URL from the previous step):

 sudo tinc join $INVITE_ADDRESS

This creates the <code>hub</code> net in <code>/usr/local/etc/tinc/hub/</code>, with this node's own keys and the server's host file.

Add the Pi's chosen Node IP ($NODE.IP.ADDRS) as the subnet this node announces:

 sudo tinc -n hub add subnet $NODE.IP.ADDRS

Edit the <code>tinc-up</code> file in <code>/usr/local/etc/tinc/hub/</code>: comment out the echo line and add the line below. <code>$INTERFACE</code> should remain as is (tincd sets it when it runs the script); <code>$NODE.IP.ADDRS</code> should be replaced with the Node IP, the same address given to <code>add subnet</code> above:

 ifconfig $INTERFACE $NODE.IP.ADDRS netmask 255.255.255.0

* Example tinc-up file:

<source lang="bash">
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.0.0.105 netmask 255.255.255.0
</source>

Start the tincd daemon in the foreground with debugging output (it needs root to create the tun interface):

 sudo tincd -n hub -D -d3

In a new window, ssh again to the Pi and see if you can ping other tinc nodes:

 ping 10.0.0.1

If so, Tinc is running :) yahh

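The address in <code>tinc-up</code> and the one given to <code>tinc -n hub add subnet</code> have to be the same, and both end up inside a script that tincd runs as root. The script below is an added example (not part of this page or of tinc) that derives both from one validated Node IP: it refuses anything that is not a plain dotted quad, writes <code>tinc-up</code>/<code>tinc-down</code> with ip(8) from iproute2 (present on Raspberry Pi OS) instead of the deprecated ifconfig, and prints the matching <code>add subnet</code> command. The /24 prefix is the netmask 255.255.255.0 used above; the file names it writes are tinc's own, the script name is my choice.

```shell
#!/bin/sh
# Added example, not from the wiki page or tinc: generate tinc-up/tinc-down for a HUB
# node from a single NODE_IP, so the address configured on the interface and the
# Subnet announced with "tinc -n hub add subnet" cannot drift apart. Uses ip(8)
# (iproute2) instead of ifconfig; the /24 prefix is the page's netmask 255.255.255.0.
# Run on the Pi as root:
#   sh hub-node-scripts.sh /usr/local/etc/tinc/hub 10.0.0.105
set -eu

HUB_PREFIX_LEN=24

# Accept only a plain dotted quad. The value is written into a script that tincd
# runs as root, so anything else (spaces, ";", "$(...)") is refused outright.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    oldifs=$IFS; IFS=.
    for octet in $ip; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# tincd exports $INTERFACE when it runs these scripts; the node address is baked in.
render_tinc_up() {
    node_ip=$1
    cat <<EOF
#!/bin/sh
# generated for HUB node ${node_ip}; \$INTERFACE is set by tincd
ip link set "\$INTERFACE" up
ip addr add "${node_ip}/${HUB_PREFIX_LEN}" dev "\$INTERFACE"
EOF
}

render_tinc_down() {
    cat <<'EOF'
#!/bin/sh
ip addr flush dev "$INTERFACE"
ip link set "$INTERFACE" down
EOF
}

# Write both scripts into the net directory (e.g. /usr/local/etc/tinc/hub), make them
# executable for tincd, and print the matching "add subnet" command. A bare address
# given to "tinc add subnet" already means a single host; writing /32 explicitly
# makes that visible and keeps the node from announcing the whole /24 by mistake.
install_node_scripts() {
    netdir=$1; node_ip=$2
    valid_ipv4 "$node_ip" || { echo "refusing node IP: $node_ip" >&2; return 1; }
    [ -d "$netdir" ] || { echo "no such tinc net directory: $netdir" >&2; return 1; }
    render_tinc_up "$node_ip" > "$netdir/tinc-up"
    render_tinc_down > "$netdir/tinc-down"
    chmod 755 "$netdir/tinc-up" "$netdir/tinc-down"
    echo "tinc -n $(basename "$netdir") add subnet ${node_ip}/32"
}

if [ $# -eq 2 ]; then
    install_node_scripts "$1" "$2"
fi
```

After running it, execute the printed <code>tinc -n hub add subnet ...</code> line and start tincd as above; <code>tinc-down</code> removes the address again when the daemon stops, which the page's ifconfig-only setup never did.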
=== tincd service file ===

According to the [https://www.tinc-vpn.org/documentation/Linux.html tinc documentation]:

Tinc ships with systemd service files that allow you to start and stop tinc using systemd. There are two service files:
* ''tinc.service'' is used to globally enable or disable all tinc daemons managed by systemd
* ''tinc@netname.service'' is used to enable or disable specific tinc daemons.

These are located in the source directory, in the sub-directory <code>systemd/</code>.

However, these files seem to give some issues, as mentioned in the tinc github: [https://github.com/gsliepen/tinc/issues/133 issue 133], [https://github.com/gsliepen/tinc/issues/168 issue 168]

'''Hence we'll use the ones below, which so far have worked fine.'''

<code>/etc/systemd/system/tinc.service</code>

<pre># This is a mostly empty service, but allows commands like stop, start, reload
# to propagate to all tinc@ service instances.

[Unit]
Description=Tinc VPN
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
After=network.target
Wants=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
# /bin/true is the system no-op; tinc does not install a "true" of its own under /usr/local/sbin
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target</pre>

<code>/etc/systemd/system/tinc@hub.service</code>

<pre>[Unit]
Description=Tinc net %i
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=tinc.service</pre>

Note: in my system tinc was installed inside /usr/local/bin/tinc, /usr/local/bin/tincd and its configuration is in /usr/local/etc/tinc. But this is system specific. Ensure you know where these directories are in your system.

* Enable
** <code>sudo systemctl enable tinc</code>
** <code>sudo systemctl enable tinc@hub</code>
* Start <code>sudo systemctl start tinc@hub</code>
* Check status <code>sudo systemctl status tinc@hub</code>

Note that you don't need to start <code>tinc.service</code> by hand: it is a no-op whose only job is to pull in the <code>tinc@</code> instances at boot (they are <code>WantedBy=tinc.service</code>) and to propagate stop and reload to them (<code>PartOf=</code>), and it is started at boot because it is enabled.

If all is good, we can test by rebooting the system and seeing whether, after a while, tinc@hub is up. You can check that by pinging another node (<code>ping 10.0.0.1</code>, as above) and by checking the status of tinc@hub: <code>sudo systemctl status tinc@hub</code>

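The units above run tincd as root with the full capability set and every device visible. The script below is an added example (not part of this page or of tinc) that installs a systemd drop-in confining <code>tinc@hub.service</code> without touching the unit files. It assumes tincd runs as root (the unit sets no <code>User=</code>), needs <code>/dev/net/tun</code>, <code>CAP_NET_ADMIN</code> for the tun interface and the ip/ifconfig calls in tinc-up, and <code>CAP_NET_BIND_SERVICE</code> because tinc's default port 655 is below 1024; the drop-in file name <code>50-hardening.conf</code> is my choice, and <code>systemd-analyze security</code> needs systemd 240 or later.

```shell
#!/bin/sh
# Added example, not from the wiki page or from tinc: a systemd drop-in that confines
# tincd as started by the tinc@hub.service unit above, without editing that unit.
# Assumed: tincd runs as root (no User= in the unit), needs /dev/net/tun,
# CAP_NET_ADMIN (creating the tun interface, ip/ifconfig in tinc-up) and
# CAP_NET_BIND_SERVICE (tinc's default port 655 is below 1024). The drop-in
# name 50-hardening.conf is my choice. Run as root: sh tinc-hardening.sh apply
set -eu

# The drop-in itself. DevicePolicy=closed hides every device except the basic ones,
# so /dev/net/tun has to be allowed back explicitly. Add CAP_NET_RAW if you use
# BindToInterface in tinc.conf, and drop ProtectKernelTunables if a tinc-up script
# sets sysctl net.ipv4.ip_forward.
render_tinc_hardening() {
    cat <<'EOF'
# Confinement for tincd, applied on top of tinc@.service
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
DevicePolicy=closed
DeviceAllow=/dev/net/tun rw
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
EOF
}

# Write the drop-in for UNIT under SYSDIR/UNIT.d/ and print its path.
install_tinc_hardening() {
    unit=${1:-tinc@hub.service}
    sysdir=${2:-/etc/systemd/system}
    dropin="$sysdir/$unit.d/50-hardening.conf"
    mkdir -p "$(dirname "$dropin")"
    render_tinc_hardening > "$dropin"
    chmod 644 "$dropin"
    echo "$dropin"
}

# Activate it and check: systemd only reads new drop-ins after daemon-reload, the
# restart applies the sandbox, and the ping proves the VPN still comes up under it.
apply_tinc_hardening() {
    unit=${1:-tinc@hub.service}
    install_tinc_hardening "$unit" >/dev/null
    systemctl daemon-reload
    systemctl restart "$unit"
    systemctl show -p CapabilityBoundingSet "$unit"
    systemd-analyze security "$unit" | tail -n 1
    ping -c 3 10.0.0.1
}

if [ "${1:-}" = "apply" ]; then
    apply_tinc_hardening "${2:-tinc@hub.service}"
fi
```

If tincd fails to start after the restart, <code>journalctl -u tinc@hub</code> will show which operation was refused; relax that single directive rather than removing the drop-in, and re-run <code>systemd-analyze security tinc@hub.service</code> to see what the change cost.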
==Enable SSH to tinc node==

Add a new entry to your laptop's <code>~/.ssh/config</code> by following this template:

<pre>
Host hub.PI_NAME
    User yourname
    Hostname 10.0.0.10?
    ProxyJump yourname@xpub.nl:2501
    IdentityFile ~/.ssh/id_rsa
    ServerAliveInterval 30
</pre>

Note: <code>ls ~/.ssh</code> to know the filename of the IdentityFile (your private ssh key). <code>ssh -G hub.PI_NAME</code> prints the options ssh will actually use for that host, which is a quick way to check the entry before connecting. The first connection asks you to accept the Pi's host key as seen through the jump host; compare it with the output of <code>ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub</code> run on the Pi itself.

'''XPUB Staff''' will need to send gnd, for each node:
* Tinc node IP
* username
* user Public key

So that he can allow ssh of that user to the new Tinc node.

==Enable HTTP to tinc node==
* The pi needs to be running a webserver

'''XPUB Staff on XVM''' will need to, as '''root''':
* edit /etc/nginx/sites-available/hub.xpub.nl
* add a new location to the hub.xpub.nl server block:
<pre>
location /nodename/ {
    proxy_pass http://tinc.node.ip.addr/;
    client_max_body_size 200M;
}
</pre>
Write the location with a trailing slash: <code>location /nodename</code> is a prefix match and would also catch <code>/nodename2</code> or <code>/nodenamebackup</code> and send them to this Pi, and with <code>proxy_pass .../</code> it would turn <code>/nodename/x</code> into <code>//x</code>. With <code>location /nodename/</code> the prefix is stripped cleanly (<code>/nodename/x</code> reaches the Pi as <code>/x</code>) and nginx redirects a request for the bare <code>/nodename</code> to <code>/nodename/</code>.
* test the configuration
 nginx -t
* if all good, restart nginx
 systemctl restart nginx
* visit the url https://hub.xpub.nl/nodename/


[[Category:Cookbook]]
[[Category:Tinc]]