Tinc: Difference between revisions

From XPUB & Lens-Based wiki
No edit summary
No edit summary
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
https://tinc-vpn.org/images/tinclogo.png
https://tinc-vpn.org/images/tinclogo.png


''[https://tinc-vpn.org/ tinc] is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet.
''[https://tinc-vpn.org/ Tinc] is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet.''
''


And is used in XPUB to create the [[HUB]] VPN - aelectronic learning enviroment, server playground, web publishing platform, consisting of local machines (mainly raspberry pis) that sit behind firewalls,
And is used in XPUB to create the [[HUB]] VPN - an electronic learning enviroment, server playground, web publishing platform, consisting of local machines (mainly raspberry pi's) that sit behind firewalls,
but through tinc are accessible from outside the firewall.
but through Tinc are accessible from outside the firewall.


To add a machine to the HUB, we install Tinc from source. This is because it is required to have all the machines running the same version of Tinc.


==Install Tinc Client ==


==Install tinc Client ==
'''On RaspberryPi / machine that will be joining [[HUB]].'''
On RaspberryPi / machine that will be joining [[HUB]]
 
Install dependencies:


Install dependencies
  sudo apt install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev libncurses5-dev libreadline-dev  
  sudo apt install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev libncurses5-dev libreadline-dev  


Compile <code>Tinc 1.1pre</code>:


Compile Tinc 1.1pre :
  cd ~
 
  cd /usr/src/


  wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
  wget https://www.tinc-vpn.org/packages/tinc-1.1pre18.tar.gz


  tar xvf tinc-1.1pre17.tar.gz
  tar xvf tinc-1.1pre18.tar.gz


  cd tinc-1.1pre17
  cd tinc-1.1pre18


  ./configure
  ./configure
Line 38: Line 38:
  /usr/local/sbin/tinc
  /usr/local/sbin/tinc


==Next steps==


==Add new tinc Node to [[HUB]] network ==
Follow [[XPUB_HUB_New_Nodes]].
 
'''In the Pi'''
 
In your Pi's create a user with same username as in the sandbox. Keeping it the same as in the sandbox - will make things easier for us and gnd
 
Add your public ssh key to your username in the Pi (same as mentioned) to ~/.ssh/authorized_keys
There is a trick to do this with
cat ~/.ssh/id_rsa.pub | ssh local.pi.IP.addr "cat >> ~/.ssh/authorized_keys"
 
Install Tinc on the Pis Instructions can be found here [[Tinc]], until the creation creation of the configuration dir:
sudo mkdir -p /usr/local/etc/tinc/
 
* Add your chosen Node name and IP to [[HUB#IP_allocation]]
* Student project IPs last number should have 3 digits, last one is Simon's 10.0.1.103, so you can start from there
 
Disable ssh to your pi with password (allow ssh key only), by:
* ensuring you laptops ssh public key is in your pi ~/.ssh/authorized_keys:
cat  ~/.ssh/authorized_keys
* ensuring you can login to the Pi with ssh key:
ssh username@pi.ip.add -i ~/.ssh/id_rsa
* edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
* and uncomment the line:
#PasswordAuthentication no
to:
PasswordAuthentication no
* reload ssh:
sudo systemctl reload ssh
 
You up with the following info:
 
<pre>
username: nameoftheuser
Node IP: 10.0.0.???
Node name: nameofnode
ssh public key:
ssh-ed25519 ... ... nameoftheuser@laptop
</pre>
 
'''Staff: In the XVM (xpub server)'''
 
As root:
 
create an invitation node the node as described in [[HUB#Adding_a_new_thing]]
 
tinc -n hub invite $NAMEOFNODE
 
Which will generate an invitation address
 
 
'''Back In the Pi'''
 
User invitation to join the network ($INVITE_ADDRES)
 
  sudo tinc join $INVITE_ADDRES
 
Add the pi to the hub network under the chosen Node IP ($NODE.IP.ADDRS):
 
  sudo tinc -n hub add subnet $NODE.IP.ADDRS
 
edit the tinc-up file in /usr/local/etc/tinc/hub/: commenting the echo line and adding the line:
* Note: $INTERFACE should remain as is; $NODE.IP.ADDRS should be replace with the Node IP
  ifconfig $INTERFACE $NODE.IP.ADDRS netmask 255.255.255.0
* Example tinc-up file:
<source lang="bash">
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.0.0.105 netmask 255.255.255.0
</source>
 
Start tincd daemon:
tincd -n hub -D -d3
 
In new window, ssh again to the pi and see if you can ping other tinc nodes:
ping 10.0.0.1
 
If so Tinc is running :) yahh
 
 
 
=== tincd service file ===
 
According to [https://www.tinc-vpn.org/documentation/Linux.html tinc documentation]
 
Tinc ships with systemd service files that allow you to start and stop tinc using systemd. There are two service files:
* ''tinc.service'' is used to globally enable or disable all tinc daemons managed by systemd
* ''tinc@netname.service'' is used to enable or disable specific tinc daemons.
 
These are located in the source directory, in the sub-directory <code>systemd/</code>
 
However this files, seem to give some issues, as metioned in the tinc github: [https://github.com/gsliepen/tinc/issues/133 issue 133], [https://github.com/gsliepen/tinc/issues/168 issue 168]
 
'''Hence we'll us the ones bellow that so far have worked fine.'''
 
<code>/etc/systemd/system/tinc.service</code>
 
<pre># This is a mostly empty service, but allows commands like stop, start, reload
# to propagate to all tinc@ service instances.
 
[Unit]
Description=Tinc VPN
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
After=network.target
Wants=network.target
 
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/true
ExecReload= /usr/local/sbin/true
WorkingDirectory=/usr/local/etc/tinc
 
[Install]
WantedBy=multi-user.target</pre>
<code>/etc/systemd/system/tinc@hub.service</code>
 
<pre>[Unit]
Description=Tinc net %i
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service
 
[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
TimeoutStopSec=5
Restart=always
RestartSec=60
 
[Install]
WantedBy=tinc.service</pre>
 
Note: in my system tinc was installed inside /usr/local/bin/tinc, /usr/local/bin/tincd and its configuration is in /usr/local/etc/tinc. But this is system specific. Ensure you know where these directories are in your system.
 
* Enable
** <code>sudo systemctl enable tinc</code>
** <code>sudo systemctl enable tinc@hub</code>
* Start <code>sudo systemctl start tinc@hub</code>
* Check status <code>sudo systemctl status tinc@hub</code>
 
Note that because <code>tinc@testvpn.service</code> requests tinc.service we don’t need to start that one, as it is started by <code>tinc@testvpn.service</code>
 
If all is good. We can test by rebooting the system and seeing that if after a while tinc@testvpn is up. You can check that by keeping starting a by pinging the <code>ping 10.1.0.2</code> and checking the status of tinc@hub<code>sudo systemctl status tinc@hub</code>
 
==Enable SSH to tinc node==
Add a new entry to your laptop ~/.ssh/config by following this template
 
<pre>
Host hub.PI_NAME
User yourname
Hostname  10.0.0.10?
ProxyJump yourname@xpub.nl:2501
Identityfile ~/.ssh/id_rsa
Serveraliveinterval 30
</pre>
 
Note: ls ~/.ssh to know what is filename for the Identityfile(private ssh key)
 
'''XPUB Staff''' will need to send gnd, for each node:
* Tinc node IP
* username
* user Public key
So that he can allow ssh of that user to the new Tinc node
 
==Enable HTTP to tinc node==
* The pi needs to be running a webserver
 
'''XPUB Staff on XVM''' will need to as '''root''':
* edit /etc/nginx/sites-available/hub.xpub.nl
* adding to it a new location to the hub.xpub.nl server block
<pre>
        location /nodename {
                proxy_pass http://tinc.node.ip.addr/;
                client_max_body_size 200M;
        }
<pre>
* test the configuration
nginx -t
* if all good restart nginx
systemctl restart nginx
* visit url https://hub.xpub.nl/nodename
 




[[Category:Cookbook]]
[[Category:Cookbook]]
[[Category:Tinc]]

Latest revision as of 09:53, 1 October 2024

tinclogo.png

Tinc is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet.

And is used in XPUB to create the HUB VPN - an electronic learning enviroment, server playground, web publishing platform, consisting of local machines (mainly raspberry pi's) that sit behind firewalls, but through Tinc are accessible from outside the firewall.

To add a machine to the HUB, we install Tinc from source. This is because it is required to have all the machines running the same version of Tinc.

Install Tinc Client

On RaspberryPi / machine that will be joining HUB.

Install dependencies:

sudo apt install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev libncurses5-dev libreadline-dev 

Compile Tinc 1.1pre:

cd ~
wget https://www.tinc-vpn.org/packages/tinc-1.1pre18.tar.gz
tar xvf tinc-1.1pre18.tar.gz
cd tinc-1.1pre18
./configure
make
 sudo make install

Once installed create configuration dir:

sudo mkdir -p /usr/local/etc/tinc/

And tinc is installed in

/usr/local/sbin/tinc

Next steps

Follow XPUB_HUB_New_Nodes.