https://tinc-vpn.org/images/tinclogo.png

''[https://tinc-vpn.org/ Tinc] is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet.''

It is used in XPUB to create the [[HUB]] VPN: an electronic learning environment, server playground and web publishing platform, consisting of local machines (mainly Raspberry Pis) that sit behind firewalls but, through Tinc, are accessible from outside the firewall.

To add a machine to the HUB, we install Tinc from source, because all the machines are required to run the same version of Tinc.

==Install Tinc Client==

'''On a Raspberry Pi / machine that will be joining [[HUB]].'''

Install dependencies:
<pre>sudo apt install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev libncurses5-dev libreadline-dev</pre>

Compile <code>Tinc 1.1pre</code>:
<pre>cd ~
wget https://www.tinc-vpn.org/packages/tinc-1.1pre18.tar.gz
tar xvf tinc-1.1pre18.tar.gz
cd tinc-1.1pre18
./configure</pre>

<pre>/usr/local/sbin/tinc</pre>
==Add new tinc Node to [[HUB]] network==
'''In the Pi'''

On your Pi, create a user with the same username as in the sandbox. Keeping it the same as in the sandbox will make things easier for us and gnd.

Add your public SSH key to that username on the Pi, in ~/.ssh/authorized_keys.

On some systems there is a script (already installed) to do this, called ssh-copy-id:

<pre>ssh-copy-id local.pi.IP.addr</pre>

Otherwise, the following does the same (you are just adding the contents of your public key as a new line to the file authorized_keys on the Pi):

<pre>cat ~/.ssh/id_rsa.pub | ssh local.pi.IP.addr "cat >> ~/.ssh/authorized_keys"</pre>
Install Tinc on the Pi. Instructions can be found at [[Tinc]]; follow them up to the creation of the configuration dir:

<pre>sudo mkdir -p /usr/local/etc/tinc/</pre>

* Add your chosen Node name and IP to [[HUB#IP_allocation]]
* Student project IPs: the last number should have 3 digits; the last one allocated is Simon's 10.0.1.103, so you can start from there
Disable SSH to your Pi with a password (allow SSH key only), by:

* ensuring your laptop's SSH public key is in your Pi's ~/.ssh/authorized_keys:

<pre>cat ~/.ssh/authorized_keys</pre>

* ensuring you can log in to the Pi with the SSH key:

<pre>ssh username@pi.ip.add -i ~/.ssh/id_rsa</pre>

* editing /etc/ssh/sshd_config:

<pre>sudo nano /etc/ssh/sshd_config</pre>

* and uncommenting the line:

<pre>#PasswordAuthentication no</pre>

to:

<pre>PasswordAuthentication no</pre>

* reloading ssh:

<pre>sudo systemctl reload ssh</pre>
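The steps above are easy to get out of order: if the key is not in authorized_keys when password logins are switched off, you lock yourself out of the Pi. The following added example (not from this wiki) checks both conditions on sample files constructed inline; the functions take an sshd_config and an authorized_keys as input and can be pointed at the real files on the Pi.

```shell
#!/bin/sh
# Added example (not from the wiki): check that a Pi is safe to switch to
# key-only SSH. Runs on constructed sample files; point it at the real ones.

# Print the effective global PasswordAuthentication from an sshd_config on stdin.
# sshd takes the FIRST uncommented occurrence and defaults to "yes" when the
# directive is absent; values inside a "Match" block are conditional, so skipped.
effective_password_auth() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    '
}

# Succeed only if the public key in $1 is in the authorized_keys fed on stdin.
# Matches on the base64 blob, so a different comment or an options prefix still matches.
key_authorized() {
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    awk -v blob="$blob" '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == blob) ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# $1 = public key line, $2 = authorized_keys file, $3 = sshd_config file.
# "ok": key installed and passwords off; "locked-out-risk": passwords off but
# the key is missing; "password-still-on": the edit has not taken effect yet.
lockdown_status() {
    if key_authorized "$1" < "$2"; then has_key=1; else has_key=0; fi
    pw=$(effective_password_auth < "$3")
    if [ "$pw" = "no" ] && [ "$has_key" = 1 ]; then echo ok
    elif [ "$pw" = "no" ]; then echo locked-out-risk
    else echo password-still-on; fi
}

# Constructed sample data (the key blob is fake, not a real key).
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE nameoftheuser@laptop'
d=$(mktemp -d)
printf '%s\n' "$PUBKEY" > "$d/authorized_keys"
printf 'Port 22\n#PasswordAuthentication no\nUsePAM yes\n' > "$d/sshd_config.before"
printf 'Port 22\nPasswordAuthentication no\nUsePAM yes\n' > "$d/sshd_config.after"
echo "before edit: $(lockdown_status "$PUBKEY" "$d/authorized_keys" "$d/sshd_config.before")"
echo "after edit:  $(lockdown_status "$PUBKEY" "$d/authorized_keys" "$d/sshd_config.after")"
```

Run it on the Pi as <code>lockdown_status "$(cat ~/.ssh/id_ed25519.pub)" ~/.ssh/authorized_keys /etc/ssh/sshd_config</code> before <code>systemctl reload ssh</code>; anything other than <code>ok</code> means stop and fix first.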
You end up with the following info:

<pre>
username: nameoftheuser
Node IP: 10.0.0.???
Node name: nameofnode
ssh public key:
ssh-ed25519 ... ... nameoftheuser@laptop
</pre>
'''Staff: in the XVM (xpub server)'''

As root, create an invitation for the node as described in [[HUB#Adding_a_new_thing]]:

<pre>tinc -n hub invite $NAMEOFNODE</pre>

This will generate an invitation address.
'''Back in the Pi'''

Use the invitation to join the network ($INVITE_ADDRESS):

<pre>sudo tinc join $INVITE_ADDRESS</pre>

Add the Pi to the hub network under the chosen Node IP ($NODE.IP.ADDRS):

<pre>sudo tinc -n hub add subnet $NODE.IP.ADDRS</pre>

Edit the tinc-up file in /usr/local/etc/tinc/hub/tinc-up, commenting out the echo line and adding the line:

* Note: $INTERFACE should remain as is; $NODE.IP.ADDRS should be replaced with the Node IP

<pre>ifconfig $INTERFACE $NODE.IP.ADDRS netmask 255.255.255.0</pre>

* Example tinc-up file:

<source lang="bash">
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.0.0.105 netmask 255.255.255.0
</source>

Start the tincd daemon:

<pre>tincd -n hub -D -d3</pre>

In a new window, ssh again to the Pi and see if you can ping other tinc nodes:

<pre>ping 10.0.0.1</pre>

If so, Tinc is running :) yahh
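The address passed to <code>tinc add subnet</code> and the one written into tinc-up must be the same node IP, and an unedited tinc-up (echo line still active, no ifconfig line) is the usual reason the ping test above fails. The following added example (not from this wiki) renders a tinc-up for a node IP and cross-checks an existing file; it assumes the HUB convention of a 10.0.0.0/24 network with a 3-digit last octet.

```shell
#!/bin/sh
# Added example (not from the wiki): render the HUB tinc-up file for a Node IP
# and cross-check an existing tinc-up against the address given to "tinc add subnet".
# Assumes the HUB convention above: 10.0.0.0/24 with a 3-digit last octet.

# Succeed only if $1 looks like a HUB node address: 10.0.0.X with X in 100..254.
valid_hub_ip() {
    case "$1" in
        10.0.0.1[0-9][0-9]|10.0.0.2[0-4][0-9]|10.0.0.25[0-4]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a tinc-up script for the given Node IP; $INTERFACE is filled in by tincd.
render_tinc_up() {
    valid_hub_ip "$1" || { echo "not a HUB node address: $1" >&2; return 1; }
    cat <<EOF
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '\$0'!'
ifconfig \$INTERFACE $1 netmask 255.255.255.0
EOF
}

# Print the address on the active "ifconfig $INTERFACE ..." line of a tinc-up on stdin;
# commented lines are ignored, so an unedited stock file prints nothing.
tinc_up_address() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "ifconfig" && $2 == "$INTERFACE" { print $3; exit }'
}

# $1 = tinc-up file, $2 = address given to "tinc add subnet".
# "ok" when both agree, "mismatch" when they differ, "unconfigured" when tinc-up
# still has no active ifconfig line (a common reason the ping test fails).
check_node_config() {
    addr=$(tinc_up_address < "$1")
    if [ -z "$addr" ]; then echo unconfigured
    elif [ "$addr" = "$2" ]; then echo ok
    else echo mismatch; fi
}

# Constructed stand-alone run: one edited file and one still in stock form.
d=$(mktemp -d)
render_tinc_up 10.0.0.105 > "$d/tinc-up"
printf '#!/bin/sh\necho "Unconfigured tinc-up script, please edit $0!"\n' > "$d/tinc-up.stock"
echo "edited: $(check_node_config "$d/tinc-up" 10.0.0.105)"
echo "stock:  $(check_node_config "$d/tinc-up.stock" 10.0.0.105)"
```

On a real node run <code>check_node_config /usr/local/etc/tinc/hub/tinc-up $NODE.IP.ADDRS</code> before starting tincd.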
=== tincd service file ===

According to the [https://www.tinc-vpn.org/documentation/Linux.html tinc documentation]:

Tinc ships with systemd service files that allow you to start and stop tinc using systemd. There are two service files:

* ''tinc.service'' is used to globally enable or disable all tinc daemons managed by systemd
* ''tinc@netname.service'' is used to enable or disable specific tinc daemons.

These are located in the source directory, in the sub-directory <code>systemd/</code>.

However, these files seem to give some issues, as mentioned in the tinc GitHub: [https://github.com/gsliepen/tinc/issues/133 issue 133], [https://github.com/gsliepen/tinc/issues/168 issue 168].

'''Hence we'll use the ones below, which so far have worked fine.'''

<code>/etc/systemd/system/tinc.service</code>
<pre># This is a mostly empty service, but allows commands like stop, start, reload
# to propagate to all tinc@ service instances.

[Unit]
Description=Tinc VPN
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
After=network.target
Wants=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/true
ExecReload= /usr/local/sbin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target</pre>
<code>/etc/systemd/system/tinc@hub.service</code>

<pre>[Unit]
Description=Tinc net %i
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=tinc.service</pre>
Note: on my system tinc was installed as /usr/local/bin/tinc and /usr/local/bin/tincd, and its configuration is in /usr/local/etc/tinc. But this is system specific. Ensure you know where these directories are on your system.

* Enable:
** <code>sudo systemctl enable tinc</code>
** <code>sudo systemctl enable tinc@hub</code>
* Start: <code>sudo systemctl start tinc@hub</code>
* Check status: <code>sudo systemctl status tinc@hub</code>

Note that because <code>tinc@testvpn.service</code> requests tinc.service, we don't need to start that one, as it is started by <code>tinc@testvpn.service</code>.

If all is good, we can test by rebooting the system and seeing whether, after a while, tinc@testvpn is up. You can check that by pinging another node with <code>ping 10.1.0.2</code> and checking the status of tinc@hub with <code>sudo systemctl status tinc@hub</code>.
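Because the unit files hard-code /usr/local/sbin while the note above says the binaries may land in /usr/local/bin, a unit that points at a path that does not exist simply fails on every restart. The following added example (not from this wiki) renders the tinc@ unit from the tincd actually found on PATH and lists any ExecStart, ExecReload or WorkingDirectory path that does not exist; the Documentation= lines of the unit above are left out of the rendering.

```shell
#!/bin/sh
# Added example (not from the wiki): render tinc@.service for the paths on THIS system
# and list any ExecStart/ExecReload binary or WorkingDirectory that does not exist, since
# the note above warns that the install prefix (sbin vs bin) differs per system.

# Print a tinc@.service for tincd binary $1 and tinc configuration root $2
# (same directives as the wiki's unit, minus the Documentation= lines).
render_tinc_instance_unit() {
    cat <<EOF
[Unit]
Description=Tinc net %i
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=$2/%i
ExecStart=$1 -n %i -D
ExecReload=$1 -n %i -kHUP
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=tinc.service
EOF
}

# Read a unit on stdin, substitute instance name $1 for %i, and print "Key: path" for
# every Exec* binary that is not executable or WorkingDirectory that is not a directory.
# Prints nothing when the unit matches the filesystem. Exec prefix characters (e.g. "-")
# are not stripped, so a prefixed path would be reported as missing.
missing_unit_paths() {
    awk -v inst="$1" -F= '
        /^(ExecStart|ExecReload|WorkingDirectory)=/ {
            v = $2; sub(/^[[:space:]]*/, "", v); split(v, f, " ")
            p = f[1]; gsub(/%i/, inst, p); print $1 " " p
        }' | while read -r key p; do
        case "$key" in
            WorkingDirectory) [ -d "$p" ] || echo "$key: $p" ;;
            *)                [ -x "$p" ] || echo "$key: $p" ;;
        esac
    done
}

# Stand-alone run: use the tincd found on PATH (falling back to the wiki's path)
# and check the unit it would produce for the "hub" instance.
TINCD=$(command -v tincd || echo /usr/local/sbin/tincd)
render_tinc_instance_unit "$TINCD" /usr/local/etc/tinc | missing_unit_paths hub
```

The same check applies to the installed files: <code>missing_unit_paths hub < /etc/systemd/system/tinc@hub.service</code> should print nothing before you run <code>systemctl enable</code>.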
==Enable SSH to tinc node==

Add a new entry to your laptop's ~/.ssh/config following this template:

<pre>
Host hub.PI_NAME
User yourname
Hostname 10.0.0.10?
ProxyJump yourname@xpub.nl:2501
Identityfile ~/.ssh/id_rsa
Serveraliveinterval 30
</pre>

Note: run <code>ls ~/.ssh</code> to find the filename for the Identityfile (private SSH key).
==Enable ssh jump to RPI on XVM==

XPUB Staff: use the <code>jumpuser</code> script to enable the SSH jump to the RPi.

If the user's username and SSH public key are already in the XVM's /home/:

<pre>jumpuser add_ip username 10.0.0.XYZ</pre>

If not, also add the user with:

<pre>jumpuser create <USERNAME> <PI-INTERNAL_IP> <USER-PUBKEY> [COMMENT]</pre>

Log your changes with:

<pre>rtlg</pre>
==Enable HTTP to tinc node==

* The Pi needs to be running a webserver.

'''XPUB Staff on XVM''' will need to, as '''root''':

* edit /etc/nginx/sites-available/hub.xpub.nl
* adding to it a new location in the hub.xpub.nl server block:

<pre>
location /nodename {
    proxy_pass http://tinc.node.ip.addr/;
    client_max_body_size 200M;
}
</pre>

* test the configuration:

<pre>nginx -t</pre>

* if all good, restart nginx:

<pre>systemctl restart nginx</pre>

* visit the url https://hub.xpub.nl/nodename
==Next steps==

Follow [[XPUB_HUB_New_Nodes]].

[[Category:Cookbook]]
[[Category:Tinc]]