Tinc: Difference between revisions

From XPUB & Lens-Based wiki

Revision as of 16:34, 20 April 2020

Client (Raspberry Pi / laptop)

Install

Install dependencies

sudo apt install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev libncurses5-dev libreadline-dev 


Compile Tinc 1.1pre:

cd /usr/src/
wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
tar xvf tinc-1.1pre17.tar.gz
cd tinc-1.1pre17
./configure
make
sudo make install

Once installed create configuration dir:

sudo mkdir -p /usr/local/etc/tinc/

And tinc is installed in

/usr/local/sbin/tinc

Add new tinc Node to HUB network

In the Pi

On your Pi, create a user with the same username as in the sandbox. Keeping it the same as in the sandbox will make things easier for us and for gnd.

Add your public SSH key for that user on the Pi (same username as mentioned) to ~/.ssh/authorized_keys. There is a trick to do this in one go:

cat ~/.ssh/id_rsa.pub | ssh local.pi.IP.addr "cat >> ~/.ssh/authorized_keys"

Install Tinc on the Pi following the Install instructions above, up to and including the creation of the configuration dir:

sudo mkdir -p /usr/local/etc/tinc/
  • Add your chosen Node name and IP to HUB#IP_allocation
  • Student project IPs should have a three-digit last number; the last one taken is Simon's 10.0.1.103, so you can start from there

Disable password SSH logins to your Pi (allow SSH keys only), by:

  • ensuring your laptop's SSH public key is in the Pi's ~/.ssh/authorized_keys:
cat ~/.ssh/authorized_keys
  • ensuring you can log in to the Pi with your SSH key:
ssh username@pi.ip.add -i ~/.ssh/id_rsa
  • editing /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
  • and uncommenting the line:
#PasswordAuthentication no

to:

PasswordAuthentication no
  • reloading ssh:

sudo systemctl reload ssh
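An added check for the steps above (example code, not from the wiki page): a small POSIX shell function that reports the value sshd will actually use for PasswordAuthentication from a given config file, honouring sshd_config's first-occurrence-wins rule, so you can see that a still-commented line, or a "no" added below an earlier "yes", leaves password logins enabled. The config path argument, function names and sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page). sshd uses the FIRST value it reads
# for a keyword, so "PasswordAuthentication no" appended below an earlier
# "PasswordAuthentication yes" changes nothing, and a line that is still
# commented out ("#PasswordAuthentication no") leaves the default, which is yes.
# Debian/Ubuntu also read /etc/ssh/sshd_config.d/*.conf through an Include
# line; on the Pi itself, "sudo sshd -T | grep -i passwordauthentication"
# prints the merged, effective value and is the authoritative check.

# usage: effective_password_auth /path/to/sshd_config  -> prints "yes" or "no"
# (handles the whitespace-separated "Keyword value" form used in the page)
effective_password_auth() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        /^[ \t]*$/ { next }                # skip blank lines
        tolower($1) == "match" { exit }    # global section ends at the first Match block
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }    # sshd default when the keyword is never set
    ' "$1"
}

# Returns 0 when password logins are disabled in the given file, 1 otherwise.
password_auth_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Demo on a constructed config that LOOKS hardened but is not: the "no" comes
# after an earlier "yes", so sshd keeps password authentication enabled.
demo_constructed_sample() {
    tmp=$(mktemp)
    printf 'Port 22\nPasswordAuthentication yes\n# our edit:\nPasswordAuthentication no\n' > "$tmp"
    if password_auth_disabled "$tmp"; then
        echo "password auth disabled"
    else
        echo "password auth STILL ENABLED (first occurrence wins)"
    fi
    rm -f "$tmp"
}

demo_constructed_sample
```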

You end up with the following info:

username: nameoftheuser
Node IP: 10.0.0.???
Node name: nameofnode 
ssh public key:
ssh-ed25519 ... ... nameoftheuser@laptop

Staff: In the XVM (xpub server)

As root:

Create an invitation for the node as described in HUB#Adding_a_new_thing:

tinc -n hub invite $NAMEOFNODE

Which will generate an invitation address


Back In the Pi

Use the invitation to join the network ($INVITE_ADDRES):

  sudo tinc join $INVITE_ADDRES

Add the pi to the hub network under the chosen Node IP ($NODE.IP.ADDRS):

  sudo tinc -n hub add subnet $NODE.IP.ADDRS

Edit the tinc-up file in /usr/local/etc/tinc/hub/, commenting out the echo line and adding the line:

  • Note: $INTERFACE should remain as is; $NODE.IP.ADDRS should be replaced with the Node IP
  ifconfig $INTERFACE $NODE.IP.ADDRS netmask 255.255.255.0
  • Example tinc-up file:
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.0.0.105 netmask 255.255.255.0

Start tincd daemon:

tincd -n hub -D -d3

In a new window, ssh again to the Pi and see if you can ping other tinc nodes:

ping 10.0.0.1

If so, Tinc is running :) yahh


tincd service file

According to the tinc documentation (https://www.tinc-vpn.org/documentation/Linux.html):

Tinc ships with systemd service files that allow you to start and stop tinc using systemd. There are two service files:

  • tinc.service is used to globally enable or disable all tinc daemons managed by systemd
  • tinc@netname.service is used to enable or disable specific tinc daemons.

These are located in the source directory, in the sub-directory systemd/

However, these files seem to give some issues, as mentioned on the tinc GitHub: issue 133 (https://github.com/gsliepen/tinc/issues/133), issue 168 (https://github.com/gsliepen/tinc/issues/168).

Hence we'll use the ones below, which so far have worked fine.

/etc/systemd/system/tinc.service

# This is a mostly empty service, but allows commands like stop, start, reload
# to propagate to all tinc@ service instances.

[Unit]
Description=Tinc VPN
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
After=network.target
Wants=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/true
ExecReload=/usr/local/sbin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target

/etc/systemd/system/tinc@hub.service

[Unit]
Description=Tinc net %i
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=tinc.service

Note: on my system tinc was installed as /usr/local/bin/tinc and /usr/local/bin/tincd, and its configuration is in /usr/local/etc/tinc. But this is system specific. Ensure you know where these directories are on your system.

  • Enable:
    • sudo systemctl enable tinc
    • sudo systemctl enable tinc@hub
  • Start: sudo systemctl start tinc@hub
  • Check status: sudo systemctl status tinc@hub

Note that because tinc@testvpn.service requests tinc.service, we don't need to start that one, as it is started by tinc@testvpn.service.

If all is good, we can test by rebooting the system and checking that tinc@testvpn comes up after a while. You can check that by pinging another node (ping 10.1.0.2) and checking the status of tinc@hub: sudo systemctl status tinc@hub

Enable SSH to tinc node

Add a new entry to your laptop ~/.ssh/config by following this template

Host hub.PI_NAME
User yourname
HostName 10.0.0.10?
ProxyJump yourname@xpub.nl:2501
IdentityFile ~/.ssh/id_rsa
ServerAliveInterval 30

Note: run ls ~/.ssh to find the filename of your private SSH key for IdentityFile.

XPUB Staff will need to send gnd, for each node:

  • Tinc node IP
  • username
  • user public key

so that he can allow SSH access for that user to the new Tinc node.


Enable HTTP to tinc node

XPUB Staff on the XVM will need to, as root:

  • edit /etc/nginx/sites-available/hub.xpub.nl
  • add a new location to the hub.xpub.nl server block:
        location /nodename {
                proxy_pass http://tinc.node.ip.addr/;
                client_max_body_size 200M;
        }
  • test the configuration:
nginx -t
  • if all is good, restart nginx:
systemctl restart nginx
  • visit the URL https://hub.xpub.nl/nodename