The VPN software Tinc needs no central dial-in server; instead each node connects to several other Tinc nodes at once. If one of those connections fails, the software delivers the network packets to their destination over the shortest path through the remaining ones. (Decentralised VPNs, dVPNs, that rely on blockchain technology, such as Orchid, are a different design and are not covered here.)

Tinc sets up a virtual private network over the Internet that encrypts and compresses the traffic between two or more computers. Unlike conventional hub-and-spoke VPN products, it needs no central server to manage access and accept dial-ins. Instead, each Tinc node opens connections to several other VPN nodes at the same time. If one of these connections is cut, the node still reaches the VPN over the remaining ones. Whatever the actual topology, Tinc makes sure that network packets take the shortest available path to their destination (mesh routing).

To add a new computer to a Tinc VPN, no new VPN service or interface assignment is needed on the existing nodes. One additional configuration file is enough, but it has to be distributed to the nodes; since that file carries the newcomer's public key, the channel you distribute it over is what establishes trust in the new node. Tinc can bridge individual Ethernet segments, so games and applications written for the LAN work as usual. Tinc also understands Internet Protocol version 6 (IPv6): it can set up VPNs that carry IPv6, and it can use IPv6 as the transport protocol for the VPN itself.

Tinc runs on Linux, Solaris, FreeBSD and OpenBSD, and is available as a package for Windows 2000 and later. On the BSDs and most Linux distributions Tinc can be installed through the package manager. For others, such as Fedora and Red Hat Linux, an RPM package is available on the project website. There are no ready-made packages for Mac OS X, but according to the documentation Tinc can be compiled from source on Apple's operating system. On every operating system the software requires a TUN/TAP driver, which current Linux kernels usually ship and which is included in the Windows installer. On Linux, modinfo tun shows whether the TUN/TAP driver is present, lsmod | grep tun shows whether it is loaded, and modprobe tun loads it if necessary.

On Windows, after installing Tinc, open an administrator prompt and change to the tap-win32\ subdirectory of the Tinc program directory. There the batch file addtap.bat installs the driver. On Vista and Windows 7, confirm the UAC dialog that follows. Afterwards Windows has a new network connection for the device “TAP-Win32 Adapter V8”.

If a Tinc node is to accept connections from other nodes, it needs either a public IP address or a port forwarding on the network router that passes TCP and UDP packets for the freely selectable Tinc port into the LAN. A node that only initiates connections to other nodes, but sits behind a NAT router that cannot be configured this way, can transport the VPN data over TCP instead. For example, when Tinc links several company networks, port forwarding is enabled on each site's router; an employee on the road cannot set up such a forwarding on a foreign network, so those mobile Tinc nodes must transport the VPN data via TCP.

Setting it up

On Linux, Tinc looks for its configuration files in /etc/tinc. On Windows it expects them in the program directory, usually C:\Program Files\tinc\. Settings are grouped into profiles that are selected later by name: create a new directory with a name of your choice, for example MyTincVPN, and inside it the subdirectory hosts/ and the file tinc.conf, in which the Tinc node expects a few basic parameters:

Device=/dev/net/tun
Interface=MyTincVPN-dev
AddressFamily=ipv4
Mode=switch
Name=tincknoten1
PrivateKeyFile=/etc/tinc/MyTincVPN/rsa_key.priv

The Device entry names the TUN/TAP pseudo-device and Interface names the VPN interface. If Interface is missing on Linux, Tinc names the interface after the profile. Windows does not need the Device entry; it finds the right TAP adapter on its own. If you still want to pin the VPN interface there, rename the network connection belonging to the “TAP-Win32 Adapter V8”, for example to TINC-VPN, and set Interface=TINC-VPN. With AddressFamily=ipv4 Tinc listens only on the computer's IPv4 addresses. Mode determines how Tinc forwards packets to their destination. With the value switch, Tinc builds a forwarding table from hardware (MAC) addresses; like a real switch it forwards unicast, broadcast and multicast frames, so individual Ethernet segments can be bridged. With hub, Tinc keeps no table at all and sends every packet to every other Tinc node. By default, however, Tinc runs as a router and builds its table only from the Subnet lines in each node's hosts file.

Broadcast and multicast do not work in router mode. The Name parameter names the Tinc node, which authenticates itself to the others with an RSA key pair. PrivateKeyFile holds the absolute path of the private key file, which Tinc creates together with the public key when you run tincd -K -n MyTincVPN. By default the program stores the private key as rsa_key.priv in the profile directory (MyTincVPN) and writes the public key to a file in the hosts/ directory that, unless you choose otherwise, is named after the node name set in tinc.conf. Keep the private key readable by the administrator only: whoever holds it can impersonate this node to the whole VPN.
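To make the three modes concrete, here is a small Python model of the forwarding decisions described above. It is an added illustration written for this page, not tinc's own route.c; the node names, subnets and MAC addresses are constructed, and the subnets are deliberately distinct per node so that longest-prefix matching has something to choose between (the profile in this article gives every node 192.168.0.0/16, which is fine in switch mode but would be ambiguous in router mode). The model covers unicast forwarding and flooding only; subnet weights and IP-level broadcast handling are left out.

```python
"""Model of how a tinc node decides where a packet goes in router, switch and
hub mode. Added illustration of the rules described above, not tinc's own code."""
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_group_mac(mac):
    """Broadcast and multicast frames have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


class TincForwarding:
    """Forwarding decision of one VPN, seen from the node a packet enters at."""

    def __init__(self, mode, subnets):
        if mode not in ("router", "switch", "hub"):
            raise ValueError(mode)
        self.mode = mode
        self.nodes = set(subnets)
        # Router mode: a static table built from every hosts file's Subnet lines.
        self.subnet_table = [(ipaddress.ip_network(spec), node)
                             for node, specs in subnets.items() for spec in specs]
        # Switch mode: a table learned from source MAC addresses, like a real switch.
        self.mac_table = {}

    def forward(self, ingress, dst_ip=None, src_mac=None, dst_mac=None):
        """Return the set of nodes the packet is relayed to (empty set = dropped)."""
        others = self.nodes - {ingress}
        if self.mode == "hub":
            return others                              # flood everything, learn nothing
        if self.mode == "switch":
            if src_mac:
                self.mac_table[src_mac] = ingress      # remember who is behind this MAC
            if dst_mac is None or is_group_mac(dst_mac) or dst_mac not in self.mac_table:
                return others                          # broadcast/multicast/unknown: flood
            return {self.mac_table[dst_mac]} - {ingress}
        # Router mode: longest-prefix match against the Subnet table; no match = drop,
        # and nothing is ever flooded, which is why broadcasts do not work here.
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, node) for net, node in self.subnet_table if ip in net]
        if not matches:
            return set()
        return {max(matches, key=lambda m: m[0])[1]} - {ingress}


def demo():
    """Walk the same constructed traffic through all three modes."""
    subnets = {"tincknoten1": ["192.168.98.0/24"],
               "tincknoten2": ["192.168.99.0/24"],
               "mobiltincknoten1": ["192.168.99.100/32"]}   # road warrior: one address
    router = TincForwarding("router", subnets)
    switch = TincForwarding("switch", subnets)
    hub = TincForwarding("hub", subnets)
    pc1, pc2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # hosts behind node 1 / node 2
    return {
        "router_lpm": router.forward("tincknoten1", dst_ip="192.168.99.100"),  # /32 wins
        "router_24": router.forward("tincknoten1", dst_ip="192.168.99.7"),
        "router_unknown": router.forward("tincknoten1", dst_ip="10.9.9.9"),    # dropped
        "switch_first": switch.forward("tincknoten1", src_mac=pc1, dst_mac=pc2),  # flooded
        "switch_reply": switch.forward("tincknoten2", src_mac=pc2, dst_mac=pc1),  # learned
        "switch_learned": switch.forward("tincknoten1", src_mac=pc1, dst_mac=pc2),
        "switch_bcast": switch.forward("tincknoten1", src_mac=pc1, dst_mac=BROADCAST_MAC),
        "hub": hub.forward("tincknoten1", src_mac=pc1, dst_mac=pc2),
    }


if __name__ == "__main__":
    for case, targets in demo().items():
        print(f"{case:16} -> {sorted(targets) or 'dropped'}")
```

The switch-mode sequence is the part worth watching: the first frame to an unknown MAC is flooded to every other node, the reply teaches the table where that MAC lives, and from then on the same frame goes to exactly one node. Router mode never floods, which is the concrete reason the text gives for broadcast and multicast not working there.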

Keys and addresses

After that, the file hosts/tincknoten1 contains only the node's public key. Still missing are the node's subnet and the public address and port on which it can be reached from the Internet:

Address=tincknoten1.example.net
Port=54321
Subnet=192.168.0.0/16
Compression=9
-----BEGIN RSA PUBLIC KEY-----
MIG…JAgMBAAE=
-----END RSA PUBLIC KEY-----

Now Tinc (https://www.tinc-vpn.org/) needs to know how to give the VPN interface an address. This is what Tinc's scripting mechanism is for: it runs scripts when the VPN starts and stops, and when individual subnets or Tinc nodes appear or disappear.

If the node is to get the address 192.168.98.1 with the netmask 255.255.0.0 when the VPN starts, create the file tinc-up in the profile directory, make it executable on Linux with chmod +x tinc-up, and fill it with the following lines:

#!/bin/sh
# tincd runs this script with $INTERFACE set to the name of the VPN interface
/sbin/ifconfig "$INTERFACE" 192.168.98.1 netmask 255.255.0.0

Tinc calls the scripts without arguments but passes them environment variables. Besides INTERFACE these include NETNAME, NAME, DEVICE, NODE, REMOTEADDRESS, REMOTEPORT and SUBNET; NODE, REMOTEADDRESS and REMOTEPORT describe the peer in the host-up and host-down scripts, SUBNET the subnet in subnet-up and subnet-down. On Windows Tinc also runs scripts, provided they end in .bat. The variables are addressed in the usual shell way as $INTERFACE, or on Windows as %INTERFACE%. The documentation describes the scripts in more detail.

More nodes, more nets

The second Tinc node needs a similar setup. Create the profile directory, the file tinc.conf and the key files, and extend the public key file with entries for the subnet, the node's real address and the port number:

Address=tincknoten2.example.net
Port=54321
Subnet=192.168.0.0/16
Compression=9
-----BEGIN RSA PUBLIC KEY-----
AuS…sEnsTElle=
-----END RSA PUBLIC KEY-----

The Subnet entry here is again 192.168.0.0/16, which also covers the second node's local network 192.168.99.0/24. Overlapping Subnet entries like this only work because the VPN runs in switch mode, where forwarding goes by learned MAC address; in router mode each node would have to declare its own, distinct range. The tinc-up script again assigns an IP address to the local VPN interface when the VPN comes up.

#!/bin/sh
# second node: same script, its own address inside the shared /16
/sbin/ifconfig "$INTERFACE" 192.168.99.1 netmask 255.255.0.0

Because every node's VPN interface carries the netmask 255.255.0.0, each kernel already routes the whole 192.168.0.0/16 range into the VPN interface, and Tinc itself learns which node is behind which MAC address; no routing entries have to be added by hand.

Finally, the line ConnectTo=tincknoten1 in tinc.conf tells the machine to connect to the first Tinc node. Both sides need the other side's hosts file, which carries the public key used for authentication as well as the routing information, stored in the hosts/ directory of the VPN profile. Copy it over an authenticated channel, or compare the key out of band: a swapped hosts file lets an attacker authenticate as that node. If the VPN already consists of several nodes, the computer can connect to several of them in parallel if the configuration file contains more than one ConnectTo line.

To add another LAN to the VPN, repeat these steps, making sure that the address ranges of the individual nodes do not overlap.

An employee who needs to reach the Tinc VPN while travelling does not have to bring a subnet along. A single address suffices for the mobile node, written as 192.168.99.100/32 and entered as the Subnet line in that node's own hosts file:

Address=tincclient.example.net
Port=54321
Subnet=192.168.99.100/32
Compression=9
-----BEGIN RSA PUBLIC KEY-----
HIS…LaqMMBBE=
-----END RSA PUBLIC KEY-----

Mobile computers usually reach the Internet from a local network whose router allows no port forwarding into the LAN. If such a computer establishes a VPN to a node, both sides report a successful VPN setup, but the VPN packets carried over UDP never reach their destination. Tinc can tunnel the actual VPN data over the TCP connection instead, which the line TCPOnly=yes in the client's tinc.conf enables (ConnectTo belongs in tinc.conf as well, not in the hosts file):

Mode=switch
Name=mobiltincknoten1
PrivateKeyFile=C:/Program Files/tinc/MyTincVPN/rsa_key.priv
ConnectTo=tincknoten2
TCPOnly=yes

After its first invocation, Tinc registers itself with the given profile as a Windows service that starts automatically at boot. Windows users set the address of the VPN adapter in the properties of the network connection. Since the VPN spans several local networks from 192.168.0.0/16, the interface gets the netmask 255.255.0.0; the fields for the default gateway and the DNS servers stay empty.

Once this preliminary work is done, exchange the mobile node's hosts file (public key and settings) with its connection partners.
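Before a hosts file is handed around, it pays to check the whole profile for the mistakes this section warns about: a ConnectTo target without a hosts file or Address, a hosts file without exactly one public key, per-daemon settings such as ConnectTo placed in a hosts file where tinc ignores them, and Subnet ranges of different nodes that overlap, which is tolerable in switch mode but ambiguous in router mode. The following Python linter is an added example written for this page, not part of tinc; it mirrors the rules tincd applies at start-up as described above but does not replace running tincd. The sample profile it builds is constructed (modelled on the mobile client above, with placeholder key blocks), and the function names are this example's own.

```python
"""Lint a tinc 1.0 profile directory (tinc.conf plus hosts/) before distributing it.
Added example, not tinc's own tooling; tincd's real parser lives in config.c."""
import ipaddress
import os
import re
import tempfile

VALID_NAME = re.compile(r"^[A-Za-z0-9_]+$")                        # tinc's node-name rule
MAC_ADDRESS = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")  # Subnet= may be a MAC


def parse_tinc_file(path):
    """Return ({lowercased key: [values]}, number of PEM blocks) for one file.
    Like tinc's reader: keys are case-insensitive, a line starting with '#'
    is a comment, and everything between -----BEGIN and -----END is skipped."""
    entries, pem_blocks, in_pem = {}, 0, False
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("-----BEGIN"):
                in_pem, pem_blocks = True, pem_blocks + 1
                continue
            if in_pem:
                in_pem = not line.startswith("-----END")
                continue
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            entries.setdefault(key.lower(), []).append(value)
    return entries, pem_blocks


def lint_profile(profile_dir):
    """Return a list of (level, message); level is 'error' or 'warn'."""
    findings = []
    conf, _ = parse_tinc_file(os.path.join(profile_dir, "tinc.conf"))
    hosts_dir = os.path.join(profile_dir, "hosts")
    mode = conf.get("mode", ["router"])[0].lower()          # router is tinc's default
    # 1. tincd needs a valid Name and its own hosts file, or it refuses to start.
    name = conf.get("name", [None])[0]
    if not name or not VALID_NAME.match(name):
        findings.append(("error", f"Name missing or invalid: {name!r}"))
    elif not os.path.exists(os.path.join(hosts_dir, name)):
        findings.append(("error", f"hosts/{name} for our own Name is missing"))
    # 2. Every hosts file carries exactly one public key; per-daemon settings such
    #    as ConnectTo do nothing there. hosts/<name>-up scripts are not hosts files.
    hosts = {}
    for node in sorted(os.listdir(hosts_dir)):
        if not VALID_NAME.match(node):
            continue
        entries, pem_blocks = parse_tinc_file(os.path.join(hosts_dir, node))
        hosts[node] = entries
        if pem_blocks != 1:
            findings.append(("error", f"hosts/{node}: {pem_blocks} public key blocks, expected 1"))
        for key in ("connectto", "mode", "name", "privatekeyfile"):
            if key in entries:
                findings.append(("warn", f"hosts/{node}: '{key}' belongs in tinc.conf, not here"))
    # 3. Each ConnectTo target needs a hosts file with an Address we can dial.
    for target in conf.get("connectto", []):
        if target not in hosts:
            findings.append(("error", f"ConnectTo={target} but hosts/{target} is missing"))
        elif "address" not in hosts[target]:
            findings.append(("error", f"ConnectTo={target} but hosts/{target} has no Address"))
    # 4. Subnet lines must parse ("addr/len#weight"); ranges of different nodes may
    #    only overlap in switch mode, where forwarding does not use them.
    owned = []
    for node, entries in hosts.items():
        for subnet in entries.get("subnet", []):
            spec = subnet.split("#", 1)[0].strip()
            if MAC_ADDRESS.match(spec):
                continue
            try:
                owned.append((node, ipaddress.ip_network(spec, strict=False)))
            except ValueError:
                findings.append(("error", f"hosts/{node}: unparsable Subnet {subnet!r}"))
    for i, (node_a, net_a) in enumerate(owned):
        for node_b, net_b in owned[i + 1:]:
            if node_a != node_b and net_a.version == net_b.version and net_a.overlaps(net_b):
                level = "warn" if mode == "switch" else "error"
                findings.append((level, f"{node_a} {net_a} overlaps {node_b} {net_b} (Mode={mode})"))
    return findings


def write_sample_profile(root, mode="switch", misplaced_connectto=True):
    """Write a constructed profile modelled on the mobile client above into
    root/MyTincVPN and return that path. The key blocks are placeholders."""
    profile = os.path.join(root, "MyTincVPN")
    os.makedirs(os.path.join(profile, "hosts"))
    key = "-----BEGIN RSA PUBLIC KEY-----\nMIG...placeholder...AAE=\n-----END RSA PUBLIC KEY-----\n"
    files = {
        "tinc.conf": f"Mode={mode}\nName=mobiltincknoten1\nConnectTo=tincknoten2\nTCPOnly=yes\n",
        "hosts/tincknoten2": "Address=tincknoten2.example.net\nPort=54321\n"
                             "Subnet=192.168.0.0/16\nCompression=9\n" + key,
        "hosts/mobiltincknoten1": "Address=tincclient.example.net\nPort=54321\n"
                                  "Subnet=192.168.99.100/32\nCompression=9\n"
                                  + ("ConnectTo=tincknoten2\n" if misplaced_connectto else "") + key,
    }
    for rel, text in files.items():
        with open(os.path.join(profile, rel), "w") as fh:
            fh.write(text)
    return profile


def lint_sample(mode="switch", misplaced_connectto=True):
    """Build the sample profile in a temporary directory and lint it."""
    with tempfile.TemporaryDirectory() as root:
        return lint_profile(write_sample_profile(root, mode, misplaced_connectto))


if __name__ == "__main__":
    for level, message in lint_sample():
        print(f"{level}: {message}")
```

Run against the sample, the linter reports two warnings: the ConnectTo line sitting in a hosts file, and the mobile client's 192.168.99.100/32 overlapping the second node's 192.168.0.0/16. With Mode=router the same overlap becomes an error, which is exactly the distinction the text draws between switch and router mode. Point lint_profile at /etc/tinc/MyTincVPN (or the profile directory under C:\Program Files\tinc) to check a real profile.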

In action

Then start the VPN on every participating node from an administrator console with the command tincd -D -d3 -n MyTincVPN. The -D parameter keeps Tinc in the foreground instead of detaching as a background process, -d3 raises the debug level so that it also reports transmitted packets, for example, and -n selects the VPN profile.

Without further parameters Tinc is very quiet and prints nothing about the connection setup; the -d option remedies that.

Because tincd is not on the search path on Windows, change to the program directory, usually C:\Program Files\tinc, in an administrator prompt and run the command there.

On Windows, Ctrl+C stops this test run. On Linux the same keys do not stop the program but raise the debug level to the maximum of 5 until the key combination is pressed again. To shut it down cleanly, run tincd -k -n MyTincVPN, which terminates the Tinc process for that VPN profile in a controlled manner.

On Debian and Ubuntu, Tinc VPN profiles are started at boot by listing their names in /etc/tinc/nets.boot. On Windows, either a batch file handles dial-up for remote workers, or the software runs as a system service in the background: Tinc registers itself as a Windows service, whose properties can be adjusted via the Control Panel, when you change to the program directory and run tincd -n profilename as administrator. The command tincd -k -n profilename removes Tinc from the list of Windows services again.
