Ubuntu Install Tinc and Set Up a Basic VPN




How To install Tinc and Set Up a Basic VPN on Ubuntu

How do I install Tinc and set up a basic VPN on an Ubuntu Linux 18.04/20.04 LTS server? Tinc is a free and open-source daemon for creating a virtual private network (VPN). One Linux/Unix daemon can handle multiple connections, so an entire VPN can be built from it. Tinc uses LibreSSL or OpenSSL to encrypt and protect the traffic. Further, automatic full mesh routing ensures that traffic is sent directly to the destination without going through intermediate hops. NAT traversal makes tinc on Ubuntu firewall-friendly as long as one node in the VPN allows incoming connections on a public/dynamic IP address. This page explains how to set up a Tinc mesh VPN on an Ubuntu 18.04 or 20.04 LTS server.

Our sample set up is as follows:



serverA : Our web server with public IPv4/IPv6 addresses and eth1 with a private IP address. All apps running on this server will connect to serverB via a tinc-based VPN interface called vpn0 (IP: 172.16.1.1/32). We are going to encrypt all traffic.

serverB : Our database server with public IPv4/IPv6 addresses and eth1 with a private IP address. Similarly, our database will only listen on the VPN interface called vpn0 (IP: 172.16.1.2/32), and ufw will drop all traffic coming from any other interface.

Ubuntu Install Tinc using apt-get command/apt command

Type the following commands on both serverA and serverB:

sudo apt update

sudo apt upgrade

sudo apt install tinc



Create directories and config files

Type the following mkdir command:

sudo mkdir -vp /etc/tinc/vpn0/hosts/

mkdir: created directory '/etc/tinc/vpn0'

mkdir: created directory '/etc/tinc/vpn0/hosts/'



Update the /etc/hosts file

Edit the /etc/hosts, run:

sudo vi /etc/hosts

Append/edit as follows with actual IP address:

## eth1 ip address ##
192.168.202.30 node_01
192.168.215.155 node_02
## tinc ip address ##
172.16.1.1 vpn1
172.16.1.2 vpn2

Tinc configuration serverA

Type the following command as root user on serverA only.

Create the config file

Use the nano command/vim command as follows:

sudo vim /etc/tinc/vpn0/tinc.conf

Append the following as per your set up:

Name = node_01
Device = /dev/net/tun
## private ip of eth1 ##
BindToAddress = 192.168.202.30
AddressFamily = ipv4

Make the public and private keys

Execute the following tincd command:

sudo tincd -n vpn0 -K4096



Configure VPN IP addresses

Run the following command to configure tinc VPN IP address and port number:

sudo vi /etc/tinc/vpn0/hosts/node_01

Update it as follows:

Address = 192.168.202.30
Subnet = 172.16.1.1/32
Port = 655
-----BEGIN RSA PUBLIC KEY-----
MIICCg............................................RQkc
.....
...
..
0ugK5dcFFJyO//.................................ws2zc1

Save and close the file.

Make vpn network interface control up and down scripts

Create a tinc-up shell script:

sudo vi /etc/tinc/vpn0/tinc-up

Append the following code:

#!/bin/sh
#
# Must use IP 172.16.1.1, which is set up in /etc/tinc/vpn0/hosts/node_01
#
/sbin/ip link set $INTERFACE up
/sbin/ip addr add 172.16.1.1/32 dev $INTERFACE
/sbin/ip route add 172.16.1.0/24 dev $INTERFACE

Next, create a tinc-down script:

sudo vi /etc/tinc/vpn0/tinc-down

Append the following script content:

#!/bin/sh
#
# See /etc/tinc/vpn0/hosts/node_01 for IP config
#
/sbin/ip route del 172.16.1.0/24 dev $INTERFACE
/sbin/ip addr del 172.16.1.1/32 dev $INTERFACE
/sbin/ip link set $INTERFACE down

See the ip command documentation for more information. Set the executable permission using the chmod command:

sudo chmod -v +x /etc/tinc/vpn0/tinc-{up,down}

tincd firewall configuration on Ubuntu Linux serverA

Type the following ufw command to open tcp/udp ports 655 from serverB:

sudo ufw allow from 192.168.215.155 to port 655 proto tcp comment 'Open TCP port 655 for serverA'

sudo ufw allow from 192.168.215.155 to port 655 proto udp comment 'Open UDP port 655 for serverB'

Make sure we allow vpn traffic between two IP address set using the vpn0 tunnel as follows:

sudo ufw allow from 172.16.1.2 to 172.16.1.1 comment 'Allow other vpn node to talk serverA fully'

serverB Ubuntu tinc configuration

Type the following command as root user on serverB only.

Step 1 – Create the config file

Execute the following command:

sudo vi /etc/tinc/vpn0/tinc.conf

Append the following as per your set up:

Name = node_02
Device = /dev/net/tun
## tinc node name of serverA ##
ConnectTo = node_01
BindToAddress = 192.168.215.155
AddressFamily = ipv4

Step 2 – Create the public and private key

sudo tincd -n vpn0 -K4096

Sample outputs:

Generating 4096 bits keys:
....................++++ p
......................................................................++++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/vpn0/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/vpn0/hosts/node_02]:

Step 3 – Setup IP addresses for vpn0

Edit the config file:

sudo vi /etc/tinc/vpn0/hosts/node_02

Add the following IP address and port number:

Subnet = 172.16.1.2/32
Port = 655
-----BEGIN RSA PUBLIC KEY-----
MIICC..........................................................0
...
..
....
9z............................................................==
-----END RSA PUBLIC KEY-----

Step 4 – Create network interface control scripts

Create a tinc-up script:

sudo vi /etc/tinc/vpn0/tinc-up

Append the following shell script to set up IP and routing when vpn0 interface comes online:

#!/bin/sh
#
# Must use IP 172.16.1.2, which is set up in /etc/tinc/vpn0/hosts/node_02
#
/sbin/ip link set $INTERFACE up
/sbin/ip addr add 172.16.1.2/32 dev $INTERFACE
/sbin/ip route add 172.16.1.0/24 dev $INTERFACE

Create a tinc-down script:

sudo vi /etc/tinc/vpn0/tinc-down

Append the following shell script content using ip command:

#!/bin/sh
#
# Remove IP and routing. IP must be from /etc/tinc/vpn0/hosts/node_02
#
/sbin/ip route del 172.16.1.0/24 dev $INTERFACE
/sbin/ip addr del 172.16.1.2/32 dev $INTERFACE
/sbin/ip link set $INTERFACE down

Set the executable permission using the following chmod command:

sudo chmod -v +x /etc/tinc/vpn0/tinc-{up,down}

Sample outputs:

mode of '/etc/tinc/vpn0/tinc-up' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)
mode of '/etc/tinc/vpn0/tinc-down' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)

Step 5 – Update firewall rules

Open TCP/UDP ports using bash for loop:

for p in tcp udp
do
    sudo ufw allow from 192.168.202.30 to port 655 proto $p comment "Open $p port 655 for serverB"
done

Allow full vpn traffic between two IP address:

sudo ufw allow from 172.16.1.1 to 172.16.1.2 comment 'Allow other vpn node to talk serverB fully'
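The serverA and serverB sections above each write four files by hand (tinc.conf, hosts/<Name>, tinc-up and tinc-down), and the comments in tinc-up stress that the VPN IP in the script must be the one declared as Subnet in hosts/<Name>. The following is an added example, not code from the original article or from the tinc project: it renders all four files for a node from one set of values and then checks that Name, Subnet and the addresses in tinc-up/tinc-down agree before the service is started. It writes to a scratch directory (an assumption standing in for /etc/tinc/vpn0) and does not generate keys; that step is still tincd -n vpn0 -K4096.

```shell
#!/bin/sh
# Added example, not from the original article: render one node's tinc files
# (tinc.conf, hosts/<Name>, tinc-up, tinc-down) from a single set of values and
# then check that the VPN IP in hosts/<Name> matches the one in tinc-up/tinc-down.
# Everything is written under a scratch directory, never under /etc/tinc.
# The key pair is not generated here; run "tincd -n vpn0 -K4096" for that.
set -eu

VPN_NET="172.16.1.0/24"   # route added on the tunnel, as in the article

# render_node_config NAME BIND_ADDR VPN_IP OUTDIR [CONNECT_TO]
#   NAME       tinc node name (node_01, node_02)
#   BIND_ADDR  private eth1 address the daemon binds to
#   VPN_IP     this node's address on vpn0 (Subnet = VPN_IP/32)
#   OUTDIR     directory that plays the role of /etc/tinc/vpn0
#   CONNECT_TO optional: node this daemon connects to (serverB -> node_01)
render_node_config() {
    name=$1; bind_addr=$2; vpn_ip=$3; out=$4; connect_to=${5:-}
    mkdir -p "$out/hosts"

    {
        echo "Name = $name"
        echo "Device = /dev/net/tun"
        if [ -n "$connect_to" ]; then
            echo "ConnectTo = $connect_to"
        fi
        echo "## private ip of eth1 ##"
        echo "BindToAddress = $bind_addr"
        echo "AddressFamily = ipv4"
    } > "$out/tinc.conf"

    {
        echo "Address = $bind_addr"
        echo "Subnet = $vpn_ip/32"
        echo "Port = 655"
        echo "# tincd -n vpn0 -K4096 appends the RSA public key below this line"
    } > "$out/hosts/$name"

    cat > "$out/tinc-up" <<EOF
#!/bin/sh
# Must use IP $vpn_ip, which is set up in hosts/$name
/sbin/ip link set \$INTERFACE up
/sbin/ip addr add $vpn_ip/32 dev \$INTERFACE
/sbin/ip route add $VPN_NET dev \$INTERFACE
EOF

    cat > "$out/tinc-down" <<EOF
#!/bin/sh
# Remove IP and routing; IP must be the one from hosts/$name
/sbin/ip route del $VPN_NET dev \$INTERFACE
/sbin/ip addr del $vpn_ip/32 dev \$INTERFACE
/sbin/ip link set \$INTERFACE down
EOF
    chmod 755 "$out/tinc-up" "$out/tinc-down"
}

# check_node_config OUTDIR NAME
# Returns 0 when Name in tinc.conf, Subnet in hosts/NAME and the addresses in
# tinc-up/tinc-down all agree and both scripts are executable; 1 otherwise.
check_node_config() {
    out=$1; name=$2
    grep -q "^Name = $name\$" "$out/tinc.conf" || return 1
    subnet_ip=$(sed -n 's|^Subnet = \([0-9.]*\)/32$|\1|p' "$out/hosts/$name")
    up_ip=$(sed -n 's|^/sbin/ip addr add \([0-9.]*\)/32 .*|\1|p' "$out/tinc-up")
    down_ip=$(sed -n 's|^/sbin/ip addr del \([0-9.]*\)/32 .*|\1|p' "$out/tinc-down")
    [ -n "$subnet_ip" ] || return 1
    [ "$subnet_ip" = "$up_ip" ] || return 1
    [ "$subnet_ip" = "$down_ip" ] || return 1
    [ -x "$out/tinc-up" ] || return 1
    [ -x "$out/tinc-down" ] || return 1
    return 0
}

# Demo with the article's two nodes, written to a temporary directory.
demo=$(mktemp -d)
render_node_config node_01 192.168.202.30 172.16.1.1 "$demo/serverA"
render_node_config node_02 192.168.215.155 172.16.1.2 "$demo/serverB" node_01
for n in serverA:node_01 serverB:node_02; do
    dir=${n%%:*}; node=${n#*:}
    if check_node_config "$demo/$dir" "$node"; then
        echo "$node: hosts/$node, tinc-up and tinc-down agree"
    else
        echo "$node: MISMATCH, fix before starting tinc@vpn0"
    fi
done
```

To use it against a real node, point OUTDIR at /etc/tinc/vpn0 (as root) and run check_node_config after tincd -K has appended the key; the check reads only the Subnet, Name and ip lines, so the key block does not affect it.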

Copy host files to the other hosts

You must copy /etc/tinc/vpn0/hosts/node_01 to serverB. Use the scp command on serverA:

scp /etc/tinc/vpn0/hosts/node_01 vivek@serverB:/tmp/

ssh -t vivek@serverB sudo mv -v /tmp/node_01 /etc/tinc/vpn0/hosts/

You must copy /etc/tinc/vpn0/hosts/node_02 to serverA. Use the scp command (type command on serverB):

scp /etc/tinc/vpn0/hosts/node_02 vivek@serverA:/tmp/

ssh -t vivek@serverA sudo mv -v /tmp/node_02 /etc/tinc/vpn0/hosts/

Enable and start tinc service (type it on both serverA and serverB)

Use the systemctl command to enable the tinc@vpn0 instance (the tinc@ template unit runs one service instance per network name):

sudo systemctl enable tinc@vpn0

Start tinc:

sudo systemctl start tinc@vpn0

Stop or restart tinc:

sudo systemctl stop tinc@vpn0

sudo systemctl restart tinc@vpn0

Find the status of tinc:

sudo systemctl status tinc@vpn0

Verify it using the ps command/pgrep command and the netstat command/ss command:

ps aux | grep tincd

ss -tulpn
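The ss -tulpn output is also where you confirm that BindToAddress took effect: tincd should show a TCP and a UDP socket on port 655 bound to the private eth1 address only, not to 0.0.0.0 or the public IP. The following is an added example, not code from the original article or from the tinc project: a small check that parses ss -tulpn text and reports whether tincd is bound as expected. The two sample outputs are constructed for the serverA values used above.

```shell
#!/bin/sh
# Added example, not from the original article: confirm from "ss -tulpn" output
# that tincd is listening on TCP and UDP port 655 and only on the BindToAddress
# from tinc.conf (the private eth1 address), not on 0.0.0.0 or the public IP.
set -eu

# check_tinc_listen BIND_ADDR PORT SS_OUTPUT
# SS_OUTPUT is the text of "ss -tulpn". Returns 0 when tincd has a tcp and a
# udp socket on BIND_ADDR:PORT and no tincd socket anywhere else; 1 otherwise.
check_tinc_listen() {
    bind_addr=$1; port=$2; ss_out=$3
    want="$bind_addr:$port"
    tincd_lines=$(printf '%s\n' "$ss_out" | grep '"tincd"' || true)
    [ -n "$tincd_lines" ] || return 1          # daemon not running or not bound
    # field 5 of ss -tulpn is "Local Address:Port"; every tincd socket must match
    printf '%s\n' "$tincd_lines" |
        awk -v want="$want" 'BEGIN { bad = 0 } $5 != want { bad = 1 } END { exit bad }' || return 1
    printf '%s\n' "$tincd_lines" | grep -q '^tcp' || return 1   # TCP meta connection
    printf '%s\n' "$tincd_lines" | grep -q '^udp' || return 1   # UDP data tunnel
    return 0
}

# Constructed sample output for serverA (BindToAddress = 192.168.202.30); the
# sshd line stands in for the other services a real host would show.
good_ss=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      192.168.202.30:655  0.0.0.0:*         users:(("tincd",pid=1234,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      128    192.168.202.30:655  0.0.0.0:*         users:(("tincd",pid=1234,fd=4))
EOF
)

# Constructed sample of a misconfiguration: BindToAddress missing, so tincd
# accepts connections on every interface, including the public one.
bad_ss=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:655        0.0.0.0:*         users:(("tincd",pid=1234,fd=5))
tcp   LISTEN 0      128    0.0.0.0:655        0.0.0.0:*         users:(("tincd",pid=1234,fd=4))
EOF
)

for sample in good bad; do
    if [ "$sample" = good ]; then out=$good_ss; else out=$bad_ss; fi
    if check_tinc_listen 192.168.202.30 655 "$out"; then
        echo "$sample sample: tincd bound only to 192.168.202.30:655"
    else
        echo "$sample sample: tincd is not bound as expected, check BindToAddress"
    fi
done
```

On a live node run it as check_tinc_listen 192.168.202.30 655 "$(sudo ss -tulpn)" (root is needed for ss to show process names); a non-zero return means either the daemon is down or it is reachable on an interface the ufw rules above were not written for.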

Use the ping command to make sure you can reach to each node:

ping vpn1

ping vpn2

ping 172.16.1.1

ping 172.16.1.2



Conclusion

And there you have it. You learned how to install and set up a tinc VPN along with the firewall configuration on Ubuntu 18.04 and 20.04 LTS. See the tinc documentation for more information.


