Tinc and OpenWRT
Jonathan Clark
tinc-list at heyjonathan.com
Thu Jan 29 19:02:58 CET 2015
On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
> I use the Tinc 1.0 series since I don't want to support my
> own packages. <snip>
> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
> what I still use. Since then . . .
Ok. I think I'll start with the 1.0 series packages that are already
out there and get them working.
and on Tue, Jan 27, 2015, Lance wrote:
> The scripts used to create these binaries are here if you'd like to recreate
> them.
> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
> https://github.com/lancethepants/tinc-arm-musl-static
Thanks. I'll start playing with those once I succeed (or otherwise)
with the pre-packaged stuff.
On Tue, Jan 27, 2015 at 10:12 AM, Sandy McArthur Jr <sandy at mcarthur.org> wrote:
> Jonathan,
> I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt
> installed. I use the Tinc 1.0 series since I don't want to support my
> own packages.
>
> OpenWrt has a nice unified configuration system. Tinc has a nice
> configuration directory structure. What OpenWrt has done to merge
> these two concepts over complicates things, and generally sucks.
>
> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
> what I still use. Since then I wrote the script below to help automate
> adding of new hosts in a network.
>
> A tip I've found when putting tinc on your gateway device is to bind
> to several ports so you have options with mobile devices when they are
> behind firewalls that block low ports. I tend to use 655 (tinc), 1194
> (openvpn), 65500 (tinc * 100 so it's a high port number) . Be careful
> how you use this as some older versions of Tinc on OpenWrt crash on
> startup when the .../NETWORK/hosts/NODENAME file lists multiple
> "Address = .... : [port]" lines.
>
> Also, I like to have a backup method to find and remote to an OpenWrt
> device (ddns and ssh) but if you allow ssh from the internet to your
> gateway, it will get slammed on with logins by brute force all the
> time. This is a good reason to make use of SSH-Keys and disallow
> password authentication in the Dropbear config (option
> RootPasswordAuth 'off').
>
> Finally, some of my Tinc deployments are at locations that are not
> staffed by technical people and would take me 3+ hours to travel to. I
> now always configure these devices to daily reboot and they often have
> a second Tinc network configured with a minimal, known good config
> that doesn't change that I can use to remotely admin and fix the main
> Tinc network config if I botch it up.
>
>
> #!/bin/sh
>
> for network in /etc/tinc/*/
> do
> netname=`basename $network`
> echo Tinc Network Name: $netname
>
> for host in /etc/tinc/$netname/hosts/*
> do
> hostname=`basename $host`
> echo Tinc Network $netname Host: $hostname
>
> if [ ! `uci get tinc.$hostname` ]
> then
> uci set tinc.$hostname=tinc-host
> uci set tinc.$hostname.net=$netname
> uci set tinc.$hostname.enabled=1
> uci commit
>
> fi
>
> done # for host
>
> done # for network
>
> On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark
> <tinc-list at heyjonathan.com> wrote:
>> Greetings.
>>
>> I'm new to tinc, but have so far managed to get a couple laptops and a
>> hosted server all connected. They're working as expected, running
>> Tinc 1.1-pre11, which I compiled from source.
>>
>> Next I want to move on to adding my home router into the mix. My
>> routers run OpenWRT. I don't have experience compiling anything from
>> source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.
>>
>> With that in mind, which direction should I move next? I think my options are:
>>
>> (option a)
>> Switch my existing/working Tinc setup to using RSA keys (instead of
>> Ed25519) so they can talk to the 1.0.25 packages available on OpenWRT,
>> and then go on to figure out how to get the already-packaged Tinc
>> 1.0.25 working on my router.
>>
>> or
>> (option b)
>> Take a detour and learn how to cross-compile things for OpenWRT. Use
>> this new knowledge to install Tinc 1.1pre11 onto my router. Feel
>> accomplished.
>>
>> or something else?
>>
>> I'm exploring this mainly for the fun of figuring it out, so there's
>> no deadline or even a business reason to succeed. Does that suggest I
>> should tackle option a, and then go ahead and try option b, resulting
>> in twice the fun and sense of accomplishment?
>>
>> And, overall, how difficult are each of these options?
>>
>> Thanks, by the way, for all your work. From what I've seen so far,
>> this project is pretty impressive.
>>
>> Jonathan
>> Kingston, New York, USA
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
>
> --
> Sandy McArthur, Jr.
>
> "No nation could preserve its freedom in the midst of continual warfare."
> - Letters and Other Writings of James Madison (1865), Vol. IV, p. 491
More information about the tinc
mailing list