Tinc and OpenWRT
Saverio Proto
zioproto at gmail.com
Fri Jan 30 14:46:20 CET 2015
Hello Jonathan,
I will probably make a tinc 1.1 OpenWrt package soon. I am already
maintainer for the 1.0 package.
If you want to read about how to make the package there is this very
good documentation:
http://wiki.prplfoundation.org/wiki/Creating_an_OpenWrt_package_for_a_web_page
Saverio
2015-01-29 19:02 GMT+01:00 Jonathan Clark <tinc-list at heyjonathan.com>:
> On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
>> I use the Tinc 1.0 series since I don't want to support my
>> own packages. <snip>
>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>> what I still use. Since then . . .
>
> Ok. I think I'll start with the 1.0 series packages that are already
> out there and get them working.
>
> and on Tue, Jan 27, 2015, Lance wrote:
>> The scripts used to create these binaries are here if you'd like to recreate
>> them.
>> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
>> https://github.com/lancethepants/tinc-arm-musl-static
>
> Thanks. I'll start playing with those once I succeed (or otherwise)
> with the pre-packaged stuff.
>
> On Tue, Jan 27, 2015 at 10:12 AM, Sandy McArthur Jr <sandy at mcarthur.org> wrote:
>> Jonathan,
>> I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt
>> installed. I use the Tinc 1.0 series since I don't want to support my
>> own packages.
>>
>> OpenWrt has a nice unified configuration system. Tinc has a nice
>> configuration directory structure. What OpenWrt has done to merge
>> these two concepts overcomplicates things, and generally sucks.
>>
>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>> what I still use. Since then I wrote the script below to help automate
>> adding of new hosts in a network.
>>
>> A tip I've found when putting tinc on your gateway device is to bind
>> to several ports so you have options with mobile devices when they are
>> behind firewalls that block low ports. I tend to use 655 (tinc), 1194
>> (openvpn), 65500 (tinc * 100 so it's a high port number). Be careful
>> how you use this as some older versions of Tinc on OpenWrt crash on
>> startup when the .../NETWORK/hosts/NODENAME file lists multiple
>> "Address = .... : [port]" lines.
>>
>> Also, I like to have a backup method to find and remote to an OpenWrt
>> device (ddns and ssh) but if you allow ssh from the internet to your
>> gateway, it will get slammed on with logins by brute force all the
>> time. This is a good reason to make use of SSH-Keys and disallow
>> password authentication in the Dropbear config (option
>> RootPasswordAuth 'off').
>>
>> Finally, some of my Tinc deployments are at locations that are not
>> staffed by technical people and would take me 3+ hours to travel to. I
>> now always configure these devices to daily reboot and they often have
>> a second Tinc network configured with a minimal, known good config
>> that doesn't change that I can use to remotely admin and fix the main
>> Tinc network config if I botch it up.
>>
>>
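>> #!/bin/sh
>> # Register every tinc host file found under /etc/tinc in the OpenWrt UCI config.
>>
>> for network in /etc/tinc/*/
>> do
>>     [ -d "$network" ] || continue   # glob matched nothing
>>     netname=$(basename "$network")
>>     echo "Tinc Network Name: $netname"
>>
>>     for host in "/etc/tinc/$netname/hosts/"*
>>     do
>>         [ -f "$host" ] || continue   # glob matched nothing
>>         hostname=$(basename "$host")
>>         echo "Tinc Network $netname Host: $hostname"
>>
>>         # Add a tinc-host section only when UCI does not have one yet
>>         if ! uci -q get "tinc.$hostname" >/dev/null
>>         then
>>             uci set "tinc.$hostname=tinc-host"
>>             uci set "tinc.$hostname.net=$netname"
>>             uci set "tinc.$hostname.enabled=1"
>>             uci commit
>>         fi
>>
>>     done # for host
>>
>> done # for network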
>>
>> On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark
>> <tinc-list at heyjonathan.com> wrote:
>>> Greetings.
>>>
>>> I'm new to tinc, but have so far managed to get a couple laptops and a
>>> hosted server all connected. They're working as expected, running
>>> Tinc 1.1-pre11, which I compiled from source.
>>>
>>> Next I want to move on to adding my home router into the mix. My
>>> routers run OpenWRT. I don't have experience compiling anything from
>>> source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.
>>>
>>> With that in mind, which direction should I move next? I think my options are:
>>>
>>> (option a)
>>> Switch my existing/working Tinc setup to using RSA keys (instead of
>>> Ed25519) so they can talk to the 1.0.25 packages available on OpenWRT,
>>> and then go on to figure out how to get the already-packaged Tinc
>>> 1.0.25 working on my router.
>>>
>>> or
>>> (option b)
>>> Take a detour and learn how to cross-compile things for OpenWRT. Use
>>> this new knowledge to install Tinc 1.1pre11 onto my router. Feel
>>> accomplished.
>>>
>>> or something else?
>>>
>>> I'm exploring this mainly for the fun of figuring it out, so there's
>>> no deadline or even a business reason to succeed. Does that suggest I
>>> should tackle option a, and then go ahead and try option b, resulting
>>> in twice the fun and sense of accomplishment?
>>>
>>> And, overall, how difficult are each of these options?
>>>
>>> Thanks, by the way, for all your work. From what I've seen so far,
>>> this project is pretty impressive.
>>>
>>> Jonathan
>>> Kingston, New York, USA
>>> _______________________________________________
>>> tinc mailing list
>>> tinc at tinc-vpn.org
>>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
>>
>>
>> --
>> Sandy McArthur, Jr.
>>
>> "No nation could preserve its freedom in the midst of continual warfare."
>> - Letters and Other Writings of James Madison (1865), Vol. IV, p. 491
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
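
Added example, not part of the original thread or of any poster's scripts: a small audit for the two pitfalls Sandy describes in the quoted message, Dropbear still accepting passwords and a tinc host file carrying several Address lines. The function names, the sample file contents, the host name gw.example.net and the rule that an absent option counts as enabled are assumptions made for the example; `PasswordAuth` is checked alongside the `RootPasswordAuth` option named in the thread.

```shell
#!/bin/sh
# Added example: check an OpenWrt box for the two pitfalls raised in the thread.
# All sample file contents below are constructed for the demo.

# Exit 0 only if OPTION is set in FILE and every setting turns it off.
# Assumption: an option that is absent counts as enabled.
option_is_off() {   # usage: option_is_off FILE OPTION
    awk -v opt="$2" -v q="'" '
        $1 == "option" && $2 == opt {
            seen = 1
            v = $3; gsub("[\"" q "]", "", v)
            if (v !~ /^(off|0|no|false|disabled)$/) bad = 1
        }
        END { exit !(seen && !bad) }' "$1"
}

# Count Address lines in a tinc host file; several of them are what the
# thread says makes some older tinc builds on OpenWrt crash at startup.
address_count() {   # usage: address_count HOSTFILE
    grep -ci '^[[:space:]]*Address[[:space:]=]' "$1" || true
}

# Print one line per finding; print nothing when both checks pass.
audit() {           # usage: audit DROPBEAR_CONFIG TINC_HOSTFILE
    for opt in PasswordAuth RootPasswordAuth; do
        option_is_off "$1" "$opt" || echo "dropbear: $opt is not off"
    done
    n=$(address_count "$2")
    [ "$n" -le 1 ] || echo "tinc: $n Address lines in $(basename "$2")"
}

# Constructed sample files: a password-enabled dropbear config and a host
# file that listens on the three ports named in the thread.
make_samples() {    # usage: make_samples DIR
    printf "config dropbear\n\toption PasswordAuth 'on'\n\toption RootPasswordAuth 'off'\n\toption Port '22'\n" > "$1/dropbear"
    printf 'Address = gw.example.net 655\nAddress = gw.example.net 1194\nAddress = gw.example.net 65500\nSubnet = 10.0.0.1/32\n' > "$1/gateway"
}

demo=$(mktemp -d)
make_samples "$demo"
audit "$demo/dropbear" "$demo/gateway"
rm -rf "$demo"
```

On a router the same call would be `audit /etc/config/dropbear /etc/tinc/NETWORK/hosts/NODENAME`, with the two placeholders replaced by the local names.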