Tinc and OpenWRT
Florian Klink
flokli at flokli.de
Sat Jun 13 11:26:34 CEST 2015
Hey Saverio,
I'd really like the idea of a tinc-1.1-pre package for OpenWRT. I'm
currently using tinc-1.1 with an Ed25519-only network, really like the
new features and CLI and want to add some OpenWRT routers into the mix.
How do you plan to handle things with OpenSSL?
tinc-1.1 from git should be able to compile without it (but will then
only support the built-in algorithms). Depending on device restrictions,
such a version could also be very interesting.
Florian
On 30.01.2015 at 14:46, Saverio Proto wrote:
> Hello Jonathan,
>
> I will probably make a tinc 1.1 OpenWrt package soon. I am already
> maintainer for the 1.0 package.
>
> If you want to read about how to make the package there is this very
> good documentation:
>
> http://wiki.prplfoundation.org/wiki/Creating_an_OpenWrt_package_for_a_web_page
>
> Saverio
>
>
>
> 2015-01-29 19:02 GMT+01:00 Jonathan Clark <tinc-list at heyjonathan.com>:
>> On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
>>> I use the Tinc 1.0 series since I don't want to support my
>>> own packages. <snip>
>>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>>> what I still use. Since then . . .
>>
>> Ok. I think I'll start with the 1.0 series packages that are already
>> out there and get them working.
>>
>> and on Tue, Jan 27, 2015, Lance wrote:
>>> The scripts used to create these binaries are here if you'd like to recreate
>>> them.
>>> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
>>> https://github.com/lancethepants/tinc-arm-musl-static
>>
>> Thanks. I'll start playing with those once I succeed (or otherwise)
>> with the pre-packaged stuff.
>>
>> On Tue, Jan 27, 2015 at 10:12 AM, Sandy McArthur Jr <sandy at mcarthur.org> wrote:
>>> Jonathan,
>>> I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt
>>> installed. I use the Tinc 1.0 series since I don't want to support my
>>> own packages.
>>>
>>> OpenWrt has a nice unified configuration system. Tinc has a nice
>>> configuration directory structure. What OpenWrt has done to merge
>>> these two concepts overcomplicates things, and generally sucks.
>>>
>>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>>> what I still use. Since then I wrote the script below to help automate
>>> adding of new hosts in a network.
>>>
>>> A tip I've found when putting tinc on your gateway device is to bind
>>> to several ports so you have options with mobile devices when they are
>>> behind firewalls that block low ports. I tend to use 655 (tinc), 1194
>>> (openvpn), 65500 (tinc * 100 so it's a high port number). Be careful
>>> how you use this as some older versions of Tinc on OpenWrt crash on
>>> startup when the .../NETWORK/hosts/NODENAME file lists multiple
>>> "Address = .... : [port]" lines.
>>>
>>> Also, I like to have a backup method to find and remote to an OpenWrt
>>> device (ddns and ssh) but if you allow ssh from the internet to your
>>> gateway, it will get slammed on with logins by brute force all the
>>> time. This is a good reason to make use of SSH-Keys and disallow
>>> password authentication in the Dropbear config (option
>>> RootPasswordAuth 'off').
>>>
>>> Finally, some of my Tinc deployments are at locations that are not
>>> staffed by technical people and would take me 3+ hours to travel to. I
>>> now always configure these devices to daily reboot and they often have
>>> a second Tinc network configured with a minimal, known good config
>>> that doesn't change that I can use to remotely admin and fix the main
>>> Tinc network config if I botch it up.
>>>
>>>
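>>> #!/bin/sh
>>> # Register every tinc host file as a tinc-host section in UCI.
>>>
>>> for network in /etc/tinc/*/
>>> do
>>>     [ -d "$network" ] || continue   # glob matched nothing
>>>     netname=$(basename "$network")
>>>     echo "Tinc Network Name: $netname"
>>>
>>>     for host in "/etc/tinc/$netname/hosts/"*
>>>     do
>>>         [ -e "$host" ] || continue   # empty hosts directory
>>>         hostname=$(basename "$host")
>>>         echo "Tinc Network $netname Host: $hostname"
>>>
>>>         # Only add hosts that have no UCI section yet
>>>         if ! uci -q get "tinc.$hostname" >/dev/null
>>>         then
>>>             uci set "tinc.$hostname=tinc-host"
>>>             uci set "tinc.$hostname.net=$netname"
>>>             uci set "tinc.$hostname.enabled=1"
>>>             uci commit
>>>         fi
>>>
>>>     done # for host
>>>
>>> done # for network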
>>>
>>> On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark
>>> <tinc-list at heyjonathan.com> wrote:
>>>> Greetings.
>>>>
>>>> I'm new to tinc, but have so far managed to get a couple laptops and a
>>>> hosted server all connected. They're working as expected, running
>>>> Tinc 1.1-pre11, which I compiled from source.
>>>>
>>>> Next I want to move on to adding my home router into the mix. My
>>>> routers run OpenWRT. I don't have experience compiling anything from
>>>> source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.
>>>>
>>>> With that in mind, which direction should I move next? I think my options are:
>>>>
>>>> (option a)
>>>> Switch my existing/working Tinc setup to using RSA keys (instead of
>>>> Ed25519) so they can talk to the 1.0.25 packages available on OpenWRT,
>>>> and then go on to figure out how to get the already-packaged Tinc
>>>> 1.0.25 working on my router.
>>>>
>>>> or
>>>> (option b)
>>>> Take a detour and learn how to cross-compile things for OpenWRT. Use
>>>> this new knowledge to install Tinc 1.1pre11 onto my router. Feel
>>>> accomplished.
>>>>
>>>> or something else?
>>>>
>>>> I'm exploring this mainly for the fun of figuring it out, so there's
>>>> no deadline or even a business reason to succeed. Does that suggest I
>>>> should tackle option a, and then go ahead and try option b, resulting
>>>> in twice the fun and sense of accomplishment?
>>>>
>>>> And, overall, how difficult are each of these options?
>>>>
>>>> Thanks, by the way, for all your work. From what I've seen so far,
>>>> this project is pretty impressive.
>>>>
>>>> Jonathan
>>>> Kingston, New York, USA
>>>> _______________________________________________
>>>> tinc mailing list
>>>> tinc at tinc-vpn.org
>>>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>>
>>>
>>>
>>> --
>>> Sandy McArthur, Jr.
>>>
>>> "No nation could preserve its freedom in the midst of continual warfare."
>>> - Letters and Other Writings of James Madison (1865), Vol. IV, p. 491
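The Dropbear tip quoted in the thread above (SSH keys plus `option RootPasswordAuth 'off'`), turned into a config check. This is an added example, not code from any of the messages; `PasswordAuth` is Dropbear's companion UCI option and is not mentioned in the thread, the sample config is constructed, and treating an unset option as "on" is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: classify each Dropbear instance in an
# OpenWrt UCI config by which password logins it still accepts.
# Assumption: an option that is not set counts as "on".

audit_dropbear() {   # usage: audit_dropbear FILE; status 1 if any WEAK
    awk -v q="'" '
    function unq(s,  c) {          # strip one pair of matching quotes
        c = substr(s, 1, 1)
        if ((c == q || c == "\"") && substr(s, length(s)) == c)
            s = substr(s, 2, length(s) - 2)
        return s
    }
    function is_off(v) { return v ~ /^(off|0|no|false|disabled)$/ }
    function report() {            # verdict for the section just read
        if (!insec) return
        n++
        if (is_off(pw))          print "OK      #" n ": no password logins"
        else if (is_off(rootpw)) print "PARTIAL #" n ": root off, other accounts on"
        else { print "WEAK    #" n ": root password login on"; bad = 1 }
    }
    $1 == "config" { report(); insec = (unq($2) == "dropbear"); pw = rootpw = "on" }
    insec && $1 == "option" && unq($2) == "PasswordAuth"     { pw = unq($3) }
    insec && $1 == "option" && unq($2) == "RootPasswordAuth" { rootpw = unq($3) }
    END { report(); exit (bad ? 1 : 0) }
    ' "$1"
}

sample_config() {   # constructed sample with three instances
    cat <<'EOF'
config dropbear
    option Port '22'
    option RootPasswordAuth 'off'

config dropbear
    option Port '2222'
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'

config dropbear
    option Port '2200'
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_dropbear "$tmp" || echo "root password login is still possible"
rm -f "$tmp"
```

On a router the function would be pointed at `/etc/config/dropbear`.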