Tinc and OpenWRT
shikkc
shikkc at kirktis.net
Mon Jun 15 11:48:29 CEST 2015
I already have a package made; if anyone would like me to, I could submit it.
On 2015-06-13 17:26, Florian Klink wrote:
> Hey Saverio,
>
> I'd really like the idea of a tinc-1.1-pre package for OpenWRT. I'm
> currently using tinc-1.1 with an Ed25519-only network, really like the
> new features and CLI and want to add some OpenWRT routers into the mix.
>
> How do you plan to handle things with OpenSSL?
> tinc-1.1 from git should be able to compile without it (but will then
> only support the built-in algorithms). Depending on device restrictions,
> such a version could also be very interesting.
>
> Florian
>
>
>
> On 30.01.2015 at 14:46, Saverio Proto wrote:
>> Hello Jonathan,
>>
>> I will probably make a tinc 1.1 OpenWrt package soon. I am already
>> maintainer for the 1.0 package.
>>
>> If you want to read about how to make the package there is this very
>> good documentation:
>>
>> http://wiki.prplfoundation.org/wiki/Creating_an_OpenWrt_package_for_a_web_page
>>
>> Saverio
>>
>>
>>
>> 2015-01-29 19:02 GMT+01:00 Jonathan Clark <tinc-list at heyjonathan.com>:
>>> On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
>>>> I use the Tinc 1.0 series since I don't want to support my
>>>> own packages. <snip>
>>>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>>>> what I still use. Since then . . .
>>>
>>> Ok. I think I'll start with the 1.0 series packages that are already
>>> out there and get them working.
>>>
>>> and on Tue, Jan 27, 2015, Lance wrote:
>>>> The scripts used to create these binaries are here if you'd like to
>>>> recreate
>>>> them.
>>>> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
>>>> https://github.com/lancethepants/tinc-arm-musl-static
>>>
>>> Thanks. I'll start playing with those once I succeed (or otherwise)
>>> with the pre-packaged stuff.
>>>
>>> On Tue, Jan 27, 2015 at 10:12 AM, Sandy McArthur Jr <sandy at mcarthur.org>
>>> wrote:
>>>> Jonathan,
>>>> I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt
>>>> installed. I use the Tinc 1.0 series since I don't want to support my
>>>> own packages.
>>>>
>>>> OpenWrt has a nice unified configuration system. Tinc has a nice
>>>> configuration directory structure. What OpenWrt has done to merge
>>>> these two concepts overcomplicates things, and generally sucks.
>>>>
>>>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>>>> what I still use. Since then I wrote the script below to help automate
>>>> adding of new hosts in a network.
>>>>
>>>> A tip I've found when putting tinc on your gateway device is to bind
>>>> to several ports so you have options with mobile devices when they are
>>>> behind firewalls that block low ports. I tend to use 655 (tinc), 1194
>>>> (openvpn), 65500 (tinc * 100 so it's a high port number). Be careful
>>>> how you use this as some older versions of Tinc on OpenWrt crash on
>>>> startup when the .../NETWORK/hosts/NODENAME file lists multiple
>>>> "Address = .... : [port]" lines.
>>>>
>>>> Also, I like to have a backup method to find and remote to an OpenWrt
>>>> device (ddns and ssh) but if you allow ssh from the internet to your
>>>> gateway, it will get slammed on with logins by brute force all the
>>>> time. This is a good reason to make use of SSH-Keys and disallow
>>>> password authentication in the Dropbear config (option
>>>> RootPasswordAuth 'off').
>>>>
>>>> Finally, some of my Tinc deployments are at locations that are not
>>>> staffed by technical people and would take me 3+ hours to travel to. I
>>>> now always configure these devices to daily reboot and they often have
>>>> a second Tinc network configured with a minimal, known good config
>>>> that doesn't change that I can use to remotely admin and fix the main
>>>> Tinc network config if I botch it up.
>>>>
>>>>
>>>> #!/bin/sh
>>>> # Register every host file under /etc/tinc/<net>/hosts/ as a UCI tinc-host section.
>>>>
>>>> for network in /etc/tinc/*/
>>>> do
>>>>     netname=$(basename "$network")
>>>>     echo "Tinc Network Name: $netname"
>>>>
>>>>     for host in "/etc/tinc/$netname/hosts/"*
>>>>     do
>>>>         [ -e "$host" ] || continue   # hosts/ is empty, the glob matched nothing
>>>>         hostname=$(basename "$host")
>>>>         echo "Tinc Network $netname Host: $hostname"
>>>>
>>>>         # Add the section only when UCI does not already have it
>>>>         if ! uci -q get "tinc.$hostname" >/dev/null
>>>>         then
>>>>             uci set "tinc.$hostname=tinc-host"
>>>>             uci set "tinc.$hostname.net=$netname"
>>>>             uci set "tinc.$hostname.enabled=1"
>>>>             uci commit
>>>>         fi
>>>>
>>>>     done # for host
>>>>
>>>> done # for network
>>>>
>>>> On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark
>>>> <tinc-list at heyjonathan.com> wrote:
>>>>> Greetings.
>>>>>
>>>>> I'm new to tinc, but have so far managed to get a couple laptops and a
>>>>> hosted server all connected. They're working as expected, running
>>>>> Tinc 1.1-pre11, which I compiled from source.
>>>>>
>>>>> Next I want to move on to adding my home router into the mix. My
>>>>> routers run OpenWRT. I don't have experience compiling anything from
>>>>> source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.
>>>>>
>>>>> With that in mind, which direction should I move next? I think my
>>>>> options are:
>>>>>
>>>>> (option a)
>>>>> Switch my existing/working Tinc setup to using RSA keys (instead of
>>>>> Ed25519) so they can talk to the 1.0.25 packages available on OpenWRT,
>>>>> and then go on to figure out how to get the already-packaged Tinc
>>>>> 1.0.25 working on my router.
>>>>>
>>>>> or
>>>>> (option b)
>>>>> Take a detour and learn how to cross-compile things for OpenWRT. Use
>>>>> this new knowledge to install Tinc 1.1pre11 onto my router. Feel
>>>>> accomplished.
>>>>>
>>>>> or something else?
>>>>>
>>>>> I'm exploring this mainly for the fun of figuring it out, so there's
>>>>> no deadline or even a business reason to succeed. Does that suggest I
>>>>> should tackle option a, and then go ahead and try option b, resulting
>>>>> in twice the fun and sense of accomplishment?
>>>>>
>>>>> And, overall, how difficult are each of these options?
>>>>>
>>>>> Thanks, by the way, for all your work. From what I've seen so far,
>>>>> this project is pretty impressive.
>>>>>
>>>>> Jonathan
>>>>> Kingston, New York, USA
>>>>> _______________________________________________
>>>>> tinc mailing list
>>>>> tinc at tinc-vpn.org
>>>>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>>>
>>>>
>>>>
>>>> --
>>>> Sandy McArthur, Jr.
>>>>
>>>> "No nation could preserve its freedom in the midst of continual warfare."
>>>> - Letters and Other Writings of James Madison (1865), Vol. IV, p. 491
--
-shikkc
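
The Dropbear advice quoted above (SSH keys only, `option RootPasswordAuth 'off'`) can be checked mechanically. The following is an added example, not part of the original thread: a POSIX shell function that audits a UCI-format dropbear config for password logins. It assumes an absent option counts as enabled, it also checks `PasswordAuth` (which the thread does not name), and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit a UCI-format dropbear config for password logins.
# Assumption: an absent PasswordAuth/RootPasswordAuth option counts as "on".

# audit_dropbear FILE: print one line per weak setting; return 1 if any found.
audit_dropbear() {
    awk '
    function unq(s) { gsub(/["\047]/, "", s); return s }   # strip quotes
    function flush(   i) {
        if (!insec) return
        for (i = 1; i <= 2; i++)
            if (val[opt[i]] !~ /^(0|no|off|false|disabled)$/) {
                printf "instance %d: %s is not off\n", n, opt[i]
                bad = 1
            }
        split("", val)               # clear options before the next section
    }
    BEGIN { opt[1] = "PasswordAuth"; opt[2] = "RootPasswordAuth" }
    $1 == "config" { flush(); insec = (unq($2) == "dropbear"); n += insec; next }
    insec && $1 == "option" { val[unq($2)] = tolower(unq($3)) }
    END { flush(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: instance 1 is hardened, instance 2 only blocks root.
sample_config() {
    cat <<'EOF'
config dropbear
    option Port '22'
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'

config dropbear
    option Port '2222'
    option Interface 'wan'
    option RootPasswordAuth "0"
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
if audit_dropbear "$tmp"; then echo "OK: key-only logins"; else echo "FAIL: see findings above"; fi
rm -f "$tmp"
```

On a router the function would be pointed at `/etc/config/dropbear`.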