Tinc and OpenWRT

shikkc shikkc at kirktis.net
Mon Jun 15 11:48:29 CEST 2015


I already have a package made; if anyone would like me to, I could submit it.

On 2015-06-13 17:26, Florian Klink wrote:
> Hey Saverio,
> 
> I'd really like the idea of a tinc-1.1-pre package for OpenWRT. I'm
> currently using tinc-1.1 with an Ed25519-only network, really like the
> new features and CLI and want to add some OpenWRT routers into the mix.
> 
> How do you plan to handle things with OpenSSL?
> tinc-1.1 from git should be able to compile without it (but will then
> only support the built-in algorithms). Depending on device restrictions,
> such a version could also be very interesting.
> 
> Florian
> 
> 
> 
> On 30.01.2015 at 14:46, Saverio Proto wrote:
>> Hello Jonathan,
>> 
>> I will probably make a tinc 1.1 OpenWrt package soon. I am already
>> maintainer for the 1.0 package.
>> 
>> If you want to read about how to make the package there is this very
>> good documentation:
>> 
>> http://wiki.prplfoundation.org/wiki/Creating_an_OpenWrt_package_for_a_web_page
>> 
>> Saverio
>> 
>> 
>> 
>> 2015-01-29 19:02 GMT+01:00 Jonathan Clark <tinc-list at heyjonathan.com>:
>>> On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
>>>> I use the Tinc 1.0 series since I don't want to support my
>>>> own packages.  <snip>
>>>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>>>> what I still use. Since then . . .
>>> 
>>> Ok. I think I'll start with the 1.0 series packages that are already
>>> out there and get them working.
>>> 
>>> and on Tue, Jan 27, 2015, Lance wrote:
>>>> The scripts used to create these binaries are here if you'd like to
>>>> recreate them.
>>>> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
>>>> https://github.com/lancethepants/tinc-arm-musl-static
>>> 
>>> Thanks.  I'll start playing with those once I succeed (or otherwise)
>>> with the pre-packaged stuff.
>>> 
>>> On Tue, Jan 27, 2015 at 10:12 AM, Sandy McArthur Jr <sandy at mcarthur.org> wrote:
>>>> Jonathan,
>>>> I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt
>>>> installed. I use the Tinc 1.0 series since I don't want to support my
>>>> own packages.
>>>> 
>>>> OpenWrt has a nice unified configuration system. Tinc has a nice
>>>> configuration directory structure. What OpenWrt has done to merge
>>>> these two concepts overcomplicates things, and generally sucks.
>>>> 
>>>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>>>> what I still use. Since then I wrote the script below to help automate
>>>> adding of new hosts in a network.
>>>> 
>>>> A tip I've found when putting tinc on your gateway device is to bind
>>>> to several ports so you have options with mobile devices when they are
>>>> behind firewalls that block low ports. I tend to use 655 (tinc), 1194
>>>> (openvpn), 65500 (tinc * 100 so it's a high port number). Be careful
>>>> how you use this as some older versions of Tinc on OpenWrt crash on
>>>> startup when the .../NETWORK/hosts/NODENAME file lists multiple
>>>> "Address = .... : [port]" lines.
>>>> 
>>>> Also, I like to have a backup method to find and remote to an OpenWrt
>>>> device (ddns and ssh) but if you allow ssh from the internet to your
>>>> gateway, it will get slammed on with logins by brute force all the
>>>> time. This is a good reason to make use of SSH-Keys and disallow
>>>> password authentication in the Dropbear config (option
>>>> RootPasswordAuth 'off').
>>>> 
>>>> Finally, some of my Tinc deployments are at locations that are not
>>>> staffed by technical people and would take me 3+ hours to travel to. I
>>>> now always configure these devices to daily reboot and they often have
>>>> a second Tinc network configured with a minimal, known good config
>>>> that doesn't change that I can use to remotely admin and fix the main
>>>> Tinc network config if I botch it up.
>>>> 
>>>> 
>>>> #!/bin/sh
>>>> # Register every tinc host file found on disk as a UCI tinc-host section.
>>>> 
>>>> for network in /etc/tinc/*/
>>>> do
>>>>         netname=$(basename "$network")
>>>>         echo "Tinc Network Name: $netname"
>>>> 
>>>>         for host in "/etc/tinc/$netname/hosts/"*
>>>>         do
>>>>                 hostname=$(basename "$host")
>>>>                 echo "Tinc Network $netname Host: $hostname"
>>>> 
>>>>                 # Only add hosts that have no UCI section yet
>>>>                 if ! uci -q get "tinc.$hostname" >/dev/null
>>>>                 then
>>>>                         uci set "tinc.$hostname=tinc-host"
>>>>                         uci set "tinc.$hostname.net=$netname"
>>>>                         uci set "tinc.$hostname.enabled=1"
>>>>                         uci commit
>>>> 
>>>>                 fi
>>>> 
>>>>         done # for host
>>>> 
>>>> done # for network
>>>> 
>>>> On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark
>>>> <tinc-list at heyjonathan.com> wrote:
>>>>> Greetings.
>>>>> 
>>>>> I'm new to tinc, but have so far managed to get a couple laptops and a
>>>>> hosted server all connected.  They're working as expected, running
>>>>> Tinc 1.1-pre11, which I compiled from source.
>>>>> 
>>>>> Next I want to move on to adding my home router into the mix.  My
>>>>> routers run OpenWRT.  I don't have experience compiling anything from
>>>>> source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.
>>>>> 
>>>>> With that in mind, which direction should I move next?  I think my
>>>>> options are:
>>>>> 
>>>>> (option a)
>>>>> Switch my existing/working Tinc setup to using RSA keys (instead of
>>>>> Ed25519) so they can talk to the 1.0.25 packages available on OpenWRT,
>>>>> and then go on to figure out how to get the already-packaged Tinc
>>>>> 1.0.25 working on my router.
>>>>> 
>>>>> or
>>>>> (option b)
>>>>> Take a detour and learn how to cross-compile things for OpenWRT.  Use
>>>>> this new knowledge to install Tinc 1.1pre11 onto my router.  Feel
>>>>> accomplished.
>>>>> 
>>>>> or something else?
>>>>> 
>>>>> I'm exploring this mainly for the fun of figuring it out, so there's
>>>>> no deadline or even a business reason to succeed.  Does that suggest I
>>>>> should tackle option a, and then go ahead and try option b, resulting
>>>>> in twice the fun and sense of accomplishment?
>>>>> 
>>>>> And, overall, how difficult are each of these options?
>>>>> 
>>>>> Thanks, by the way, for all your work.  From what I've seen so far,
>>>>> this project is pretty impressive.
>>>>> 
>>>>> Jonathan
>>>>> Kingston, New York, USA
>>>>> _______________________________________________
>>>>> tinc mailing list
>>>>> tinc at tinc-vpn.org
>>>>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Sandy McArthur, Jr.
>>>> 
>>>> "No nation could preserve its freedom in the midst of continual warfare."
>>>> - Letters and Other Writings of James Madison (1865), Vol. IV, p. 491

-- 
-shikkc
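
The two gateway pitfalls in Sandy McArthur's quoted message (password logins left enabled in the Dropbear config, and multiple "Address =" lines in a tinc host file) can be checked with a short audit script. This is an added example, not code from the thread; the sample files and host names are constructed, and checking PasswordAuth in addition to the RootPasswordAuth option named in the message is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit for the two pitfalls described in the quoted message.
# Sample files are constructed; on a router, pass the real config paths.

# Print the last value set for a UCI option in a config file (empty if unset).
uci_option() {  # $1 = config file, $2 = option name
    awk -v want="$2" '$1 == "option" && $2 == want { print $3 }' "$1" |
        tr -d "\"'" | tail -n 1
}

# Succeed only if the option is explicitly disabled.
auth_disabled() {  # $1 = config file, $2 = option name
    case "$(uci_option "$1" "$2")" in
        off|0) return 0 ;;
        *)     return 1 ;;  # unset or enabled: password logins still accepted
    esac
}

# Count "Address =" lines in a tinc host file (tinc keys are case-insensitive).
count_addresses() {  # $1 = host file
    grep -ciE '^[[:space:]]*Address[[:space:]]*=' "$1" || true
}

# --- constructed sample input ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/dropbear" <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'off'
	option Port '22'
EOF
cat > "$tmp/gateway" <<'EOF'
Address = gw.example.net 655
Address = gw.example.net 1194
Address = gw.example.net 65500
Subnet = 10.0.0.1/32
EOF

auth_disabled "$tmp/dropbear" RootPasswordAuth || echo "WARN: root password login enabled"
auth_disabled "$tmp/dropbear" PasswordAuth || echo "WARN: password login enabled for non-root users"
n=$(count_addresses "$tmp/gateway")
[ "$n" -le 1 ] || echo "NOTE: $n Address lines; confirm this tinc build starts with them"
```
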

