# Company: PowerCraft Technology
# Author: Copyright Jelle de Jong <jelledejong@powercraft.nl>
# Note: Please send me an email if you enhanced the document
# Date: 2010-05-24 / 2010-07-04
# License: CC-BY-SA
# This document is free documentation; you can redistribute it and/or
# modify it under the terms of the Creative Commons Attribution Share
# Alike as published by the Creative Commons Foundation; either version
# 3.0 of the License, or (at your option) any later version.
#
# This document is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# Creative Commons BY-SA License for more details.
#
# https://creativecommons.org/licenses/by-sa/
#-----------------------------------------------------------------------
# for commercial support contact me; part of the revenue goes back to tinc
#-----------------------------------------------------------------------
# https://www.tinc-vpn.org/
# https://www.tinc-vpn.org/documentation/tinc_toc
#-----------------------------------------------------------------------
# this is the configuration of the roxy system
#-----------------------------------------------------------------------
# Drop the locale variables so every tool below prints in the default C/POSIX
# locale — keeps messages grep-able and matching the transcripts pasted later.
unset LANG LANGUAGE LC_ALL
# Refresh the package index, then upgrade. Note the ';': dist-upgrade still
# runs if 'update' fails; prefer '&&' if this is ever scripted instead of typed.
apt-get update; apt-get dist-upgrade
# Inspect the candidate package, then install the build from the 'testing' release.
apt-cache show tinc
apt-get install tinc/testing
#-----------------------------------------------------------------------
# Stop the packaged daemon before touching its configuration; it is started
# again through the init script once the setup below has been tested.
/etc/init.d/tinc stop
#-----------------------------------------------------------------------
# ls -hal /dev/net/tun
crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun
# grep tinc /etc/services
tinc 655/tcp # tinc control port
tinc 655/udp
# getent services tinc/udp
tinc 655/udp
# getent services tinc/tcp
tinc 655/tcp
# Read the packaged documentation and the example tinc-up script first; the
# files written below follow the layout those documents describe.
cat /usr/share/doc/tinc/README.Debian
zcat /usr/share/doc/tinc/README.gz | less
zcat /usr/share/doc/tinc/NEWS.gz | less
cat /usr/share/doc/tinc/examples/tinc-up
w3m /usr/share/doc/tinc/tinc_0.html
#-----------------------------------------------------------------------
# Edit the defaults file (presumably read by /etc/init.d/tinc — see the
# commented 'less' below to confirm). The next line is the setting to put in
# the file, not a command to run here: -d raises tincd's debug level, and the
# extra output lands in syslog (see the tail of /var/log/syslog further down).
vim /etc/default/tinc
EXTRA="-d"
cat /etc/default/tinc
# less /etc/init.d/tinc
#-----------------------------------------------------------------------
# Record interface and routing state before the tunnel exists; the captured
# output follows so it can be compared with the state after tun1 is up.
ifconfig -a
route -n
#-----------------------------------------------------------------------
# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6c
inet addr:84.245.9.246 Bcast:84.245.9.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4863 errors:0 dropped:0 overruns:0 frame:0
TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4302418 (4.1 MiB) TX bytes:303100 (295.9 KiB)
Interrupt:10 Base address:0x1000
eth1 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6d
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:11 Base address:0x1400
eth2 Link encap:Ethernet HWaddr 00:0d:b9:1a:44:6e
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:15 Base address:0x1800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:96572 (94.3 KiB) TX bytes:96572 (94.3 KiB)
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0
#-----------------------------------------------------------------------
# client01 configuration
# nets.boot lists the tinc networks the Debian init script brings up at boot
# (presumably — confirm in README.Debian above). Append ours and re-check.
cat /etc/tinc/nets.boot
echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot
cat /etc/tinc/nets.boot
#-----------------------------------------------------------------------
# Create the per-network configuration tree: tinc.conf for this node and a
# hosts/ directory holding one file per peer (filled in below).
sudo mkdir --verbose /etc/tinc/powercraft01/
sudo mkdir --verbose /etc/tinc/powercraft01/hosts/
sudo touch /etc/tinc/powercraft01/tinc.conf
#-----------------------------------------------------------------------
# on server
# on server: print the server's host file so its contents can be copied over.
cat /etc/tinc/powercraft01/hosts/server01
# on client, copy cert data of server to client
# Paste it into the same path on the client, then prepend the Address lines
# listed below (hostname/IP and port pairs the client will try to reach).
sudo vim /etc/tinc/powercraft01/hosts/server01
# on client, add at the head of the file
Address = powercraft.nl 656
Address = 84.245.3.195 656
Address = tinc-vpn.powercraft.nl 656
Address = powercraft.nl 655
Address = 84.245.3.195 655
Address = tinc-vpn.powercraft.nl 655
#-----------------------------------------------------------------------
# Write the client's tinc.conf: dial out to server01 over a tun/tap device in
# switch (layer-2) mode — the syslog dump further down confirms 'tap mode'.
# The single-quoted multi-line string is written verbatim by tee.
echo 'ConnectTo = server01
Device = /dev/net/tun
Interface = tun1
Mode = switch
Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf
sudo cat /etc/tinc/powercraft01/tinc.conf
# World-readable is fine here: tinc.conf holds no secrets. Keep rsa_key.priv
# (generated with -K below) readable by root only.
sudo chmod 644 /etc/tinc/powercraft01/tinc.conf
ls -hal /etc/tinc/powercraft01/tinc.conf
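# tinc-up is run by tincd when the tunnel device comes up: bring the interface
# up without an address (dhclient assigns one later through the tun1 stanza in
# /etc/network/interfaces). Single quotes are deliberate so $INTERFACE is
# written literally and expanded by tincd at run time.
# Uses 'sudo tee' like every other file written into this directory; the
# original line lacked sudo and fails unless the shell is already root.
echo '#!/bin/sh
ifconfig $INTERFACE 0.0.0.0' | sudo tee /etc/tinc/powercraft01/tinc-up
sudo cat /etc/tinc/powercraft01/tinc-up
# Must be executable for tincd to run it.
sudo chmod 755 /etc/tinc/powercraft01/tinc-up
ls -hal /etc/tinc/powercraft01/tinc-up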
# hosts/server01-up is run by tincd once the connection to server01 is
# established. It brings tun1 up via ifup (which starts the DHCP client from
# /etc/network/interfaces); backgrounded presumably so the DHCP exchange does
# not block tincd — confirm. The commented 'hw ether' line is an alternative
# to the pre-up rule used in /etc/network/interfaces below.
echo '#!/bin/sh
# ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec
ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up
sudo cat /etc/tinc/powercraft01/hosts/server01-up
# Must be executable for tincd to run it.
sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up
ls -hal /etc/tinc/powercraft01/hosts/server01-up
# tinc-down is the counterpart of tinc-up: run by tincd when the tunnel is
# torn down, it takes the interface down again.
echo '#!/bin/sh
ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down
sudo cat /etc/tinc/powercraft01/tinc-down
# Must be executable for tincd to run it.
sudo chmod 755 /etc/tinc/powercraft01/tinc-down
ls -hal /etc/tinc/powercraft01/tinc-down
# hosts/server01-down is the counterpart of server01-up: when the connection
# to server01 drops, ifdown releases the DHCP lease and deconfigures tun1.
echo '#!/bin/sh
ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down
sudo cat /etc/tinc/powercraft01/hosts/server01-down
# Must be executable for tincd to run it.
sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down
ls -hal /etc/tinc/powercraft01/hosts/server01-down
#-----------------------------------------------------------------------
# Generate a fresh RSA key pair for this node. The old private key is removed
# first (presumably so -K does not prompt about overwriting — confirm), along
# with a stale host file left from an earlier name. -K writes the public key
# into hosts/client01, which is then copied to the server (see below).
# rsa_key.priv is this node's identity: keep it readable by root only and
# never copy it to another host.
sudo rm /etc/tinc/powercraft01/rsa_key.priv
sudo rm /etc/tinc/powercraft01/hosts/client10
sudo tincd -n powercraft01 -K
#-----------------------------------------------------------------------
# on client, add at the head of the file
# Prepend this node's own options to its host file (the settings follow; they
# are file contents, not commands). Compression = 9 is what the syslog node
# dump further down reports for this link.
sudo vim /etc/tinc/powercraft01/hosts/client01
Compression = 9
PMTU = 1492
PMTUDiscovery = yes
Port = 656
# Cipher = aes-128-cbc
# on client
# Print the finished client host file (options plus the public key from -K)...
sudo cat /etc/tinc/powercraft01/hosts/client01
# on server, copy cert data of client to server
# ...and paste it into the same path on the server so it can authenticate us.
vim /etc/tinc/powercraft01/hosts/client01
#-----------------------------------------------------------------------
# watch out: when using multiple dhcp clients there can be conflicts
# Append a per-interface dhclient stanza for tun1 limiting what is requested.
# Note: no 'router' in the request list, and the interfaces stanza below also
# deletes any default route on tun1 — together this keeps the default route on
# eth0, which is the conflict the comment above refers to (as far as can be
# seen here). The append runs as the current user, so this step needs root.
echo 'interface "tun1" {
request subnet-mask, broadcast-address, time-offset,
host-name, netbios-scope, interface-mtu, ntp-servers;
}' | tee --append /etc/dhcp3/dhclient.conf
cat /etc/dhcp3/dhclient.conf
#-----------------------------------------------------------------------
# Add the tun1 stanza shown below. pre-up pins a fixed MAC (presumably so the
# DHCP lease stays stable across restarts — confirm); post-up removes any
# default route learnt via tun1, matching the route table captured further
# down where the default stays on eth0. '|| true' keeps ifup from aborting
# when a step has nothing to do.
vim /etc/network/interfaces
iface tun1 inet dhcp
pre-up ifconfig tun1 down || true
pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true
post-up route del default dev tun1 || true
# pre-down /etc/init.d/munin-node stop || true
# post-up /etc/init.d/munin-node restart || true
# optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true
# optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true
# optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
# optional # pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
#-----------------------------------------------------------------------
# Bring tun1 down to pick up the new stanza; run twice presumably because the
# first pass does not clear all state — confirm.
ifdown tun1; ifdown tun1
#-----------------------------------------------------------------------
# Troubleshooting run: stop the packaged daemon, resume any suspended job
# (fg only matters if a previous foreground tincd was stopped with ^Z), then
# run tincd in the foreground at debug level 5 to watch the handshake.
sudo /etc/init.d/tinc stop
fg
sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5
#-----------------------------------------------------------------------
# Once the foreground test works, start the daemon the normal way.
sudo /etc/init.d/tinc start
#-----------------------------------------------------------------------
# tincd --version
tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17)
#-----------------------------------------------------------------------
# -kUSR2 sends SIGUSR2 to the running daemon, which dumps its statistics,
# node, edge and subnet tables to syslog — the lines captured below.
tincd -n powercraft01 -kUSR2
tail -n 100 /var/log/syslog
#-----------------------------------------------------------------------
May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes in: 830
May 24 19:43:59 roxy tinc.powercraft01[5104]: total bytes out: 914
May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes:
May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518)
May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416)
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes.
May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges:
May 24 19:43:59 roxy tinc.powercraft01[5104]: client01 to server01 at 84.245.3.195 port 656 options c weight 413
May 24 19:43:59 roxy tinc.powercraft01[5104]: server01 to client01 at 84.245.9.246 port 655 options c weight 413
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges.
May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list:
May 24 19:43:59 roxy tinc.powercraft01[5104]: 0:1b:21:61:af:d7#10 owner server01
May 24 19:43:59 roxy tinc.powercraft01[5104]: 56:fc:c2:fd:69:10#10 owner server01
May 24 19:43:59 roxy tinc.powercraft01[5104]: ea:3:e7:3d:46:20#10 owner client01
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list.
#-----------------------------------------------------------------------
# ifconfig -a
# Verify the tunnel interface got its DHCP address and that the routing table
# gained only the 192.168.3.0/24 route on tun1 (default still via eth0).
ifconfig tun1
route -n
#-----------------------------------------------------------------------
# ifconfig tun1
tun1 Link encap:Ethernet HWaddr ea:03:e7:3d:46:20
inet addr:192.168.3.201 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:9342 (9.1 KiB) TX bytes:9088 (8.8 KiB)
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
84.245.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
0.0.0.0 84.245.9.1 0.0.0.0 UG 0 0 0 eth0
#-----------------------------------------------------------------------
# Reachability across the tunnel, then an oversize probe: 1500 bytes of
# payload exceeds both the tun1 MTU and the link pmtu reported in the node
# dump, and -M dont leaves DF unset so the packet may be fragmented rather
# than dropped.
ping -c 2 192.168.3.1
ping -c 2 -M dont -s 1500 192.168.3.1
#-----------------------------------------------------------------------
# Confirm which process holds the tinc ports (655 from /etc/services, 656 set
# via Port = 656 in the host file).
lsof -i :655
lsof -i :656
#-----------------------------------------------------------------------
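# Accept forwarding between the VPN interface and the local network, in both
# directions. VPN01 and LAN01 must already be set (e.g. VPN01=tun1 LAN01=eth0,
# constructed example); an unset one would leave an iptables option without
# its argument, so fail early with a clear message instead.
# NB: these accepts are stateless in both directions. A stricter variant keeps
# the VPN->LAN accept and limits LAN->VPN to ESTABLISHED,RELATED.
: "${VPN01:?set VPN01 to the tinc interface name}"
: "${LAN01:?set LAN01 to the LAN interface name}"
/sbin/iptables --append FORWARD --in-interface "${VPN01}" --out-interface "${LAN01}" --jump ACCEPT
/sbin/iptables --append FORWARD --in-interface "${LAN01}" --out-interface "${VPN01}" --jump ACCEPT
# Masquerade traffic leaving via the VPN so the other side sees one source IP
# for everything forwarded from this host.
/sbin/iptables --table nat --append POSTROUTING --out-interface "${VPN01}" --jump MASQUERADE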
#-----------------------------------------------------------------------