- 10.0.0.0/8
- fd00::/8
-Make sure the [IP range](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
-you are choosing is large enough for all the nodes you want to add to the VPN,
-and also consider that some of these private address ranges might also be used
-on local area networks, so check in advance that you won't conflict with any
-range that is already in use by any of the participants. When in doubt, just
-pick one and try it out. For this quickstart guide, we will use 172.16.0.0/16
-as the range of the VPN.
+Make sure the [IP range](https://en.wikipedia.org/wiki/CIDR) you are choosing is
+large enough for all the nodes you want to add to the VPN, and also consider
+that some of these private address ranges might also be used on local area
+networks, so check in advance that you won't conflict with any range that is
+already in use by any of the participants. When in doubt, just pick one and try
+it out. For this quickstart guide, we will use 172.16.0.0/16 as the range of the
+VPN.
Also think of a name for your whole VPN. This will be used as the "netname"
parameter for tinc, and on Linux this will then also automatically be used as
contain letters, numbers and underscores. Apart from that you can choose
whatever you want. Now we can create the first node:
-```
+```sh
sudo tinc -n myvpn init first
```
This creates the initial configuration for the node, but has not started tinc
yet. Before we do that, two things have to be done first. We have to tell tinc
-which part of the IP range of the VPN belongs to *this* particular node. We
-will use 172.168.1.0/24 for this example. We then have to give this command:
+which part of the IP range of the VPN belongs to *this* particular node. We will
+use 172.168.1.0/24 for this example. We then have to give this command:
-```
+```sh
sudo tinc -n myvpn add Subnet 172.168.1.0/24
```
However, tinc itself will not actually configure the virtual network interface
-for you. You have to create a script named `tinc-up` that does this. To do
-this, run the command:
+for you. You have to create a script named `tinc-up` that does this. To do this,
+run the command:
-```
+```sh
sudo tinc -n myvpn edit tinc-up
```
-This should start an editor. When you ran the `init` command, a dummy script
-was already created. Edit it to make sure it looks like this:
+This should start an editor. When you ran the `init` command, a dummy script was
+already created. Edit it to make sure it looks like this:
-```
+```sh
#!/bin/sh
ifconfig $INTERFACE 172.168.1.1/16
```
Note that the literal text `$INTERFACE` should be in the script, tinc will make
sure that environment variable is set correctly when the script is run. The
-address should be that of the node itself, but the netmask or prefix length
-(the `/16` in this case) you provide must be that of the *whole* VPN. This
-tells the kernel that everything for the VPN's IP range should go to tinc's
-virtual network interface, from then on tinc will handle it and route it to the
-right node based on the `Subnet`s that you configured.
+address should be that of the node itself, but the netmask or prefix length (the
+`/16` in this case) you provide must be that of the *whole* VPN. This tells the
+kernel that everything for the VPN's IP range should go to tinc's virtual
+network interface, from then on tinc will handle it and route it to the right
+node based on the `Subnet`s that you configured.
To start tinc run:
-```
+```sh
sudo tinc -n myvpn start
```
This will start running tinc in the background. You can also run it in the
foreground with debugging enabled using this command:
-```
+```sh
sudo tinc -n myvpn start -d5 -D
```
One way to do it is to create a second node just like you created the first
node. Just make sure it has a different name (let's call it "second"), and that
-it gets a different IP range for itself (let's use 172.168.2.0/24). So on the second node run:
+it gets a different IP range for itself (let's use 172.168.2.0/24). So on the
+second node run:
-```
+```sh
sudo tinc -n myvpn init second
sudo tinc -n myvpn add Subnet 172.168.2.0/24
sudo tinc -n myvpn edit tinc-up
And make sure the second node's tinc up contains:
-```
+```sh
#!/bin/sh
ifconfig $INTERFACE 172.168.2.1/16
```
have a public IP address. Let's assume the first node has public IP address
93.184.216.34. You would then give this command on the first node:
-```
+```sh
sudo tinc -n myvpn add Address 93.184.216.34
```
Note that if you have a public domain name, you can also use that domain name
instead of a numeric IP address. Now run the following on the first node:
-```
+```sh
sudo tinc -n myvpn export
```
-This outputs a small amount of text that contains the node's public keys and
-the public address. On the second node, run this:
+This outputs a small amount of text that contains the node's public keys and the
+public address. On the second node, run this:
-```
+```sh
sudo tinc -n myvpn import
```
And copy&paste the output from the first node, then press ctrl-D on a new line.
-If done correctly it should tell you that it has imported the host
-configuration file. Now you have to do the same but in the other direction: use
-the `export` command on the second node, and then use `import` on the first
-node. Now that both nodes know each other, they should be able to connect. This
-should happen automatically after a while.
+If done correctly it should tell you that it has imported the host configuration
+file. Now you have to do the same but in the other direction: use the `export`
+command on the second node, and then use `import` on the first node. Now that
+both nodes know each other, they should be able to connect. This should happen
+automatically after a while.
Note that instead of copy&pasting the text manually, you could also redirect it
-to a text file, send it via email, pipe it through an SSH connection, or use
-any other way to exchange the host config files. For more information, see the
+to a text file, send it via email, pipe it through an SSH connection, or use any
+other way to exchange the host config files. For more information, see the
[manual](https://www.tinc-vpn.org/documentation-1.1/How-to-configure.html).
## Using invitations
Another way to add more nodes is to have an existing node generate an
-[invitation](https://www.tinc-vpn.org/documentation-1.1/Invitations.html)
-for another node. A prerequisite is that the node generating the invitation
-should have a public IP address to the invitee will be able to connect to it.
-Again, let's assume the first node has public IP address 93.184.216.34:
+[invitation](https://www.tinc-vpn.org/documentation-1.1/Invitations.html) for
+another node. A prerequisite is that the node generating the invitation should
+have a public IP address to the invitee will be able to connect to it. Again,
+let's assume the first node has public IP address 93.184.216.34:
-```
+```sh
sudo tinc -n myvpn add Address 93.184.216.34
```
Then on the first node, generate in invitation for the second node:
-```
+```sh
sudo tinc -n myvpn invite second
```
On the second node, don't using `init` to create the initial configuration.
Instead, run the following command:
-```
+```sh
sudo tinc -n myvpn join 93.184.216.34:655/R4BU9VMzdY4S_EIuAhW1-B0XV50HqooyEv6EUfl4k6Z9_zrq
```
asking tinc the status of a given node. So for example, on the first node, you
can run:
-```
+```sh
sudo tinc -n myvpn info second
```
You can also dump a list of connections:
-```
+```sh
sudo tinc -n myvpn dump connections
```
-Or `dump nodes` to get a list of known nodes, `dump subnets` to see all
-subnets. If you ran tinc in the background, you can get still get log output
-like so:
+Or `dump nodes` to get a list of known nodes, `dump subnets` to see all subnets.
+If you ran tinc in the background, you can get still get log output like so:
-```
+```sh
sudo tinc -n myvpn log 5
```
-Finally, if the problem is not with tinc, using `tcpdump` to look at the
-traffic on your real and virtual interfaces might help determine what the
-problem is.
+Finally, if the problem is not with tinc, using `tcpdump` to look at the traffic
+on your real and virtual interfaces might help determine what the problem is.
projects / tinc / blobdiff