Sunday 28 October 2012

How to install and configure Tinc-VPN on Linux

tinc is an open-source VPN software with a number of powerful features not found in other VPN solutions.  For example, tinc allows peers behind NAT to communicate with one another via VPN directly, not through a third party.  Other features include full IPv6 support and path MTU discovery.

In this tinc example, I will show you how to set up a VPN connection between two hosts via tinc. Let's call these hosts "alice" and "bob" respectively. Note that these are just symbolic names used by tinc, not necessarily hostnames. In this example, I assume that host "bob" will initiate a VPN connection to host "alice".

First, install tinc on both hosts:

On a CentOS system:

$ wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
$ rpm -ivh rpmforge-release-0.5.2-2.el5.rf.i386.rpm
$ yum install tinc -y

On a Debian/Ubuntu system:
$ apt-get install tinc


Now, let's go ahead and configure tinc VPN on both hosts as follows.

On host "alice", do the following.

First, create the configuration directory and the main configuration file, tinc.conf, together with alice's host file:
$ mkdir -p /etc/tinc/myvpn/hosts
$ vi /etc/tinc/myvpn/tinc.conf
Name = alice
AddressFamily = ipv4
Interface = tun0
$ vi /etc/tinc/myvpn/hosts/alice
Address = 1.2.3.4      # globally reachable IP address of alice
Subnet = 10.0.0.1/32   # VPN IP address to be assigned to alice

In the above tinc.conf example, "myvpn" is the name of the VPN network to be established between alice and bob. You can choose your own name.

Next, generate public/private keys:
$ tincd -n myvpn -K4096

The above command will generate 4096-bit public/private keys for host "alice". The private key will be stored as /etc/tinc/myvpn/rsa_key.priv, and the public key will be located in /etc/tinc/myvpn/hosts/alice.

Next, configure the scripts that tinc runs right after the daemon has started (tinc-up) and right before it terminates (tinc-down):
$ vi /etc/tinc/myvpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0
$ vi /etc/tinc/myvpn/tinc-down
#!/bin/sh
ifconfig $INTERFACE down
$ chmod 755 /etc/tinc/myvpn/tinc-*


Similar to host "alice", configure tinc on host "bob" as follows.
$ mkdir -p /etc/tinc/myvpn/hosts
$ vi /etc/tinc/myvpn/tinc.conf
Name = bob
AddressFamily = ipv4
ConnectTo = alice
Interface = tun0

In the above, note that unlike host "alice", we put a "ConnectTo" field in bob's tinc configuration, since host "bob" will initiate the VPN connection to host "alice" when its tinc daemon comes up.
$ vi /etc/tinc/myvpn/hosts/bob
Subnet = 10.0.0.2/32   # VPN IP address to be assigned to bob
$ tincd -n myvpn -K4096

Similarly, bob's private key will be stored as /etc/tinc/myvpn/rsa_key.priv, and its public key will be appended to /etc/tinc/myvpn/hosts/bob.
$ scp /etc/tinc/myvpn/hosts/bob alice:/etc/tinc/myvpn/hosts/
$ vi /etc/tinc/myvpn/tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0
$ vi /etc/tinc/myvpn/tinc-down
#!/bin/sh
ifconfig $INTERFACE down
$ chmod 755 /etc/tinc/myvpn/tinc-*


Once you are done with configuring tinc on all hosts as above, copy each host's public key file onto the other host:
On host "alice": scp /etc/tinc/myvpn/hosts/alice bob:/etc/tinc/myvpn/hosts/
On host "bob": scp /etc/tinc/myvpn/hosts/bob alice:/etc/tinc/myvpn/hosts/

Finally, start the tinc daemon on both hosts as follows.  Since host "bob" initiates the VPN connection, start the tinc daemon on host "alice" first.
$ tincd --config /etc/tinc/myvpn

The two hosts should now be able to talk to each other over the VPN.

from  http://xmodulo.blogspot.co.uk/2012/05/how-to-install-and-configure-tinc-vpn.html

related post:  http://briteming.blogspot.co.uk/2011/11/tinc-vpn.html
----------------------------------------------------------
Speaking of unusual VPNs, Tinc has always seemed interesting, but unfortunately no setup tutorial turns up in Chinese searches, and the foreign one I found (http://xmodulo.blogspot.com/2012/05/how-to-install-and-configure-tinc-vpn.html) I don't really understand either. Could some expert write, based on the official documentation, a tutorial on setting up the server side on Linux and using Tinc VPN on Windows? This Tinc VPN supports IPv6, has Windows and Android clients, and Mac, Linux, BSD and iOS are supported as well.

Tinc-VPN official site: http://www.tinc-vpn.org/

Android client download: https://play.google.com/store/apps/details?id=org.poirsouille.tinc_gui

Two more projects are also worth a look: https://github.com/ptrhere/tincie (said to provide a VPN without a tun device) and https://github.com/geniedb/tinc-tailor (simplifies tinc vpn).
---------------------
Setting up tinc vpn

There are many ways to build a VPN: ppp, openvpn, ipsec and so on; tinc is another one. Why use it?
I had always used openvpn and ppp before, but openvpn has one problem: client IPs are not contiguous. Simply put, if the server IP is 192.168.0.1 and the first client is 192.168.0.2, the second client cannot be 192.168.0.3, because each client takes up a pair of IPs. On top of that, running ifconfig to look at the interface shows an unbelievably ugly MAC address that I just cannot accept: HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00, and assigning fixed IPs is a hassle too, since a file has to be written for it.
ppp is even worse: the link is simply not controllable and drops all the time. After comparing them, tinc is the most flexible: the IPs are all under your control, static routes can be managed by scripts as well, and there is an iPhone client.
OK, download tinc, then compile and install it:
wget http://www.rendoumi.com/soft/tinc-1.0.26.tar.gz  
tar -xf tinc-1.0.26.tar.gz  
cd tinc-1.0.26  
./configure 
make  
make install  
Note that no prefix was given to configure above, so the default configuration directory is /etc/tinc.
Our network architecture: the awkward part is that there is a firewall in front of the server which does port mapping, so the port opened on the firewall differs from the port the server listens on:

The layout of tinc's configuration files is shown in the figure below. interface_name is the name of the extra VPN interface that appears in the system once the VPN is up; here we call it dock. The hosts directory holds the configuration of the server and of every client:

Our interface is dock, the two clients are client01 and client02, and the server is dockserver, so the directory structure looks like this:

All of the files below must be created by hand!!!
1. Server-side configuration files, to be edited manually:
/etc/tinc/dock/tinc.conf
Name=dockserver  
Interface=dock  
Mode=switch  
TCPOnly=yes  
Port=12345  
PrivateKeyFile=/etc/tinc/dock/rsa_key.priv  
Note: Port=12345 above is the port 12345 that the server listens on locally, on the internal network.
/etc/tinc/dock/hosts/dockserver
Compression=9  
Subnet=192.168.0.1/32  
Address=114.22.31.77  
Port=54321  
Note: Subnet is the VPN address. Address and Port must be the public IP and port that the firewall maps to the server.
/etc/tinc/dock/tinc-up, permissions 755, must be executable
#!/bin/sh
ifconfig $INTERFACE 192.168.0.1 netmask 255.255.255.0  
/etc/tinc/dock/tinc-down, permissions also 755
#!/bin/sh 
ifconfig $INTERFACE down  
Once all of these are in place, run:
tincd -n dock -K  
This automatically generates the server's private key file (/etc/tinc/dock/rsa_key.priv) and appends the public key to the host file (/etc/tinc/dock/hosts/dockserver); the server is now configured.
2. Client configuration, also edited manually:
Install tinc in the same way; note that a Windows client is available.
/etc/tinc/dock/tinc.conf
Name=client01  
ConnectTo=dockserver  
Interface=dock
Mode=switch  
TCPOnly=yes  
PrivateKeyFile=/etc/tinc/dock/rsa_key.priv  
Note the differences from the server configuration above: there is no Port= line (the client listens on the default port 655), and there is an extra ConnectTo line pointing at the server.
/etc/tinc/dock/hosts/client01
Compression=9  
Subnet=192.168.0.2/32  
Note: Subnet is the client's address once the VPN is established.
Copy the server's dockserver file into /etc/tinc/dock/hosts on the client and adjust it:
/etc/tinc/dock/hosts/dockserver
Compression=9  
Subnet=192.168.0.1/32  
Address=114.22.31.77  
Port=54321  
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAnrPrxnmSfx1OHkK5k+cxPCv+VFXJvYkVuOQIBibWlAMnQR4L9+qe  
xM/c5avNWtTvRRXSYlN2vV6ibbzpWgZN1EiTDNEC00hkGexiXBPoT/KHQ5Hnc/4i  
ZzQ6gyn0dVJ7zwu7c/vzkey0cTrW10jAKuyBzZzAweNKjh8oMJe8V92zQgQ+kBCA  
tbczZ3G26WwbT1QsBM37LPb6Bqivn0Hj2QN0jsOB1f+dpqYZ4bOMcXbQlMHz+fN7  
ZmrMe3ro/qXP3eEZBclnqtx44orCYWfRhWCD58LMIETTpX4thHwdYKsUg1J4EkaE  
NRCYH11rqhrlbK/VPXQbcc9sAdANWulD0QIDAQAB  
-----END RSA PUBLIC KEY-----
Note: the generated public key has been appended at the end of the file; on the client, Port must be set to the port on the server's public IP, port=54321.
/etc/tinc/dock/tinc-up, permissions 755
#!/bin/sh
ifconfig $INTERFACE 192.168.0.2 netmask 255.255.255.0  
/etc/tinc/dock/tinc-down, permissions 755
#!/bin/sh 
ifconfig $INTERFACE down  
Once all of these are in place, run
tincd -n dock -K  
This automatically generates the client's private key and appends its public key to the host file; the client is now configured.
Likewise, copy the client01 file containing the public key to /etc/tinc/dock/hosts/client01 on the server.
3. Running and debugging
Run on both the server and the client:
tincd -n dock  
Check that the process is running normally. On the server you should see an extra dock interface with IP 192.168.0.1:
dock      Link encap:Ethernet  HWaddr 4A:20:E7:17:82:F9  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::4820:e7ff:fe17:82f9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1361 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1292 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:561551 (548.3 KiB)  TX bytes:96678 (94.4 KiB)
To debug, run it in the foreground so the debug output is visible:
tincd -n dock -D -d 5  
Run ifconfig on the client as well; if a dock interface with IP 192.168.0.2 has come up, the setup has succeeded.
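An added checker for the hosts/ files used in both walkthroughs above (alice/bob and dockserver/client01); it is example code written for this page, not part of either tutorial or of tinc itself. It parses tinc's "Variable = Value" format, derives a SHA-256 fingerprint of the public-key block that tincd -K appends (so the copy that arrived by scp can be compared with the fingerprint read out on the originating host before the daemon is started), and flags a missing key block, overlapping Subnet values, and a ConnectTo target whose host file carries no Address. SAMPLE_HOSTS and the key bytes inside it are constructed placeholders, not real tinc keys.

```python
import base64, hashlib, ipaddress, re

# The block that "tincd -n <net> -K" appends to hosts/<Name> (PKCS#1 "RSA PUBLIC KEY", as shown on this page).
KEY_RE = re.compile(r"-----BEGIN RSA PUBLIC KEY-----\n(.*?)-----END RSA PUBLIC KEY-----", re.S)

def parse_tinc_file(text):
    """Parse tinc's 'Variable = Value' lines (tinc.conf and hosts/*); variable names are case-insensitive."""
    opts = {}
    for line in KEY_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()  # tinc treats '#' as a comment marker
        if "=" in line:
            name, value = line.split("=", 1)
            opts[name.strip().lower()] = value.strip()
    return opts

def key_fingerprint(text):
    """SHA-256 hex digest of the DER bytes inside the key block, or None when no block is present."""
    match = KEY_RE.search(text)
    if not match:
        return None
    return hashlib.sha256(base64.b64decode("".join(match.group(1).split()))).hexdigest()

def check_hosts(hosts, connect_to=()):
    """hosts maps Name -> contents of hosts/<Name>. Returns the problems to fix before starting tincd."""
    problems, seen = [], {}
    for name, text in hosts.items():
        opts = parse_tinc_file(text)
        if key_fingerprint(text) is None:
            problems.append(f"{name}: no RSA public key block (copy the file generated by tincd -K)")
        if "subnet" not in opts:
            problems.append(f"{name}: no Subnet")
            continue
        net = ipaddress.ip_network(opts["subnet"], strict=False)  # every node needs its own /32 on the VPN
        problems += [f"{name}: Subnet {net} overlaps {other} ({onet})" for other, onet in seen.items() if net.overlaps(onet)]
        seen[name] = net
    for target in connect_to:  # a ConnectTo target must be dialable, i.e. carry an Address (and Port)
        if target not in hosts:
            problems.append(f"ConnectTo = {target}: hosts/{target} is missing")
        elif "address" not in parse_tinc_file(hosts[target]):
            problems.append(f"ConnectTo = {target}: hosts/{target} has no Address, so it cannot be dialled")
    return problems

def _key_block(seed):  # constructed placeholder key material for the demo, not a real RSA key
    return "-----BEGIN RSA PUBLIC KEY-----\n" + base64.b64encode(seed).decode() + "\n-----END RSA PUBLIC KEY-----\n"

SAMPLE_HOSTS = {  # constructed after the dockserver/client01 files above; client02 is deliberately broken
    "dockserver": "Compression=9\nSubnet=192.168.0.1/32\nAddress=114.22.31.77\nPort=54321\n" + _key_block(b"server"),
    "client01": "Compression=9\nSubnet=192.168.0.2/32\n" + _key_block(b"client01"),
    "client02": "Compression=9\nSubnet=192.168.0.2/32\n",  # reuses client01's VPN address and has no key yet
}
```

Calling check_hosts(SAMPLE_HOSTS, ["dockserver"]) reports the two mistakes in client02; on a real node, read each file under /etc/tinc/<net>/hosts/ into the dict instead.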
------------
Related posts:
http://briteming.blogspot.com/2013/09/tinc-vpnlibrevpn.html
http://briteming.blogspot.com/2015/04/p2p-vpn_16.html
http://briteming.blogspot.com/2011/11/tinc-vpn.html