
Saturday, 10 November 2018

Setting up a tinc VPN between macOS and Linux

I had long heard that tinc is a well-thought-out design, so I tried building a VPN network with it myself. Here the macOS machine has no fixed IP address, while the Linux machine has a fixed IP address, linux_ip. Assume the network is named example; the macOS node is named macos with address 192.168.0.2, and the Linux node is named linux with address 192.168.0.1.
Configuration on macOS:
brew install tinc
mkdir -p /usr/local/etc/tinc/example/hosts
Create /usr/local/etc/tinc/example/tinc.conf:
Name = macos
# use an unused utun number (tinc reads the whole rest of the line as the value, so keep comments on their own line)
Device = utun0
ConnectTo = linux
Edit /usr/local/etc/tinc/example/tinc-up:
#!/bin/sh
ifconfig $INTERFACE 192.168.0.2 192.168.0.1 mtu 1500 netmask 255.255.255.255
and /usr/local/etc/tinc/example/tinc-down:
#!/bin/sh
ifconfig $INTERFACE down
plus /usr/local/etc/tinc/example/subnet-up:
#!/bin/sh
[ "$NAME" = "$NODE" ] && exit 0
/usr/local/opt/iproute2mac/bin/ip route add $SUBNET dev $INTERFACE
and /usr/local/etc/tinc/example/subnet-down:
#!/bin/sh
[ "$NAME" = "$NODE" ] && exit 0
/usr/local/opt/iproute2mac/bin/ip route del $SUBNET dev $INTERFACE
Then make them all executable:
chmod 755 tinc-up
chmod 755 tinc-down
chmod 755 subnet-up
chmod 755 subnet-down
Edit /usr/local/etc/tinc/example/hosts/macos (the host file that tincd -K appends the public key to, and that is later copied to the Linux node):
Port = 655
# only this node's own address; the Linux side advertises the whole /24
Subnet = 192.168.0.2/32
Run tincd -n example -K to generate the key pair.
Then on the Linux machine, edit the following files:
$ mkdir -p /etc/tinc/example/hosts
$ cat /etc/tinc/example/tinc.conf
Name = linux
$ cat /etc/tinc/example/tinc-up
#!/bin/sh
ip link set $INTERFACE up
ip addr add 192.168.0.1/24 dev $INTERFACE
$ cat /etc/tinc/example/tinc-down
#!/bin/sh
ip addr del 192.168.0.1/24 dev $INTERFACE
ip link set $INTERFACE down
$ cat /etc/tinc/example/hosts/linux
Address = linux_ip
Port = 655
Subnet = 192.168.0.1/24
$ tincd -n example -K
Next, copy /etc/tinc/example/hosts/linux from the linux node to /usr/local/etc/tinc/example/hosts/linux on macos, and copy /usr/local/etc/tinc/example/hosts/macos from macos to /etc/tinc/example/hosts/macos on linux. Run tincd -n example -D -d3 on both machines to watch the connection being established, and verify the link with ping.
2018-05-29 Update: On Android, tinc can also be run via Tinc GUI, though the configuration differs somewhat:
$ cat tinc.conf
Name = example
Device = /dev/tun
Mode = switch
ConnectTo = remote
ScriptsInterpreter = /system/bin/sh
$ cat tinc-up
#!/bin/sh
ip link set $INTERFACE up
ip addr add local_ip/24 dev $INTERFACE
$ cat tinc-down
#!/bin/sh
ip addr del local_ip/24 dev $INTERFACE
ip link set $INTERFACE down
$ cat subnet-up
#!/bin/bash
[ "$NAME" = "$NODE" ] && exit 0
ip route add $SUBNET dev $INTERFACE metric $WEIGHT table local
$ cat subnet-down
#!/bin/bash
[ "$NAME" = "$NODE" ] && exit 0
ip route del $SUBNET dev $INTERFACE table local
Note the use of table local. Root access is required.
-----------------------------------------------------------------------------------------------

Step by step guide to setup tinc VPN

Tinc is peer-to-peer VPN software for creating mesh networks. (https://www.tinc-vpn.org)

In this guide, I will show how to set up an Azure VPS acting as a server named tiger, and a local client named howard.

Server installation

  1. sudo apt install tinc

  2. sudo vi /etc/sysctl.conf

Uncomment: net.ipv4.ip_forward=1

  3. sudo sysctl -p

  4. cd /etc/tinc

  5. sudo mkdir -p tiger/hosts

  6. cd tiger

  7. sudo vi tinc.conf

Write the following content.

Name = tiger
AddressFamily = ipv4
Interface = tun0

  8. sudo vi tinc-up

Write the following content.

#!/bin/sh
ip link set $INTERFACE up
ip addr add 192.168.60.1/24 dev $INTERFACE
iptables -A POSTROUTING -t nat -s 192.168.60.0/24 -j MASQUERADE -o eth0

  9. sudo chmod +x tinc-up
  10. sudo vi tinc-down

Write the following content.

#!/bin/sh
ip link set $INTERFACE down
iptables -D POSTROUTING -t nat -s 192.168.60.0/24 -j MASQUERADE -o eth0

  11. sudo chmod +x tinc-down
  12. cd hosts
  13. sudo vi tiger

Write the following content. Replace <server-public-ip> with the server's public IP address.

Address = <server-public-ip>
Port = 443
Subnet = 0.0.0.0/0

  14. sudo tincd -n tiger -K4096
  15. sudo vi /etc/tinc/nets.boot

Append a new line:

tiger

  16. sudo systemctl enable tinc@tiger
  17. sudo systemctl start tinc@tiger

Client installation

  1. sudo apt install tinc
  2. cd /etc/tinc
  3. sudo mkdir -p howard/hosts
  4. cd howard
  5. sudo vi tinc.conf

Write the following content.

Name = howard
AddressFamily = ipv4
Interface = tun0
ConnectTo = tiger

  6. sudo vi tinc-up

Write the following content. Replace <server-public-ip> with the server's public IP address.

#!/bin/sh
ip link set $INTERFACE up
ip addr add 192.168.60.2/24 dev $INTERFACE
ip route add 192.168.60.254/24 dev $INTERFACE

VPN_GATEWAY=192.168.60.1
REMOTEADDRESS=<server-public-ip>
ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`

ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY
ip route add $VPN_GATEWAY dev $INTERFACE
ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE

  7. sudo chmod +x tinc-up
  8. sudo vi tinc-down

Write the following content. Replace <server-public-ip> with the server's public IP address.

#!/bin/sh
ip link set $INTERFACE down

VPN_GATEWAY=192.168.60.1
ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
REMOTEADDRESS=<server-public-ip>

ip route del $REMOTEADDRESS $ORIGINAL_GATEWAY
ip route del $VPN_GATEWAY dev $INTERFACE
ip route del 0.0.0.0/1 dev $INTERFACE
ip route del 128.0.0.0/1 dev $INTERFACE
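The client scripts above compute ORIGINAL_GATEWAY by cutting a fixed field range out of the default route and then run the route changes blind. The following shell example, added here and not part of the bigpipe guide, picks the gateway out of the default-route line by keyword (so a default route without a via, or with extra attributes such as proto and metric, still parses) and prints the same full-tunnel route plan for either direction so it can be reviewed before tinc-up is run for real; the function names default_gateway_args and plan_routes and the sample route line are assumed and constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the bigpipe project: dry-run the full-tunnel
# route plan used by the client's tinc-up/tinc-down. Assumed names:
# default_gateway_args, plan_routes; SAMPLE_DEFAULT is a constructed input.

VPN_GATEWAY=192.168.60.1   # tinc address of the server, as in the guide

# Print "via <gw> dev <if>" (or just "dev <if>") taken from one default-route
# line, ignoring whatever else the line carries. Prints nothing otherwise.
default_gateway_args() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i == "via" || $i == "dev") { out = out $i " " $(i+1) " "; i++ }
            sub(/ $/, "", out); print out
        }'
}

# Print the ip route commands for tinc-up ($1 = add) or tinc-down ($1 = del).
# $2 = tinc interface, $3 = server public IP, $4 = the default-route line
plan_routes() {
    action=$1; iface=$2; server=$3; gw_args=$(default_gateway_args "$4")
    [ -n "$gw_args" ] || { echo "no default route in: $4" >&2; return 1; }
    # Pin the tinc session to the old gateway so it never loops into the tunnel.
    echo "ip route $action $server $gw_args"
    echo "ip route $action $VPN_GATEWAY dev $iface"
    # Two /1 routes are more specific than the /0 default, so it stays untouched.
    echo "ip route $action 0.0.0.0/1 via $VPN_GATEWAY dev $iface"
    echo "ip route $action 128.0.0.0/1 via $VPN_GATEWAY dev $iface"
}

# Constructed sample of a DHCP-installed default route as "ip route show" prints it.
SAMPLE_DEFAULT='default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.5 metric 100'
plan_routes add tun0 203.0.113.10 "$SAMPLE_DEFAULT"
```

On a live host replace SAMPLE_DEFAULT with `$(ip route show default | head -n 1)` and pipe the output into sh once the plan looks right.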

  9. sudo chmod +x tinc-down
  10. cd hosts
  11. sudo vi howard

Write the following content.

Subnet = 192.168.60.2/32

  12. sudo tincd -n howard -K4096

  13. Exchange host files.

Copy the file tiger from the folder /etc/tinc/tiger/hosts on the server to the folder /etc/tinc/howard/hosts on the client.
Copy the file howard from the folder /etc/tinc/howard/hosts on the client to the folder /etc/tinc/tiger/hosts on the server.
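Both this exchange step and the macOS/Linux copy step in the first post fail silently when a host file is copied before tincd -K has appended the public key, or when two nodes advertise the same Subnet. The following shell check, added here and not code from either post or from tinc, scans a hosts/ directory for those two mistakes plus a missing Subnet line; the function names check_hosts_dir and make_sample_hosts and the sample files are assumed and constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original posts: sanity-check a tinc hosts/
# directory after the host files have been exchanged. check_hosts_dir and the
# sample directory built by make_sample_hosts are assumptions for this example.

# Prints one line per problem and returns 1 if any were found:
#   - a host file without the RSA public key that "tincd -n <net> -K" appends
#     (that node can never authenticate; re-run -K there and copy the file again)
#   - a host file without any Subnet line
#   - the same Subnet claimed by two host files (e.g. 192.168.0.1/24 on both ends)
check_hosts_dir() {
    dir=$1; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        node=$(basename "$f")
        grep -q -e '-----BEGIN RSA PUBLIC KEY-----' "$f" \
            || { echo "$node: no public key"; rc=1; }
        grep -Eq '^[[:space:]]*Subnet[[:space:]]*=' "$f" \
            || { echo "$node: no Subnet line"; rc=1; }
    done
    # Subnet collisions across all host files (awk sees every file in one pass).
    awk -F= 'BEGIN { bad = 0 }
             /^[[:space:]]*Subnet[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); node = FILENAME; sub(/.*\//, "", node)
                 if ($2 in owner) { print $2 " claimed by " owner[$2] " and " node; bad = 1 }
                 else owner[$2] = node
             } END { exit bad }' "$dir"/* || rc=1
    return $rc
}

# Constructed sample: the linux host file is complete; the macos one was copied
# before -K was run there and repeats the Linux side's subnet.
make_sample_hosts() {
    d=$(mktemp -d)
    printf 'Address = 203.0.113.10\nPort = 655\nSubnet = 192.168.0.1/24\n' > "$d/linux"
    printf '%s\n' '-----BEGIN RSA PUBLIC KEY-----' 'KEYDATA-PLACEHOLDER' \
        '-----END RSA PUBLIC KEY-----' >> "$d/linux"
    printf 'Port = 655\nSubnet = 192.168.0.1/24\n' > "$d/macos"
    echo "$d"
}

check_hosts_dir "$(make_sample_hosts)" || echo "fix the problems above before starting tincd"
```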

  14. Launch tinc on demand with the command sudo tincd -n howard -D

Use sudo pkill tincd to stop it.

  15. Customize DNS

You may want to specify an external DNS server to resolve some blocked domain names in some countries.

sudo vi /etc/systemd/resolved.conf

Set below settings.

[Resolve]
DNS=8.8.8.8 8.8.4.4
Domains=~.

sudo systemctl restart systemd-resolved

from https://github.com/tianhu/bigpipe

---------------------------------------------- 

Related posts:
https://briteming.blogspot.com/2012/10/how-to-install-and-configure-tinc-vpn.html
https://briteming.blogspot.com/2011/11/tinc-vpn.html
