Changes

no edit summary
Line 10: Line 10:  
'''Prerequisites''':
 
'''Prerequisites''':
 
* Two RUTxxx routers or TRB gateways of any type
 
* Two RUTxxx routers or TRB gateways of any type
* At least one router must have a Public Static or Public Dynamic IP address
+
* At least one router must have a '''Public Static''' or '''Public Dynamic''' IP address
 
* At least one end device (PC, Laptop, Tablet, Smartphone) to configure the routers
 
* At least one end device (PC, Laptop, Tablet, Smartphone) to configure the routers
 
* (Optional) A second end device to configure and test remote LAN access
 
* (Optional) A second end device to configure and test remote LAN access
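Review bot: the bolded prerequisite "Public Static or Public Dynamic IP address" leaves the dynamic case unexplained; a peer that connects to this router needs a name or address that keeps pointing at it after the address changes, and the list says nothing about how that is arranged. Add a short clause such as "a Public Dynamic IP requires a hostname that follows the address changes" so readers with a dynamic address know what else to set up before continuing.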
Line 16: Line 16:  
There will be two tinc configuration schemes presented. Although the second scheme is only an extension of the first one. Therefore, to configure the second scheme, you will have to configure the first as well.
 
There will be two tinc configuration schemes presented. Although the second scheme is only an extension of the first one. Therefore, to configure the second scheme, you will have to configure the first as well.
   −
'''Configuration scheme 1''':
+
'''Topology 1''':
   −
[[File:TincTopology1.png]]
+
[[File:Tinctopo1.png|center|border|class=tlt-border|800x600px]]
    
The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an tinc tunnel via the Internet.
 
The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an tinc tunnel via the Internet.
 
----
 
----
'''Configuration scheme 2''':
+
'''Topology 2''':
   −
[[File:TincTopology2.png]]
+
[[File:Tinctopo2.png|center|border|class=tlt-border|800x600px]]
   −
As mentioned earlier, configuration scheme 2 (figure above) is an extension of configuration scheme 1. While configuration scheme 1 only depicts a connection between two tinc instances, you can see that configuration scheme 2 additionally contains two end devices (END1 and END2), each connected to a separate router's LAN. When this scheme is realized, not only will the two routers be able to communicate with each other, but the end devices will also be reachable to one another and from each router.
+
As mentioned earlier, configuration scheme 2 (figure above) is an extension of configuration scheme 1. While configuration scheme 1 only depicts a connection between two tinc instances, you can see that configuration scheme 2 includes additional two end devices (END1 and END2), each connected to a separate router's LAN. When this topology is set up, not only will the two routers be able to communicate with each other, but the end devices will also be reachable to one another and from each router.
    
In addition to traffic encryption, tinc VPN also supports automatic full mesh routing -  VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops.
 
In addition to traffic encryption, tinc VPN also supports automatic full mesh routing -  VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops.
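Review bot: the headings in this hunk are renamed from "Configuration scheme 1/2" to "Topology 1/2", but the paragraph under the second figure still says "configuration scheme 2 ... configuration scheme 1" and the later "First of, lets configure ..." text still points at "configuration scheme 1", so the rename is only half applied; use one term throughout. While here, the fragment "Although the second scheme is only an extension of the first one." should be joined to the sentence before it, and "an tinc tunnel" should read "a tinc tunnel".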
Line 42: Line 42:  
First of, lets configure a simple connection between two tinc instances, i.e., '''RUT1''' and '''RUT2''' as described above in '''configuration scheme 1'''.
 
First of, lets configure a simple connection between two tinc instances, i.e., '''RUT1''' and '''RUT2''' as described above in '''configuration scheme 1'''.
   −
* tinc is not installed on our devices, therefore, it has to be installed via the package manager. '''Services -> Package Manager -> Packages''' and search for '''tinc VPN'''.
+
1. tinc is not installed on our devices, therefore, it has to be installed via the package manager. '''Services -> Package Manager -> Packages''' and search for '''tinc VPN''' and press '''+''' to install.
   −
[[File:TincPackage.png|854x854px]]
+
[[File:TincPackage.png|border|class=tlt-border|900x700px]]
   −
* After '''successful''' installation you should see a '''new Firewall zone''' “'''<span style=color:khaki>tinc</span>'''” created:
+
2. After '''successful''' installation, package status should be changed to '''Installed.'''
   −
[[File:Tincfwzone2.png|966x966px|alt=]]
+
[[File:Tincinstallation2.png|border|class=tlt-border|900x700px]]
   −
* And a '''new traffic rule added:'''
+
* In '''Network -> Firewall -> General''' you should see a '''new Firewall zone''' “'''<span style="color:khaki">tinc</span>'''” created:
   −
[[File:Tinctraffic2.png|971x971px|alt=]]
+
[[File:Tincfwzone2.png|border|class=tlt-border|900x700px]]
    +
* Lastly, in '''Network -> Firewall -> Traffic rules''' a '''new traffic rule added:'''
   −
* From now all configuration will be made using command line interface.
+
[[File:Tinctraffic2.png|border|class=tlt-border|900x700px]]
 +
 
 +
 
 +
* From this point onwards, all configuration will be made using command line interface.
 
* Make a folder for your tinc daemon where all your configurations will be kept. This procedure is required if you’re going to run more than one tinc daemon on one PC. However, if you only need one instance, then you can keep all configuration in default directory at “'''<span style=color:limegreen>/etc/tinc/</span>'''”
 
* Make a folder for your tinc daemon where all your configurations will be kept. This procedure is required if you’re going to run more than one tinc daemon on one PC. However, if you only need one instance, then you can keep all configuration in default directory at “'''<span style=color:limegreen>/etc/tinc/</span>'''”
 
* Use <span style=color:dodgerblue>'''mkdir'''</span> to create a new folder at '''<span style=color:limegreen>/etc/tinc/</span>'''
 
* Use <span style=color:dodgerblue>'''mkdir'''</span> to create a new folder at '''<span style=color:limegreen>/etc/tinc/</span>'''
   −
[[File:Tincfolder.png]]
+
[[File:Tincfolder.png|border|class=tlt-border]]
    
* Then use your favorite text editor (I’m using vi) and create '''tinc.conf''' (If you '''skipped''' making specific folder, then you can create configs as mentioned earlier – in parent folder “'''<span style=color:dodgerblue>vi</span> <span style=color:limegreen>/etc/tinc/tinc.conf</span>'''”, otherwise do it in "'''<span style="color:dodgerblue">vi</span> <span style="color:limegreen">/etc/tinc/example/tinc.conf</span>'''"
 
* Then use your favorite text editor (I’m using vi) and create '''tinc.conf''' (If you '''skipped''' making specific folder, then you can create configs as mentioned earlier – in parent folder “'''<span style=color:dodgerblue>vi</span> <span style=color:limegreen>/etc/tinc/tinc.conf</span>'''”, otherwise do it in "'''<span style="color:dodgerblue">vi</span> <span style="color:limegreen">/etc/tinc/example/tinc.conf</span>'''"
[[File:Tincconfigfile.png]]
+
[[File:Tincconfigfile.png|border|class=tlt-border]]
    
* And on RUT2 use a different name (ex. <span style=color:limegreen>rut2</span>) and add the line “<span style=color:limegreen>ConnectTo = rut1</span>”
 
* And on RUT2 use a different name (ex. <span style=color:limegreen>rut2</span>) and add the line “<span style=color:limegreen>ConnectTo = rut1</span>”
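Review bot: the step "Lastly, in Network -> Firewall -> Traffic rules a new traffic rule added" documents a rule the installer creates on its own but never says what it permits (zone, protocol, port, direction); state that in text so the reader can check the rule on their own device against the screenshot and narrow it if it is broader than the tunnel needs, because an automatically added firewall rule is exactly what a reader should verify rather than accept from an image. Two smaller points: the list switches from "1.", "2." to "*" at "In Network -> Firewall -> General", so either number every step or bullet every step; and "run more than one tinc daemon on one PC" should say router, since these steps are executed on the RUTxxx device.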
Line 116: Line 120:  
You can do this with '''WinSCP''', or using CLI’s <span style=color:dodgerblue>'''scp'''</span> to transfer files from one device to the other.
 
You can do this with '''WinSCP''', or using CLI’s <span style=color:dodgerblue>'''scp'''</span> to transfer files from one device to the other.
   −
[[File:Tincscp1.2.png]]
+
[[File:Tincscp1.2.png|border|class=tlt-border|1100x700px]]
   −
[[File:Tincscp2.2.png]]
+
[[File:Tincscp2.2.png|border|class=tlt-border|1100x700px]]
    
Here on CLI, In 1st picture, I used scp to transfer RUT1’s host file directly to my RUT2, because RUT1 has public IP and therefore, I can directly communicate with it, and later, transferred RUT2’s host file to the RUT1 in the 2nd picture.
 
Here on CLI, In 1st picture, I used scp to transfer RUT1’s host file directly to my RUT2, because RUT1 has public IP and therefore, I can directly communicate with it, and later, transferred RUT2’s host file to the RUT1 in the 2nd picture.
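Review bot: the paragraph "Here on CLI, In 1st picture, I used scp to transfer RUT1's host file directly to my RUT2, because RUT1 has public IP" describes copying the host files across the Internet but says nothing about confirming the SSH host key of the remote router on first connection; the rest of the setup depends on these files arriving unaltered, so one sentence telling the reader to check the fingerprint that scp or WinSCP shows belongs here. Also, "In 1st picture" should read "in the 1st picture", and "CLI's scp" reads better as "the scp command".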
Line 126: Line 130:  
'''RUT1:'''
 
'''RUT1:'''
   −
[[File:Tinccon1.png]]
+
[[File:Tinccon1.png|border|class=tlt-border]]
       
'''RUT2:'''
 
'''RUT2:'''
   −
[[File:Tinccon2.png]]
+
[[File:Tinccon2.png|border|class=tlt-border]]
    
Also, you can ping RUT1’s or 2’s VPN IP, here I ping RUT2 from RUT1, it should work both ways:
 
Also, you can ping RUT1’s or 2’s VPN IP, here I ping RUT2 from RUT1, it should work both ways:
   −
[[File:Tincping1.png]]
+
[[File:Tincping1.png|border|class=tlt-border]]
    
And you can see a new route created on tinc0 interface:
 
And you can see a new route created on tinc0 interface:
   −
[[File:Tinciface.png]]
+
[[File:Tinciface.png|border|class=tlt-border]]
    
===End-client to end-client example===
 
===End-client to end-client example===
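Review bot: every verification in this hunk (the RUT1 and RUT2 connection state, the ping from RUT1 to RUT2, the route on tinc0) is shown only as a screenshot; add the command that was run and the output line that proves success as text beside each image, so a reader can copy the check and compare results, and so the page still works when images do not load. "RUT1's or 2's VPN IP" should read "RUT1's or RUT2's VPN IP".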
Line 149: Line 153:  
<span style=color:limegreen>'''hosts/rut1'''</span> file:
 
<span style=color:limegreen>'''hosts/rut1'''</span> file:
   −
[[File:Tinchosts1.png]]
+
[[File:Tinchosts1.png|border|class=tlt-border]]
    
<span style=color:limegreen>'''hosts/rut2'''</span> file:
 
<span style=color:limegreen>'''hosts/rut2'''</span> file:
   −
[[File:Tinchosts2.png]]
+
[[File:Tinchosts2.png|border|class=tlt-border]]
    
* Add a route to other’s device LAN network through your tinc interface:
 
* Add a route to other’s device LAN network through your tinc interface:
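Review bot: the edits to hosts/rut1 and hosts/rut2 exist only as images (Tinchosts1.png, Tinchosts2.png), yet together with the route in the next step they are what lets each router reach the other's LAN; write the added lines out in text with a sentence explaining each, because a reader cannot copy, search or review a screenshot, and these files are the ones to inspect when LAN-to-LAN traffic does not flow. "other's device LAN network" should read "the other device's LAN network".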
Line 160: Line 164:  
on rut1 <span style="color:limegreen">'''example/tinc-up'''</span>
 
on rut1 <span style="color:limegreen">'''example/tinc-up'''</span>
   −
[[File:Tincup1.png]]
+
[[File:Tincup1.png|border|class=tlt-border]]
    
on rut2 <span style=color:limegreen>'''example/tinc-up'''</span>
 
on rut2 <span style=color:limegreen>'''example/tinc-up'''</span>
   −
[[File:Tincup2.png]]
+
[[File:Tincup2.png|border|class=tlt-border]]
    
* However, you’ll only be able to reach each other’s device LAN IP, but not the end devices. Therefore you need to change firewall rules.
 
* However, you’ll only be able to reach each other’s device LAN IP, but not the end devices. Therefore you need to change firewall rules.
    
'''FIREWALL'''
 
'''FIREWALL'''
* To achieve end-to-end client communication you need to configure the tinc zone, that was created at the installation.
  −
* Both routers should have identical zone configurations:
     −
[[File:Tincfw2.png|843x843px]]
+
1. To achieve end-to-end client communication you need to configure the tinc zone '''Network->Firewall->General''', that was created at the installation. Press the edit button to configure it.[[File:Tincfirewall1.png|border|class=tlt-border|1100x700px]]
 +
 
 +
[[File:Tincfirewall2.png|border|class=tlt-border|900x700px]]
 +
 
 +
2. Open ''Allow forward to destination zones'' list.
 +
3. Select '''lan''' zone, this will allow us to access LAN network from outside via tinc VPN.
 +
 
 +
[[File:Tincfirewall3.png|border|class=tlt-border|900x700px]]
 +
 
 +
4. Open ''Allow forward from source zones'' list.
 +
5. Select '''lan''' zone, so we can access outside networks via tinc VPN too.
 +
6. Press '''Save & Apply'''
    
We are going to allow all forwards via this interface, including '''lan''' and '''wan networks''' into this zone. This way we can communicate from END1 to RUT2’s lan as well as END2 and vice versa.
 
We are going to allow all forwards via this interface, including '''lan''' and '''wan networks''' into this zone. This way we can communicate from END1 to RUT2’s lan as well as END2 and vice versa.
 
In short '''LAN1 <-> WAN1 <-''' through tinc tunnel '''-> WAN2 <-> LAN2'''
 
In short '''LAN1 <-> WAN1 <-''' through tinc tunnel '''-> WAN2 <-> LAN2'''
   −
[[File:TincTopology3.png]]
+
[[File:TincTopology3.png|center|border|class=tlt-border|800x600px]]
 +
[[Category:VPN]]
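Review bot: the paragraph "We are going to allow all forwards via this interface, including lan and wan networks into this zone" contradicts the numbered steps above it, which add only lan as a forward destination and as a forward source for the tinc zone, and it grants more than the stated goal needs: reaching END1 from END2 and each router's LAN requires only tinc <-> lan forwarding, so letting wan into or out of the tunnel zone widens what a compromised peer or end device could reach. Reword the paragraph to describe exactly the lan forwarding the steps configure, and fix the summary line "LAN1 <-> WAN1 <- through tinc tunnel -> WAN2 <-> LAN2" to match, since the tunnel runs between the tinc interfaces rather than the wan zones. Also, the tinc-up route additions appear only as images (Tincup1.png, Tincup2.png); give the lines in text, and step 6 "Press Save & Apply" needs a closing period.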