Docs:03.2 Tinc server side prep

This page was last edited on 19 February 2025, at 15:18.

Tinc: creating the initial network and inviting nodes

Use UFW to open a firewall

In this step you will set up the default firewall, ufw, on all your servers. You'll allow the OpenSSH service and the tinc VPN port, then start and enable the ufw firewall.

If it isn’t installed you can install with:

sudo apt-get install ufw

First, allow the OpenSSH service using the ufw command below. The output 'Rules updated' confirms that the new rule was added to ufw.

sudo ufw allow OpenSSH

Add port 655, which tinc uses for both its TCP control connections and its UDP data traffic, by entering the following command (without a /tcp or /udp suffix, ufw opens the port for both protocols).

sudo ufw allow 655

Now run the following ufw command to start and enable the ufw firewall. When prompted, input y to confirm and press ENTER to proceed.

sudo ufw enable

Check its status with

sudo ufw status

It should now show:
- OpenSSH
- 655
- possibly other ports you have opened

Configuring Tinc

Tinc stores all configuration in /usr/local/etc/tinc (this is the location for a build from source; distribution packages usually use /etc/tinc instead).

Tinc allows multiple private networks to be defined; each one is a subfolder named after the network, e.g. /usr/local/etc/tinc/<net-name>. (If you mess something up, you can start over by deleting the files in that folder.)

This step only has to happen once, on the server hosting the VPN. In our case, it was performed on systerserver's Jean.

We will:
1. Create a virtual network on the public node; ours was named systerserver.
2. Have the public node create invite links for the other nodes.
3. Add those new nodes with tinc's join command, using the invite link.

Syntax:

sudo tinc -n <NETNAME> init <NODENAME>

So we did:

sudo tinc -n systerserver init servpub

Add a subnet IP for your hub

Then, on the server, we set the node's VPN address inside the 10.10.12.x subnet using the command below, giving it the IP assigned to that node.

Syntax:

sudo tinc -n <NETWORK NAME> add subnet <IP>

So we did:

sudo tinc -n systerserver add subnet 10.10.12.0

Edit tinc-up:

This script sets up your VPN IP address and makes the node visible on the network.

On your machine, go to the configuration folder if you’re not already there:

cd /usr/local/etc/tinc/<NETNAME>

You can use ls -a to see all the files in there, then edit the file called tinc-up. We are using nano for our text editing.

via nano:

sudo nano tinc-up

Once the file is open, edit it so it looks like this, filling in the correct details:

#!/bin/sh
echo 'Unconfigured tinc-up script, please edit '$0'!'
#ifconfig $INTERFACE <your vpn IP address> netmask <netmask of whole VPN>

For Servepub it would look like:

#!/bin/sh
#echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.10.12.0 netmask 255.255.255.0

Test

To test, run the service in the foreground with debug output (-D keeps tincd from detaching):

sudo tincd -n systerserver -D

Invite nodes to network

To add a new node to the network you need to assign it a subnet IP for the VPN. With our settings, VPN IPs are of the form 10.10.12.x (e.g. 10.10.12.1).

Create a file to keep your list of private addresses. We use a file called vpn-records in /usr/local/etc/tinc/.

Your file might look something like:

10.10.12.0 ---- Hub
10.10.12.1 ---- servpub
10.12.12.2 ---- wiki4
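Nothing enforces this file, so two nodes can end up with the same address, or with an address outside 10.10.12.0/24 (like the 10.12.12.2 entry above) that the interface route set by tinc-up does not cover. As an added example, not part of the original page, the shell functions below check a vpn-records file in the "IP ---- name" format and print the next free address; they assume awk and sed are available and use a constructed sample, not the real records file.

```shell
#!/bin/sh
# Constructed sample in the "IP ---- name" format of vpn-records (not the real file).
# The third line deliberately carries an address outside 10.10.12.0/24.
SAMPLE_RECORDS='10.10.12.0 ---- Hub
10.10.12.1 ---- servpub
10.12.12.2---- wiki4'

# Normalise "IP---- name" and "IP ---- name" into three whitespace-separated fields.
_records_fields() {
    printf '%s\n' "$1" | sed 's/----/ ---- /'
}

# Report malformed lines, addresses outside 10.10.12.0/24, and reused addresses
# or node names. Returns 1 if anything was reported, 0 if the file is clean.
check_vpn_records() {
    _records_fields "$1" | awk '
        BEGIN { bad = 0 }
        NF < 3 || $2 != "----" { printf "malformed line: %s\n", $0; bad = 1; next }
        $1 !~ /^10\.10\.12\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$/ {
            printf "outside 10.10.12.0/24: %s (%s)\n", $1, $3; bad = 1
        }
        seen_ip[$1]++ == 1   { printf "duplicate address: %s\n", $1; bad = 1 }
        seen_name[$3]++ == 1 { printf "duplicate node name: %s\n", $3; bad = 1 }
        END { exit bad }'
}

# Print the lowest address in 10.10.12.0/24 not yet listed. The page uses .0 for
# the hub, so the search starts at .0; .255 is the broadcast address and is skipped.
next_free_vpn_ip() {
    _records_fields "$1" | awk '
        $2 == "----" && $1 ~ /^10\.10\.12\.[0-9]+$/ { split($1, o, "."); used[o[4]] = 1 }
        END { for (i = 0; i < 255; i++) if (!(i in used)) { print "10.10.12." i; exit } }'
}

# Typical use on the hub (path from the page):
#   check_vpn_records "$(cat /usr/local/etc/tinc/vpn-records)" && \
#   next_free_vpn_ip  "$(cat /usr/local/etc/tinc/vpn-records)"
```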

Make invite link

To make an invite link, we name the network we want to add the node to and the name of the new node.

Syntax:

sudo tinc -n <NETNAME> invite <NODENAME>

So we did:

sudo tinc -n systerserver invite servepub

It will ask for your host's external IP; press Enter to accept the default.

The invite generated will be a long string of letters and numbers. It can then be used on the new node to be added to the network.

Example of a generated invite: 79.91.202.97/SVuslahX7LapWXJdBzd03jNn48bPuN83jVE_23VnL