Netgate Discussion Forum
Tinc basic setup

pfSense Packages. 16 Posts, 5 Posters, 6.0k Views
GusBricker

I did some more configuring and in my tinc-up script on tincclient, I set the interface's IP to 192.168.5.20.

I can see that on the tincrouter (pfSense box), the tun interface has IP 192.168.5.254 and on tincclient, the tun interface has IP 192.168.5.20.

I still can't even ping the tincrouter from tincclient despite both showing an active connection to each other.

@apnar:

Do the tun interfaces on both sides get their proper IPs in ifconfig?

You can send USR1 or USR2 signals to the tincd process and it'll dump connection info into the log.

apnar

You need to make sure you adjust firewall rules in PF to allow the traffic you want over and above just allowing the initial VPN traffic.

GusBricker

Can you go into more detail on this?

I've added a rule to allow port 655. Is there anything else I need to do?

bman212121

~~I think you need to point TINC at your LAN interface IP and not your WAN. It should match your Local IP as that is the interface TINC is bound to.

So port forward 655 from outside to 192.168.5.254.~~

EDIT: It looks like tinc binds to loopback so it should be available from all interfaces.

Also, make sure that under Rules there is a tab called tinc. I don't think that shows up until the service is started. In there you need to add a rule to allow traffic to pass, as there are no default rules on the interface.

GusBricker

@bman212121:

~~I think you need to point TINC at your LAN interface IP and not your WAN. It should match your Local IP as that is the interface TINC is bound to.

So port forward 655 from outside to 192.168.5.254.~~

EDIT: It looks like tinc binds to loopback so it should be available from all interfaces.

Also, make sure that under Rules there is a tab called tinc. I don't think that shows up until the service is started. In there you need to add a rule to allow traffic to pass, as there are no default rules on the interface.

Sorry for the late reply, but I have already done this. It didn't help :(
Any more suggestions?

rcfa

Has anyone actually gotten tinc to work?
I can't find much about tinc anywhere here, but this thread.
Trying to get tinc up under 2.2-RC, so far no luck.
Posted some more detail in the 2.2-RC section, just wanted to know if anyone has it actually up and running, and if there's somewhere a 'cookbook'.

GusBricker

@rcfa:

Has anyone actually gotten tinc to work?
I can't find much about tinc anywhere here, but this thread.
Trying to get tinc up under 2.2-RC, so far no luck.
Posted some more detail in the 2.2-RC section, just wanted to know if anyone has it actually up and running, and if there's somewhere a 'cookbook'.

I never got it working so I gave up.

rcfa

Thanks for the reply.
Bummer, though; seemed just like what I needed…

Supermule

Have you looked here??

http://www.tinc-vpn.org/

GusBricker

Yup, I followed their documentation.

rcfa

@Supermule:

Have you looked here??

http://www.tinc-vpn.org/

The issues are of a different nature. The docs there describe how to set up the config files, etc.
But these are the things I'd expect the GUI to take care of after I enter the subnets, etc. into the relevant fields.
But neither does the key generation happen as expected, nor does the link ever go up, nor does tincd run.

I'd figure whoever wrote the module would have gotten it to run or not have published it. So a working sample config would be useful, as would be the knowledge of whether things are known to work or fail under 2.2-R

Supermule

What are you running on the receiving end of your tinc side??

Try changing the tincclient IP (physical machine) to 10.1.1.20 for testing purposes.

And change the subnets to /24 for starters.

rcfa

I have two pfSense units.

Box A: has e.g. a public WAN DHCP IP given by the ISP of 1.2.3.4, and has a LAN IP subnet of 123.45.67.0/24 and a LAN IP of 123.45.67.254, which are public IPs which the ISP won't route.

Box B: has a single fixed IP of e.g. 5.6.7.8 which also is the routing gateway for 123.45.67.0/24. This box only has one active NIC, the WAN with the 5.6.7.8 IP address.

What I want to do is to route all traffic from the internet that arrives for 123.45.67.0/24 at 5.6.7.8 through tinc to 1.2.3.4, where it's dumped onto the 123.45.67.0/24 LAN.

While I might have assigned sub-optimal or even wrong netmasks, etc., I'm fairly certain that I know the proper local and remote IP, and that I got the public/private key stuff right (despite the fact that I had to generate it at the CLI and then paste it into the files, because the generate key pair check mark didn't do anything when selected and hitting the save button).

So even with no traffic flowing, I'd have expected at least tincd to come up, but no such luck. Since I'm running 2.2-RC, I don't know if the issue is with 2.2-RC, with tinc, or the combination of these, or if I just got things so wrong that it refused to even generate keys and start up the daemon.

Supermule

Yes, but if you give the VPN the same internal IP as your own, then routing won't work afaik.

That's why I wanted you to give your local subnet a different IP range. Then we can exclude the routing range.
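As an added example (not from this thread or the pfSense tinc package), the following shell script writes the tinc configuration rcfa's two-box topology needs, addressing the tunnel from a transit prefix disjoint from the 123.45.67.0/24 LAN as Supermule suggests, and then checks the prerequisites the thread kept tripping over. The node names boxa/boxb, the netname rcfanet, the 10.99.0.0/30 transit addresses and the tun device name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense tinc package: writes a minimal
# two-node tinc router-mode config for rcfa's topology. Node names (boxa, boxb),
# the netname, the 10.99.0.0/30 transit prefix and the tun device are assumptions.
set -eu

gen_tinc_config() {   # $1 = destination dir, $2 = node name (boxa | boxb)
    d="$1/tinc/rcfanet"
    mkdir -p "$d/hosts"
    case "$2" in
        boxa) tunip=10.99.0.1; peerip=10.99.0.2 ;;  # WAN 1.2.3.4 (DHCP), LAN 123.45.67.0/24
        boxb) tunip=10.99.0.2; peerip=10.99.0.1 ;;  # fixed WAN 5.6.7.8, gateway for that /24
        *) echo "unknown node: $2" >&2; return 1 ;;
    esac
    printf 'Name = %s\nMode = router\nDevice = /dev/tun0\n' "$2" > "$d/tinc.conf"
    # Only Box B has a stable address, so only Box A dials out.
    if [ "$2" = boxa ]; then echo "ConnectTo = boxb" >> "$d/tinc.conf"; fi
    # hosts/boxb: where Box A connects, plus Box B's own tunnel address.
    # (Each host file also carries that node's public key; omitted here.)
    printf 'Address = 5.6.7.8\nPort = 655\nSubnet = 10.99.0.2/32\n' > "$d/hosts/boxb"
    # hosts/boxa: the LAN prefix that tinc on Box B must forward into the tunnel.
    printf 'Subnet = 10.99.0.1/32\nSubnet = 123.45.67.0/24\n' > "$d/hosts/boxa"
    # tinc-up: tinc exports INTERFACE; the tunnel gets transit addresses, not LAN ones.
    # Box B also needs a kernel route so packets for the /24 enter tun0 at all.
    {
        echo '#!/bin/sh'
        echo "ifconfig \"\$INTERFACE\" inet $tunip $peerip up"
        if [ "$2" = boxb ]; then echo "route add -net 123.45.67.0/24 $peerip"; fi
    } > "$d/tinc-up"
    chmod 755 "$d/tinc-up"
    # pf rules on the pfSense "tinc" interface tab are still needed (apnar's point).
}

check_tinc_config() {   # $1 = destination dir: the prerequisites this thread tripped over
    d="$1/tinc/rcfanet"
    grep -q '^Address = ' "$d/hosts/boxb" || return 1      # a ConnectTo target needs an Address
    grep -q '^Subnet = 123.45.67.0/24$' "$d/hosts/boxa" || return 1
    [ -x "$d/tinc-up" ] || return 1                         # otherwise tun0 stays unaddressed
    ! grep -q '^ifconfig.*123\.45\.67\.' "$d/tinc-up"        # tunnel must not reuse the LAN prefix
}
```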

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.