Help me to configure Tinc VPN on Pfsense
-
Hi,
Help me to configure pfSense correctly so that I can bring up the tinc VPN; this is my hardware configuration.
I need to create a layer 2 VPN that is able to transport unicast and multicast traffic; I want to connect my Sky Q box on the Pf1 side with my Sky Mini on the Pf2 side.
Both pfSense instances run as VMs, the first on MS Hyper-V and the second on a QNAP VM.

Wan:(hn0)192.168.1.50            Wan:(vtnet0)192.168.0.15
###########                      #############
#         #                      #           #
#   Pf1   #      === >           #   Pf2 (server)
#         #                      #           #
###########                      #############
Lan:(hn1)192.168.30.30           Lan:(vtnet1)192.168.30.200
I have been looking on the web, but there are very few posts about it, and most of them are for the Linux shell. The only one about tinc and pfSense, and the most interesting, is this:
https://forum.netgate.com/topic/81221/how-to-tinc-mesh-vpn-configuration
Unfortunately for me, this post is not so clear; my only result so far is that I can bring up the tinc service, but there is no ping between the two LAN interfaces.
In my case the gateway of Pf1 must be Pf2.
I have configured my pfSense for tinc as follows:
On Pf1:
• Open the tinc tab from VPN => tinc
• Pick a unique name for the tinc daemon (Pf1)
• In "Local IP" put 192.168.30.30
• In "Local Subnet" put "192.168.30.0/24"
• Address Family "ipv4"
• Check "Generate RSA key pair"
• In "Extra Parameters" under Advanced put these lines:
-----------------------------------------------------
Mode=switch # check tinc-vpn documents
port=1515 # server port on Pf2 that Pf1 connects to
-----------------------------------------------------
• Click "save"
• Open "Host Up Script" from Advanced Features and paste some routes:
route add -host 192.168.30.200 -interface $INTERFACE
route add -net 192.168.30.0/24 192.168.30.200
• Click "save"
Now we add the host:
• Click on Hosts => Add new
• In "Name" you must put the exact name of the server that you want to connect to; it's "Pf2" for now.
• Put your tinc-vpn server public IP address in the "Address" box: "192.168.0.50"
• In "Subnet" you should add the address range that you want to reach: "192.168.30.0/24"
• Check "Connect at Start-up"
• Copy the generated "RSA public key" from the "Pf2" tinc-vpn and paste it in the RSA public key box
with -----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
• In "Extra Parameters" under Advanced put these lines:
Mode=switch # check tinc-vpn documents
port=1515 # server port on Pf2 that Pf1 connects to
• Click "save"
On Pf2:
• Open the tinc tab from VPN => tinc
• Pick a unique name for the tinc daemon (Pf2)
• In "Local IP" put 192.168.30.200
• In "Local Subnet" put "192.168.30.0/24"
• Address Family "ipv4"
• Check "Generate RSA key pair"
• In "Advanced Features" click on "Advanced" and paste these lines:
Mode=switch
port=1515 # tinc server port
• In "Host Up Script" put the other side's routes:
route add -host 192.168.30.30 -interface $INTERFACE
route add -net 192.168.30.0/24 192.168.30.30
-----------------------------------------------------
• Click "save"
Now we add the host on Pf2:
• Click on Hosts => Add new
• In "Name" you must put the exact name of the other side; it's "Pf1" for now.
• Put the other side's tinc-vpn public IP address in the "Address" box: "192.168.1.50"
• In "Subnet" you should add the address range that you want to reach: "192.168.30.0/24"
• Leave "Connect at Startup" unchecked
• Copy the generated "RSA public key" from the "Pf1" tinc-vpn and paste it in the RSA public key box
with -----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
• Click "save"
And done.
Don't forget to open the port (TCP 1515) on both sides.
With this configuration I'm not able to ping the other LAN address… what am I doing wrong or missing in my configuration?
I also have another question: does tinc need a bridge interface like OpenVPN to work? Do I need to set up some rules in the WAN area and in the pkg_tinc scope?
Thanks to all for your help
-
Did you ever figure out a solution?
-
@bbell_contract said in Help me to configure Tinc VPN on Pfsense:
Did you ever figure out a solution?
No, sorry. I have abandoned the project due to lack of information on tinc.
-
What did you end up using for your Layer2 VPN solution?
-
I have been doing some research and some trial and error... but I got it working.
******** This was created between two test Netgate boxes.
******** Adjust specifics as needed for your network.
Starting config for each Netgate:
Pf1
WAN: 1.1.1.1/24
LAN: 192.168.0.1/24
Pf2
WAN: 1.1.1.2/24
LAN: 192.168.0.2/24
=================
Create Bridge Interface with LAN in the Bridge and then Move the LAN IP to the BRIDGE interface
Pf1
In Interfaces-Assignments-Bridges: Create a bridge with LAN in the bridge
In Interfaces-Assignments: Use the drop down to create a new interface for the BRIDGE0 interface
In Interfaces-"new bridge interface name"(Probably OPT2 or something): rename the interface BRIDGE and enable the interface
Disable DHCP on LAN
In Interfaces-LAN - set IPv4 Configuration type to None
In Interfaces-BRIDGE - set IPv4 Configuration type Static and set to 192.168.0.1/24
Add DHCP server to Bridge interface (Services-DHCP Server)
Pf2
In Interfaces-Assignments-Bridges: Create a bridge with LAN in the bridge
In Interfaces-Assignments: Use the drop down to create a new interface for the BRIDGE interface
In Interfaces-"new bridge interface name"(Probably OPT2 or something): rename the interface BRIDGE and enable the interface
Disable DHCP on LAN
In Interfaces-LAN - set IPv4 Configuration type to None
In Interfaces-BRIDGE - set IPv4 Configuration type Static and set to 192.168.0.2/24
===========
Configure TINC
Install tinc from System - Package Manager - Available Packages on both Netgates (will need internet access for this)
On Pf1:
VPN - tinc
Settings Tab
Name: Pf1
Local IP: 192.168.0.1
Local Subnet: 192.168.0.0/24
Address Family: ipv4
Check "Generate RSA key pair"
Click "Show Advanced Options" and in the "Extra Tinc Parameters" box put this line: Mode=switch
(RSA Key pair will be blank until you hit save and then will generate)
Save
On Pf2:
VPN - tinc
Settings Tab
Name: Pf2
Local IP: 192.168.0.2
Local Subnet: 192.168.0.0/24
Address Family: ipv4
Check "Generate RSA key pair"
Click "Show Advanced Options" and in the "Extra Tinc Parameters" box put this line: Mode=switch
(RSA Key pair will be blank until you hit save and then will generate)
Save
========================================================
Add Hosts:
On Pf1:
VPN - tinc
click on Hosts
Add new
Name: Pf2 (this must match exactly with what was configured above)
Address: 1.1.1.2
Subnet: 192.168.0.0/24
check "Connect at Start-up"
copy generated "RSA public key" from "Pf2" and paste in the RSA public key box
Click "Show Advanced Options" and in "Extra Parameters" put this line: Mode=switch
Click "save"
On Pf2:
VPN - tinc
click on Hosts
Add new
Name: Pf1 (this must match exactly with what was configured above)
Address: 1.1.1.1
Subnet: 192.168.0.0/24
check "Connect at Start-up"
copy generated "RSA public key" from "Pf2" and paste in the RSA public key box
Click "Show Advanced Options" and in "Extra Parameters" put this line: Mode=switch
Click "save"
===============================
On Pf1 and Pf2
Create tap interface and add to Bridge
In Interfaces-Assignments: Use the drop down to create a new interface for the tap0 interface
In Interfaces-"new tap0 interface name"(Probably OPT2 or something): rename the interface TINCTAP and enable the interface
In Interfaces-Assignments-Bridges: Add the TINCTAP interface to the Bridge. Should have LAN, TINCTAP in the Bridge
===============================
Firewall rules
On Pf1 and Pf2
Go to Firewall-Rules
WAN: Pass/ Protocol: TCP 655 / Destination: WAN interface
LAN: Pass / Protocol: ALL / Source and Destination: Any
pkg_tinc: Pass / Protocol: ALL / Source and Destination: Any
BRIDGE: Pass / Protocol: ALL / Source and Destination: Any
TINCTAP: Pass / Protocol: ALL / Source and Destination: Any
***** this is in a TEST environment so PLEASE modify Firewall rules as appropriate for your environment
==================================
With this configuration I was able to plug into a switch on the Pf2 LAN side and get a DHCP address from Pf1
Good luck
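The GUI fields in the working recipe above (and in the original poster's attempt) map onto a handful of lines in tinc's own `tinc.conf` and `hosts/<name>` files, and seeing that mapping makes the two failure modes in this thread (a host file whose name does not exactly match the peer's Name, and neither side having "Connect at Start-up" set) easy to check by hand. The script below is an added example, not something from this thread or from the pfSense tinc package: it writes the equivalent plain tinc 1.0 configuration for the two-node switch-mode pair (Pf1 <-> Pf2, addresses from the recipe) into a directory you choose, then runs those consistency checks. Assumptions are labelled in the comments: the `Device = /dev/tap0` line is the FreeBSD way to ask tinc for a tap interface (the Linux form differs), the RSA key is a placeholder, and the `Subnet` lines are kept only because the GUI sets them; in switch mode tinc forwards by learned MAC address. One caveat a firewall admin will want: the recipe opens only TCP 655 on WAN, but tinc carries tunnelled traffic over UDP 655 by default and falls back to the TCP connection when UDP is blocked, which works but costs throughput, so allow UDP 655 as well if performance matters.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense tinc package. Writes the
# plain tinc 1.0 configuration that corresponds to the GUI fields in the post
# for a two-node switch-mode pair, then checks the pair for consistency.

# write_tinc_node ROOT NAME PEER PEER_ADDR SUBNET CONNECT_AT_STARTUP
#   ROOT plays the role of /usr/local/etc/tinc/<netname> (any directory);
#   CONNECT_AT_STARTUP=1 adds "ConnectTo = PEER", i.e. the GUI "Connect at Start-up" box.
write_tinc_node() {
    root=$1; me=$2; peer=$3; peer_addr=$4; subnet=$5; connect=$6
    mkdir -p "$root/hosts"

    # tinc.conf: the "Settings" tab plus the "Extra Tinc Parameters" box
    {
        echo "Name = $me"
        echo "AddressFamily = ipv4"
        echo "Mode = switch"        # layer 2: Ethernet frames are forwarded, so multicast crosses the VPN
        echo "Device = /dev/tap0"   # assumed FreeBSD tap device; a tap (not tun) interface can join the bridge
        if [ "$connect" = 1 ]; then
            echo "ConnectTo = $peer"
        fi
    } > "$root/tinc.conf"

    # hosts/<me>: our own host file. Its Subnet line and public key are what the
    # peer pastes into its Hosts entry for us. PLACEHOLDER stands for the key
    # the GUI (or 'tincd -K') generates; it is not a real key.
    {
        echo "Subnet = $subnet"     # kept because the GUI sets it; switch mode forwards by learned MAC
        echo "-----BEGIN RSA PUBLIC KEY-----"
        echo "PLACEHOLDER"
        echo "-----END RSA PUBLIC KEY-----"
    } > "$root/hosts/$me"

    # hosts/<peer>: the "Hosts -> Add new" entry (Name = file name, Address, Subnet, peer's key)
    {
        echo "Address = $peer_addr"
        echo "Subnet = $subnet"
        echo "# paste the RSA public key of $peer below this line"
    } > "$root/hosts/$peer"
}

# check_pair ROOT1 NAME1 ROOT2 NAME2
# Each side must have a host file named exactly after the other, both must run
# Mode = switch, and at least one side must ConnectTo the other. Returns 0 when
# all three hold, 1 (with a reason on stdout) otherwise.
check_pair() {
    r1=$1; n1=$2; r2=$3; n2=$4
    [ -f "$r1/hosts/$n2" ] || { echo "missing $r1/hosts/$n2 (Hosts entry name must match the peer's Name)"; return 1; }
    [ -f "$r2/hosts/$n1" ] || { echo "missing $r2/hosts/$n1 (Hosts entry name must match the peer's Name)"; return 1; }
    grep -q '^Mode = switch$' "$r1/tinc.conf" && grep -q '^Mode = switch$' "$r2/tinc.conf" \
        || { echo "both sides must use Mode = switch for a layer 2 bridge"; return 1; }
    grep -q "^ConnectTo = $n2$" "$r1/tinc.conf" || grep -q "^ConnectTo = $n1$" "$r2/tinc.conf" \
        || { echo "neither side connects to the other at start-up"; return 1; }
    return 0
}

# Demo with the recipe's addresses. TINC_DEMO_DIR selects the output directory;
# it defaults to a fresh temporary directory so nothing under /usr/local/etc is touched.
demo() {
    base=${TINC_DEMO_DIR:-$(mktemp -d)}
    write_tinc_node "$base/Pf1" Pf1 Pf2 1.1.1.2 192.168.0.0/24 1
    write_tinc_node "$base/Pf2" Pf2 Pf1 1.1.1.1 192.168.0.0/24 1
    check_pair "$base/Pf1" Pf1 "$base/Pf2" Pf2 && echo "tinc pair configuration in $base is consistent"
}

demo
```

Run it as `sh tinc-pair.sh` and compare the generated `tinc.conf` and `hosts/` files with what the pfSense package writes for you; `check_pair` is also handy on its own against two existing configuration directories when a tunnel refuses to come up.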
-
Typo on host config on Pf2. Should be copy the RSA public key from Pf1… not Pf2