How To: Tinc Mesh VPN Configuration
-
how did this work out? I've had trouble getting this to work.
I noticed that on: "Now we add host on Pf2:"
you did not add the "extra parameters" for the Pf2 host setup.
Also - did you have to open port 1515 on both sides? what transport protocol?
thx
-
I noticed that on: "Now we add host on Pf2:"
you did not add the "extra parameters" for the Pf2 host setup.
In this example we try to connect from Pf1 to Pf2.
"extra parameters" on "Hosts" (Pf1) define Tinc Server configurations (Pf2) that we want to connect to.
Also - did you have to open port 1515 on both sides? what transport protocol?
Yes, you must open ports on both sides. (TCP 1515)
Also you can find more detail on http://www.tinc-vpn.org/documentation/Example-configuration.html#Example-configuration
-
Thanks.
re: "mode=switch" under "extra parameters"
Why did you choose "switch" and are there other modes that would be appropriate for setting up vpn mesh for a few remote offices?
-
There are 3 different types of Mode you can use. The default mode is router.
Mode = router | switch | hub (router)
This option selects the way packets are routed to other daemons.
router: In this mode Subnet variables in the host configuration files will be used to form a routing table. Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode. This is the default mode, and unless you really know you need another mode, don't change it.
switch: In this mode the MAC addresses of the packets on the VPN will be used to dynamically create a routing table just like an Ethernet switch does. Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode at the cost of frequent broadcast ARP requests and routing table updates. This mode is primarily useful if you want to bridge Ethernet segments.
hub: This mode is almost the same as the switch mode, but instead every packet will be broadcast to the other daemons while no routing table is managed.
http://www.tinc-vpn.org/documentation/tinc.conf.5
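What the router-mode description above looks like in raw tinc file form for a two-site mesh (the pfSense package writes these files from its GUI fields, including the "extra parameters"). This is an added example, not from the tutorial or the comments; the node names Pf1/Pf2 and port 1515 come from the thread, the IP addresses and subnets are constructed.

```ini
# /usr/local/etc/tinc/tinc.conf on Pf1 (assumed path; constructed example)
Name = Pf1
Mode = router        # default: only the Subnet lines declared in host files are routed
ConnectTo = Pf2      # Pf1 dials Pf2; Pf2 needs no ConnectTo if Pf1 always initiates
Port = 1515          # tinc uses TCP for the control channel and UDP on the same port for data

# hosts/Pf1 - copied to every peer; in router mode these Subnet lines form the routing table
Address = 198.51.100.10   # Pf1 WAN address (constructed)
Port = 1515
Subnet = 10.10.1.0/24     # LAN behind Pf1; traffic for anything else is dropped, not forwarded
# (the RSA public key that tincd generates for Pf1 is appended below this line)

# hosts/Pf2
Address = 203.0.113.20    # Pf2 WAN address (constructed)
Port = 1515
Subnet = 10.10.2.0/24     # LAN behind Pf2
# (Pf2's RSA public key follows)
```

In Mode = switch the Subnet lines are ignored and forwarding is by learned MAC address, so every site sees the others' broadcast traffic; router mode keeps each site limited to the prefixes it has explicitly declared, which is the safer default for a few remote offices.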
-
Hi,
I'm testing tinc and the throughput but I believe it should be faster.
Mode=switch
Cipher=aes-128-cbc / none
digest=sha1
On one side I have a pfSense as a Hyper-V VM, i5-3570K - 2 cores assigned.
On the other side I also have a pfSense with Celeron N3050 processor (nanobsd).
Both processors are supporting AES-NI and as I know I'm using a compatible cipher and tinc automatically selecting GCM if you set CBC.
With the cipher set the throughput is around 5Mb/s. Without the cipher it is around 7Mb/s. The connection should handle around 25 MB/s.
It seems to me that setting the cipher is not creating higher load on the CPU. The process on the i5 side is using 22% and on the Celeron side 35-40%.
There are no errors in tinc log.
Thanks!
-
I've followed this and seem to have a connection. Can anyone explain where the ports are opened from and to? I've tried to the lan 192.168.1.1
-
@bigbov
Did you find any solution?
I am facing the same issue. I have connection but not being able to ping. I want to know also how the port 1515 needs to be opened.
-
@dsncanada Yes, I added a NAT port forward rule to the LAN IP 192.168.1.1 and 192.168.11.1 at my 2nd site.
Seems to work perfectly. The tinc/pfSense package would benefit from being able to set the debug. I fiddled about in pfSense to do this for local logging but not for external syslog; my changes wouldn't stay as I don't know enough of how pfSense works.
-
Is there someone who is able to configure Tinc on pfSense??
I'm looking for help about the configuration
-
@Mamukata If you follow the tutorial above. The little bit it doesn't explain is the opening of port 1515 at both sites, but you should be able to add the rules discussed in the comments. I've used it for a year with no problems.