Help me to configure Tinc VPN on pfSense



    Hi,
    help me to configure pfSense correctly so that I can bring up the tinc VPN; this is my hardware configuration.
    I need to create a layer 2 VPN that can transport unicast and multicast traffic. I want to connect my Sky Q box on the pf1 side with my Sky mini on the pf2 side.
    All pfSense instances run as virtual machines, the first on MS Hyper-V and the second on a QNAP VM.

    Wan:(hn0)192.168.1.50                 Wan:(vtnet0)192.168.0.15

    ###########                           #############
    #         #                           #           #
    #   Pf1   #  ======================>  #    Pf2    #  (server)
    #         #                           #           #
    ###########                           #############

    Lan:(hn1)192.168.30.30                Lan:(vtnet1)192.168.30.200

    I'm looking on the web but there are very few posts about it, and most of them are for the Linux shell; the only one about tinc and pfSense, and the most interesting, is this:

    https://forum.netgate.com/topic/81221/how-to-tinc-mesh-vpn-configuration

    Unfortunately for me, this post is not so clear; my only result so far is that I can bring up the tinc service, but there is no ping between the 2 LAN interfaces.
    In my case the gateway of Pf1 must be Pf2.
    I have configured my pfSense for tinc as follows:

    On Pf1:

    • Open the tinc tab from VPN => tinc
    • Pick a unique name for the tinc daemon (Pf1)
    • in "Local IP" put 192.168.30.30
    • in "Local Subnet" put "192.168.30.0/24"
    • Address Family "ipv4"
    • Check "Generate RSA key pair"
    • in "Extra Parameters" from Advanced put these lines:

      Mode=switch # check tinc-vpn documents
      port=1515 # server port on Pf2 that Pf1 connects to

    • click "save"
    • Open "Host Up Script" from Advanced Features and paste some routes:

      route add -host 192.168.30.200 -interface $INTERFACE
      route add -net 192.168.30.0/24 192.168.30.200

    • click "save"

    Now we add a host:
    • click on hosts => add new
    • In "Name" you must put the exact name of the server that you want to connect to; it's "Pf2" for now.
    • put your tinc-vpn server public IP address in the "address" box: "192.168.0.50"
    • in subnet you should add the address range that you want to reach: "192.168.30.0/24"
    • check "Connect at Start-up"
    • copy the generated "RSA public key" from the "Pf2" tinc-vpn and paste it in the RSA public key box,
      with -----BEGIN RSA PUBLIC KEY----- and -----END RSA PUBLIC KEY-----
    • in "Extra Parameters" from Advanced put these lines:

      Mode=switch # check tinc-vpn documents
      port=1515 # server port on Pf2 that Pf1 connects to

    • click "save"

    On Pf2:
    • Open the tinc tab from VPN => tinc
    • Pick a unique name for the tinc daemon (Pf2)
    • in "Local IP" put 192.168.30.200
    • in "Local Subnet" put "192.168.30.0/24"
    • Address Family "ipv4"
    • Check "Generate RSA key pair"
    • in "Advanced Features" click on "Advanced" and paste these lines:

      Mode=switch
      port=1515 # tinc server port

    • in "Host Up Script" put the other side's routes:

      route add -host 192.168.30.30 -interface $INTERFACE
      route add -net 192.168.30.0/24 192.168.30.30

    • click "save"

    Now we add a host on Pf2:
    • click on hosts => add new
    • In "Name" you must put the exact name of the other side; it's "Pf1" for now.
    • put the other side's tinc-vpn public IP address in the "address" box: "192.168.1.50"
    • in subnet you should add the address range that you want to reach: "192.168.30.0/24"
    • leave "Connect at Startup" unchecked
    • copy the generated "RSA public key" from the "Pf1" tinc-vpn and paste it in the RSA public key box,
      with -----BEGIN RSA PUBLIC KEY----- and -----END RSA PUBLIC KEY-----
    • click "save"

    And done.

    Don't forget to open the port (TCP 1515) on both sides.

    With this configuration I'm not able to ping the other LAN address... What am I doing wrong or missing in my configuration?
    I also have another question: does tinc need a bridge interface like OpenVPN to work? Do I need to set up some rules in the WAN area and in the pkg_tinc scope?

    Thanks to all for the help
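A consistency check for the two-node setup described in this post, added here as an example that is not from the thread or from the pfSense tinc package. It parses tinc's own "Key = Value" syntax for tinc.conf and hosts/<Name> files and reports the mismatches that leave the daemon running but the peers unable to connect or authenticate (different Mode, dial port not matching the listening port, missing Address or RSA key block). The sample files are constructed from the names, addresses and port in the post; the key block is a placeholder.

```python
# Constructed sample mirroring the post: Pf1 dials Pf2 on TCP 1515, both nodes in switch mode.
# The RSA block is a placeholder, not a real key; Pf2's host file is missing it on purpose.
PF1_CONF = "Name = Pf1\nMode = switch\nPort = 1515\nConnectTo = Pf2\n"
PF2_CONF = "Name = Pf2\nMode = switch\nPort = 1515\n"
HOST_FILES = {
    "Pf1": "Address = 192.168.1.50\nSubnet = 192.168.30.0/24\n"
           "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER==\n-----END RSA PUBLIC KEY-----\n",
    "Pf2": "Address = 192.168.0.15\nSubnet = 192.168.30.0/24\nPort = 1515\n",
}

def parse(text):
    """tinc 'Key = Value' lines, keys case-insensitive, '#' comment; 'haskey' marks a PEM block."""
    conf, in_pem = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("-----BEGIN", "-----END")):
            in_pem, conf["haskey"] = line.startswith("-----BEGIN"), [True]
            continue
        line = line.split("#", 1)[0].strip()
        if in_pem or not line:
            continue
        key, _, val = line.partition("=")
        conf.setdefault(key.strip().lower(), []).append(val.strip())
    return conf

def check(confs, hosts):
    """List mismatches between each node's tinc.conf and the hosts/ files."""
    nodes = {n: parse(t) for n, t in confs.items()}
    hfiles = {n: parse(t) for n, t in hosts.items()}
    problems = []
    modes = {n: c.get("mode", ["router"])[0].lower() for n, c in nodes.items()}
    if len(set(modes.values())) > 1:
        problems.append(f"Mode differs between nodes: {modes}")
    for name, c in nodes.items():
        for peer in c.get("connectto", []):
            h = hfiles.get(peer)
            if h is None or "address" not in h:
                problems.append(f"{name}: ConnectTo {peer} needs hosts/{peer} with an Address")
                continue
            dial = h.get("port", ["655"])[0]                      # port in the peer's host file
            listen = nodes.get(peer, {}).get("port", ["655"])[0]  # port the peer listens on
            if dial != listen:
                problems.append(f"{name}: dials {peer} on {dial} but it listens on {listen}")
    for name, h in hfiles.items():
        if not h.get("haskey"):
            problems.append(f"hosts/{name}: no RSA public key block, peer cannot authenticate")
    return problems

if __name__ == "__main__":
    print(check({"Pf1": PF1_CONF, "Pf2": PF2_CONF}, HOST_FILES))
```

Point the two dicts at the real files under the tinc configuration directory of each firewall to run it against an actual deployment.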

