Tinc basic setup



  • Hi,

    I'm using the new Tinc package (1.0.21 v1.1) that was released in pfSense 2.1.

    I'm having some issues getting it working. My setup is as follows:
    General Router Config
    Routers LAN IP: 192.168.5.254
    Router DHCP Range: 192.168.5.100 - 192.168.5.200

    Tinc Router Config:
    Name: tincrouter
    Local IP: 192.168.5.254
    Local Subnet: 192.168.5.0/24
    VPN Netmask: 255.255.0.0
    Address Family: Any

    Tinc Router Config, for tincclient host:
    Name: tincclient
    Address: Whatever the address of the client is
    Subnet: 192.168.254.0/24

    Tinc Client Config:
    Name: tincclient
    Address Family: ipv4
    ConnectTo: tincrouter
    Interface: tun0
    Device: /dev/net/tun
    OS: Ubuntu 12.04LTS

    Tinc Client Config, for tincrouter host:
    Address: Whatever the router address is
    Subnet: 192.168.254.0/24

    I've also added a firewall rule on the WAN interface for port 655. I can see my connection in the log, but I cannot access any devices on the remote tincrouter via the tincclient. I feel like I'm just missing that final little step :/

    Any thoughts?



  • Do the tun interfaces on both sides get their proper IPs in ifconfig?

    You can send USR1 or USR2 signals to the tincd process and it'll dump connection info into the log.



    I did some more configuring, and in my tinc-up script on tincclient I set the interface's IP to 192.168.5.20.

    I can see that on the tincrouter (pfsense box), the tun interface has ip 192.168.5.254 and on tincclient, the tun interface has ip 192.168.5.20.

    I still can't even ping the tincrouter from tincclient despite both showing an active connection to each other.

    @apnar:

    Do the tun interfaces on both sides get their proper IPs in ifconfig?

    You can send USR1 or USR2 signals to the tincd process and it'll dump connection info into the log.



  • You need to make sure you adjust firewall rules in PF to allow the traffic you want over and above just allowing the initial VPN traffic.



  • Can you go into more detail on this?

    I've added a rule to allow port 655. Is there anything else I need to do?



  • ~~I think you need to point TINC at your LAN interface IP and not your WAN. It should match your Local IP as that is the interface TINC is bound to.

    So port forward 655 from outside to 192.168.5.254.~~

    EDIT: It looks like tinc binds to loopback so it should be available from all interfaces.

    Also, make sure under rules there is a tab called tinc. I don't think that shows up until the service is started. In there you need to add a rule to allow traffic to pass, as there are no default rules on the interface.



  • @bman212121:

    ~~I think you need to point TINC at your LAN interface IP and not your WAN. It should match your Local IP as that is the interface TINC is bound to.

    So port forward 655 from outside to 192.168.5.254.~~

    EDIT: It looks like tinc binds to loopback so it should be available from all interfaces.

    Also, make sure under rules there is a tab called tinc. I don't think that shows up until the service is started. In there you need to add a rule to allow traffic to pass, as there are no default rules on the interface.

    Sorry for late reply but I have already done this. It didn't help :(
    Any more suggestions?



  • Has anyone actually gotten tinc to work?
    I can't find much about tinc anywhere here, but this thread.
    Trying to get tinc up under 2.2-RC, so far no luck.
    Posted some more detail in the 2.2-RC section, just wanted to know if anyone has it actually up and running, and if there's somewhere a 'cookbook'.



  • @rcfa:

    Has anyone actually gotten tinc to work?
    I can't find much about tinc anywhere here, but this thread.
    Trying to get tinc up under 2.2-RC, so far no luck.
    Posted some more detail in the 2.2-RC section, just wanted to know if anyone has it actually up and running, and if there's somewhere a 'cookbook'.

    I never got it working so I gave up.



  • Thanks for the reply.
    Bummer, though; seemed just like what I needed…


  • Have you looked here??

    http://www.tinc-vpn.org/



  • Yup I followed their documentation.



  • @Supermule:

    Have you looked here??

    http://www.tinc-vpn.org/

    The issues are of a different nature. The docs there describe how to set up the config files, etc.
    But these are the things I'd expect the GUI to take care of after I enter the subnets, etc. into the relevant fields.
    But neither does the key generation happen as expected, nor does the link ever come up, nor does tincd run.

    I'd figure whoever wrote the module would have gotten it to run or not have published it. So a working sample config would be useful, as would be the knowledge of whether things are known to work or fail under 2.2-R


  • What are you running on the receiving end of your tinc side??

    Try changing the tincclient IP (physical machine) to 10.1.1.20 for testing purposes.

    And change the subnets to /24 for starters.



  • I have two pfSense units.

    Box A: has e.g. a public WAN DHCP IP given by the ISP of 1.2.3.4, and has a LAN IP subnet of 123.45.67.0/24 and a LAN IP of 123.45.67.254 which are public IPs which the ISP won't route.

    Box B: has a single fixed IP of e.g. 5.6.7.8 which also is the routing gateway for 123.45.67.0/24. This box only has one active NIC, the WAN with the 5.6.7.8 IP address.

    What I want to do, is to route all traffic from the internet that arrives for 123.45.67.0/24 at 5.6.7.8 through tinc to 1.2.3.4 where it's dumped onto the 123.45.67.0/24 LAN

    While I might have assigned sub-optimal or even wrong netmasks, etc., I'm fairly certain that I know the proper local and remote IP, and that I got the public/private key stuff right (despite the fact that I had to generate it at the CLI and then paste it into the files, because the generate key pair check mark didn't do anything when selected and hitting the save button).

    So even with no traffic flowing, I'd have expected at least tincd to come up, but no such luck. Since I'm running 2.2-RC, I don't know if the issue is with 2.2-RC, with tinc, or the combination of these, or if I just got things so wrong that it refused to even generate keys and start up the daemon.


  • Yes, but if you give the VPN the same internal IP as your own, then routing won't work afaik.

    That's why I wanted you to give your local subnet a different IP range. Then we can exclude the routing range.
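To make the routing point in the last few posts concrete, here is an added example (written for this thread; it is not tinc's code and not from any poster) that models how a tinc node in router mode chooses a peer for a packet: it does a longest-prefix match of the destination address against the Subnets each node announces in its host file. The model is a simplification and is an assumption of this example; the node names and Subnets are the ones posted at the top of the thread, the client tun address 192.168.5.20 is the one the original poster used, and 192.168.254.20 is a constructed alternative that falls inside the Subnet the tincclient host file announces.

```python
import ipaddress

# Subnets as declared in the host files posted in this thread.
SUBNETS_AS_POSTED = {
    "tincrouter": ["192.168.5.0/24"],
    "tincclient": ["192.168.254.0/24"],
}


def owner_of(subnets, dst_ip):
    """Return the node whose announced Subnet is the longest match for dst_ip.

    Simplified model of tinc's router-mode lookup (an assumption of this
    example): the most specific announced Subnet containing the address wins;
    None means no node announced a matching Subnet.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_node, best_net = None, None
    for node, nets in subnets.items():
        for cidr in nets:
            net = ipaddress.ip_network(cidr)
            if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_node, best_net = node, net
    return best_node


def trace_ping(subnets, src_node, src_ip, dst_ip):
    """Model an echo request sent by src_node and the echo reply to it.

    Returns (request_goes_to, reply_goes_to). The reply only gets back to
    src_node if src_ip lies inside a Subnet that src_node itself announced.
    """
    request_to = owner_of(subnets, dst_ip)
    reply_to = owner_of(subnets, src_ip)
    return request_to, reply_to


def reply_reaches_sender(subnets, src_node, src_ip, dst_ip):
    """True when the modelled reply is delivered to the node that sent the ping."""
    _, reply_to = trace_ping(subnets, src_node, src_ip, dst_ip)
    return reply_to == src_node


if __name__ == "__main__":
    # The thread's situation: the client tun address 192.168.5.20 sits inside the
    # Subnet that tincrouter announces, so the reply resolves to the router itself.
    print(trace_ping(SUBNETS_AS_POSTED, "tincclient", "192.168.5.20", "192.168.5.254"))
    # -> ('tincrouter', 'tincrouter')

    # Constructed alternative: a client tun address inside tincclient's own Subnet.
    print(trace_ping(SUBNETS_AS_POSTED, "tincclient", "192.168.254.20", "192.168.5.254"))
    # -> ('tincrouter', 'tincclient')
```

Under this model the ping request from the client does reach tincrouter, which matches the "active connection" both sides show, but the reply to 192.168.5.20 is looked up in the router's own Subnet and never forwarded back over the tunnel; giving the client tun an address inside the Subnet its host file announces (or, as suggested above, a separate range such as 10.1.1.0/24 declared for the client) removes that overlap.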

