How To: Tinc Mesh VPN Configuration



  • Hello,

    Here is a sample configuration for establishing a tinc VPN between two pfSense boxes.

    **** We assume Pf1 connects to Pf2 ****

    Wan: 10.1.2.1/24                                 Wan: 10.1.3.1/24

    ###################                              ###################
    #                 #                              #                 #
    #  Pf1            #  ==========================> #  Pf2 (server)   #
    #                 #                              #                 #
    ###################                              ###################

    Lan: 192.168.9.1/24                              Lan: 192.168.120.1/24

    Install tinc from System => Packages => tinc on both servers.

    On Pf1:

    • Open tinc Tab from VPN => tinc

    • Pick a unique name for the tinc daemon (Pf1)

    • in "Local IP" put 192.168.9.1

    • in "Local Subnet" put "192.168.9.0/24"

    • Address Family "ipv4"

    • Check "Generate RSA key pair"
              - in "Extra Parameters" under Advanced put these lines:
                    -----------------------------------------------------
                    Mode=switch      # check the tinc-vpn documentation
                    port=1515        # server port that Pf1 connects to on Pf2
                    Cipher=blowfish  # optional
                    digest=sha1      # optional
                    -----------------------------------------------------

    • click "save"

    • Open "Host Up Script" from Advanced Features and paste these routes:
        ----------------------------------------------------
            route add -host 192.168.120.1 -interface $INTERFACE
            route add -net 192.168.120.0/24 192.168.120.1
        ----------------------------------------------------

    • click "save"

    Now we add the host:

    • click on hosts => add new
    • In "Name" you must put the exact name of the server that you want to connect to. It's "Pf2" here.
    • Put your tinc VPN server's public IP address in the "Address" box: "10.1.3.1"
    • In "Subnet" add the address range that you want to reach: "192.168.120.0/24"
    • Check "Connect at Start-up"
    • Copy the generated "RSA public key" from the "Pf2" tinc VPN and paste it in the RSA public key box
        with -----BEGIN RSA PUBLIC KEY-----
              -----END RSA PUBLIC KEY-----
    • In "Extra Parameters" under Advanced put these lines:

    Mode=switch      # check the tinc-vpn documentation
    port=1515        # server port that Pf1 connects to on Pf2
    Cipher=blowfish  # optional
    digest=sha1      # optional

    Click "save"

    On Pf2:

    • Open the tinc tab from VPN => tinc
    • Pick a unique name for the tinc daemon (Pf2)
    • in "Local IP" put 192.168.120.1
    • in "Local Subnet" put "192.168.120.0/24"
    • Address Family "ipv4"
    • Check "Generate RSA key pair"
    • in "Advanced Features" click on "Advanced" and paste these lines:

    Mode=switch
    port=1515            # tinc server port
    Cipher=blowfish      # optional
    digest=sha1          # optional

    • in "Host Up Script" put the other side's routes:

    route add -host 192.168.9.1 -interface $INTERFACE
    route add -net 192.168.9.0/24 192.168.9.1

    • click "save"

    Now we add the host on Pf2:

    • click on hosts => add new
    • In "Name" you must put the exact name of the other side. It's "Pf1" here.
    • Put the other side's tinc VPN public IP address in the "Address" box: "10.1.2.1"
    • In "Subnet" add the address range that you want to reach: "192.168.9.0/24"
    • Leave "Connect at Startup" unchecked
    • Copy the generated "RSA public key" from the "Pf1" tinc VPN and paste it in the RSA public key box
        with -----BEGIN RSA PUBLIC KEY-----
                -----END RSA PUBLIC KEY-----
    • Click "save"

    And done.

    Don't forget to open the port (TCP 1515) on both sides.

    If you want to use the Pf2 address as the gateway of Pf1, go to Interfaces and assign tap0 (whatever its name is). When the interface is assigned, set a proper IP address (here 192.168.120.10/24) with the gateway (192.168.120.1).

    Good luck
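
    The procedure above, together with the "which port, which protocol" question that comes up later in the thread, as an added example that is not from the original post or from the pfSense tinc package: a POSIX shell script that writes the tinc 1.0 files the GUI fields correspond to (tinc.conf, hosts/<self>, hosts/<peer>, host-up) for both nodes, cross-checks the two sides for the mismatches that typically give a link which comes up but passes no traffic (peer host file not named exactly like the peer, disagreeing Subnet or Port, nobody set to ConnectTo), and prints the pf rule each WAN needs. The scratch directory, the assumption that the far-side LAN gateway is the .1 address of the peer subnet, the interface name em0 and the helper names write_node, check_pair, conf_val and pf_rules are this example's own assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example, not code from the original post or from the pfSense tinc package.
# write_node produces, for one node, the tinc 1.0 files the GUI fields above map to
# (tinc.conf, hosts/<self>, hosts/<peer>, host-up); check_pair then cross-checks two
# node trees for the mismatches behind "connected but cannot ping"; pf_rules prints
# the WAN firewall rule each side needs.
# Assumptions: the directory layout under $TINC_ROOT is a scratch layout for this
# example, not the package's real paths, and the far-side LAN gateway is taken to be
# the .1 address of the peer subnet (as in the thread's example).
set -eu

TINC_ROOT=${TINC_ROOT:-$(mktemp -d)}

# conf_val KEY FILE: value of "KEY = value" in a tinc config file, empty if absent.
conf_val() { [ -f "$2" ] && sed -n "s/^$1 *= *//p" "$2" || true; }

# write_node NAME LOCAL_SUBNET PEER PEER_ADDR PEER_SUBNET MODE PORT CONNECT
# CONNECT=yes adds "ConnectTo = PEER", which is what "Connect at Start-up" sets.
write_node() {
    name=$1; lsubnet=$2; peer=$3; paddr=$4; psubnet=$5; mode=$6; port=$7; connect=$8
    dir=$TINC_ROOT/$name
    mkdir -p "$dir/hosts"
    {
        echo "Name = $name"
        if [ "$connect" = yes ]; then echo "ConnectTo = $peer"; fi
        echo "Mode = $mode"          # router (default) routes by Subnet lines; switch learns MACs
        echo "Port = $port"          # tinc listens here on TCP (metadata) and UDP (tunnel data)
        echo "AddressFamily = ipv4"
    } > "$dir/tinc.conf"
    # Our own host file: the peer gets a copy of this, public key included.
    {
        echo "Subnet = $lsubnet"
        echo "Port = $port"
        echo "# RSA public key generated for $name goes below this line"
    } > "$dir/hosts/$name"
    # The peer's host file: the file name must be the peer's exact Name.
    {
        echo "Address = $paddr"
        echo "Port = $port"
        echo "Subnet = $psubnet"
        echo "# RSA public key generated on $peer goes below this line"
    } > "$dir/hosts/$peer"
    # host-up runs when a peer connects; tinc exports $NODE and $INTERFACE to it.
    peer_ip=$(echo "$psubnet" | sed 's#\.0/[0-9]*$#.1#')   # assumed far-side LAN gateway
    cat > "$dir/host-up" <<EOF
#!/bin/sh
# FreeBSD route syntax, as on pfSense
route add -host $peer_ip -interface \$INTERFACE
route add -net $psubnet $peer_ip
EOF
    chmod 0755 "$dir/host-up"
}

# check_pair A B: 0 when the two trees agree, 1 (with reasons printed) otherwise.
check_pair() {
    a=$1; b=$2; ok=0
    for side in "$a:$b" "$b:$a"; do
        me=${side%%:*}; other=${side##*:}; d=$TINC_ROOT/$me
        # The peer's host file must exist under the peer's exact (case-sensitive) Name.
        [ -f "$d/hosts/$other" ] || { echo "$me: hosts/$other missing (peer name mismatch?)"; ok=1; }
        ct=$(conf_val ConnectTo "$d/tinc.conf")
        [ -z "$ct" ] || [ -f "$d/hosts/$ct" ] || { echo "$me: ConnectTo = $ct has no host file"; ok=1; }
        # What I believe the peer's Subnet is must equal what the peer advertises.
        want=$(conf_val Subnet "$TINC_ROOT/$other/hosts/$other")
        have=$(conf_val Subnet "$d/hosts/$other")
        [ "$want" = "$have" ] || { echo "$me: hosts/$other Subnet '$have' != '$want'"; ok=1; }
        # Port in my copy of the peer's host file must match the peer's own Port.
        pw=$(conf_val Port "$TINC_ROOT/$other/tinc.conf"); ph=$(conf_val Port "$d/hosts/$other")
        [ "$pw" = "$ph" ] || { echo "$me: hosts/$other Port '$ph' != '$pw'"; ok=1; }
    done
    # Somebody has to initiate: at least one side needs ConnectTo.
    if ! grep -q '^ConnectTo' "$TINC_ROOT/$a/tinc.conf" "$TINC_ROOT/$b/tinc.conf"; then
        echo "neither $a nor $b has ConnectTo; no connection will be attempted"; ok=1
    fi
    return $ok
}

# pf_rules WAN_IF PEER_ADDR PORT: pass rule for the WAN side. tinc's metadata
# connection is TCP and its tunnelled data is UDP on the same port, so open both.
pf_rules() {
    printf 'pass in quick on %s proto { tcp, udp } from %s to (%s) port %s\n' "$1" "$2" "$1" "$3"
}

# The thread's topology: Pf1 (192.168.9.0/24) initiates to Pf2 (192.168.120.0/24).
write_node Pf1 192.168.9.0/24   Pf2 10.1.3.1 192.168.120.0/24 switch 1515 yes
write_node Pf2 192.168.120.0/24 Pf1 10.1.2.1 192.168.9.0/24   switch 1515 no
check_pair Pf1 Pf2 && echo "Pf1/Pf2 trees under $TINC_ROOT are consistent"
pf_rules em0 10.1.3.1 1515      # on Pf1; on Pf2 use its WAN interface and 10.1.2.1
```

    Run it as-is to get both trees in a temporary directory and compare them with what the package generated. The Mode argument can be router (tinc's default, where the Subnet lines alone do the routing) instead of switch; the check_pair logic is the same either way. The pf rule opens both TCP and UDP because tinc negotiates over TCP and then carries the tunnel in UDP on the same port, so a TCP-only rule gives exactly the "connected but cannot ping" symptom reported below.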



  • How did this work out? I've had trouble getting this to work.

    I noticed that on "Now we add host on Pf2:"

    you did not add the "extra parameters" for the Pf2 host setup.

    Also, did you have to open port 1515 on both sides? What transport protocol?

    Thanks



  • I noticed that on "Now we add host on Pf2:"

    you did not add the "extra parameters" for the Pf2 host setup.

    In this example we try to connect from Pf1 to Pf2.
    The "extra parameters" on "Hosts" (Pf1) define the tinc server configuration (Pf2) that we want to connect to.

    Also, did you have to open port 1515 on both sides? What transport protocol?

    Yes, you must open the port on both sides (TCP 1515).

    Also, you can find more details at http://www.tinc-vpn.org/documentation/Example-configuration.html#Example-configuration



  • Thanks.

    Re: "mode=switch" under "extra parameters"

    Why did you choose "switch", and are there other modes that would be appropriate for setting up a VPN mesh for a few remote offices?



  • There are 3 different types of Mode you can use. The default mode is router.

    Mode = router | switch | hub (router)
        This option selects the way packets are routed to other daemons.

        router: In this mode Subnet variables in the host configuration files will be used to form a
                routing table. Only unicast packets of routable protocols (IPv4 and IPv6) are supported
                in this mode.

                This is the default mode, and unless you really know you need another mode, don't change it.

        switch: In this mode the MAC addresses of the packets on the VPN will be used to dynamically create
                a routing table just like an Ethernet switch does. Unicast, multicast and broadcast packets
                of every protocol that runs over Ethernet are supported in this mode at the cost of frequent
                broadcast ARP requests and routing table updates.

                This mode is primarily useful if you want to bridge Ethernet segments.

        hub:    This mode is almost the same as the switch mode, but instead every packet will be broadcast
                to the other daemons while no routing table is managed.

    http://www.tinc-vpn.org/documentation/tinc.conf.5



  • Hi,

    I'm testing tinc and the throughput, but I believe it should be faster.

    Mode=switch
    Cipher=aes-128-cbc / none
    digest=sha1

    On one side I have a pfSense as a Hyper-V VM, i5-3570K, 2 cores assigned.
    On the other side I also have a pfSense with a Celeron N3050 processor (nanobsd).

    Both processors support AES-NI and, as far as I know, I'm using a compatible cipher, and tinc automatically selects GCM if you set CBC.

    With the cipher set the throughput is around 5Mb/s. Without the cipher it is around 7Mb/s. The connection should handle around 25 MB/s.

    It seems to me that setting the cipher is not creating a higher load on the CPU. The process on the i5 side is using 22% and on the Celeron side 35-40%.

    There are no errors in tinc log.

    Thanks!



  • I've followed this and seem to have a connection. Can anyone explain where the ports are opened from and to? I've tried to the LAN 192.168.1.1



  • @bigbov
    Did you find any solution?
    I am facing the same issue. I have a connection but am not able to ping. I also want to know how port 1515 needs to be opened.



  • @dsncanada Yes, I added a NAT port forward rule to the LAN IP 192.168.1.1 and 192.168.11.1 at my 2nd site.
    Seems to work perfectly. The tinc/pfSense package would benefit from being able to set the debug level. I fiddled about in pfSense to do this for local logging but not for external syslog; my changes wouldn't stay, as I don't know enough about how pfSense works.



  • Is there anyone who has been able to configure Tinc on pfSense?
    I'm looking for help with the configuration.



  • @Mamukata If you follow the tutorial above. The little bit it doesn't explain is the opening of port 1515 at both sites, but you should be able to add the rules discussed in the comments. I've used it for a year with no problems.

