HOWTO 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175
  1. ==============
  2. The TINC HOWTO
  3. ==============
  4. Wessel Dankers
  5. wsl@nl.linux.org
  6. Introduction
  7. ------------
  8. Tinc is a system to create a virtual ethernet network on top of an existing
  9. infrastructure. This infrastructure can be anything from modem lines to
  10. gigabit ethernet networks, as long as they talk IP. Once you install and
  11. configure tinc, your host will get an extra IP address, just like it would
  12. when you stick an extra ethernet card into it. Using this IP address, it can
  13. communicate with all hosts in its virtual network using strong encryption.
  14. If you install Tinc on a router (and pick your numbers correctly) you can
  15. have the router forward all packets. This way you can---instead of
  16. connecting hosts---connect entire sites together! Now you need only one
  17. outgoing network connection for both internet and intranet.
  18. Architecture
  19. ------------
  20. When a few Tinc daemons are running they will try to seek contact with
  21. eachother. A daemon is all the time connected to a few other daemons,
  22. but if traffic is required with a daemon it doesn't know yet, it will
  23. instantly contact it and exchange keys. These so-called meta-connections
  24. are made over TCP, using encryption of course.
  25. When actual traffic has to be sent, a daemon checks his connection list to
  26. see if the addressee is known (and makes contact with it if neccessary).
  27. All packets are then sent using UDP to the other host, just like in a real
  28. network. If a packet gets lost, the connection layer of Linux will resend
  29. the packet, just like it would over a normal network.
  30. Once in a while the daemons will renegotiate keys so that even if a cracker
  31. breaks one, it'll be of limited use.
  32. Getting Tinc
  33. ------------
  34. Before you fetch the latest tarball, you might want to check if there's a
  35. package for your Linux distribution. One of the main authors is a Debian
  36. Developer, so you can expect the Debian packages to be very up to date.
  37. The official website for Tinc can be found at http://tinc.nl.linux.org/.
  38. There you can find Debian packages, RPM's and of course... the tarball!
  39. Since we run Doohickey Linux Pro 1.0, for which no package exists (or
  40. indeed the distribution itself) we shall compile the package ourselves.
  41. Building
  42. --------
  43. The Tinc source adheres to so many standards it makes you head spin.
  44. Even the debug messages have been localized! Amazing. Tinc also comes
  45. with a configuration script. If you like to see what is there to
  46. configure run ./configure --help | more. If you don't have time for such
  47. nonsense:
  48. ./configure --sysconfdir=/etc
  49. This will see if your system is nice enough to run tinc on, and will
  50. create some Makefiles and other stuff which will together build tinc.
  51. make
  52. make install
  53. The first will do the actual build, the second copies all files into place.
  54. The kernel
  55. ----------
  56. Next you will have to configure the kernel to support the tap device.
  57. It is important that you run a recent kernel, but anything after 2.2.16
  58. will do. You have to enable both the netlink device AND the ethertap
  59. device (in that order). Enable them as modules!
  60. Compile, install =) You don't even have to reboot.
  61. Picking your numbers
  62. --------------------
  63. The first thing we should do is pick network numbers. Tinc has a very
  64. peculiar taste for network numbers, which is caused by the way it routes
  65. traffic. However, it turns out to be really handy if you want to use
  66. your tinc host as a router for a site.
  67. The numbers have to be in a range that is not yet in use in your existing,
  68. real network! In this example we will use numbers from the 192.168.0/16
  69. range. This is standard CIDR notation for all IP addresses from 192.168.0.0
  70. to 192.168.255.255. The /16 means that the first 16 bits form the network
  71. part.
  72. It is common practice for Tinc networks to use private (RFC 1918) addresses.
  73. This is not necessary, but it would be a waste to use official addresses
  74. for a private network!
  75. In the example we will connect three machines: f00f, fdiv and hlt. We will
  76. give each an address, but not just that, also a slice of our address space
  77. to play with.
  78. Host Real address Tinc network
  79. ---------------------------------------------------
  80. f00f 126.202.37.20 192.168.1.1/24
  81. fdiv 126.202.37.81 192.168.2.1/24
  82. hlt 103.22.1.218 192.168.3.1/24
  83. It is very important that none of the Tinc netmasks overlap! Note how the
  84. 192.168.0/16 network covers the entire address space of the three hosts.
  85. We will refer to the 192.168.0/16 network as the `umbrella' from now on.
  86. As you can see we can fit 256 hosts into this umbrella this way, which is
  87. also the practical maximum for tinc. Let's name our VPN 'fubar'.
  88. The configuration file
  89. ----------------------
  90. Let's create a configuration file for f00f. We have to put it in
  91. /etc/tinc/fubar because that's how we named our VPN.
  92. MyOwnVPNIP = 192.168.1.1/24
  93. VpnMask = 255.255.0.0
  94. ConnectTo = 126.202.37.81
  95. ConnectTo = 103.22.1.218
  96. TapDevice = /dev/tap0
  97. The first two lines tell Tinc about the numbers we have chosen above.
  98. Using the ConnectTo lines, the daemon will seek contact with the rest of
  99. the umbrella. It's possible to configure any number of ConnectTo lines,
  100. you can even omit them so that it just sits and waits until someone else
  101. contacts it. Until someone does, the poor daemon won't be able to send
  102. any data because it doesn't know where everybody is.
  103. The TapDevice is where the tinc daemon will interface with the kernel.
  104. The passphrases
  105. ---------------
  106. We will have to generate keys for ourselves, and get a key from everybody
  107. we want to ConnectTo. All of these go into a directory named
  108. /etc/tinc/fubar/passphrases. PROTECT THIS DIRECTORY!
  109. mkdir -m 700 /etc/tinc/fubar/passphrases
  110. To generate our own key:
  111. genauth 1024 >/etc/tinc/fubar/passphrases/local
  112. You should then proceed to give this key to anyone who wants to ConnectTo
  113. you. DO THIS IN A SECURE MANNER! Anyone who has this number can do icky
  114. things to the umbrella network! Encrypt it using PGP, GPG or another
  115. program using asymmetric keys. Read it over the phone (without anyone
  116. listening of course). Send it by snailmail. Write the key down and bring
  117. it to your partners personally!
  118. If you get any keys from your partners, store them under their network
  119. number. For example, the key we get from fdiv's network administrator
  120. will be stored in /etc/tinc/fubar/passphrases/192.168.2.0 (note the 0).
  121. Running the daemon
  122. ------------------
  123. If you use a package manager to install Tinc, the startup scripts use a file
  124. called /etc/tinc/nets.boot to see which umbrella's exist. It has a line
  125. per VPN, and lines starting with a # are ignored. Ours will contain:
  126. # Example VPN from the HOWTO
  127. fubar
  128. In Debian, /etc/init.d/tinc start will start the daemons.
  129. If you use Doohickey Linux just like we do, you'll have to edit the systems
  130. startup scripts by hand. It should contain something along the lines of:
  131. insmod ethertap -s --name=tap0 unit=0
  132. ifconfig tap0 hw ether fe:fd:c0:a8:01:01
  133. ifconfig tap0 192.168.1.1 netmask 255.255.0.0 broadcast 192.168.255.255 -arp
  134. There are two things to note here! First, the MAC address of the ethertap
  135. device is very important. It must start with fe:fd, and end in the
  136. hexadecimal representation of the VPN IP number.
  137. Second, the netmask of the tap device is set to that of the umbrella!
  138. --
  139. $Id: HOWTO,v 1.2.2.3 2000/07/01 07:29:32 wsl Exp $