Ubuntu Install Tinc and Set Up a Basic VPN


How do I install Tinc and Set Up a Basic VPN on Ubuntu Linux 18.04/20.04 LTS server?

Tinc is a free and open-source daemon for creating a virtual private network (VPN). A single Linux/Unix daemon can handle multiple connections, so one instance is enough to build an entire VPN. Tinc uses LibreSSL or OpenSSL to encrypt and protect the traffic. Further, automatic full mesh routing ensures that traffic is sent directly to the destination without going through intermediate hops. NAT traversal makes tinc on Ubuntu firewall-friendly as long as one node in the VPN allows incoming connections on a public/dynamic IP address. This page explains how to set up a Tinc mesh VPN on an Ubuntu 18.04 or 20.04 LTS server.

How To install Tinc and Set Up a Basic VPN on Ubuntu

Our sample set up is as follows:

  1. serverA : Our web server with public IPv4/IPv6 addresses and eth1 holding a private IP address. All apps running on this server will connect to serverB over the tinc-based VPN interface called vpn0 (IP: 172.16.1.1/32). We are going to encrypt all traffic.
  2. serverB : Our database server, also with public IPv4/IPv6 addresses and eth1 holding a private IP address. Our database will listen only on the VPN interface called vpn0 (IP: 172.16.1.2/32) and will drop all traffic arriving on any other interface using ufw.

Ubuntu Install Tinc using apt-get command/apt command

Type the following commands on both serverA and serverB:
sudo apt update
sudo apt upgrade
sudo apt install tinc


Create directories and config files

Type the following mkdir command:
sudo mkdir -vp /etc/tinc/vpn0/hosts/
mkdir: created directory '/etc/tinc/vpn0'
mkdir: created directory '/etc/tinc/vpn0/hosts/'

Update the /etc/hosts file

Edit the /etc/hosts, run:
sudo vi /etc/hosts
Append/edit as follows with actual IP address:

## eth1 ip address
192.168.202.30	node_01
192.168.215.155	node_02
## tinc ip address ##
172.16.1.1 vpn1
172.16.1.2 vpn2

Tinc configuration serverA

Type the following command as root user on serverA only.

Create the config file

Use the nano command/vim command as follows:
sudo vim /etc/tinc/vpn0/tinc.conf
Append the following as per your set up:

Name = node_01
Device = /dev/net/tun
## private ip of eth1 ##
BindToAddress = 192.168.202.30
AddressFamily = ipv4

Make the public and private keys

Execute the following tincd command:
sudo tincd -n vpn0 -K4096

Configure VPN IP addresses

Run the following command to configure tinc VPN IP address and port number:
sudo vi /etc/tinc/vpn0/hosts/node_01
Update it as follows:

Address = 192.168.202.30
Subnet = 172.16.1.1/32
Port = 655

-----BEGIN RSA PUBLIC KEY-----
MIICCg............................................RQkc
.....
...
..
0ugK5dcFFJyO//.................................ws2zc1
-----END RSA PUBLIC KEY-----

Save and close the file.

Make vpn network interface control up and down scripts

Create a tinc-up shell script:
sudo vi /etc/tinc/vpn0/tinc-up
Append the following code:

#!/bin/sh
#
# Must use IP 172.16.1.1, which is set up in /etc/tinc/vpn0/hosts/node_01
#
/sbin/ip link set $INTERFACE up
/sbin/ip addr add  172.16.1.1/32 dev $INTERFACE
/sbin/ip route add 172.16.1.0/24 dev $INTERFACE

Next, create a tinc-down script:
sudo vi /etc/tinc/vpn0/tinc-down
Append the following script content:

#!/bin/sh
#
# See /etc/tinc/vpn0/hosts/node_01 for IP config
#
/sbin/ip route del 172.16.1.0/24 dev $INTERFACE
/sbin/ip addr del 172.16.1.1/32 dev $INTERFACE
/sbin/ip link set $INTERFACE down

See the ip command documents for more information. Set up executable permission using the chmod command:
sudo chmod -v +x /etc/tinc/vpn0/tinc-{up,down}

tincd firewall configuration on Ubuntu Linux serverA

Type the following ufw command to open tcp/udp ports 655 from serverB:
sudo ufw allow from 192.168.215.155 to port 655 proto tcp comment 'Open TCP port 655 for serverA'
sudo ufw allow from 192.168.215.155 to port 655 proto udp comment 'Open UDP port 655 for serverA'

Make sure we allow VPN traffic between the two IP addresses assigned to the vpn0 tunnel:
sudo ufw allow from 172.16.1.2 to 172.16.1.1 comment 'Allow other vpn node to talk serverA fully'

serverB Ubuntu tinc configuration

Type the following command as root user on serverB only.

Step 1 – Create the config file

Execute the following command:
sudo vi /etc/tinc/vpn0/tinc.conf
Append the following as per your set up:

Name = node_02
Device = /dev/net/tun
## Ubuntu server name ##
ConnectTo = node_01
BindToAddress = 192.168.215.155
AddressFamily = ipv4

Step 2 – Create the public and private key

sudo tincd -n vpn0 -K4096
Sample outputs:

Generating 4096 bits keys:
....................++++ p
......................................................................++++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/vpn0/rsa_key.priv]: 
Please enter a file to save public RSA key to [/etc/tinc/vpn0/hosts/node_02]: 

Step 3 – Setup IP addresses for vpn0

Edit the config file:
sudo vi /etc/tinc/vpn0/hosts/node_02
Add the following IP address and port number:

Subnet = 172.16.1.2/32
Port = 655

-----BEGIN RSA PUBLIC KEY-----
MIICC..........................................................0
...
..
....
9z............................................................==
-----END RSA PUBLIC KEY-----

Step 4 – Create network interface control scripts

Create a tinc-up script:
sudo vi /etc/tinc/vpn0/tinc-up
Append the following shell script to set up IP and routing when vpn0 interface comes online:

#!/bin/sh
#
# Must use IP 172.16.1.2, which is set up in /etc/tinc/vpn0/hosts/node_02
#
/sbin/ip link set $INTERFACE up
/sbin/ip addr add  172.16.1.2/32 dev $INTERFACE
/sbin/ip route add 172.16.1.0/24 dev $INTERFACE

Create a tinc-down script:
sudo vi /etc/tinc/vpn0/tinc-down
Append the following shell script content using ip command:

#!/bin/sh
#
# Remove IP and routing. IP must be from /etc/tinc/vpn0/hosts/node_02
#
/sbin/ip route del 172.16.1.0/24 dev $INTERFACE
/sbin/ip addr del 172.16.1.2/32 dev $INTERFACE
/sbin/ip link set $INTERFACE down

Set up executable permission. In other words use the following chmod command:
sudo chmod -v +x /etc/tinc/vpn0/tinc-{up,down}
Sample outputs:

mode of '/etc/tinc/vpn0/tinc-up' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)
mode of '/etc/tinc/vpn0/tinc-down' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)

Step 5 – Update firewall rules

Open TCP/UDP ports using bash for loop:

for p in tcp udp
do
 # double quotes so that $p expands inside the rule comment as well
 sudo ufw allow from 192.168.202.30 to port 655 proto $p comment "Open $p port 655 for serverB"
done

Allow full vpn traffic between two IP address:
sudo ufw allow from 172.16.1.1 to 172.16.1.2 comment 'Allow other vpn node to talk serverB fully'

Copy host files to the other hosts

You must copy /etc/tinc/vpn0/hosts/node_01 to serverB. Use the scp command on serverA:
scp /etc/tinc/vpn0/hosts/node_01 vivek@serverB:/tmp/
ssh -t vivek@serverB sudo mv -v /tmp/node_01 /etc/tinc/vpn0/hosts/

You must copy /etc/tinc/vpn0/hosts/node_02 to serverA. Use the scp command (type command on serverB):
scp /etc/tinc/vpn0/hosts/node_02 vivek@serverA:/tmp/
ssh -t vivek@serverA sudo mv -v /tmp/node_02 /etc/tinc/vpn0/hosts/
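Before starting tinc@vpn0 on either node, it is worth checking that the files created above agree with each other. The following script is an added example, not part of the original tutorial or of tinc itself: it reads a tinc network directory in the layout used above (tinc.conf, hosts/, tinc-up), confirms that the node named in tinc.conf has its own host file, that every host file carries a Subnet and a complete RSA public key block (a truncated key copied from another node is a common failure), and that the address tinc-up assigns matches the local node's Subnet. The sample directory it builds is constructed, with placeholder key bodies, so it runs offline; point tinc_check_dir at /etc/tinc/vpn0 to check a real node.

```shell
#!/bin/sh
# Added example (not from the tutorial or from tinc): sanity-check a tinc
# network directory laid out like /etc/tinc/vpn0 above before starting it.
# Checks:
#   - tinc.conf has a Name and hosts/<Name> exists (our own host file)
#   - every host file carries a Subnet and a complete RSA public key block
#   - the address tinc-up assigns equals our own Subnet, so peers route
#     172.16.1.x traffic to an address we actually answer on

# conf_value FILE KEY -> prints the value of "KEY = value" (whitespace trimmed)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d '[:space:]'
}

# tinc_check_dir NETDIR -> prints each problem found, returns 0 only if none
tinc_check_dir() {
    netdir=$1
    problems=0
    name=$(conf_value "$netdir/tinc.conf" Name)
    if [ -z "$name" ]; then
        echo "tinc.conf: no Name directive"; problems=$((problems + 1))
    elif [ ! -f "$netdir/hosts/$name" ]; then
        echo "hosts/$name: missing, but tinc.conf says Name = $name"; problems=$((problems + 1))
    fi
    for hf in "$netdir"/hosts/*; do
        [ -f "$hf" ] || continue
        h=$(basename "$hf")
        if [ -z "$(conf_value "$hf" Subnet)" ]; then
            echo "hosts/$h: no Subnet directive"; problems=$((problems + 1))
        fi
        if ! grep -q '^-----BEGIN RSA PUBLIC KEY-----$' "$hf" || \
           ! grep -q '^-----END RSA PUBLIC KEY-----$' "$hf"; then
            echo "hosts/$h: RSA public key block missing or truncated"; problems=$((problems + 1))
        fi
    done
    if [ -n "$name" ] && [ -f "$netdir/hosts/$name" ] && [ -f "$netdir/tinc-up" ]; then
        want=$(conf_value "$netdir/hosts/$name" Subnet)
        have=$(sed -n 's/.*ip addr add[[:space:]]*\([0-9.]*\/[0-9]*\).*/\1/p' "$netdir/tinc-up")
        if [ "$want" != "$have" ]; then
            echo "tinc-up assigns '$have' but hosts/$name declares Subnet = $want"; problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# tinc_make_sample -> prints the path of a constructed copy of serverA's
# layout. The key bodies are placeholders standing in for real base64 lines.
tinc_make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/hosts"
    printf 'Name = node_01\nDevice = /dev/net/tun\nBindToAddress = 192.168.202.30\nAddressFamily = ipv4\n' > "$d/tinc.conf"
    printf 'Address = 192.168.202.30\nSubnet = 172.16.1.1/32\nPort = 655\n\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER_KEY_BODY\n-----END RSA PUBLIC KEY-----\n' > "$d/hosts/node_01"
    printf 'Subnet = 172.16.1.2/32\nPort = 655\n\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER_KEY_BODY\n-----END RSA PUBLIC KEY-----\n' > "$d/hosts/node_02"
    printf '#!/bin/sh\n/sbin/ip link set $INTERFACE up\n/sbin/ip addr add  172.16.1.1/32 dev $INTERFACE\n/sbin/ip route add 172.16.1.0/24 dev $INTERFACE\n' > "$d/tinc-up"
    echo "$d"
}

# Stand-alone run: check the constructed sample (prints "OK" for it).
sample=$(tinc_make_sample)
tinc_check_dir "$sample" && echo "$sample: OK"
rm -rf "$sample"
```

Run it as root on each node with `tinc_check_dir /etc/tinc/vpn0` after the host files have been exchanged; an empty result and exit status 0 means the node is consistent with itself and has a complete key for every peer it knows about.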

Enable and start tinc service (type it on both serverA and serverB)

Use the systemctl command to enable tinc@vpn0; tinc runs each network (here vpn0) as a separate systemd instance:
sudo systemctl enable tinc@vpn0
Start tinc:
sudo systemctl start tinc@vpn0
Stop or restart tinc:
sudo systemctl stop tinc@vpn0
sudo systemctl restart tinc@vpn0

Find the status of tinc:
sudo systemctl status tinc@vpn0
Verify it using the ps command/pgrep command and the netstat command/ss command:
ps aux | grep tincd
ss -tulpn

Use the ping command to make sure you can reach to each node:
ping vpn1
ping vpn2
ping 172.16.1.1
ping 172.16.1.2
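With the service running, confirm from the ss output that tincd really listens only on eth1's private address (that is what BindToAddress in tinc.conf is for) and not on 0.0.0.0, where the public interface would reach it too. The following shell function is an added example, not part of the tutorial or of tinc: it parses ss -tulpn text and reports every socket of a named process that is not on the expected address and port. The two ss outputs embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm from `ss -tulpn` output that
# a daemon listens only where we intend. BindToAddress in tinc.conf should
# keep tincd on eth1's private address, not 0.0.0.0; the same check covers the
# database on serverB, which the tutorial wants bound to vpn0 alone.

# only_bound_to SS_OUTPUT PROCESS ADDR PORT
# Reads `ss -tulpn` text, looks at every socket whose Process column names
# PROCESS, and succeeds only if each one is on ADDR:PORT. Offending sockets
# are printed. Fails too when PROCESS has no sockets at all (daemon not up).
only_bound_to() {
    printf '%s\n' "$1" | awk -v proc="$2" -v addr="$3" -v port="$4" '
        index($0, "\"" proc "\"") == 0 { next }      # not our process
        {
            seen++
            n = split($5, a, ":"); p = a[n]           # port follows the last colon
            host = substr($5, 1, length($5) - length(p) - 1)
            if (host != addr || p != port) {
                printf "%s socket of %s on %s:%s, expected %s:%s\n", $1, proc, host, p, addr, port
                bad++
            }
        }
        END {
            if (!seen) { print proc ": no listening sockets found"; exit 1 }
            exit (bad > 0)
        }'
}

# Constructed `ss -tulpn` output for serverA as configured above
# (BindToAddress = 192.168.202.30): tincd on the private address only.
SS_GOOD='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      192.168.202.30:655  0.0.0.0:*         users:(("tincd",pid=1234,fd=5))
tcp   LISTEN 0      128    192.168.202.30:655  0.0.0.0:*         users:(("tincd",pid=1234,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# Constructed output for a node whose tinc.conf lacks BindToAddress:
# tincd is reachable on every interface, including the public one.
SS_BAD='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:655         0.0.0.0:*         users:(("tincd",pid=1234,fd=5))
tcp   LISTEN 0      128    0.0.0.0:655         0.0.0.0:*         users:(("tincd",pid=1234,fd=6))'

# Stand-alone run against the constructed samples; on a live node use:
#   only_bound_to "$(ss -tulpn)" tincd 192.168.202.30 655
only_bound_to "$SS_GOOD" tincd 192.168.202.30 655 && echo "serverA sample: tincd bound correctly"
only_bound_to "$SS_BAD"  tincd 192.168.202.30 655 || echo "unbound sample: tincd exposed"
```

On serverB the same function verifies the database stays on the tunnel, for example `only_bound_to "$(ss -tulpn)" mysqld 172.16.1.2 3306` if the database is MySQL (the process name and port are assumptions; the tutorial does not name the database software). The ufw rules above are the second layer; this check tells you whether the first layer, the bind address, is doing its job.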


Conclusion

And there you have it. You learned how to install and set up a tinc VPN along with firewall configuration on Ubuntu 18.04 and 20.04 LTS. See tinc docs here.

Posted by: Vivek Gite
