Tinc VPN on OpenBSD and Linux

Install the tinc package:

OpenBSD/NetBSD

pkg_add tinc

Debian/Ubuntu

apt-get install tinc

Choose a name for your private network. I named it home.

Create a directory for storing the virtual network's configuration (the package on NetBSD keeps it under /usr/pkg/etc instead of /etc):

[ "$(uname)" = NetBSD ] && export VPN_DIR=/usr/pkg/etc/tinc/home || export VPN_DIR=/etc/tinc/home

test -d "${VPN_DIR}/hosts" || mkdir -p "${VPN_DIR}/hosts"

On NetBSD this gives /usr/pkg/etc/tinc/home/; the paths in the rest of this guide assume the /etc/tinc/home layout.

Put a tinc.conf file in the directory you just created. ConnectTo takes the tinc name of the peer, which is the name of its file under hosts/ (orange below); the peer's DNS name goes in the Address line of that host file, not here:

cat > /etc/tinc/home/tinc.conf << EOF
Name = client1
# name of the peer's host file in hosts/, not its DNS name
ConnectTo = orange
EOF

Generate private/public key pair:

tincd -n home -K

It will print a message like this one:

Generating 2048 bits keys:
..........................................................+++++ p
......+++++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/home/rsa_key.priv]:<Press Enter>
Please enter a file to save public RSA key to [/etc/tinc/home/hosts/client1]:<Press Enter>

Copy the host configuration file from your VPN server to the client host. In my case, the VPN server host is orange.svyrydiuk.eu.

The configuration file is /etc/tinc/home/hosts/orange on both server and client.

Address = orange.svyrydiuk.eu
Subnet = 10.0.0.0/24

-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAvpQDmw2xTwmBq65hBkoEIGjtfRfLGPDj1+Y0PbLLZQ/GZSdevcii
....
....
EyoSBS6xle/uvuoRDa57Pj366EZVzTm1a0dFLZmtQVOgxOPmpQ4jVTUCAwEAAQ==
-----END RSA PUBLIC KEY-----

Do the same with the host configuration file on your client host (hosts/client1, written by tincd -K above): copy it to the VPN server.

Create tinc-up and tinc-down scripts on the client host and put them into /etc/tinc/home:

tinc-up script

#!/bin/sh
# /etc/tinc/home/tinc-up
ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0

10.0.0.2 above is the client's internal IP address on your VPN. If you want to join more than a few hosts into your private network, it is probably worth setting up a DHCP server, which will automatically assign an IP address and other network configuration parameters to each host on your VPN.

tinc-down script

#!/bin/sh
# /etc/tinc/home/tinc-down
ifconfig $INTERFACE down

Set the executable flag on both scripts:

chmod +x /etc/tinc/home/tinc-[ud]*

Permanently enable and start the tinc service:

OpenBSD

rcctl enable tincd
rcctl set tincd flags "-U _tinc --chroot --net=home"
rcctl start tincd

Debian/Ubuntu

systemctl enable tinc@home
systemctl start tinc@home

Test the configuration

OpenBSD

rcctl check tincd

If you get a message that says 'tincd(ok)', your VPN is probably ready to use. Otherwise, fix the configuration errors and try again.

Debian/Ubuntu

systemctl status tinc@home

* tinc@home.service - Tinc net home
   Loaded: loaded (/lib/systemd/system/tinc@.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-08-26 09:47:44 CEST; 4h 2min ago
     Docs: info:tinc
           man:tinc(8)
           man:tinc.conf(5)
           http://tinc-vpn.org/docs/
 Main PID: 16836 (tincd)
    Tasks: 1 (limit: 2229)
   Memory: 748.0K
   CGroup: /system.slice/system-tinc.slice/tinc@home.service
           `-16836 /usr/sbin/tincd -n home -D -c /etc/tinc/home

In case of errors, have a look at the log records or run tincd as a foreground process with debugging enabled:

tincd --no-detach -d 3 --net home
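A pre-flight check for the directory built above, as an added example that is not part of the original post or of tinc itself: it verifies that tinc.conf has a Name with a matching public key under hosts/, that every ConnectTo peer has a host file with an Address, that tinc-up and tinc-down are executable, and that the private key is not group- or world-readable. make_sample_net builds a constructed copy of the post's client1 -> orange layout in a temporary directory so the check can be tried without touching /etc/tinc.

```shell
#!/bin/sh
# Pre-flight check for a tinc network directory such as /etc/tinc/home.
# Added example, not part of the original post or of tinc; the layout it
# expects (tinc.conf, hosts/, tinc-up, tinc-down, rsa_key.priv) is the one
# the steps above and 'tincd -K' produce.

conf_value() {  # conf_value FILE KEY -> value(s) of "KEY = value" lines
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

check_tinc_net() {
    dir=$1 fails=0
    [ -r "$dir/tinc.conf" ] || { echo "missing $dir/tinc.conf"; return 1; }
    name=$(conf_value "$dir/tinc.conf" Name | head -n 1)
    [ -n "$name" ] || { echo "tinc.conf has no Name"; fails=$((fails + 1)); }
    # hosts/<Name> must hold the public key that 'tincd -K' wrote there.
    if [ -n "$name" ] && ! grep -q 'BEGIN RSA PUBLIC KEY' "$dir/hosts/$name" 2>/dev/null; then
        echo "hosts/$name is missing or has no public key"; fails=$((fails + 1))
    fi
    # ConnectTo names a host file, which must carry an Address to dial.
    for peer in $(conf_value "$dir/tinc.conf" ConnectTo); do
        [ -n "$(conf_value "$dir/hosts/$peer" Address 2>/dev/null)" ] ||
            { echo "peer $peer: no hosts/$peer with Address"; fails=$((fails + 1)); }
    done
    # Without executable tinc-up/tinc-down the VPN interface is never configured.
    for s in tinc-up tinc-down; do
        [ -x "$dir/$s" ] || { echo "$s missing or not executable"; fails=$((fails + 1)); }
    done
    # The private key must not be group- or world-accessible (ls -l columns 5-10).
    if [ -f "$dir/rsa_key.priv" ] && [ "$(ls -ld "$dir/rsa_key.priv" | cut -c5-10)" != "------" ]; then
        echo "rsa_key.priv is accessible by others; chmod 600 it"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample mirroring the post (client1 connecting to orange), for trying the check.
make_sample_net() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/hosts"
    printf '%s\n' 'Name = client1' 'ConnectTo = orange' > "$d/tinc.conf"
    printf '%s\n' 'Address = orange.svyrydiuk.eu' 'Subnet = 10.0.0.0/24' '' \
        '-----BEGIN RSA PUBLIC KEY-----' CONSTRUCTED '-----END RSA PUBLIC KEY-----' > "$d/hosts/orange"
    printf '%s\n' '-----BEGIN RSA PUBLIC KEY-----' CONSTRUCTED '-----END RSA PUBLIC KEY-----' > "$d/hosts/client1"
    printf '%s\n' '#!/bin/sh' 'ifconfig "$INTERFACE" 10.0.0.2 netmask 255.255.255.0' > "$d/tinc-up"
    printf '%s\n' '#!/bin/sh' 'ifconfig "$INTERFACE" down' > "$d/tinc-down"
    chmod +x "$d/tinc-up" "$d/tinc-down"
    : > "$d/rsa_key.priv" && chmod 600 "$d/rsa_key.priv"
    echo "$d"
}
```

Run it as `check_tinc_net /etc/tinc/home` before `rcctl start tincd` or `systemctl start tinc@home`; a non-zero exit lists what to fix.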