Site Tools


Table of Contents

Tinc Daemon

Tinc is a newer VPN technology that allows you to create partial/full mesh VPN connections without having to define each and every end point as you'd have to do with other VPN protocols, such as OpenVPN. A minimum amount of configuration is still needed for each site, but it's the quickest way to develop a mesh VPN between network sites.

The Tinc Daemon menu is divided into tabbed sections, including Configuration, and (VPN) Hosts.


Start with WAN: Enabling this will start the tinc daemon as part of the wanup (initialize WAN interface) process.

Interface type: TUN/TAP: This chooses the communication protocol used within your VPN. TUN is routed, and runs at the network (IP) layer. TAP is switched, and runs at the datalink layer. You should generally choose TUN. See here for more information:

VPN Netmask: Defines the (sub)netmask to be used within the intra-site communications.

Host Name: The unique identifier of the device. Note this is different from the device's DHCP/DNS Hostnames.

Poll interval: This enables hello packets on the VPN. Hello packets are sent back and forth periodically between 2 routers to establish adjacency.

Ed25519 Private Key: In this field, you enter your private Ed25519 key. This is necessary for the encryption process.

RSA Private Key * : This field is where you enter your private RSA key. Note that RSA uses much more CPU power than Ed25519. The RSA key is optional and is only needed for communication with hosts using tinc version 1.0 or lower.

Custom: This field allows you to specify any custom tinc daemon parameters.


Most of the hosts in your network should be defined on this page. Tinc doesn't need all the hosts to be defined. It's able to use a relay to reach secondary hosts if the end devices are not able to communicate with each other because of NAT or some other reason. You do, however, need to define “yourself” on each tinc device.

ConnectTo: This is a flag and can be set to On or left blank. This tells the local tinc daemon whether or not it should attempt a direct connection with another host (not including relaying a connection to another host).

Name: As on the Config tab, this is the unique tinc identifier defined under the Host Name field.

Address: This is used only when direct reachability is possible and defines the IP or FQDN (fully qualified domain name) where the host can be found. Direct reachability means without relay.

Port: An empty value configures the default setting (both TCP/UDP port 655). You might need to tweak this value if you include direclty windows devices in your tinc communication. <Fix Me!> Needs clarification.

Compression: Compression can, in some cases, increase VPN speeds. Here, the default of 0 (disabled) can be tweaked to as high as 11. All the nodes must be configured with the same compresssion settting. Since most VPN traffic is already compressed/encrypted at the application layer, think carefully about whether you need this enabled or not. Enabling compression will also add extra workload to the CPU, and may not increase speeds.

Subnet: Defines the primary subnet reachable via the host being defined.

Ed25519 Public Key: This is where you enter your Ed25519 encryption Public Key.

RSA Public Key *: In case of RSA key you must define the public on on a host basis here. RSA is optional in tinc 1.0+

For every host you define, you must provide the minimum info before being able to click OK and proceed to the next row. OK doesn't save the settings. After all the hosts are defined (and having clicked OK for each) you must then click the Save button at the bottom of the menu. Only then will all your host settings be saved.

Custom: In this field, you are free to define custom configuration settings for each host. For example, if a host is providing reachability to a second subnet you could add something like: Subnet = . Make certain this is consistent with the host IP/subnet + config-page “netmask” setting.

tinc_daemon.txt · Last modified: 2021/09/15 22:57 by hogwild