vpn-tinc

Differences

This shows you the differences between two versions of the page.

vpn-tinc [2022/02/11 00:14] – [Tinc Configuration]-clarity, formatting hogwildvpn-tinc [2023/09/10 20:04] (current) rs232
Line 1: Line 1:
-====== Tinc Daemon ======+====== Tinc ======
  
 Tinc is a newer VPN technology that allows you to create partial/full mesh VPN connections without having to define every endpoint, as you'd have to with other VPN protocols. A minimum amount of configuration is still needed for each site. However, it's the quickest way to develop a mesh VPN between network sites. Tinc is a newer VPN technology that allows you to create partial/full mesh VPN connections without having to define every endpoint, as you'd have to with other VPN protocols. A minimum amount of configuration is still needed for each site. However, it's the quickest way to develop a mesh VPN between network sites.
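Review bot: the unchanged introduction never says which Tinc version the firmware ships (1.0 or 1.1), yet the key fields described further down depend on it (the RSA key is tied to "version 1.0 or lower" hosts, Ed25519 to newer ones); one sentence here naming the bundled version, or at least the major version line, would let readers know which key fields apply to them. "Newer" is also relative and undated; "compared with OpenVPN and IPsec" or similar would make the comparison concrete.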
Line 5: Line 5:
 The Tinc Daemon menu is divided into tabbed sections, including Tinc Configuration, and (VPN) Hosts. The Tinc Daemon menu is divided into tabbed sections, including Tinc Configuration, and (VPN) Hosts.
  
- +===== Config Tab =====
-===== Tinc Configuration =====+
  
 {{:pasted:20220204-091455.png}} {{:pasted:20220204-091455.png}}
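Review bot: the unchanged sentence at Line 5 still names the tabs "Tinc Configuration" and "(VPN) Hosts" and calls the menu the "Tinc Daemon menu", while this revision renames the section headings to "Config Tab" and "Hosts Tab" and the page title to "Tinc"; update that sentence to use the same names as the headings so readers can match the description to the sections below.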
Line 12: Line 11:
  \\  \\
  
-**Start with WAN:** Enabling this will cause the tinc daemon to start as part of the wanup (WAN interface initialization) process.+**Start with WAN:** Enabling this will cause the Tinc daemon to start as part of the wanup (WAN interface initialization) process.
  
-**Interface type:** TUN/TAP: Here, you specify the communication protocol used within your VPN. TUN is routed, and runs at the network (IP) layer. TAP is switched, and runs at the datalink layer. Generally, you should choose TUN. For more information on these protocols, see the "Interface Type" section of the [[:vpn-server|OpenVPN Server]] wiki page. For even more details, see: \\ [[https://en.wikipedia.org/wiki/TUN/TAP|https://en.wikipedia.org/wiki/TUN/TAP]]+**Interface type:** TUN/TAP: Here, you specify the communication protocol used within your VPN. TUN is routed, and runs at the network (IP) layer. TAP is switched, and runs at the datalink layer. Generally, you should choose TUN. For more information on these protocols, see the "Interface Type" section of the [[:vpn-server|OpenVPN Server]] wiki page.
  
 **VPN Netmask:** Here, specify the (sub)netmask to be used for intra-site communications. **VPN Netmask:** Here, specify the (sub)netmask to be used for intra-site communications.
Line 20: Line 19:
 **Host Name:** This is the unique identifier of the OpenVPN device. This is NOT the same as the device's DHCP/DNS Hostnames. **Host Name:** This is the unique identifier of the OpenVPN device. This is NOT the same as the device's DHCP/DNS Hostnames.
  
-**Poll interval:** This enables hello packets on the VPNHello packets are sent back and forth periodically between routers to establish adjacency (presence for communication).+**Poll interval:** If set greater than zero, a watchdog polls whether Tinc is running every n minutes to verify that it has not crashed. If it finds that Tinc is not running, it will restart the Tinc serviceIf set to zero, the watchdog is disabled.
  
- \\+ \\  \\
  
 {{:pasted:20220204-091557.png}} {{:pasted:20220204-091557.png}}
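Review bot: the unchanged "Host Name" line describes the field as "the unique identifier of the OpenVPN device"; on this page it should read "Tinc device", since the Hosts tab section later refers back to this field as the unique Tinc identifier. In the rewritten "Poll interval" text, "restart the Tinc serviceIf set to zero" is missing the sentence break before "If", and "every n minutes" should state that n is the value typed into the field and that the unit is minutes, because the watchdog interval is the only thing the field controls. Dropping the Wikipedia TUN/TAP link is fine as long as the linked OpenVPN Server page still has the "Interface Type" section this paragraph points to.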
Line 28: Line 27:
  \\  \\
  
-**Ed25519 Private Key: **In this field, you enter your private Ed25519 key. This key is necessary for the encryption process.+**Ed25519 Private Key: **In this field, enter your private Ed25519 encryption key. This key is needed for the encryption process.
  
-**RSA Private Key : **This field is where you enter your private RSA key. The RSA encryption protocol uses much more CPU power than the Ed25519 protocol. The RSA key is optional and is only needed for communication with hosts using tinc version 1.0 or lower.+**RSA Private Key: *  **Here, enter the private RSA key. RSA encryption uses much more CPU power than the Ed25519 protocol. \\ The RSA key is optional and is needed only for communication with hosts using Tinc version 1.0 or lower.
  
-**Custom: **This field allows you to specify any custom tinc daemon parameters you might want.  \\   \\   \\+**Custom: **This field allows you to specify any custom Tinc daemon parameters you might want.  \\   \\
  
  
-===== Hosts =====+===== Hosts Tab =====
  
-Most of the hosts in your network should be defined on this page. Tinc doesn't need all the hosts to be defined. It's able to use a relay to reach secondary hosts if the end devices are not able to communicate with each other because of NAT or some other reason. You do, however, need to define "yourself" on each tinc device.+Most of the hosts on your network should be defined on this page. Tinc doesn't need all hosts to be defined. It can use a relay to reach secondary hosts if the end devices can't (yet) communicate. Hosts may not be able to communicate for various reasons, including the presence of NAT devices between them.
  
-{{:pasted:20220204-091804.png}}+However, you do need to define "yourself" on each Tinc device.
  
-**ConnectTo:** This is a flag and can be set to On or left blank. This tells the local tinc daemon whether or not it should attempt a direct connection with another host (not including relaying a connection to another host).+ \\
  
-**Name:** As on the Config tab, this is the unique tinc identifier defined under the Host Name field.+{{:pasted:20230111-110422.png?800}}
  
-**Address: **This is used only when direct reachability is possible and defines the IP or FQDN (fully qualified domain name) where the host can be found. Direct reachability means without relay.+ \\
  
-**Port: **An empty value configures the default setting (both TCP/UDP port 655). You might need to tweak this value if you include direclty windows devices in your tinc communication. <Fix Me!> Needs clarification.+**ConnectTo:**  This flag can be set "On" or left blank. This tells the local Tinc daemon to try connecting directly to another host (without using a relay).
  
-**Compression:** Compression can, in some cases, increase VPN speeds. Here, the default of 0 (disabled) can be tweaked to as high as 11. All the nodes must be configured with the same compresssion settting. Since most VPN traffic is already compressed/encrypted at the application layerthink carefully about whether you need this enabled or not. Enabling compression will also add extra workload to the CPU, and may not increase speeds.+**Name:**  As on the Config tab, this is the unique Tinc identifier defined in the Host Name field.
  
-**Subnet:** Defines the primary subnet reachable via the host being defined.+**Address **This is used only when direct communication is possible. It defines the IP address (or FQDN) where the host can be found. This means without a relay.
  
-{{:pasted:20220204-091844.png}}+**Port **If left blank, this configures the default setting (TCP/UDP, port 655). You might need to tune this for network devices without root/Administrator privileges (but not FreshTomato).
  
-**Ed25519 Public Key:** This is where you enter your Ed25519 encryption Public Key.+**Compression:**  In some cases, compression may increase VPN speeds. The default of "0" (disabled) can be adjusted as high as "11". All nodes must be configured with the same setting. Since most VPN traffic is already compressed at the application layer, think carefully whether you need this enabled. Enabling compression adds extra workload to the CPU, and may not increase throughput.
  
-**RSA Public Key *:** In case of RSA key you must define the public on on a host basis here. RSA is optional in tinc 1.0++**Subnet:**  This defines the primary subnet reachable via the host being defined. It's published to the tinc peers so they know which peer hosts the subnet. 
 + 
 +**Ed25519 Public Key:**  Here is where you enter your Ed25519 encryption Public Key. 
 + 
 +**RSA Public Key: * ** If you're using RSA encryption, you must define each host's public key here. RSA is optional in Tinc versions 1.0 and later. 
 + 
 +You must provide minimal information for every host defined before you can click OK and go to the next row. Clicking OK **does not** save settings. Only after you've defined all hosts, clicked "OK" for each, and clicked "Save" at the bottom. will all host settings be saved. 
 + 
 +**Custom:**  In this field, you can define custom settings for each host. 
 + 
 +For example, if a host communicates with with another subnet, you could add: 
 + 
 +//  Subnet = 10.10.8.0/24//
 + 
 +You must ensure these settings are consistent with the host IP/subnet config-page "netmask" setting. 
 + 
 + \\
  
-For every host you define, you must provide the minimum info before being able to click OK and proceed to the next row. OK doesn't save the settings. After all the hosts are defined (and having clicked OK for each) you must then click the Save button at the bottom of the menu. Only then will all your host settings be saved. 
  
-**Custom:** In this field, you are free to define custom configuration settings for each host. For example, if a host is providing reachability to a second subnet you could add something like: //Subnet = 10.10.8.0/24// . Make certain this is consistent with the host IP/subnet + config-page "netmask" setting. 
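Review bot: the two RSA statements in this hunk contradict each other: the "RSA Private Key" paragraph says the key is "needed only for communication with hosts using Tinc version 1.0 or lower", while the "RSA Public Key" paragraph says "RSA is optional in Tinc versions 1.0 and later". Tinc 1.0 supports only RSA and Ed25519 arrived with 1.1, so the second sentence should read "optional in Tinc 1.1 and later", and both paragraphs should say the same thing. Related wording: Ed25519 is a signature scheme that Tinc uses to authenticate hosts, so "private Ed25519 encryption key" is misleading; "Ed25519 private key" is enough, and neither key paragraph says how the key pair is generated or that the "Ed25519 Public Key" on the Hosts tab is the public half belonging to the host defined in that row (the Config tab holds this device's private key), which is the one thing a first-time reader needs to get the mesh authenticating. The "Port" sentence replaced the old "<Fix Me!> Needs clarification" marker with "tune this for network devices without root/Administrator privileges (but not FreshTomato)", which is no clearer; the likely point is that binding port 655 (below 1024) needs elevated privileges on Unix-like hosts, so either say that explicitly or keep the FIXME until it is confirmed. The "Compression" paragraph dropped "encrypted" from the old "compressed/encrypted at the application layer"; encrypted payloads are the stronger reason compression does not help (they do not compress), so restore it. Markup and typos: the bold spans "**RSA Private Key: *  **" and "**RSA Public Key: * **" are unbalanced because the footnote asterisk sits inside the bold, the "Address" and "Port" labels lost their colons so the field labels render inconsistently, "communicates with with another subnet" doubles "with", "clicked "Save" at the bottom. will all host settings" has a stray period, "the tinc peers" in the "Subnet" paragraph misses the Tinc capitalization applied everywhere else in this revision, the config directive "//  Subnet = 10.10.8.0/24//" would read better in monospace than italics, and the three bare " \\" lines add empty line breaks that the surrounding blank lines already provide.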
vpn-tinc.1644538461.txt.gz · Last modified: 2022/02/11 00:14 by hogwild