

vpn-tinc




Tinc Daemon

Tinc is a newer VPN technology that lets you build partial or full mesh VPN connections without having to define every endpoint, as you would with other VPN protocols. A minimum amount of configuration is still needed for each site. However, it is the quickest way to set up a mesh VPN between network sites.

The Tinc Daemon menu is divided into tabbed sections: Tinc Configuration (Config) and (VPN) Hosts.

Config Tab


Start with WAN: Enabling this will cause the Tinc daemon to start as part of the wanup (WAN interface initialization) process.

Interface type: TUN/TAP: Here, you specify the communication protocol used within your VPN. TUN is routed, and runs at the network (IP) layer. TAP is switched, and runs at the datalink layer. Generally, you should choose TUN. For more information on these protocols, see the “Interface Type” section of the OpenVPN Server wiki page.

VPN Netmask: Here, specify the (sub)netmask to be used for intra-site communications.

Host Name: This is the unique Tinc identifier of this device (node). This is NOT the same as the device's DHCP/DNS hostname.

Poll interval: If set to a value greater than zero, a watchdog checks every n minutes whether Tinc is still running, to verify that it has not crashed. If it finds that Tinc is not running, it restarts the Tinc service. If set to zero, the watchdog is disabled.




Ed25519 Private Key: In this field, enter this node's private Ed25519 key. This key is required; it is used to authenticate the node and set up the encrypted connections.

RSA Private Key: Here, enter the node's private RSA key. RSA uses much more CPU power than Ed25519. The RSA key is optional and is needed only for communication with hosts running Tinc version 1.0 or lower.

Custom: This field allows you to specify any additional Tinc daemon parameters (tinc.conf directives) you might want.

Hosts Tab

Most of the hosts on your network should be defined on this page. Tinc does not need every host to be defined: it can use a relay to reach secondary hosts if the end devices cannot (yet) communicate directly. This can happen for various reasons, including the presence of NAT devices between hosts.

However, you do need to define “yourself” on each Tinc device.



ConnectTo: This flag can be set to “On” or left blank. It tells the local Tinc daemon to attempt a direct connection to that host (as opposed to a relayed connection).

Name: As on the Config tab, this is the unique Tinc identifier defined in the Host Name field.

Address: This is used only when direct communication (i.e., without a relay) is possible. It defines the IP address or fully qualified domain name where the host can be reached.

Port: An empty value uses the default (TCP and UDP port 655). You might need to change this on network devices where Tinc does not run with root/administrator privileges (not applicable to FreshTomato).

Compression: In some cases, compression may increase VPN throughput. The default of “0” (disabled) can be raised as high as “11”. All nodes must be configured with the same setting. Since most VPN traffic is already compressed at the application layer, think carefully about whether you need this enabled. Enabling compression adds extra CPU load and may not increase speed or throughput.

Subnet: This defines the primary subnet reachable via the host being defined.

Ed25519 Public Key: This is where you enter that host's Ed25519 public key.

RSA Public Key: If you are using an RSA key, you must define the public key for each host here. RSA is optional in Tinc versions 1.0 and later.

You must provide the minimum required information for every host before you can click OK and proceed to the next row. Clicking OK does not save the settings. After you have defined all hosts and clicked “OK” for each, you must click “Save” at the bottom of the page. Only then are the host settings saved.

Custom: In this field, you can define custom settings (host-file directives) for each host.

For example, if a host also provides access to another subnet, you could add:

Subnet = 10.10.8.0/24

You must ensure these settings are consistent with the host's IP address/subnet and the “VPN Netmask” setting on the Config tab.
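As an added example (not from this wiki page or from the FreshTomato project), the following Python script checks a Hosts-tab table for the consistency problems described above: ConnectTo set without an Address, overlapping Subnet announcements (including extra “Subnet =” lines in the Custom field), and a local VPN address that does not match the Config-tab VPN Netmask. The host entries are constructed sample data, and the rule for the local node (the network formed by its VPN IP and the VPN Netmask must be one of the subnets it announces) is an assumption about how the consistency requirement should be read.

```python
"""Consistency check for a FreshTomato-style Tinc host table (added example)."""
import ipaddress

# Constructed sample data: the local node plus two remote hosts.
VPN_NETMASK = "255.255.255.0"      # Config tab: VPN Netmask
LOCAL_NAME = "site_a"              # Config tab: Host Name
LOCAL_VPN_IP = "10.10.0.1"         # assumed address on the local tinc interface
HOSTS = [
    {"name": "site_a", "connect_to": False, "address": "",
     "port": "", "subnet": "10.10.0.0/24", "custom": ""},
    {"name": "site_b", "connect_to": True, "address": "vpn-b.example.net",
     "port": "655", "subnet": "10.10.1.0/24", "custom": "Subnet = 10.10.8.0/24"},
    {"name": "site_c", "connect_to": True, "address": "",
     "port": "", "subnet": "10.10.1.0/25", "custom": ""},
]


def host_subnets(host):
    """All subnets a host announces: the Subnet field plus 'Subnet =' lines in Custom."""
    nets = [ipaddress.ip_network(host["subnet"], strict=True)]
    for line in host["custom"].splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "Subnet":
            nets.append(ipaddress.ip_network(value.strip(), strict=True))
    return nets


def check_hosts(hosts, local_name, local_vpn_ip, vpn_netmask):
    """Return a list of problem strings; an empty list means the table is consistent."""
    problems = []
    if local_name not in [h["name"] for h in hosts]:
        problems.append(f"local node {local_name!r} is not defined on the Hosts tab")
    seen = []  # (host name, network) pairs already announced by earlier rows
    for h in hosts:
        if h["connect_to"] and not h["address"]:
            problems.append(f"{h['name']}: ConnectTo is On but Address is empty")
        for net in host_subnets(h):
            for other_name, other in seen:
                if other_name != h["name"] and net.overlaps(other):
                    problems.append(f"{h['name']}: {net} overlaps {other} ({other_name})")
            seen.append((h["name"], net))
    # Assumed rule: VPN IP + Config-tab netmask must be a subnet the local node announces.
    local_net = ipaddress.ip_interface(f"{local_vpn_ip}/{vpn_netmask}").network
    local = next((h for h in hosts if h["name"] == local_name), None)
    if local and local_net not in host_subnets(local):
        problems.append(f"{local_name}: {local_net} is not among its announced Subnets")
    return problems


if __name__ == "__main__":
    print("\n".join(check_hosts(HOSTS, LOCAL_NAME, LOCAL_VPN_IP, VPN_NETMASK)) or "OK")
```

Run against the sample data, it reports that site_c has ConnectTo set but no Address and that its 10.10.1.0/25 overlaps site_b's 10.10.1.0/24.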


vpn-tinc.1685122986.txt.gz · Last modified: 2023/05/26 18:43 by hogwild