Are you having issues installing Tinc and configuring a Basic VPN on Ubuntu Linux 18.04/20.04 LTS server?
In essence, Tinc is a free and open source VPN daemon used to create a virtual private network (VPN). Because it runs as a Linux/Unix daemon that handles many connections at once, a single installation on each node is enough to build an entire VPN.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform Software Installation tasks on their Ubuntu Server.
In this context we shall look into how to set up Tinc mesh VPN on Ubuntu 18.04 or 20.04 LTS server.
As stated earlier, Tinc is used to create a VPN. To encrypt and protect traffic, Tinc uses LibreSSL or OpenSSL.
Additionally, automatic full mesh routing ensures that traffic is sent directly to the destination without going through intermediate hops. NAT traversal makes tinc on Ubuntu firewall-friendly as long as one node in the VPN allows incoming connections on a public/dynamic IP address.
In this setup, we are going to use two servers; let's call them "serverA" and "serverB" respectively. Their roles are as follows;
i. "serverA" : This will serve as the web server. It has a public IPv4/IPv6 address and an eth1 interface with a private IP address. All apps running on this server will connect to serverB over the tinc VPN interface called vpn0 (IP: 172.16.1.5/32), so all traffic between the two servers is encrypted.
ii. "serverB" : This represents the database server, again with a public IPv4/IPv6 address and a private IP address. The database will listen only on the VPN interface called vpn0 (IP: 172.16.1.6/32); traffic arriving on any other interface is dropped using ufw.
On both serverA and serverB, execute the following commands to install tinc;
sudo apt update
sudo apt upgrade
sudo apt install tinc
Next, create the configuration directory for the tinc network (called vpn0 here) by executing the following command;
sudo mkdir -vp /etc/tinc/vpn0/hosts/
mkdir: created directory '/etc/tinc/vpn0'
mkdir: created directory '/etc/tinc/vpn0/hosts/'
Now, edit the hosts file by executing the following command;
sudo vi /etc/hosts
In this file, add the following entries, adjusting the IP addresses to match your servers;
## eth1 ip address
192.168.202.30 node_01
192.168.215.155 node_02
## tinc ip address ##
172.16.1.5 vpn1
172.16.1.6 vpn2
To configure Tinc on "serverA", create the config file as the root user of that server by running the command;
sudo vim /etc/tinc/vpn0/tinc.conf
Once the file is open, add the following lines for this setup;
Name = node_01
Device = /dev/net/tun
## private ip of eth1 ##
BindToAddress = 192.168.202.30
AddressFamily = ipv4
To generate the RSA key pair for node_01, execute the tincd command;
sudo tincd -n vpn0 -K4096
Next, set the tinc VPN IP address and port number for this node by editing its host file;
sudo vi /etc/tinc/vpn0/hosts/node_01
Then add the following lines above the public key block that the tincd -K command appended to this file;
Address = 192.168.202.30
Subnet = 172.16.1.5/32
Port = 655
-----BEGIN RSA PUBLIC KEY-----
xxxxx............................................xxxxx
.....
...
..
xxxxx//.................................xxxxx
After adding accordingly, save and close the file.
To create a tinc-up shell script, execute;
sudo vi /etc/tinc/vpn0/tinc-up
Then add the following script, which brings the interface up with the IP address from the host file;
#!/bin/sh
#
# Must use IP 172.16.1.5, which is setup in /etc/tinc/vpn0/hosts/node_01
#
/sbin/ip link set $INTERFACE up
/sbin/ip addr add 172.16.1.5/32 dev $INTERFACE
/sbin/ip route add 172.16.1.0/24 dev $INTERFACE
Next, you need to create a tinc-down script, by running the command;
sudo vi /etc/tinc/vpn0/tinc-down
Then, append the following script as shown below;
#!/bin/sh
#
# See /etc/tinc/vpn0/hosts/node_01 for IP config
#
/sbin/ip route del 172.16.1.0/24 dev $INTERFACE
/sbin/ip addr del 172.16.1.5/32 dev $INTERFACE
/sbin/ip link set $INTERFACE down
The next step is to set executable permission on both scripts using the chmod command;
sudo chmod -v +x /etc/tinc/vpn0/tinc-{up,down}
On serverA, execute the following ufw commands so that serverB (192.168.215.155) can reach tinc on TCP and UDP port 655;
sudo ufw allow from 192.168.215.155 to any port 655 proto tcp comment 'Open TCP port 655 for serverB'
sudo ufw allow from 192.168.215.155 to any port 655 proto udp comment 'Open UDP port 655 for serverB'
Then, allow VPN traffic between the two tunnel addresses on vpn0 as shown below:
sudo ufw allow from 172.16.1.6 to 172.16.1.5 comment 'Allow other vpn node to talk to serverA fully'
On "serverB", execute the commands in the following steps.
i. Creating the config file
To create the config file, run the following command;
sudo vi /etc/tinc/vpn0/tinc.conf
Then add the following lines to this file;
Name = node_02
Device = /dev/net/tun
## tinc node name of serverA, which this node connects to ##
ConnectTo = node_01
BindToAddress = 192.168.215.155
AddressFamily = ipv4
To generate the RSA key pair for node_02, run the following command;
sudo tincd -n vpn0 -K4096
You will see the following output;
Generating 4096 bits keys:
....................++++ p
......................................................................++++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/vpn0/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/vpn0/hosts/node_02]:
Then edit the host file for node_02 to set its VPN IP address and port number;
sudo vi /etc/tinc/vpn0/hosts/node_02
Then in this file, add the following IP address and port number:
Subnet = 172.16.1.6/32
Port = 655
-----BEGIN RSA PUBLIC KEY-----
MIICC..........................................................0
...
..
....
9z............................................................==
-----END RSA PUBLIC KEY-----
To create a tinc-up script, execute the following command;
sudo vi /etc/tinc/vpn0/tinc-up
Then append the following shell script to set up IP and routing when vpn0 interface comes online:
#!/bin/sh
#
# Must use IP 172.16.1.6, which is setup in /etc/tinc/vpn0/hosts/node_02
#
/sbin/ip link set $INTERFACE up
/sbin/ip addr add 172.16.1.6/32 dev $INTERFACE
/sbin/ip route add 172.16.1.0/24 dev $INTERFACE
Next, create a tinc-down script by running the following command;
sudo vi /etc/tinc/vpn0/tinc-down
Then in this file, append the following shell script content using ip command:
#!/bin/sh
#
# Remove IP and routing. IP must be from /etc/tinc/vpn0/hosts/node_02
#
/sbin/ip route del 172.16.1.0/24 dev $INTERFACE
/sbin/ip addr del 172.16.1.6/32 dev $INTERFACE
/sbin/ip link set $INTERFACE down
Now set executable permission on both scripts using the following chmod command:
sudo chmod -v +x /etc/tinc/vpn0/tinc-{up,down}
You will get an output such as this;
mode of '/etc/tinc/vpn0/tinc-up' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)
mode of '/etc/tinc/vpn0/tinc-down' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)
To create the firewall rules on serverB, open TCP and UDP port 655 for serverA (192.168.202.30) using a bash for loop;
for p in tcp udp
do
sudo ufw allow from 192.168.202.30 to any port 655 proto $p comment "Open $p port 655 for serverA"
done
Then allow full VPN traffic between the two tunnel addresses:
sudo ufw allow from 172.16.1.5 to 172.16.1.6 comment 'Allow other vpn node to talk to serverB fully'
To exchange host files, copy /etc/tinc/vpn0/hosts/node_01 to serverB using the scp command on serverA;
scp /etc/tinc/vpn0/hosts/node_01 vivek@serverB:/tmp/
ssh -t root@serverB sudo mv -v /tmp/node_01 /etc/tinc/vpn0/hosts/
Then, copy /etc/tinc/vpn0/hosts/node_02 to serverA using the scp command (type these commands on serverB):
scp /etc/tinc/vpn0/hosts/node_02 vivek@serverA:/tmp/
ssh -t root@serverA sudo mv -v /tmp/node_02 /etc/tinc/vpn0/hosts/
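Each host file passes through /tmp on the remote server before root moves it into place, so it is worth confirming that the public key block arrived unchanged. The following helper is an added example, not part of the original tutorial or of tinc: it hashes only the key block of a host file, so the value printed on the sending node can be compared with the value on the receiving node.

```shell
#!/bin/sh
# pubkey_fingerprint FILE: SHA-256 of the RSA public key block in a tinc host
# file. Address/Subnet/Port lines are ignored, so the value is identical on the
# node that generated the key and on the node that received the copied file.
pubkey_fingerprint() {
    sed -n '/^-----BEGIN RSA PUBLIC KEY-----$/,/^-----END RSA PUBLIC KEY-----$/p' "$1" |
        sha256sum | cut -d' ' -f1
}

# same_pubkey FILE1 FILE2: succeeds only when both files carry the same,
# non-empty key block. A file without a block hashes to the SHA-256 of the
# empty string, which is rejected so that two broken files never "match".
same_pubkey() {
    a=$(pubkey_fingerprint "$1"); b=$(pubkey_fingerprint "$2")
    empty=$(printf '' | sha256sum | cut -d' ' -f1)
    [ "$a" != "$empty" ] && [ "$a" = "$b" ]
}

# Stand-alone use: print the fingerprint of every host file named on the command line,
# e.g. on serverA: sh fingerprint.sh /etc/tinc/vpn0/hosts/node_01
for f in "$@"; do printf '%s  %s\n' "$(pubkey_fingerprint "$f")" "$f"; done
```

Run it on serverA against hosts/node_01 and again on serverB against the copy in /etc/tinc/vpn0/hosts/, then compare the two values over the SSH session you already trust.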
Then enable the tinc@vpn0 service with systemctl, so that the vpn0 network is started at boot (tinc@ runs one instance per network name):
sudo systemctl enable tinc@vpn0
To start tinc, execute:
sudo systemctl start tinc@vpn0
To stop or restart tinc, execute:
sudo systemctl stop tinc@vpn0
sudo systemctl restart tinc@vpn0
To check the status of tinc, execute:
sudo systemctl status tinc@vpn0
Finally, verify that tincd is running and listening on port 655 using the ps/pgrep and netstat/ss commands;
ps aux | grep tincd
ss -tulpn
You can use the ping command to make sure you can reach each node over the VPN;
ping vpn1
ping vpn2
ping 172.16.1.5
ping 172.16.1.6
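If the ping test fails, or before you start the service on a new node, it helps to audit the network directory for the mistakes this procedure makes easy to introduce: a Subnet that does not match the address in tinc-up, a script that is not executable, a private key readable by every local user, or a peer host file that was never copied over. The following script is an added example, not part of the original tutorial or of tinc; it assumes the layout used above (a directory such as /etc/tinc/vpn0 containing tinc.conf, hosts/, tinc-up, tinc-down and rsa_key.priv).

```shell
#!/bin/sh
# check_tinc_net DIR NAME: audit one tinc network directory (e.g. /etc/tinc/vpn0)
# on the node called NAME. Prints every finding; returns 0 if all checks pass, else 1.
check_tinc_net() {
    dir=$1; name=$2; rc=0
    fail() { echo "FAIL: $1"; rc=1; }
    # 1. tinc.conf must carry Name = NAME, and hosts/NAME must exist
    conf_name=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "$dir/tinc.conf")
    [ "$conf_name" = "$name" ] || fail "tinc.conf Name is '$conf_name', expected '$name'"
    host="$dir/hosts/$name"
    [ -f "$host" ] || { fail "host file $host missing"; return $rc; }
    # 2. the host file needs a Subnet and a complete RSA public key block
    subnet=$(sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*//p' "$host")
    [ -n "$subnet" ] || fail "no Subnet line in $host"
    grep -q -- '-----BEGIN RSA PUBLIC KEY-----' "$host" &&
        grep -q -- '-----END RSA PUBLIC KEY-----' "$host" ||
        fail "public key block in $host is incomplete (run tincd -n NET -K)"
    # 3. tinc-up must assign exactly the address advertised in Subnet,
    #    and both scripts must be executable or tincd cannot run them
    ip=${subnet%/*}
    grep -q "ip addr add $ip/" "$dir/tinc-up" 2>/dev/null || fail "tinc-up does not add $ip"
    for s in tinc-up tinc-down; do
        [ -x "$dir/$s" ] || fail "$dir/$s is not executable"
    done
    # 4. the private key must exist and must not be readable by other users
    key="$dir/rsa_key.priv"
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key")
        case $mode in 600|400) ;; *) fail "$key mode is $mode, want 600" ;; esac
    else
        fail "$key missing"
    fi
    # 5. each ConnectTo peer needs a host file with its public key and an Address
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$dir/tinc.conf"); do
        p="$dir/hosts/$peer"
        [ -f "$p" ] || { fail "peer host file $p missing (copy it from $peer)"; continue; }
        grep -q '^[[:space:]]*Address' "$p" || fail "$p has no Address line"
        grep -q -- '-----BEGIN RSA PUBLIC KEY-----' "$p" || fail "$p has no public key"
    done
    return $rc
}

# Stand-alone use, e.g. on serverB: sh check_tinc.sh /etc/tinc/vpn0 node_02
if [ "$#" -eq 2 ]; then check_tinc_net "$1" "$2"; fi
```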