Process to install Tinc and Configure a Basic VPN on Ubuntu Server

Are you having issues installing Tinc and configuring a Basic VPN on Ubuntu Linux 18.04/20.04 LTS server?


In essence,  Tinc is a free to use and Open source server which is used to create a virtual private network (VPN). With this infrastructure, a Linux/Unix daemon can handle multiple connections to enable you create an entire VPN.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform Software Installation tasks on their Ubuntu Server.
In this context we shall look into how to set up Tinc mesh VPN on Ubuntu 18.04 or 20.04 LTS server.

More about Tinc VPN?

As earlier stated, Tinc is used to create VPN. In order to encrypt and protect traffic, Tinc uses LibreSSL or OpenSSL.
Additionally, automatic full mesh routing ensures that traffic is sent directly to the destination without going through intermediate hops. NAT traversal makes tinc on Ubuntu firewall-friendly as long as one node in the VPN allows incoming connections on a public/dynamic IP address.

Steps to install Tinc and Configure a Basic VPN on Ubuntu Server?

In this setup, we are going to user two server, lets call them "serverA" and "serverB" respectively.
Therefore;


i. "serverA" : This will serve as the web server with public IPv4/IPv6 and eth1 with a private IP address. All apps running on this server will connect to serverB via tinc based VPN interface called vpn0 (IP: 172.16.1.5/32). We are going to encrypt all traffic.
ii. "serverB" : This represents the database server with public IPv4/IPv6 with a private IP address. Similarly, our database will only listen on a VPN interface called vpn0 (IP: 172.16.1.6/32) and will drop all traffic coming from any other interface using ufw.

How to install Tinc VPN on Ubuntu 18.04/20.04 LTS server using apt-get command/apt command?

On both serverA and serverB, execute the following commands;

sudo apt update
sudo apt upgrade
sudo apt install tinc


How to create directories and Configuration files for TINC VPN?

To do this, execute the following commands;

sudo mkdir -vp /etc/tinc/vpn0/hosts/
mkdir: created directory '/etc/tinc/vpn0'
mkdir: created directory '/etc/tinc/vpn0/hosts/'


How to Update the hosts file at "/etc/hosts" ?

Now, modify the hosts file , by executing the following command;

sudo vi /etc/hosts


In this file, set the following attributes as per the IP address;

## eth1 ip address
192.168.202.30    node_01
192.168.215.155    node_02
## tinc ip address ##
172.16.1.5 vpn1
172.16.1.6 vpn2


1. How to configure Tinc for "serverA"?

To set Tinc configuration for "serverA", as the root user of this server execute the command below.

To create the config file, run the command;

sudo vim /etc/tinc/vpn0/tinc.conf


Then once opened, append the following according to the set up;

Name = node_01
Device = /dev/net/tun
## private ip of eth1 ##
BindToAddress = 192.168.202.30
AddressFamily = ipv4


i. How to create the public and private keys?

To do this, execute the tincd command;

sudo tincd -n vpn0 -K4096


ii. How to configure the VPN IP addresses?

You can configure tinc VPN IP address and port number by executing the following command;

sudo vi /etc/tinc/vpn0/hosts/node_01


Then add the following attributes as shown below;

Address = 192.168.202.30
Subnet = 172.16.1.5/32
Port = 655

-----BEGIN RSA PUBLIC KEY-----
xxxxx............................................xxxxx
.....
...
..
xxxxx//.................................xxxxx


After adding accordingly, save and close the file.

iii. How to create vpn network interface control up and down scripts?

To create a tinc-up shell script, execute;

sudo vi /etc/tinc/vpn0/tinc-up


Then append the following attributes;

#!/bin/sh
#
# Must use IP 172.16.1.5, which is setup in /etc/tinc/vpn0/hosts/node_01
#
/sbin/ip link set $INTERFACE up
/sbin/ip addr add  172.16.1.5/32 dev $INTERFACE
/sbin/ip route add 172.16.1.0/24 dev $INTERFACE


Next, you need to create a tinc-down script, by running the command;

sudo vi /etc/tinc/vpn0/tinc-down


Then, append the following script as shown below;

#!/bin/sh
#
# See /etc/tinc/vpn0/hosts/node_01 for IP config 
#
/sbin/ip route del 172.16.1.0/24 dev $INTERFACE
/sbin/ip addr del 172.16.1.5/32 dev $INTERFACE
/sbin/ip link set $INTERFACE down


The next step is to set up executable permission using the chmod command;

sudo chmod -v +x /etc/tinc/vpn0/tinc-{up,down}


iv. How to set tincd firewall configuration on Ubuntu Linux for "serverA"?

On serverB, execute the following ufw commands as shown below;

sudo ufw allow from 192.168.215.155 to port 655 proto tcp comment 'Open TCP port 655 for serverA'
sudo ufw allow from 192.168.215.155 to port 655 proto udp comment 'Open UDP port 655 for serverB' 


Then, ensure that we allow vpn traffic between two IP address set using the vpn0 tunnel as shown below:

sudo ufw allow from 172.16.1.6 to 172.16.1.5 comment 'Allow other vpn node to talk serverA fully'


2. How to configure Tinc for "serverB"?

On "serverB", You will execute the command in the following processes.
i. Creating the config file
To create the config file, run the following command;

sudo vi /etc/tinc/vpn0/tinc.conf


Then in this file, append the following accordingly;

Name = node_02
Device = /dev/net/tun
## Ubuntu server name ##
ConnectTo = node_01  
BindToAddress = 192.168.215.155
AddressFamily = ipv4


ii. How to create the public and private key?

To do this, run the following command;

sudo tincd -n vpn0 -K4096


You will see the following output;

Generating 4096 bits keys:
....................++++ p
......................................................................++++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/vpn0/rsa_key.priv]: 
Please enter a file to save public RSA key to [/etc/tinc/vpn0/hosts/node_02]: 


iii. How to set up IP addresses for vpn0?

To do this, run the following file to edit the config file;

sudo vi /etc/tinc/vpn0/hosts/node_02


Then in this file, add the following IP address and port number:

Subnet = 172.16.1.6/32
Port = 655

-----BEGIN RSA PUBLIC KEY-----
MIICC..........................................................0
...
..
....
9z............................................................==
-----END RSA PUBLIC KEY-----


iv. How to create network interface control scripts?

To create a tinc-up script, execute the following command;

sudo vi /etc/tinc/vpn0/tinc-up


Then append the following shell script to set up IP and routing when vpn0 interface comes online:

#!/bin/sh
#
# Must use IP 172.16.1.6, which is setup in /etc/tinc/vpn0/hosts/node_02
#
/sbin/ip link set $INTERFACE up
/sbin/ip addr add  172.16.1.6/32 dev $INTERFACE
/sbin/ip route add 172.16.1.0/24 dev $INTERFACE


Next, create a tinc-down script by running the following command;

sudo vi /etc/tinc/vpn0/tinc-down


Then in this file, append the following shell script content using ip command:

#!/bin/sh
#
# Remove IP and routing. IP must be from /etc/tinc/vpn0/hosts/node_02
# 
/sbin/ip route del 172.16.1.0/24 dev $INTERFACE
/sbin/ip addr del 172.16.1.6/32 dev $INTERFACE
/sbin/ip link set $INTERFACE down


Now set up executable permission. What this means is that you can use the following chmod command to set permission:

sudo chmod -v +x /etc/tinc/vpn0/tinc-{up,down}


You will get an output such as this;

mode of '/etc/tinc/vpn0/tinc-up' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)
mode of '/etc/tinc/vpn0/tinc-down' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)


v. How to update firewall rules?

To create firewall rules, open the TCP/UDP ports using bash for loop;

for p in tcp udp

do

 sudo ufw allow from 192.168.202.30 to port 655 proto $p comment 'Open $p port 655 for serverB'

done


Then allow full vpn traffic between two IP address:

sudo ufw allow from 172.16.1.5 to 172.16.1.6 comment 'Allow other vpn node to talk serverB fully'

vi. How to copy host files to the other hosts?

To do this, copy /etc/tinc/vpn0/hosts/node_01 to serverB. Use the scp command on serverA;
scp /etc/tinc/vpn0/hosts/node_01 vivek@serverB:/tmp/

ssh -t root@serverB sudo mv -v /tmp/node_01 /etc/tinc/vpn0/hosts/


Then, copy /etc/tinc/vpn0/hosts/node_02 to serverA. Use the scp command (type command on serverB):

scp /etc/tinc/vpn0/hosts/node_02 vivek@serverA:/tmp/
ssh -t root@serverA sudo mv -v /tmp/node_02 /etc/tinc/vpn0/hosts/


How to enable and start tinc service (type it on both serverA and serverB)?

To do this, Type the systemctl command to enable tinc@vpn0 to enable individual networks:

sudo systemctl enable tinc@vpn0


To Start tinc, execute:

sudo systemctl start tinc@vpn0


To Stop or restart tinc, execute:

sudo systemctl stop tinc@vpn0
sudo systemctl restart tinc@vpn0


To Find the status of tinc, execute:

sudo systemctl status tinc@vpn0


Finally, Verify it using the ps command/pgrep command and netstat command/ss command;

ps aux | grep tincd
ss -tulpn


You can use the ping command to make sure you can reach to each node;

ping vpn1
ping vpn2
ping 172.16.1.5
ping 172.16.1.6


[Need additional support to set up Tinc VPN on your Linux Server? We are available to help you today.]

This article will guide you on how to install and set up a tinc VPN along with firewall configuration on Ubuntu 18.04 and 20.04 LTS.

Related Posts