Virtual Private Networks (VPN) are an essential part of any serious network security deployment plan. There are many open-source VPN options, but one of them shines above the others: tinc. All VPNs behave as a secure tunnel between two points, but tinc stands out for its "Peer-to-Peer" design. The design allows tinc users a great deal of flexibility, especially when planning a mesh-type network.

From a simple two-server connection to a complex mesh private network, this guide will show you how to configure tinc VPN in three different use-case scenarios.

You will need at least two Linodes for this guide. Complete the following steps for each one:

Follow the Setting Up and Securing a Compute Instance guide to create a standard user account, harden SSH access and remove unnecessary network services.

This guide will use sudo wherever possible. Please ensure you have access to privileged user rights.

Update your packages:

sudo apt update && sudo apt upgrade

Ubuntu 16.04 will be used for all of the Linodes in this guide. Ubuntu's repositories carry an older version of tinc, so you will have to build it from source. At the time of this writing, the latest stable version of tinc is 1.0.33.

Install the necessary dependencies for building tinc:

sudo apt install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev

Get the latest version of tinc from the developer's site:

wget <URL of tinc-1.0.33.tar.gz on the tinc site>

Extract the archive in a temporary folder:

tar -xf tinc-1.0.33.tar.gz

Compile tinc on your system:

cd tinc-1.0.33

A typical use case for a two-node tinc is web-based invoicing software, where the database should be on a separate server (for security and disaster recovery) and needs to communicate sensitive data to the application server through the internet. This is a straightforward setup involving only two instances, an application server (which we'll call appserver) and a database server (dbserver). Each instance will run on a separate Linode.

In order to focus on tinc configuration, three assumptions are made:

There are no active firewalls on any server.
Each server is connected directly to the Internet (no router or proxy is involved).
Each server is running the same version of tinc.

Before getting started, it's a good idea to make a cheat sheet for yourself listing each node's public IPv4 address, desired VPN address, VPN network name designation, and tinc-daemon name. For the current use case, the following information will be used for tinc configuration:

VPN and daemon names must be unique and can't contain any spaces or special symbols. The VPN address can be an arbitrary private IPv4 address; the only rule to follow (if you want to avoid extra routing work) is that all nodes must share the same network prefix, just like a typical LAN. Throughout this guide, replace the IP address for each server with the public IP address of the corresponding Linode.

You can implement as many tinc networks as you need, as long as you create a unique working directory for each one (gaming VPN, backups VPN, etc.). The name of the folder must match the designated name for your VPN, in this case linodeVPN. You also need to use the same structure across the servers, which means you need to create the working directory on both:

sudo mkdir -p /etc/tinc/linodeVPN/hosts

You will be required to set up a main configuration file titled tinc.conf on each server. The default location for this file is the root of the working directory. Let's start with the application server's file:

Host Files Interchange

At this point, you have configuration files created on each server. Because of tinc's P2P nature, the last thing you need to do is interchange host files between nodes.

From the application server (the mv is then run on the database server, where the file arrives in /tmp):

scp /etc/tinc/linodeVPN/hosts/appserver <user>@<dbserver public IP>:/tmp
sudo mv -v /tmp/appserver /etc/tinc/linodeVPN/hosts/

From the database server (the mv is then run on the application server):

scp /etc/tinc/linodeVPN/hosts/dbserver <user>@<appserver public IP>:/tmp
sudo mv -v /tmp/dbserver /etc/tinc/linodeVPN/hosts/

Start the tincd daemon on the application server:

sudo tincd -n linodeVPN -D -d3

Do the same on the database server:

sudo tincd -n linodeVPN -D -d3

A debug level of 3 was chosen in the tincd command. This will log all requests from other daemons and include the authentication chain between them. See the tincd documentation for more information about debug levels.

You can open another terminal (e.g., on appserver) and check the active interfaces:

sudo ip a

If everything was configured successfully, you should see output similar to this:

It's time to test your newly configured VPN. There are many ways to accomplish this, but we'll use scp here.
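As an added example (not code from the Linode guide), a small Python check for the cheat-sheet rules stated above: names unique and free of spaces or special symbols, VPN addresses private and sharing one network prefix, plus the host-file paths each node must hold after the interchange. The names linodeVPN, appserver and dbserver are the guide's; the public and VPN addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed cheat sheet for the two-node use case: the names are the guide's,
# the public IPs are documentation-range placeholders, the VPN addresses are assumptions.
NETNAME = "linodeVPN"
NODES = [
    {"name": "appserver", "public_ip": "203.0.113.10", "vpn_address": "10.0.0.1/24"},
    {"name": "dbserver", "public_ip": "203.0.113.20", "vpn_address": "10.0.0.2/24"},
]

# No spaces or special symbols (the guide's rule); assumes letters, digits and underscore.
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

def check_cheat_sheet(netname, nodes):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    if not NAME_RE.match(netname):
        problems.append(f"network name {netname!r} contains spaces or special symbols")
    names, networks = set(), set()
    for node in nodes:
        name = node["name"]
        if not NAME_RE.match(name):
            problems.append(f"daemon name {name!r} contains spaces or special symbols")
        if name in names:
            problems.append(f"daemon name {name!r} is used more than once")
        names.add(name)
        try:
            iface = ipaddress.ip_interface(node["vpn_address"])
        except ValueError:
            problems.append(f"{name}: VPN address {node['vpn_address']!r} is not valid")
            continue
        if iface.version != 4 or not iface.ip.is_private:
            problems.append(f"{name}: VPN address {iface.ip} is not a private IPv4 address")
        networks.add(iface.network)  # e.g. 10.0.0.0/24; every node must share it
    if len(networks) > 1:
        nets = ", ".join(sorted(str(n) for n in networks))
        problems.append(f"VPN addresses span several prefixes ({nets}); extra routing would be needed")
    return problems

def host_file_layout(netname, nodes):
    """Paths every node must hold once the host files have been interchanged."""
    return sorted(f"/etc/tinc/{netname}/hosts/{node['name']}" for node in nodes)

if __name__ == "__main__":
    for line in check_cheat_sheet(NETNAME, NODES) or ["cheat sheet is consistent"]:
        print(line)
    print("\n".join(host_file_layout(NETNAME, NODES)))
```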