Sunday, January 6, 2013

Private VPN with TINC

I have two computers at home on a 100 Mbps broadband internet connection, a very powerful computer at work and a Samsung Galaxy S2 i9100 smartphone on unlimited mobile broadband (21 Mbps).

What I wanted was a secure and seamless connection between these devices for sharing things, RDP, Crashplan backup, LAN gaming, etc., plus the option to connect my home in Kosovo, where my parents live, into this network.

DISCLAIMER: My knowledge of networking is very, very limited, and setting up TINC requires quite a bit of networking knowledge; this was my biggest struggle in getting it up and running. If you have questions I'll try to help you as much as I can, but the help might be limited.

To make this work you will need at least one public IP address and the ability to forward port 655 to the machine running TINC.

Okay let's start.

Install TINC VPN on Microsoft Windows

First download Tinc from http://www.tinc-vpn.org/download/. You have two options, Stable and Pre-Release. I started with Pre-Release, but there was a bug where after a while tinc went into a loop and stopped working (also consuming CPU), so I suggest you go with Stable; the two are also configured slightly differently. After all, you want to set this up and forget it.

Install TINC. At http://www.tinc-vpn.org/examples/windows-install/ you'll find instructions on how to install and even configure it, but we'll handle the configuration part here.

After you have installed Tinc, install the virtual network device by running addtap.bat as administrator (right-click and choose Run as Administrator). Depending on your operating system you can find it in C:\Program Files (x86)\tinc\tap-win64 or C:\Program Files (x86)\tinc\tap-win32, or, if you have a 32-bit OS, in C:\Program Files\tinc\tap-win32.


Configure TINC VPN on Microsoft Windows

Note: Tinc keeps its configuration files in the same location it is installed in, which makes it a little harder to work with them if you have UAC on.

In this post we will use CMD for most of the configuration, but feel free to use plain old Notepad or the text editor of your choice (probably Notepad++).

To run CMD.exe as Administrator, click the start menu (Win key), type cmd, then right-click and choose Run as Administrator (important).



Now begin by typing only the commands; the lines in parentheses are explanations, not part of the command.
I assume that this will be the computer that has port 655 open on a public IP, and that the other computers/devices behind NAT will connect to it.

cd "c:\Program Files (x86)\tinc"
mkdir base
(I will call this 1st computer "base".)
echo Name = base > base\tinc.conf
(This sets this computer's name within the VPN.)
echo Interface = tincvpn >> base\tinc.conf
(If you have created multiple network devices, this says which one this configuration will use, because you can have multiple VPNs :) )

Now we need to create a folder in "base" called "hosts", where we will put information about this computer and the others we will connect later.
mkdir base\hosts
echo Subnet = 172.20.1.1/32 > base\hosts\base

echo Address = 1.2.3.4 >> base\hosts\base

or
echo Address = mybase.dyndns.org >> base\hosts\base

Address here should be your public IP address; don't use 1.2.3.4. If you don't have a static IP then I really recommend using one of the many free dynamic DNS providers and adding that hostname instead of the IP.


The next step is to generate a keypair for security, so that only the peers we trust and exchange host files (which carry the public keys) with will be able to connect to our network.

tincd.exe -n base -K

and accept the defaults by pressing Enter twice.


It should look something like this:


If you open base\hosts\base in a text editor it will look something like this:

Subnet = 172.20.1.1/32
Address = mybase.dyndns.org

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA83RaNhLW0YzwpVQ2094qMRCtxRyhSrLmQSxKXox5BjaK8lqz4FSx
RMWbwUjl66YhIczUkV8PvXIlVRXknjsKkwlHyQxWY2lZQjdl7mrKgON64LQDF1SJ
7o8PWMV2a4Pe5vV8EdStEP9Z/17azF4vG0OKcIsKmXrd4eMdlWLb+TZJ1UA9Lp/G
4kxLIE/KJDdXye/cmnp+xX2Rl3Pgid8CAlIlMST3mh8q9reYKwNvH9dzNtzESBwp
R1tO/TrH+1Mx0p66vaZL4WWiwSf20VZFibOMDZlNG29ow4K96OtqoqsTzdY9UOhy
w0tYr75zrhub06yB99+q3Kzrqvpu4nIlbwIDAQAB
-----END RSA PUBLIC KEY-----


And base\tinc.conf something like this:

Name = base
Interface = tincvpn

Those who don't want to type into CMD can create all these configuration files in Notepad and then copy them into the correct location (in our example "C:\Program Files (x86)\tinc\base\"). Though, you will still need to generate your own keypair, because using my public key won't work if you don't have the matching private key.

Now we have to configure the network interface we created at the very beginning, right after we installed Tinc.
Go to Control Panel\Network and Internet\Network Connections and rename the TAP-Win32 Adapter device (called Local Area Connection x) to "tincvpn".
Right-click it and choose Properties, select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Enter IP: 172.20.1.1
Subnet mask: 255.255.255.0

I used the subnet 172.20.1.0/24 because the 192.168.x.x and 10.x.x.x ranges were causing all kinds of trouble, being already in use at work and at home.
OK, our first machine is done. Let's install and configure the second machine.

Second Machine

Install Tinc and fire up CMD

cd "c:\Program Files (x86)\tinc"
mkdir homeserver
echo Name = homeserver > homeserver\tinc.conf
echo ConnectTo = base >> homeserver\tinc.conf
echo Interface = tincvpn >> homeserver\tinc.conf
mkdir homeserver\hosts
echo Subnet = 172.20.1.2/32 > homeserver\hosts\homeserver
tincd.exe -n homeserver -K

If you observed well, we omitted the command echo Address = mybase.dyndns.org >> base\hosts\base, because the "Address" option defines the public IP and this computer is behind NAT. And we added a new one, "ConnectTo = base", so that this node will connect to our base.


Configure the network device you created after installation by first renaming it to "tincvpn", then use the following IP:

IP: 172.20.1.2
Subnet: 255.255.255.0

Exchange

Copy the host files from the base computer to homeserver and vice versa.
Copy the file "C:\Program Files (x86)\tinc\base\hosts\base" from the 1st computer to "C:\Program Files (x86)\tinc\homeserver\hosts\" on the 2nd computer.
And copy the file "C:\Program Files (x86)\tinc\homeserver\hosts\homeserver" from the 2nd computer to "C:\Program Files (x86)\tinc\base\hosts\" on the 1st computer (the 1st computer's network directory is "base", so its hosts folder lives there).
So each computer has both host files.

Run the TINCD

We are done; the last command we run on the 1st computer is
tincd.exe -n base

This will create the service and start it (it will automatically start the VPN when the computer is started or rebooted) :)


And nearly the same on the 2nd computer:
tincd.exe -n homeserver

Voila! You should be up and running.

Troubleshooting

Ping: unless your firewall is blocking ICMP packets (ping), it's the best tool to check the connection. Temporarily disable the firewall on each computer and ping each computer to check that everything is OK. We are using the IPs 172.20.1.1 and 172.20.1.2, so ping both IPs from both computers.

While troubleshooting I strongly suggest you run tinc in debug mode so you can see what's going on.
Stop the service if it's running and run tinc like this (debug level 3, in the foreground):

tincd.exe -n base -d3 -D

Troubleshooting tips, configuration options, documentation, examples and much more can be found in TINC-VPN's own documentation: http://www.tinc-vpn.org/documentation/tinc_toc.html#SEC_Contents

Android

I'm running +CyanogenMod 10 on my Galaxy S2 i9100 and it works very well; I'm not sure how it will work on other devices/ROMs.

Since it would be cumbersome to create all the configuration on the Android device itself, we will use our "base" machine to do that.

cd "c:\Program Files (x86)\tinc"
mkdir android

echo ScriptsInterpreter = /system/bin/sh > android\tinc.conf

echo Device = /dev/tun >> android\tinc.conf
echo Name = android >> android\tinc.conf
echo ConnectTo = base >> android\tinc.conf

mkdir android\hosts

echo Subnet = 172.20.1.3/32 > android\hosts\android

tincd.exe -n android -K

Create the tinc-up file (the Android network device configuration):

echo #!/bin/sh > android\tinc-up

echo ifconfig $INTERFACE 172.20.1.3 netmask 255.255.255.0 >> android\tinc-up

Important: exchange host files between this "android" node and "base", then copy the whole "android" folder from the computer to your Android phone.


Get Tinc GUI from the Google Play Store on your device, open it, press the wrench icon (settings), select Configuration path and choose the folder where you copied the "C:\Program Files (x86)\tinc\android" folder, press OK, enable Execute as Super User and go back.

Press Start and enjoy the new world.

If you get an error about the device /dev/tun, remove that line and try again.

Linux

I could test on a Debian server which luckily happens to have a public IP, which will help us increase redundancy if one of the hosts is down. However, I barely tested it and cannot say the configuration is foolproof.

apt-get update
apt-get install tinc
(press Enter to confirm the installation)
mkdir -p /etc/tinc/debsrv/hosts
cd /etc/tinc/

echo Name = debsrv > debsrv/tinc.conf
echo ConnectTo = base >> debsrv/tinc.conf
echo Interface = tincvpn >> debsrv/tinc.conf

echo Subnet = 172.20.1.6/32 > debsrv/hosts/debsrv
echo Address = nfsserver.dyndns.org >> debsrv/hosts/debsrv

tincd -n debsrv -K

echo debsrv >> /etc/tinc/nets.boot
echo '#!/bin/sh' | tee -a debsrv/tinc-up debsrv/tinc-down
echo 'ifconfig $INTERFACE 172.20.1.6 netmask 255.255.255.0' | tee -a debsrv/tinc-up
echo 'ifconfig $INTERFACE down' | tee -a debsrv/tinc-down
chmod 755 debsrv/tinc-up debsrv/tinc-down

(tinc looks for tinc-up and tinc-down inside the network's own directory, /etc/tinc/debsrv/, not in /etc/tinc/ itself, so the scripts must be created there.)

Don't forget to exchange host files between this server and base, and in fact with every other device.

If we have two hosts with public IPs we can have two ConnectTo lines on each node, so that if one goes down the others will still connect to the remaining one:
ConnectTo = base
ConnectTo = debsrv
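As an added example (my own code, not from the post or from the tinc project), here is a small Python script that renders the tinc.conf and hosts/NAME files for the nodes described above exactly as the echo commands do, parses a host file back, and checks the mesh before the host files are exchanged: every VPN IP must be inside 172.20.1.0/24 and unique, every ConnectTo target must exist and carry an Address (a node without an Address cannot be dialed), and it reports which host files each node still lacks. The node table reuses the post's own placeholder values (mybase.dyndns.org, nfsserver.dyndns.org, the 172.20.1.x addresses); the function names are mine, and the key text is passed in rather than generated, since only tincd -K produces a real keypair. It generalizes the post's two-ConnectTo redundancy idea by accepting any number of ConnectTo peers per node, and it renders the Windows/Linux style of tinc.conf (Interface = tincvpn), not the Android-specific Device/ScriptsInterpreter lines.

```python
# Added example: render and sanity-check the tinc configuration for the nodes in the post.
import ipaddress
import re

VPN_NET = ipaddress.ip_network("172.20.1.0/24")  # the post's VPN subnet

# Node definitions taken from the post; the hostnames are the post's placeholders.
NODES = {
    "base":       {"ip": "172.20.1.1", "address": "mybase.dyndns.org",    "connect_to": []},
    "homeserver": {"ip": "172.20.1.2", "address": None,                   "connect_to": ["base"]},
    "android":    {"ip": "172.20.1.3", "address": None,                   "connect_to": ["base"]},
    "debsrv":     {"ip": "172.20.1.6", "address": "nfsserver.dyndns.org", "connect_to": ["base"]},
}


def tinc_conf(name, nodes, interface="tincvpn"):
    """Render NET/tinc.conf for one node: Name, one ConnectTo per upstream, Interface."""
    node = nodes[name]
    lines = [f"Name = {name}"]
    lines += [f"ConnectTo = {peer}" for peer in node["connect_to"]]
    lines.append(f"Interface = {interface}")
    return "\n".join(lines) + "\n"


def host_file(name, nodes, public_key=None):
    """Render hosts/NAME: Subnet, Address (public nodes only), then the RSA public key
    block that 'tincd -n NET -K' appends. The key text is passed in, never generated here."""
    node = nodes[name]
    lines = [f"Subnet = {node['ip']}/32"]
    if node["address"]:
        lines.append(f"Address = {node['address']}")
    text = "\n".join(lines) + "\n"
    if public_key:
        text += "\n" + public_key.strip() + "\n"
    return text


KEY_BLOCK = re.compile(r"-----BEGIN RSA PUBLIC KEY-----.*?-----END RSA PUBLIC KEY-----", re.S)


def parse_host_file(text):
    """Read a hosts/NAME file back: all Subnet lines, the Address, and whether a key is present."""
    body = KEY_BLOCK.sub("", text)
    subnets, address = [], None
    for line in body.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "Subnet":
            subnets.append(value)
        elif key == "Address":
            address = value
    return {"subnets": subnets, "address": address, "has_key": bool(KEY_BLOCK.search(text))}


def validate_mesh(nodes):
    """Return a list of problems that would stop the mesh from forming (empty list = OK)."""
    problems = []
    seen = {}  # VPN IP -> first node that claimed it
    for name, node in nodes.items():
        ip = ipaddress.ip_address(node["ip"])
        if ip not in VPN_NET:
            problems.append(f"{name}: {ip} is outside {VPN_NET}")
        if ip in seen:
            problems.append(f"{name}: {ip} already used by {seen[ip]}")
        seen[ip] = name
        for peer in node["connect_to"]:
            if peer not in nodes:
                problems.append(f"{name}: ConnectTo = {peer} but no such node")
            elif not nodes[peer]["address"]:
                problems.append(f"{name}: ConnectTo = {peer} but {peer} has no Address")
        if not node["connect_to"] and not node["address"]:
            problems.append(f"{name}: no ConnectTo and no Address, nothing can reach it")
    if not any(node["address"] for node in nodes.values()):
        problems.append("no node has a public Address")
    return problems


def missing_host_files(nodes, present):
    """present maps node name -> set of file names in its hosts/ directory.
    Following the post, every node should hold its own host file and every peer's."""
    wanted = set(nodes)
    return {name: sorted(wanted - set(present.get(name, ()))) for name in nodes}


if __name__ == "__main__":
    for name in NODES:
        print(f"--- {name}/tinc.conf ---\n{tinc_conf(name, NODES)}")
    print("problems:", validate_mesh(NODES) or "none")
```

Run it as-is to print the four tinc.conf files and the check result; to try the redundancy setup, give homeserver "connect_to": ["base", "debsrv"] and the renderer emits both ConnectTo lines, while validate_mesh still passes because both targets carry an Address.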

Taking advantage of the Cloud

I love +Dropbox and have it installed on all my computers and use it everywhere. Since I have it on all my computers, it has really come in handy for the Tinc configuration files.

I created a folder Tinc with a subfolder for each computer's tinc configuration. Then I created a symbolic link to that folder in C:\Program Files (x86)\tinc\ using the command (the paths contain spaces, so they must be quoted):
1st computer: mklink /D "C:\Program Files (x86)\tinc\base" "C:\Users\Ilir\Dropbox\Tinc\base"
2nd computer: mklink /D "C:\Program Files (x86)\tinc\homeserver" "C:\Users\Ilir\Dropbox\Tinc\homeserver"

This way I have everything centralized, so if I make a change that affects many hosts I don't have to go to each computer; I do everything from one computer. Efficiency!

You can actually use any cloud storage, like +Google Drive, AeroFS, SkyDrive, Box...
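One thing worth checking when a whole network directory is linked into synced storage this way: tincd -K with the defaults (as accepted above by pressing Enter twice) writes the private key, rsa_key.priv, into that same directory, so the synced folder then holds it alongside the host files, and only the hosts/NAME files are meant to be distributed. As an added example (my own code, not from the post or from tinc), the script below walks such a synced tree and separates the files that must be shared with peers from the private keys and per-machine config; the directory layout it expects (NET/tinc.conf, NET/rsa_key.priv, NET/hosts/NAME) is tinc's default, and the sample paths in the usage are constructed.

```python
# Added example: audit a Tinc configuration tree that is synced to cloud storage.
import os

PRIVATE_KEY_NAME = "rsa_key.priv"  # tinc's default private key file name


def classify_paths(relative_paths):
    """Group files of a synced Tinc folder, given paths relative to that folder
    (forward slashes, e.g. 'base/hosts/base'), into private / shareable / config."""
    private, shareable, config = [], [], []
    for path in sorted(relative_paths):
        parts = path.split("/")
        if parts[-1] == PRIVATE_KEY_NAME:
            private.append(path)          # must stay on exactly one machine
        elif len(parts) >= 3 and parts[-2] == "hosts":
            shareable.append(path)        # hosts/NAME: Subnet, Address, public key
        else:
            config.append(path)           # tinc.conf, tinc-up, tinc-down, ...
    return {"private": private, "shareable": shareable, "config": config}


def list_tree(root):
    """Walk a real directory and return relative paths in the form classify_paths expects."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            paths.append(rel.replace(os.sep, "/"))
    return paths


def hosts_to_distribute(relative_paths):
    """For each network directory, the host files found under it: NET -> [host file names]."""
    out = {}
    for path in classify_paths(relative_paths)["shareable"]:
        net, _hosts, host = path.split("/")[-3:]
        out.setdefault(net, []).append(host)
    return out


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    report = classify_paths(list_tree(root))
    for path in report["private"]:
        print("private key present in synced folder:", path)
    for net, hosts in hosts_to_distribute(list_tree(root)).items():
        print(f"{net}: host files to give to peers -> {', '.join(hosts)}")
```

Point it at the Dropbox Tinc folder (python audit.py "C:\Users\Ilir\Dropbox\Tinc") and it lists every rsa_key.priv that the sync has picked up, plus the hosts files per network that are the only part peers need.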

Final thoughts

I'm far, far from a competent person in this area; I just got into private networks. TINC impressed me so much that I thought, if I can do it anyone can, so let's write a tutorial.
Regarding Tinc itself, so far so good, but remember I had only been running it for a couple of days at the time of writing; there could be problems, better and easier configurations, and what not. I'm looking forward to having more time to experiment with Tinc, and why not experiment with other solutions too.

Until next article or tutorial.

4 comments:

Unknown said...

Is there a way for the hosts to talk on the VPN network when the "base" computer goes off or a connectivity issue occurs?
