Tinc and OpenWRT

Florian Klink flokli at flokli.de
Mon Jun 15 13:34:40 CEST 2015



Is your package built with or without OpenSSL? How do you integrate
with UCI?

Can I view the makefile somewhere?

Florian

On 15.06.2015 at 11:48, shikkc wrote:
> I already have a package made, if anyone would like me to I could submit
> it.
> 
> On 2015-06-13 17:26, Florian Klink wrote:
>> Hey Saverio,
>>
>> I'd really like the idea of a tinc-1.1-pre package for OpenWRT. I'm
>> currently using tinc-1.1 with an Ed25519-only network, really like the
>> new features and CLI and want to add some OpenWRT routers into the mix.
>>
>> How do you plan to handle things with OpenSSL?
>> tinc-1.1 from git should be able to compile without it (but will then
>> only support the built-in algorithms). Depending on device restrictions,
>> such a version could also be very interesting.
>>
>> Florian
>>
>>
>>
>> On 30.01.2015 at 14:46, Saverio Proto wrote:
>>> Hello Jonathan,
>>>
>>> I will probably make a tinc 1.1 OpenWrt package soon. I am already
>>> maintainer for the 1.0 package.
>>>
>>> If you want to read about how to make the package there is this very
>>> good documentation:
>>>
>>> http://wiki.prplfoundation.org/wiki/Creating_an_OpenWrt_package_for_a_web_page
>>>
>>>
>>> Saverio
>>>
>>>
>>>
>>> 2015-01-29 19:02 GMT+01:00 Jonathan Clark
>>> <tinc-list-fc5DsTjUV5eaXpRTH7SBZA at public.gmane.org>:
>>>> On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
>>>>> I use the Tinc 1.0 series since I don't want to support my
>>>>> own packages.  <snip>
>>>>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>>>>> what I still use. Since then . . .
>>>>
>>>> Ok. I think I'll start with the 1.0 series packages that are already
>>>> out there and get them working.
>>>>
>>>> and on Tue, Jan 27, 2015, Lance wrote:
>>>>> The scripts used to create these binaries are here if you'd like to
>>>>> recreate
>>>>> them.
>>>>> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
>>>>>
>>>>> https://github.com/lancethepants/tinc-arm-musl-static
>>>>
>>>> Thanks.  I'll start playing with those once I succeed (or otherwise)
>>>> with the pre-packaged stuff.
>>>>
>>>> On Tue, Jan 27, 2015 at 10:12 AM, Sandy McArthur Jr
>>>> <sandy-VS8MnoN11Rtg9hUCZPvPmw at public.gmane.org> wrote:
>>>>> Jonathan,
>>>>> I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt
>>>>> installed. I use the Tinc 1.0 series since I don't want to support my
>>>>> own packages.
>>>>>
>>>>> OpenWrt has a nice unified configuration system. Tinc has a nice
>>>>> configuration directory structure. What OpenWrt has done to merge
>>>>> these two concepts overcomplicates things, and generally sucks.
>>>>>
>>>>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>>>>> what I still use. Since then I wrote the script below to help automate
>>>>> adding of new hosts in a network.
>>>>>
>>>>> A tip I've found when putting tinc on your gateway device is to bind
>>>>> to several ports so you have options with mobile devices when they are
>>>>> behind firewalls that block low ports. I tend to use 655 (tinc), 1194
>>>>> (openvpn), 65500 (tinc * 100 so it's a high port number). Be careful
>>>>> how you use this as some older versions of Tinc on OpenWrt crash on
>>>>> startup when the .../NETWORK/hosts/NODENAME file lists multiple
>>>>> "Address = .... : [port]" lines.
>>>>>
>>>>> Also, I like to have a backup method to find and remote to an OpenWrt
>>>>> device (ddns and ssh) but if you allow ssh from the internet to your
>>>>> gateway, it will get slammed on with logins by brute force all the
>>>>> time. This is a good reason to make use of SSH-Keys and disallow
>>>>> password authentication in the Dropbear config (option
>>>>> RootPasswordAuth 'off').
>>>>>
>>>>> Finally, some of my Tinc deployments are at locations that are not
>>>>> staffed by technical people and would take me 3+ hours to travel to. I
>>>>> now always configure these devices to daily reboot and they often have
>>>>> a second Tinc network configured with a minimal, known good config
>>>>> that doesn't change that I can use to remotely admin and fix the main
>>>>> Tinc network config if I botch it up.
>>>>>
>>>>>
>>>>> #!/bin/sh
>>>>>
>>>>> # Register every tinc host file as a tinc-host section in UCI.
>>>>> for network in /etc/tinc/*/
>>>>> do
>>>>>         netname=$(basename "$network")
>>>>>         echo "Tinc Network Name: $netname"
>>>>>
>>>>>         for host in "/etc/tinc/$netname/hosts/"*
>>>>>         do
>>>>>                 [ -e "$host" ] || continue # empty hosts directory
>>>>>                 hostname=$(basename "$host")
>>>>>                 echo "Tinc Network $netname Host: $hostname"
>>>>>
>>>>>                 # Only add hosts that UCI does not know yet.
>>>>>                 if ! uci -q get "tinc.$hostname" >/dev/null
>>>>>                 then
>>>>>                         uci set "tinc.$hostname=tinc-host"
>>>>>                         uci set "tinc.$hostname.net=$netname"
>>>>>                         uci set "tinc.$hostname.enabled=1"
>>>>>                         uci commit
>>>>>
>>>>>                 fi
>>>>>
>>>>>         done # for host
>>>>>
>>>>> done # for network
>>>>>
>>>>> On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark
>>>>> <tinc-list-fc5DsTjUV5eaXpRTH7SBZA at public.gmane.org> wrote:
>>>>>> Greetings.
>>>>>>
>>>>>> I'm new to tinc, but have so far managed to get a couple laptops
>>>>>> and a
>>>>>> hosted server all connected.  They're working as expected, running
>>>>>> Tinc 1.1-pre11, which I compiled from source.
>>>>>>
>>>>>> Next I want to move on to adding my home router into the mix.  My
>>>>>> routers run OpenWRT.  I don't have experience compiling anything from
>>>>>> source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.
>>>>>>
>>>>>> With that in mind, which direction should I move next?  I think my
>>>>>> options are:
>>>>>>
>>>>>> (option a)
>>>>>> Switch my existing/working Tinc setup to using RSA keys (instead of
>>>>>> Ed25519) so they can talk to the 1.0.25 packages available on
>>>>>> OpenWRT,
>>>>>> and then go on to figure out how to get the already-packaged Tinc
>>>>>> 1.0.25 working on my router.
>>>>>>
>>>>>> or
>>>>>> (option b)
>>>>>> Take a detour and learn how to cross-compile things for OpenWRT.  Use
>>>>>> this new knowledge to install Tinc 1.1pre11 onto my router.  Feel
>>>>>> accomplished.
>>>>>>
>>>>>> or something else?
>>>>>>
>>>>>> I'm exploring this mainly for the fun of figuring it out, so there's
>>>>>> no deadline or even a business reason to succeed.  Does that
>>>>>> suggest I
>>>>>> should tackle option a, and then go ahead and try option b, resulting
>>>>>> in twice the fun and sense of accomplishment?
>>>>>>
>>>>>> And, overall, how difficult are each of these options?
>>>>>>
>>>>>> Thanks, by the way, for all your work.  From what I've seen so far,
>>>>>> this project is pretty impressive.
>>>>>>
>>>>>> Jonathan
>>>>>> Kingston, New York, USA
>>>>>> _______________________________________________
>>>>>> tinc mailing list
>>>>>> tinc-NnCthlHDAqpg9hUCZPvPmw at public.gmane.org
>>>>>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Sandy McArthur, Jr.
>>>>>
>>>>> "No nation could preserve its freedom in the midst of continual
>>>>> warfare."
>>>>> - Letters and Other Writings of James Madison (1865), Vol. IV, p. 491
>>
>>
> 
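
The Dropbear tip quoted above (option RootPasswordAuth 'off') can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: a shell function that reads text in /etc/config/dropbear syntax and reports, per instance, whether passwords are still accepted. The sample config is constructed, and treating a missing option as 'on' and a missing Port as 22 are assumptions about the defaults.

```shell
#!/bin/sh
# Added example: audit dropbear UCI text for password logins.

# Constructed sample in /etc/config/dropbear syntax (not from the thread).
sample_config() {
    cat <<'EOF'
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'

config dropbear
	option RootPasswordAuth 'off'
	option Port '2222'
EOF
}

# audit_dropbear [FILE]: one report line per "config dropbear" section.
# Returns 1 if any section still accepts a password. A missing option is
# treated as "on" (assumption about the defaults), so silence is not safe.
audit_dropbear() {
    awk '
    function strip(v) { gsub(/^["\047]|["\047]$/, "", v); return v }
    function is_off(v) { return v ~ /^(off|0|no|false|disabled)$/ }
    function emit(   verdict) {
        if (!insec) return
        if (!is_off(root))    verdict = "root-pw-allowed"
        else if (!is_off(pw)) verdict = "user-pw-allowed"
        else                  verdict = "keys-only"
        printf "@dropbear[%d] port=%s PasswordAuth=%s RootPasswordAuth=%s %s\n", n - 1, port, pw, root, verdict
        if (verdict != "keys-only") bad = 1
        insec = 0
    }
    $1 == "config" {
        emit()
        if (strip($2) == "dropbear") { insec = 1; n++; pw = "on"; root = "on"; port = "22" }
        next
    }
    insec && $1 == "option" {
        val = strip($3)
        if ($2 == "PasswordAuth") pw = val
        else if ($2 == "RootPasswordAuth") root = val
        else if ($2 == "Port") port = val
    }
    END { emit(); exit bad + 0 }
    ' "$@"
}

sample_config | audit_dropbear || echo "password logins still possible"
```

On a router the function would be pointed at the real file, for example `audit_dropbear /etc/config/dropbear`.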



