Exposing home hosted services on internet with tinc

Erich Eckner tinc at eckner.net
Mon Nov 25 09:13:52 CET 2019



On Mon, 25 Nov 2019, André Rodier wrote:

> Hello,

Hi,

> I need to build a VPN, and I am not sure if tinc is the right tool to
> use. I am more familiar with OpenVPN.

I was an openvpn user before, too, but since I encountered tinc, I really 
much like it :-)

>
> I have a few boxes at home, behind a router with a dynamic IP
> address. Those boxes host some services, like web sites, for instance.
>
> I have a server hosted online, with a few IPv4 and IPv6 addresses. All
> addresses being static, of course.
>
> I am planning to use tinc on Debian, to "expose" the services hosted on
> these "home" boxes on IPv4/IPv6 addresses, using tinc VPN. The NAT
> would occur in the tunnel. I can write the nat/masquerade rules.
>
> The big question is, does tinc need the two nodes have a static IP
> address ?

No, tinc does not need *any* static IPs (OpenVPN does not need any either)
- as long as one host can be reached by whatever means (DDNS can help
here). OTOH, it is convenient to have *one* static IP and let the other
hosts connect to that one host by IP - pretty much like with OpenVPN. But:
tinc adds the advantage that all clients will automatically try to send
traffic to each other directly, so when you use the VPN in your local
network, chances are good that (besides the first few packages) no data
packages will leave your home net at all. Note: this happens automatically
and no additional configuration is needed from your side.

To put this in context to André's answer: (I think) he means the IPs of
the boxes *inside* tinc to be static - the outside IPs can be dynamic and
unknown.

>
> I don't want to modify the router configuration or to create nat rules
> in the home router.

From the router's view the home boxes are "clients" which have outgoing
connections to your outside server (assuming that one does not reside
behind a NAT, too). All the routing/NAT should happen at the outside
server. That is, if you choose to run one tinc on each home box which will
provide a service - in case you want (for whatever reason) to run only one
tinc instance in your home net, that one will need to do some routing,
too - obviously.

>
> Thanks,
> André

regards,
Erich
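The topology described in this reply, written out as an added example (not code from the thread or from the tinc project): one outside server with a static public IP that the home boxes dial into, static addresses *inside* tinc, and all DNAT/masquerading done at the outside server. The net name `homenet`, the node names, `10.20.0.0/24` and `203.0.113.10` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal tinc layout for one
# outside server with a static public IP and one home box behind NAT, plus
# the nftables rules that expose the home box's web server on the public IP.
# Net name, node names and addresses are placeholders. Keys are generated
# separately (tincd -n $NET -K) and the hosts/* files are copied both ways.
set -eu

NET=${NET:-homenet}
ROOT=${ROOT:-/etc/tinc}               # point at a scratch dir for a dry run
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}  # outside server's static IP (doc range)
VPN_OUT=10.20.0.1                     # static addresses *inside* the tunnel
VPN_HOME=10.20.0.2

# Write tinc.conf, this node's host file and tinc-up under $ROOT/$NET.
# $1 node name, $2 tinc-internal address, $3 ConnectTo (empty on the
# outside server, which only listens), $4 public Address (outside only).
write_node() {
  d="$ROOT/$NET"; mkdir -p "$d/hosts"
  printf 'Name = %s\nMode = router\nInterface = tinc0\n' "$1" > "$d/tinc.conf"
  [ -z "${3:-}" ] || printf 'ConnectTo = %s\n' "$3" >> "$d/tinc.conf"
  printf 'Subnet = %s/32\n' "$2" > "$d/hosts/$1"
  [ -z "${4:-}" ] || printf 'Address = %s\n' "$4" >> "$d/hosts/$1"
  printf '#!/bin/sh\nip link set "$INTERFACE" up\nip addr add %s/24 dev "$INTERFACE"\n' \
    "$2" > "$d/tinc-up"
  chmod +x "$d/tinc-up"
}

# Outside server only: DNAT the public IP's web ports into the tunnel, and
# masquerade so the home box replies back through tinc instead of via its
# own default route through the home router.  Needs net.ipv4.ip_forward=1.
nft_rules() {
  cat <<EOF
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    ip daddr $PUBLIC_IP tcp dport { 80, 443 } dnat to $VPN_HOME
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "tinc0" ip daddr $VPN_HOME masquerade
  }
}
EOF
}

case "${1:-}" in
  outside) write_node outside "$VPN_OUT" "" "$PUBLIC_IP" ;;
  home)    write_node home "$VPN_HOME" outside ;;
  nft)     nft_rules ;;   # pipe into: nft -f - (on the outside server)
esac
```

Run it as `sh setup.sh outside` on the static server and `sh setup.sh home` on each home box, then `sh setup.sh nft | nft -f -` on the outside server; the home router needs no change because the home box only makes an outgoing connection to `Address`.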


