The initial directory structure, configuration files and public/private keypairs are created using the following command:
tinc -n netname init name
(You will need to run this as root, or use "sudo".) This will create the configuration directory /etc/tinc/netname., and inside it will create another directory named hosts/. In the configuration directory, it will create the file tinc.conf with the following contents:
Name = name
It will also create private RSA and Ed25519 keys, which will be stored in the files rsa_key.priv and ed25519_key.priv. It will also create a host configuration file hosts/name, which will contain the corresponding public RSA and Ed25519 keys.
Finally, on UNIX operating systems, it will create an executable script tinc-up, which will initially not do anything except warning that you should edit it.
Unless you want to use tinc in switch mode, you should now configure which range of addresses you will use on the VPN. Let’s assume you will be part of a VPN which uses the address range 192.168.0.0/16, and you yourself have a smaller portion of that range: 192.168.2.0/24. Then you should run the following command:
tinc -n netname add subnet 192.168.2.0/24
This will add a Subnet statement to your host configuration file. Try opening the file /etc/tinc/netname/hosts/name in an editor. You should now see a file containing the public RSA and Ed25519 keys (which looks like a bunch of random characters), and the following line at the bottom:
Subnet = 192.168.2.0/24
If you will use more than one address range, you can add more Subnets. For example, if you also use the IPv6 subnet fec0:0:0:2::/64, you can add it as well:
tinc -n netname add subnet fec0:0:0:2::/24
This will add another line to the file hosts/name. If you make a mistake, you can undo it by simply using ‘del’ instead of ‘add’.
If you want other tinc daemons to create meta-connections to your daemon, you should add your public IP address or hostname to your host configuration file. For example, if your hostname is foo.example.org, run:
tinc -n netname add address foo.example.org
In order for two tinc daemons to be able to connect to each other, they each need the other’s host configuration files. So if you want foo to be able to connect with bar, You should send hosts/name to bar, and bar should send you his file which you should move to hosts/bar. If you are on a UNIX platform, you can easily send an email containing the necessary information using the following command (assuming the owner of bar has the email address firstname.lastname@example.org):
tinc -n netname export | mail -s "My config file" email@example.com
If the owner of bar does the same to send his host configuration file to you, you can probably pipe his email through the following command, or you can just start this command in a terminal and copy&paste the email:
tinc -n netname import
If you are the owner of bar yourself, and you have SSH access to that computer, you can also swap the host configuration files using the following command:
tinc -n netname export \ | ssh bar.example.org tinc -n netname exchange \ | tinc -n netname import
You can repeat this for a few other nodes as well. It is not necessary to manually exchange host config files between all nodes; after the initial connections are made tinc will learn about all the other nodes in the VPN, and will automatically make other connections as necessary.