The initial directory structure, configuration files and public/private keypairs are created using the following command:
tinc -n netname init name
(You will need to run this as root, or use "sudo".) This will create the configuration directory /etc/tinc/netname, and inside it will create another directory named hosts/. In the configuration directory, it will create the file tinc.conf with the following contents:
Name = name
It will also create private RSA and Ed25519 keys, which will be stored in the files rsa_key.priv and ed25519_key.priv. It will also create a host configuration file hosts/name, which will contain the corresponding public RSA and Ed25519 keys.
Finally, on UNIX operating systems, it will create an executable script tinc-up, which will initially do nothing except warn that you should edit it.
Unless you want to use tinc in switch mode, you should now configure which range of addresses you will use on the VPN. Let’s assume you will be part of a VPN which uses the address range 192.168.0.0/16, and you yourself have a smaller portion of that range: 192.168.2.0/24. Then you should run the following command:
tinc -n netname add subnet 192.168.2.0/24
This will add a Subnet statement to your host configuration file. Try opening the file /etc/tinc/netname/hosts/name in an editor. You should now see a file containing the public RSA and Ed25519 keys (which looks like a bunch of random characters), and the following line at the bottom:
Subnet = 192.168.2.0/24
If you will use more than one address range, you can add more Subnets. For example, if you also use the IPv6 subnet fec0:0:0:2::/64, you can add it as well:
tinc -n netname add subnet fec0:0:0:2::/64
This will add another line to the file hosts/name. If you make a mistake, you can undo it by simply using ‘del’ instead of ‘add’.
If you want other tinc daemons to create meta-connections to your daemon, you should add your public IP address or hostname to your host configuration file. For example, if your hostname is foo.example.org, run:
tinc -n netname add address foo.example.org
If you already know to which daemons your daemon should make meta-connections, you should configure that now as well. Suppose you want to connect to a daemon named "bar", run:
tinc -n netname add connectto bar
Note that you specify the Name of the other daemon here, not an IP address or hostname! When you start tinc, and it tries to make a connection to "bar", it will look for a host configuration file named hosts/bar, and will read Address statements and public keys from that file.
If your daemon has a ConnectTo = bar statement in its tinc.conf file, or if bar has a ConnectTo statement naming your daemon, then you both need each other’s host configuration files. You should send hosts/name to bar, and bar should send you his file, which you should move to hosts/bar. If you are on a UNIX platform, you can easily send an email containing the necessary information using the following command (assuming the owner of bar has the email address email@example.com):
tinc -n netname export | mail -s "My config file" email@example.com
If the owner of bar does the same to send his host configuration file to you, you can probably pipe his email through the following command, or you can just start this command in a terminal and copy&paste the email:
tinc -n netname import
If you are the owner of bar yourself, and you have SSH access to that computer, you can also swap the host configuration files using the following command:
tinc -n netname export \
  | ssh bar.example.org tinc -n netname exchange \
  | tinc -n netname import
You should repeat this for all nodes you ConnectTo, or which ConnectTo you. However, remember that you do not need to ConnectTo all nodes in the VPN; it is only necessary to create one or a few meta-connections. Once those connections are made, tinc will learn about all the other nodes in the VPN and will automatically make other connections as necessary.
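After running the commands above on each node, it is easy to end up with a ConnectTo that has no matching hosts/ file, a peer file without an Address, or two nodes claiming overlapping Subnets. The following script, an added example that is not part of the tinc manual or the tinc project, parses the plain "Key = value" format of tinc.conf and the hosts/ files and reports those inconsistencies. The VPN range (192.168.0.0/16), the node names "bar", "baz" and "quux", and the sample files it writes into a temporary directory are all constructed here for the demonstration; MAC-address Subnets used in switch mode are only flagged as not checked.

```python
"""Consistency check for a tinc network directory (added example, not tinc's own code)."""
import ipaddress
import os
import re
import tempfile

STATEMENT = re.compile(r"^([A-Za-z0-9]+)\s*=\s*(\S.*)$")


def parse_tinc_file(path):
    """Return (key, value) pairs from a tinc.conf or hosts/* file.
    Blank lines, '#' comments and PEM key blocks are skipped; a key may repeat
    (e.g. several ConnectTo or Subnet statements)."""
    pairs, in_pem = [], False
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("-----BEGIN"):
                in_pem = True
                continue
            if line.startswith("-----END"):
                in_pem = False
                continue
            if in_pem or not line or line.startswith("#"):
                continue
            match = STATEMENT.match(line)
            if match:
                pairs.append((match.group(1), match.group(2).strip()))
    return pairs


def check_network(confdir, vpn_range):
    """Return a list of problem descriptions; an empty list means the layout is consistent."""
    problems = []
    vpn = ipaddress.ip_network(vpn_range)
    hosts_dir = os.path.join(confdir, "hosts")
    pairs = parse_tinc_file(os.path.join(confdir, "tinc.conf"))
    my_name = next((v for k, v in pairs if k.lower() == "name"), None)
    if my_name is None or not os.path.isfile(os.path.join(hosts_dir, my_name)):
        problems.append("tinc.conf has no Name, or hosts/<Name> is missing")
    # Every ConnectTo needs hosts/<peer> with an Address to reach the peer.
    for peer in (v for k, v in pairs if k.lower() == "connectto"):
        peer_file = os.path.join(hosts_dir, peer)
        if not os.path.isfile(peer_file):
            problems.append(f"ConnectTo = {peer} but hosts/{peer} is missing")
        elif not any(k.lower() == "address" for k, _ in parse_tinc_file(peer_file)):
            problems.append(f"hosts/{peer} has no Address statement")
    # Subnets must lie inside the VPN range and must not overlap between hosts.
    seen = []  # (network, owning host)
    for host in sorted(os.listdir(hosts_dir)):
        for k, v in parse_tinc_file(os.path.join(hosts_dir, host)):
            if k.lower() != "subnet":
                continue
            try:
                net = ipaddress.ip_network(v, strict=False)
            except ValueError:
                problems.append(f"hosts/{host}: Subnet {v} is not an IP subnet (not checked)")
                continue
            if net.version == vpn.version and not net.subnet_of(vpn):
                problems.append(f"hosts/{host}: Subnet {net} lies outside {vpn}")
            for other, owner in seen:
                if other.version == net.version and other.overlaps(net):
                    problems.append(f"hosts/{host}: Subnet {net} overlaps {other} of {owner}")
            seen.append((net, host))
    return problems


def build_sample(root):
    """Write a constructed layout: our node 'name', peer 'bar' (fine), peer 'baz'
    (one Subnet outside the range, one colliding with ours) and a ConnectTo to
    'quux' that has no hosts file."""
    hosts = os.path.join(root, "hosts")
    os.makedirs(hosts)
    files = {
        "tinc.conf": "Name = name\nConnectTo = bar\nConnectTo = quux\n",
        "hosts/name": ("-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAconstructed==\n"
                       "-----END RSA PUBLIC KEY-----\nEd25519PublicKey = constructedkey\n"
                       "Subnet = 192.168.2.0/24\nSubnet = fec0:0:0:2::/64\n"
                       "Address = foo.example.org\n"),
        "hosts/bar": "Address = bar.example.org\nSubnet = 192.168.3.0/24\n",
        "hosts/baz": "Subnet = 10.0.0.0/24\nSubnet = 192.168.2.128/25\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


def run_demo():
    """Build the sample layout in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return check_network(root, "192.168.0.0/16")


if __name__ == "__main__":
    for problem in run_demo():
        print(problem)
```

Point check_network at a real /etc/tinc/netname (read access to the hosts/ directory is enough, since it never reads the private key files) to get the same report for your own configuration.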