X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=doc%2FHOWTO;h=e1b6edfe24ec91fa6392ed080d4a8b58066fb711;hb=7c75090025a4b06290663e0033a62414f3368f7c;hp=f6511bf0c7b0d59de6fd1e624024dfd2f32ef04d;hpb=6f5aac4e39cd6fb2fb76c0121de3f3782f72f18e;p=tinc diff --git a/doc/HOWTO b/doc/HOWTO index f6511bf0..e1b6edfe 100644 --- a/doc/HOWTO +++ b/doc/HOWTO @@ -19,6 +19,23 @@ have the router forward all packets. This way you can---instead of connecting hosts---connect entire sites together! Now you need only one outgoing network connection for both internet and intranet. +Architecture +------------ +When a few Tinc daemons are running they will try to seek contact with +eachother. A daemon is all the time connected to a few other daemons, +but if traffic is required with a daemon it doesn't know yet, it will +instantly contact it and exchange keys. These so-called meta-connections +are made over TCP, using encryption of course. + +When actual traffic has to be sent, a daemon checks his connection list to +see if the addressee is known (and makes contact with it if neccessary). +All packets are then sent using UDP to the other host, just like in a real +network. If a packet gets lost, the connection layer of Linux will resend +the packet, just like it would over a normal network. + +Once in a while the daemons will renegotiate keys so that even if a cracker +breaks one, it'll be of limited use. + Getting Tinc ------------ Before you fetch the latest tarball, you might want to check if there's a 
@@ -50,10 +67,14 @@ The first will do the actual build, the second copies all files into place. The kernel ---------- -FIXME +Next you will have to configure the kernel to support the tap device. +It is important that you run a recent kernel, but anything after 2.2.16 +will do. You have to enable both the netlink device AND the ethertap +device (in that order). Enable them as modules! +Compile, install =) You don't even have to reboot. -Configuring ------------ +Picking your numbers +-------------------- The first thing we should do is pick network numbers. Tinc has a very peculiar taste for network numbers, which is caused by the way it routes traffic. However, it turns out to be really handy if you want to use @@ -65,6 +86,10 @@ range. This is standard CIDR notation for all IP addresses from 192.168.0.0 to 192.168.255.255. The /16 means that the first 16 bits form the network part. +It is common practice for Tinc networks to use private (RFC 1918) addresses. +This is not necessary, but it would be a waste to use official addresses +for a private network! + In the example we will connect three machines: f00f, fdiv and hlt. We will give each an address, but not just that, also a slice of our address space to play with. 
@@ -79,7 +104,72 @@ It is very important that none of the Tinc netmasks overlap! Note how the 192.168.0/16 network covers the entire address space of the three hosts. We will refer to the 192.168.0/16 network as the `umbrella' from now on. As you can see we can fit 256 hosts into this umbrella this way, which is -also the practical maximum for tinc. +also the practical maximum for tinc. Let's name our VPN 'fubar'. + +The configuration file +---------------------- +Let's create a configuration file for f00f. We have to put it in +/etc/tinc/fubar because that's how we named our VPN. + + MyOwnVPNIP = 192.168.1.1/24 + VpnMask = 255.255.0.0 + ConnectTo = 126.202.37.81 + ConnectTo = 103.22.1.218 + TapDevice = /dev/tap0 + +The first two lines tell Tinc about the numbers we have chosen above. +Using the ConnectTo lines, the daemon will seek contact with the rest of +the umbrella. It's possible to configure any number of ConnectTo lines, +you can even omit them so that it just sits and waits until someone else +contacts it. Until someone does, the poor daemon won't be able to send +any data because it doesn't know where everybody is. +The TapDevice is where the tinc daemon will interface with the kernel. + +The passphrases +--------------- +We will have to generate keys for ourselves, and get a key from everybody +we want to ConnectTo. All of these go into a directory named +/etc/tinc/fubar/passphrases. PROTECT THIS DIRECTORY! + + mkdir -m 700 /etc/tinc/fubar/passphrases + +To generate our own key: + + genauth 1024 >/etc/tinc/fubar/passphrases/local + +You should then proceed to give this key to anyone who wants to ConnectTo +you. DO THIS IN A SECURE MANNER! Anyone who has this number can do icky +things to the umbrella network! Encrypt it using PGP, GPG or another +program using asymmetric keys. Read it over the phone (without anyone +listening of course). Send it by snailmail. Write the key down and bring +it to your partners personally! 
+ +If you get any keys from your partners, store them under their network +number. For example, the key we get from fdiv's network administrator +will be stored in /etc/tinc/fubar/passphrases/192.168.2.0 (note the 0). + +Running the daemon +------------------ +If you use a package manager to install Tinc, the startup scripts use a file +called /etc/tinc/nets.boot to see which umbrella's exist. It has a line +per VPN, and lines starting with a # are ignored. Ours will contain: + + # Example VPN from the HOWTO + fubar + +In Debian, /etc/init.d/tinc start will start the daemons. + +If you use Doohickey Linux just like we do, you'll have to edit the systems +startup scripts by hand. It should contain something along the lines of: + + insmod ethertap -s --name=tap0 unit=0 + ifconfig tap0 hw ether fe:fd:c0:a8:01:01 + ifconfig tap0 192.168.1.1 netmask 255.255.0.0 broadcast 192.168.255.255 -arp + +There are two things to note here! First, the MAC address of the ethertap +device is very important. It must start with fe:fd, and end in the +hexadecimal representation of the VPN IP number. +Second, the netmask of the tap device is set to that of the umbrella! -Let's create a configuration file for f00f. We have to put it in /etc/tinc, -unless you participate in multiple umbrella's (more on that later). +-- +$Id: HOWTO,v 1.6 2002/04/12 08:25:01 guus Exp $
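Review bot: the statement "If a packet gets lost, the connection layer of Linux will resend the packet" in the new Architecture section is wrong for the transport described two sentences earlier: the tunnel carries packets over UDP, which never retransmits, so a lost packet is only recovered if the protocol running inside the tunnel (a TCP connection between the two VPN hosts, for example) resends it, exactly as on a lossy physical network. Suggest "If a packet gets lost, it is up to the protocols running over the VPN (e.g. TCP) to resend it, just as they would over a normal network." Two typos in the same hunk: "eachother" should be "each other" and "neccessary" should be "necessary". "using encryption of course" would serve the reader better if it said what the meta-connection protects (the key exchange and the information about which daemon is where), and "Once in a while the daemons will renegotiate keys" should give the interval or name the configuration option that controls it, since the "limited use" claim that follows depends on how long a broken key stays valid.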
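Review bot: the kernel section says "Enable them as modules!" without giving the reason, and "(in that order)" can be read as the order of the menu entries rather than the load order. Suggest stating both explicitly: the startup script given later in this HOWTO loads the tap device with insmod, which only works if it was built as a module, and the netlink device must be loaded before ethertap. "It is important that you run a recent kernel, but anything after 2.2.16 will do" contradicts itself; "You need a reasonably recent kernel; anything from 2.2.16 on will do" says the same thing cleanly. "Compile, install =) You don't even have to reboot." reads as an aside rather than an instruction; suggest "Compile and install the kernel and modules. A reboot is not needed, since the modules can be loaded into the running kernel." The new RFC 1918 paragraph is a good addition.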
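Review bot: "genauth 1024 >/etc/tinc/fubar/passphrases/local" creates the key file with the caller's umask, so the secret can end up group- or world-readable even though the directory was created with mode 700, and "PROTECT THIS DIRECTORY!" is the only guidance given. Suggest "(umask 077; genauth 1024 >/etc/tinc/fubar/passphrases/local)" or a following "chmod 600 /etc/tinc/fubar/passphrases/local", and the same advice for the keys received from partners that are stored under their network number. Further points in this hunk: the startup script loads only "insmod ethertap -s --name=tap0 unit=0" although the kernel section requires the netlink device to be loaded first, so either an insmod for the netlink device module belongs before that line or the text should say the module loader takes care of it; the ConnectTo examples (126.202.37.81, 103.22.1.218) look like real public addresses and could be replaced by addresses reserved for documentation; "Read it over the phone" for a 1024-bit number is error-prone, so suggest adding that the partner verifies a checksum of the received file against one the sender reads out. Spelling: "umbrella's exist" should be "umbrellas exist" and "the systems startup scripts" should be "the system's startup scripts".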