--- /dev/null
+ ==============
+ The TINC HOWTO
+ ==============
+
+ Wessel Dankers
+ wsl@nl.linux.org
+\f
+Introduction
+------------
+Tinc is a system to create a virtual ethernet network on top of an existing
+infrastructure. This infrastructure can be anything from modem lines to
+gigabit ethernet networks, as long as they talk IP. Once you install and
+configure tinc, your host will get an extra IP address, just like it would
+when you stick an extra ethernet card into it. Using this IP address, it can
+communicate with all hosts in its virtual network using strong encryption.
+
+If you install Tinc on a router (and pick your numbers correctly) you can
+have the router forward all packets. This way you can---instead of
+connecting hosts---connect entire sites together! Now you need only one
+outgoing network connection for both internet and intranet.
+\f
+Architecture
+------------
+When a few Tinc daemons are running they will try to seek contact with
+eachother. A daemon is all the time connected to a few other daemons,
+but if traffic is required with a daemon it doesn't know yet, it will
+instantly contact it and exchange keys. These so-called meta-connections
+are made over TCP, using encryption of course.
+
+When actual traffic has to be sent, a daemon checks his connection list to
+see if the addressee is known (and makes contact with it if neccessary).
+All packets are then sent using UDP to the other host, just like in a real
+network. If a packet gets lost, the connection layer of Linux will resend
+the packet, just like it would over a normal network.
+
+Once in a while the daemons will renegotiate keys so that even if a cracker
+breaks one, it'll be of limited use.
+\f
+Getting Tinc
+------------
+Before you fetch the latest tarball, you might want to check if there's a
+package for your Linux distribution. One of the main authors is a Debian
+Developer, so you can expect the Debian packages to be very up to date.
+
+The official website for Tinc can be found at http://tinc.nl.linux.org/.
+There you can find Debian packages, RPM's and of course... the tarball!
+Since we run Doohickey Linux Pro 1.0, for which no package exists (or
+indeed the distribution itself) we shall compile the package ourselves.
+\f
+Building
+--------
+The Tinc source adheres to so many standards it makes you head spin.
+Even the debug messages have been localized! Amazing. Tinc also comes
+with a configuration script. If you like to see what is there to
+configure run ./configure --help | more. If you don't have time for such
+nonsense:
+
+ ./configure --sysconfdir=/etc
+
+This will see if your system is nice enough to run tinc on, and will
+create some Makefiles and other stuff which will together build tinc.
+
+ make
+ make install
+
+The first will do the actual build, the second copies all files into place.
+\f
+The kernel
+----------
+Next you will have to configure the kernel to support the tap device.
+It is important that you run a recent kernel, but anything after 2.2.16
+will do. You have to enable both the netlink device AND the ethertap
+device (in that order). Enable them as modules!
+Compile, install =) You don't even have to reboot.
+\f
+Picking your numbers
+--------------------
+The first thing we should do is pick network numbers. Tinc has a very
+peculiar taste for network numbers, which is caused by the way it routes
+traffic. However, it turns out to be really handy if you want to use
+your tinc host as a router for a site.
+
+The numbers have to be in a range that is not yet in use in your existing,
+real network! In this example we will use numbers from the 192.168.0/16
+range. This is standard CIDR notation for all IP addresses from 192.168.0.0
+to 192.168.255.255. The /16 means that the first 16 bits form the network
+part.
+
+It is common practice for Tinc networks to use private (RFC 1918) addresses.
+This is not necessary, but it would be a waste to use official addresses
+for a private network!
+
+In the example we will connect three machines: f00f, fdiv and hlt. We will
+give each an address, but not just that, also a slice of our address space
+to play with.
+
+ Host Real address Tinc network
+ ---------------------------------------------------
+ f00f 126.202.37.20 192.168.1.1/24
+ fdiv 126.202.37.81 192.168.2.1/24
+ hlt 103.22.1.218 192.168.3.1/24
+
+It is very important that none of the Tinc netmasks overlap! Note how the
+192.168.0/16 network covers the entire address space of the three hosts.
+We will refer to the 192.168.0/16 network as the `umbrella' from now on.
+As you can see we can fit 256 hosts into this umbrella this way, which is
+also the practical maximum for tinc. Let's name our VPN 'fubar'.
+\f
+The configuration file
+----------------------
+Let's create a configuration file for f00f. We have to put it in
+/etc/tinc/fubar because that's how we named our VPN.
+
+ MyOwnVPNIP = 192.168.1.1/24
+ VpnMask = 255.255.0.0
+ ConnectTo = 126.202.37.81
+ ConnectTo = 103.22.1.218
+ TapDevice = /dev/tap0
+
+The first two lines tell Tinc about the numbers we have chosen above.
+Using the ConnectTo lines, the daemon will seek contact with the rest of
+the umbrella. It's possible to configure any number of ConnectTo lines,
+you can even omit them so that it just sits and waits until someone else
+contacts it. Until someone does, the poor daemon won't be able to send
+any data because it doesn't know where everybody is.
+The TapDevice is where the tinc daemon will interface with the kernel.
+\f
+The passphrases
+---------------
+We will have to generate keys for ourselves, and get a key from everybody
+we want to ConnectTo. All of these go into a directory named
+/etc/tinc/fubar/passphrases. PROTECT THIS DIRECTORY!
+
+ mkdir -m 700 /etc/tinc/fubar/passphrases
+
+To generate our own key:
+
+ genauth 1024 >/etc/tinc/fubar/passphrases/local
+
+You should then proceed to give this key to anyone who wants to ConnectTo
+you. DO THIS IN A SECURE MANNER! Anyone who has this number can do icky
+things to the umbrella network! Encrypt it using PGP, GPG or another
+program using asymmetric keys. Read it over the phone (without anyone
+listening of course). Send it by snailmail. Write the key down and bring
+it to your partners personally!
+
+If you get any keys from your partners, store them under their network
+number. For example, the key we get from fdiv's network administrator
+will be stored in /etc/tinc/fubar/passphrases/192.168.2.0 (note the 0).
+\f
+Running the daemon
+------------------
+If you use a package manager to install Tinc, the startup scripts use a file
+called /etc/tinc/nets.boot to see which umbrella's exist. It has a line
+per VPN, and lines starting with a # are ignored. Ours will contain:
+
+ # Example VPN from the HOWTO
+ fubar
+
+In Debian, /etc/init.d/tinc start will start the daemons.
+
+If you use Doohickey Linux just like we do, you'll have to edit the systems
+startup scripts by hand. It should contain something along the lines of:
+
+ insmod ethertap -s --name=tap0 unit=0
+ ifconfig tap0 hw ether fe:fd:c0:a8:01:01
+ ifconfig tap0 192.168.1.1 netmask 255.255.0.0 broadcast 192.168.255.255 -arp
+
+There are two things to note here! First, the MAC address of the ethertap
+device is very important. It must start with fe:fd, and end in the
+hexadecimal representation of the VPN IP number.
+Second, the netmask of the tap device is set to that of the umbrella!
+
+--
+$Id: HOWTO,v 1.6 2002/04/12 08:25:01 guus Exp $
projects / tinc / blobdiff