Tinc and OpenWRT

Sandy McArthur Jr sandy at mcarthur.org
Tue Jan 27 16:12:27 CET 2015


Jonathan,
I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt
installed. I use the Tinc 1.0 series since I don't want to support my
own packages.

OpenWrt has a nice unified configuration system. Tinc has a nice
configuration directory structure. What OpenWrt has done to merge
these two concepts over complicates things, and generally sucks.

I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
what I still use. Since then I wrote the script below to help automate
adding of new hosts in a network.

A tip I've found when putting tinc on your gateway device is to bind
to several ports so you have options with mobile devices when they are
behind firewalls that block low ports. I tend to use 655 (tinc), 1194
(openvpn), 65500 (tinc * 100 so it's a high port number). Be careful
how you use this as some older versions of Tinc on OpenWrt crash on
startup when the .../NETWORK/hosts/NODENAME file lists multiple
"Address = .... : [port]" lines.

Also, I like to have a backup method to find and remote to an OpenWrt
device (ddns and ssh) but if you allow ssh from the internet to your
gateway, it will get slammed with brute-force logins all the
time. This is a good reason to make use of SSH keys and disallow
password authentication in the Dropbear config (option
RootPasswordAuth 'off').

Finally, some of my Tinc deployments are at locations that are not
staffed by technical people and would take me 3+ hours to travel to. I
now always configure these devices to daily reboot and they often have
a second Tinc network configured with a minimal, known good config
that doesn't change that I can use to remotely admin and fix the main
Tinc network config if I botch it up.


#!/bin/sh
# Register every host file under /etc/tinc/NETWORK/hosts/ with uci so
# OpenWrt's tinc init script knows about it (hosts already present are skipped).

for network in /etc/tinc/*/
do
        netname=$(basename "$network")
        echo "Tinc Network Name: $netname"

        for host in /etc/tinc/"$netname"/hosts/*
        do
                [ -f "$host" ] || continue   # empty glob or stray directory
                hostname=$(basename "$host")
                echo "Tinc Network $netname Host: $hostname"

                # -q keeps uci quiet when the section does not exist yet
                if ! uci -q get "tinc.$hostname" >/dev/null
                then
                        uci set "tinc.$hostname=tinc-host"
                        uci set "tinc.$hostname.net=$netname"
                        uci set "tinc.$hostname.enabled=1"
                        uci commit tinc
                fi

        done # for host

done # for network

On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark
<tinc-list at heyjonathan.com> wrote:
> Greetings.
>
> I'm new to tinc, but have so far managed to get a couple laptops and a
> hosted server all connected.  They're working as expected, running
> Tinc 1.1-pre11, which I compiled from source.
>
> Next I want to move on to adding my home router into the mix.  My
> routers run OpenWRT.  I don't have experience compiling anything from
> source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.
>
> With that in mind, which direction should I move next?  I think my options are:
>
> (option a)
> Switch my existing/working Tinc setup to using RSA keys (instead of
> Ed25519) so they can talk to the 1.0.25 packages available on OpenWRT,
> and then go on to figure out how to get the already-packaged Tinc
> 1.0.25 working on my router.
>
> or
> (option b)
> Take a detour and learn how to cross-compile things for OpenWRT.  Use
> this new knowledge to install Tinc 1.1pre11 onto my router.  Feel
> accomplished.
>
> or something else?
>
> I'm exploring this mainly for the fun of figuring it out, so there's
> no deadline or even a business reason to succeed.  Does that suggest I
> should tackle option a, and then go ahead and try option b, resulting
> in twice the fun and sense of accomplishment?
>
> And, overall, how difficult are each of these options?
>
> Thanks, by the way, for all your work.  From what I've seen so far,
> this project is pretty impressive.
>
> Jonathan
> Kingston, New York, USA
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc



-- 
Sandy McArthur, Jr.

"No nation could preserve its freedom in the midst of continual warfare."
- Letters and Other Writings of James Madison (1865), Vol. IV, p. 491
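A small check for the multi-"Address" caveat and the Dropbear setting mentioned in the reply above, as an added POSIX sh example that is not from the original post or the OpenWrt wiki page. The sample hosts directory, host names and subnets are constructed, and the Dropbear PasswordAuth uci option is assumed alongside the RootPasswordAuth one the post names.

```shell
#!/bin/sh
# Added example (not from the original post): flag tinc host files with
# several "Address =" lines and print the Dropbear hardening commands.

# count_address_lines FILE: print how many "Address = ..." lines FILE has
count_address_lines() {
    grep -c -E '^[[:space:]]*Address[[:space:]]*=' "$1" 2>/dev/null || true
}

# audit_hosts_dir DIR: print "host count" for each file with more than one
# Address line; return 0 if none found, 1 otherwise
audit_hosts_dir() {
    _found=0
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        _n=$(count_address_lines "$_f")
        if [ "$_n" -gt 1 ]; then
            echo "$(basename "$_f") $_n"
            _found=1
        fi
    done
    return $_found
}

# dropbear_harden_cmds: print (not run) the uci commands that leave only
# SSH-key logins enabled in Dropbear (PasswordAuth option is an assumption)
dropbear_harden_cmds() {
    cat <<'EOF'
uci set dropbear.@dropbear[0].PasswordAuth='off'
uci set dropbear.@dropbear[0].RootPasswordAuth='off'
uci commit dropbear
EOF
}

# Constructed sample standing in for /etc/tinc/NETWORK/hosts (not real data)
SAMPLE_HOSTS=$(mktemp -d)
cat > "$SAMPLE_HOSTS/gateway" <<'EOF'
Address = gateway.example.net 655
Address = gateway.example.net 1194
Address = gateway.example.net 65500
Subnet = 10.0.0.1/32
EOF
printf 'Subnet = 10.0.0.2/32\n' > "$SAMPLE_HOSTS/laptop"

audit_hosts_dir "$SAMPLE_HOSTS" || echo "trim these to one Address line on older OpenWrt tinc packages"
dropbear_harden_cmds
```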