About tinc
Tinc is a VPN daemon that implements mesh routing. This means that, unlike conventional VPN systems such as OpenVPN, which route all of your traffic through a single centralised server, tinc will attempt to set up direct connections between peers whenever possible. While tinc is not designed to tunnel all of your traffic out through an exit node the way those VPNs are, it is very useful when you need a LAN-like network spanning multiple machines over the internet.
Please note that at the time of writing tinc 1.1 has not been released officially, so it might not be suitable for production use. The alternative, tinc 1.0, requires you to distribute the keys of each peer manually, which is a lot of work. Tinc 1.1 has an option to add new machines easily (invitations), but sadly it does not support excluding peers from the network (neither does 1.0). This means that once you add a machine to a tinc network, as long as it can connect to at least one node that still accepts its key it will be able to reconnect and have its key redistributed across the network. Treat invitation URLs accordingly: whoever holds one can join under the invited name. Removing a peer seems to be a planned feature, but it is not implemented yet.
The instructions in this post are meant for Ubuntu, Windows and Android, and are based on these posts - 1 2. Also, while this guide is fairly step by step, I recommend reading the manual first.
In the following commands replace these -
- `%VPNNAME%` with any name you want your network to have.
- `%IP%` with the IP address you want the current device to have. Note that IP distribution is manual in router mode (the default), so it's up to you to keep track of assigned addresses.
- `%FQDNORIP%` with a reachable domain name or IP address of the host you're setting up.
Install
Install on Linux
You need to compile tinc 1.1 from source. To do this you need to -
- Install the build dependencies
```sh
sudo apt install -y build-essential libncurses5-dev libreadline6-dev zlib1g-dev liblzo2-dev libssl-dev
```
- Download the latest source package. You can find it here (current version: 1.1pre18). Release tarballs are signed; check the detached `.sig` signature published next to the tarball against the tinc release key before building.
```sh
wget https://www.tinc-vpn.org/packages/tinc-1.1pre18.tar.gz -O tinc.tar.gz
```
- To extract and compile tinc, run the following commands (assuming you saved the file as `tinc.tar.gz`) -
```sh
tar -xf tinc.tar.gz --one-top-level=tinc --strip-components=1
cd tinc
./configure
make
sudo make install
```
This will install tinc under `/usr/local`.
Install on Windows
Set up the initial machine
The setup for the first machine is slightly different than the others. Calling it ‘the server’ would be incorrect though, because with Tinc any node can accept connections and advertise systems connected to it to the whole network. For setup on the initial machine, just continue reading. For the rest of the machines the process is summarised in the appropriate section.
A Linux machine
On machines that other peers connect to when joining the network you need to allow inbound TCP and UDP on port 655: tinc uses TCP for the meta connection and UDP for the tunnelled packets, so opening only UDP leaves peers unable to connect. You do not need this on machines that only make outgoing connections and won't be used as a gateway by other peers. With ufw this can be done with
```sh
sudo ufw allow 655/tcp
sudo ufw allow 655/udp
```
If you use iptables, the commands are
```sh
sudo iptables -I INPUT -p tcp --dport 655 -m state --state NEW -j ACCEPT
sudo iptables -I INPUT -p udp --dport 655 -m state --state NEW -j ACCEPT
```
(iptables rules are not persistent across reboots on their own; use iptables-persistent or your distribution's equivalent).
systemd service
If you use systemd (which is the case with most Linux distributions), it is handy to set up a systemd service to manage tinc VPNs. The unit file is written with a heredoc. Note that `sudo cat > file` does not work, because the redirection is performed by your unprivileged shell, so use `sudo tee` instead -
```sh
sudo tee /lib/systemd/system/tinc.service <<EOL
# unit file contents (not reproduced on this page)
EOL
```
Run `sudo systemctl daemon-reload` so systemd picks up the new unit, and if the unit is masked, `sudo systemctl unmask tinc`. You will also need to create the directory for the pid file and control socket. This can be done with `sudo mkdir -p /usr/local/var/run/`.
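The body of the unit file is not reproduced above. The following is an added example, not the post's own unit file, of a per-network template unit that matches the `tinc@%VPNNAME%` commands used later on this page. It assumes tinc was installed under /usr/local as described above (so the binaries are /usr/local/sbin/tincd and /usr/local/sbin/tinc), and that tincd is run in the foreground with `-D` so systemd can supervise it. The wrapper script and its function names are mine; it prints the unit and only touches the system when invoked with `install`.

```sh
#!/bin/sh
# Added example (not from the original post): a systemd template unit for
# tinc 1.1, one instance per network (tinc@<VPNNAME>).
# Assumptions: tinc installed under $prefix (/usr/local by default), so the
# binaries are $prefix/sbin/tincd and $prefix/sbin/tinc and the network
# configuration lives in $prefix/etc/tinc/<VPNNAME>.
set -eu

# Print the unit text for a given installation prefix.
tinc_template_unit() {
  prefix=$1
  cat <<EOF
[Unit]
Description=tinc VPN for network %i
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
WorkingDirectory=$prefix/etc/tinc/%i
# -D keeps tincd in the foreground so systemd supervises it and captures its log.
ExecStart=$prefix/sbin/tincd -n %i -D
# Re-read the configuration (e.g. after 'tinc add Subnet=...') without dropping links.
ExecReload=$prefix/sbin/tinc -n %i reload
KillMode=mixed
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit, create the pid/socket directory and make systemd read it. Needs root.
install_tinc_unit() {
  prefix=${1:-/usr/local}
  tinc_template_unit "$prefix" | sudo tee /lib/systemd/system/tinc@.service >/dev/null
  sudo mkdir -p "$prefix/var/run"          # pid file and control socket live here
  sudo systemctl daemon-reload
}

# Only modify the system when explicitly asked, e.g.:  sh tinc-unit.sh install /usr/local
if [ "${1:-}" = install ]; then
  install_tinc_unit "${2:-/usr/local}"
fi
```

After installing, `sudo systemctl start tinc@%VPNNAME%` and `sudo systemctl enable tinc@%VPNNAME%` work as described in the Starting Tinc on Linux section.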
Linux “Server” setup
The commands you need to run are -
```sh
sudo tinc -n %VPNNAME% init server
sudo tinc -n %VPNNAME% add Subnet=%IP%
sudo tinc -n %VPNNAME% add Address=%FQDNORIP%
```
`init` generates this node's key pair and its host configuration file (named `server` here, but any name will do). `Subnet` is the VPN address this node announces to the others, and `Address` is the public endpoint other peers will use to reach it. None of these need the daemon running; starting it is covered under Starting Tinc on Linux.
Linux interface setup
Now, to have connectivity to your new network, you'll need to create the `tinc-up` and `tinc-down` scripts. tinc runs them when the VPN interface is created and destroyed, with `$INTERFACE` set to the interface name. Just like in the section above, replace `%VPNNAME%` and `%IP%` with the values you want, and use `sudo tee` rather than `sudo cat >`, since the redirection happens in your own shell -
```sh
sudo tee /usr/local/etc/tinc/%VPNNAME%/tinc-up <<'EOL'
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add %IP%/24 dev "$INTERFACE"
EOL
sudo tee /usr/local/etc/tinc/%VPNNAME%/tinc-down <<'EOL'
#!/bin/sh
ip link set "$INTERFACE" down
EOL
```
Then make these files executable with
```sh
sudo chmod +x /usr/local/etc/tinc/%VPNNAME%/tinc-down /usr/local/etc/tinc/%VPNNAME%/tinc-up
```
Starting Tinc on Linux
First ensure that no tinc daemon for this network is running (`sudo tinc -n %VPNNAME% stop`, or check with `pgrep -a tincd`). Afterwards I recommend starting tinc in the foreground with debugging enabled while you're connecting your first hosts -
```sh
sudo tincd -n %VPNNAME% -D -d3
```
This will let you see whether their connection is successful and fix any issues that arise.
Afterwards you can run tinc as a service with `sudo systemctl start tinc@%VPNNAME%`. To run it on startup, use `sudo systemctl enable tinc@%VPNNAME%`.
A Windows machine
Windows “Server” setup
Note that if you're using PowerShell, you need to prepend the commands with `./`.
- Open tinc's directory. Usually -
```
cd "C:\Program Files\tinc"
```
- Initialise the node, announce its VPN address and set the address other peers connect to -
```
tinc.exe -n %VPNNAME% init master
tinc.exe -n %VPNNAME% add Subnet=%IP%
tinc.exe -n %VPNNAME% add Address=%FQDNORIP%
```
Windows interface setup
NOTE: If you are already using OpenVPN (which includes most commercial VPN services) you probably have the TAP adapter driver installed. Installing the version that comes with tinc is likely to break it. In this case, skip steps 1 and 2 and instead go to Device Manager (devmgmt.msc), click on Network Adapters, then click on "Action" in the menu bar -> "Add Legacy Hardware". In the window that opens click "Next", then select "Install the hardware that I manually select from a list (Advanced)", click "Next" again, select "Network Adapters" and click "Next", then select something that looks like "TAP-* Provider V9" in the "Manufacturer" list (the star will probably be the name of your VPN provider). In most cases you'll only have one entry in the Model list; if not, just select the first one and click Next. If it fails to install (usually with an error along the lines of "service is scheduled to install"), try a different manufacturer in that list, one whose name starts with TAP-. Also try rebooting. When the device is set up, proceed to step 3. It will probably work, but no guarantees. If it doesn't, you'll have to choose between your VPN provider and tinc (remove the one you don't want).
1. Open the tap driver's directory. Usually -
```
cd "C:\Program Files\tinc\tap-win64"
```
2. Run `addtap.bat`. Click yes when it asks whether you want to install the driver. This will create a new network adapter.
3. Locate the newly created network adapter. Usually it's called `Ethernet 2`, but the name might differ between systems. To locate it you can either use `netsh interface ipv4 show interfaces` or find it in the control panel using `control netconnections`.
4. Rename this interface and give it its VPN address -
```
netsh interface set interface name="%INTERFACE%" newname="tinc"
netsh interface ip set address "tinc" static %IP% 255.255.255.0
```
where `%INTERFACE%` is the name of the interface from the previous step.
Starting Tinc on Windows
You can run tinc in debug mode with `tincd.exe -n %VPNNAME% -D -d3`. This is recommended the first time you run it and when adding your first peer, to see if everything works.
Afterwards, run `tincd.exe -n %VPNNAME%` (without `-D`) to install tinc as a Windows service. You can manage this service like any other Windows service (through `sc config` or the `services.msc` GUI). To enable start on boot, for example, run `sc config tinc.%VPNNAME% start= auto` (note that `sc` requires the space after the `=`). To start the service from the command line, use `net start tinc.%VPNNAME%`.
Set up the rest of the devices
In the following commands replace `%CLIENTNAME%` with the name you want to assign to the device.
On Linux
- Install tinc.
- Set up the systemd service.
- Generate an invitation ON THE MACHINE YOU WANT TO CONNECT TO. This can be done with
```sh
sudo tinc -n %VPNNAME% invite %CLIENTNAME%
```
(remove the `sudo` and add the `.exe` extension to tinc on Windows). This will output `%INVITEURL%`. The URL embeds a one-time secret: anyone who obtains it can join the network as `%CLIENTNAME%`, so pass it to the new machine over a channel you trust. Unused invitations expire after a week by default (`InvitationExpire`).
- Join the network by running the following ON THE MACHINE YOU WANT TO CONNECT WITH -
```sh
sudo tinc join %INVITEURL%
sudo tinc -n %VPNNAME% add Subnet=%IP%
```
(remember that `%IP%` here is the IP you want for this machine).
- Set up the interface.
- Start the tinc daemon.
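The Linux steps above (the "Server" setup and interface setup for the first node, and the invitation-based join for every later node) can be driven by one script. The following is an added example written for this page, not the post's own code and not part of tinc: it validates the placeholder values before they are written into configuration files, performs either the `init` or the `join` sequence, writes `tinc-up`/`tinc-down`, and tightens permissions on the network directory, which holds the node's private keys. It assumes tinc installed under /usr/local (override with `TINC_PREFIX`), iproute2, and a /24 VPN subnet; the script name, function names and the `.priv` key file pattern are my assumptions.

```sh
#!/bin/sh
# Added example (not the post's code): tinc 1.1 node setup for Linux. Run as root.
#   sudo sh tinc-node.sh init <VPNNAME> <NODENAME> <IP> <FQDNORIP>   # first node
#   sudo sh tinc-node.sh join <VPNNAME> <IP> <INVITEURL>             # every later node
# Assumes tinc under /usr/local (override with TINC_PREFIX), iproute2, a /24 VPN.
set -eu

TINC_PREFIX=${TINC_PREFIX:-/usr/local}
VPN_PREFIXLEN=${VPN_PREFIXLEN:-24}

# Network and node names become file names and config lines: allow only [A-Za-z0-9_].
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Dotted-quad IPv4 with every octet in 0..255. Runs in a subshell so the IFS
# change used for splitting does not leak into the caller.
valid_ipv4() (
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
)

# tinc runs tinc-up with $INTERFACE set to the tun device it created.
tinc_up_script() {  # $1 = IP, $2 = prefix length
  printf '#!/bin/sh\nip link set "$INTERFACE" up\nip addr add "%s/%s" dev "$INTERFACE"\n' "$1" "$2"
}

tinc_down_script() {
  printf '#!/bin/sh\nip link set "$INTERFACE" down\n'
}

# Write the interface scripts and lock the network directory down: besides the
# scripts it holds this node's private keys, and only root (tincd) needs them.
write_interface_scripts() {  # $1 = VPNNAME, $2 = IP
  dir="$TINC_PREFIX/etc/tinc/$1"
  tinc_up_script "$2" "$VPN_PREFIXLEN" > "$dir/tinc-up"
  tinc_down_script > "$dir/tinc-down"
  chmod 755 "$dir/tinc-up" "$dir/tinc-down"
  chmod 700 "$dir"
  for key in "$dir"/*.priv; do            # assumed key file naming; skipped if absent
    [ -e "$key" ] && chmod 600 "$key"
  done
}

init_node() {  # VPNNAME NODENAME IP FQDNORIP
  valid_name "$1" && valid_name "$2" && valid_ipv4 "$3" || { echo "bad argument" >&2; return 1; }
  tinc -n "$1" init "$2"
  tinc -n "$1" add Subnet="$3"
  tinc -n "$1" add Address="$4"
  write_interface_scripts "$1" "$3"
}

join_node() {  # VPNNAME IP INVITEURL
  valid_name "$1" && valid_ipv4 "$2" || { echo "bad argument" >&2; return 1; }
  tinc -n "$1" join "$3"      # the URL is a one-time secret: obtain it over a trusted channel
  tinc -n "$1" add Subnet="$2"
  write_interface_scripts "$1" "$2"
}

case "${1:-}" in
  init) shift; init_node "$@" ;;
  join) shift; join_node "$@" ;;
esac
```

After either path, start the daemon as described under Starting Tinc on Linux; with the `-D -d3` debug run you can confirm the new node's connection before enabling the service.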
On Windows
Remember to prepend all tinc commands with `./` if using PowerShell.
- Install tinc. Open the installation directory (usually `cd "C:\Program Files\tinc"`).
- Generate an invitation ON THE MACHINE YOU WANT TO CONNECT TO. This can be done with
```
tinc.exe -n %VPNNAME% invite %CLIENTNAME%
```
(add `sudo` and remove the `.exe` extension on Linux). This will output `%INVITEURL%`.
- Join the network by running the following ON THE MACHINE YOU WANT TO CONNECT WITH -
```
tinc.exe join %INVITEURL%
tinc.exe -n %VPNNAME% add Subnet=%IP%
```
(remember that `%IP%` here is the IP you want for this machine).
- Set up the interface.
- Start the tinc daemon.
On Android
While it's technically possible to set up a server on Android, I'll only be detailing how to connect to an already existing network.
- Install the app. The site has both F-Droid and Google Play links.
- Open the app and tap the wrench icon in the top right corner. Tap 'Join network via invitation URL' and paste the URL.
- In the same menu, take note of the configuration directory (default `/Android/data/org.pacien.tincapp/files`; you can long-press to copy it, even though there is no feedback for the gesture). Open it. There you'll find a directory named after your VPNNAME. Open it. Inside there should be an empty file called `network.conf`. Edit it and add the following -
```
Address=%IP%/32
Route=%NETWORKADDRESS%/24
```
`%NETWORKADDRESS%` is the first address of the CIDR-formatted IP range you want your IP to belong to, i.e. for 10.0.0.0-10.0.0.255 you would have `Route=10.0.0.0/24`.
- Now in the same directory, go into the `hosts` folder and edit the file that has your device's name. Add `Subnet=%IP%` at the bottom. You can also add a `Port` variable to specify the port the VPN will connect through on your device (or set it to 0 to pick a random one each time). For more information, read the docs.
Set up a DNS server on the VPN
The cool thing about VPNs is that you can also set up a DNS server and then reach your devices by name. To do this you need to set up a DNS server such as BIND 9 or PowerDNS on one of your nodes and have it listen on that node's VPN address (not on its public interface, unless you want to run an open resolver). How to do this is beyond the scope of this tutorial, but there are plenty of guides on the internet.
After setting it up (`%DNSSERVER%` here is the VPN IP address of your DNS server machine) -
- On Linux machines you need to add your DNS server to your resolv.conf. If you use resolvconf you can add
```sh
echo -n "nameserver %DNSSERVER%" | /sbin/resolvconf -a "$INTERFACE"
```
to `/usr/local/etc/tinc/%VPNNAME%/tinc-up` and
```sh
/sbin/resolvconf -d "$INTERFACE"
```
to `/usr/local/etc/tinc/%VPNNAME%/tinc-down`. If you don't use resolvconf, you can try the other options available to you, such as editing `resolv.conf` directly, e.g. `sed -i '2s/.*/nameserver %DNSSERVER%/' /etc/resolv.conf` in `tinc-up` and `sed -i '2s/.*//' /etc/resolv.conf` in `tinc-down`. Be aware that this blindly overwrites whatever is on line 2, so check the file first. Also, on Ubuntu releases running systemd-resolved, `/etc/resolv.conf` is a generated stub that resolved rewrites; there you have to hand the server to resolved instead, e.g. `resolvectl dns "$INTERFACE" %DNSSERVER%` (or `systemd-resolve --interface "$INTERFACE" --set-dns %DNSSERVER%` on older releases) in `tinc-up`.
- On Windows machines you need to add the DNS server to your adapter. Using the GUI, open Network Connections (`control netconnections` or `ncpa.cpl`), right click on the `tinc` adapter, click on `Properties`, select `Internet Protocol Version 4 (TCP/IPv4)` (or IPv6 if you've set tinc up to use that), click `Properties`, tick `Use the following DNS server addresses` and enter your DNS server. From the CLI you can use
```
netsh interface ipv4 add dnsserver "tinc" address=%DNSSERVER% index=1
```
instead.
- Note that if you want Windows to prioritise your new DNS server you'll have to change the interface metric on both your main adapter and the VPN's. To do so through the UI open Network Connections, right click on the `tinc` adapter, click on `Properties`, select `Internet Protocol Version 4 (TCP/IPv4)`, click on `Properties`, click on `Advanced` near the bottom of the window that just opened, untick `Automatic metric` and set a low value like 15. Now do the same for your main network adapter (usually `Ethernet` or `WiFi`), but set the value HIGHER than the one you set for tinc. Sometimes you might not need to do this, but I find that it's not very stable otherwise. To test, run `nslookup zingmars.me` and make sure that the `Address` shown for the server is your VPN's DNS server.
- On Android add the following to your `network.conf` file (you can have multiple lines like these for multiple DNS servers) -
```
DNSServer=%DNSSERVER%
```
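For Linux hosts without resolvconf, the line-2 `sed` above is fragile. The following is an added example, not from the post, of a small helper that `tinc-up` and `tinc-down` can call instead: it puts the VPN nameserver first in resolv.conf between marker comments so `tinc-down` removes exactly what `tinc-up` added, does nothing if the block is already there (so restarts are harmless), and writes through the file rather than replacing it so a symlinked resolv.conf survives. The script name, function names and marker text are my own; it assumes a plain resolv.conf (with systemd-resolved, configure resolved as noted above instead).

```sh
#!/bin/sh
# Added example (not from the original post): reversible VPN nameserver
# handling for /etc/resolv.conf on hosts that do not use resolvconf.
#   from tinc-up:    sh vpn-dns.sh add %DNSSERVER%
#   from tinc-down:  sh vpn-dns.sh remove
# Assumes a plain resolv.conf; the glibc resolver uses at most three
# nameserver lines, so the VPN one goes first.
set -eu

RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}
BEGIN_MARK='# tinc-vpn begin'
END_MARK='# tinc-vpn end'

# Prepend a marked block with the VPN resolver; idempotent.
add_vpn_nameserver() {  # $1 = nameserver IP, $2 = resolv.conf path
  dns=$1; conf=$2
  if grep -qxF "$BEGIN_MARK" "$conf"; then
    return 0                       # already added, e.g. tinc-up ran twice
  fi
  tmp=$(mktemp)
  {
    printf '%s\nnameserver %s\n%s\n' "$BEGIN_MARK" "$dns" "$END_MARK"
    cat "$conf"
  } > "$tmp"
  cat "$tmp" > "$conf"             # write through: keeps inode, symlink and mode
  rm -f "$tmp"
}

# Delete exactly the marked block, leaving every other line untouched.
remove_vpn_nameserver() {  # $1 = resolv.conf path
  conf=$1
  tmp=$(mktemp)
  sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$conf" > "$tmp"
  cat "$tmp" > "$conf"
  rm -f "$tmp"
}

case "${1:-}" in
  add)    add_vpn_nameserver "$2" "$RESOLV_CONF" ;;
  remove) remove_vpn_nameserver "$RESOLV_CONF" ;;
esac
```

Because the block is removed by marker rather than by line number, the file is returned to its previous content even if something else edited it in between, and running `add` twice never produces two VPN entries.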