How to Set Up Tinc for Encrypted Peer-to-Peer VPNs

Tinc is an open-source VPN daemon that creates an encrypted peer-to-peer mesh network between hosts. Unlike hub-and-spoke VPNs, Tinc lets every node talk directly to any other node it can reach, forwards traffic through intermediate nodes when no direct path exists, and authenticates each link with per-node public keys. This guide walks through planning, installing, configuring, and troubleshooting a Tinc VPN suitable for small teams, multi-site setups, or home lab networks.
Why choose Tinc?
- Peer-to-peer mesh: Nodes form direct connections when possible, reducing latency and single points of failure.
- Automatic routing: Tinc discovers optimal routes across the mesh and forwards traffic transparently.
- Strong encryption: Every node has its own key pair; peers authenticate each other with those keys and derive per-link session keys (RSA in tinc 1.0; tinc 1.1 adds Ed25519 and the SPTPS protocol). Tinc uses its own protocol rather than TLS.
- Network bridging and routing: Supports both routed IP subnets and layer-2 bridging (tun/tap).
- Cross-platform: Runs on Linux, BSDs, macOS, and Windows (with Cygwin or native builds).
Planning your Tinc network
- Decide whether you need routed (tun) or bridged (tap) mode:
  - Tun (layer 3, tinc's default Mode = router): best for connecting separate IP subnets; simpler and more efficient. Each node announces the addresses behind it with Subnet lines in its host file.
  - Tap (layer 2, Mode = switch): useful for LAN-level broadcasts, non-IP protocols, or services that require being on the same Ethernet segment.
- Choose topology:
  - Full mesh: every node has a ConnectTo line for every other node, so every pair keeps a direct connection; more links to maintain.
  - Partial mesh: each node keeps only a few ConnectTo links. Tinc learns the whole graph from its neighbours and still sends data directly between any two nodes that can reach each other, relaying through intermediaries only when it cannot. The only requirement is that the ConnectTo links leave the graph connected.
- IP addressing:
  - Allocate a private subnet for the VPN (for example 10.0.0.0/24 or 172.16.0.0/24) and assign static addresses to nodes for predictability. Keep it disjoint from every site's LAN ranges.
- NAT and firewalls:
  - Tinc uses TCP for the control connection and UDP for data, on the same port (655 by default), and falls back to TCP if UDP does not get through. A node behind NAT can dial out with ConnectTo without any port forwarding; a node that others ConnectTo needs a stable public address or a forwarded TCP+UDP port. Decide up front which nodes act as these stable entry points.
- Security:
  - Keep private keys on the node that generated them; they never need to leave it. Host files carry only public keys, but exchange them over an authenticated channel (SSH/scp) and compare key fingerprints out of band, because whoever can substitute a host file can impersonate that node.
  - Add firewall rules so that only expected peers can reach the tinc port.
Installing Tinc
On Debian/Ubuntu:
sudo apt update
sudo apt install tinc
On Fedora:
sudo dnf install tinc
On Arch Linux:
sudo pacman -S tinc
On macOS (Homebrew):
brew install tinc
On Windows:
- Use native builds or Cygwin packages; setup is similar but paths and service management differ.
Basic configuration overview
Tinc keeps one configuration directory per network, identified by a "netname" that is passed to tincd with -n, under /etc/tinc/<netname>/:
- /etc/tinc/<netname>/tinc.conf — main config for the local node (Name, ConnectTo, Interface, ...).
- /etc/tinc/<netname>/hosts/ — one file per node, including this one, holding that node's Address, Subnet and public key. A node needs the host file of every peer it talks to directly; in practice copy every node's host file to every other node.
- /etc/tinc/<netname>/rsa_key.priv — the node's private key (tinc 1.1 also creates ed25519_key.priv). The matching public key lives in hosts/<Name>.
- /etc/tinc/<netname>/tinc-up and tinc-down — scripts run when the VPN interface starts/stops; tincd passes the device name in $INTERFACE.
- /etc/tinc/<netname>/host-up, host-down, subnet-up, subnet-down and hosts/<node>-up, hosts/<node>-down — optional hook scripts run when a peer or a subnet appears or disappears.
Step-by-step setup (example: network “mymesh”, routed/tun mode)
This example shows two nodes: nodeA (10.0.0.1) and nodeB (10.0.0.2). Adjust names, IPs, and interfaces for your environment.
- Create the network directory on each node:
sudo mkdir -p /etc/tinc/mymesh/hosts
sudo chown -R root:root /etc/tinc/mymesh
sudo chmod 700 /etc/tinc/mymesh
- Create tinc.conf for each node:
On nodeA (/etc/tinc/mymesh/tinc.conf):
Name = nodeA
AddressFamily = ipv4
Interface = tun0
On nodeB (/etc/tinc/mymesh/tinc.conf):
Name = nodeB
AddressFamily = ipv4
Interface = tun0
ConnectTo = nodeA
ConnectTo tells tincd which peer to dial at startup, using the Address in that peer's host file; at least one side of every link needs one, otherwise the two daemons never contact each other. nodeA has the public address, so nodeB dials it and nodeA needs no ConnectTo. Mode = router (layer 3) is the default, so it is not set here.
- Generate keys (on each node):
sudo tincd -n mymesh -K4096
tincd prompts for two file names. The private key goes to /etc/tinc/mymesh/rsa_key.priv; the public key is appended to /etc/tinc/mymesh/hosts/<Name> (created if it does not exist), because Name is set in tinc.conf. Accept the defaults and confirm afterwards that rsa_key.priv is owned by root with mode 0600. On tinc 1.1, `tinc -n mymesh init nodeA` does the same and also creates an Ed25519 key.
- Create host files (a host file holds what peers need to reach and authenticate this node):
On nodeA, create (or complete, if -K already appended the key) /etc/tinc/mymesh/hosts/nodeA:
Address = 198.51.100.10
Port = 655
Subnet = 10.0.0.1/32
-----BEGIN RSA PUBLIC KEY-----
<nodeA's public key, as written by tincd -K>
-----END RSA PUBLIC KEY-----
Address is the public IP or DNS name peers dial; Port is optional and defaults to 655. Subnet is required in router mode: it announces which addresses live behind this node, and tinc drops packets for addresses that no host file claims. Use the node's VPN address as a /32 and add further Subnet lines for any LAN behind it. The file name identifies the node; a Name line is not used in host files.
On nodeB, create /etc/tinc/mymesh/hosts/nodeB the same way with Subnet = 10.0.0.2/32 and nodeB's key. If nodeB sits behind NAT and only dials out, it needs no Address line.
- Exchange host files:
- Copy nodeA's host file to /etc/tinc/mymesh/hosts/ on nodeB and vice versa, over an authenticated channel such as scp:
scp /etc/tinc/mymesh/hosts/nodeA root@nodeB:/etc/tinc/mymesh/hosts/
scp /etc/tinc/mymesh/hosts/nodeB root@nodeA:/etc/tinc/mymesh/hosts/
Afterwards both nodes hold hosts/nodeA and hosts/nodeB. Confirm that the key block in the received copy matches the sender's (compare a fingerprint by phone or chat): a swapped public key means a swapped peer.
- Configure IP addressing for the VPN interface:
Create /etc/tinc/mymesh/tinc-up on each node; tincd runs it after creating the device and passes the device name in $INTERFACE. On nodeA (assign 10.0.0.1/24):
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 10.0.0.1/24 dev "$INTERFACE"
On nodeB (assign 10.0.0.2/24):
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 10.0.0.2/24 dev "$INTERFACE"
Make the scripts executable. tinc-down is optional (tincd removes the device when it exits); chmod it only if you created one:
sudo chmod +x /etc/tinc/mymesh/tinc-up
sudo chmod +x /etc/tinc/mymesh/tinc-down
- Start the tinc daemon:
On systemd systems the package installs a template unit, tinc@.service, whose instance name is the netname; enable and start it:
sudo systemctl enable --now tinc@mymesh
Or run it in the foreground with debug output while testing:
sudo tincd -n mymesh -D -d3
- Test connectivity:
- Ping across the VPN (from nodeA):
ping -c 3 10.0.0.2
- Check tinc status and peers. tinc 1.0 has no status command; signal the running daemon to dump its state to syslog (or to the terminal when it was started with -D):
sudo tincd -n mymesh -kUSR1   # connections
sudo tincd -n mymesh -kUSR2   # known nodes, edges and subnets
On tinc 1.1 use the control client instead:
sudo tinc -n mymesh dump nodes
sudo tinc -n mymesh dump connections
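Once the files above are in place, the mistakes this procedure makes easiest are a host file without a Subnet line, a ConnectTo pointing at a node whose host file is missing or has no Address, and a private key readable by other users; none of them produce an obvious error until pings silently fail. The script below checks for them and prints each peer key's SHA-256 fingerprint so the two administrators can compare it out of band before trusting an exchanged host file. It is an added example, not part of tinc; it assumes the tinc 1.0 file layout described above (tinc.conf, hosts/<node>, rsa_key.priv) and takes the network directory as its argument. Run it again after adding a node.

```shell
#!/bin/sh
# Consistency check for a tinc network directory before (re)starting tincd.
# Added example, not part of tinc. Assumes the tinc 1.0-style layout:
#   NETDIR/tinc.conf, NETDIR/hosts/<node>, NETDIR/rsa_key.priv
# Usage: sh check-tinc.sh /etc/tinc/mymesh

# Print every value of option $2 (names are case-insensitive, as in tinc) from file $1.
tinc_opts() {
    awk -v key="$2" -F'=' '
        tolower($1) ~ ("^[ \t]*" tolower(key) "[ \t]*$") {
            v = $2
            sub(/^[ \t]+/, "", v)          # leading whitespace
            sub(/[ \t]*(#.*)?$/, "", v)    # trailing whitespace or comment
            print v
        }' "$1"
}

# First value only (empty string if the option is absent).
tinc_opt() { tinc_opts "$1" "$2" | head -n 1; }

# SHA-256 over the public key block of a host file, for out-of-band comparison.
tinc_key_fingerprint() {
    sed -n '/^-----BEGIN RSA PUBLIC KEY-----$/,/^-----END RSA PUBLIC KEY-----$/p' "$1" \
        | sha256sum | cut -d' ' -f1
}

check_tinc_net() {
    netdir=$1
    rc=0
    conf="$netdir/tinc.conf"
    [ -f "$conf" ] || { echo "FAIL: $conf missing"; return 1; }
    [ -d "$netdir/hosts" ] || { echo "FAIL: $netdir/hosts missing"; return 1; }

    name=$(tinc_opt "$conf" Name)
    [ -n "$name" ] || { echo "FAIL: Name not set in tinc.conf"; rc=1; }
    if [ -n "$name" ] && [ ! -f "$netdir/hosts/$name" ]; then
        # tincd reads this node's own Subnet and public key from hosts/<Name>.
        echo "FAIL: hosts/$name missing"; rc=1
    fi

    if [ -f "$netdir/rsa_key.priv" ]; then
        mode=$(stat -c %a "$netdir/rsa_key.priv" 2>/dev/null || stat -f %Lp "$netdir/rsa_key.priv")
        case $mode in
            *00) ;;
            *) echo "FAIL: rsa_key.priv mode $mode is group/world accessible"; rc=1 ;;
        esac
    else
        echo "FAIL: rsa_key.priv missing (generate with: tincd -n NETNAME -K4096)"; rc=1
    fi

    for hf in "$netdir"/hosts/*; do
        [ -f "$hf" ] || continue
        peer=$(basename "$hf")
        if grep -q '^-----BEGIN RSA PUBLIC KEY-----$' "$hf"; then
            echo "INFO: hosts/$peer key fingerprint $(tinc_key_fingerprint "$hf")"
        else
            echo "FAIL: hosts/$peer has no RSA public key block"; rc=1
        fi
        # Router mode: without a Subnet line no traffic is ever routed to this node.
        [ -n "$(tinc_opt "$hf" Subnet)" ] \
            || { echo "FAIL: hosts/$peer has no Subnet line"; rc=1; }
    done

    # Each ConnectTo target needs a host file with an Address to dial.
    targets=$(tinc_opts "$conf" ConnectTo)
    [ -n "$targets" ] || echo "NOTE: no ConnectTo; this node only accepts incoming connections"
    for t in $targets; do
        if [ ! -f "$netdir/hosts/$t" ]; then
            echo "FAIL: ConnectTo = $t but hosts/$t missing"; rc=1
        elif [ -z "$(tinc_opt "$netdir/hosts/$t" Address)" ]; then
            echo "FAIL: ConnectTo = $t but hosts/$t has no Address"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: $netdir is consistent"
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_tinc_net "$1"
fi
```

The checker only reads files, so it can run as an unprivileged user on a copy of the directory; the fingerprint it prints for hosts/nodeB on nodeA must equal the one nodeB's administrator gets for their own hosts/nodeB.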
Advanced configuration tips
- Compression and performance:
  - Compression = N in a host file sets the level peers use when sending to that node (0 = none, 1-9 = zlib, 10-11 = LZO). Enable it only on links that are bandwidth-limited and CPU-rich; on fast links it costs more than it saves.
- Ports and bind addresses:
  - Port in a host file is what peers dial for that node (and what its tincd listens on unless tinc.conf says otherwise). BindToAddress belongs in tinc.conf, not in a host file, and takes an address and optional port, for example BindToAddress = 198.51.100.10 655, to listen on one interface only.
- NAT traversal:
  - A node behind NAT should ConnectTo a node with a public address; outgoing TCP and UDP through the NAT is enough for it to reach the rest of the mesh. Only nodes that accept connections need the tinc port (TCP and UDP 655) forwarded. If two NATed nodes cannot reach each other directly, tinc forwards their traffic through a node both can reach.
- Firewall rules:
  - Allow TCP and UDP 655 (or your Port) from expected peers only, and write separate rules for traffic on the tun/tap device: packets arriving on the VPN interface are authenticated by tinc, but they are still traffic from other machines.
- Routing non-VPN traffic:
  - To send all client traffic through the VPN, enable IP forwarding on an exit node and NAT its outgoing traffic (iptables/nftables masquerade); on clients, route everything via the exit node's VPN address while keeping a host route to the exit node's public address via the original gateway, so the tunnel does not swallow its own encrypted packets.
- DNS:
  - Configure resolvers from tinc-up (resolvectl, or writing resolv.conf) or point clients at an internal DNS server reachable over the VPN; tinc itself does not push DNS settings.
- Security hardening:
  - Use 4096-bit RSA keys (tinc 1.1 also uses Ed25519), keep rsa_key.priv root-owned with mode 0600, rotate keys by regenerating them and redistributing the host file, and run a current tinc release. Tinc has no user accounts: anyone holding a node's private key is that node, so treat the key like an SSH host key.
- Dynamic peers:
  - For larger networks, distribute host files with configuration management (Ansible, Salt) or a version-controlled repository. Private keys stay on their nodes; what the distribution channel must protect is integrity, since a tampered host file inserts an attacker-controlled peer, so sign or review every change.
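The exit-node and client halves of the "route everything through the VPN" setup, written as a tinc-up script. This is an added example and not tinc project code. tincd supplies $INTERFACE; ROLE, EXIT_VPN_IP, EXIT_PUBLIC_IP, VPN_NET, VPN_PREFIX, WAN_IF, LOCAL_VPN_IP and GATEWAY are placeholder variables invented for this example, and DRY_RUN=1 prints the ip/nft commands instead of running them. It assumes nftables on the exit node and handles IPv4 only; DNS is left to the reader.

```shell
#!/bin/sh
# tinc-up for routing all client traffic through an exit node. Added example,
# not tinc's own code. tincd sets $INTERFACE; the rest are placeholders set in
# the environment or at the top of this file:
#   ROLE=exit|client  EXIT_VPN_IP=10.0.0.1  EXIT_PUBLIC_IP=198.51.100.10
#   VPN_NET=10.0.0.0/24  VPN_PREFIX=24  WAN_IF=eth0  LOCAL_VPN_IP=10.0.0.2
# DRY_RUN=1 prints the commands instead of executing them (root needed otherwise).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Exit node: bring up the tunnel, enable forwarding, and NAT client traffic out
# of the WAN interface. Forwarding is limited to VPN->WAN plus return traffic.
# The policy drop applies to every forwarded packet on this host, so merge these
# rules into an existing ruleset if the box already forwards other traffic.
exit_node_up() {
    run ip link set "$INTERFACE" up
    run ip addr add "$EXIT_VPN_IP/$VPN_PREFIX" dev "$INTERFACE"
    run sysctl -q -w net.ipv4.ip_forward=1
    run nft add table ip tincnat
    run nft add chain ip tincnat postrouting '{ type nat hook postrouting priority srcnat; }'
    run nft add rule ip tincnat postrouting ip saddr "$VPN_NET" oifname "$WAN_IF" masquerade
    run nft add chain ip tincnat forward '{ type filter hook forward priority filter; policy drop; }'
    run nft add rule ip tincnat forward iifname "$INTERFACE" oifname "$WAN_IF" accept
    run nft add rule ip tincnat forward iifname "$WAN_IF" oifname "$INTERFACE" ct state established,related accept
}

# Client: send all traffic into the tunnel without breaking the tunnel itself.
client_up() {
    run ip link set "$INTERFACE" up
    run ip addr add "$LOCAL_VPN_IP/$VPN_PREFIX" dev "$INTERFACE"
    # The exit node's public address must keep using the real gateway; otherwise
    # tinc's own encrypted packets would be routed into the tunnel they carry.
    gw=${GATEWAY:-$(ip -4 route show default | awk '{ print $3; exit }')}
    run ip route add "$EXIT_PUBLIC_IP/32" via "$gw"
    # Two /1 routes beat the existing /0 default by longest-prefix match and
    # leave it intact, so tinc-down only has to delete these three routes.
    run ip route add 0.0.0.0/1 via "$EXIT_VPN_IP" dev "$INTERFACE"
    run ip route add 128.0.0.0/1 via "$EXIT_VPN_IP" dev "$INTERFACE"
}

case ${ROLE:-} in
    exit)   exit_node_up ;;
    client) client_up ;;
esac
```

Install it as /etc/tinc/mymesh/tinc-up with ROLE and the addresses set at the top; the matching tinc-down deletes the three routes on clients and the tincnat table on the exit node. Test with DRY_RUN=1 first and check that the /32 host route is printed before the two /1 routes; if the order is wrong, the client loses its tunnel the moment the catch-all routes go in.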
Troubleshooting common issues
- Peers don't connect:
  - Check the Address and Port in the peer's host file and confirm port forwarding (TCP and UDP) on NAT routers; make sure at least one side has a ConnectTo for the link.
  - Ensure the firewall allows the port and both protocols.
  - Run tincd in the foreground with debugging (tincd -n mymesh -D -d3) on both sides and use tcpdump/wireshark to verify packets reach the peer.
- Incorrect IP/routing:
  - Verify tun interface addresses with ip addr.
  - Use ip route to inspect routing tables.
  - In router mode tinc only forwards to addresses announced by Subnet lines; if the link is up but pings never arrive, the usual cause is a missing or wrong Subnet in a host file.
- Permission/ownership problems:
  - /etc/tinc/<netname>/ and its files must be readable by root (tincd runs as root by default), and rsa_key.priv should be mode 0600 and root-owned.
  - tinc-up and tinc-down must be executable, or the interface comes up without an address.
- Key mismatch or missing public key:
  - Confirm each host file contains the public key matching that node's current rsa_key.priv. Regenerating keys on a node invalidates every copy of its host file, so redistribute it afterwards.
- Performance problems:
- Check CPU usage (encryption can be CPU-heavy), try enabling/disabling compression, or adjust MTU.
Example: Adding a third node
- On nodeC, create tinc.conf with Name = nodeC and ConnectTo = nodeA (or any node with a public address), generate keys, and create hosts/nodeC with its public address (if it has one), Subnet = 10.0.0.3/32 and its public key; give it a tinc-up assigning 10.0.0.3/24.
- Copy nodeC's host file to the hosts/ directory on nodeA and nodeB; copy nodeA's and nodeB's host files to nodeC.
- Reload the configuration on each node (tinc 1.0 rereads tinc.conf and the host files on SIGHUP) or restart:
sudo tincd -n mymesh -kHUP
sudo systemctl restart tinc@mymesh
- Verify mesh connectivity (ping every node from every node; the graph dump shows whether nodeB and nodeC talk directly or are relayed through nodeA).
Backup and maintenance
- Back up /etc/tinc/<netname>/ including rsa_key.priv, and store the backup encrypted: whoever holds the private key is that node.
- Keep Tinc updated to patch security issues.
- Periodically audit host files to remove stale entries (a retired node's key still grants access until its host file is deleted from every node) and rotate keys if needed.
When not to use Tinc
- If you require centralized access control, user-level authentication, or per-user VPN sessions, consider solutions like OpenVPN or WireGuard with management layers.
- For extremely high-throughput, low-latency requirements in data center fabrics, specialized SD-WAN or hardware VPNs may be more appropriate.
Tinc is powerful for building flexible, encrypted, peer-to-peer VPNs that scale from a couple of hosts to larger meshes. With careful planning around addressing, NAT, and key distribution, you can create a robust and private network that routes traffic securely between your sites.