On Mon, Jan 12, 2015 at 08:40:31AM -0600, md at rpzdesign.com wrote:
> Here is some examples of using templates for TINC configurations and
> settings:
[...]> Now your only configuration file is your STARTUP SCRIPT! Yeah, a single
> file to manage and its fully parameterized.
If the script you wrote works for you, then of course just use it.
I'll just give some comments about it, feel free to disregard any of it.
First, it is not just a single file to manage. You have your templates
as well. Although you could put those in the script (I'll explain
below).
> In your startup script, BEFORE starting TINC VPN, put a number of entries
to
> configure your VPN:
>
> sh ./templatewriter.sh LAN LOSI101 8540 255.255.255.0 0.0.0.0 10.99.0.11
> 10.98.0.11 ConnectTo=LOSI102 ConnectTo= ConnectTo
It's of course very nice to have a single command that sets up
everything you want in one go. The problem is always to make this work
for everybody. Your script sets a few specific parameters, which may or
may not work for others. It might also be hard to remember which
parameters to give and in which order.
In tinc 1.1, there is a simple command to set up a very basic
configuration:
tinc -n <netname> init [name]
Where [name] is optional, if you don't specify it, it will ask you for a
name to give the local node. It creates tinc.conf, the hosts/ directory,
an empty tinc-up file and it generates keys. Further configuration can
be done by other commands, such as:
tinc -n <netname> set Port 12345
tinc -n <netname> add ConnectTo foo
tinc -n <netname> edit tinc-up
If this is tedious to type, you can set the NETNAME environment variable
so you don't have to specify -n <netname>, and you can even pipe
commands in via stdin. For example:
export NETNAME=<netname>
tinc << EOF
init
set Port 12345
add ConnectTo foo
edit tinc-up
EOF
You could avoid using templates if you use that feature of tinc 1.1. If
you use tinc 1.0, or still want to use templates for something, you can
put the template in the script and avoid using sed altogether, like so:
VAR=value
cat >/tinc/$SDIR/somefile << EOF
# This is an example file.
Variable = $VAR
EOF
> #READING IN THE RSA AND 25519 KEYS CAUSES ALL SORTS OF HEADACHES WITH SED
> #JUST KEEP THEM IN THE TEMPLATES AS IS
> #RSAKEY=$(cat "/tinc/rsa_key.pub")
> #ED25519KEY=$(cat "/tinc/ed25519_key.pub")
If you put keys in your template, I guess you are using the same key for
all nodes. This only works if you control all nodes. Even then, if one
node is compromised, all nodes are. You are also copying private keys
over, so now you also have to worry about doing that securely. I would
rather recommend having each node generate its own keys.
Tinc 1.1 allows you to programatically exchange public keys. The most
direct way is using tinc import, export and/or exchange. For example, if
you can access another node via SSH, then:
tinc -n <netname> export | ssh user at remotenode sudo tinc -n
<netname> exchange | tinc -n <netname> import
Will cause the local node and to exchange each other's public keys, and
put them in the right place. More information about that is in the
manual.
There is also the invite/join mechanism, where one node can generate an
invitation URL which you can pass along to another node, which can then
use this invitation URL to set itself up (no need to run tinc init
first) and exchange keys with the first node. An example:
ssh user at remotenode sudo tinc join `tinc -n <netname> invite foo`
> ######TINC-CONF.template
> Name=VARNODENAME
> ListenAddress=VARLISTIP VARPORT
> VARCONN1
> VARCONN2
> VARCONN3
> AddressFamily = ipv4
> Broadcast = no
> Forwarding = internal
> Hostnames = no
> ExperimentalProtocol = yes
> Device = /dev/net/tun
> Ed25519APrivateKeyFile=/tinc/Ed25519_key.priv
> PrivateKeyFile=/tinc/rsa_key.priv
Note that many options here are redundant, and some restrict
functionality needlessly. Of course, if you explicitly want all these
settings, that is fine, but if others want to do something similar, I
suggest setting only these:
Name = <name>
AutoConnect = yes
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20150112/73276890/attachment.sig>