Greetings.

I'm new to tinc, but have so far managed to get a couple laptops and a hosted server all connected. They're working as expected, running Tinc 1.1-pre11, which I compiled from source.

Next I want to move on to adding my home router into the mix. My routers run OpenWRT. I don't have experience compiling anything from source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.

With that in mind, which direction should I move next? I think my options are:

(option a) Switch my existing/working Tinc setup to using RSA keys (instead of Ed25519) so they can talk to the 1.0.25 packages available on OpenWRT, and then go on to figure out how to get the already-packaged Tinc 1.0.25 working on my router.

or

(option b) Take a detour and learn how to cross-compile things for OpenWRT. Use this new knowledge to install Tinc 1.1pre11 onto my router. Feel accomplished.

or something else?

I'm exploring this mainly for the fun of figuring it out, so there's no deadline or even a business reason to succeed. Does that suggest I should tackle option a, and then go ahead and try option b, resulting in twice the fun and sense of accomplishment?

And, overall, how difficult is each of these options?

Thanks, by the way, for all your work. From what I've seen so far, this project is pretty impressive.

Jonathan
Kingston, New York, USA
I'm a heavy tinc/router enthusiast. I have a few binaries (tinc 1.1pre11) I've created for use in mipsel and arm routers, available at the following:

http://files.lancethepants.com/Binaries/tinc/

Statically compiled, and they should work (unless perhaps you're using an older MIPSR1 mipsel router, which needs an older toolchain).

The scripts used to create these binaries are here if you'd like to recreate them:

https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
https://github.com/lancethepants/tinc-arm-musl-static

The mipsel binaries use the entware toolchain, which in turn I believe is borrowed from openwrt. The arm binaries are created from a musl libc toolchain I like, also referenced on github.

I like tinc so much I made an integration with gui into builds of tomato firmware. I've provided some firmware images for mipsel devices, also available on my site (the first link). Tomato shibby has added my tinc gui into his mipsel and arm builds, but hasn't caught up with my 1.1pre11 changes as of yet. More info and screenshots at the following link:

http://www.linksysinfo.org/index.php?threads/tinc-mesh-vpn-beta-testing.70257/

Code for this project at the following links:

https://github.com/lancethepants/Toastman-Tinc
https://github.com/lancethepants/Toastman-Tinc-MIPSR1

On 1/26/2015 4:39 PM, Jonathan Clark wrote:
> <snip>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Jonathan,

I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt installed. I use the Tinc 1.0 series since I don't want to support my own packages.

OpenWrt has a nice unified configuration system. Tinc has a nice configuration directory structure. What OpenWrt has done to merge these two concepts overcomplicates things, and generally sucks.

I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is what I still use. Since then I wrote the script below to help automate adding of new hosts in a network.

A tip I've found when putting tinc on your gateway device is to bind to several ports so you have options with mobile devices when they are behind firewalls that block low ports. I tend to use 655 (tinc), 1194 (openvpn), 65500 (tinc * 100 so it's a high port number). Be careful how you use this as some older versions of Tinc on OpenWrt crash on startup when the .../NETWORK/hosts/NODENAME file lists multiple "Address = .... : [port]" lines.

Also, I like to have a backup method to find and remote to an OpenWrt device (ddns and ssh), but if you allow ssh from the internet to your gateway, it will get slammed with logins by brute force all the time. This is a good reason to make use of SSH keys and disallow password authentication in the Dropbear config (option RootPasswordAuth 'off').

Finally, some of my Tinc deployments are at locations that are not staffed by technical people and would take me 3+ hours to travel to. I now always configure these devices to reboot daily, and they often have a second Tinc network configured with a minimal, known good config that doesn't change, which I can use to remotely admin and fix the main Tinc network config if I botch it up.

#!/bin/sh
# Register every host file under /etc/tinc/*/hosts/ with OpenWrt's uci
# config as a tinc-host section, skipping hosts that are already there.
for network in /etc/tinc/*/
do
    netname=$(basename "$network")
    echo "Tinc Network Name: $netname"

    for host in /etc/tinc/"$netname"/hosts/*
    do
        hostname=$(basename "$host")
        echo "Tinc Network $netname Host: $hostname"

        # "uci get" exits non-zero (and prints an error) when the section
        # does not exist yet; test its exit status rather than its output.
        if ! uci get "tinc.$hostname" >/dev/null 2>&1
        then
            uci set "tinc.$hostname=tinc-host"
            uci set "tinc.$hostname.net=$netname"
            uci set "tinc.$hostname.enabled=1"
            uci commit
        fi
    done # for host
done # for network

On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark <tinc-list at heyjonathan.com> wrote:
> <snip>

--
Sandy McArthur, Jr.

"No nation could preserve its freedom in the midst of continual warfare."
- Letters and Other Writings of James Madison (1865), Vol. IV, p. 491
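As an added example that is not part of Sandy's post or the tinc project, here is a small POSIX sh audit of a tinc hosts/ directory for the two pitfalls this thread raises: a host file that carries only an Ed25519 key (which the 1.0.25 package cannot talk to) and one that lists several Address lines (which crashes some older OpenWrt tinc builds on startup). The hosts/ layout, the sample host files and the verdict names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or the tinc project): audit a tinc
# hosts/ directory. A host file with only an Ed25519PublicKey cannot be used
# by a tinc 1.0.25 node, and a file with several "Address =" lines crashes
# some older OpenWrt tinc builds. Layout assumed: .../NETNAME/hosts/NODENAME.

# Verdict for one host file (printed; exit status is always 0):
#   rsa-ok        RSA public key, at most one Address line
#   rsa-multi     RSA public key, several Address lines (check your build)
#   ed25519-only  no RSA key, so only tinc 1.1 nodes can talk to it
#   no-key        neither key present
audit_host() {
    addrs=$(grep -c '^[[:space:]]*Address[[:space:]]*=' "$1" || true)
    rsa=$(grep -c 'BEGIN RSA PUBLIC KEY' "$1" || true)
    ed=$(grep -c '^[[:space:]]*Ed25519PublicKey[[:space:]]*=' "$1" || true)
    if [ "$rsa" -eq 0 ] && [ "$ed" -eq 0 ]; then echo no-key
    elif [ "$rsa" -eq 0 ]; then echo ed25519-only
    elif [ "$addrs" -gt 1 ]; then echo rsa-multi
    else echo rsa-ok
    fi
}

# Number of hosts in a hosts/ directory that a tinc 1.0 node cannot use.
count_unusable_for_1_0() {
    n=0
    for h in "$1"/*; do
        case $(audit_host "$h") in no-key|ed25519-only) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Constructed sample host files; the key bodies are placeholders, not keys.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/hosts"
printf 'Address = gw.example.net 655\nAddress = gw.example.net 65500\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' > "$DEMO/hosts/gateway"
printf 'Address = laptop.example.net\nEd25519PublicKey = PLACEHOLDER\n' > "$DEMO/hosts/laptop"
printf 'Address = srv.example.net 655\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' > "$DEMO/hosts/server"

for h in "$DEMO"/hosts/*; do
    echo "$(basename "$h"): $(audit_host "$h")"
done
echo "hosts unusable by tinc 1.0: $(count_unusable_for_1_0 "$DEMO/hosts")"
```

Point it at a real /etc/tinc/NETNAME/hosts directory to see which hosts need an RSA key before a 1.0.25 router can join, and which ones you may need to trim to a single Address line on an older build.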
On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
> I use the Tinc 1.0 series since I don't want to support my
> own packages.
<snip>
> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
> what I still use. Since then . . .

Ok. I think I'll start with the 1.0 series packages that are already out there and get them working.

and on Tue, Jan 27, 2015, Lance wrote:
> The scripts used to create these binaries are here if you'd like to recreate
> them.
> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
> https://github.com/lancethepants/tinc-arm-musl-static

Thanks. I'll start playing with those once I succeed (or otherwise) with the pre-packaged stuff.

On Tue, Jan 27, 2015 at 10:12 AM, Sandy McArthur Jr <sandy at mcarthur.org> wrote:
> <snip>