On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
> I use the Tinc 1.0 series since I don't want to support my
> own packages.
<snip>
> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
> what I still use. Since then . . .

Ok. I think I'll start with the 1.0 series packages that are already
out there and get them working.

and on Tue, Jan 27, 2015, Lance wrote:
> The scripts used to create these binaries are here if you'd like to recreate
> them.
> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
> https://github.com/lancethepants/tinc-arm-musl-static

Thanks. I'll start playing with those once I succeed (or otherwise)
with the pre-packaged stuff.

On Tue, Jan 27, 2015 at 10:12 AM, Sandy McArthur Jr <sandy at mcarthur.org> wrote:
> Jonathan,
> I really like OpenWrt. I've deployed Tinc on ~12 routers with OpenWrt
> installed. I use the Tinc 1.0 series since I don't want to support my
> own packages.
>
> OpenWrt has a nice unified configuration system. Tinc has a nice
> configuration directory structure. What OpenWrt has done to merge
> these two concepts over complicates things, and generally sucks.
>
> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
> what I still use. Since then I wrote the script below to help automate
> adding of new hosts in a network.
>
> A tip I've found when putting tinc on your gateway device is to bind
> to several ports so you have options with mobile devices when they are
> behind firewalls that block low ports. I tend to use 655 (tinc), 1194
> (openvpn), 65500 (tinc * 100 so it's a high port number). Be careful
> how you use this as some older versions of Tinc on OpenWrt crash on
> startup when the .../NETWORK/hosts/NODENAME file lists multiple
> "Address = .... : [port]" lines.
>
> Also, I like to have a backup method to find and remote to an OpenWrt
> device (ddns and ssh) but if you allow ssh from the internet to your
> gateway, it will get slammed on with logins by brute force all the
> time. This is a good reason to make use of SSH-Keys and disallow
> password authentication in the Dropbear config (option
> RootPasswordAuth 'off').
>
> Finally, some of my Tinc deployments are at locations that are not
> staffed by technical people and would take me 3+ hours to travel to. I
> now always configure these devices to daily reboot and they often have
> a second Tinc network configured with a minimal, known good config
> that doesn't change that I can use to remotely admin and fix the main
> Tinc network config if I botch it up.
>
>
> #!/bin/sh
>
> # Register every host file found under /etc/tinc/NETWORK/hosts/ as a
> # uci "tinc-host" section, unless a section of that name already exists
> for network in /etc/tinc/*/
> do
>   netname=$(basename "$network")
>   echo "Tinc Network Name: $netname"
>
>   for host in /etc/tinc/"$netname"/hosts/*
>   do
>     hostname=$(basename "$host")
>     echo "Tinc Network $netname Host: $hostname"
>
>     # -q keeps uci quiet about missing entries; a non-zero exit status
>     # means no section for this host exists yet
>     if ! uci -q get "tinc.$hostname" >/dev/null
>     then
>       uci set "tinc.$hostname=tinc-host"
>       uci set "tinc.$hostname.net=$netname"
>       uci set "tinc.$hostname.enabled=1"
>       uci commit
>     fi
>
>   done # for host
>
> done # for network
>
> On Mon, Jan 26, 2015 at 6:39 PM, Jonathan Clark
> <tinc-list at heyjonathan.com> wrote:
>> Greetings.
>>
>> I'm new to tinc, but have so far managed to get a couple laptops and a
>> hosted server all connected. They're working as expected, running
>> Tinc 1.1-pre11, which I compiled from source.
>>
>> Next I want to move on to adding my home router into the mix. My
>> routers run OpenWRT. I don't have experience compiling anything from
>> source for OpenWRT, but OpenWRT has Tinc 1.0.25 prepackaged.
>>
>> With that in mind, which direction should I move next? I think my options are:
>>
>> (option a)
>> Switch my existing/working Tinc setup to using RSA keys (instead of
>> Ed25519) so they can talk to the 1.0.25 packages available on OpenWRT,
>> and then go on to figure out how to get the already-packaged Tinc
>> 1.0.25 working on my router.
>>
>> or
>> (option b)
>> Take a detour and learn how to cross-compile things for OpenWRT. Use
>> this new knowledge to install Tinc 1.1pre11 onto my router. Feel
>> accomplished.
>>
>> or something else?
>>
>> I'm exploring this mainly for the fun of figuring it out, so there's
>> no deadline or even a business reason to succeed. Does that suggest I
>> should tackle option a, and then go ahead and try option b, resulting
>> in twice the fun and sense of accomplishment?
>>
>> And, overall, how difficult are each of these options?
>>
>> Thanks, by the way, for all your work. From what I've seen so far,
>> this project is pretty impressive.
>>
>> Jonathan
>> Kingston, New York, USA
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
>
> --
> Sandy McArthur, Jr.
>
> "No nation could preserve its freedom in the midst of continual warfare."
> - Letters and Other Writings of James Madison (1865), Vol. IV, p. 491
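Sandy's caveat above, that older OpenWrt tinc builds crash at startup when a hosts/NODENAME file lists more than one Address line, is the kind of thing worth checking before restarting tincd on a remote, unstaffed router. The following pre-flight lint is an added example, not a script from the thread or from the tinc or OpenWrt projects; it assumes the standard /etc/tinc/NETNAME/hosts/NODENAME layout and builds its own sample tree so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): lint tinc host files for the
# multiple-"Address" layout that older OpenWrt tinc builds choke on.
# Assumed layout: ROOT/<netname>/hosts/<nodename>, ROOT defaulting to /etc/tinc.

# Print how many Address directives a host file contains. tinc keys are
# case-insensitive; "|| :" keeps grep's exit 1 on zero matches from aborting
# a caller running under "set -e".
count_address_lines() {
    grep -c -i '^[[:space:]]*Address[[:space:]]*=' "$1" || :
}

# Return 0 if every host file under ROOT has at most one Address line,
# 1 otherwise; offenders go to stderr as "netname/nodename: N Address lines".
lint_tinc_hosts() {
    root="${1:-/etc/tinc}"
    status=0
    for net in "$root"/*/; do
        [ -d "$net/hosts" ] || continue
        netname=$(basename "$net")
        for hostfile in "$net/hosts"/*; do
            [ -f "$hostfile" ] || continue
            n=$(count_address_lines "$hostfile")
            if [ "$n" -gt 1 ]; then
                echo "$netname/$(basename "$hostfile"): $n Address lines" >&2
                status=1
            fi
        done
    done
    return "$status"
}

# Constructed sample tree (not a real deployment) so the lint runs offline:
# "laptop" is fine, "gateway" has the two-port layout that trips old builds.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/vpn/hosts"
    printf 'Address = gw.example.invalid 655\nPort = 655\n' \
        > "$dir/vpn/hosts/laptop"
    printf 'Address = gw.example.invalid 655\nAddress = gw.example.invalid 65500\nSubnet = 10.0.0.1/32\n' \
        > "$dir/vpn/hosts/gateway"
    echo "$dir"
}
```

On a router you would call `lint_tinc_hosts` with no argument (or with /etc/tinc) from the init script before starting tincd, and keep a single Address line per host file on builds known to be affected.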
Hello Jonathan,

I will probably make a tinc 1.1 OpenWrt package soon. I am already
maintainer for the 1.0 package.

If you want to read about how to make the package there is this very
good documentation:

http://wiki.prplfoundation.org/wiki/Creating_an_OpenWrt_package_for_a_web_page

Saverio

2015-01-29 19:02 GMT+01:00 Jonathan Clark <tinc-list at heyjonathan.com>:
> On Tue, Jan 27, 2015, Sandy McArthur Jr wrote:
>> I use the Tinc 1.0 series since I don't want to support my
>> own packages.
> <snip>
>> I wrote most of http://wiki.openwrt.org/doc/howto/vpn.tinc and that is
>> what I still use. Since then . . .
>
> Ok. I think I'll start with the 1.0 series packages that are already
> out there and get them working.
>
> and on Tue, Jan 27, 2015, Lance wrote:
>> The scripts used to create these binaries are here if you'd like to recreate
>> them.
>> https://github.com/lancethepants/tinc-mipsel-static/blob/master/tinc.sh
>> https://github.com/lancethepants/tinc-arm-musl-static
>
> Thanks. I'll start playing with those once I succeed (or otherwise)
> with the pre-packaged stuff.
Hey Saverio,

I'd really like the idea of a tinc-1.1-pre package for OpenWRT. I'm
currently using tinc-1.1 with an Ed25519-only network, really like the
new features and CLI and want to add some OpenWRT routers into the mix.

How do you plan to handle things with OpenSSL? tinc-1.1 from git should
be able to compile without it (but will then only support the built-in
algorithms). Depending on device restrictions, such a version could also
be very interesting.

Florian

On 30.01.2015 at 14:46, Saverio Proto wrote:
> Hello Jonathan,
>
> I will probably make a tinc 1.1 OpenWrt package soon. I am already
> maintainer for the 1.0 package.
>
> If you want to read about how to make the package there is this very
> good documentation:
>
> http://wiki.prplfoundation.org/wiki/Creating_an_OpenWrt_package_for_a_web_page
>
> Saverio