Hello,

I need to build a VPN, and I am not sure if tinc is the right tool to use. I am more familiar with OpenVPN.

I have a few boxes at home, behind a router with a dynamic IP address. Those boxes host some services, like web sites, for instance.

I have a server hosted online, with a few IPv4 and IPv6 addresses. All addresses being static, of course.

I am planning to use tinc on Debian, to "expose" the services hosted on these "home" boxes on IPv4/IPv6 addresses, using tinc VPN. The NAT would occur in the tunnel. I can write the nat/masquerade rules.

The big question is, does tinc need the two nodes have a static IP address ?

I don't want to modify the router configuration or to create nat rules in the home router.

Thanks,
André
Hi André,

So by nodes I assume you mean the "boxes". I would suggest each "box" gets its own tinc node (with a static ip) and then on the server it should be a matter of pointing at the ip address of the appropriate box tinc ip address.

I've done this myself with WireGuard and it works great.

On Mon, Nov 25, 2019 at 7:14 AM André Rodier <andre at rodier.me> wrote:
> Hello,
>
> I need to build a VPN, and I am not sure if tinc is the right tool to
> use. I am more familiar with OpenVPN.
>
> I have a few boxes at home, behind a router with a dynamic IP
> address. Those boxes host some services, like web sites, for instance.
>
> I have a server hosted online, with a few IPv4 and IPv6 addresses. All
> addresses being static, of course.
>
> I am planning to use tinc on Debian, to "expose" the services hosted on
> these "home" boxes on IPv4/IPv6 addresses, using tinc VPN. The NAT
> would occur in the tunnel. I can write the nat/masquerade rules.
>
> The big question is, does tinc need the two nodes have a static IP
> address ?
>
> I don't want to modify the router configuration or to create nat rules
> in the home router.
>
> Thanks,
> André
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Mon, 25 Nov 2019, André Rodier wrote:

> Hello,

Hi,

> I need to build a VPN, and I am not sure if tinc is the right tool to
> use. I am more familiar with OpenVPN.

I was an openvpn user before, too, but since I encountered tinc, I really much like it :-)

> I have a few boxes at home, behind a router with a dynamic IP
> address. Those boxes host some services, like web sites, for instance.
>
> I have a server hosted online, with a few IPv4 and IPv6 addresses. All
> addresses being static, of course.
>
> I am planning to use tinc on Debian, to "expose" the services hosted on
> these "home" boxes on IPv4/IPv6 addresses, using tinc VPN. The NAT
> would occur in the tunnel. I can write the nat/masquerade rules.
>
> The big question is, does tinc need the two nodes have a static IP
> address ?

No, tinc does not need *any* static ips (openvpn does not need any either) - as long as one host can be reached by whatever means (ddns can help here).

OTOH, it is convenient to have *one* static ip and let the other hosts connect to that one host by ip - pretty much like with openvpn.

But: tinc adds the advantage, that all clients will automatically try to send traffic to each other directly, so when you use the vpn in your local network, chances are good, that (besides the first few packages) no data packages will leave your home net at all. Note: this happens automatically and no additional configuration is needed from your side.

To put this in context to André's answer: (I think) he means the ips of the boxes *inside* tinc to be static - the outside ips can be dynamic and unknown.

> I don't want to modify the router configuration or to create nat rules
> in the home router.

From the router's view the home boxes are "clients" which have outgoing connections to your outside server (assuming that one does not reside behind a nat, too). All the routing/nat should happen at the outside server.

That is if you choose to run one tinc on each home box which will provide a service - in case you want (for whatever reason) to run only one tinc instance in your home net, that one will need to do some routing, too - obviously.

> Thanks,
> André

regards,
Erich
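The layout described in the reply above, as an added example that is not part of the original thread: a script that writes tinc 1.0 configuration for one public server and one home box. The netname `home`, the node names `server` and `box1`, the 10.99.0.0/24 VPN range and the 203.0.113.10 server address are all assumptions.

```shell
#!/bin/sh
# Added example (constructed values): tinc 1.0 files for netname "home".
# 203.0.113.10 is a documentation address standing in for the server's static IP;
# 10.99.0.0/24 is an assumed VPN-internal range.

# write_tinc_layout ROOT ROLE   (ROLE is "server" or "box1")
write_tinc_layout() {
    root=$1 role=$2
    case $role in
        server) vpn_ip=10.99.0.1 connect="" ;;
        box1)   vpn_ip=10.99.0.2 connect=server ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    net="$root/home"
    mkdir -p "$net/hosts"

    # Both machines hold the same two host files. Only the server's has an
    # Address line, because only its outside IP is static and reachable.
    cat > "$net/hosts/server" <<'EOF'
Address = 203.0.113.10
Subnet = 10.99.0.1/32
EOF
    # box1: no Address (dynamic IP behind NAT); its address inside the VPN
    # is still fixed by Subnet.
    cat > "$net/hosts/box1" <<'EOF'
Subnet = 10.99.0.2/32
EOF
    # Each host file must also end with that node's public key, generated
    # on the node itself with: tincd -n home -K

    # The home box dials out to the server; the server only listens.
    echo "Name = $role" > "$net/tinc.conf"
    [ -z "$connect" ] || echo "ConnectTo = $connect" >> "$net/tinc.conf"

    # tincd runs tinc-up with $INTERFACE set once the tunnel device exists.
    cat > "$net/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $vpn_ip/24 dev "\$INTERFACE"
EOF
    chmod 755 "$net/tinc-up"
}

# Stand-alone use: sh layout.sh /etc/tinc box1
if [ "$#" -eq 2 ]; then write_tinc_layout "$1" "$2"; fi
```

Because the home box only makes an outgoing connection, nothing has to change on the home router; the server is the only node that must accept inbound tinc traffic.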
Thanks, this is exactly what I wanted to know.

Kind regards,
André.
https://rodier.me/

25 Nov 2019 08:01:10 Martin <martinmoen at gmail.com>:
> Hi André,
> So by nodes I assume you mean the "boxes". I would suggest each "box" gets its own tinc node (with a static ip) and then on the server it should be a matter of pointing at the ip address of the appropriate box tinc ip address.
> I've done this myself with WireGuard and it works great.