Tinc-Konfiguration für ein Freifunk-Netz in einer Region, hier am Beispiel Stuttgart und Umkreis. OLSR wird durch den Tunnel genutzt.
- ipkg update
- ipkg install tinc
- mkdir /etc/tinc
- mkdir /etc/tinc/stuttgart
- mkdir /etc/tinc/stuttgart/hosts
- vi /etc/tinc/stuttgart/tinc.conf
# Short name of this router/computer (must match its file under hosts/,
# which is where tincd -K writes the public key below)
Name = weinstadt1
# Peers to try to connect to
# NOTE(review): the first ConnectTo names this node itself (see Name
# above); tinc cannot connect to itself, so the entry is at best ignored —
# presumably another peer was meant; confirm.
ConnectTo = weinstadt1
ConnectTo = S_Gablenberg_1
# Location of the private key — never hand this file to anyone;
# only the public host file under hosts/ is exchanged with peers.
# NOTE(review): the key generated in this guide (tincd -K, see its output
# below) is 1024-bit RSA, which is weak by current standards; tincd -K
# accepts a larger bit count for new deployments.
PrivateKeyFile = /etc/tinc/stuttgart/rsa_key.priv
# Operating mode of the VPN (Switch: all nodes share one layer-2 segment)
Mode = Switch
# Timeout, optional
PingTimeout = 30
# Only needed when tinc must be reachable behind a router
# (TCPOnly forces all traffic over TCP; keep the firewall add-on below in sync)
#TCPOnly = yes
#BlockingTCP=yes
# Use an alternative port instead of the default 655
Port = 8656
- vi /etc/tinc/stuttgart/tinc-up
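#!/bin/sh
# tinc-up: run by tincd once the "stuttgart" tunnel interface exists.
# tincd exports the interface name as $INTERFACE; this script assigns
# the node's mesh address and brings the interface up so OLSR can use it.

# Refuse to run with an empty interface name instead of handing ip(8)
# a malformed command line (e.g. when started by hand).
: "${INTERFACE:?INTERFACE not set (tincd sets it when running tinc-up)}"

# Mesh address of this node. The broadcast address spans 172.21.0.0/16
# rather than the /24 — presumably deliberate so OLSR broadcasts reach the
# whole Freifunk net; verify against the other nodes' tinc-up.
ip addr add dev "$INTERFACE" 172.21.84.235/24 broadcast 172.21.255.255
ip link set dev "$INTERFACE" up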
- chmod +x /etc/tinc/stuttgart/tinc-*
- tincd -n stuttgart -K
Generating 1024 bits keys: ................++++++ p ...................++++++ q Done. Please enter a file to save private RSA key to [/etc/tinc/stuttgart/rsa_key.priv]: Please enter a file to save public RSA key to [/etc/tinc/stuttgart/hosts/weinstadt1]:
- vi /etc/tinc/stuttgart/hosts/weinstadt1
Address = mail6.albi.info
Address = server.albi.xipx.de
Address = albi.dyndns.info
Port = 8656
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAKe+pEuYsGXl6/tUDqc1/ZUE/3jK/IumPIljMBZr+cDB2G2DRGIKzkK1
1rM9BBusMIrhubmXz35FGY1Fx/CBt4RzbFbujdBdkK0eXm0D9dSNAugXenAsu0bB
64zkp5WuCQNaYgYXs37u5vAj08/ReY9HPPLcKClsY77L5KB28TEHAgMBAAE=
-----END RSA PUBLIC KEY-----
- Kopiere den Public Key (nur die Datei aus /etc/tinc/stuttgart/hosts/, nicht rsa_key.priv) zu deinem Gegenüber und kopiere seine Host-Datei zu dir ins hosts-Verzeichnis
- tincd -n stuttgart --debug=3
- logread
- OLSR für VPN aktivieren: vi /etc/local.olsrd.conf
Interface "stuttgart"
{
  HelloInterval 15.0
  HelloValidityTime 90.0
  TcInterval 2.0
  TcValidityTime 270.0
  MidInterval 15.0
  MidValidityTime 90.0
  HnaInterval 15.0
  HnaValidityTime 90.0
  LinkQualityMult default 0.3
}
Hier nochmals alle Public Keys der Knoten, die beim VPN stuttgart mitmachen
# cat weinstadt1
Address = mail6.albi.info
Address = albi.dyndns.info
Port = 8656
Subnet = 172.21.255.84/32
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAKe+pEuYsGXl6/tUDqc1/ZUE/3jK/IumPIljMBZr+cDB2G2DRGIKzkK1
1rM9BBusMIrhubmXz35FGY1Fx/CBt4RzbFbujdBdkK0eXm0D9dSNAugXenAsu0bB
64zkp5WuCQNaYgYXs37u5vAj08/ReY9HPPLcKClsY77L5KB28TEHAgMBAAE=
-----END RSA PUBLIC KEY-----
# cat weinstadt241
Port = 8656
Subnet = 172.21.255.241/32
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAJSmO/+R3gvHLim26knI9g8Dqn/AIyPxeUgp76F4kSeeInsyYOh1ThEf
FfadvKrEb98pM8V0XDGVUAC/MVdWqL0NBdfGZrAnW+tix7kHKRORi1+utxjSrnIU
rJJ3Da42D+HKbItX6z13gP/AGPZFc1TUX2K7DYnlx3hR05Y+bMqlAgMBAAE=
-----END RSA PUBLIC KEY-----
# cat S_Gablenberg_1
Address = lairddave.no-ip.org
Port = 8656
Subnet = 172.21.255.186
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwp2GCxZ5dOGwJy9hNVt7D3YGNRKELVMtSgl5dACSQm7w9lWvcHAF
BzEJ7z1GTeQA5rSkLu0TA3YI2Y7Lj9LZuwPJyZ3XVanuYtyWxMEupPRKBs0x/Ts+
tApMdAMiP04LtUBb6z+ae5TkCoukugYQeVMW3oDzbUcDkVT8g5q7dRwJZ3vRsnws
DtleAEHly2/8s7Sh7hDd/MyH7KMILEonLA34v6q00JGm52IUrDSzxo3eAebsKKU6
GW2oP2wndMIoM9a8l3KjIn9yLuQk2DF02dhhU+Tu6kFiFSdRuHneYLt4d8QRJHnQ
tmImc+EWYP2O4wBu22KwEAlL2DnkGWtgxwIDAQAB
-----END RSA PUBLIC KEY-----
Alte Sachen, die nicht mehr benötigt werden
- Automatischer Start: vi /etc/init.d/S52tincd
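#!/bin/sh
# /etc/init.d/S52tincd — start or stop one tincd per Freifunk VPN listed
# in NETS. Usage: S52tincd start|stop|restart
# Firmware helper library; no function from it is referenced below, it is
# sourced for compatibility with the other init scripts.
. /etc/functions.sh

# Space-separated tinc network names (each has its own /etc/tinc/<name>/).
NETS="stuttgart"

#######################################
# Launch one daemon per network, echoing each name on the status line.
#######################################
tinc_start() {
  printf '%s' "Starting tinc:"
  # Word-splitting of $NETS is intentional: it is a list of names.
  for net in $NETS; do
    printf ' %s' "$net"
    # --debug=3 is verbose; the guide relies on logread for diagnosis.
    tincd -n "$net" --debug=3
  done
  printf '.\n'
  # Presumably gives the daemons time to settle before later init scripts
  # (e.g. OLSR) touch the tunnel interface — confirm.
  sleep 2
}

#######################################
# Ask every running daemon to terminate.
#######################################
tinc_stop() {
  for net in $NETS; do
    tincd -n "$net" -k
  done
}

case "$1" in
  start)
    tinc_start
    ;;
  stop)
    tinc_stop
    ;;
  restart)
    tinc_stop
    tinc_start
    ;;
  *)
    printf 'Usage: %s start|stop|restart\n' "$0" >&2
    ;;
esac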
- Firewall anpassen (nur nötig wenn sie aktiviert ist): vi /etc/local.fw-tinc
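#!/bin/sh
# Place your firewall addons here or use /etc/local.fw-xxx
# configuration
#
# /etc/local.fw-tinc — firewall add-on for the tinc VPN(s) listed in NETS,
# called with "start" or "stop". WANDEV, LANDEV, LANNET and LANPRE are not
# set here; they are presumably provided by the firmware's firewall
# environment — confirm before reusing this script elsewhere.
NETS="stuttgart"

# Ports tincd may listen on: 655 is tinc's default, 8655:8659 covers the
# alternative "Port = 8656" used in tinc.conf above.
TINC_PORTS="655 8655:8659"

#######################################
# Open or close the tinc listening ports on the WAN interface.
# tinc carries its meta connection over TCP and (unless TCPOnly = yes)
# the tunnelled packets over UDP on the same port, so both protocols are
# allowed; opening TCP alone leaves tinc only its slower TCP fallback.
# Arguments: $1 - iptables operation (-A on start, -D on stop)
#######################################
wan_rules() {
  local op=$1 port
  : "${WANDEV:?WANDEV not set}"
  for port in $TINC_PORTS; do
    iptables "$op" INPUT -i "$WANDEV" -p tcp --dport "$port" -j ACCEPT
    iptables "$op" INPUT -i "$WANDEV" -p udp --dport "$port" -j ACCEPT
  done
}

#######################################
# Accept all traffic on the tunnel interface and between it and the LAN.
# Every packet arriving from the VPN is accepted unfiltered: the mesh
# peers are fully trusted, which is the Freifunk design, but it also means
# any node in the VPN reaches this router and the LAN directly.
# Arguments: $1 - iptables operation (-I on start, so the rules land ahead
#                 of the existing ones; -D on stop)
#            $2 - tunnel interface name
#######################################
tunnel_rules() {
  local op=$1 dev=$2
  : "${LANDEV:?LANDEV not set}"
  iptables "$op" OUTPUT -o "$dev" -j ACCEPT
  iptables "$op" INPUT -i "$dev" -j ACCEPT
  iptables "$op" FORWARD -o "$dev" -j ACCEPT
  iptables "$op" FORWARD -i "$dev" -j ACCEPT
  iptables "$op" FORWARD -i "$LANDEV" -o "$dev" -j ACCEPT
  iptables "$op" FORWARD -i "$dev" -o "$LANDEV" -j ACCEPT
}

#######################################
# Masquerade LAN traffic that leaves through the tunnel.
# Arguments: $1 - iptables operation (-A on start, -D on stop)
#            $2 - tunnel interface name
#######################################
nat_rules() {
  local op=$1 dev=$2
  : "${LANNET:?LANNET not set}" "${LANPRE:?LANPRE not set}"
  iptables -t nat "$op" POSTROUTING -o "$dev" -s "$LANNET/$LANPRE" -j MASQUERADE
}

case "$1" in
  start)
    wan_rules -A
    # $NETS word-splits on purpose; the tunnel interface carries the
    # network's name (as in the OLSR Interface block above).
    for TAPDEV in $NETS; do
      tunnel_rules -I "$TAPDEV"
      nat_rules -A "$TAPDEV"
    done
    ;;
  stop)
    wan_rules -D
    for TAPDEV in $NETS; do
      tunnel_rules -D "$TAPDEV"
      nat_rules -D "$TAPDEV"
    done
    ;;
  *)
    printf 'Usage: %s start|stop\n' "$0" >&2
    ;;
esac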