Tinc configuration for a Freifunk network in a region, here using Stuttgart and its surroundings as the example. OLSR runs through the tunnel.
- ipkg update
- ipkg install tinc
- mkdir /etc/tinc
- mkdir /etc/tinc/stuttgart
- mkdir /etc/tinc/stuttgart/hosts
- vi /etc/tinc/stuttgart/tinc.conf
# Short name of this router/computer
Name = weinstadt1
# Try to connect to the following computers
# (a ConnectTo that names this node itself does nothing useful)
ConnectTo = weinstadt1
ConnectTo = S_Gablenberg_1
# Where the private key lives; never give it to anyone
PrivateKeyFile = /etc/tinc/stuttgart/rsa_key.priv
# Operating mode of the VPN
Mode = Switch
# Timeout, optional
PingTimeout = 30
# Only needed if tinc has to be reachable from behind a router
#TCPOnly = yes
#BlockingTCP=yes
# Use an alternative port instead of 655
Port = 8656
- vi /etc/tinc/stuttgart/tinc-up
#!/bin/sh
ip addr add dev $INTERFACE 172.21.84.235/24 broadcast 172.21.255.255
ip link set dev $INTERFACE up
- chmod +x /etc/tinc/stuttgart/tinc-*
- tincd -n stuttgart -K
Generating 1024 bits keys:
................++++++ p
...................++++++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/stuttgart/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/stuttgart/hosts/weinstadt1]:
- vi /etc/tinc/stuttgart/hosts/weinstadt1
Address = mail6.albi.info
Address = server.albi.xipx.de
Address = albi.dyndns.info
Port = 8656
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAKe+pEuYsGXl6/tUDqc1/ZUE/3jK/IumPIljMBZr+cDB2G2DRGIKzkK1
1rM9BBusMIrhubmXz35FGY1Fx/CBt4RzbFbujdBdkK0eXm0D9dSNAugXenAsu0bB
64zkp5WuCQNaYgYXs37u5vAj08/ReY9HPPLcKClsY77L5KB28TEHAgMBAAE=
-----END RSA PUBLIC KEY-----
- Copy the public key from /etc/tinc/stuttgart/hosts/ to your peer, and copy their file into your own hosts directory
- tincd -n stuttgart --debug=3
- logread
- Enable OLSR for the VPN: vi /etc/local.olsrd.conf
Interface "stuttgart"
{
    HelloInterval 15.0
    HelloValidityTime 90.0
    TcInterval 2.0
    TcValidityTime 270.0
    MidInterval 15.0
    MidValidityTime 90.0
    HnaInterval 15.0
    HnaValidityTime 90.0
    LinkQualityMult default 0.3
}
Once more, all public keys of the nodes taking part in the stuttgart VPN
# cat weinstadt1
Address = mail6.albi.info
Address = albi.dyndns.info
Port = 8656
Subnet = 172.21.255.84/32
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAKe+pEuYsGXl6/tUDqc1/ZUE/3jK/IumPIljMBZr+cDB2G2DRGIKzkK1
1rM9BBusMIrhubmXz35FGY1Fx/CBt4RzbFbujdBdkK0eXm0D9dSNAugXenAsu0bB
64zkp5WuCQNaYgYXs37u5vAj08/ReY9HPPLcKClsY77L5KB28TEHAgMBAAE=
-----END RSA PUBLIC KEY-----
# cat weinstadt241
Port = 8656
Subnet = 172.21.255.241/32
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAJSmO/+R3gvHLim26knI9g8Dqn/AIyPxeUgp76F4kSeeInsyYOh1ThEf
FfadvKrEb98pM8V0XDGVUAC/MVdWqL0NBdfGZrAnW+tix7kHKRORi1+utxjSrnIU
rJJ3Da42D+HKbItX6z13gP/AGPZFc1TUX2K7DYnlx3hR05Y+bMqlAgMBAAE=
-----END RSA PUBLIC KEY-----
# cat S_Gablenberg_1
Address = lairddave.no-ip.org
Port = 8656
Subnet = 172.21.255.186
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwp2GCxZ5dOGwJy9hNVt7D3YGNRKELVMtSgl5dACSQm7w9lWvcHAF
BzEJ7z1GTeQA5rSkLu0TA3YI2Y7Lj9LZuwPJyZ3XVanuYtyWxMEupPRKBs0x/Ts+
tApMdAMiP04LtUBb6z+ae5TkCoukugYQeVMW3oDzbUcDkVT8g5q7dRwJZ3vRsnws
DtleAEHly2/8s7Sh7hDd/MyH7KMILEonLA34v6q00JGm52IUrDSzxo3eAebsKKU6
GW2oP2wndMIoM9a8l3KjIn9yLuQk2DF02dhhU+Tu6kFiFSdRuHneYLt4d8QRJHnQ
tmImc+EWYP2O4wBu22KwEAlL2DnkGWtgxwIDAQAB
-----END RSA PUBLIC KEY-----
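The setup steps above (tinc.conf with its ConnectTo entries, key generation, exchanging hosts files by hand) and the list of hosts files just shown leave several things to check by eye: does every ConnectTo have a matching hosts file with an Address, does any ConnectTo point at the node itself (as the tinc.conf above does), do two nodes claim the same Subnet, how strong is each peer's RSA key, and is rsa_key.priv readable by anyone but root. The following checker is an added example and not code from the wiki page or from tinc itself; it relies only on tinc's documented "Key = value" file format and hosts/ directory layout. The public keys are copied verbatim from the hosts files above, the rest of the sample directory (a dummy private key with deliberately loose permissions) is constructed for the demonstration. The PKCS#1 parser also computes a SHA-256 fingerprint of each key, which is what peers should compare out of band when they exchange hosts files.

```python
"""Consistency check for a tinc net directory such as /etc/tinc/stuttgart. Added
example, not code from the wiki page or from tinc; it relies only on tinc's
documented 'Key = value' file format and the hosts/ directory layout."""
import base64
import hashlib
import os
import tempfile

def parse_tinc_file(text):
    """Return ({key: [values, ...]}, pem_base64) for a tinc.conf or hosts file."""
    conf, pem, in_pem = {}, [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-----"):  # PEM armour lines switch key mode on/off
            in_pem = line.startswith("-----BEGIN")
        elif in_pem:
            pem.append(line)
        elif line and not line.startswith("#") and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf.setdefault(key, []).append(value)  # keys like ConnectTo repeat
    return conf, "".join(pem)

def der_tlv(buf, i, tag):
    """Minimal DER reader: return (content bytes, index after the element)."""
    assert buf[i] == tag, "unexpected DER tag"
    length, i = buf[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return buf[i:i + length], i + length

def rsa_key_info(pem_b64):
    """PKCS#1 RSAPublicKey = SEQUENCE { INTEGER n, INTEGER e } -> (bits, e, sha256)."""
    der = base64.b64decode(pem_b64)
    seq, _ = der_tlv(der, 0, 0x30)
    n_bytes, i = der_tlv(seq, 0, 0x02)
    e_bytes, _ = der_tlv(seq, i, 0x02)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return n.bit_length(), e, hashlib.sha256(der).hexdigest()

def check_net(net_dir, min_bits=2048):
    """Return a list of findings for the tinc net in net_dir (empty = clean)."""
    findings = []
    with open(os.path.join(net_dir, "tinc.conf")) as f:
        conf, _ = parse_tinc_file(f.read())
    me = conf.get("Name", [""])[0]
    hosts = {}
    for name in sorted(os.listdir(os.path.join(net_dir, "hosts"))):
        with open(os.path.join(net_dir, "hosts", name)) as f:
            hosts[name] = parse_tinc_file(f.read())
    for peer in conf.get("ConnectTo", []):
        if peer == me:
            findings.append(f"ConnectTo {peer} names this node itself")
        elif peer not in hosts or "Address" not in hosts[peer][0]:
            findings.append(f"ConnectTo {peer} needs hosts/{peer} with an Address line")
    owner = {}  # Subnet -> node claiming it; a duplicate means two nodes announce one address
    for name, (host, pem) in hosts.items():
        if not pem:
            findings.append(f"hosts/{name} has no public key")
        elif rsa_key_info(pem)[0] < min_bits:
            findings.append(f"hosts/{name}: {rsa_key_info(pem)[0]}-bit RSA key, below {min_bits}")
        for subnet in host.get("Subnet", []):
            if subnet in owner:
                findings.append(f"Subnet {subnet} claimed by {owner[subnet]} and {name}")
            owner[subnet] = name
    priv = conf.get("PrivateKeyFile", [os.path.join(net_dir, "rsa_key.priv")])[0]
    if os.path.exists(priv) and os.stat(priv).st_mode & 0o077:
        findings.append(f"{priv} is readable by group/others; chmod 600 it")
    return findings

# Public keys copied verbatim from the page's hosts files (1024-bit and 2048-bit).
KEY_WEINSTADT1 = """MIGJAoGBAKe+pEuYsGXl6/tUDqc1/ZUE/3jK/IumPIljMBZr+cDB2G2DRGIKzkK1
1rM9BBusMIrhubmXz35FGY1Fx/CBt4RzbFbujdBdkK0eXm0D9dSNAugXenAsu0bB
64zkp5WuCQNaYgYXs37u5vAj08/ReY9HPPLcKClsY77L5KB28TEHAgMBAAE="""
KEY_GABLENBERG = """MIIBCgKCAQEAwp2GCxZ5dOGwJy9hNVt7D3YGNRKELVMtSgl5dACSQm7w9lWvcHAF
BzEJ7z1GTeQA5rSkLu0TA3YI2Y7Lj9LZuwPJyZ3XVanuYtyWxMEupPRKBs0x/Ts+
tApMdAMiP04LtUBb6z+ae5TkCoukugYQeVMW3oDzbUcDkVT8g5q7dRwJZ3vRsnws
DtleAEHly2/8s7Sh7hDd/MyH7KMILEonLA34v6q00JGm52IUrDSzxo3eAebsKKU6
GW2oP2wndMIoM9a8l3KjIn9yLuQk2DF02dhhU+Tu6kFiFSdRuHneYLt4d8QRJHnQ
tmImc+EWYP2O4wBu22KwEAlL2DnkGWtgxwIDAQAB"""

def pem(b64):
    return f"-----BEGIN RSA PUBLIC KEY-----\n{b64}\n-----END RSA PUBLIC KEY-----\n"

def build_sample_net():
    """Constructed copy of the page's stuttgart net in a temp dir (tinc.conf with its ConnectTo to itself, two hosts files, a dummy private key)."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "hosts"))
    files = {
        "tinc.conf": "Name = weinstadt1\nConnectTo = weinstadt1\nConnectTo = S_Gablenberg_1\n"
                     f"PrivateKeyFile = {d}/rsa_key.priv\nMode = Switch\nPort = 8656\n",
        "hosts/weinstadt1": "Address = mail6.albi.info\nSubnet = 172.21.255.84/32\n" + pem(KEY_WEINSTADT1),
        "hosts/S_Gablenberg_1": "Address = lairddave.no-ip.org\nSubnet = 172.21.255.186\n" + pem(KEY_GABLENBERG),
        "rsa_key.priv": "dummy private key (constructed, not a real key)\n",
    }
    for rel, body in files.items():
        with open(os.path.join(d, rel), "w") as f:
            f.write(body)
    os.chmod(os.path.join(d, "rsa_key.priv"), 0o644)  # deliberately too open
    return d

if __name__ == "__main__":
    for finding in check_net(build_sample_net()):
        print("-", finding)
```

Run against a real router, `check_net("/etc/tinc/stuttgart")` reports three things for the configuration on this page: the ConnectTo that names weinstadt1 itself, the 1024-bit key of weinstadt1 (S_Gablenberg_1 already uses 2048 bits), and any private key file that is not mode 600. The fingerprint returned by `rsa_key_info` is the value two node operators should read to each other over a second channel before trusting a hosts file they received by e-mail.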
Old things that are no longer needed
- Automatic start: vi /etc/init.d/S52tincd
#!/bin/sh
. /etc/functions.sh
NETS="stuttgart"
case "$1" in
    start)
        echo -n "Starting tinc:"
        for n in $NETS ; do
            echo -n " $n"
            tincd -n $n --debug=3
        done
        echo "."
        sleep 2
        ;;
    stop)
        for n in $NETS ; do
            tincd -n $n -k
        done
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: $0 start|stop|restart"
        ;;
esac
- Adjust the firewall (only needed if it is enabled): vi /etc/local.fw-tinc
#!/bin/sh
# Place your firewall addons here or use /etc/local.fw-xxx
# configuration
NETS="stuttgart"
case $1 in
    start)
        # Allow tinc ports to WAN interface
        # (tinc carries tunnelled data over UDP on the same port unless
        # TCPOnly = yes is set; with only these TCP rules it falls back to
        # forwarding data over the TCP meta connection)
        iptables -A INPUT -i $WANDEV -p tcp --dport 655 -j ACCEPT
        iptables -A INPUT -i $WANDEV -p tcp --dport 8655:8659 -j ACCEPT
        for TAPDEV in $NETS; do
            # Allow all traffic through the tunnel
            iptables -I OUTPUT -o $TAPDEV -j ACCEPT
            iptables -I INPUT -i $TAPDEV -j ACCEPT
            iptables -I FORWARD -o $TAPDEV -j ACCEPT
            iptables -I FORWARD -i $TAPDEV -j ACCEPT
            # Masquerade LAN traffic through the tunnel
            iptables -t nat -A POSTROUTING -o $TAPDEV -s $LANNET/$LANPRE -j MASQUERADE
            iptables -I FORWARD -i $LANDEV -o $TAPDEV -j ACCEPT
            iptables -I FORWARD -i $TAPDEV -o $LANDEV -j ACCEPT
        done
        ;;
    stop)
        iptables -D INPUT -i $WANDEV -p tcp --dport 655 -j ACCEPT
        iptables -D INPUT -i $WANDEV -p tcp --dport 8655:8659 -j ACCEPT
        for TAPDEV in $NETS; do
            iptables -D OUTPUT -o $TAPDEV -j ACCEPT
            iptables -D INPUT -i $TAPDEV -j ACCEPT
            iptables -D FORWARD -o $TAPDEV -j ACCEPT
            iptables -D FORWARD -i $TAPDEV -j ACCEPT
            iptables -t nat -D POSTROUTING -o $TAPDEV -s $LANNET/$LANPRE -j MASQUERADE
            iptables -D FORWARD -i $LANDEV -o $TAPDEV -j ACCEPT
            iptables -D FORWARD -i $TAPDEV -o $LANDEV -j ACCEPT
        done
        ;;
esac