reddec / tinc-boot

Licence: MPL-2.0 License
Bootstrap your Tinc node quickly and easily

Tinc-Boot

The idea is to create an easy-to-use wrapper over Tinc VPN.

Quick start (linux only)

Automatic

node 1

sudo tinc-boot run

node 2

Run the command printed by the previous operation.

Custom token

node 1

sudo tinc-boot -t MYSECRET run 

node 2

sudo tinc-boot run -t MYSECRET --join http://<node1>:8665

Firewall

Use --ufw to open the ports automatically on ufw-based systems:

tinc-boot run --ufw ...

Ports that must be open (defaults):

  • <port>/udp,<port>/tcp - port defined as --tinc-port or generated in tinc.conf
  • 8665/tcp - port defined as -p --port for boot protocol
  • 18655/tcp (tinc interface) - internal port for communication. Only for interface defined in tinc.conf

Overview

Tinc VPN is a full-mesh, auto-healing, time-proven VPN system without a single point of failure, with high throughput and serious cryptography. All nodes in a Tinc network are fully equal. New nodes discover the full topology through any entry point. Nodes may interact with each other even if they don't have direct connections.

Tinc is great and has a lot of features. It's ideal for complicated situations (China, Russia and others). I really admire the project.

But... it's a pain to configure and maintain.

It's a pain to create a new node. It's a pain to add a new node to the network.

Minimal configuration for a first public node:

  • 2 files (tinc.conf, hostfile),
  • 1 script (tinc-up),
  • 2 directories (net, hosts),
  • 1 command execution (key generation).

(let's not count service initialization and other common stuff)
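
The manual steps counted above, written out as an added example (not tinc-boot's own code) for a tinc 1.0-style layout. The function name make_first_node, the /24 netmask and the 4096-bit key size are assumptions; on a real host ROOT would be /etc/tinc.

```shell
#!/bin/sh
# Added example: manual first-node setup (2 files, 1 script, 2 dirs, 1 command).
# Usage: make_first_node ROOT NET NAME PUBLIC_ADDR VPN_IP
make_first_node() (
    root=$1 net=$2 name=$3 public=$4 vpn_ip=$5
    # Node names are limited to letters, digits and underscore; rejecting
    # anything else also keeps NAME from escaping the hosts/ directory.
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "invalid node name: $name" >&2; exit 2 ;;
    esac
    dir=$root/$net
    umask 077                          # config and private key: owner-only
    mkdir -p "$dir/hosts" || exit 1    # 2 directories: net, hosts

    # File 1 of 2: tinc.conf
    cat > "$dir/tinc.conf" <<EOF
Name = $name
Interface = $net
EOF
    # File 2 of 2: host file; key generation appends the public key to it
    cat > "$dir/hosts/$name" <<EOF
Address = $public
Subnet = $vpn_ip/32
EOF
    # 1 script: tinc-up, run by tincd once the interface exists
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip addr add $vpn_ip/24 dev "\$INTERFACE"
ip link set dev "\$INTERFACE" up
EOF
    chmod 700 "$dir/tinc-up"

    # 1 command: key generation (stdin redirected so default paths are used)
    if command -v tincd >/dev/null 2>&1; then
        tincd -c "$dir" -K4096 </dev/null || exit 1
    else
        echo "tincd not found; run later: tincd -c $dir -K4096" >&2
    fi
    exit 0
)
```
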

A second node adds a key exchange (+1 operation if we use rsync, or +2 operations if done manually).

Each further public node requires an increasing number of additional operations (+N operations, where N is the number of public nodes).

To be honest, just to connect to the network only a single key exchange operation is required: with any public node. Then tincd will discover all other nodes.

But after your node disconnects or reboots, if your entry node is dead, you will no longer be able to connect to the other live nodes (because they don't know your key and your node doesn't know theirs).

Tinc-boot is an all-in-one tool with zero dependencies (except tinc, of course) that aims to achieve:

  1. one-line node initialization
  2. automatic keys distribution
  3. a simplified procedure for adding a new node to an existing net

It comes with a simple UI (available on your VPN address with port 1655 by default).

Donations are always welcome

  • ETH: 0xA4eD4fB5805a023816C9B55C52Ae056898b6BdBC
  • BTC: bc1qlj4v32rg8w0sgmtk8634uc36evj6jn3d5drnqy

Installation

  • (recommended) download from the releases page
  • one-line shell command:

    curl -L https://github.com/reddec/tinc-boot/releases/latest/download/tinc-boot_linux_amd64.tar.gz | sudo tar -xz -C /usr/local/bin/ tinc-boot

  • build from source: go get -v github.com/reddec/tinc-boot/cmd/...
  • Ansible galaxy: ansible-galaxy install reddec.tinc_boot
  • From the bintray repository for most Debian-based distributions (trusty, xenial, bionic, buster, wheezy):

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 379CE192D401AB61
echo "deb https://dl.bintray.com/reddec/debian {distribution} main" | sudo tee -a /etc/apt/sources.list
sudo apt install tinc-boot

Independent maintainers

Support

Build requirements

  • go 1.13+

Documentation

  • Available by --help for all commands
  • Available in MANUAL.md

Runtime requirements

  • Linux
  • tincd 1.10.xx
  • bash
  • (recommended) systemd

Tested operating systems

  • Ubuntu 18.04 x64
  • Archlinux (Q1 2019) x64
  • Manjaro (Q1 2019) x64

Should work on all major Linux systems, although the generated helpers are useful only on systemd-based OSes.

Quick start

Download/build binary to /usr/local/bin/tinc-boot.

First node

sudo tinc-boot gen --standalone -a <PUBLIC ADDRESS>

and follow the recommendations

Explanation

  • --standalone means that this is the first node, so no key exchange is needed
  • -a <address> sets the public address of the node (if it has one); can be used several times

This will generate all required files under /etc/tinc/dnet.

Turn the node into a boot node

sudo tinc-boot bootnode --service --token <SECRETTOKEN>

and follow the recommendations

Explanation

  • --service generates a systemd file at /etc/systemd/system/tinc-boot-{net}.service
  • --dir is the location of the tinc configuration
  • --token sets the authorization token that will be used by clients

Create another node and join the net

sudo tinc-boot gen --token <SECRETTOKEN> <PUBLIC ADDRESS>:8655

Don't forget to add -a <NODE ADDRESS> if applicable

and follow the recommendations

How it works

[Image: overview]

Windows

Non-primary platform with limited support, but it should work.

Tested only on x64.

See proof on Youtube

Requirements:

  1. Tinc for Windows: download on official site
  2. Install TAP driver!:
     • Go to C:\Program Files(x86)\tinc\tap-win64
     • As administrator run addtap.bat
  3. Rename the generated network adapter to the name of the network (dnet by default)

Usage:

  1. Launch the command line as administrator
  2. Navigate to the directory with tinc-boot.exe
  3. With black magic, the tinc-boot.exe /help command and the instructions for a normal OS (*Nix), generate the config