How to Set Up Peer-to-Peer VPN with Tinc on Ubuntu 22.04

Tinc is free and open-source VPN software that can be used to create mesh VPN networks. It is a small and powerful VPN daemon that can be installed on multiple platforms. Tinc uses encryption and tunneling to create a secure private network between multiple hosts.

Tinc provides additional features such as encryption, compression, and automatic mesh routing. This allows you to create secure and distributed private networks between servers in different locations.

In this tutorial, you will set up a peer-to-peer VPN server with tinc using multiple Ubuntu 22.04 servers. You will set up a peer-to-peer VPN with three different servers. Each server will be able to connect via a secure VPN connection.

At the end of this tutorial, you will verify tinc peer-to-peer VPN installation to ensure each server can communicate with each other via the secure internal VPN connection.

Prerequisites

To complete this tutorial, you must have the following requirements:

  • Two or more Linux servers with the operating system Ubuntu 22.04 server.
  • A non-root user with sudo/root administrator privileges.

This example uses three different Ubuntu servers. Below are the details of the servers:

Hostname        External IP
------------------------------
tinc-ubuntu     192.168.5.30
client1         192.168.5.120
client2         192.168.5.122

That's it. When those requirements are ready, you can start tinc installation on each server.

Installing Tinc VPN

tinc is a small and powerful Virtual Private Network (VPN) daemon that can be installed on multiple operating systems such as Linux, BSD, MacOS, or even Windows. Tinc allows you to create a mesh VPN network without relying on a central node. Tinc VPN uses tunneling and encryption to create a secure private network between hosts on the Internet.

In this step, you will install Tinc VPN server on all of your Ubuntu servers.

By default, the tinc package is available on the Ubuntu repository. Before you begin, update and refresh your Ubuntu package index by entering the 'apt update' command below.

sudo apt update

Verify that the 'tinc' package is available in the Ubuntu 22.04 repository using the following apt command.

sudo apt info tinc

At the time of this writing, the Ubuntu 22.04 repository provides tinc v1.0.36.

Output:

[screenshot: show tinc package]

Install the 'tinc' package by entering the 'apt install' command below. When prompted, input y to confirm and press ENTER to proceed.

sudo apt install tinc

Output:

[screenshot: install tinc]

With tinc VPN installed, you will next set up ufw firewall and open the default port that will be used by tinc.

Configuring UFW Firewall

In this step, you will set up the default firewall ufw on all your Ubuntu servers. You'll add OpenSSH service, add tinc VPN port, then start and enable ufw firewall.

First, add the OpenSSH service using the ufw command below. An output 'Rules updated' confirms that the new rule was added to ufw.

sudo ufw allow OpenSSH

Allow port 655, which is used by tinc VPN (tinc uses both TCP and UDP on this port, and this rule opens both), by entering the following command.

sudo ufw allow 655

Now run the following ufw command to start and enable the ufw firewall. When prompted, input y to confirm and press ENTER to proceed.

sudo ufw enable

An output message 'Firewall is active and enabled on system startup' confirms that the ufw firewall is running and it's enabled, which means ufw will also run automatically upon the system startup.

Output:

[screenshot: setup ufw]

Lastly, verify the ufw firewall status by entering the following command. The output 'Status: active' confirms that the firewall is running and that connections to port 655 are allowed.

sudo ufw status

Output:

[screenshot: verify ufw]

With tinc VPN installed and ufw firewall enabled on all servers, you're ready to set up and configure peer-to-peer VPN between these servers.

Configuring Tinc VPN Server

In this step, you will set up a peer-to-peer VPN server between three different Ubuntu servers via tinc VPN.

Below is the list of tasks you must perform on each server:

  • Create a new directory to store the tinc VPN configuration, with a 'hosts' subdirectory for the per-host configuration files.
  • Create tinc VPN configuration 'tinc.conf' as the main tinc configuration on each server.
  • Create host configuration for each server.
  • Generate public and private keys that will be used by tinc VPN.
  • Create two small shell scripts, 'tinc-up' to activate the VPN interface and network and 'tinc-down' to deactivate them, and make both scripts executable.

With this in mind, now let's start configuring tinc VPN server.

Configuring First Server: tinc-ubuntu

First, you will be setting up tinc on the first node/server 'tinc-ubuntu'.

Run the following command to create the new VPN project directory '/etc/tinc/testVPN/' and the 'hosts' directory inside it. The directory name 'testVPN' is also the name of the VPN network you are setting up.

sudo mkdir -p /etc/tinc/testVPN/hosts

Next, create a new tinc VPN config file '/etc/tinc/testVPN/tinc.conf' using the following nano editor command.

sudo nano /etc/tinc/testVPN/tinc.conf

Add the following lines to the file. This names the node 'tinc_ubuntu', sets the tinc VPN interface name to 'tun0', and uses IPv4.

Also note that the 'Name' of a tinc VPN node must not contain '-' (minus/hyphen). Use '_' (underscore) instead.

Name = tinc_ubuntu
AddressFamily = ipv4
Interface = tun0

Save and exit the file '/etc/tinc/testVPN/tinc.conf' when finished.

Next, create a new host configuration '/etc/tinc/testVPN/hosts/tinc_ubuntu' using the following nano editor command. The host config file name must match the 'Name' you defined in the 'tinc.conf' file.

sudo nano /etc/tinc/testVPN/hosts/tinc_ubuntu

Add the following lines to the file. 'Address' is the external IP address of this server, and 'Subnet' is the internal VPN IP address this node will own. Adjust both IP addresses to your environment.

Address = 192.168.5.30
Subnet = 10.0.0.1/32

Save and close the file '/etc/tinc/testVPN/hosts/tinc_ubuntu' when finished.

Next, run the following 'tincd' command to generate the RSA public and private keys. The RSA public key is automatically appended to the host config file '/etc/tinc/testVPN/hosts/tinc_ubuntu', and the RSA private key is stored at '/etc/tinc/testVPN/rsa_key.priv'.

sudo tincd -n testVPN -K4096

Output:

[screenshot: generate RSA key]

After the RSA public and private keys are generated, you will next create two small shell scripts to activate and deactivate the tinc VPN network.

Create a new bash script '/etc/tinc/testVPN/tinc-up' using the following nano editor command. This script will be used to activate the tinc VPN network interface.

sudo nano /etc/tinc/testVPN/tinc-up

Add the following lines to the file. Be sure to replace the IP address and subnet below with the VPN address you defined for this node.

#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.1/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE

Save and close the file '/etc/tinc/testVPN/tinc-up' when finished.

Now create a new bash script '/etc/tinc/testVPN/tinc-down' that will be used to deactivate tinc VPN network interface.

sudo nano /etc/tinc/testVPN/tinc-down

Add the following lines to the file.

#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.1/32 dev $INTERFACE
ip link set $INTERFACE down

Save and close the file '/etc/tinc/testVPN/tinc-down' when finished.

Now run the chmod command below to make both bash scripts '/etc/tinc/testVPN/tinc-up' and '/etc/tinc/testVPN/tinc-down' executable.

sudo chmod +x /etc/tinc/testVPN/tinc-*

You can now verify the list of files on the '/etc/tinc/testVPN/' directory via the tree command below.

tree /etc/tinc/testVPN/

You should receive an output like this:

[screenshot: list files tinc-ubuntu]

With that, you have now finished the tinc VPN configuration on the first server 'tinc-ubuntu'. Next, you'll set up tinc VPN on the 'client1' and 'client2' servers.

Configuring Second Server: client1

Run the following command to create the new VPN project directory '/etc/tinc/testVPN/' and the 'hosts' directory inside it. The directory name 'testVPN' is also the name of the VPN network you are setting up.

sudo mkdir -p /etc/tinc/testVPN/hosts

Next, create a new tinc VPN config file '/etc/tinc/testVPN/tinc.conf' using the following nano editor command.

sudo nano /etc/tinc/testVPN/tinc.conf

Add the following lines to the file. This names the node 'client1', sets the tinc VPN interface name to 'tun0', and uses IPv4. The 'ConnectTo' lines make 'client1' connect to the nodes 'tinc_ubuntu' and 'client2'.

Name = client1
AddressFamily = ipv4
Interface = tun0

ConnectTo = tinc_ubuntu
ConnectTo = client2

Save and exit the file '/etc/tinc/testVPN/tinc.conf' when finished.

Next, create a new host configuration '/etc/tinc/testVPN/hosts/client1' using the following nano editor command. The host config file name must match the 'Name' you defined in the 'tinc.conf' file.

sudo nano /etc/tinc/testVPN/hosts/client1

Add the following lines to the file. 'Address' is the external IP address of this server, and 'Subnet' is the internal VPN IP address this node will own. Adjust both IP addresses to your environment.

Address = 192.168.5.120
Subnet = 10.0.0.2/32

Save and close the file '/etc/tinc/testVPN/hosts/client1' when finished.

Next, run the following 'tincd' command to generate the RSA public and private keys. The RSA public key is automatically appended to the host config file '/etc/tinc/testVPN/hosts/client1', and the RSA private key is stored at '/etc/tinc/testVPN/rsa_key.priv'.

sudo tincd -n testVPN -K4096

Output:

[screenshot: generate rsa key client1]

After the RSA public and private keys are generated, you will next create two small shell scripts to activate and deactivate the tinc VPN network.

Create a new bash script '/etc/tinc/testVPN/tinc-up' using the following nano editor command. This script will be used to activate the tinc VPN network interface.

sudo nano /etc/tinc/testVPN/tinc-up

Add the following lines to the file. Be sure to replace the IP address and subnet below with the VPN address you defined for this node.

#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.2/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE

Save and close the file '/etc/tinc/testVPN/tinc-up' when finished.

Now create a new bash script '/etc/tinc/testVPN/tinc-down' that will be used to deactivate the tinc VPN network interface.

sudo nano /etc/tinc/testVPN/tinc-down

Add the following lines to the file.

#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.2/32 dev $INTERFACE
ip link set $INTERFACE down

Save and close the file '/etc/tinc/testVPN/tinc-down' when finished.

Now run the chmod command below to make both bash scripts '/etc/tinc/testVPN/tinc-up' and '/etc/tinc/testVPN/tinc-down' executable.

sudo chmod +x /etc/tinc/testVPN/tinc-*

You can now verify the list of files on the '/etc/tinc/testVPN/' directory on the node 'client1' via the tree command below.

tree /etc/tinc/testVPN/

You should receive an output like this:

[screenshot: list files client1]

With that, you have now finished the tinc VPN configuration on the second server 'client1'. Next, you'll set up tinc VPN on the 'client2' server.

Configuring Third Server: client2

Run the following command to create the new VPN project directory '/etc/tinc/testVPN/' and the 'hosts' directory inside it. The directory name 'testVPN' is also the name of the VPN network you are setting up.

sudo mkdir -p /etc/tinc/testVPN/hosts

Next, create a new tinc VPN config file '/etc/tinc/testVPN/tinc.conf' using the following nano editor command.

sudo nano /etc/tinc/testVPN/tinc.conf

Add the following lines to the file. This names the node 'client2', sets the tinc VPN interface name to 'tun0', and uses IPv4. The 'ConnectTo' lines make 'client2' connect to the nodes 'tinc_ubuntu' and 'client1'.

Name = client2
AddressFamily = ipv4
Interface = tun0

ConnectTo = tinc_ubuntu
ConnectTo = client1

Save and exit the file '/etc/tinc/testVPN/tinc.conf' when finished.

Next, create a new host configuration '/etc/tinc/testVPN/hosts/client2' using the following nano editor command. The host config file name must match the 'Name' you defined in the 'tinc.conf' file.

sudo nano /etc/tinc/testVPN/hosts/client2

Add the following lines to the file. 'Address' is the external IP address of this server, and 'Subnet' is the internal VPN IP address this node will own. Adjust both IP addresses to your environment.

Address = 192.168.5.122
Subnet = 10.0.0.3/32

Save and close the file '/etc/tinc/testVPN/hosts/client2' when finished.

Next, run the following 'tincd' command to generate the RSA public and private keys. The RSA public key is automatically appended to the host config file '/etc/tinc/testVPN/hosts/client2', and the RSA private key is stored at '/etc/tinc/testVPN/rsa_key.priv'.

sudo tincd -n testVPN -K4096

Output:

[screenshot: generate rsa key client2]

After the RSA public and private keys are generated, you will next create two small shell scripts to activate and deactivate the tinc VPN network.

Create a new bash script '/etc/tinc/testVPN/tinc-up' using the following nano editor command. This script will be used to activate the tinc VPN network interface.

sudo nano /etc/tinc/testVPN/tinc-up

Add the following lines to the file. Be sure to replace the IP address and subnet below with the VPN address you defined for this node.

#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.3/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE

Save and close the file '/etc/tinc/testVPN/tinc-up' when finished.

Now create a new bash script '/etc/tinc/testVPN/tinc-down' that will be used to deactivate tinc VPN network interface.

sudo nano /etc/tinc/testVPN/tinc-down

Add the following lines to the file.

#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.3/32 dev $INTERFACE
ip link set $INTERFACE down

Save and close the file '/etc/tinc/testVPN/tinc-down' when finished.

Now run the chmod command below to make both bash scripts '/etc/tinc/testVPN/tinc-up' and '/etc/tinc/testVPN/tinc-down' executable.

sudo chmod +x /etc/tinc/testVPN/tinc-*

You can now verify the list of files on the '/etc/tinc/testVPN/' directory on the node 'client2' via the tree command below.

tree /etc/tinc/testVPN/

You should receive an output like this:

[screenshot: list files client2]

With that, you have now finished the tinc VPN configuration on all of your Ubuntu servers. In the next step, you'll copy each server's host configuration file, including the RSA public key stored in it, to every other server via scp (secure copy over SSH).
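The three sections above write the same five files on each node with only the node name, addresses and peers changed. The following script is an added example, not part of the tutorial or of tinc itself; the function name 'make_tinc_node' and its argument order are my own. It generates tinc.conf, the host file, tinc-up and tinc-down for one node from a few parameters and refuses a node name containing '-', which tinc does not accept. Point BASEDIR at a scratch directory for a dry run, or at /etc/tinc (run with sudo) to produce the real files, then run 'sudo tincd -n testVPN -K4096' as above to add the key.

```shell
#!/bin/sh
# make_tinc_node: write tinc.conf, the host file, tinc-up and tinc-down for one
# tinc node, in the layout used by the tutorial above.
# Added example; not part of the tutorial or of tinc itself.
#
# Usage: make_tinc_node BASEDIR NETNAME NODENAME PUBLIC_IP VPN_ADDR VPN_NET [PEER ...]
#   BASEDIR   parent of the network directory (/etc/tinc on a real server,
#             any scratch directory for a dry run)
#   NETNAME   the VPN network name, e.g. testVPN
#   VPN_ADDR  this node's VPN address with prefix, e.g. 10.0.0.2/32
#   VPN_NET   the whole VPN network, e.g. 10.0.0.0/24
#   PEER ...  node names this node should ConnectTo (may be empty)
make_tinc_node() {
    basedir=$1 netname=$2 name=$3 public_ip=$4 vpn_addr=$5 vpn_net=$6
    shift 6

    # tinc does not accept '-' in node names; refuse instead of silently renaming.
    case $name in
        *-*) echo "error: node name '$name' must not contain '-'" >&2; return 1 ;;
    esac

    netdir="$basedir/$netname"
    mkdir -p "$netdir/hosts" || return 1

    # tinc.conf: identity, address family, interface and one ConnectTo per peer.
    {
        printf 'Name = %s\n' "$name"
        printf 'AddressFamily = ipv4\n'
        printf 'Interface = tun0\n'
        for peer in "$@"; do
            printf 'ConnectTo = %s\n' "$peer"
        done
    } > "$netdir/tinc.conf"

    # Host file: the address peers use to reach this node and the VPN address
    # it owns. 'tincd -n NETNAME -K4096' later appends the RSA public key here.
    printf 'Address = %s\nSubnet = %s\n' "$public_ip" "$vpn_addr" > "$netdir/hosts/$name"

    # tinc-up / tinc-down: tincd runs these with $INTERFACE set to the tun
    # device. The '\$' keeps INTERFACE literal while the addresses expand now.
    # (heredoc terminators must start at column 0)
    cat > "$netdir/tinc-up" <<EOF
#!/bin/sh
ip link set \$INTERFACE up
ip addr add $vpn_addr dev \$INTERFACE
ip route add $vpn_net dev \$INTERFACE
EOF
    cat > "$netdir/tinc-down" <<EOF
#!/bin/sh
ip route del $vpn_net dev \$INTERFACE
ip addr del $vpn_addr dev \$INTERFACE
ip link set \$INTERFACE down
EOF
    chmod 755 "$netdir/tinc-up" "$netdir/tinc-down"
    echo "wrote $netdir for node '$name'"
}
```

For the tutorial's second node the call is `make_tinc_node /etc/tinc testVPN client1 192.168.5.120 10.0.0.2/32 10.0.0.0/24 tinc_ubuntu client2`; the first node takes no peers because the other two connect to it.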

Key Exchange Between Hosts/Servers

In this step, you will copy the host config file from each server to the other servers via SCP. This includes the RSA public key stored in each host config file.

Below are the host files you need to copy:

  • Copy the host file from the 'tinc-ubuntu' server to the client1 and client2 servers.
  • Copy the host file from the 'client1' server to the tinc-ubuntu and client2 servers.
  • Copy the host file from the 'client2' server to the tinc-ubuntu and client1 servers.

That's it.

On the 'tinc-ubuntu' server, run the following scp commands to copy the host file '/etc/tinc/testVPN/hosts/tinc_ubuntu' to both the client1 and client2 servers. The target directory must be '/etc/tinc/testVPN/hosts/'. In the commands, 'user' is a placeholder for your SSH login user on the target server; that account must be able to write to the target directory.

scp /etc/tinc/testVPN/hosts/tinc_ubuntu user@192.168.5.120:/etc/tinc/testVPN/hosts/
scp /etc/tinc/testVPN/hosts/tinc_ubuntu user@192.168.5.122:/etc/tinc/testVPN/hosts/

Output:

[screenshot: scp tinc-ubuntu]

On the 'client1' server, run the following scp commands to copy the host file '/etc/tinc/testVPN/hosts/client1' to both the tinc-ubuntu and client2 servers. The target directory must be '/etc/tinc/testVPN/hosts/'. Again, 'user' is a placeholder for your SSH login user on the target server.

scp /etc/tinc/testVPN/hosts/client1 user@192.168.5.30:/etc/tinc/testVPN/hosts/
scp /etc/tinc/testVPN/hosts/client1 user@192.168.5.122:/etc/tinc/testVPN/hosts/

Output:

[screenshot: scp client1]

On the 'client2' server, run the following scp commands to copy the host file '/etc/tinc/testVPN/hosts/client2' to both the tinc-ubuntu and client1 servers. The target directory must be '/etc/tinc/testVPN/hosts/'. As before, 'user' is a placeholder for your SSH login user on the target server.

scp /etc/tinc/testVPN/hosts/client2 user@192.168.5.30:/etc/tinc/testVPN/hosts/
scp /etc/tinc/testVPN/hosts/client2 user@192.168.5.120:/etc/tinc/testVPN/hosts/

Output:

[screenshot: scp client2]

With that, you will see three host files on the directory '/etc/tinc/testVPN/hosts/' on each server. Verify the list of files on '/etc/tinc/testVPN/hosts/' using the tree command below.

tree /etc/tinc/testVPN/hosts/

Output - You should see the host file 'tinc_ubuntu', 'client1', and 'client2' on each server.

[screenshot: list host files]

At this point, you have configured tinc VPN on all servers, and each host file with its RSA public key has been copied to every server. With this, you're ready to verify the tinc VPN installation for peer-to-peer connections between the nodes.
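Before starting tincd it is worth checking that the exchanged files are consistent: every 'ConnectTo' target has a host file with an 'Address', every host file carries the RSA public key that 'tincd -K' appended on its owner, no two host files claim the same 'Subnet', and the private key is not readable by other local users. The function below is an added example (not part of the tutorial or of tinc); the name 'check_tinc_net' and the exact messages are my own. It prints every problem it finds and returns the number of problems, so 0 means the directory is ready.

```shell
#!/bin/sh
# check_tinc_net: pre-flight checks for a tinc network directory after the host
# files have been exchanged. Prints every problem found and returns the number
# of problems (0 = ready to start tincd).
# Added example; not part of the tutorial or of tinc itself.
#
# Usage: check_tinc_net /etc/tinc/testVPN
check_tinc_net() {
    netdir=$1
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    # conf_value KEY FILE: print the value(s) of 'KEY = value' lines in FILE
    conf_value() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2"; }

    conf="$netdir/tinc.conf"
    [ -f "$conf" ] || { echo "FAIL: $conf is missing"; return 1; }

    # The local node must have a valid Name and its own host file.
    name=$(conf_value Name "$conf" | head -n 1)
    [ -n "$name" ] || fail "tinc.conf has no Name"
    case $name in *-*) fail "Name '$name' contains '-', which tinc rejects" ;; esac
    [ -f "$netdir/hosts/$name" ] || fail "no host file hosts/$name for the local node"

    # The private key must exist and must not be readable by group or others.
    key="$netdir/rsa_key.priv"
    if [ ! -f "$key" ]; then
        fail "$key is missing (generate it with: tincd -n NETNAME -K4096)"
    elif [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        fail "$key is readable by group or others"
    fi

    # Every ConnectTo target needs a host file with an Address, or tincd has
    # no way to reach it.
    for peer in $(conf_value ConnectTo "$conf"); do
        if [ ! -f "$netdir/hosts/$peer" ]; then
            fail "ConnectTo = $peer but hosts/$peer is missing (copy it over with scp)"
        elif [ -z "$(conf_value Address "$netdir/hosts/$peer")" ]; then
            fail "hosts/$peer has no Address, so ConnectTo = $peer cannot work"
        fi
    done

    # Every host file needs the public key tincd -K appended on its owner and a
    # Subnet; the same Subnet in two host files means two nodes claim one address.
    for hf in "$netdir"/hosts/*; do
        [ -f "$hf" ] || continue
        grep -q -- '-----BEGIN RSA PUBLIC KEY-----' "$hf" || fail "$(basename "$hf") has no RSA public key"
        [ -n "$(conf_value Subnet "$hf")" ] || fail "$(basename "$hf") has no Subnet"
    done
    dup=$(sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*//p' "$netdir"/hosts/* 2>/dev/null | sort | uniq -d)
    [ -z "$dup" ] || fail "Subnet declared by more than one host file: $dup"

    if [ "$problems" -eq 0 ]; then echo "OK: $netdir passes all checks"; fi
    return "$problems"
}
```

Run it as root on each node (`sudo sh -c '. ./check.sh; check_tinc_net /etc/tinc/testVPN'`, assuming you saved the function as check.sh) before the 'tincd' test in the next section; a non-zero exit means at least one listed problem needs fixing first.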

Testing peer-to-peer VPN Server

In this step, you will verify the tinc VPN installation by running tincd manually in the foreground and pinging from one server to another using the internal IP address of the tun0 interface created by tinc.

Run the tinc VPN server on each server using the following command.

sudo tincd -n testVPN -D -d3

Below is the detailed output from three Ubuntu servers tinc-ubuntu, client1, and client2.

[screenshot: test tinc peer-to-peer vpn]

Next, open a new terminal session and connect to the 'tinc-ubuntu' server. Then ping the internal IP addresses of client1 '10.0.0.2' and client2 '10.0.0.3'.

ping 10.0.0.2 -c3
ping 10.0.0.3 -c3

When successful, you should get a reply from each server.

[screenshot: ping tinc-ubuntu]

Now open a new terminal session and connect to the 'client1' server. Then ping the internal IP addresses of tinc-ubuntu '10.0.0.1' and client2 '10.0.0.3'.

ping 10.0.0.1 -c3
ping 10.0.0.3 -c3

When successful, you should get a reply from each server.

[screenshot: ping client1]

Lastly, open another new terminal session and connect to the 'client2' server. Then ping the internal IP addresses of tinc-ubuntu '10.0.0.1' and client1 '10.0.0.2'.

ping 10.0.0.1 -c3
ping 10.0.0.2 -c3

When successful, you should get a reply from each server.

[screenshot: ping client2]

Each server can now reach the others via its internal tinc VPN IP address, which means the peer-to-peer tinc VPN deployment is finished and working.
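Typing one ping per peer is fine for three nodes but does not scale to a larger mesh, and it is easy to skip one. The function below is an added example (not part of the tutorial or of tinc): it reads every other node's 'Subnet' from the host files in the network directory, pings each one, and returns the number of peers that did not answer. 'check_mesh' and the 'PING_CMD' override are my own names; PING_CMD exists only so the function can be exercised without a live network and defaults to a single ping with a one-second timeout.

```shell
#!/bin/sh
# check_mesh: ping every other node's VPN address, taking the peer list from
# the host files instead of typing each ping by hand. Returns the number of
# peers that gave no reply (0 = full mesh reachable).
# Added example; not part of the tutorial or of tinc itself.
#
# Usage: check_mesh /etc/tinc/testVPN
# PING_CMD (assumed hook for testing) replaces the default ping command.
check_mesh() {
    netdir=$1
    pinger=${PING_CMD:-"ping -c 1 -W 1"}
    unreachable=0

    # Our own Name, so we do not ping ourselves.
    self=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "$netdir/tinc.conf" | head -n 1)

    for hf in "$netdir"/hosts/*; do
        [ -f "$hf" ] || continue
        node=$(basename "$hf")
        [ "$node" = "$self" ] && continue

        # Subnet is written as ADDRESS/PREFIX; strip the prefix to get the address.
        addr=$(sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*//p' "$hf" | head -n 1 | cut -d/ -f1)
        if [ -z "$addr" ]; then
            echo "$node: no Subnet in host file"
            unreachable=$((unreachable + 1))
            continue
        fi

        if $pinger "$addr" >/dev/null 2>&1; then
            echo "$node ($addr): reachable"
        else
            echo "$node ($addr): NO REPLY"
            unreachable=$((unreachable + 1))
        fi
    done
    return "$unreachable"
}
```

Run it on each node while tincd is up; a peer that shows NO REPLY on one node but not on another usually points at that node's firewall rule for port 655 or at a host file that was never copied there.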

Move back to each terminal session and press 'Ctrl + \' to stop the foreground tinc VPN process. In the next step, you will start and enable tinc VPN as a systemd service.

Starting and Enabling Tinc VPN Service

Run the following systemctl command utility to start and enable the tinc VPN service. Be sure to run this command on all of your Ubuntu servers. In this example, the VPN name here is 'testVPN'. You can change this name with your preferred name.

With this, the tinc VPN server should be running in the background and also will start automatically upon the system startup.

sudo systemctl start tinc@testVPN
sudo systemctl enable tinc@testVPN

Verify the tinc VPN service by entering the systemctl command utility below.

sudo systemctl status tinc@testVPN

You should receive an output like this. 'active (running)' confirms that tinc VPN is running, and '...; enabled;...' confirms that the service is enabled and will start automatically on system startup.

[screenshot: start tinc vpn service]

You can also verify the tun0 interface created by the tinc VPN server. Enter the following ip command on each server to check the tun0 interface details.

ip addr show tun0

On the 'tinc-ubuntu' server, you should see the tun0 interface with IP address 10.0.0.1. On the 'client1' machine you should see the tun0 interface with IP address 10.0.0.2. Lastly, on the client2 machine, you should get the tun0 interface with IP address 10.0.0.3.

Conclusion

In this tutorial, you have learned how to create and set up peer-to-peer VPN using the tinc VPN server on Ubuntu 22.04 servers. You have learned detailed processes for setting up tinc VPN with a firewall enabled on multiple Ubuntu servers.

Tinc is a simple yet powerful VPN server software that can be installed on multiple operating systems. You can add more servers/nodes to your current tinc VPN deployment. Also, you can create a mesh VPN without relying on a central node.

Learn more about the tinc VPN server on the tinc official documentation.
