Tinc is an open-source Virtual Private Network (VPN) adapter that provides a simple way to create a private peer-to-peer (P2P) mesh network in Linux, Windows, and macOS. Similar to OpenVPN and Wireguard, it can link together multiple computers across different network topologies into a single virtual LAN. Here we show you the benefits of using Tinc and how to install and create a simple Tinc-based mesh network.
Why Use Tinc over Wireguard and OpenVPN?
One unique selling point of Tinc over other VPN daemons is that it’s designed to be a mesh network. This means that, unlike Wireguard, it can easily adapt to changes in network conditions. This makes it more resilient, especially for computers with a poor network connection.

Aside from that, Tinc enjoys most of the features that you would expect out of a traditional VPN such as OpenVPN. This includes the ability to traverse NAT environments, create encrypted tunnels, and link LAN-only applications.

Lastly, Tinc also strives to make every connection you make inside the network P2P. This could either be through automatic peer discovery or coordinating with a publicly accessible Tinc server. As a result, connections inside a Tinc VPN are not only resilient but also quick and responsive.
Installing Tinc on Linux
The first step in installing Tinc is to make sure your system is up-to-date. In Ubuntu, run the following command:
sudo apt update && sudo apt upgrade -y
Download and install Tinc directly from Ubuntu’s package repositories:
sudo apt install tinc

To install Tinc on other Linux distros, use the appropriate package manager for that system. For example, I need to run sudo dnf install tinc to fetch the program in Fedora.

Confirm that you’ve properly installed Tinc by opening a terminal session and running tincd --version.

Creating a Basic Mesh Network with Tinc
With Tinc on your machine, you can now configure your first Tinc-based network. Make a new folder inside “/etc/tinc.” This will contain all the files related to your Tinc node:
sudo mkdir -p /etc/tinc/mynetwork/hosts
Create a new config file using your favorite text editor:
sudo nano /etc/tinc/mynetwork/tinc.conf
Paste the following block of code inside your new config file:
Name = mynode
Device = /dev/net/tun

Note: some Linux distros might change the location of the tun adapter inside “/dev.” To find its exact path for your system, run:
find /dev -name '*tun*' -type c
Create a text file under the “hosts” folder with the name of your Tinc node and paste the following inside it:
Subnet = 192.168.11.1/32
Address = YOUR-MACHINE-IP-ADDRESS-HERE
Port = 655
Replace the value of the “Address” variable with the IP address of your machine. You can find this by running ip addr.

Note: you need to provide your machine’s public IP address if you want to create a publicly accessible VPN.
Save your machine’s hosts file, then create two files under “/etc/tinc/mynetwork:”
sudo touch /etc/tinc/mynetwork/tinc-{up,down}
sudo chmod +x /etc/tinc/mynetwork/tinc-{up,down}
Open the “tinc-up” file, then paste the following shell script inside it. This brings up the virtual network interface for Tinc and assigns the IP address to that interface:
#!/bin/sh
ip link set $INTERFACE up
ip addr add 192.168.11.1/32 dev $INTERFACE
ip route add 192.168.11.0/24 dev $INTERFACE
Save the file, then open the “tinc-down” file and paste the following inside it as well. This does the reverse of “tinc-up”: it unassigns the IP address from your Tinc interface and brings that interface down:
#!/bin/sh
ip route del 192.168.11.0/24 dev $INTERFACE
ip addr del 192.168.11.1/32 dev $INTERFACE
ip link set $INTERFACE down

Generate a keypair for your Tinc node by running tincd:
sudo tincd -n mynetwork --generate-keys=4096
Press Enter twice to accept the default saving location for both private and public keys on your Tinc node.

Adding the First Tinc Client
To add a new Tinc client, begin by making sure that you’ve installed Tinc properly on your second machine.

Create the directory structure for your Tinc config using mkdir -p.

Use your favorite text editor to create the config file for your Tinc client:
sudo nano /etc/tinc/mynetwork/tinc.conf
Paste the following lines of code inside your second machine’s config file:
Name = myclient
Device = /dev/net/tun
ConnectTo = mynode
Create a file with the name of your Tinc machine under “/etc/tinc/mynetwork/hosts.” In this case, I’ve named my second machine as “myclient,” so I will create a file with the name “myclient:”
sudo nano /etc/tinc/mynetwork/hosts/myclient
Paste the following block of code inside your new hosts file. Similar to your first node, this dictates the network configuration of your Tinc daemon:
Subnet = 192.168.11.2/32
Port = 655
Save your new hosts file, then create a “tinc-up” and “tinc-down” script on your second machine:
sudo touch /etc/tinc/mynetwork/tinc-{up,down}
sudo chmod +x /etc/tinc/mynetwork/tinc-{up,down}

Open the tinc-up file using your favorite text editor, then paste the following block of code inside it:
#!/bin/sh
ip link set $INTERFACE up
ip addr add 192.168.11.2/32 dev $INTERFACE
ip route add 192.168.11.0/24 dev $INTERFACE
Save your tinc-up file, then open tinc-down and paste the following lines of code inside it as well:
#!/bin/sh
ip route del 192.168.11.0/24 dev $INTERFACE
ip addr del 192.168.11.2/32 dev $INTERFACE
ip link set $INTERFACE down
Finalize your Tinc client configuration by generating its keypair:
sudo tincd -n mynetwork --generate-keys=4096

Running the Tinc Mesh Network
At this point, you now have two properly configured Tinc daemons. However, you still need to link these two Tinc daemons to create your P2P VPN in Linux. For that, you need to copy the hosts config file from your Tinc node to your client and vice versa.
Start by opening your node’s terminal session and navigating to its “/etc/tinc/mynetwork/hosts” directory:
cd /etc/tinc/mynetwork/hosts
Copy the config file inside this directory and transfer it to your client. In my case, I will use scp to send this file through ssh:
scp ./mynode YOUR-CLIENT-IP-ADDRESS:~

Note: while I’ve used scp in this example, you can also manually transfer the files using flash drives.
Go to your client machine and copy the hosts file that you just transferred to the client’s “/etc/tinc/mynetwork/hosts” folder:
sudo cp -v ~/mynode /etc/tinc/mynetwork/hosts/
After that, run scp on the client machine’s side to transfer its hosts file back to your node:
scp /etc/tinc/mynetwork/hosts/myclient YOUR-NODE-IP-ADDRESS:~

Copy your client’s hosts file to your node’s hosts directory:
sudo cp ~/myclient /etc/tinc/mynetwork/hosts/
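A pre-flight check to run on each machine before copying hosts files, added here as an example and not part of the original article or the Tinc project: it confirms that the private key is readable only by its owner and that no file under hosts/ contains private key material or lacks a public key. It assumes tinc 1.0's default file names (rsa_key.priv and hosts/<Name>); the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit a tinc network directory before exchanging hosts files.
# Assumption: tinc 1.0 default key locations (rsa_key.priv, hosts/<Name>).

# Succeeds only if the private key exists and is readable by its owner alone.
check_private_key() {
    [ -f "$1" ] || { echo "missing private key: $1"; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$1 is $perms, expected -rw-------"; return 1; }
}

# Succeeds only if a hosts file is safe and complete enough to give to a peer.
check_host_file() {
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "$1 contains private key material, do not share it"; return 1
    fi
    grep -q 'BEGIN RSA PUBLIC KEY' "$1" || { echo "$1 has no public key"; return 1; }
    grep -Eq '^[[:space:]]*Subnet[[:space:]]*=' "$1" || { echo "$1 has no Subnet"; return 1; }
}

# Audits one network directory; the exit status is the number of problems.
audit_network() {
    dir=$1; problems=0
    check_private_key "$dir/rsa_key.priv" || problems=$((problems + 1))
    for f in "$dir"/hosts/*; do
        [ -f "$f" ] || continue
        check_host_file "$f" || problems=$((problems + 1))
    done
    return "$problems"
}

# Builds a constructed sample directory (placeholder key bodies, not real keys).
make_sample() {
    mkdir -p "$1/hosts"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' > "$1/rsa_key.priv"
    chmod 600 "$1/rsa_key.priv"
    printf '%s\n' 'Subnet = 192.168.11.1/32' 'Port = 655' \
        '-----BEGIN RSA PUBLIC KEY-----' 'PLACEHOLDER' > "$1/hosts/mynode"
}

# Usage: sh audit.sh /etc/tinc/mynetwork   (run as root to read the key)
if [ $# -gt 0 ]; then audit_network "$1"; fi
```

Only the file under hosts/ is meant to leave the machine; rsa_key.priv stays where tincd wrote it.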
Starting the Tinc Mesh Network
Start your fully configured Tinc network by running the following command on each of your hosts:
sudo tincd -n mynetwork
Confirm that you’re able to communicate with your nodes through the Tinc interface by doing a simple ping:
ping -c 5 192.168.11.2

Lastly, enable the Tinc service to ensure that your VPN will work on system startup:
sudo systemctl enable --now tinc@mynetwork.service

Learning how to create your own P2P mesh VPN in Linux with Tinc is just the first step in exploring this wonderful world of computer networking.
Image credit: Growtika via Unsplash. All alterations and screenshots by Ramces Red.
