3 If you are just starting to create a VPN, first consider what IP addresses you
4 want to use on the VPN. There are several blocks of IP addresses reserved for
5 [private networks](https://en.wikipedia.org/wiki/Private_network):
12 Make sure the [IP range](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
13 you are choosing is large enough for all the nodes you want to add to the VPN,
14 and also consider that some of these private address ranges might also be used
15 on local area networks, so check in advance that you won't conflict with any
16 range that is already in use by any of the participants. When in doubt, just
17 pick one and try it out. For this quickstart guide, we will use 172.16.0.0/16
18 as the range of the VPN.
20 Also think of a name for your whole VPN. This will be used as the "netname"
21 parameter for tinc, and on Linux this will then also automatically be used as
22 the name for the virtual network interface. We will use "myvpn" as the name in
25 # Create your first node
27 Think of a name for your first node. We will call it "first" in the examples
28 below. The name must be unique for each node in the same VPN, and may only
29 contain letters, numbers and underscores. Apart from that you can choose
30 whatever you want. Now we can create the first node:
33 sudo tinc -n myvpn init first
36 This creates the initial configuration for the node, but has not started tinc
37 yet. Before we do that, two things have to be done first. We have to tell tinc
38 which part of the IP range of the VPN belongs to *this* particular node. We
39 will use 172.168.1.0/24 for this example. We then have to give this command:
42 sudo tinc -n myvpn add Subnet 172.168.1.0/24
45 However, tinc itself will not actually configure the virtual network interface
46 for you. You have to create a script named `tinc-up` that does this. To do
47 this, run the command:
50 sudo tinc -n myvpn edit tinc-up
53 This should start an editor. When you ran the `init` command, a dummy script
54 was already created. Edit it to make sure it looks like this:
58 ifconfig $INTERFACE 172.168.1.1/16
61 Note that the literal text `$INTERFACE` should be in the script, tinc will make
62 sure that environment variable is set correctly when the script is run. The
63 address should be that of the node itself, but the netmask or prefix length
64 (the `/16` in this case) you provide must be that of the *whole* VPN. This
65 tells the kernel that everything for the VPN's IP range should go to tinc's
66 virtual network interface, from then on tinc will handle it and route it to the
67 right node based on the `Subnet`s that you configured.
72 sudo tinc -n myvpn start
75 This will start running tinc in the background. You can also run it in the
76 foreground with debugging enabled using this command:
79 sudo tinc -n myvpn start -d5 -D
82 This might be helpful in the beginning to debug any issues you have setting up
85 # Create your second node
87 There are two ways to add new nodes to the VPN.
89 ## Using import/export of host config files
91 One way to do it is to create a second node just like you created the first
92 node. Just make sure it has a different name (let's call it "second"), and that
93 it gets a different IP range for itself (let's use 172.168.2.0/24). So on the second node run:
96 sudo tinc -n myvpn init second
97 sudo tinc -n myvpn add Subnet 172.168.2.0/24
98 sudo tinc -n myvpn edit tinc-up
101 And make sure the second node's tinc up contains:
105 ifconfig $INTERFACE 172.168.2.1/16
108 And `start` the second node. After you have done that, you have to make sure
109 that the two nodes can find each other. To do this, at least one node should
110 have a public IP address. Let's assume the first node has public IP address
111 93.184.216.34. You would then give this command on the first node:
114 sudo tinc -n myvpn add Address 93.184.216.34
117 Note that if you have a public domain name, you can also use that domain name
118 instead of a numeric IP address. Now run the following on the first node:
121 sudo tinc -n myvpn export
124 This outputs a small amount of text that contains the node's public keys and
125 the public address. On the second node, run this:
128 sudo tinc -n myvpn import
131 And copy&paste the output from the first node, then press ctrl-D on a new line.
132 If done correctly it should tell you that it has imported the host
133 configuration file. Now you have to do the same but in the other direction: use
134 the `export` command on the second node, and then use `import` on the first
135 node. Now that both nodes know each other, they should be able to connect. This
136 should happen automatically after a while.
138 Note that instead of copy&pasting the text manually, you could also redirect it
139 to a text file, send it via email, pipe it through an SSH connection, or use
140 any other way to exchange the host config files. For more information, see the
141 [manual](https://www.tinc-vpn.org/documentation-1.1/How-to-configure.html).
145 Another way to add more nodes is to have an existing node generate an
146 [invitation](https://www.tinc-vpn.org/documentation-1.1/Invitations.html)
147 for another node. A prerequisite is that the node generating the invitation
148 should have a public IP address to the invitee will be able to connect to it.
149 Again, let's assume the first node has public IP address 93.184.216.34:
152 sudo tinc -n myvpn add Address 93.184.216.34
155 Then on the first node, generate in invitation for the second node:
158 sudo tinc -n myvpn invite second
161 This should generate one line of text that looks like an URL, like for example:
164 93.184.216.34:655/R4BU9VMzdY4S_EIuAhW1-B0XV50HqooyEv6EUfl4k6Z9_zrq
167 On the second node, don't using `init` to create the initial configuration.
168 Instead, run the following command:
171 sudo tinc -n myvpn join 93.184.216.34:655/R4BU9VMzdY4S_EIuAhW1-B0XV50HqooyEv6EUfl4k6Z9_zrq
174 It will then initialize itself and make a connection to the first node and
175 exchange configuration files automatically. You still have to add the `Subnet`
176 and edit `tinc-up` afterwards on the second node (as described in the section
177 above), and use the `start` command to start tinc.
179 Invitations are easier to use, and relatively secure. Once used, the invitation
180 is no longer valid. However, be aware that anyone holding an unused invitation
181 can use it to join a VPN, so make sure you do not make invitation URLs public.
183 # Checking that things are working
185 After you have set up two nodes, you should be able to ping `172.16.1.1`. If it
186 doesn't work, there can be multiple reasons. Make sure you don't have any
187 firewall rules blocking tinc's port, and that at least one node has a public IP
188 address that is accepting incoming connections. You can further investigate by
189 asking tinc the status of a given node. So for example, on the first node, you
193 sudo tinc -n myvpn info second
196 You can also dump a list of connections:
199 sudo tinc -n myvpn dump connections
202 Or `dump nodes` to get a list of known nodes, `dump subnets` to see all
203 subnets. If you ran tinc in the background, you can get still get log output
207 sudo tinc -n myvpn log 5
210 Finally, if the problem is not with tinc, using `tcpdump` to look at the
211 traffic on your real and virtual interfaces might help determine what the