Differences for "IsoleVPN"

Differences between versions 1 and 5 (spanning 4 versions)
Version 1 of 2013-03-19 21:37:29
Size: 2194
Author: G10h4ck
Version 5 of 2013-03-19 22:03:53
Size: 4389
Author: G10h4ck
Linea 1: Linea 1:
= Disclaimer =
Linea 2: Linea 4:
It is not aimed to connect single persons that wants access internal services via VPN.
It is not intended to connect single persons that wants access internal services via VPN.
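Review bot: the reworded sentence still carries the original grammar error: "single persons that wants access internal services" should read "single persons who want to access internal services"; since this line is being reworded anyway, fix it in the same edit.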
Linea 8: Linea 9:
1) Install tinc on your Linux (e.g. apt-get install tinc) '''MAKE SURE YOU HAVE AT LEAST TINC 1.0.13''' 1) Install tinc on your Linux Distro ( Debian based: apt-get install tinc, Gentoo based: emerge tinc ) '''MAKE SURE YOU HAVE AT LEAST TINC 1.0.13'''
Linea 10: Linea 11:
2) {{{mkdir /etc/tinc/isole}}} 2) {{{ mkdir /etc/tinc/isole }}}
Linea 12: Linea 13:
3) Create {{{/etc/tinc/isole/tinc.conf}}} 3) Create {{{ /etc/tinc/isole/tinc.conf }}}
Linea 31: Linea 32:
{{YourPreferredEditor /etc/tinc/isole/hosts/HostNickName}} {{{ /etc/tinc/isole/hosts/HostNickName }}}
Linea 33: Linea 34:
{{ {{{
Linea 46: Linea 47:
}} }}}
Linea 50: Linea 51:
7) Look for a free IP address in the subnet and add your self in the table on the [[GestioneIndirizzi]] wiki page.
Linea 51: Linea 53:
8) Create the file {{{/etc/tinc/ninux/tinc-up}}}
# If your distro supports flexible init networking scripts like Gentoo do you can do it in more elegant way

ip link set dev $INTERFACE up
#Adjust MTU
ip link set mtu 1350 dev $INTERFACE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Where in place of HEREYOURIPADDRESS you must put the IP address choosen at point 7 of this guide

Make the file executable chmod +x /etc/tinc/ninux/tinc-up

9) Send an email to and with your Nickname choosen at point 3 and your generated public key ( also append your public key at [[ChiaviTincVPNIsole]] ) so people can authorize you in their VPN nodes.

10) Once you received notification that your public key is authorized you can try to connect

{{{tincd -n isole}}}

If everything worked out you can ping Now configure babeld to use the interface "isole"

It is FUNDAMENTAL to use latest [[ babeld]] version

11) Configure babeld ( depending on your distro default babeld config file path can be different we will use Debian in the example )

edit {{{/etc/babeld.conf.}}}

It should be something like that but may vary depending on your setup

## Add interface isole as wired with a fixed cost of 300
interface isole wired true rxcost 300

## Refuse every ipv4 route with a prefix lenght less or equal to 14
in le 14 ip deny

## Refuse route
in ip deny

## Refuse route with a prefix lenght great or equal 24 matching with
in ge 24 ip deny

## Allow announcing route
redistribute ip allow

## Allow here the sharing of route you want share
## for example
# redistribute ip allow

## Deny announcing all other route
redistribute local deny
redistribute deny
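Review bot: in the added step 8 the script path is /etc/tinc/ninux/tinc-up, but the network created in steps 2 to 5 and started with "tincd -n isole" is named isole, so tincd will look for /etc/tinc/isole/tinc-up and this script will never run; the path in "chmod +x /etc/tinc/ninux/tinc-up" has the same mismatch. The sentence after the script tells the reader to replace HEREYOURIPADDRESS, yet no line of the script uses that placeholder, so the address assignment for the interface appears to be missing, and the script also has no shebang line (#!/bin/sh), which tincd needs to execute it. In the babeld block, "lenght" should be "length" and "great or equal 24" should be "greater than or equal to 24".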



This VPN is mainly used to connect network islands when it is very difficult to build a wired/wireless link (for example two community networks in very distant cities). It is not intended to connect single persons who want to access internal services via VPN. It is recommended to avoid data traffic over the VPN, because it would slow down troubleshooting operations, which are one of the main uses of the VPN itself.

Connect to the VPN between islands with Tinc

1) Install tinc on your Linux distro (Debian based: apt-get install tinc, Gentoo based: emerge tinc). MAKE SURE YOU HAVE AT LEAST TINC 1.0.13

2) mkdir /etc/tinc/isole

3) Create /etc/tinc/isole/tinc.conf

Name = yournickname
ConnectTo = coppermine
ConnectTo = zefiro
ConnectTo = RomaVpnIsole
ConnectTo = BitArno
Mode = switch

Mode = switch is required because tinc will then operate with a tap interface, which is needed to run babeld on it.

4) Create the hosts folder: mkdir /etc/tinc/isole/hosts/

5) Generate a keypair: tincd -n isole -K

6) Add only keys you trust (at least those of the nodes you specified as ConnectTo) as authorized host files, copied from ChiaviTincVPNIsole (each file you add should look like this):

Address = Host_Address_If_Available

-----BEGIN RSA PUBLIC KEY-----

This file contains the address (if available) and the public key of the VPN node.

7) Look for a free IP address in the subnet and add yourself to the table on the GestioneIndirizzi wiki page.

8) Create the file /etc/tinc/ninux/tinc-up

#!/bin/sh
# If your distro supports flexible init networking scripts, as Gentoo does, you can do this in a more elegant way
# $INTERFACE is set by tincd to the name of the tap interface
ip link set dev $INTERFACE up
# Adjust the MTU
ip link set mtu 1350 dev $INTERFACE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Where in place of HEREYOURIPADDRESS you must put the IP address chosen at point 7 of this guide.

Make the file executable: chmod +x /etc/tinc/ninux/tinc-up

9) Send an email to and with your nickname chosen at point 3 and your generated public key (also append your public key to ChiaviTincVPNIsole) so people can authorize you on their VPN nodes.

10) Once you have received notification that your public key is authorized, you can try to connect:

tincd -n isole

If everything worked out you can ping . Now configure babeld to use the interface "isole".

It is FUNDAMENTAL to use the latest babeld version.

11) Configure babeld (depending on your distro the default babeld config file path can differ; we will use Debian in the example).

Edit /etc/babeld.conf.

It should look something like this, but may vary depending on your setup:

## Add interface isole as wired with a fixed cost of 300
interface isole wired true rxcost 300

## Refuse every IPv4 route with a prefix length less than or equal to 14
in le 14 ip deny

## Refuse route
in ip deny

## Refuse routes with a prefix length greater than or equal to 24 matching
in ge 24 ip deny

## Allow announcing route
redistribute ip allow

## Allow here the sharing of the routes you want to share,
## for example
# redistribute ip allow

## Deny announcing all other routes
redistribute local deny
redistribute deny
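As an added example that is not part of the wiki page, a POSIX shell preflight check for the layout built in steps 3 to 8 (tinc.conf with Mode = switch, one hosts file carrying an RSA public key per ConnectTo peer, an executable tinc-up) plus the "at least tinc 1.0.13" version test; the function names and the sample tree are my own, and the check expects tinc-up inside the network directory, which is where tincd -n isole looks for it.

```shell
# Added example (not from the wiki): preflight check for an "isole" tinc network
# directory. Assumes the layout from steps 3 to 8: tinc.conf with Name, ConnectTo
# and Mode = switch, a hosts/ folder with one file per trusted node, and an
# executable tinc-up next to them (where tincd -n isole looks for it).

# version_ge A B: succeeds when dotted version A is >= B (page requires tinc >= 1.0.13)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# check_isole_dir DIR: prints one line per problem found; returns 1 if any, else 0
check_isole_dir() {
    dir=$1
    rc=0
    conf="$dir/tinc.conf"
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    # Mode = switch is required so tinc brings up a tap interface for babeld (step 3)
    grep -Eq '^[[:space:]]*Mode[[:space:]]*=[[:space:]]*switch' "$conf" \
        || { echo "Mode = switch not set in $conf"; rc=1; }
    grep -Eq '^[[:space:]]*Name[[:space:]]*=' "$conf" \
        || { echo "Name not set in $conf"; rc=1; }
    # every ConnectTo peer needs a hosts file carrying its RSA public key (step 6)
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$conf"); do
        hf="$dir/hosts/$peer"
        if [ ! -f "$hf" ]; then
            echo "no hosts file for ConnectTo peer $peer"; rc=1
        elif ! grep -q 'BEGIN RSA PUBLIC KEY' "$hf"; then
            echo "no RSA public key in $hf"; rc=1
        fi
    done
    # tinc-up is run by tincd only if it exists here and is executable (step 8)
    [ -x "$dir/tinc-up" ] || { echo "$dir/tinc-up missing or not executable"; rc=1; }
    return $rc
}

# make_demo_dir: builds a constructed sample tree in a temp dir and prints its path
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/hosts"
    printf 'Name = demo\nConnectTo = coppermine\nMode = switch\n' > "$d/tinc.conf"
    # constructed placeholder key material, not a real key
    printf 'Address = 192.0.2.1\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' > "$d/hosts/coppermine"
    printf '#!/bin/sh\nip link set dev "$INTERFACE" up\n' > "$d/tinc-up"
    chmod +x "$d/tinc-up"
    echo "$d"
}

# usage on a real node: check_isole_dir /etc/tinc/isole && echo "isole layout looks sane"
```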