OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: awe007 on January 12, 2017, 10:19:19 am

Title: Tinc VPN
Post by: awe007 on January 12, 2017, 10:19:19 am
Hello All!
Can anyone please publish an example (or screenshots) of how to connect two OPNSense hosts with Tinc VPN?

**office 1**
host 1
external ip - 48.48.128.48
internal ip - 10.10.0.200

computers in this office have network 10.10.0.0/24


**office 2**
host 2
external ip - 5.105.12.5
internal ip - 192.168.3.100

computers in this office have network 192.168.3.0/24

I installed the Tinc VPN plugin and see two tabs - Networks and Hosts.
But I don't understand how to set up the connection. Can't find any manuals :(( Please help me.
Title: Re: Tinc VPN
Post by: Venice on February 17, 2017, 07:15:08 pm
Hi,

I am not a tinc professional, but have a look at

This: https://serverfault.com/questions/830066/tinc-on-opnsense/830072#830072

and this: https://github.com/EugenMayer/tinc-opnsense

and of course the TINC-VPN Documentation:
https://www.tinc-vpn.org/documentation/

The Tinc-GUI on OPNSense is incomplete, so it's better to understand how to configure tinc via config files, based on the tinc documentation.


Greetings
Tobias
Title: Re: Tinc VPN
Post by: Venice on February 18, 2017, 01:34:03 pm
This tutorial comes with ABSOLUTELY NO WARRANTY


Hi,

since TINC-VPN looks like a great solution, I used the night to play a bit with TINC  ;D

I set up a VPN test Environment consisting of 2 hosts.
All of my configurations are possible via the OPNSense GUI. I am not sure if it's correct but it works for me ;) (No Warranty !)
(just in a virtual demo infrastructure, that's why I only use private IP addresses):

My Network configs:
Braunschweig :
Network: 10.124.1.1/16
This is the IP address configuration for the Tunnel Interface, it also defines the whole subnet of your tinc network.
All hosts in your mesh network need one IP address from this IP range.
For example: Hannover Network could be: 10.124.2.1/16 <== IMPORTANT: it must be the same Subnet !

This Host:
Subnet: 10.124.1.0/24 (it's also possible to set only one host. Example: 10.124.1.1/32)
This is the IP subnet behind your OPNSense, it MUST be part of the whole Tinc network.
If you want to reach other subnets, you can use Switchmode
(not possible via OPNSense with this plugin, because the plugin overrides the config files after changing settings... )
or make some routing stuff.

External-IP: 10.4.4.42
The IP, other hosts connect to (Keep in mind: you have to open ports for connecting ;) )

Private key: leave it empty, it will be generated automatically
Public key: leave it empty, it will be generated automatically.
Later you have to copy the generated public-key to all other TINC-Hosts in your network


Network Config on Hannover:
Network: 10.124.2.1/16
This Host:
External-IP: 10.4.4.43
Subnet: 10.124.2.0/24

Now go to the "Hosts" section of the TINC config. You have to do this on every tinc host which should be connected to your network.
In my example we have only 2 hosts.
On Braunschweig create a host named "Hannover", fill in the External IP address,
the subnet you configured on Hannover (10.124.2.0/24)
and copy the public key from Hannover into the Public key field.

On Hannover do the same thing,
create a host,
fill in the Name,
the subnet from Braunschweig (10.124.1.0/24)
and the external IP.
Don't forget to copy the correct Public Key from Braunschweig inside the public key field.

Save everything to apply the settings. On the dashboard you should see that the TINC daemon changed from stopped to started.

Now it's time to test the connection. Try to ping the Tunnel Interface of one of your remote hosts.
If it's not possible check your Firewall rules (logs, logs, logs !!!),
the Routing table of OPNSense and of course the TINC-Log (you can increase the loglevel in the TINC-Network settings)

In your routing table, you should see something like this:
ipv4   10.124.0.0/16   link#7   U   236   1500   tinc0   
You see: All packets which are related to one of your clients in the tinc network will be routed to your tinc0 tunnel interface, and tinc will send them to the correct host.

It is great. Isn't it?

Note:
I think the TINC integration in OPNSense is not ready for production usage.

Edit:
Removed the interface part, it's not needed because OPNSense will create the interface (but doesn't show it on the GUI)
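As an added illustration of the two posts above (it is not part of the thread, nor code from the OPNsense tinc plugin), the following POSIX shell script writes the plain tinc config files that correspond to Venice's GUI settings for the Braunschweig and Hannover nodes, so they can be compared against what the plugin generates in its own config directory. It assumes a tinc netname of `opnsense` and a generic output directory (both assumptions, the plugin's real paths may differ), keeps tinc's default `Mode = router` as described in the tutorial, and leaves PLACEHOLDER lines where the RSA public keys generated by the plugin must be pasted. The `cidr_within` check encodes the "it must be the same subnet" rule: every host's `Subnet` must lie inside the shared tunnel network 10.124.0.0/16.

```shell
#!/bin/sh
# Added example, not the forum author's or the OPNsense plugin's code.
# Writes tinc.conf and hosts/ files for the two-node setup from the thread
# and checks that each Subnet lies within the tunnel network.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if CIDR $1 (e.g. 10.124.1.0/24) lies inside network $2 (e.g. 10.124.0.0/16).
cidr_within() {
    sub_ip=${1%/*}; sub_len=${1#*/}
    net_ip=${2%/*}; net_len=${2#*/}
    [ "$sub_len" -ge "$net_len" ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - net_len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$sub_ip") & mask )) -eq $(( $(ip2int "$net_ip") & mask )) ]
}

# Write one node's config: $1 output root, $2 this host's Name, $3 its external IP,
# $4 its Subnet, $5 peer Name, $6 peer external IP, $7 peer Subnet.
# The netname "opnsense" and the directory layout are assumptions.
write_node() {
    dir=$1/$2/tinc/opnsense
    mkdir -p "$dir/hosts"
    cat > "$dir/tinc.conf" <<EOF
Name = $2
ConnectTo = $5
Mode = router
EOF
    # Own host file: Address is what peers connect to (open the port!), Subnet is the LAN behind it.
    cat > "$dir/hosts/$2" <<EOF
Address = $3
Subnet = $4
-----BEGIN RSA PUBLIC KEY-----
PLACEHOLDER: paste the public key the plugin generated for $2
-----END RSA PUBLIC KEY-----
EOF
    # Peer host file: copied from the peer, including its public key.
    cat > "$dir/hosts/$5" <<EOF
Address = $6
Subnet = $7
-----BEGIN RSA PUBLIC KEY-----
PLACEHOLDER: paste the public key the plugin generated for $5
-----END RSA PUBLIC KEY-----
EOF
}

# Sanity check for one node dir ($1) against the tunnel network ($2):
# the Name in tinc.conf needs a host file, and every Subnet must be inside the network.
check_node() {
    dir=$1; net=$2
    name=$(sed -n 's/^Name = //p' "$dir/tinc.conf")
    [ -f "$dir/hosts/$name" ] || { echo "no host file for $name" >&2; return 1; }
    for f in "$dir"/hosts/*; do
        for s in $(sed -n 's/^Subnet = //p' "$f"); do
            cidr_within "$s" "$net" || { echo "$f: Subnet $s outside $net" >&2; return 1; }
        done
    done
}

# Generate both nodes with the addresses from the tutorial and verify them.
generate_demo() {
    out=${1:-./tinc-demo}
    write_node "$out" Braunschweig 10.4.4.42 10.124.1.0/24 Hannover 10.4.4.43 10.124.2.0/24
    write_node "$out" Hannover 10.4.4.43 10.124.2.0/24 Braunschweig 10.4.4.42 10.124.1.0/24
    check_node "$out/Braunschweig/tinc/opnsense" 10.124.0.0/16 &&
    check_node "$out/Hannover/tinc/opnsense" 10.124.0.0/16
}

# Usage: sh tinc-demo.sh /path/to/output   (nothing is written when no argument is given)
[ $# -eq 0 ] || generate_demo "$1"
```

Run it with an output directory, then diff the generated `hosts/` files against the ones the plugin produced: a mismatch in `Address`, `Subnet` or the key is exactly the kind of error that shows up only in the tinc log at a higher log level, as the tutorial notes.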
Title: Re: Tinc VPN
Post by: AdSchellevis on February 19, 2017, 01:11:58 pm
Hi Venice,

Thanks for your nice tutorial, I'm sure other people will like it too.

If you have suggestions for improvements, feel free to add issues on GitHub (https://github.com/opnsense/plugins/issues).
I don't have a lot of spare time at the moment, but if issues/improvements are reported, I will try to make some time for them (as long as the issues are clearly documented and don't contain a lot of features in the same request, which makes it impossible to close cases).

Best regards,

Ad