Creating a Secure Connection Between Two Debian/Ubuntu Servers Using Tinc

Updated on July 24, 2016
Creating a Secure Connection Between Two Debian/Ubuntu Servers Using Tinc header image

Introduction

Tinc is a multi-platform VPN daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet.

In this tutorial, we will cover the process if setting up a secure connection between two servers to securely transfer files between them.

Installation

Tinc can be installed via apt on Debian and Ubuntu, which is what we will be doing in this tutorial:

apt-get install tinc

Basic Configuration

Once installed, you will need to navigate to /etc/tinc and create a sub directory with any name. The newly created directory will contain all the necessary configuration files for our new private network.

The next step would be to /etc/tinc/nets.boot and add a new line with the name of the newly created directory.

The next step would be to create a Tinc configuration file in the newly created directory. The configuration file should be named tinc.conf. Open tinc.conf using your favorite text editor and add the following lines:

Name = Name-of-this-Machine
AddressFamily = any
Mode = switch
Interface = tap0
ConnectTo = Name-of-the-other-Machine

The contents of this file will provide the Tinc daemon with the necessary information to establish the secure VPN connection between the current server and the other server you wish to establish connection with.

The next step would be to create a new file named tinc-up which assigns the proper address to our VPN Interface:

#!/bin/sh
ifconfig $INTERFACE up
ip addr add 10.100.100.1/31 dev $INTERFACE

Since you need to shut down the interface when stopping Tinc, we need to create a second file named tinc-down which shuts down the VPN Interface.

#!/bin/sh
ifconfig $INTERFACE down

Note: The private IP address used in this tutorial is only an example, you can use any private subnet/ip you prefer.

Generating keyfiles

Tinc uses a rather secure schema for creating the private and public keys used for authentication. Before we create the keys, we need to create a new directory named hosts; in this directory, we will be creating a new file named tinc.conf with the following lines in it.

Address = External IP of our server
Port = Unused Port for connection

Then, we can create the key files:

tincd -n NETWORK_NAME -K4092

Note: Replace NETWORK_NAME  with the name of the folder you created in Configuration.

Copying keyfiles

Assuming you configured your other server the same way you configured the one referenced in this tutorial, you will need to copy host file from the current server to the other/destination server.

Start

Once the key files are present on both server, you can start Tinc using the below command:

tincd -n NETWORKNAME

Conclusion

Tinc is a very secure Layer2 VPN Daemon and performs rather well, especially when it comes to bandwidth throughput, as well as compression. Additionally, it features AES-256 Encryption which is a huge advantage.

This concludes our tutorial. Thank you for reading.