Setting Up Tinc: Step-by-Step Tutorial for Linux

Tinc is a mesh VPN that creates encrypted virtual private networks between hosts. It’s flexible, supports dynamic topologies, and is useful for connecting multiple machines across untrusted networks while preserving service-level connectivity (for example, allowing remote access to internal services or securely linking development environments). This tutorial covers a practical, step-by-step guide to installing, configuring, and testing Tinc on Linux.
Prerequisites and overview
- A basic familiarity with the Linux command line and editing text files.
- Two or more Linux machines (physical or virtual) reachable over the network and with sudo privileges. In examples below, we’ll call them HostA (IP: 192.0.2.10) and HostB (IP: 192.0.2.20). Replace with your actual IPs.
- Tinc works on many Linux distributions; examples will show Debian/Ubuntu and CentOS/RHEL variants.
- This tutorial will:
  - Install Tinc.
  - Create a VPN network named “mynet”.
  - Generate keys and host configs.
  - Exchange host info.
  - Start Tinc and verify connectivity.
  - Configure auto-start and optional advanced settings (routing, subnets, and NAT).
1. Install Tinc
On Debian/Ubuntu:
sudo apt update
sudo apt install tinc -y
On CentOS/RHEL (EPEL needed):
sudo yum install epel-release -y
sudo yum install tinc -y
On Fedora:
sudo dnf install tinc -y
Confirm installation:
tincd --version
You should see the tincd version output.
2. Create the network directory structure
Tinc stores configuration under /etc/tinc by default. We’ll create a network named mynet.
On both hosts:
sudo mkdir -p /etc/tinc/mynet/hosts
sudo chown -R root:root /etc/tinc/mynet
sudo chmod 755 /etc/tinc/mynet
3. Configure tinc.conf
Create /etc/tinc/mynet/tinc.conf on each host. This file defines basic network parameters.
On HostA and HostB, create the file with content:
# change to HostB on the other host
Name = HostA
AddressFamily = ipv4
Interface = tun0
# each host should include ConnectTo entries for its peers
ConnectTo = HostB
Notes:
- Name must match the filename you’ll use in the hosts directory (see the next step).
- ConnectTo can be given several times, once per peer. Tinc will attempt to connect to those peers to build the mesh.
- tinc treats only whole lines beginning with # as comments, so keep comments on their own lines rather than after a value.
4. Generate host keys and host configuration
Tinc uses RSA keys for peer authentication. Generate them and create host files.
On HostA:
sudo tincd -n mynet -K4096
This creates /etc/tinc/mynet/rsa_key.priv and then prompts for a file to save the public key to. Accept the default, /etc/tinc/mynet/hosts/HostA, and the public key block is appended to that host file (if the file does not appear, create it manually).
If the command doesn’t create the host file automatically, create /etc/tinc/mynet/hosts/HostA with:
# HostA's public IP or otherwise reachable IP
Address = 192.0.2.10
# optional custom port; the default is 655
Port = 655
# this host's VPN address (chosen in step 6); needed in tinc's default router mode so peers know which node owns it
Subnet = 10.0.0.1/32
# the public key block is appended below when tincd -K is run with the default public-key path
On HostB, run:
sudo tincd -n mynet -K4096
and ensure /etc/tinc/mynet/hosts/HostB contains HostB’s reachable IP.
If rsa_key.priv exists but the host file lacks the public key block (for example, you gave a different path at the prompt), derive the public key from the private key and append it. tinc expects the PKCS#1 “RSA PUBLIC KEY” PEM format, which is what the -RSAPublicKey_out option of openssl produces:
sudo openssl rsa -in /etc/tinc/mynet/rsa_key.priv -RSAPublicKey_out | sudo tee -a /etc/tinc/mynet/hosts/HostA
Do not re-run tincd -K to “repair” a host file: it generates a new key pair, so every peer would need the updated host file again.
(If your distro behaves differently, ensure each hosts file ends with a -----BEGIN RSA PUBLIC KEY----- … -----END RSA PUBLIC KEY----- block containing that host’s public key.)
Important: Only share the contents of /etc/tinc/mynet/hosts/HostX — the private rsa_key.priv must remain secret.
5. Exchange host files
Copy each host’s /etc/tinc/mynet/hosts/HostX file to every other host, into /etc/tinc/mynet/hosts/. For two hosts:
On HostA:
sudo scp /etc/tinc/mynet/hosts/HostA user@192.0.2.20:/tmp/
(replace user with your account on HostB)
On HostB:
sudo mv /tmp/HostA /etc/tinc/mynet/hosts/
sudo chown root:root /etc/tinc/mynet/hosts/HostA
sudo chmod 644 /etc/tinc/mynet/hosts/HostA
Repeat for HostB’s host file to HostA.
Each hosts/ file must contain:
- Address = reachable IP (or set Address = 0.0.0.0 if behind NAT and using port forwarding)
- Port = if non-default
- Subnet = that host’s VPN address as a /32 (for example Subnet = 10.0.0.1/32 for HostA); in tinc’s default router mode this is how peers learn which node owns the address
- the public key block generated earlier (-----BEGIN RSA PUBLIC KEY----- … -----END RSA PUBLIC KEY-----)
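Before starting tincd it is worth checking that the network directory is internally consistent: that Name in tinc.conf has a host file, that every ConnectTo target has one too, and that each host file carries an Address and a public key block but never a private key (the most common mistake when exchanging files by hand). The script below is an added example, not part of the original tutorial or of tinc; it builds a small constructed network directory in a temporary location and runs the checks against it. The placeholder key material is constructed and is not a real key.

```shell
#!/bin/sh
# Added example: sanity-check a Tinc network directory (tinc 1.0 layout as used in this
# tutorial: <dir>/tinc.conf and <dir>/hosts/<Name>). Prints one line per problem found.

# Check a single hosts/<Name> file. Returns 0 when it looks complete and safe to share.
check_host_file() {
    f="$1"
    rc=0
    # Address = <something> must be present (a comment-only or empty value does not count).
    grep -Eq '^[[:space:]]*Address[[:space:]]*=[[:space:]]*[^[:space:]#]+' "$f" \
        || { echo "$f: missing Address"; rc=1; }
    # The public key is a PEM block; tinc expects the PKCS#1 "RSA PUBLIC KEY" form.
    if ! grep -q -- '-----BEGIN RSA PUBLIC KEY-----' "$f" \
        || ! grep -q -- '-----END RSA PUBLIC KEY-----' "$f"; then
        echo "$f: missing RSA PUBLIC KEY block"; rc=1
    fi
    # A private key here means rsa_key.priv was shared instead of the host file.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "$f: contains a PRIVATE key, do not distribute"; rc=1
    fi
    return $rc
}

# Check the whole network directory: Name and ConnectTo targets must have host files,
# and every host file must pass check_host_file.
check_network_dir() {
    dir="$1"
    rc=0
    name=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "$dir/tinc.conf" | head -n 1)
    [ -n "$name" ] || { echo "$dir/tinc.conf: no Name"; return 1; }
    [ -f "$dir/hosts/$name" ] || { echo "hosts/$name missing for Name = $name"; rc=1; }
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$dir/tinc.conf"); do
        [ -f "$dir/hosts/$peer" ] || { echo "ConnectTo = $peer but hosts/$peer is missing"; rc=1; }
    done
    for f in "$dir"/hosts/*; do
        check_host_file "$f" || rc=1
    done
    return $rc
}

# Constructed demo directory mirroring the tutorial's layout (not a real deployment).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/hosts"
printf 'Name = HostA\nAddressFamily = ipv4\nInterface = tun0\nConnectTo = HostB\n' > "$demo_dir/tinc.conf"
# HostA: complete file; the key lines are a constructed placeholder, not real key material.
printf 'Address = 192.0.2.10\nPort = 655\nSubnet = 10.0.0.1/32\n\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER_CONSTRUCTED_KEY_LINES\n-----END RSA PUBLIC KEY-----\n' > "$demo_dir/hosts/HostA"
# HostB: copied over without its key block, which the check should flag.
printf 'Address = 192.0.2.20\nSubnet = 10.0.0.2/32\n' > "$demo_dir/hosts/HostB"

if check_network_dir "$demo_dir"; then
    echo "network directory OK"
else
    echo "problems found; fix them before starting tincd"
fi
```

Run it with your own directory by replacing demo_dir with /etc/tinc/mynet (as root, since the host files are root-owned). The private-key check is the one to care about most: a host file that contains a PRIVATE KEY block has almost certainly been built from rsa_key.priv by mistake and that key should be treated as compromised.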
6. Configure network interfaces and subnets (optional)
If you want Tinc to create a virtual subnet, add a nets file.
On both hosts create /etc/tinc/mynet/tinc-up:
#!/bin/sh
ip link set "$INTERFACE" up
# use 10.0.0.1/24 on HostA and 10.0.0.2/24 on HostB
ip addr add 10.0.0.1/24 dev "$INTERFACE"
Make it executable:
sudo chmod +x /etc/tinc/mynet/tinc-up
Create /etc/tinc/mynet/tinc-down:
#!/bin/sh
ip addr del 10.0.0.1/24 dev "$INTERFACE"
ip link set "$INTERFACE" down
Make executable:
sudo chmod +x /etc/tinc/mynet/tinc-down
Decide IPs:
- HostA: 10.0.0.1/24
- HostB: 10.0.0.2/24
Alternatively, use ifconfig instead of ip on older systems.
To publish a LAN subnet that a host will route into the VPN, declare it in that host’s own host configuration file (/etc/tinc/mynet/hosts/HostA; Subnet is a per-host variable and does not belong in tinc.conf):
Subnet = 192.168.100.0/24
The publishing host must have IP forwarding enabled, and the other hosts need a route for that subnet over the VPN interface in their tinc-up script (ip route add 192.168.100.0/24 dev "$INTERFACE").
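Maintaining a slightly different tinc-up on every host is error-prone. tincd exports NAME (this host’s Name from tinc.conf) and INTERFACE (the tun device) to tinc-up and tinc-down, so one script can pick its own address from a small table and be installed unchanged everywhere. The script below is an added example and not part of the tutorial or of tinc; the address table is this tutorial’s constructed plan, and an unknown NAME is treated as an error so a mis-named host never silently takes an address. The ip commands run only when INTERFACE and NAME are set, i.e. when tincd invokes the script.

```shell
#!/bin/sh
# Added example: a single tinc-up usable on every host of "mynet".
# tincd sets NAME and INTERFACE in the environment before running this script.

# Map a Tinc host name to its virtual address (constructed plan from step 6).
# Returns 1 for names not in the table.
vpn_addr_for() {
    case "$1" in
        HostA) echo 10.0.0.1/24 ;;
        HostB) echo 10.0.0.2/24 ;;
        *)     return 1 ;;
    esac
}

# Bring the tun interface up with the address belonging to this host.
# $1 = host name, $2 = interface name.
configure_interface() {
    addr=$(vpn_addr_for "$1") || {
        echo "tinc-up: no VPN address defined for host '$1'" >&2
        return 1
    }
    ip link set "$2" up
    ip addr add "$addr" dev "$2"
}

# Act only when invoked by tincd; sourcing this file for testing changes nothing.
if [ -n "${INTERFACE:-}" ] && [ -n "${NAME:-}" ]; then
    configure_interface "$NAME" "$INTERFACE"
fi
```

A matching tinc-down would call the same vpn_addr_for to delete exactly the address it added. If you also publish a LAN subnet as described above, the route for it belongs in the same table-driven style so that every host gets the same route without hand edits.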
7. Start tinc
On systemd-based systems:
Create or enable the tinc@mynet service. Many distros include a systemd unit template. Start it:
sudo systemctl enable --now tinc@mynet
sudo systemctl status tinc@mynet
On SysVinit:
sudo service tinc start
Check tinc logs via journalctl or /var/log/syslog to confirm peers connect:
sudo journalctl -u tinc@mynet -f
8. Verify connectivity
From HostA:
- Ping HostB’s virtual IP:
ping -c 3 10.0.0.2
- Check Tinc interface:
ip addr show tun0
ip route show
- To test service-level connectivity, try SSH (if configured) to the virtual IP:
ssh user@10.0.0.2
(replace user with your account on HostB)
If pings fail:
- Ensure hosts files have correct Address and Port.
- Check that the firewall (iptables/nftables) allows TCP and UDP on port 655 (tinc uses TCP for the peer control connection and UDP for tunnelled data) and permits traffic on the tun interface.
- Ensure NAT / port forwarding for hosts behind NAT: forward external port to internal host port.
9. Advanced options and tips
- Encryption strength: default RSA keys are usually fine; use 4096-bit keys for extra security.
- Tinc supports both UDP and TCP; specify Port and bind options in tinc.conf and host files.
- Auto-discovery: use ConnectTo directives or directory-based peer discovery with a central repository if you have many nodes.
- Using systemd-networkd or NetworkManager: ensure virtual interface scripts don’t conflict.
- Firewall rules: allow TCP and UDP on port 655 (or your chosen port) and allow traffic on the tun interface.
- Troubleshooting: run tincd in the foreground with debug:
sudo tincd -n mynet -D -d3
- DNS: Tinc can carry DNS traffic; configure resolv.conf or a DNS server reachable over the VPN.
10. Example minimal host file (HostA)
# HostA's reachable IP and port
Address = 192.0.2.10
Port = 655
# HostA's own VPN address, declared so peers know to route it here
Subnet = 10.0.0.1/32
-----BEGIN RSA PUBLIC KEY-----
(public key block generated by tincd -K)
-----END RSA PUBLIC KEY-----
11. Security considerations
- Keep rsa_key.priv private and properly permissioned (600).
- Use strong keys and limit ConnectTo to known peers.
- Monitor logs for unexpected peers or failed authentications.
- Regularly update tinc package for security fixes.
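“Monitor logs for unexpected peers or failed authentications” is easy to state and easy to forget. As an added example that is not part of the tutorial or of tinc, the script below triages journald output for a tinc network: it counts connection attempts from names we have no host file for, counts failed authentications, and lists activated peers that are outside an expected set. The sample log lines are constructed to resemble tinc 1.0’s messages (“Connection with X (addr port N) activated”, “Peer addr port N had unknown identity (X)”, “Possible intruder X (addr port N): …”) and are not from a real system; check the patterns against your own tincd version before relying on them.

```shell
#!/bin/sh
# Added example: triage tincd log output for the events step 11 says to watch for.
# Input is text such as `journalctl -u tinc@mynet --no-pager > tinc.log`.

# Connecting peers that presented a Name with no hosts/<Name> file on this side.
count_unknown_identity() {
    grep -c 'had unknown identity' "$1" || true
}

# Failed authentications (wrong challenge reply and similar); tinc logs "Possible intruder".
count_possible_intruder() {
    grep -c 'Possible intruder' "$1" || true
}

# Names of peers whose connection was fully activated, deduplicated.
activated_peers() {
    sed -n 's/.*Connection with \([A-Za-z0-9_]*\) (.*) activated.*/\1/p' "$1" | sort -u
}

# Activated peers not in the expected list ($2, space-separated names), one per line.
unexpected_peers() {
    activated_peers "$1" | while read -r peer; do
        case " $2 " in
            *" $peer "*) ;;
            *) echo "$peer" ;;
        esac
    done
}

# Constructed sample journal (not real traffic); 203.0.113.x and 198.51.100.x are documentation ranges.
log=$(mktemp)
cat > "$log" <<'EOF'
Jun 01 10:00:01 hosta tincd[1234]: Connection from 192.0.2.20 port 44120
Jun 01 10:00:01 hosta tincd[1234]: Connection with HostB (192.0.2.20 port 44120) activated
Jun 01 10:05:12 hosta tincd[1234]: Connection from 203.0.113.7 port 51234
Jun 01 10:05:12 hosta tincd[1234]: Peer 203.0.113.7 port 51234 had unknown identity (HostZ)
Jun 01 10:09:40 hosta tincd[1234]: Possible intruder HostB (203.0.113.9 port 655): wrong challenge reply
Jun 01 10:12:00 hosta tincd[1234]: Connection with HostC (198.51.100.4 port 655) activated
EOF

# In production derive this from the hosts you intend to mesh with, e.g. `ls /etc/tinc/mynet/hosts`.
EXPECTED_PEERS="HostB"

echo "unknown identities:  $(count_unknown_identity "$log")"
echo "failed auths:        $(count_possible_intruder "$log")"
echo "unexpected peers:"
unexpected_peers "$log" "$EXPECTED_PEERS" | sed 's/^/  /'
rm -f "$log"
```

Non-zero counts are not by themselves an incident (a peer with a stale host file produces the same messages as a stranger), but they are the lines worth alerting on; a “Possible intruder” entry naming a known peer from an address that peer does not use, as in the constructed sample, deserves a look at that peer’s key distribution.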
This guide should get a basic two-node Tinc mesh up and running on Linux. Adjust IPs, ports, and scripts to suit larger meshes, NATed hosts, or production requirements.