Been using tinc for god knows how long... Perhaps 20 years? It's been fantastic. I really don't know why people wax lyrical about wireguard. tinc was doing it 20 years ago. UDP? yeah. Encryption, mesh, proxy ARP, you name it. I've had countless installs and it's been the best VPN.

You even get a 'dot' graph of your current network status if you want to. When 'git' was invented, I put my /etc/tinc/*/ into git with the public keys, and installing a new host to the mesh is one 'git clone' away.

Most underrated open source software ever.
Tinc is incredible, it has worked flawlessly for me for 6+ years with exactly 0 maintenance.

As trustworthy as it is, I am sadly on the hunt to replace it. Compared to wireguard, the throughput ain't great, and it takes way too much CPU on my low power nodes. I would pay good money for "tinc, but with wireguard transport" -- there are of course projects purporting to do this but I haven't found one I trust yet.
Aren't there concerns around the encryption used by Tinc? (https://www.tinc-vpn.org/documentation/Security.html#Security)

It's probably fine for personal projects though, and indeed simple and very flexible (maybe too much), well suited for connecting IoT devices.
One of the nicest things about tinc is how little attention it needs. It starts on boot, and no matter if the connection between two points drops, or one end gets a new address, or connects via IPv6 instead of IPv4, or restarts, the connection just always comes back up magically, without any futzing. There are many other tunneling methods that don't do this.

I used to provide a tunnel using tinc via a MIPS-based Cobalt RaQ. Throughput was surprisingly good, even on an old 250 MHz CPU, so even though I hear people talking about needing something faster, I can't imagine other tunneling methods being measurably faster, unless they're using weaker encryption. I'd benchmark it some time, but the slowest NanoPis that I use for tunnels these days can push many times more traffic through tinc than their Internet connections will allow. I'd be curious to see anyone else's comparisons, though.
Tinc can work on L2, which means it works like a switch, meaning it can work like a cable between any nodes. It doesn't need an IP; you can make a bridge. There is no known good replacement for this.

The down side is

- single thread (performance is limited at 10GbE)

- userspace (wg can work in kernel)

- 1.1 is stable enough, but still may crash, be careful

You may also be interested in n2n
Personally, I've been building my mesh network up over Yggdrasil[1]. A router can even hand out Ygg IPs, resolve traffic for, and firewall off, naive IoT devices (necessary if you route through the public mesh, which isn't the only way to set things up).

1: https://yggdrasil-network.github.io/
One killer feature tinc has is a poor man's anycast.

You can assign an IP to any number of nodes and tinc will talk to the one with the lowest latency. I've used this to run globally distributed DNS on a tinc network.
Slack's Nebula is another great open source mesh VPN application: https://github.com/slackhq/nebula
Tinc is a perfect tool to make a VPN mesh across different clouds/hosters. Been using it for 5 years. It's so much easier to support compared with the ipsec madness.
Switched from openvpn to tinc after the openvpn certificate expired after 10 years (the default duration in the creation script) and I lost connection to my family computers, so I had to drive a few hundred kilometers.

Nearly 8 years ago, still running:

    $ ls -l /etc/tinc/guerby1/tinc.conf
    -rw-r--r-- 1 root root 51 Jul 31 2015 /etc/tinc/guerby1/tinc.conf
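The check a practitioner would want after that story, added here as an example that is not part of the thread: a POSIX shell script that uses the openssl CLI to flag VPN certificates expiring within a given window before a CA or client cert silently lapses. The directory layout and file names are assumptions, and the self-signed certificate it can generate is constructed demo input.

```shell
#!/bin/sh
# Added example (not from the thread): warn before VPN certificates expire.
# Requires only the openssl CLI; paths and names below are assumptions.
set -eu

# Return 0 when the PEM certificate $2 expires within $1 days, else 1.
cert_expires_within() {
    days="$1"
    cert="$2"
    # -checkend exits 0 if the cert is still valid after the window, 1 if not.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Print "<file> notAfter=<date>" for every .pem/.crt in $2 expiring within
# $1 days. Returns 0 if anything was listed, 1 if all certificates are fine.
report_expiring() {
    days="$1"
    dir="$2"
    found=1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        if cert_expires_within "$days" "$cert"; then
            printf '%s %s\n' "$cert" "$(openssl x509 -in "$cert" -noout -enddate)"
            found=0
        fi
    done
    return "$found"
}

# Create a throwaway self-signed certificate valid for $1 days at $2
# (constructed demo input, so the check can be exercised offline).
make_demo_cert() {
    days="$1"
    out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=demo" \
        -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
}

# Example run: warn 30 days ahead for certificates in the directory given as
# $1 (defaults to the current directory; an OpenVPN setup would point this at
# its CA/client cert directory).
report_expiring "${DAYS:-30}" "${1:-.}" \
    || echo "no certificates expiring within ${DAYS:-30} days"
```

Run it from cron with the window you want (for example DAYS=60) so the warning reaches you well before the certificate stops working.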
Sounds very similar to how SyncThing works. I'd like it if the SyncThing discovery and NAT traversal could be combined with wireguard and the ease of tailscale, but distributed mesh and no headscale. And all the other things that tinc does.
It's always odd to me when people point out a lack of updates (without context) as evidence of a problem. I'm a regular user of Tinc and Openbox.

They're mostly finished products. That's why there are few updates. It's nice.
I'd love to understand how this compares to Zerotier, Wireguard, Tailscale, Nebula, ...

I use Zerotier because simplicity, cost, and iOS support matter more for me than speed, but I'm curious about alternatives (WG seemed much easier for me to screw up).
Another huge Tinc fan here. Used it in prod for 5 or so years before switching to zerotier for easier management as we grew. Tinc is rock solid and dead easy to configure.
Another tool to look at is vpncloud (https://github.com/dswd/vpncloud). It also builds a mesh network over UDP. Key setup is a bit easier, static keys are only used for authentication. Encryption keys are dynamically generated and replaced on a schedule.

I combine it with an ansible script to push out the (minimal) configuration to end nodes.