Tinc VPN: Secure Private Network Between Hosts

420 points by phantom_oracle, more than 7 years ago

25 comments

LinuxBender, more than 7 years ago
+1 for tinc. I've used it for years in VPS providers and from home to VPS to cloak DNS from the ISP eyes and tampering.

It's not as fast as strongswan or wireguard, but it has dynamic mesh routing. If one of my nodes is down, I route through the others automagically, all in user space without having to enable forwarding on any nodes. This is handy when backbone providers are having issues.
anshargal, more than 7 years ago
Another interesting alternative to tinc is ZeroTier ( https://www.zerotier.com/ ). I am using it to remotely play Steam games over the Internet and it is surprisingly easy to set up. Probably due to the existence of a centralized hub.
buserror, more than 7 years ago
I love tinc for another reason too. I've been using it for many, many years, and the one feature of the re-routing that always amazes me is:

I'm on the laptop, connected to Gb ethernet--- I do work on remote servers (via tinc).

I pull the cable, the lappy's network reconfigures to wifi, tinc re-connects and...

*my* connections to the remote servers have not skipped a beat. As far as x2go, ssh or VNC, the 'ethernet' it's using is still up; might have lost a couple packets, but that's it.

I just love it.
gregoriol, more than 7 years ago
Have been using Tinc to create a private network between a few servers for a hosting that has servers in the same datacenter but only public IPs, no private networking available.

Transfers of quite large files as well as mysql/redis connexions work amazingly well. CPU gets loaded quite a bit, but overall it is fast (for such a setup) and easy to configure.
rsync, more than 7 years ago
This is as good a time as any to point people in the direction of sshuttle, which is a very simple and elegant VPN that can use any SSH server as an endpoint.

* No configuration required for endpoints - any SSH server that you have a login on will work.
* Works on Linux and FreeBSD and OSX
* Tunnels DNS and UDP, etc.
* I have no idea how fast it is.

https://github.com/sshuttle/sshuttle
asdfghj123, more than 7 years ago
The main feature that sets tinc apart from the competition is automatic and reliable upgrading of proxied connections to direct connections through NAT hole punching.
samsk, more than 7 years ago
I've made an ansible playbook to simplify tinc nodes management. See https://github.com/samsk/ansible-tinc
segmondy, more than 7 years ago
I currently run OpenVPN on a $5 raspberry pi. Powered off the computer's USB port. Works great. Haven't given Tinc or Wireguard a try but will experiment. I see a lot of suggestions for ssh. It's best to use a VPN.

All incoming tcp traffic is blocked to my VPN, it doesn't respond to ICMP. Pretty much looks like a dead host unless you know there's a VPN. To connect, you need both the key and password. So it's quite secure. I can then ssh to my internal network. Nice way to access my home network without exposing it directly to the net.
subway, more than 7 years ago
Tinc is pretty amazing. My only beef with it is that once a node is connected to the network, if you ever wish to revoke access, you have to update *all* nodes on the network to ensure the revoked node is now gone.
skrowl, more than 7 years ago
1.0 was 14 years ago and the latest release was 3 months ago. Any particular reason this was posted now? Great new feature / etc?
tptacek, more than 7 years ago
This is as good a time as any to point people in the direction of WireGuard, Jason Donenfeld's modernized VPN:

* It inherits strong, modern crypto from Trevor Perrin's Noise Protocol Framework.
* It's designed to be extremely simple to configure for the common case.
* It has a microscopic trusted code base --- 4-5000 lines compared with hundreds of thousands for strongSwan --- and the protocol was specifically designed to enable that; for instance, the protocol makes specific allowances to enable implementations without any dynamic allocation.
* It's probably the fastest available VPN.

You can only use it on Linux at the moment, but that will change this year.

WireGuard is so good people at my company spin up Vagrant images on their Macbooks to use it. Check it out:

https://www.wireguard.com/

Benjamin Dowling and Kenny Paterson (a name you might be familiar with) just completed and published a formal analysis of WireGuard; the results are complicated (the eCK model WireGuard was proven under doesn't contemplate separate key exchange and data transport phases) but here's a TLDR from Kenny:

https://twitter.com/kennyog/status/955884665801445377
WouterZ, more than 7 years ago
I have SoftEther running at home - which is the open-source free enterprise version (development driven by a Japanese university from what I gather). It offers enterprise features and supports OpenVPN. This looks functionally rather poor compared to SoftEther...
nimbius, more than 7 years ago
https://www.tinc-vpn.org/documentation/Generating-keypairs.html#Generating-keypairs "Just press enter to accept the defaults."

Is there an expert mode? Does this support ED_25519 keys or use open/libressl libs?
staunch, more than 7 years ago
OpenVPN is still going to be the best choice for some time. There's nothing else as well supported across platforms and it does everything most people want, including allowing connected clients to communicate directly. It doesn't have mesh support but that's probably a good thing in my experience.
qaq, more than 7 years ago
I really like zeroTier
lukaslalinsky, more than 7 years ago
If you need to securely connect servers that only have public network, I suggest you give Weave Net a try. It's developed for Docker and also runs on Docker, but the private IPs can be exported to the host machine so you can also use it as a VPN between the hosts. It's super easy to set up and reasonably fast since it uses ESP packets, which are encrypted on the kernel level.
wener, more than 7 years ago
Thanks for bringing me tinc, I just spent a whole day on this. Love it!! This will change what I want to do; with tinc, network becomes easier.
mathlizard, more than 7 years ago
+1 for tinc, I can login to my server and see the other three computers, it's nice for ssh-ing or tunnelling. On tinc, I was only able to get a Windows Remote Desktop connection for about 45 seconds, then it loses the connection. I'm guessing OpenVPN might not have this issue. Tinc is way easier to configure than openvpn though. I recommend it :)
anshargal, more than 7 years ago
In my experience for a simple connection between two hosts a port forwarded over ssh was significantly faster than tinc VPN. Obviously ssh port forwarding is not a network, but sometimes you don't need a network.
Tepix, more than 7 years ago
How does this compare to SigmaVPN[1] which is tiny and uses modern crypto instead of OpenSSL?

--

[1] https://github.com/neilalexander/sigmavpn
aplorbust, more than 7 years ago
"WireGuard Key Generation in JavaScript ======================================

Various people believe in JavaScript crypto, unfortunately. This small example helps them fuel their poor taste."
Steltek, more than 7 years ago
Does anyone know if Tinc tunnels DNS requests on Android? The Android OpenVPN client does not and it introduces some problems.
hhanesand, more than 7 years ago
Is this similar to Hamachi?
dozzie, more than 7 years ago
I cannot fathom why people who want *VPN* keep using Tinc with its hand-rolled protocol riddled with cryptographic errors.
rurban, more than 7 years ago
Weren't the tinc developers caught adding NSA backdoors into it and getting paid to do it last year? I remember something like this remotely from the Snowden leaks.