
[Package Request] Tinc #2556

Open
ericjarvies opened this issue Dec 14, 2016 · 9 comments
Labels
request request for new package

Comments

@ericjarvies

Name: Tinc
Description: Virtual Private Network (VPN) daemon
Website: https://www.tinc-vpn.org
Software documentation: https://www.tinc-vpn.org/docs/
Build/Installation documentation: https://www.tinc-vpn.org/documentation-1.1/Installation.html
Source Code: https://www.tinc-vpn.org/packages/tinc-1.1pre14.tar.gz
License: GNU General Public License version 2

Mesh VPN over tun0 Interface.

@Dr-Bean
Contributor

Dr-Bean commented Dec 28, 2016

In case someone starts on this, this comment might be of interest: #2354 (comment). Not sure if DSM is able to handle tun interfaces nowadays, but something to keep in mind.

@Dr-Bean Dr-Bean added the request request for new package label Dec 28, 2016
@ericjarvies
Author

ericjarvies commented Dec 28, 2016

Tinc configuration involves editing the /etc/hosts file to add the vpn node entries, e.g.-

127.0.0.1 localhost node1
192.168.1.10 synologyNAS node1
10.0.0.1 node1
10.0.0.2 node2
10.0.0.3 node3

And then the Tinc configuration files located at /etc/tinc/meshVPNname, e.g.-
tinc.conf

Name = node1
AddressFamily = ipv4
Interface = tun0
ConnectTo = node2
ConnectTo = node3

tinc-up

#!/bin/sh
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0

tinc-down

#!/bin/sh
ifconfig $INTERFACE down

And /etc/config/hosts/, e.g.-

node1
node2
node3

The above node1, node2, and node3 files look like this:

Address = a.public.ip.address
Subnet = 10.0.0.1/32
-----BEGIN RSA PUBLIC KEY-----
moo said the fat cow
-----END RSA PUBLIC KEY-----
Ed25519PublicKey = someSkinnyCrypticCowConundrum

These files are edited manually (e.g.- sudo nano), so there really is no need to have any DSM interaction. The important prerequisites are that Java is installed and that the tun0 interface can be created when executing Tinc, e.g.-

sudo tinc -n meshVPNname

When Tinc source code is built, it should use;

./configure --prefix=/ --exec-prefix=/usr --datadir=/etc --localstatedir=/var
make
make install

This way the tinc.meshVPNname.pid is created in the /var/run/ folder, the root Tinc config files are located in the /etc/tinc/ folder, tincd and tinc are installed into /usr/sbin/, and tinc-gui is installed into /usr/bin/.

Otherwise, it also needs to survive reboots (tinc and tinc networks are started). Things like start|stop|restart|etc. can be accomplished in the tinc CLI.

Apart from OpenSSL (libssl-dev) and the various usual suspects (build tools), building Tinc from source also requires LZO (liblzo2-dev).

The latest Tinc version should be used, e.g.-

https://tinc-vpn.org/packages/tinc-1.1pre14.tar.gz

If anyone is interested, I'll post a bounty on this accordingly.
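An added example, not code from this thread or from the tinc project: a POSIX shell script that writes the node layout described in the comment above (tinc.conf, tinc-up, tinc-down, hosts/NODE) and refuses a tun name that already exists on the host. It assumes a ROOT argument stands in for /etc/tinc, that keys are generated afterwards with tinc 1.1's own CLI, and 203.0.113.5 below is a constructed placeholder public address.

```shell
#!/bin/sh
# Added example (not from the thread or the tinc project): lay out a tinc 1.1
# node directory like the one described above. Assumptions: ROOT stands in for
# /etc/tinc, VPN addresses live in 10.0.0.0/24, and keys are generated later
# with tinc's own CLI (tinc -n NET generate-keys), so none are written here.

# iface_free IFACE [SYSDIR]: true if no live interface of that name exists.
# The thread notes tun0 (VPN Center) and tun1000 (QuickConnect) are taken on
# DSM, so a new network should be refused those names. SYSDIR is overridable
# so the check can be exercised without touching the real /sys.
iface_free() {
    sysdir="${2:-/sys/class/net}"
    [ ! -e "$sysdir/$1" ]
}

# write_tinc_node ROOT NET NODE VPNADDR PUBADDR IFACE PEER...
# Writes tinc.conf, tinc-up, tinc-down and hosts/NODE; prints the net dir.
write_tinc_node() {
    root="$1"; net="$2"; node="$3"; vpnaddr="$4"; pubaddr="$5"; iface="$6"
    shift 6
    dir="$root/$net"
    mkdir -p "$dir/hosts"
    {
        printf 'Name = %s\nAddressFamily = ipv4\nInterface = %s\n' "$node" "$iface"
        for peer in "$@"; do printf 'ConnectTo = %s\n' "$peer"; done
    } > "$dir/tinc.conf"
    # $INTERFACE is expanded by tincd at run time, so it stays literal here
    printf '#!/bin/sh\nifconfig $INTERFACE %s netmask 255.255.255.0\n' \
        "$vpnaddr" > "$dir/tinc-up"
    printf '#!/bin/sh\nifconfig $INTERFACE down\n' > "$dir/tinc-down"
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
    # own host file: public endpoint plus the /32 this node announces
    printf 'Address = %s\nSubnet = %s/32\n' "$pubaddr" "$vpnaddr" \
        > "$dir/hosts/$node"
    printf '%s\n' "$dir"
}

# peer_count TINCCONF: number of ConnectTo lines, for a quick sanity check.
peer_count() {
    grep -c '^ConnectTo = ' "$1"
}
```

Run it as `iface_free tun101 && write_tinc_node /etc/tinc meshVPNname node1 10.0.0.1 <public-ip> tun101 node2 node3`, then generate keys and copy the resulting hosts files between nodes.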

@MMD70

MMD70 commented Dec 28, 2016

Creating tun0 interface is problematic because it is used by VPN Center (OpenVPN).
The same goes for tun1000 which is used by Quick Connect.
These are the two that I know of.

@ericjarvies
Author

Assuming OpenVPN is using tun0, Tinc can use tun1, tun2, tun3, or so forth, correct?

Regarding QuickConnect... how does this use tun1000? Isn't QuickConnect a Synology [ddns] resolving service (e.g.- http://YourNAS.quickConnect.to)?

@MMD70

MMD70 commented Dec 28, 2016

Yes correct, but I would go with tun101, tun102, etc.

No, it's not DDNS, it's a relay service that will try to establish a direct connection and, if not possible, it will relay. It's trying/using various ways to establish a connection between DS and APP.
In the whitepaper you can read a virtual tunnel is being used.
https://global.download.synology.com/download/Document/WhitePaper/Synology_QuickConnect_White_Paper.pdf

If you use it then try ifconfig, tun1000 will show up.
global.quickconnect.to is being contacted by DS.
Blowfish and SHA1 were being used the last time I checked, which is pretty ugly to be honest, just as the current OpenVPN configuration they use; it's vulnerable to SWEET32, also QC!!!

Now who will do backups with a remote DS? Or keep it connected 24/7 on OpenVPN and/or QC?
Also check out:
/usr/syno/etc/synorelayd
/usr/syno/etc.defaults/synorelayd

@ericjarvies
Author

I tried that, but on neither of my Synology NAS devices am I able to detect tun0 in use (running ifconfig when connecting using myNAS.quickConnect.to). It does not let me QuickConnect using SSH... only HTTP/HTTPS. When I run OpenVPN (via DSM) then tun0 is present.

@ericjarvies
Author

ericjarvies commented Dec 28, 2016

I want to configure my NAS devices so they can be nodes on my ElasticSearch cluster... nodes that basically house (backup) the cluster's data, and can serve as incubator nodes if all the other nodes go down/are taken down.

For example, having a few nodes running on DigitalOcean, a few nodes on Linode, and a handful of nodes elsewhere, I am currently using my client devices (my desktop/workstation devices) as edge nodes, so whenever I need to take all of those hosted nodes offline, I have my edge nodes that reside on my workstation(s), from whence, at a later time/date, I can then create new (empty) nodes on remote servers, and use my (populated) workstation node to get them going/up and operational.

I want to simply move this to the NAS devices and off of my desktops. Tinc works wonderfully for this purpose.

@MMD70

MMD70 commented Dec 28, 2016

to detect tun0 in use

I guess you mean tun1000...
Yes, I phrased it wrong.
If it's possible to connect directly then there's no need for a tunnel; that's the "intelligence" of QC.

You could install Easy Bootstrap Installer and choose Entware-NG; it has 1.1pre14 on the feed.

@buzo-ffm

A few people seem to have done this already, see https://www.tinc-vpn.org/pipermail/tinc/2019-June/005464.html
