Creating a Secure Connection Between Two Debian/Ubuntu Servers Using Tinc
Introduction
Tinc is a multi-platform VPN daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet.
In this tutorial, we will cover the process of setting up a secure connection between two servers in order to transfer files between them securely.
Installation
Tinc can be installed via apt on Debian and Ubuntu, which is what we will be doing in this tutorial:
apt-get install tinc
Basic Configuration
Once installed, you will need to navigate to /etc/tinc and create a subdirectory with any name. The newly created directory will contain all the necessary configuration files for our new private network.
The next step is to open /etc/tinc/nets.boot and add a new line containing the name of the newly created directory.
Next, create a Tinc configuration file named tinc.conf in the newly created directory. Open tinc.conf using your favorite text editor and add the following lines:
Name = Name-of-this-Machine
AddressFamily = any
Mode = switch
Interface = tap0
ConnectTo = Name-of-the-other-Machine
The contents of this file provide the Tinc daemon with the information it needs to establish the secure VPN connection between the current server and the other server you wish to connect to.
The next step is to create a new file named tinc-up, which assigns the proper address to our VPN interface:
#!/bin/sh
# tincd sets $INTERFACE to the name of the VPN interface (tap0 in our tinc.conf)
# when it runs this script; ip(8) is used throughout since net-tools/ifconfig
# is not installed by default on current Debian and Ubuntu releases.
ip link set "$INTERFACE" up
ip addr add 10.100.100.1/31 dev "$INTERFACE"
Since the interface needs to be shut down when Tinc stops, we also need to create a second file named tinc-down, which shuts down the VPN interface:
#!/bin/sh
# tincd runs this script on shutdown with $INTERFACE set as in tinc-up
ip link set "$INTERFACE" down
Note: The private IP address used in this tutorial is only an example; you can use any private subnet/IP you prefer.
Generating keyfiles
Tinc uses a rather secure scheme for creating the private and public keys used for authentication. Before we create the keys, we need to create a new directory named hosts; in this directory, we will create a new file named tinc.conf with the following lines in it:
Address = External IP of our server
Port = Unused Port for connection
Then, we can create the key files:
tincd -n NETWORK_NAME -K4092
Note: Replace NETWORK_NAME with the name of the folder you created in Basic Configuration.
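The steps above (network directory, nets.boot entry, tinc.conf, tinc-up, tinc-down and the host file) can be rendered from a handful of parameters and validated before anything is written. The script below is an added example and is not part of the original tutorial or of the Tinc project; the ROOT argument, the "demo" network, the node names, the documentation addresses and the port in the stand-alone run at the bottom are constructed placeholders, and on a real node ROOT is /etc/tinc. One fact it relies on: tincd looks up each host's file at hosts/<Name>, with Name as set in tinc.conf, and tincd -K appends the generated public key to that same file, which is why the host file here is written under the node's own name.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: render the per-node Tinc
# configuration described above into a network directory, validating inputs
# first. All values used in the stand-alone run at the bottom are constructed.

# Tinc accepts only letters, digits and underscores in node and network names.
valid_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Dotted-quad IPv4 address, optionally with a /prefix (used for the VPN address).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Port number in 1..65535.
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_node ROOT NET THIS_NAME PEER_NAME VPN_CIDR EXTERNAL_IP PORT
# Writes ROOT/NET/tinc.conf, tinc-up, tinc-down and hosts/THIS_NAME, and
# registers NET in ROOT/nets.boot. Key generation (tincd -n NET -K) is a
# separate step that appends the public key to hosts/THIS_NAME.
render_node() {
    root=$1 net=$2 me=$3 peer=$4 cidr=$5 ext=$6 port=$7
    valid_name "$net" && valid_name "$me" && valid_name "$peer" \
        || { echo "invalid network or node name" >&2; return 1; }
    valid_ipv4 "$cidr" || { echo "invalid VPN address: $cidr" >&2; return 1; }
    valid_ipv4 "$ext"  || { echo "invalid external address: $ext" >&2; return 1; }
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    dir="$root/$net"
    mkdir -p "$dir/hosts"

    cat > "$dir/tinc.conf" <<EOF
Name = $me
AddressFamily = any
Mode = switch
Interface = tap0
ConnectTo = $peer
EOF

    # The host file is named after Name; the peer needs a copy of it.
    cat > "$dir/hosts/$me" <<EOF
Address = $ext
Port = $port
EOF

    # tincd runs these hooks with the interface name in $INTERFACE and
    # needs them to be executable.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $cidr dev "\$INTERFACE"
EOF
    cat > "$dir/tinc-down" <<'EOF'
#!/bin/sh
ip link set "$INTERFACE" down
EOF
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"

    # Add NET to nets.boot exactly once so tincd starts it at boot.
    touch "$root/nets.boot"
    grep -qx "$net" "$root/nets.boot" || echo "$net" >> "$root/nets.boot"
}

# Stand-alone run against a throwaway directory (constructed values).
demo_root=$(mktemp -d)
render_node "$demo_root" demo nodeA nodeB 10.100.100.1/31 198.51.100.10 655 \
    && cat "$demo_root/demo/tinc.conf" "$demo_root/demo/hosts/nodeA"
```

Run it once per server with the two node names swapped and the other end of the /31 as the VPN address, then run tincd -n NET -K on each server as described above.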
Copying keyfiles
Assuming you configured your other server the same way as the one referenced in this tutorial, you will need to copy the host file from the current server to the other (destination) server.
Start
Once the key files are present on both servers, you can start Tinc using the following command:
tincd -n NETWORK_NAME
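Before starting the daemon it is worth confirming that the copy step actually produced a complete network directory: a missing or incomplete peer host file is the usual reason a first connection never comes up. The check below is an added example and not part of the original tutorial or of the Tinc project. It assumes the layout used above (tinc.conf with Name and ConnectTo, hosts/<Name> and hosts/<ConnectTo>, executable tinc-up and tinc-down) plus tincd's default private key path, rsa_key.priv, inside the network directory; it uses GNU stat as shipped on Debian/Ubuntu, and the sample directory built by make_sample is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-start check for a
# Tinc network directory. Pass /etc/tinc/<net> on a real node.

# conf_value FILE KEY -> prints the value of the first "KEY = value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# tinc_preflight NETDIR -> exit status 0 when everything tincd needs to
# start and authenticate the peer is present; each problem goes to stderr.
tinc_preflight() {
    dir=$1 problems=0
    [ -f "$dir/tinc.conf" ] || { echo "missing $dir/tinc.conf" >&2; return 1; }
    me=$(conf_value "$dir/tinc.conf" Name)
    peer=$(conf_value "$dir/tinc.conf" ConnectTo)
    [ -n "$me" ]   || { echo "tinc.conf has no Name" >&2; problems=$((problems+1)); }
    [ -n "$peer" ] || { echo "tinc.conf has no ConnectTo" >&2; problems=$((problems+1)); }

    # Own host file: tincd -K appends our public key to hosts/<Name>.
    [ -f "$dir/hosts/$me" ] \
        || { echo "own host file hosts/$me missing" >&2; problems=$((problems+1)); }

    # Peer host file: must have been copied over, and must carry the address,
    # port and public key tincd uses to reach and authenticate the peer.
    pf="$dir/hosts/$peer"
    if [ -f "$pf" ]; then
        [ -n "$(conf_value "$pf" Address)" ] \
            || { echo "hosts/$peer has no Address" >&2; problems=$((problems+1)); }
        [ -n "$(conf_value "$pf" Port)" ] \
            || { echo "hosts/$peer has no Port" >&2; problems=$((problems+1)); }
        grep -q 'BEGIN RSA PUBLIC KEY' "$pf" \
            || { echo "hosts/$peer has no public key" >&2; problems=$((problems+1)); }
    else
        echo "peer host file hosts/$peer missing" >&2; problems=$((problems+1))
    fi

    # Private key: must exist and be readable by its owner only.
    key="$dir/rsa_key.priv"
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key")   # GNU stat (Debian/Ubuntu coreutils)
        case "$mode" in
            *00) ;;
            *) echo "$key is group/world accessible (mode $mode)" >&2
               problems=$((problems+1)) ;;
        esac
    else
        echo "private key $key missing; run tincd -n <net> -K" >&2
        problems=$((problems+1))
    fi

    # Hook scripts must be executable for tincd to run them.
    for hook in tinc-up tinc-down; do
        [ -x "$dir/$hook" ] \
            || { echo "$hook missing or not executable" >&2; problems=$((problems+1)); }
    done
    [ "$problems" -eq 0 ]
}

# make_sample -> prints the path of a constructed, complete network directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/hosts"
    printf 'Name = nodeA\nConnectTo = nodeB\n' > "$d/tinc.conf"
    printf 'Address = 198.51.100.20\nPort = 655\n' > "$d/hosts/nodeA"
    printf 'Address = 198.51.100.10\nPort = 655\n-----BEGIN RSA PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' > "$d/hosts/nodeB"
    printf 'constructed placeholder, not a real key\n' > "$d/rsa_key.priv"
    chmod 600 "$d/rsa_key.priv"
    printf '#!/bin/sh\n' > "$d/tinc-up"
    cp "$d/tinc-up" "$d/tinc-down"
    chmod 755 "$d/tinc-up" "$d/tinc-down"
    echo "$d"
}

# Stand-alone run against the constructed sample.
sample=$(make_sample)
tinc_preflight "$sample" && echo "ready to start: tincd -n $(basename "$sample")"
```

Running tinc_preflight /etc/tinc/NETWORK_NAME on each server before tincd -n NETWORK_NAME turns a silent connection failure into a concrete list of what is still missing.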
Conclusion
Tinc is a very secure Layer 2 VPN daemon and performs rather well, especially in terms of bandwidth throughput and compression. Additionally, it features AES-256 encryption, which is a huge advantage.
This concludes our tutorial. Thank you for reading.