Added architecture section, made a start with the kernel section.

ToDo: install tinc myself to see if everything is as I say =)
Wessel Dankers 2000-07-01 07:29:32 +00:00
parent 8ec648abf4
commit 7fdc881b86


@ -21,7 +21,20 @@ outgoing network connection for both internet and intranet.
Architecture Architecture
------------ ------------
FIXME When a few Tinc daemons are running they will try to seek contact with
eachother. A daemon is all the time connected to a few other daemons,
but if traffic is required with a daemon it doesn't know yet, it will
instantly contact it and exchange keys. These so-called meta-connections
are made over TCP, using encryption of course.
When actual traffic has to be sent, a daemon checks his connection list to
see if the addressee is known (and makes contact with it if neccessary).
All packets are then sent using UDP to the other host, just like in a real
network. If a packet gets lost, the connection layer of Linux will resend
the packet, just like it would over a normal network.
Once in a while the daemons will renegotiate keys so that even if a cracker
breaks one, it'll be of limited use.
Getting Tinc Getting Tinc
------------ ------------
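Review bot: the sentence "If a packet gets lost, the connection layer of Linux will resend the packet" in this hunk is incorrect for the transport it describes: the hunk itself says data packets go over UDP, and UDP has no retransmission, so a lost tunnel packet is recovered only when the traffic carried inside the tunnel is itself TCP (the endpoints' TCP stacks resend it, exactly as they would over any lossy link). Suggest rewording to "tinc itself does not retransmit; a TCP connection running over the VPN recovers from loss on its own, just as it would on a real network". The leftover "FIXME" at the start of the paragraph will ship in the rendered HOWTO, and "eachother", "neccessary" and "his connection list" should read "each other", "necessary" and "its connection list". Lastly, "using encryption of course" and "exchange keys" say nothing about which cipher or key exchange the meta-connections use; a reader judging whether to trust the VPN needs at least a pointer to where that is documented.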
@ -54,7 +67,11 @@ The first will do the actual build, the second copies all files into place.
The kernel The kernel
---------- ----------
FIXME Next you will have to configure the kernel to support the tap device.
It is important that you run a recent kernel, but anything after 2.2.16
will do. You have to enable both the netlink device AND the ethertap
device (in that order). Enable them as modules!
Compile, install =) You don't even have to reboot.
Picking your numbers Picking your numbers
-------------------- --------------------
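Review bot: this paragraph also still begins with "FIXME", which will appear in the HOWTO. "Enable them as modules!" gives no reason; the reason is visible later in this same patch, where the hand-written startup script loads the driver with "insmod ethertap -s --name=tap0 unit=0", so say that the module build is what makes that step work (a monolithic build would need a different startup sequence). It would also help to give the two options by the names they carry in the kernel configuration menu, since "the netlink device" and "the ethertap device" are descriptions rather than option names, and "in that order" is hard to follow without them. "Compile, install =)" reads as chat rather than documentation; "Compile and install the kernel; when the drivers are built as modules no reboot is needed" says the same thing plainly.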
@ -87,17 +104,18 @@ It is very important that none of the Tinc netmasks overlap! Note how the
192.168.0/16 network covers the entire address space of the three hosts. 192.168.0/16 network covers the entire address space of the three hosts.
We will refer to the 192.168.0/16 network as the `umbrella' from now on. We will refer to the 192.168.0/16 network as the `umbrella' from now on.
As you can see we can fit 256 hosts into this umbrella this way, which is As you can see we can fit 256 hosts into this umbrella this way, which is
also the practical maximum for tinc. also the practical maximum for tinc. Let's name our VPN 'fubar'.
The configuration file The configuration file
---------------------- ----------------------
Let's create a configuration file for f00f. We have to put it in /etc/tinc, Let's create a configuration file for f00f. We have to put it in
unless you participate in multiple umbrella's (more on that later). /etc/tinc/fubar because that's how we named our VPN.
MyOwnVPNIP = 192.168.1.1/24 MyOwnVPNIP = 192.168.1.1/24
VpnMask = 255.255.0.0 VpnMask = 255.255.0.0
ConnectTo = 126.202.37.81 ConnectTo = 126.202.37.81
ConnectTo = 103.22.1.218 ConnectTo = 103.22.1.218
TapDevice = /dev/tap0
The first two lines tell Tinc about the numbers we have chosen above. The first two lines tell Tinc about the numbers we have chosen above.
Using the ConnectTo lines, the daemon will seek contact with the rest of Using the ConnectTo lines, the daemon will seek contact with the rest of
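Review bot: the hunk replaces "unless you participate in multiple umbrella's (more on that later)" with "/etc/tinc/fubar because that's how we named our VPN", but neither the old nor the new text names the file inside that directory into which the five lines go; state the file name so the reader knows what to create. The newly added "TapDevice = /dev/tap0" line is not covered by "The first two lines tell Tinc about the numbers we have chosen above" and the ConnectTo explanation that follows; it is only explained in the next hunk, so a short "the last line is explained below" here would keep the listing and its description in step. Minor: "Let's name our VPN 'fubar'." is appended to the "Picking your numbers" paragraph about how many hosts fit in the umbrella; it belongs as its own sentence at the start of "The configuration file", where the name is first used.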
@ -105,29 +123,53 @@ the umbrella. It's possible to configure any number of ConnectTo lines,
you can even omit them so that it just sits and waits until someone else you can even omit them so that it just sits and waits until someone else
contacts it. Until someone does, the poor daemon won't be able to send contacts it. Until someone does, the poor daemon won't be able to send
any data because it doesn't know where everybody is. any data because it doesn't know where everybody is.
The TapDevice is where the tinc daemon will interface with the kernel.
The passphrases The passphrases
--------------- ---------------
We will have to generate keys for ourselves, and get a key from everybody We will have to generate keys for ourselves, and get a key from everybody
we want to ConnectTo. All of these go into a directory named we want to ConnectTo. All of these go into a directory named
/etc/tinc/passphrases. PROTECT THIS DIRECTORY! /etc/tinc/fubar/passphrases. PROTECT THIS DIRECTORY!
mkdir -m 700 /etc/tinc/passphrases mkdir -m 700 /etc/tinc/fubar/passphrases
To generate our own key: To generate our own key:
genauth 1024 >/etc/tinc/passphrases/local genauth 1024 >/etc/tinc/fubar/passphrases/local
You should then proceed to give this key to anyone who wants to ConnectTo You should then proceed to give this key to anyone who wants to ConnectTo
you. DO THIS IN A SECURE MANNER! Anyone who has this number can do icky you. DO THIS IN A SECURE MANNER! Anyone who has this number can do icky
things to the umbrella network! Encrypt it using PGP, GPG or another things to the umbrella network! Encrypt it using PGP, GPG or another
program using asymetric keys. Read it over the phone (without anyone program using asymmetric keys. Read it over the phone (without anyone
listening of course). Send it by snailmail. Write the key down and bring listening of course). Send it by snailmail. Write the key down and bring
it to your partners yourself! it to your partners personally!
If you get any keys from your partners, store them under their network If you get any keys from your partners, store them under their network
number. For example, the key we get from fdiv's network administrator number. For example, the key we get from fdiv's network administrator
will be stored in /etc/tinc/passphrases/192.168.2.0 (note the 0). will be stored in /etc/tinc/fubar/passphrases/192.168.2.0 (note the 0).
Running the daemon
------------------
If you use a package manager to install Tinc, the startup scripts use a file
called /etc/tinc/nets.boot to see which umbrella's exist. It has a line
per VPN, and lines starting with a # are ignored. Ours will contain:
# Example VPN from the HOWTO
fubar
In Debian, /etc/init.d/tinc start will start the daemons.
If you use Doohickey Linux just like we do, you'll have to edit the systems
startup scripts by hand. It should contain something along the lines of:
insmod ethertap -s --name=tap0 unit=0
ifconfig tap0 hw ether fe:fd:c0:a8:01:01
ifconfig tap0 192.168.1.1 netmask 255.255.0.0 broadcast 192.168.255.255 -arp
There are two things to note here! First, the MAC address of the ethertap
device is very important. It must start with fe:fd, and end in the
hexadecimal representation of the VPN IP number.
Second, the netmask of the tap device is set to that of the umbrella!
-- --
$Id: HOWTO,v 1.2.2.2 2000/06/30 21:16:52 wsl Exp $ $Id: HOWTO,v 1.2.2.3 2000/07/01 07:29:32 wsl Exp $
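Review bot: "mkdir -m 700 /etc/tinc/fubar/passphrases" protects the directory, but "genauth 1024 >/etc/tinc/fubar/passphrases/local" creates the key file with the caller's default umask, so under the common umask 022 the secret itself is world-readable and is shielded only by the directory mode; a single misplaced chmod on the directory then exposes it. Suggest a "umask 077" before the genauth line, or a "chmod 600 /etc/tinc/fubar/passphrases/local" right after it, and the same treatment for the partner keys stored as /etc/tinc/fubar/passphrases/192.168.2.0. Two smaller points: "umbrella's" in the nets.boot paragraph should be "umbrellas", and that paragraph should say that /etc/tinc/nets.boot sits above the per-VPN directories and is shared by all VPNs, since a reader who has just created /etc/tinc/fubar may look for it there. The MAC address rule is consistent with the example (fe:fd:c0:a8:01:01 is fe:fd followed by 192.168.1.1 written in hex), which is good; spelling out that derivation in the text would let readers check their own address.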