How do I use Tinc to create a mesh network of two different VPNs on the same server? Is it possible to create multiple VPN tunnels between two hosts using the tinc VPN software?
Tinc is a fabulous, mesh-based VPN. It can be used to build a secure, encrypted VLAN over the internet, over an insecure LAN, or between two cloud instances.
From the official docs:
In order to allow you to run more than one tinc daemon on one computer, for instance if your computer is part of more than one VPN, you can assign a netname to your VPN. It is not required if you only run one tinc daemon, it doesn’t even have to be the same on all the sites of your VPN, but it is recommended that you choose one anyway.
We will assume you use a netname throughout this document. This means that you call tincd with the -n argument, which will assign a netname to this daemon. The effect of this is that the daemon will set its configuration root to /etc/tinc/netname/, where netname is your argument to the -n option. You’ll notice that it appears in syslog as tinc.netname.
However, it is not strictly necessary that you call tinc with the -n option. In this case, the network name would just be empty, and it will be used as such. tinc now looks for files in /etc/tinc/, instead of /etc/tinc/netname/; the configuration file should be /etc/tinc/tinc.conf, and the host configuration files are now expected to be in /etc/tinc/hosts/.
But it is highly recommended that you use this feature of tinc, because it will be so much clearer whom your daemon talks to. Hence, we will assume that you use it.
Following my tinc configuration instructions, provision two separate tinc VPNs named vpn0 and vpn1. Say you have two VPNs under /etc/tinc on serverA, each with its own subnet. The only difference between the two configurations is that you must define a distinct Port for each VPN, because two daemons on the same host cannot both listen on the same port. For example, vpn0 will use port 655 and vpn1 will use port 656.
VPN #1: /etc/tinc/vpn0/ – 172.16.1.1/32
First, define Port in /etc/tinc/vpn0/tinc.conf:
Name = serverA
Device = /dev/net/tun
BindToAddress = 192.168.4.5
AddressFamily = ipv4
Port = 655
Next, update the /etc/tinc/vpn0/hosts/serverA and /etc/tinc/vpn0/hosts/serverB files to include the port number:
$ cat /etc/tinc/vpn0/hosts/serverA
Address = 192.168.4.5
Subnet = 172.16.1.1/32
Port = 655
-----BEGIN RSA PUBLIC KEY-----
..... ... your random key here ....
-----END RSA PUBLIC KEY-----
$ cat /etc/tinc/vpn0/hosts/serverB
Subnet = 172.16.1.2/32
Port = 655
-----BEGIN RSA PUBLIC KEY-----
..... ... your random key here ....
-----END RSA PUBLIC KEY-----
VPN #2: /etc/tinc/vpn1/ – 172.16.2.1/32
First, define Port in /etc/tinc/vpn1/tinc.conf:
Name = serverA
Device = /dev/net/tun
BindToAddress = 192.168.4.5
AddressFamily = ipv4
Port = 656
Next, update the /etc/tinc/vpn1/hosts/serverA and /etc/tinc/vpn1/hosts/serverB files to include the port number (note that vpn1 uses the 172.16.2.x subnet, not vpn0's 172.16.1.x):
$ cat /etc/tinc/vpn1/hosts/serverA
Address = 192.168.4.5
Subnet = 172.16.2.1/32
Port = 656
-----BEGIN RSA PUBLIC KEY-----
..... ... your random key here ....
-----END RSA PUBLIC KEY-----
$ cat /etc/tinc/vpn1/hosts/serverB
Subnet = 172.16.2.2/32
Port = 656
-----BEGIN RSA PUBLIC KEY-----
..... ... your random key here ....
-----END RSA PUBLIC KEY-----
In short, you need to define a distinct port for each additional VPN on the same server. Once done, update /etc/tinc/nets.boot to include both vpn0 and vpn1:
$ cat /etc/tinc/nets.boot
## This file contains all names of the networks to be started on system startup.
vpn0
vpn1
Restart tinc on both servers, then verify the routes, interfaces and connectivity:
$ systemctl restart tinc
$ ip r
$ ip a
$ ping ip-of-clientB
$ ping ip-of-serverA
$ ping ip-of-clientA
$ ping ip-of-serverB
Make sure you update your firewall rule set to allow both port numbers, i.e. 655 and 656 (tinc uses both TCP and UDP on its port, so allow both protocols).
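As an added example (not from the original article or the tinc project), here is a POSIX shell pre-flight check that walks a tinc configuration root such as /etc/tinc, confirms that every netname's tinc.conf carries its own Port, and that each file under hosts/ advertises the same Port as its daemon; the function names, the sample tree and the temporary directories are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check that every
# tinc netname under a config root uses its own Port and that every host file
# under <netname>/hosts/ advertises the same Port as that netname's tinc.conf.
# Exit status 0 when consistent, 1 otherwise (e.g. check_tinc_ports /etc/tinc).

# Print the value of a "Key = value" line from a tinc config file (first match).
tinc_get() {  # tinc_get <file> <Key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

check_tinc_ports() {  # check_tinc_ports <config root such as /etc/tinc>
    root=$1; seen=""; status=0
    for conf in "$root"/*/tinc.conf; do
        [ -f "$conf" ] || continue
        net=$(basename "$(dirname "$conf")")
        port=$(tinc_get "$conf" Port)
        if [ -z "$port" ]; then
            echo "ERROR: $net: no Port in tinc.conf; two daemons cannot both take the default 655"
            status=1; continue
        fi
        case " $seen " in
            *" $port "*) echo "ERROR: $net: Port $port is already used by another netname"; status=1 ;;
        esac
        seen="$seen $port"
        # Peers connect to the port in the host file, so it must match this daemon's Port.
        for host in "$root/$net"/hosts/*; do
            [ -f "$host" ] || continue
            hport=$(tinc_get "$host" Port)
            if [ "$hport" != "$port" ]; then
                echo "ERROR: $host: Port '$hport' differs from $net/tinc.conf Port $port"; status=1
            fi
        done
    done
    return $status
}

# Constructed sample trees (placeholder values, no real keys) to demonstrate the check.
make_sample() {  # make_sample <dir> <vpn0 port> <vpn1 port>
    mkdir -p "$1/vpn0/hosts" "$1/vpn1/hosts"
    printf 'Name = serverA\nPort = %s\n' "$2" > "$1/vpn0/tinc.conf"
    printf 'Address = 192.168.4.5\nSubnet = 172.16.1.1/32\nPort = %s\n' "$2" > "$1/vpn0/hosts/serverA"
    printf 'Subnet = 172.16.1.2/32\nPort = %s\n' "$2" > "$1/vpn0/hosts/serverB"
    printf 'Name = serverA\nPort = %s\n' "$3" > "$1/vpn1/tinc.conf"
    printf 'Address = 192.168.4.5\nSubnet = 172.16.2.1/32\nPort = %s\n' "$3" > "$1/vpn1/hosts/serverA"
    printf 'Subnet = 172.16.2.2/32\nPort = %s\n' "$3" > "$1/vpn1/hosts/serverB"
}
GOOD=$(mktemp -d); make_sample "$GOOD" 655 656   # distinct ports: check passes
BAD=$(mktemp -d);  make_sample "$BAD"  655 655   # both daemons on 655: check fails
check_tinc_ports "$GOOD" && echo "$GOOD: OK"; check_tinc_ports "$BAD" || echo "$BAD: FAIL"
```

Run it against the real /etc/tinc before restarting the daemons; a port clash or a host file still carrying the old port shows up as an ERROR line rather than as a silent connection failure.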