Friday, August 11, 2017

Using tinc VPN for linking up a Linux data cluster with static IPv6 addresses

10 years ago, I wrote this tutorial on how to use tinc to create a basic IPv6 network between multiple sites. I followed up on that work with a more robust network, documented on my own website, which frankly could use some updating. At least one person has made a cleaned-up variant.

Over the past four years since leaving the employer where I built that network, the acceptance and use of tinc and/or IPv6 has been rather mixed. However, I think I've found a use case for that past research: data clusters. In fact, another person (and another person as well) seems to have had a similar thought for their own needs. It also helps that most applications have full IPv6 support now, something that was barely in place 10 years ago.

Installation

CentOS/RHEL 7.x: yum install tinc ; you'll need to edit the iptables and ip6tables files in /etc/sysconfig , or use a firewalld command, to allow TCP and UDP on port 655.

Debian/Ubuntu: grab the latest tinc-1.0.x .deb from somewhere like Ubuntu Packages. It's also possible that apt install tinc will get you a new-enough version. You'll also need to run ufw allow 655/tcp && ufw allow 655/udp if you're using Uncomplicated Firewall.

Configuration

We're going to call this network "privatelan", and assume you're using sudo / root to do this work. For editing, make sure you have nano, vi, etc. installed.
  1. mkdir -p -m 0700 /etc/tinc/privatelan/hosts
  2. In the past, you needed to edit /etc/tinc/nets.boot ; if you're using systemd, go ahead and delete it. Otherwise, edit it so that it contains privatelan on a line of its own.
  3. If ls /etc/init.d/tinc* finds a file and you're using systemd, you'll need the systemd unit files. Download both .service files and copy them to /etc/systemd/system .
  4. Pick out / assign a ULA for this. You can use a ULA generator to pick a /64.
  5. Create and edit /etc/tinc/privatelan/tinc.conf , /etc/tinc/privatelan/tinc-up , and /etc/tinc/privatelan/tinc-down .
  6. chmod u+x /etc/tinc/privatelan/tinc-*
  7. tincd -n privatelan -K generates a private key and creates a host file in /etc/tinc/privatelan/hosts . Optionally, you can edit that new host file to add Compression=# (the number being 1-11, with 1-9 being gzip and 10-11 LZO).
  8. The master node needs a copy of the host file from every member system; those are copied into /etc/tinc/privatelan/hosts .
  9. All client nodes need a copy of the master node's host file. That file has to have a line like Address=(DNS/IP) near the top so that clients can find the master.
  10. When a node is ready, run systemctl enable tinc@privatelan && systemctl restart tinc@privatelan ; check your distro's documentation if you're not using systemd.
  11. Either add your new IPv6 addresses to your local DNS, or populate them as a batch in /etc/hosts .
  12. When in doubt, read the docs! Thanks!
  13. Added: on CentOS / RHEL systems, you may need to make sure SELinux isn't blocking anything, by running audit2allow -a .

Config files


tinc.conf

# Must match the name of this host's file under hosts/
Name=node
Device=/dev/net/tun
Interface=privatelan
# Switch mode: the VPN behaves like a Layer 2 Ethernet switch
Mode=switch
# Comment out the next line on the master node
ConnectTo=master

tinc-up

#!/bin/sh
# 1280 is the minimum MTU every IPv6 link must support, a safe value for a tunnel
ip link set privatelan mtu 1280 qlen 4096 up
# One address per node inside the chosen /64 (an IPv6 address can contain only one "::")
ip -6 address add 2001:db8:beef:1::1/64 dev privatelan

tinc-down

#!/bin/sh
# Undo tinc-up: remove the node's address, then bring the interface down
ip -6 address del 2001:db8:beef:1::1/64 dev privatelan
ip link set privatelan down

hosts/node

# Where other nodes can reach this host; required in the master's host file
Address=192.0.2.200
Compression=10
# The public key block is appended below by "tincd -n privatelan -K"
===SSHkey===
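As an added example (not code from the original post), here is a POSIX shell function that writes the tinc.conf, tinc-up, tinc-down and master host file described above for one node, following steps 1, 5, 6 and 9. It assumes four inputs (node Name, the first four hextets of the ULA /64, the node's host number inside that /64, and the master's reachable Address) plus an assumed TINC_ROOT variable that defaults to /etc/tinc and can point at a scratch directory for a dry run; it also rejects a prefix that already contains "::", which is the mistake that produces an invalid address with two "::" in tinc-up.

```shell
#!/bin/sh
# Added example, not from the original post: write the per-node files for
# the "privatelan" network. TINC_ROOT (assumed) defaults to /etc/tinc.
gen_privatelan() {
    name=$1; prefix=$2; index=$3; master_addr=$4
    net="${TINC_ROOT:-/etc/tinc}/privatelan"
    # The address is built as <prefix>::<index>, so the prefix itself must
    # not contain "::" or the result would hold two of them and be invalid.
    case $prefix in
        *::*|"") echo "prefix must be the ULA's first four hextets" >&2; return 1 ;;
    esac
    addr="$prefix::$index/64"
    mkdir -p -m 0700 "$net/hosts"
    {
        printf 'Name=%s\n' "$name"
        printf 'Device=/dev/net/tun\n'
        printf 'Interface=privatelan\n'
        printf 'Mode=switch\n'
        # Only member nodes dial out; the master waits for inbound connections.
        [ "$name" = master ] || printf 'ConnectTo=master\n'
    } > "$net/tinc.conf"
    {
        printf '#!/bin/sh\n'
        printf 'ip link set privatelan mtu 1280 qlen 4096 up\n'
        printf 'ip -6 address add %s dev privatelan\n' "$addr"
    } > "$net/tinc-up"
    {
        printf '#!/bin/sh\n'
        printf 'ip -6 address del %s dev privatelan\n' "$addr"
        printf 'ip link set privatelan down\n'
    } > "$net/tinc-down"
    chmod u+x "$net/tinc-up" "$net/tinc-down"
    # On the master, pre-seed its own host file with the Address line so
    # that "tincd -n privatelan -K" appends the public key below it;
    # members instead receive a copy of that finished file (step 9).
    if [ "$name" = master ]; then
        printf 'Address=%s\n' "$master_addr" > "$net/hosts/master"
    fi
    echo "$addr"
}
```

Run "tincd -n privatelan -K" afterwards on each node to generate its key and host file, then exchange host files as steps 8 and 9 describe.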
