Ansible role for Tinc VPN mesh network
Jakub Sokołowski df046b1891
readme: add legacy repo warning
Signed-off-by: Jakub Sokołowski <jakub@status.im>
2021-05-25 16:06:40 +02:00

README.md

⚠️ WARNING: This repository was made obsolete by infra-role-wireguard.

Description

Tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts. Each host has its own public and private key pair, which is used to authenticate it and to encrypt the traffic.

WARNING: This role assumes that Consul is available under localhost:8500.

Setup

Here are the core files defining the setup of the status.im network:

  • /etc/tinc/status.im/ - Network configuration dir.
  • /etc/tinc/status.im/hosts/ - Contains config files for all connected hosts.
  • /etc/tinc/status.im/tinc.conf - Main network configuration.
  • /etc/tinc/status.im/tinc-ip - VPN IP address of the local Tinc peer.
  • /etc/tinc/status.im/tinc-up - Script for creating the tun0 interface.
  • /etc/tinc/status.im/tinc-down - Script for destroying the tun0 interface.
  • /etc/tinc/status.im/tinc-refresh - Core script which configures the network.

Refresh

In order to stay up-to-date with the rest of the network the Tinc server has to know about all of the hosts in the network and their public keys.

To achieve that we run the /etc/tinc/status.im/tinc-refresh script which does the following:

  1. Queries the Consul catalog for all Tinc peers across all DCs.
  2. OPTIONAL: Assigns the current peer an address in the hosts dir and tinc-up.
  3. Generates the tinc-ip file to store the peer VPN IP address.
  4. Generates the tinc.conf file to update the list of peers.
  5. Generates the files in hosts dir with public and VIP IP addresses and public key.
  6. Updates the /etc/hosts file with hostnames carrying the .tinc suffix.

This process is configured to be repeated hourly via a systemd timer.

Usage

In order to allow easy usage of this VPN network all peers have a Consul service configured:

curl -sk https://localhost:8400/v1/catalog/service/tinc --cert /certs/consul-client.crt --key /certs/consul-client.key  | jq '.[0]'
{
  "Address": "35.202.99.224",
  "Datacenter": "gc-us-central1-a",
  "TaggedAddresses": {
    "lan": "35.202.99.224",
    "wan": "35.202.99.224"
  },
  "NodeMeta": {
    "env": "eth",
    "stage": "beta"
  },
  "ServiceID": "tinc",
  "ServiceName": "tinc",
  "ServiceTags": [
    "vpn"
  ],
  "ServiceMeta": {
    "tinc_address": "10.2.0.6",
    "tinc_pub_key": "\n-----BEGIN RSA PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END RSA PUBLIC KEY-----\n"
  },
  "ServicePort": 655
}

Using the tinc_address and tinc_pub_key values from each peer's ServiceMeta in the catalog, the tinc-refresh script can generate the configuration that connects all the known hosts via the VPN.
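The generation step described above, as an added example that is not the role's own tinc-refresh script: given a Consul catalog response of the shape shown, it validates each peer's metadata, then renders the hosts/ file, the tinc.conf with its ConnectTo lines, and the /etc/hosts entries with the .tinc suffix. The peer entries are constructed, and valid_peers, tinc_name, host_file, tinc_conf and etc_hosts_lines are helper names chosen here.

```python
import ipaddress
import re

# Constructed sample catalog: the fields tinc-refresh uses, plus one bad entry.
CATALOG = [
    {"Node": "node-01", "Address": "35.202.99.224", "ServicePort": 655,
     "ServiceMeta": {"tinc_address": "10.2.0.6",
                     "tinc_pub_key": "\n-----BEGIN RSA PUBLIC KEY-----\nAAAA\n-----END RSA PUBLIC KEY-----\n"}},
    {"Node": "node-02", "Address": "203.0.113.10", "ServicePort": 655,
     "ServiceMeta": {"tinc_address": "10.2.0.7",
                     "tinc_pub_key": "\n-----BEGIN RSA PUBLIC KEY-----\nBBBB\n-----END RSA PUBLIC KEY-----\n"}},
    {"Node": "node-03", "Address": "203.0.113.11", "ServicePort": 655,
     "ServiceMeta": {"tinc_address": "not-an-ip", "tinc_pub_key": ""}},
]
KEY_HEAD, KEY_TAIL = "-----BEGIN RSA PUBLIC KEY-----", "-----END RSA PUBLIC KEY-----"

def valid_peers(catalog):
    """Keep only entries whose metadata yields a sane host file; Consul metadata
    is untrusted input, so a bogus address or key must not reach tinc's config."""
    good = []
    for entry in catalog:
        meta = entry.get("ServiceMeta", {})
        key = meta.get("tinc_pub_key", "").strip()
        try:
            ipaddress.IPv4Address(meta.get("tinc_address", ""))
        except ValueError:
            continue
        if key.startswith(KEY_HEAD) and key.endswith(KEY_TAIL):
            good.append(entry)
    return good

def tinc_name(node):
    # tinc host names may only contain letters, digits and underscores.
    return re.sub(r"[^A-Za-z0-9_]", "_", node)

def host_file(entry):
    """Content of hosts/<name>: public endpoint, VPN subnet and public key."""
    meta = entry["ServiceMeta"]
    return (f"Address = {entry['Address']} {entry['ServicePort']}\n"
            f"Subnet = {meta['tinc_address']}/32\n{meta['tinc_pub_key'].strip()}\n")

def tinc_conf(local_node, peers, interface="tun0"):
    """tinc.conf for local_node with one ConnectTo line per other peer."""
    lines = [f"Name = {tinc_name(local_node)}", f"Interface = {interface}", "Port = 655"]
    lines += [f"ConnectTo = {tinc_name(p['Node'])}" for p in peers if p["Node"] != local_node]
    return "\n".join(lines) + "\n"

def etc_hosts_lines(peers):
    """/etc/hosts entries mapping <node>.tinc to the peer's VPN address."""
    return [f"{p['ServiceMeta']['tinc_address']} {p['Node']}.tinc" for p in peers]
```

The node-03 entry is dropped by valid_peers, so a peer that publishes malformed metadata cannot corrupt the generated tinc.conf or hosts/ files of every other node in the mesh.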