infra-role-tinc/tasks
Latest commit bca648485d by Jakub Sokołowski, 2020-12-01 13:35:39 +01:00:
  don't specify pip3 path explicitly
  Signed-off-by: Jakub Sokołowski <jakub@status.im>
File          Last commit message                                        Date
README.md     add the role itself                                        2019-01-19 20:47:48 +01:00
config.yml    replace cron job with a systemd timer                      2020-11-24 11:39:28 +01:00
consul.yml    fix permissions on consul service definition file          2020-09-09 22:38:42 +02:00
firewall.yml  add tinc_allow_incoming to stop opening firewall too much  2020-11-27 15:18:33 +01:00
health.yml    fix tags to fit new separate role                          2019-01-21 10:53:24 +01:00
install.yml   don't specify pip3 path explicitly                         2020-12-01 13:35:39 +01:00
main.yml      replace cron job with a systemd timer                      2020-11-24 11:39:28 +01:00
service.yml   add explicit enabling and restarting of tinc service       2019-02-18 13:33:36 +01:00
timer.yml     replace cron job with a systemd timer                      2020-11-24 11:39:28 +01:00

README.md

Description

Tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts. Each host has its own public/private key pair, which is used to authenticate it to its peers and to encrypt the traffic between them.

Setup

Here are the core files defining the setup of the status.im network:

  • /etc/tinc/status.im/ - Network configuration dir.
  • /etc/tinc/status.im/hosts/ - Contains config files for all connected hosts.
  • /etc/tinc/status.im/tinc.conf - Main network configuration.
  • /etc/tinc/status.im/tinc-ip - VPN IP address of the local Tinc peer.
  • /etc/tinc/status.im/tinc-up - Script for creating the tun0 interface.
  • /etc/tinc/status.im/tinc-down - Script for destroying the tun0 interface.
  • /etc/tinc/status.im/tinc-refresh - Core script which configures the network.

Refresh

In order to stay up-to-date with the rest of the network each Tinc peer has to know about all of the hosts in the network and their public keys.

To achieve that we run the /etc/tinc/status.im/tinc-refresh script, which does the following:

  1. Queries the Consul catalog for all Tinc peers across all DCs.
  2. OPTIONAL: Assigns the current peer an address in the hosts dir and tinc-up.
  3. Generates the tinc-ip file to store the peer's VPN IP address.
  4. Generates the tinc.conf file to update the list of peers.
  5. Generates one file per peer in the hosts dir containing its public IP address, its VPN IP address and its public key.
  6. Updates the /etc/hosts file with the peers' hostnames carrying the .tinc suffix.

This process is repeated periodically. It was originally scheduled every 30 minutes via a cron job; the role's timer.yml now schedules it with a systemd timer instead (see the "replace cron job with a systemd timer" commit in the file listing above).

Usage

In order to allow easy usage of this VPN network all peers have a Consul service configured. It can be read from the local agent's TLS API, presenting the client certificate from /certs (the -k flag only skips verification of the local agent's own server certificate):

curl -sk https://localhost:8400/v1/catalog/service/tinc --cert /certs/consul-client.crt --key /certs/consul-client.key | jq '.[0]'
{
  "Address": "35.202.99.224",
  "Datacenter": "gc-us-central1-a",
  "TaggedAddresses": {
    "lan": "35.202.99.224",
    "wan": "35.202.99.224"
  },
  "NodeMeta": {
    "env": "eth",
    "stage": "beta"
  },
  "ServiceID": "tinc",
  "ServiceName": "tinc",
  "ServiceTags": [
    "vpn"
  ],
  "ServiceMeta": {
    "tinc_address": "10.2.0.6",
    "tinc_pub_key": "\n-----BEGIN RSA PUBLIC KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END RSA PUBLIC KEY-----\n"
  },
  "ServicePort": 655
}

Using the tinc_address and tinc_pub_key metadata from the catalog, the tinc-refresh script can generate configuration that connects all the known hosts via VPN. Note what this implies: tinc-refresh installs whatever public key the catalog publishes for a peer, so the Consul catalog is the trust anchor of the network, and anyone able to register or modify a tinc service in Consul can introduce a key that every other peer will accept. Access to the catalog therefore has to be restricted as tightly as access to the tinc keys themselves (here it is only reachable over TLS with a client certificate).
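The following is an added example, not the role's own tinc-refresh script, of walking the refresh steps above (tinc-ip, tinc.conf, one hosts/ file per peer and the .tinc entries for /etc/hosts) over catalog data of the shape shown in the Usage section. The three sample entries are constructed, the Node field, the hyphen/dot-to-underscore mapping of Consul node names to tinc names and the marker comments in /etc/hosts are assumptions, and the Mode/Interface settings are illustrative. The part worth copying is the validation: every catalog value that lands in a config file is checked first, because tinc.conf and the hosts files are newline-delimited and the tinc name doubles as a file name, so an unchecked value could inject directives or escape the hosts directory.

```python
"""Render tinc network configuration from Consul catalog entries (added example)."""
import ipaddress
import re
from dataclasses import dataclass

TINC_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")  # tinc allows nothing else in node names
PEM_RE = re.compile(
    r"^-----BEGIN (RSA )?PUBLIC KEY-----\n[A-Za-z0-9+/=\n]+-----END (RSA )?PUBLIC KEY-----$"
)
HOSTS_BEGIN, HOSTS_END = "# BEGIN tinc (managed)", "# END tinc (managed)"  # assumed markers


def _key(blob: str) -> str:
    """Dummy PEM block in the same shape as tinc_pub_key above (not a real key)."""
    return f"\n-----BEGIN RSA PUBLIC KEY-----\n{blob}\n-----END RSA PUBLIC KEY-----\n"


# Constructed sample: three peers in two DCs; the Node field is assumed to exist.
SAMPLE_CATALOG = [
    {"Node": "node-01.gc-us-central1-a.eth.beta", "Address": "35.202.99.224",
     "Datacenter": "gc-us-central1-a", "ServicePort": 655,
     "ServiceMeta": {"tinc_address": "10.2.0.6", "tinc_pub_key": _key("AAAA")}},
    {"Node": "node-02.gc-us-central1-a.eth.beta", "Address": "35.202.99.225",
     "Datacenter": "gc-us-central1-a", "ServicePort": 655,
     "ServiceMeta": {"tinc_address": "10.2.0.7", "tinc_pub_key": _key("BBBB")}},
    {"Node": "node-01.do-ams3.eth.beta", "Address": "167.99.209.10",
     "Datacenter": "do-ams3", "ServicePort": 655,
     "ServiceMeta": {"tinc_address": "10.1.0.2", "tinc_pub_key": _key("CCCC")}},
]


@dataclass(frozen=True)
class Peer:
    node: str      # Consul node name, used for the .tinc entry in /etc/hosts
    name: str      # tinc node name, used in tinc.conf and as the hosts/ file name
    address: str   # public IP the peer listens on
    vpn_ip: str    # address on the tinc network
    port: int
    pub_key: str   # PEM block as published in ServiceMeta


def tinc_name(node: str) -> str:
    """Map a Consul node name to a tinc name. Anything outside [A-Za-z0-9_] is
    rejected rather than written, since the name becomes a path under hosts/."""
    name = node.replace("-", "_").replace(".", "_")
    if not TINC_NAME_RE.fullmatch(name):
        raise ValueError(f"unusable node name {node!r}")
    return name


def parse_peers(catalog: list) -> list:
    """Validate catalog entries into Peers; IPs are parsed, keys must be PEM."""
    peers = []
    for entry in catalog:
        meta = entry["ServiceMeta"]
        key = meta["tinc_pub_key"].strip()
        if not PEM_RE.fullmatch(key):
            raise ValueError(f"malformed tinc_pub_key for {entry['Node']!r}")
        peers.append(Peer(
            node=entry["Node"],
            name=tinc_name(entry["Node"]),
            address=str(ipaddress.ip_address(entry["Address"])),   # raises on junk
            vpn_ip=str(ipaddress.ip_address(meta["tinc_address"])),
            port=int(entry["ServicePort"]),
            pub_key=key,
        ))
    return sorted(peers, key=lambda p: p.name)


def render_tinc_conf(local: Peer, peers: list) -> str:
    lines = [f"Name = {local.name}", "Interface = tun0", "Mode = router"]
    lines += [f"ConnectTo = {p.name}" for p in peers if p.name != local.name]
    return "\n".join(lines) + "\n"


def render_host_file(peer: Peer) -> str:
    return (f"Address = {peer.address}\nPort = {peer.port}\n"
            f"Subnet = {peer.vpn_ip}/32\n\n{peer.pub_key}\n")


def render_etc_hosts(existing: str, peers: list) -> str:
    """Replace only the managed block, so hand-edited /etc/hosts lines survive."""
    kept, skipping = [], False
    for line in existing.splitlines():
        if line == HOSTS_BEGIN:
            skipping = True
        elif line == HOSTS_END:
            skipping = False
        elif not skipping:
            kept.append(line)
    managed = [HOSTS_BEGIN] + [f"{p.vpn_ip} {p.node}.tinc" for p in peers] + [HOSTS_END]
    return "\n".join(kept + managed) + "\n"


def render_network(local_node: str, catalog: list) -> dict:
    """Return {path relative to /etc/tinc/<network>/: content} for the local peer."""
    peers = parse_peers(catalog)
    local = next(p for p in peers if p.node == local_node)
    files = {"tinc.conf": render_tinc_conf(local, peers), "tinc-ip": local.vpn_ip + "\n"}
    for p in peers:
        files[f"hosts/{p.name}"] = render_host_file(p)
    return files


if __name__ == "__main__":
    for path, body in render_network("node-01.do-ams3.eth.beta", SAMPLE_CATALOG).items():
        print(f"=== {path}\n{body}")
```

Because parse_peers validates before anything is rendered, a single malformed or hostile catalog entry aborts the whole refresh instead of leaving a half-written configuration; a real script would log which entry failed and keep the previous files in place.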