tinc is a great mesh Virtual Private Network daemon, with just one little glitch (and also some little crypto problems ;-). I find its configuration really tedious and complicated compared to OpenVPN and its possibility to centrally assign IP addresses and push options to clients. I know, that’s the tax for being mesh, but wouldn’t it be great to configure your mesh network a bit centrally ?
And there comes my ansible playbook, that can do something like that. It generates complete tinc configuration for each node in network, and additionally, it can also deploy configuration to nodes that are reachable via ssh. All you need to do is to write one simple hosts file in /etc/tinc.
$ cat /etc/tinc/hosts [vpn1] gw1 ansible_ssh_host=vpn-host1 tinc_ip=172.16.100.1 tinc_hostname=gw1.in.domaim gw2 ansible_connection=local tinc_ip=172.16.100.2 tinc_hostname=gw2.in.domain tinc_remote=gw2.some-dynamic-dns.org tinc_subnet='["172.16.100.2/32","192.168.11.0/24"]' gw3 ansible_ssh_host=vpn-host3 tinc_ip=172.16.100.18 tinc_hostname=gw3.in.domain tinc_subnet='172.16.100.16/29' tinc_port=1655 client1 ansible_connection=local tinc_ip=172.16.100.10 tinc_hostname=client1.in.domain client2 ansible_connection=local tinc_ip=172.16.100.11 tinc_hostname=client2.in.domaim os_family=Android tinc_connect='["gw1","gw2"]' [vpn2] ...
And start ansible for selected network
$ ansible-playbook site.yml -e netname=vpn1
When successfully finished, tinc network on reachable hosts (with ssh access) should be up and running, and for all other nodes (clients), there will be a generated config in /etc/tinc/netname/config.
Btw. I made a little performance performance testing with nttcp tool, and tinc seems to be up to 30% faster compared to OpenVPN, on the same hardware. So it is faster, and additionally its mesh topology avoids unnecessary packet round trips. Not that bad…