TINC VPN config generator

tinc is a great mesh Virtual Private Network daemon, with just one little glitch (and also some little crypto problems ;-): I find its configuration really tedious and complicated compared to OpenVPN, which can centrally assign IP addresses and push options to clients. I know that's the tax for being a mesh, but wouldn't it be great to configure your mesh network a bit more centrally?

And here comes my ansible playbook, which can do something like that. It generates a complete tinc configuration for each node in the network, and it can additionally deploy that configuration to the nodes that are reachable via ssh. All you need to do is write one simple hosts file in /etc/tinc.

$ cat /etc/tinc/hosts
gw1 ansible_ssh_host=vpn-host1  tinc_ip=    tinc_hostname=gw1.in.domaim
gw2 ansible_connection=local    tinc_ip=    tinc_hostname=gw2.in.domain tinc_remote=gw2.some-dynamic-dns.org tinc_subnet='["",""]'
gw3 ansible_ssh_host=vpn-host3  tinc_ip=   tinc_hostname=gw3.in.domain tinc_subnet='' tinc_port=1655
client1 ansible_connection=local    tinc_ip=   tinc_hostname=client1.in.domain
client2 ansible_connection=local    tinc_ip=   tinc_hostname=client2.in.domaim os_family=Android tinc_connect='["gw1","gw2"]'

Then start ansible for the selected network:

$ ansible-playbook site.yml -e netname=vpn1

When it finishes successfully, the tinc network on the reachable hosts (those with ssh access) should be up and running; for all other nodes (clients) the generated config is left in /etc/tinc/netname/config.
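To make concrete what gets generated from a hosts file like the one above, here is an added stand-alone Python sketch; it is my own illustration, not the ansible-tinc playbook's code. It parses inventory lines in that format and renders a tinc.conf and a hosts/ entry per node; the Mode = router setting and the "connect to every node that has a tinc_remote" default are assumptions, and the sample addresses are constructed.

```python
import ast
import shlex
# Constructed sample inventory, same format as the /etc/tinc/hosts file above
SAMPLE_HOSTS = """\
gw1 ansible_ssh_host=vpn-host1 tinc_ip=10.0.0.1 tinc_hostname=gw1.in.domain
gw2 ansible_connection=local tinc_ip=10.0.0.2 tinc_hostname=gw2.in.domain tinc_remote=gw2.some-dynamic-dns.org tinc_subnet='["192.168.2.0/24","192.168.3.0/24"]'
gw3 ansible_ssh_host=vpn-host3 tinc_ip=10.0.0.3 tinc_hostname=gw3.in.domain tinc_subnet='' tinc_port=1655
client1 ansible_connection=local tinc_ip=10.0.0.11 tinc_hostname=client1.in.domain tinc_connect='["gw1","gw2"]'
"""

def parse_hosts(text):
    # ansible-style 'name key=value ...' lines -> {name: {key: value}}
    nodes = {}
    for line in filter(str.strip, text.splitlines()):
        name, *pairs = shlex.split(line)  # shlex strips the quotes around '["a","b"]'
        node = {}
        for pair in pairs:
            key, _, value = pair.partition("=")
            if value.startswith("["):  # list values such as tinc_subnet / tinc_connect
                value = ast.literal_eval(value)
            node[key] = value
        nodes[name] = node
    return nodes

def tinc_conf(name, nodes):
    # Assumption: Mode = router; without tinc_connect, connect to every node with a tinc_remote
    peers = nodes[name].get("tinc_connect")
    if peers is None:
        peers = [n for n, v in nodes.items() if n != name and v.get("tinc_remote")]
    lines = [f"Name = {name}", "Mode = router"] + [f"ConnectTo = {p}" for p in peers]
    return "\n".join(lines) + "\n"

def host_file(name, nodes):
    # hosts/<name>: reachability and routed subnets; the public key (tincd -K) is appended separately
    node = nodes[name]
    lines = [f"Address = {node['tinc_remote']}"] if node.get("tinc_remote") else []
    if node.get("tinc_port"):
        lines.append(f"Port = {node['tinc_port']}")
    lines.append(f"Subnet = {node['tinc_ip']}/32")
    lines += [f"Subnet = {s}" for s in node.get("tinc_subnet") or []]
    return "\n".join(lines) + "\n"

def render_network(netname, nodes):
    # each node gets its own tinc.conf plus the hosts/ file of every node in the mesh
    files = {}
    for name in nodes:
        base = f"/etc/tinc/{netname}/config/{name}"
        files[f"{base}/tinc.conf"] = tinc_conf(name, nodes)
        files.update({f"{base}/hosts/{p}": host_file(p, nodes) for p in nodes})
    return files
```

Calling render_network("vpn1", parse_hosts(SAMPLE_HOSTS)) returns the path-to-content map that would be written under /etc/tinc/vpn1/config; note that a peer without a tinc_remote gets no Address line, so other nodes can only accept, never initiate, connections to it.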

Detailed info and configuration options can be found on the ansible-tinc project page or the GitHub page of ansible-tinc, where you can also get the sources.

Btw. I did a little performance testing with the nttcp tool, and tinc seems to be up to 30% faster than OpenVPN on the same hardware. So it is faster, and additionally its mesh topology avoids unnecessary packet round trips. Not that bad…
