Tinc是一个轻量型的 GNU 协议下的开源软件,通过隧道以及加密技术在互联网点与点之间创立隧道。它是 IP 层面上的,所以可以像普通的网络设备那样,不需要去适配其他已经存在的软件。所以他就可以很安全的在点与点之间传输数据,并不需要担心泄露。他还有其他几大的特点或者说优点:
- 加密 / 认证 / 压缩
- 自动全网状路由
- 易于扩展网络节点
- 能够进行网络的桥接
- 跨平台支持
- IPv6 支持
Tinc实际上和ZeroTier One有些相似,不过还是不太一样,ZeroTier One可以不需要公网IP,但是Tinc就不是了,它完全由自己掌控,通过在服务器端安装服务端,以及在客户端安装客户端即可完成客户端与服务端,客户端与客户端之间相互访问,而且由于完全由自己掌控,所以非常安全。
官方网站:https://www.tinc-vpn.org/
源码地址:https://tinc-vpn.org/git/tinc
他还有其他几大的特点:
- 加密 / 认证 / 压缩
- 自动全网状路由
- 易于扩展网络节点
- 能够进行网络的桥接
- 跨平台支持
- IPv6 支持
安装
Tinc 在各个发行版的仓库中都可以找到,例如 Debian / Ubuntu / CentOS / macOS 等系统就可以通过下面的命令安装:
#Debian/Ubuntu
apt-get install tinc
#CentOS
yum install tinc
#macOS
brew install tinc --devel
其他平台下载:
Android:Tinc App ;IOS(需越狱):Cydia packages;Windows官方下载地址
配置
目录结构
/etc/tinc
└── dock
├── hosts
│ ├── Server
│ └── Client
├── rsa_key.priv
├── tinc.conf
├── tinc-down
└── tinc-up
/etc/tinc/dock
目录下的文件都属于dock
这个网络/etc/tinc/dock/hosts
目录是存放其他用户或者说是其他网络的public key
以及他们的 ip 地址rsa_key.priv
本网络的私钥tinc.conf
本网络的配置文件tinc-down
本网络关闭时执行的脚本tinc-up
本网络启动时执行的脚本
服务端配置
首先开启 Linux 转发,在/etc/sysctl.conf
设置net.ipv4.ip_forward = 1
,并通过sysctl -p
来应用配置。
修改tinc.conf
配置文件
Name = Server
Interface = tinc
Mode = switch
Compression=9
Cipher = aes-256-cbc
Digest = sha256
PrivateKeyFile=/etc/tinc/dock/rsa_key.priv
Name
主机名称Interface
隧道所使用的网卡名称Mode
有三种模式,分别是router
/switch
/hub
,相对应我们平时使用到的路由、交换机、集线器 (默认模式router
)Compression
UDP 数据包压缩级别。可选有 0 (关闭),1 (fast zlib) 至 9 (best zlib),10 (fast lzo) 和 11 (best lzo)Cipher
加密类型。可选aes-128-cbc
aes-256-cbc
等Digest
rsa 加密协议强度。可选sha128
sha1
等PrivateKeyFile
服务器私钥的位置
修改tinc-up
和tinc-down
,用Windows
作为服务器无需这两个文件
tinc-up
!/bin/shifconfig $INTERFACE <内网ip> netmask 255.255.255.0
tinc-down
!/bin/shifconfig $INTERFACE down
添加执行权限
chmod +x tinc-*
在hosts
文件夹内添加节点配置文件
Subnet=10.1.3.1/32
Address=149.129.88.238
Port=57734
Subnet
宣告的路由地址Address
服务器的外网 IPPort
指定 tinc 连接端口(默认端口655
)
生成私钥和公钥
tincd -n dock -K4096
公钥自动添加到hosts
文件夹内的节点配置文件
客户端配置
客户端的tinc.conf
与服务器的参数基本上相同,只需要修改Name
在hosts
文件夹内添加新的节点配置文件
Subnet=10.1.3.2/32
tinc-up
和tinc-down
跟服务器配置基本一样,只需要修改tinc-up
的内网ip,Windows
客户端无需这两个文件
生成私钥和公钥
tincd -n dock -K4096
将服务端的节点配置文件放到客户端的hosts
文件夹内,并将客户端的节点配置文件放到服务端的hosts
文件夹内
运行
后台启动
Windows 端需要先安装虚拟网卡,在 tinc 的安装目录下有虚拟网卡的驱动安装包,安装完成后需要将虚拟网卡名称改为与tinc.conf
文件中的Interface
名称相同,并且手动设置虚拟网卡的 IP 地址和子网掩码,然后进入到tinc
的安装目录下再以管理员的身份运行,运行后会自动创建系统服务,需要停止的时候在 Windows 系统服务管理中停止服务
#Linux/MacOS
tincd -n dock
#Windows(需要管理员权限)
-n dock
停止运行,该命令在 Windows 端会停止运行并删除系统服务
#Linux/MacOS
tincd -n dock -k
#Windows(需要管理员权限)
-n dock -k
调试模式
#Linux/MacOS
tincd -n dock -D -d 3
#Windows
tincd.exe -n dock -D -d 3
The tinc Android application
Android binding and user interface for the tinc mesh VPN daemon.
Main features
- Does not require root privilege
- Uses conventional tinc configuration files
- Configurable VPN access/bypass per Android application
- Support for password-protected private keys
- Connection management through a graphical user interface
- Automatable using third party Android applications via Intents
Platform specific limitations
- Operates with tinc in
router
mode only - Connects to only one tinc network at a time
- No support for hook scripts
Downloads
Current version: 0.33 (changelog, released on 2021-07-12). Available:
- on F-Droid (free)
- on Google Play Store (donation version)
- directly as an APK (free)
Help and support
Online resources:
Discussion channels:
- Matrix room: #tincapp:pacien.net
- IRC channel: #tincapp on irc.libera.chat
- GitHub discussions: pacien/tincapp
Contribute
- Source repository: on GitHub, local mirror
- Bug reports and feature requests
Donations
- I gladly accept donations through PayPal, Bitcoin, and Ether.
- Please also consider donating to the tinc VPN project. Thanks!
User documentation
2021-03-28
User interface
The application is shipped with a graphical user interface for convenient network selection, network state monitoring and configuration bootstrapping. It is not meant to replace textual configuration file editing.
Start screen
The start screen lists all configured tinc networks within the application’s directory, allowing the user to easily connect to any of those.
Permission and passphrase entry dialogs may appear upon network selection, if such input is necessary.
Status screen
The status screen automatically opens when a VPN connection to a tinc network is active. It allows the user to visualise the state of the connection in three different tabs described below.
Network information
The “network” tab displays a read-only summary of the network interface configuration.
Node status
The “nodes” tab lists the known tinc nodes and their reachability status.
Tapping on a node displays more detailed information about it, equivalently to running tinc status $node
.
Subnet status
The “subnets” tab lists the known tinc subnets and their respective owning node.
Log screen
The log screen shows the activity of the currently running tinc daemon in real time at the “DEBUG” logging level.
It is possible to pause the logging and to scroll through the history, as well as to send the recently logged events to other applications.
Configuration screen
The configuration screen allows the user to control the accessibility of the tinc network configuration files, as well as run some utility commands.
It does not provide a graphical user interface for editing the configuration.
Configuration access
The “FTP access” toggle activates and deactivates the embedded FTP server through which the configuration files (1) can be transferred and edited. It also allows the user to retrieve and inspect the generated log files (2). After activation, the randomly initialised credentials and connection port (3) are shown on screen.
The accessible directory is structured as follows:
[FTP root]
├── files/
│ └── networks/ ----------------------------- (1)
│ └── [netname...]/
│ ├── network.conf
│ ├── tinc.conf
│ ├── ed25519_key.priv
│ ├── rsa_key.priv
│ └── hosts/
│ └── [host...]
├── cache/
│ ├── log/ ---------------------------------- (2)
│ │ ├── tincapp.log
│ │ └── tinc.[netname].log
│ └── run/
│ ├── tinc.[netname].pid
│ └── tinc.[netname].socket
└── shared_prefs/
├── org.pacien.tincapp.service.xml
└── org.pacien.tincapp.service.ftp.xml ---- (3)
The FTP server can be reached through both the loopback and external IP addresses of the device. This allows the configuration files to be accessed through an FTP client such as Ghost Commander on Android or the default file manager on a desktop computer.
Tools
Network configuration bootstrapping
The “Generate node configuration and keys” link opens the network creation dialog which allows to bootstrap the configuration of a new node to be part of a new or an existing tinc network.
This tool generates the public and private key pairs of the node as well as templates for the tinc daemon, network interface and hosts configuration files.
An optional passphrase can be specified to encrypt the private keys. It will then be required to connect to said network.
The initial configuration of the daemon, network interface and nodes still require some manual file editing and replicating.
Network joining through invitation
The “Join network via invitation URL” link allows a tinc network to be joined using tinc invitation taking the form of an URL string or a QR code to scan.
A new node configuration is then generated accordingly to the parameters contained within the invitation.
Private key encryption and decryption
The “Encrypt or decrypt private keys” link allows one to specify or remove a passphrase used to encrypt the private keys of a tinc network.
This allows protecting a tinc network with a passphrase which will then be required upon connecting to said network.
Internal path information
The “Internal path info” section of the configuration screens displays the internal path to the configuration and log directories, as well as the path to the tinc daemon executable binary.
Those paths are protected and only accessible to the user on rooted Android devices, on which it is possible to control the tinc daemon through the control socket located within the application’s private directory.
Configuration
The configuration directory (1) contains the configuration of tinc networks, each in their own subdirectory (2).
In addition to the tinc daemon configuration file (4) and host configuration files (5), each of those contains a network interface configuration file named network.conf
(3).
The overall directory structure is as follows:
[FTP root]
└── files/
└── networks/ ------------------ (1)
└── [netname...]/ ---------- (2)
├── network.conf ------- (3)
├── tinc.conf ---------- (4)
├── ed25519_key.priv
├── rsa_key.priv
└── hosts/
└── [host...] ------ (5)
This configuration directory can be accessed through an embedded FTP server which can be activated using the FTP access toggle on the configuration screen.
tinc daemon
The tinc daemon and networks can be configured as they would be on other platforms through the same files, albeit with some specificities to the Android platform, which are the following:
- The tinc daemon will be unable to listen for incoming connections on the standard port (655). Another unprivileged port (>1023) must therefore be chosen with the
Port
parameter in the current host’s file in thehosts
directory. This is indeed automatically done when generating a new configuration with thetinc
control command. - The underlying virtual networking device is automatically set dynamically by the Android API. Hence, no
Device
orDeviceType
must be set in the configuration. - This underlying network interface operates on the Internet layer and will only accept IP packets. The tinc daemon must therefore be configured with
Mode = router
. - The startup
nets.boot
file is ignored. Tinc VPN connections can be controlled via Android Intents instead. - No hook script (i.e.
{tinc,host,subnet}-{up,down}
) can be executed. Network configuration must be done statically through thenetwork.conf
file.
Network interface
The network.conf
file is used to configure the network interface, allowing one to set parameters such as the IP address, routes and DNS servers for use. Android applications authorised/forced to use/bypass the VPN can also be specified in this file.
The configuration is applied at VPN connect time, and it is not possible to alter the parameters of the network interface while the VPN is active.
The file consists of assignment lines in the form of Key = value
pairs, which can be repeated multiple times in order to specify multiple values. Lines beginning with #
are treated as comments.
The configuration keys (exposed from the underlying API) are:
- Address = [CIDR formatted IP address]
- Adds a network address to the VPN interface. Both IPv4 and IPv6 addresses are supported. At least one address must be set. Adding an address implicitly allows traffic from that address family (i.e., IPv4 or IPv6) to be routed over the VPN.
- Route = [CIDR formatted IP range]
- Adds a network route to the VPN interface. Both IPv4 and IPv6 routes are supported. Adding a route implicitly allows traffic from that address family (i.e., IPv4 or IPv6) to be routed over the VPN.
- DNSServer = [IP address]
- Adds a DNS server to the VPN connection. Both IPv4 and IPv6 addresses are supported. If none is set, the DNS servers of the default network will be used. Adding a server implicitly allows traffic from that address family (i.e., IPv4 or IPv6) to be routed over the VPN.
- SearchDomain = [domain]
- Adds a search domain to the DNS resolver.
- AllowApplication = [application package name]
- Adds an application that are allowed to access the VPN connection. If this parameter is set, only applications added through this method (and no others) are allowed access. Else, all applications are allowed by default. If some applications are added, other, un-added applications will use networking as if the VPN wasn’t running. A VPN may have only a set of allowed applications OR a set of disallowed ones, but not both.
- DisallowApplication = [application package name]
- Adds an application that are denied access to the VPN connection. By default, all applications are allowed access, except for those denied through this method. Denied applications will use networking as if the VPN wasn’t running. A VPN may have only a set of allowed applications OR a set of disallowed ones, but not both.
- AllowFamily = [2|10]
- Allows traffic from the specified address family. By default, if no address, route or DNS server of a specific family (IPv4 or IPv6) is added to this VPN, then all outgoing traffic of that family is blocked. If any address, route or DNS server is added, that family is allowed. This method allows an address family to be unblocked even without adding an address, route or DNS server of that family. Traffic of that family will then typically fall-through to the underlying network if it’s supported. Family must be either AF_INET (for IPv4) or AF_INET6 (for IPv6), for which integer values are respectively
2
and10
. - AllowBypass = [true|false]
- Allows all apps to bypass this VPN connection. By default, all traffic from apps is forwarded through the VPN interface and it is not possible for apps to side-step the VPN. If this parameter is set to
true
, apps may send/receive directly over the underlying network or any other network they have permissions for. - Blocking = [true|false]
- Sets the VPN interface’s file descriptor to be in blocking/non-blocking mode. By default, the file descriptor is non-blocking.
- MTU = [integer value]
- Sets the maximum transmission unit (MTU) of the VPN interface. If it is not set, the default value in the operating system will be used.
- ReconnectOnNetworkChange = [true|false]
- Forces tinc to immediately reconnect to all uplinks on network change. Enabled by default.
Automatic connection management
Connections to tinc networks can be initiated and stopped automatically on system startup and from other Android applications.
Always-on VPN
The always-on VPN feature available on Android Nougat and newer allows a tinc network connection to be restored after a device restart. This option can be enabled through the system settings, under the “Network & Internet” / “VPN” categories.
Any necessary passphrase for the current network will be saved and will not be asked for again on connection restoration.
If the VPN is disconnected due to an error or is manually disconnected by the user, a warning notification will be shown until it is reconnected.
Intent API
Tinc App allows connections to be managed through Intents, allowing flexible scripting and automation from third-party applications.
A new connection can be instantiated by starting an activity for the action org.pacien.tincapp.intent.action.CONNECT
, alongside with an opaque data URI following the pattern tinc:$netname#$passphrase
, where $netname
is the name of the tinc network to connect to, and $passphrase
an optional passphrase to unlock private keys. Connecting to a tinc network will terminate any other existing VPN connection.
If the system VPN permission has not been already granted or has been revoked, a confirmation dialog will be displayed. If the private keys are encrypted but no passphrase has been provided in the Intent data, an input dialog asking for such passphrase will be displayed as well.
A currently active tinc connection can be terminated by starting an activity for the action org.pacien.tincapp.intent.action.DISCONNECT
. Disconnecting through an Intent will not drop the system VPN permission.
项目地址:https://tincapp.pacien.org/
官方网站:https://www.tinc-vpn.org/
源码地址:https://tinc-vpn.org/git/tinc