Tinc provides an open-source L2/L3 VPN implementation.
Tinc generally relies on public-key cryptography. It requires to generate a private and public key for each peer and exchange only the public keys. While the private key is best never disclosed outside the peer where it was generated.
The Tinc init script combines both UCI settings and the contents of the /etc/tinc directory to a full configuration located in the /tmp/tinc directory.
The Tinc UCI config contains two types of sections:
| UCI section | Mapped config | Generated config | Description |
|---|---|---|---|
tinc-net | /etc/tinc/<NETNAME> | /tmp/tinc/<NETNAME>/tinc.conf | Defines the VPN network settings. |
tinc-host | /etc/tinc/<NETNAME>/hosts/<NODENAME> | /tmp/tinc/<NETNAME>/hosts/<NODENAME> | Defines the VPN peer settings. |
The Tinc keys generated by default:
| Key file | Description |
|---|---|
/etc/tinc/<NETNAME>/ed25519_key.priv | Ed25519 private key. |
/etc/tinc/<NETNAME>/ed25519_key.pub | Ed25519 public key. |
/etc/tinc/<NETNAME>/rsa_key.priv | RSA private key. |
/etc/tinc/<NETNAME>/rsa_key.pub | RSA public key. |
Public keys for each peer need to be stored either in UCI host sections or in host files using the same format as the generated keys.