tinc (QPKG Building Guide) 1.0.25


  1. Silas Mariusz
    Tinc VPN package for the Qnap NAS platforms

    tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet. tinc is Free Software and licensed under the GNU General Public License version 2 or later. Because the VPN appears to the IP level network code as a normal network device, there is no need to adapt any existing software. This allows VPN sites to share information with each other over the Internet without exposing any information to others. In addition, tinc has the following features:
    Encryption, authentication and compression
    All traffic is optionally compressed using zlib or LZO, and OpenSSL is used to encrypt the traffic and protect it from alteration with message authentication codes and sequence numbers.
    Automatic full mesh routing
    Regardless of how you set up the tinc daemons to connect to each other, VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops.
    Easily expand your VPN
    When you want to add nodes to your VPN, all you have to do is add an extra configuration file, there is no need to start new daemons or create and configure new devices or network interfaces.
    Ability to bridge ethernet segments
    You can link multiple ethernet segments together to work like a single segment, allowing you to run applications and games that normally only work on a LAN over the Internet.
    Runs on many operating systems and supports IPv6
    Currently Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X, Solaris, Windows 2000, XP, Vista and Windows 7 and 8 platforms are supported. See our section about supported platforms for more information about the state of the ports. tinc has also full support for IPv6, providing both the possibility of tunneling IPv6 traffic over its tunnels and of creating tunnels over existing IPv6 networks.

    Tinc Compile Notes
    The configure script from the tinc package will fail on the sed that comes with your qnap. If you install sed from the Optware package and run the commands below as admin, the ./configure script should succeed.
    Code (Bash):
    # Keep the BusyBox sed under a new name, then point /bin/sed at the Optware build
    cd /bin/
    mv sed sed-busybox
    ln -s /opt/bin/sed sed
    How to use this
    This simply provides a QDK environment for Tinc on Qnap devices. It does not provide an installable binary package. You will need to:
    1. Compile Tinc for your device. On an x86 Qnap, http://james.vautin.com/?p=285 can be helpful, but he's wrong about gawk; the problem is with sed. See code:
      Code (Bash):
      # Author: Silas Mariusz
      src=/share/Public/src.tmp
      mkdir -p "$src"
      cd "$src" || exit 1

      ipkg update
      ipkg install grep zlib gawk lzo gcc make openssl openssl-dev

      wget http://www.tinc-vpn.org/packages/tinc-1.0.25.tar.gz
      tar zxvf tinc-1.0.25.tar.gz
      rm tinc-1.0.25.tar.gz
      cd tinc-1.0.25

      # Put /opt/bin first so configure/make do not call the BusyBox tools in /bin/
      export PATH=/opt/bin/:$PATH:/opt/bin/

      # But it's still necessary to force AWK, as seen below:
      _AWK=$AWK
      export AWK=/opt/bin/gawk

      # COMPILATION
      ./configure
      make            # picks up the exported AWK=/opt/bin/gawk
      make install

      # Restore AWK
      AWK=$_AWK

      cd ..
      rm -rf "$src"
      # Done!
    2. SSH into your Qnap and check this repo out with git.
    3. Copy your compiled tincd binary into the x86 dir. (Other platform-specific dirs might work for those platforms.)
    4. Run qbuild to produce a .qpkg you can install.

    The Tinc qpkg this generates needs a share named "Tinc". I suggest you make this share very private, so no users can access it after setup. For each /share/Tinc/[netname]/tinc.conf an instance of Tinc will be started for that netname's config directory.

    Also, when the Tinc qpkg starts it will look for /share/Tinc/sample. If that doesn't exist it will create a stub network config directory containing the tinc scripts I like and auto-generate private and public keys. You should then rename this directory to your desired netname and then rename/edit the tinc.conf.sample file to tinc.conf. You'll need to provide the other ./hosts/HostName files.

    Reminder: Once you get this running, revoke access by all users as they don't need it for Tinc to work and you don't want to accidentally leak your private key.
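
    The reminder above can be checked mechanically. The following script is an added example, not part of the QPKG or the original post; it assumes the private key in each netname directory is named rsa_key.priv (the tinc 1.0 default, not stated on this page) and that it is pointed at the /share/Tinc layout described above.

```shell
#!/bin/sh
# Added example: audit tinc private-key permissions under the Tinc share.
# Assumption: keys are named rsa_key.priv (tinc 1.0 default); adjust KEY_NAME
# if tinc.conf sets PrivateKeyFile.
KEY_NAME=rsa_key.priv

# Print "LOOSE <group/other bits> <path>" for each key that anyone other than
# the owner can access. Returns 0 if every key is owner-only, 1 otherwise.
audit_tinc_keys() {
    root=$1
    rc=0
    # Covers every netname directory, including the auto-generated "sample".
    for key in "$root"/*/"$KEY_NAME"; do
        [ -f "$key" ] || continue      # glob matched nothing
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld -- "$key" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "LOOSE $bits $key"
            rc=1
        fi
    done
    return "$rc"
}

# Restrict every key under the share to owner read/write (0600).
fix_tinc_keys() {
    root=$1
    for key in "$root"/*/"$KEY_NAME"; do
        if [ -f "$key" ]; then chmod 600 "$key"; fi
    done
    return 0
}

# Stand-alone use: sh audit.sh /share/Tinc
if [ "$#" -ge 1 ]; then
    audit_tinc_keys "$1" || echo "run fix_tinc_keys \"$1\" to tighten" >&2
fi
```

    This checks Unix mode bits only; share-level user access still has to be revoked in the NAS share settings as the reminder says.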

    As of May 29, 2014 all my Qnap devices are deployed remotely and there won't be more updates until I have a need for more Qnaps. I'll still try to field support requests to help get people started.

    Example setups

    A list of examples of common setups can be found here, along with the typical configuration files, firewall rules and other issues. If you have any questions, comments or examples of your own, please inform us.
