


How To Install Tinc and Set Up a Basic VPN on Ubuntu 18.04

Introduction

Tinc is an open-source Virtual Private Network (VPN) daemon with useful features like encryption, optional compression, and automatic mesh routing that can opportunistically route VPN traffic directly between servers. These features differentiate tinc from other VPN solutions, and make it a good choice for creating a VPN out of many small, geographically distributed networks.

In this tutorial, we will go over how to use tinc to create a secure VPN on which your servers can communicate as if they were on a local network. We will also demonstrate how to use tinc to set up a secure tunnel into a private network. We will be using Ubuntu 18.04 servers, but the configuration can be adapted for use with any other OS.

Goals

In order to cover multiple use cases, this tutorial outlines how to connect one client node to the VPN over a private network interface and another over a public one. You can, however, adapt this setup to suit your own needs. You'll just need to plan out how you want your servers to access each other and adapt the examples presented in this tutorial accordingly. If you are adapting this to your own setup, be sure to substitute the highlighted values in the examples with your own values. It may be in your interest, though, to first follow the tutorial as it's written to make sure you understand the components and processes involved before modifying these instructions.

To help keep things clear, this tutorial will refer to the servers like this:

  • server-01: All of the VPN nodes will connect to this machine, and the connection must be maintained for proper VPN functionality. Additional servers can be configured in the same way as this one to provide redundancy, if desired
  • client-01: Connects to the server-01 VPN node using its private network interface
  • client-02: Connects to the server-01 VPN node over the public network interface

Note: Tinc itself doesn't differentiate between servers (machines that host and deliver VPN services) and clients (the machines that connect to and use the secure private network), but it can be helpful to understand and visualize how tinc works by thinking of your servers like this.

Here is a diagram of the VPN that we want to set up:

(Diagram: Tinc VPN Setup)

The blue box represents our VPN and the pink represents the underlying private network. All three servers can communicate on the VPN, even though the private network is otherwise inaccessible to client-02.

Prerequisites

If you would like to follow this tutorial exactly, provision two Ubuntu 18.04 servers (server-01 and client-01) in the same datacenter and enable private networking on each. Then, create another Ubuntu 18.04 server (client-02) in a separate datacenter. Each server should have an administrative user and a firewall configured with ufw. To set this up, follow our initial server setup guide for Ubuntu 18.04.

Additionally, later on in this tutorial we'll need to transfer a few files between each machine using scp. Because of this, you'll need to generate SSH keys on each of your servers, add both client-01's and client-02's SSH keys to server-01's authorized_keys file, and then add server-01's SSH key to both client-01's and client-02's authorized_keys files. For help setting this up, see our guide on How to Set Up SSH Keys on Ubuntu 18.04.

Step 1 — Installing Tinc

Tinc is available from the default Ubuntu APT repositories, which means we can install it with just a few commands.

If you've not done so recently, run the following command on each server to update their respective package indexes:

All servers

    sudo apt update

Then install tinc on each server by running the following command:

All servers

    sudo apt install tinc

With that, you've installed tinc on each of your servers. However, you'll need to make some changes to tinc's configuration on each machine in order to get your VPN up and running. Let's begin with updating server-01.

Step 2 — Configuring the Tinc Server

Tinc requires that every machine that will be part of the VPN has the following three configuration components:

  • Tinc configuration files: There are three distinct files that configure the tinc daemon:
    • tinc.conf, which defines the netname, the network device over which the VPN will run, and other VPN options;
    • tinc-up, a script that activates the network device defined in tinc.conf after tinc is started;
    • tinc-down, which deactivates the network device whenever tinc stops.
  • Public/private key pairs: Tinc uses public/private key pairs to ensure that only users with valid keys are able to access the VPN.
  • Host configuration files: Each machine (or host) on the VPN has its own configuration file that holds the host's actual IP address and the subnet where tinc will serve it

Tinc uses a netname to distinguish one tinc VPN from another. This is helpful in cases where you want to set up multiple VPNs, but it's recommended that you use a netname even if you are just planning on configuring one VPN. You can give your VPN whatever netname you like, but for simplicity we will call our VPN netname.

On server-01, create the configuration directory structure for the VPN:

server-01

    sudo mkdir -p /etc/tinc/netname/hosts

Use your preferred text editor to create a tinc.conf file. Here, we'll use nano:

server-01

    sudo nano /etc/tinc/netname/tinc.conf

Add the following lines to the empty file. These configure a tinc node named server_01 with a network interface called tun0 which will use IPv4:

server-01:/etc/tinc/netname/tinc.conf

    Name = server_01
    AddressFamily = ipv4
    Interface = tun0

Warning: Note how the value after the Name directive includes an underscore (_) rather than a hyphen (-). This is important, since tinc requires that the Name value contain only alphanumeric or underscore characters. If you use a hyphen here, you'll encounter an error when you try to start the VPN later in this guide.

Save and close the file after adding these lines. If you used nano, do so by pressing CTRL+X, Y, then ENTER.
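The Name rule above is easy to get wrong and the error only shows up when tincd starts. The following script is an added example, not part of the tutorial or of tinc itself: it checks a tinc.conf before the daemon is started, rejecting a Name that is empty or contains anything other than letters, digits and underscores, a missing Interface directive, and a ConnectTo target whose host file is not present in the hosts/ directory beside it. It assumes the "Key = Value" directive syntax and the /etc/tinc/<netname>/ layout used in this guide; the sample tinc.conf files it creates under a temporary directory are constructed demo data.

```shell
#!/bin/sh
# Added example, not part of the tutorial: sanity-check a tinc.conf before starting tincd.
# Assumes the "Key = Value" directive syntax the tutorial uses and the directory layout
# /etc/tinc/<netname>/{tinc.conf,hosts/}; the sample files below are constructed demo data.

# conf_value FILE KEY -> prints the first value of KEY in FILE (empty if absent)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# valid_node_name NAME -> 0 if NAME is non-empty and uses only letters, digits and underscores,
# which is what tinc requires of Name (a hyphen, as in "server-01", makes tincd fail to start)
valid_node_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_tinc_conf FILE -> 0 if FILE passes, 1 otherwise; each problem is reported on stderr
check_tinc_conf() {
    file=$1
    rc=0
    name=$(conf_value "$file" Name)
    if ! valid_node_name "$name"; then
        echo "$file: Name '$name' must be non-empty and match [A-Za-z0-9_]+" >&2
        rc=1
    fi
    if [ -z "$(conf_value "$file" Interface)" ]; then
        echo "$file: missing Interface directive" >&2
        rc=1
    fi
    # every ConnectTo target must be a valid node name with a host file beside this tinc.conf
    hostsdir=$(dirname "$file")/hosts
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$file"); do
        if ! valid_node_name "$peer"; then
            echo "$file: ConnectTo '$peer' is not a valid node name" >&2
            rc=1
        elif [ ! -f "$hostsdir/$peer" ]; then
            echo "$file: ConnectTo '$peer' has no host file in $hostsdir" >&2
            rc=1
        fi
    done
    return "$rc"
}

# --- constructed demo tree (stands in for /etc/tinc/netname on two nodes) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/good/hosts" "$DEMO/bad/hosts"

# a client configured as in the tutorial, with its server's host file already copied in
printf 'Name = client_01\nAddressFamily = ipv4\nInterface = tun0\nConnectTo = server_01\n' \
    > "$DEMO/good/tinc.conf"
: > "$DEMO/good/hosts/server_01"

# the two mistakes the tutorial warns about: a hyphen in Name, and a ConnectTo target
# whose host file was never copied over
printf 'Name = client-01\nAddressFamily = ipv4\nInterface = tun0\nConnectTo = server_01\n' \
    > "$DEMO/bad/tinc.conf"

if check_tinc_conf "$DEMO/good/tinc.conf"; then
    echo "good/tinc.conf: OK"
fi
if ! check_tinc_conf "$DEMO/bad/tinc.conf"; then
    echo "bad/tinc.conf: rejected (see messages above)"
fi
```

To use it on a real node, drop the demo section and call check_tinc_conf /etc/tinc/netname/tinc.conf (as root, since the directory is root-owned) before running tincd; a non-zero exit status means the daemon would not start cleanly.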

Next, create a host configuration file named server_01 in the hosts subdirectory. Ultimately, the client nodes will use this file to communicate with server-01:

server-01

    sudo nano /etc/tinc/netname/hosts/server_01

Again, note that the name of this file contains an underscore rather than a hyphen. This way, it aligns with the Name directive in the tinc.conf file, which will allow tinc to automatically append the server's public RSA key to this file when we generate it later on.

Add the following lines to the file, making sure to include server-01's public IP address:

server-01:/etc/tinc/netname/hosts/server_01

    Address = server-01_public_IP_address
    Subnet = 10.0.0.1/32

The Address field specifies how other nodes will connect to this server, and Subnet specifies which subnet this daemon will serve. Save and close the file.

Next, generate a pair of public and private RSA keys for this host with the following command:

server-01

    sudo tincd -n netname -K4096

After running this command, you'll be prompted to enter filenames where tinc will save the public and private RSA keys:

Output

    . . .
    Please enter a file to save private RSA key to [/etc/tinc/netname/rsa_key.priv]:
    Please enter a file to save public RSA key to [/etc/tinc/netname/hosts/server_01]:

Press ENTER to accept the default locations at each prompt; doing so will tell tinc to store the private key in a file named rsa_key.priv and append the public key to the server_01 host configuration file.

Next, create tinc-up, the script that will run whenever the netname VPN is started:

server-01

    sudo nano /etc/tinc/netname/tinc-up

Add the following lines:

server-01:/etc/tinc/netname/tinc-up

    #!/bin/sh
    ip link set $INTERFACE up
    ip addr add 10.0.0.1/32 dev $INTERFACE
    ip route add 10.0.0.0/24 dev $INTERFACE

Here's what each of these lines does:

  • ip link …: sets the status of tinc's virtual network interface as up
  • ip addr …: adds the IP address 10.0.0.1 with a netmask of 32 to tinc's virtual network interface, which will cause the other machines on the VPN to see server-01's IP address as 10.0.0.1
  • ip route …: adds a route (10.0.0.0/24) which can be reached on tinc's virtual network interface

Save and close the file after adding these lines.

Next, create a script to remove the virtual network interface when your VPN is stopped:

server-01

    sudo nano /etc/tinc/netname/tinc-down

Add the following lines:

server-01:/etc/tinc/netname/tinc-down

    #!/bin/sh
    ip route del 10.0.0.0/24 dev $INTERFACE
    ip addr del 10.0.0.1/32 dev $INTERFACE
    ip link set $INTERFACE down

These lines have the opposite effect of those in the tinc-up script:

  • ip route …: deletes the 10.0.0.0/24 route
  • ip addr …: deletes the IP address 10.0.0.1 from tinc's virtual network interface
  • ip link …: sets the status of tinc's virtual network interface as down

Save and close the file, then make both of these new network scripts executable:

server-01

    sudo chmod 755 /etc/tinc/netname/tinc-*

As a last step of configuring server-01, add a firewall rule that will allow traffic through port 655, tinc's default port:

server-01

    sudo ufw allow 655

server-01 is now fully configured and you can move on to setting up your client nodes.

Step 3 — Configuring the Client Nodes

Both of your client machines will require a slightly different configuration than the server, although the process will mostly be quite similar.

Because of the setup we're aiming for in this guide, we will configure client-01 and client-02 almost identically with only a few slight differences between them. Hence, many of the commands given in this step must be run on both machines. Note, though, that if client-01 or client-02 requires a specific command or special configuration, those instructions will be labelled with the name of the machine they apply to.

On both client-01 and client-02, replicate the directory structure you created on server-01:

client-01 & client-02

    sudo mkdir -p /etc/tinc/netname/hosts

Then create a tinc.conf file:

client-01 & client-02

    sudo nano /etc/tinc/netname/tinc.conf

Add the following lines to the file on both machines:

client-01 & client-02:/etc/tinc/netname/tinc.conf

    Name = node_name
    AddressFamily = ipv4
    Interface = tun0
    ConnectTo = server_01

Be sure to substitute node_name with the respective client node's name. Again, make sure this name uses an underscore (_) rather than a hyphen.

Note that this file contains a ConnectTo directive pointing to server_01, while server-01's tinc.conf file didn't include this directive. By not including a ConnectTo statement on server-01, server-01 will only listen for incoming connections. This works for our setup since it won't connect to any other machines.

Save and close the file.

Next, create a host configuration file on each client node. Once more, make sure the file name is spelled with an underscore instead of a hyphen:

client-01 & client-02

    sudo nano /etc/tinc/netname/hosts/node_name

For client-01, add this line:

client-01:/etc/tinc/netname/hosts/client_01

    Subnet = 10.0.0.2/32

For client-02, add this line:

client-02:/etc/tinc/netname/hosts/client_02

    Subnet = 10.0.0.3/32

Note that each client has a different subnet that tinc will serve. Save and close the file.

Next, generate the keypairs on each client machine:

client-01 & client-02

    sudo tincd -n netname -K4096

Again, as you did with server-01, when prompted to select files to store the RSA keys, press ENTER to accept the default choices.

Following that, create the network interface start script on each client:

client-01 & client-02

    sudo nano /etc/tinc/netname/tinc-up

For client-01, add these lines:

client-01:/etc/tinc/netname/tinc-up

    #!/bin/sh
    ip link set $INTERFACE up
    ip addr add 10.0.0.2/32 dev $INTERFACE
    ip route add 10.0.0.0/24 dev $INTERFACE

For client-02, add the following:

client-02:/etc/tinc/netname/tinc-up

    #!/bin/sh
    ip link set $INTERFACE up
    ip addr add 10.0.0.3/32 dev $INTERFACE
    ip route add 10.0.0.0/24 dev $INTERFACE

Save and close each file.

Next, create the network interface stop script on each client:

client-01 & client-02

    sudo nano /etc/tinc/netname/tinc-down

On client-01, add the following content to the empty file:

client-01:/etc/tinc/netname/tinc-down

    #!/bin/sh
    ip route del 10.0.0.0/24 dev $INTERFACE
    ip addr del 10.0.0.2/32 dev $INTERFACE
    ip link set $INTERFACE down

On client-02, add the following:

client-02:/etc/tinc/netname/tinc-down

    #!/bin/sh
    ip route del 10.0.0.0/24 dev $INTERFACE
    ip addr del 10.0.0.3/32 dev $INTERFACE
    ip link set $INTERFACE down

Save and close the files.

Make the networking scripts executable by running the following command on each client machine:

client-01 & client-02

    sudo chmod 755 /etc/tinc/netname/tinc-*

Lastly, open port 655 on each client:

client-01 & client-02

    sudo ufw allow 655

At this point, the client nodes are almost, although not quite, set up. They still need the public key that we created on server-01 in the previous step in order to authenticate the connection to the VPN.

Step 4 — Distributing the Keys

Each node that wants to communicate directly with another node must have exchanged public keys, which are inside of the host configuration files. In our case, server-01 needs to exchange public keys with the other nodes.

Exchange Keys Between server-01 and client-01

On client-01, copy its host configuration file to server-01. Because both client-01 and server-01 are in the same datacenter and both have private networking enabled, you can use server-01's private IP address here:

client-01

    scp /etc/tinc/netname/hosts/client_01 sammy@server-01_private_IP:/tmp

Then on server-01, copy the client-01 host configuration file into the /etc/tinc/netname/hosts/ directory:

server-01

    sudo cp /tmp/client_01 /etc/tinc/netname/hosts/

Then, while still on server-01, copy its host configuration file to client-01:

server-01

    scp /etc/tinc/netname/hosts/server_01 user@client-01_private_IP:/tmp

On client-01, copy server-01's file to the appropriate location:

client-01

    sudo cp /tmp/server_01 /etc/tinc/netname/hosts/

On client-01, edit server-01's host configuration file so the Address field is set to server-01's private IP address. This way, client-01 will connect to the VPN via the private network:

client-01

    sudo nano /etc/tinc/netname/hosts/server_01

Change the Address directive to point to server-01's private IP address:

client-01:/etc/tinc/netname/hosts/server_01

    Address = server-01_private_IP
    Subnet = 10.0.0.1/32

Save and quit. Now let's move on to our remaining node, client-02.

Exchange Keys Between server-01 and client-02

On client-02, copy its host configuration file to server-01:

client-02

    scp /etc/tinc/netname/hosts/client_02 sammy@server-01_public_IP:/tmp

Then on server-01, copy the client_02 host configuration file into the appropriate location:

server-01

    sudo cp /tmp/client_02 /etc/tinc/netname/hosts/

Then copy server-01's host configuration file to client-02:

server-01

    scp /etc/tinc/netname/hosts/server_01 user@client-02_public_IP:/tmp

On client-02, copy server-01's file to the appropriate location:

client-02

    sudo cp /tmp/server_01 /etc/tinc/netname/hosts/

Assuming you're only setting up two client nodes, you're finished distributing public keys. If, however, you're creating a larger VPN, now is a good time to exchange the keys between those other nodes. Remember that if you want two nodes to communicate directly with each other (without a forwarding server between them), they need to have exchanged their keys/host configuration files, and they need to be able to access each other's real network interfaces. Also, it is fine to just copy each host's configuration file to every node in the VPN.
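After the copying in Steps 3 and 4 it is worth confirming that each hosts/ directory actually holds what the VPN relies on: a public key in every host file (a file copied before tincd -K was run carries none, and that node can then not be authenticated) and one distinct Subnet per node. The script below is an added example, not part of the tutorial or of tinc: it audits a hosts/ directory for exactly those two properties. It assumes the host-file layout this guide produces (an Address line on the server's file, a Subnet line on every file, and a PEM "PUBLIC KEY" block appended by tincd -K); the directories and key blocks it creates under a temporary path are constructed demo data, and 203.0.113.10 is a placeholder address.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit a tinc hosts/ directory after key distribution.
# Assumes the host-file layout the tutorial produces ("Address = ..." on the server's file,
# "Subnet = ..." on every file, plus the PEM public-key block that "tincd -K" appends).
# The files created below are constructed demo data with placeholder key material.

# host_subnets FILE -> prints every Subnet value in FILE, one per line
host_subnets() {
    sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//'
}

# has_public_key FILE -> 0 if FILE carries a PEM public-key block
has_public_key() {
    grep -q -- '-----BEGIN [A-Z ]*PUBLIC KEY-----' "$1"
}

# check_hosts_dir DIR -> 0 if every host file in DIR has a public key and a Subnet, and no
# Subnet is claimed by two files; 1 otherwise, with each problem reported on stderr
check_hosts_dir() {
    dir=$1
    rc=0
    seen=" "
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        node=$(basename "$f")
        if ! has_public_key "$f"; then
            echo "$node: no public key; was tincd -K run there and the updated file copied?" >&2
            rc=1
        fi
        subnets=$(host_subnets "$f")
        if [ -z "$subnets" ]; then
            echo "$node: no Subnet directive" >&2
            rc=1
        fi
        for s in $subnets; do
            case "$seen" in
                *" $s "*)
                    echo "$node: Subnet $s is already claimed by another host file" >&2
                    rc=1 ;;
            esac
            seen="$seen$s "
        done
    done
    return "$rc"
}

# --- constructed demo directories (stand in for /etc/tinc/netname/hosts) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/hosts" "$DEMO/bad_hosts"

# placeholder key block standing in for the key tincd -K appends (not real key material)
KEYBLOCK='-----BEGIN RSA PUBLIC KEY-----
placeholderplaceholderplaceholderplaceholder
-----END RSA PUBLIC KEY-----'

# consistent set: the three nodes from the tutorial, each with its own /32
printf 'Address = 203.0.113.10\nSubnet = 10.0.0.1/32\n%s\n' "$KEYBLOCK" > "$DEMO/hosts/server_01"
printf 'Subnet = 10.0.0.2/32\n%s\n' "$KEYBLOCK" > "$DEMO/hosts/client_01"
printf 'Subnet = 10.0.0.3/32\n%s\n' "$KEYBLOCK" > "$DEMO/hosts/client_02"

# broken set: client_01 was copied before its key was generated, and client_02's Subnet
# collides with server_01's
printf 'Address = 203.0.113.10\nSubnet = 10.0.0.1/32\n%s\n' "$KEYBLOCK" > "$DEMO/bad_hosts/server_01"
printf 'Subnet = 10.0.0.2/32\n' > "$DEMO/bad_hosts/client_01"
printf 'Subnet = 10.0.0.1/32\n%s\n' "$KEYBLOCK" > "$DEMO/bad_hosts/client_02"

if check_hosts_dir "$DEMO/hosts"; then
    echo "hosts: consistent"
fi
if ! check_hosts_dir "$DEMO/bad_hosts"; then
    echo "bad_hosts: problems found (see messages above)"
fi
```

On a real node, run check_hosts_dir /etc/tinc/netname/hosts on each machine after Step 4; because every node should end up with the same set of host files, the output should be identical everywhere, and a node that reports a missing key is the one whose file was copied too early.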

Step 5 — Testing the Configuration

On each node, starting with server-01, start tinc with the following command:

All servers

    sudo tincd -n netname -D -d3

This command includes the -n flag, which points to the netname for our VPN, netname. This is useful if you have more than one VPN set up and you need to specify which one you want to start. It also includes the -D flag, which prevents tinc from forking and detaching, as well as disabling tinc's automatic restart mechanism. Lastly, it includes the -d flag, which tells tinc to run in debug mode, with a debug level of 3.

Note: When it comes to the tinc daemon, a debug level of 3 will show every request exchanged between any two of the servers, including authentication requests, key exchanges, and connection list updates. Higher debug levels show more information regarding network traffic, but for now we're only concerned with whether the nodes can communicate with one another, so a level of 3 will suffice. In a production scenario, though, you would want to change to a lower debug level so as not to fill disks with log files.

You can learn more about tinc's debug levels by reviewing the official documentation.

After starting the daemon on each node, you should see output with the names of each node as they connect to server-01. Now let's test the connection over the VPN.

In a separate window, on client-02, ping client-01's VPN IP address. We assigned this to be 10.0.0.2, earlier:

client-02

    ping 10.0.0.2

The ping should work correctly, and you should see some debug output in the other windows about the connection on the VPN. This indicates that client-02 is able to communicate over the VPN through server-01 to client-01. Press CTRL+C to quit pinging.

You may also use the VPN interfaces for any other network communication, like application connections, copying files, and SSH.

On each tinc daemon debug window, quit the daemon by pressing CTRL+\.

Step 6 — Configuring Tinc To Start Up on Boot

Ubuntu servers use systemd as the default system manager to control starting and running processes. Because of this, we can enable the netname VPN to start up automatically at boot with a single systemctl command.

Run the following command on each node to set the tinc VPN to start up whenever the machines boot:

All servers

    sudo systemctl enable tinc@netname

Tinc is now configured to start at boot on each of your machines and you can control it with the systemctl command. If you would like to start it now, run the following command on each of your nodes:

All servers

    sudo systemctl start tinc@netname

Note: If you have multiple VPNs, you can enable or start each of them at once, like this:

All servers

    sudo systemctl start tinc@netname_01 tinc@netname_02 … tinc@netname_n

With that, your tinc VPN is fully configured and running on each of your nodes.

Conclusion

Now that you have gone through this tutorial, you should have a good foundation to build out your VPN to meet your needs. Tinc is very flexible, and any node can be configured to connect to any other node (that it can access over the network), so it can act as a mesh VPN without relying on one individual node.

Source: https://www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-18-04
