Reference: https://www.linode.com/docs/networking/vpn/how-to-set-up-tinc-peer-to-peer-vpn/

It is expected that you will duplicate this directory and its contents.

These config values mean the following:
- {HOSTNAME}: custom id for the box you'll be connecting to the mesh
- {SUBNET}: number in the range [0, 255] you must obtain from mesh admins
- {DNS}: custom domain for your home devices used before the ".home" suffix
- terracrypt: name of the mesh network
- grandline, alpha: hostnames for the mesh gateways

Install and initial setup (ssh):

    opkg install tinc
    mkdir -p /etc/tinc/terracrypt/hosts
    # generates keypair: /etc/tinc/terracrypt/rsa_key.priv
    #                    /etc/tinc/terracrypt/hosts/{HOSTNAME}
    # when prompted where to save, use the two paths above, substituting a unique
    # name for your box for the placeholder {HOSTNAME}; for example, we don't
    # want multiple hosts trying to call themselves "OpenWrt" on the mesh
    tincd -n terracrypt -K 4096

Modify these files (ssh):
- /etc/tinc/terracrypt/hosts/{HOSTNAME}
  - Add this line to the beginning: "Subnet = 10.4.{SUBNET}.0/24"
  - Coordinate with the network owner to determine your {SUBNET}
- Make sure /etc/tinc/terracrypt/*-{up,down} are executable:

    chmod +x /etc/tinc/terracrypt/*-*

Send the public key file to the network owner and get them to install it (ssh):

    /etc/tinc/terracrypt/hosts/{HOSTNAME}

Create new interface (LuCI):
- Navigate: Network > Interfaces > Add new interface...
- Name: terracrypt
- Protocol: Unmanaged
- Bridge interfaces: UNCHECKED
- Interface: Ethernet Adapter: "terracrypt" (terracrypt)
- Click: Create interface
- Choose tab: Firewall Settings
- In the drop-down, type "terracrypt" into the text box and press Enter
- Click: Save
- Click: Save & Apply

Modify firewall rules (LuCI):
- Navigate: Network > Firewall
- Click: Edit (in the row with "terracrypt" on the left side of the arrow)
- Name: terracrypt
- Input: accept
- Output: accept
- Forward: accept
- Masquerading: UNCHECKED
- MSS clamping: UNCHECKED
- Covered networks: CHECK "terracrypt" in drop-down
- Allow forward to destination zones: CHECK "lan" in drop-down
- Allow forward from source zones: CHECK "lan" in drop-down
- Click: Save
- Click: Save & Apply

Restart tinc service (LuCI):
- Navigate: System > Startup
- Click: Restart (in the row for tinc)

Test (local computer or ssh):

    ping 10.4.11.30

Add custom DNS resolvers (LuCI):
# {DNS} is your custom domain; probably your name or a nick-name
# examples of current {DNS}: schwa, jfred, athena
- Navigate: Network > DHCP and DNS
- Local server: /{DNS}.home/
- Local domain: {DNS}.home
- DNS forwardings: use the "+" button as necessary to add:
  - /schwa.home/10.4.11.1#53
  - /jfred.home/10.4.42.4#553
  - /athena.home/10.4.7.1#53
- Allow localhost: CHECKED
- Domain whitelist: use the "+" button as necessary to add:
  - schwa.home
  - jfred.home
  - vpn.jahschwa.com
- Click: Save & Apply
- Notify network admins of your new {DNS} home domain

Test (local computer or ssh):

    ping tri.schwa.home
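For anyone who would rather apply the interface, firewall zone and DNS sections over ssh than click through LuCI, the fragments below are the /etc/config entries those LuCI screens write. This is an added example, not something shipped in this repository; {DNS} is left as the placeholder from the notes, and the field mapping assumed is the standard LuCI one ("Local server" = local, "Local domain" = domain, "DNS forwardings" = server, "Allow localhost" = rebind_localhost, "Domain whitelist" = rebind_domain).

```uci
# /etc/config/network  (Create new interface: Unmanaged, not bridged)
config interface 'terracrypt'
	option proto 'none'
	option device 'terracrypt'

# /etc/config/firewall  (Modify firewall rules)
config zone
	option name 'terracrypt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'
	option mtu_fix '0'
	list network 'terracrypt'

config forwarding
	option src 'terracrypt'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'terracrypt'

# /etc/config/dhcp  (Add custom DNS resolvers; {DNS} is your own domain)
config dnsmasq
	option local '/{DNS}.home/'
	option domain '{DNS}.home'
	option rebind_protection '1'
	option rebind_localhost '1'
	list server '/schwa.home/10.4.11.1#53'
	list server '/jfred.home/10.4.42.4#553'
	list server '/athena.home/10.4.7.1#53'
	list rebind_domain 'schwa.home'
	list rebind_domain 'jfred.home'
	list rebind_domain 'vpn.jahschwa.com'
```

Two things to keep in mind when reading the zone: `input 'ACCEPT'` means every peer on the mesh can reach services listening on the router itself, not just the devices behind it, and the two `forwarding` sections open both directions between lan and the mesh; that is exactly what the LuCI steps ask for, so keep the list of peers you accept host files from short. The `rebind_domain` entries are what let dnsmasq return the 10.4.x.x answers for the other members' home domains without tripping rebind protection, which is why a new {DNS} domain has to be announced to the admins so they can add it on their side.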
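The "Modify these files" step above is where most first-time joins go wrong (Subnet line missing or in the wrong place, key never generated, tinc-up not executable, private key left world-readable). The following pre-flight script is an added example written for these notes; it is not part of this repository or of tinc. It assumes the directory layout the notes describe (DIR/rsa_key.priv, DIR/hosts/{HOSTNAME}, DIR/tinc-up, DIR/tinc-down, with DIR normally /etc/tinc/terracrypt) and that the host file carries the "BEGIN RSA PUBLIC KEY" block that `tincd -K` appends.

```shell
#!/bin/sh
# Pre-flight check for a tinc node directory laid out as in the notes above.
# Added example, not part of the original notes or of tinc.
# Assumed layout (from the notes): DIR/rsa_key.priv, DIR/hosts/HOSTNAME,
# DIR/tinc-up and DIR/tinc-down. DIR is normally /etc/tinc/terracrypt.

# check_tinc_config DIR HOSTNAME SUBNET
# Prints every problem found and returns 0 only if all checks pass.
check_tinc_config() {
    dir=$1 host=$2 subnet=$3 rc=0
    hostfile="$dir/hosts/$host"

    # {SUBNET} must be an integer in [0, 255]: it becomes the third octet
    case "$subnet" in
        ''|*[!0-9]*) echo "subnet '$subnet' is not a number"; return 1 ;;
    esac
    if [ "$subnet" -gt 255 ]; then
        echo "subnet $subnet is outside [0, 255]"; return 1
    fi

    # the node name must be unique; the stock "OpenWrt" name would collide
    if [ "$host" = "OpenWrt" ]; then
        echo "host name 'OpenWrt' is not unique; pick a custom name"; rc=1
    fi

    # private key must exist and must not be readable by group or other
    if [ ! -f "$dir/rsa_key.priv" ]; then
        echo "missing private key $dir/rsa_key.priv"; rc=1
    elif [ "$(ls -l "$dir/rsa_key.priv" | cut -c5-10)" != "------" ]; then
        echo "rsa_key.priv is readable by others; run: chmod 600 $dir/rsa_key.priv"; rc=1
    fi

    # host file: Subnet line first, then the public key that tincd -K appended
    if [ ! -f "$hostfile" ]; then
        echo "missing host file $hostfile"; rc=1
    else
        if [ "$(head -n 1 "$hostfile")" != "Subnet = 10.4.$subnet.0/24" ]; then
            echo "first line of $hostfile must be: Subnet = 10.4.$subnet.0/24"; rc=1
        fi
        if ! grep -q 'BEGIN RSA PUBLIC KEY' "$hostfile"; then
            echo "$hostfile has no public key; run: tincd -n terracrypt -K 4096"; rc=1
        fi
    fi

    # tinc-up / tinc-down must be executable or the interface never comes up
    for script in tinc-up tinc-down; do
        if [ ! -x "$dir/$script" ]; then
            echo "$dir/$script is missing or not executable; run: chmod +x $dir/$script"; rc=1
        fi
    done

    return $rc
}

# Usage: sh check.sh /etc/tinc/terracrypt {HOSTNAME} {SUBNET}
if [ $# -eq 3 ]; then
    check_tinc_config "$1" "$2" "$3"
    exit $?
fi
```

Run it on the router before sending the host file to the network owner; a zero exit status means the file they receive has the Subnet line and key in the form the notes ask for, and that nothing on the box can read the private key except root.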