tinc
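# netname=vpn
# Client-side setup. Comments use '#' so the snippet can be pasted as-is
# ('//...' lines would be executed as commands and fail).
apt update && apt install tinc
# Absolute paths below, so nothing depends on a cd that may have failed.
mkdir -p /etc/tinc/vpn/hosts
# The server side does not need the ConnectTo line.
cat >/etc/tinc/vpn/tinc.conf<<'EOF'
Name = xx2
ConnectTo = master
EOF
# tincd exports INTERFACE to tinc-up/tinc-down; the heredoc delimiter is quoted
# so the expansion happens when the hook runs, not now.
cat >/etc/tinc/vpn/tinc-up<<'EOF'
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 10.0.7.10/24 dev "$INTERFACE"
EOF
cat >/etc/tinc/vpn/tinc-down<<'EOF'
#!/bin/sh
ip link set "$INTERFACE" down
EOF
chmod +x /etc/tinc/vpn/tinc-*
# Generates rsa_key.priv for this node and appends its public key to hosts/xx2
# (the Name from tinc.conf).
tincd -n vpn -K 4096
# Copy the server's public key file (hosts/master) to this machine.
# Copy this client's public key file (hosts/xx2) to the server.
# on client -- public_IP is a placeholder for the server's reachable address
sed -i '1 i Address = public_IP' /etc/tinc/vpn/hosts/master
sed -i '1 i Subnet = 10.0.7.10/32' /etc/tinc/vpn/hosts/xx2
# on server
sed -i '1 i Subnet = 0.0.0.0/0' /etc/tinc/vpn/hosts/master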
├── nets.boot ->systemd下不起作用
└── vpn ->连接网络名(netname=vpn)
├── hosts ->存放多个公钥的目录
│ ├── master ->服务端公钥
│ ├── master-down ->断开后执行的脚本
│ ├── master-up ->连接后执行的脚本(前缀对应连接名字)
│ └── xx2 ->客户端公钥
├── rsa_key.priv ->客户端私钥(权限600)
├── tinc.conf ->配置文件
├── tinc-down ->服务停止后执行的脚本
└── tinc-up ->服务启动后执行的脚本
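apt install iproute2
# Register routing table 50 as "lan" exactly once: re-running this snippet must
# not append a duplicate line. printf instead of 'echo -e' (non-portable).
grep -q '[[:space:]]lan$' /etc/iproute2/rt_tables || printf '50\tlan\n' >> /etc/iproute2/rt_tables
# Host hooks are named after the remote node: hosts/master-up runs once the
# connection to "master" is established. Traffic sourced from the VPN subnet
# is steered through the VPN gateway via table "lan"; the main table is untouched.
cat >/etc/tinc/vpn/hosts/master-up<<'EOF'
#!/bin/sh
ip rule add from 10.0.7.0/24 table lan
ip route add default via 10.0.7.1 dev vpn table lan
EOF
# Tear down in reverse order when the connection to "master" goes away.
cat >/etc/tinc/vpn/hosts/master-down<<'EOF'
#!/bin/sh
ip route del default via 10.0.7.1 dev vpn table lan
ip rule del from 10.0.7.0/24 table lan
EOF
chmod +x /etc/tinc/vpn/hosts/master-*
systemctl enable tinc@vpn
systemctl start tinc@vpn
# ifconfig belongs to net-tools, which is not installed above; ip ships with iproute2.
ip addr show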
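# server
# Expose TCP/443 of the public address on the VPN client 10.0.7.10 and
# source-NAT traffic from the VPN range behind the public address.
# public_IP is a placeholder for the server's real address.
# DNATed packets still traverse the FORWARD chain and need net.ipv4.ip_forward=1;
# neither is configured on this page. These rules are not persistent by themselves.
iptables -t nat -A PREROUTING -p tcp -d public_IP -m tcp --dport 443 -j DNAT --to 10.0.7.10:443
iptables -t nat -A POSTROUTING -m iprange --src-range 10.0.7.2-10.0.7.20 -j SNAT --to-source public_IP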
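#!/bin/sh
# Install ifupdown hooks that persist iptables rules across reboots:
# save when an interface goes down, restore before one comes up.
DOWN='/etc/network/if-post-down.d'
UP='/etc/network/if-pre-up.d'
# 'cat >' already truncates the target, so no separate '>file' step is needed.
# Quoted delimiter: the hook bodies contain no expansions and are written verbatim.
cat > "$DOWN/iptables" <<'EOF'
#!/bin/sh
iptables-save > /etc/iptables.rules
EOF
# On the first boot after installation /etc/iptables.rules does not exist yet;
# an unconditional iptables-restore would fail, and a failing pre-up hook
# aborts ifup for that interface.
cat > "$UP/iptables" <<'EOF'
#!/bin/sh
if [ -r /etc/iptables.rules ]; then
  iptables-restore < /etc/iptables.rules
fi
EOF
chmod +x "$DOWN/iptables" "$UP/iptables"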
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
redirecting the default gateway to a host on the VPN
Scripts
default route (linux)
master-up
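#!/bin/sh
# master-up: route all traffic through the VPN while the connection to "master" is up.
# tincd exports INTERFACE (the VPN device) and REMOTEADDRESS (master's real address)
# to host-up scripts; both are required here.
VPN_GATEWAY=10.0.7.1

# Print the gateway of the current default route, or nothing if there is none
# or it has no "via". Reading the "default via X" fields replaces the fragile
# dotted-quad regex and takes only the first match (the old pipeline could
# return several lines when more than one default route exists).
default_gateway() {
  ip route show | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

if [ -z "${INTERFACE:-}" ] || [ -z "${REMOTEADDRESS:-}" ]; then
  echo "master-up: INTERFACE and REMOTEADDRESS must be set (script is meant to be run by tincd)" >&2
  exit 1
fi

ORIGINAL_GATEWAY=$(default_gateway)
if [ -z "$ORIGINAL_GATEWAY" ]; then
  echo "master-up: no default gateway found, routes left untouched" >&2
  exit 1
fi

# Keep the tunnel endpoint reachable through the real gateway, then shadow the
# default route with two /1 routes (more specific than 0.0.0.0/0, so the
# original default route stays in place and master-down can read it back).
ip route add "$REMOTEADDRESS" via "$ORIGINAL_GATEWAY"
ip route add 0.0.0.0/1 via "$VPN_GATEWAY" dev "$INTERFACE"
ip route add 128.0.0.0/1 via "$VPN_GATEWAY" dev "$INTERFACE"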
master-down
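#!/bin/sh
# master-down: undo master-up once the connection to "master" is gone.
# The /1 routes were added alongside (not instead of) the original default
# route, so that route is still present and the real gateway can be re-read.
# tincd exports INTERFACE and REMOTEADDRESS to host-down scripts.

# Print the gateway of the current default route, or nothing if absent.
# Same parsing as master-up; first match only.
default_gateway() {
  ip route show | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

if [ -z "${INTERFACE:-}" ] || [ -z "${REMOTEADDRESS:-}" ]; then
  echo "master-down: INTERFACE and REMOTEADDRESS must be set (script is meant to be run by tincd)" >&2
  exit 1
fi

ORIGINAL_GATEWAY=$(default_gateway)
if [ -n "$ORIGINAL_GATEWAY" ]; then
  ip route del "$REMOTEADDRESS" via "$ORIGINAL_GATEWAY"
else
  # Without a gateway the old script ran 'ip route del <addr> via' with a missing
  # argument; report instead and still clean up the VPN routes below.
  echo "master-down: no default gateway found, host route to $REMOTEADDRESS not removed" >&2
fi
ip route del 0.0.0.0/1 dev "$INTERFACE"
ip route del 128.0.0.0/1 dev "$INTERFACE"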