# Company:  PowerCraft Technology
# Author:   Copyright Jelle de Jong <jelledejong@powercraft.nl>
# Note:     Please send me an email if you enhanced the document
# Date:     2010-05-24 / 2010-07-04
# License:  CC-BY-SA

# This document is free documentation; you can redistribute it and/or
# modify it under the terms of the Creative Commons Attribution Share
# Alike as published by the Creative Commons Foundation; either version
# 3.0 of the License, or (at your option) any later version.
#
# This document is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# Creative Commons BY-SA License for more details.
#
# https://creativecommons.org/licenses/by-sa/

#-----------------------------------------------------------------------

# for commercial support contact me, part of the revenue go back to tinc

#-----------------------------------------------------------------------

# https://www.tinc-vpn.org/
# https://www.tinc-vpn.org/documentation/tinc_toc

#-----------------------------------------------------------------------

# this is the configuration of the roxy system

#-----------------------------------------------------------------------

unset LANG LANGUAGE LC_ALL
apt-get update; apt-get dist-upgrade

apt-cache show tinc
apt-get install tinc/testing

#-----------------------------------------------------------------------

/etc/init.d/tinc stop

#-----------------------------------------------------------------------

# ls -hal /dev/net/tun
crw------- 1 root root 10, 200 May 24 15:53 /dev/net/tun

# grep tinc /etc/services
tinc        655/tcp             # tinc control port
tinc        655/udp

# getent services tinc/udp
tinc        655/udp
# getent services tinc/tcp
tinc        655/tcp

cat /usr/share/doc/tinc/README.Debian
zcat /usr/share/doc/tinc/README.gz | less
zcat /usr/share/doc/tinc/NEWS.gz | less
cat /usr/share/doc/tinc/examples/tinc-up
w3m /usr/share/doc/tinc/tinc_0.html

#-----------------------------------------------------------------------

vim /etc/default/tinc
EXTRA="-d"
cat /etc/default/tinc

# less /etc/init.d/tinc

#-----------------------------------------------------------------------

ifconfig -a
route -n

#-----------------------------------------------------------------------

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0d:b9:1a:44:6c
          inet addr:84.245.9.246  Bcast:84.245.9.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4863 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2958 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4302418 (4.1 MiB)  TX bytes:303100 (295.9 KiB)
          Interrupt:10 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:0d:b9:1a:44:6d
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:11 Base address:0x1400

eth2      Link encap:Ethernet  HWaddr 00:0d:b9:1a:44:6e
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:15 Base address:0x1800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:96572 (94.3 KiB)  TX bytes:96572 (94.3 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
84.245.9.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         84.245.9.1      0.0.0.0         UG    0      0        0 eth0

#-----------------------------------------------------------------------

# client01 configuration

cat /etc/tinc/nets.boot
echo 'powercraft01' | sudo tee --append /etc/tinc/nets.boot
cat /etc/tinc/nets.boot

#-----------------------------------------------------------------------

sudo mkdir --verbose /etc/tinc/powercraft01/
sudo mkdir --verbose /etc/tinc/powercraft01/hosts/
sudo touch /etc/tinc/powercraft01/tinc.conf

#-----------------------------------------------------------------------

# on server
cat /etc/tinc/powercraft01/hosts/server01

# on client, copy cert data of server to client
sudo vim /etc/tinc/powercraft01/hosts/server01

# on client, add on head of file
Address = powercraft.nl 656
Address = 84.245.3.195 656
Address = tinc-vpn.powercraft.nl 656
Address = powercraft.nl 655
Address = 84.245.3.195 655
Address = tinc-vpn.powercraft.nl 655

#-----------------------------------------------------------------------

echo 'ConnectTo = server01
Device = /dev/net/tun
Interface = tun1
Mode = switch
Name = client01' | sudo tee /etc/tinc/powercraft01/tinc.conf

sudo cat /etc/tinc/powercraft01/tinc.conf
sudo chmod 644 /etc/tinc/powercraft01/tinc.conf
ls -hal /etc/tinc/powercraft01/tinc.conf

echo '#!/bin/sh
ifconfig $INTERFACE 0.0.0.0' | tee /etc/tinc/powercraft01/tinc-up

sudo cat /etc/tinc/powercraft01/tinc-up
sudo chmod 755 /etc/tinc/powercraft01/tinc-up
ls -hal /etc/tinc/powercraft01/tinc-up

echo '#!/bin/sh
# ifconfig tun1 hw ether 00:ff:5d:ea:b4:ec
ifup $INTERFACE &' | sudo tee /etc/tinc/powercraft01/hosts/server01-up

sudo cat /etc/tinc/powercraft01/hosts/server01-up
sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-up
ls -hal /etc/tinc/powercraft01/hosts/server01-up

echo '#!/bin/sh
ifconfig $INTERFACE down' | sudo tee /etc/tinc/powercraft01/tinc-down

sudo cat /etc/tinc/powercraft01/tinc-down
sudo chmod 755 /etc/tinc/powercraft01/tinc-down
ls -hal /etc/tinc/powercraft01/tinc-down

echo '#!/bin/sh
ifdown $INTERFACE' | sudo tee /etc/tinc/powercraft01/hosts/server01-down

sudo cat /etc/tinc/powercraft01/hosts/server01-down
sudo chmod 755 /etc/tinc/powercraft01/hosts/server01-down
ls -hal /etc/tinc/powercraft01/hosts/server01-down

#-----------------------------------------------------------------------

sudo rm /etc/tinc/powercraft01/rsa_key.priv
sudo rm /etc/tinc/powercraft01/hosts/client10
sudo tincd -n powercraft01 -K

#-----------------------------------------------------------------------

# on client add on head of file
sudo vim /etc/tinc/powercraft01/hosts/client01
Compression = 9
PMTU = 1492
PMTUDiscovery = yes
Port = 656
# Cipher = aes-128-cbc

# on client
sudo cat /etc/tinc/powercraft01/hosts/client01

# on server, copy cert data of client to server
vim /etc/tinc/powercraft01/hosts/client01

#-----------------------------------------------------------------------

# watch out when using multiple dhcp clients there can be conflicts

echo 'interface "tun1" {
  request subnet-mask, broadcast-address, time-offset,
    host-name, netbios-scope, interface-mtu, ntp-servers;
}' | tee --append /etc/dhcp3/dhclient.conf

cat /etc/dhcp3/dhclient.conf

#-----------------------------------------------------------------------

vim /etc/network/interfaces

iface tun1 inet dhcp
  pre-up ifconfig tun1 down || true
  pre-up ifconfig tun1 hw ether 9a:f6:50:3b:c0:48 || true
  post-up route del default dev tun1 || true
  # pre-down /etc/init.d/munin-node stop || true
  # post-up /etc/init.d/munin-node restart || true
  # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/tun1/proxy_arp || true
  # optional # post-up /bin/echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp || true
  # optional # post-up route add -net 192.168.2.0 netmask 255.255.255.0 tun1 || true
  # optional # pre-down route del -net 192.168.2.0 netmask 255.255.255.0 tun1 || true

#-----------------------------------------------------------------------

ifdown tun1; ifdown tun1

#-----------------------------------------------------------------------

sudo /etc/init.d/tinc stop
fg
sudo /usr/sbin/tincd --net powercraft01 --no-detach --debug=5

#-----------------------------------------------------------------------

sudo /etc/init.d/tinc start

#-----------------------------------------------------------------------

# tincd --version
tinc version 1.0.13 (built Apr 13 2010 10:27:56, protocol 17)

#-----------------------------------------------------------------------

tincd -n powercraft01 -kUSR2
tail -n 100 /var/log/syslog

#-----------------------------------------------------------------------

May 24 19:43:59 roxy tinc.powercraft01[5104]: Statistics for Linux tun/tap device (tap mode) /dev/net/tun:
May 24 19:43:59 roxy tinc.powercraft01[5104]:  total bytes in:         830
May 24 19:43:59 roxy tinc.powercraft01[5104]:  total bytes out:        914
May 24 19:43:59 roxy tinc.powercraft01[5104]: Nodes:
May 24 19:43:59 roxy tinc.powercraft01[5104]:  client01 at MYSELF cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop client01 via client01 pmtu 1518 (min 0 max 1518)
May 24 19:43:59 roxy tinc.powercraft01[5104]:  server01 at 84.245.3.195 port 656 cipher 91 digest 64 maclength 4 compression 9 options c status 001a nexthop server01 via server01 pmtu 1416 (min 1416 max 1416)
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of nodes.
May 24 19:43:59 roxy tinc.powercraft01[5104]: Edges:
May 24 19:43:59 roxy tinc.powercraft01[5104]:  client01 to server01 at 84.245.3.195 port 656 options c weight 413
May 24 19:43:59 roxy tinc.powercraft01[5104]:  server01 to client01 at 84.245.9.246 port 655 options c weight 413
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of edges.
May 24 19:43:59 roxy tinc.powercraft01[5104]: Subnet list:
May 24 19:43:59 roxy tinc.powercraft01[5104]:  0:1b:21:61:af:d7#10 owner server01
May 24 19:43:59 roxy tinc.powercraft01[5104]:  56:fc:c2:fd:69:10#10 owner server01
May 24 19:43:59 roxy tinc.powercraft01[5104]:  ea:3:e7:3d:46:20#10 owner client01
May 24 19:43:59 roxy tinc.powercraft01[5104]: End of subnet list.

#-----------------------------------------------------------------------

# ifconfig -a
ifconfig tun1
route -n

#-----------------------------------------------------------------------

# ifconfig tun1
tun1      Link encap:Ethernet  HWaddr ea:03:e7:3d:46:20
          inet addr:192.168.3.201  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:9342 (9.1 KiB)  TX bytes:9088 (8.8 KiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
84.245.9.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 tun1
0.0.0.0         84.245.9.1      0.0.0.0         UG    0      0        0 eth0

#-----------------------------------------------------------------------

ping -c 2 192.168.3.1
ping -c 2 -M dont -s 1500 192.168.3.1

#-----------------------------------------------------------------------

lsof -i :655
lsof -i :656

#-----------------------------------------------------------------------

# Accept new connections for fordwarding designated from our virtual private netwerk to the local network
/sbin/iptables --append FORWARD --in-interface ${VPN01} --out-interface ${LAN01} --jump ACCEPT
/sbin/iptables --append FORWARD --in-interface ${LAN01} --out-interface ${VPN01} --jump ACCEPT

# Use masquerade so the outside world sees only one ip source for all outgoing trafic
/sbin/iptables --table nat --append POSTROUTING --out-interface ${VPN01} --jump MASQUERADE

#-----------------------------------------------------------------------