I used to build VPNs with OpenVPN. Once there are more than two sites, you need a star (hub-and-spoke) topology for every site to reach every other one. That creates a problem: traffic between, say, two branch offices in the same province has to detour through the core site, for example a VPN server in Beijing, which adds a great deal of needless latency.
Looking for a way to meet this need, I found that the VPN software tinc can do it.
tinc is open source; its website is https://www.tinc-vpn.org.
Below is an example showing how to configure a tinc VPN in a full mesh topology.
Three sites, Beijing, Berlin and Las Vegas, each with a local LAN behind it; the three sites are required to form a full mesh.
Here is the step-by-step log:
tinc is available in the EPEL repository for CentOS; install it with yum.
1. [Beijing]
Beijing]# yum install tinc
Beijing]# mkdir -p /etc/tinc/netname/hosts
Beijing]# vi /etc/tinc/netname/tinc.conf
==> Name = Beijing
==> AddressFamily = ipv4
==> Interface = tun0
==> ConnectTo = Lasvegas
==> ConnectTo = Berlin
Beijing]# vi /etc/tinc/netname/hosts/Beijing
==> Address = Beijing_public_IP
==> Subnet = 10.0.0.1/32
==> Subnet = 172.16.3.0/24
Beijing]# tincd -n netname -K4096
Beijing]# vi /etc/tinc/netname/tinc-up
==> #!/bin/sh
==> ip link set $INTERFACE up
==> ip addr add 10.0.0.1/24 dev $INTERFACE
==> ip route add 192.168.133.0/24 dev $INTERFACE
==> ip route add 192.168.184.0/24 dev $INTERFACE
Beijing]# vi /etc/tinc/netname/tinc-down
==> #!/bin/sh
==> ip link set $INTERFACE down
Beijing]# chmod 755 /etc/tinc/netname/tinc-*
2. [Las Vegas]
Lasvegas]# yum install tinc
Lasvegas]# mkdir -p /etc/tinc/netname/hosts
Lasvegas]# vi /etc/tinc/netname/tinc.conf
==> Name = Lasvegas
==> AddressFamily = ipv4
==> Interface = tun0
==> ConnectTo = Beijing
==> ConnectTo = Berlin
Lasvegas]# vi /etc/tinc/netname/hosts/Lasvegas
==> Address = Lasvegas_public_IP
==> Subnet = 10.0.0.2/32
==> Subnet = 192.168.184.0/24
Lasvegas]# tincd -n netname -K4096
Lasvegas]# vi /etc/tinc/netname/tinc-up
==> #!/bin/sh
==> ip link set $INTERFACE up
==> ip addr add 10.0.0.2/24 dev $INTERFACE
==> ip route add 172.16.3.0/24 dev $INTERFACE     # Beijing LAN
==> ip route add 192.168.133.0/24 dev $INTERFACE  # Berlin LAN (not Las Vegas's own 192.168.184.0/24)
Lasvegas]# vi /etc/tinc/netname/tinc-down
==> #!/bin/sh
==> ip link set $INTERFACE down
Lasvegas]# chmod 755 /etc/tinc/netname/tinc-*
3. [Berlin]
Berlin]# yum install tinc
Berlin]# mkdir -p /etc/tinc/netname/hosts
Berlin]# vi /etc/tinc/netname/tinc.conf
==> Name = Berlin
==> AddressFamily = ipv4
==> Interface = tun0
==> ConnectTo = Beijing
==> ConnectTo = Lasvegas
Berlin]# vi /etc/tinc/netname/hosts/Berlin
==> Address = Berlin_public_IP
==> Subnet = 10.0.0.3/32
==> Subnet = 192.168.133.0/24
Berlin]# tincd -n netname -K4096
Berlin]# vi /etc/tinc/netname/tinc-up
==> #!/bin/sh
==> ip link set $INTERFACE up
==> ip addr add 10.0.0.3/24 dev $INTERFACE
==> ip route add 172.16.3.0/24 dev $INTERFACE     # Beijing LAN
==> ip route add 192.168.184.0/24 dev $INTERFACE  # Las Vegas LAN (not Berlin's own 192.168.133.0/24)
Berlin]# vi /etc/tinc/netname/tinc-down
==> #!/bin/sh
==> ip link set $INTERFACE down
Berlin]# chmod 755 /etc/tinc/netname/tinc-*
4. Copy the hosts files to every server
Whichever method you use, scp or sftp, in the end the /etc/tinc/netname/hosts directory on every machine must contain the configuration file of every VPN node, as shown below:
--/etc
  --tinc
    --netname
      --hosts
        --Beijing
        --Berlin
        --Lasvegas
5. Start tinc on every VPN node
]# tincd -n netname -D -d3
(-D keeps tincd in the foreground and -d3 raises the debug level, which is handy for watching the nodes connect to each other.)
6. Enable it at boot
]# systemctl enable tinc@$VPN_NAME
]# systemctl start tinc@$VPN_NAME
(here $VPN_NAME is netname)
Note 1: changing the listening port
If the network firewall restricts low-numbered ports, tinc can listen on any port you choose (the default is 655): just append the port number to the Address line in the hosts file. The port tincd itself binds to is taken from the Port variable in the node's own hosts file; the port given on the Address line is what the other nodes connect to, so keep the two in agreement.
Address = address [port]
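As an added example (not from the original post, and not tinc's own tooling), this POSIX shell script generates the tinc.conf, hosts/<Name>, tinc-up and tinc-down files for every node of a full mesh from a single node list, so that the ConnectTo lines and the routes to the other sites' LANs stay consistent on every node. It goes beyond the three-node case (any number of sites can be listed); the staging directory layout, the helper name gen_tinc_mesh and the Name:Public_IP:VPN_IP:LAN_subnet spec format are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the post. Generates full-mesh tinc files for every
# node from one list. Assumed: staging dir layout, node spec format
# Name:Public_IP:VPN_IP:LAN_subnet, IPv4 only, all VPN addresses in one /24.
# Keys are not generated here: run "tincd -n <netname> -K4096" on each box
# afterwards, then copy every hosts/<Name> file to every other node.
gen_tinc_mesh() {
    outdir=$1; netname=$2; shift 2
    nodes="$*"
    for spec in $nodes; do
        name=${spec%%:*}; rest=${spec#*:}
        pub=${rest%%:*}; rest=${rest#*:}
        vip=${rest%%:*}; lan=${rest#*:}
        d="$outdir/$name/etc/tinc/$netname"
        mkdir -p "$d/hosts"
        {
            echo "Name = $name"
            echo "AddressFamily = ipv4"
            echo "Interface = tun0"
            # ConnectTo every other node: this is what makes it a full mesh
            for peer in $nodes; do
                pname=${peer%%:*}
                [ "$pname" = "$name" ] || echo "ConnectTo = $pname"
            done
        } > "$d/tinc.conf"
        # Host file: public endpoint plus the subnets this node announces
        printf 'Address = %s\nSubnet = %s/32\nSubnet = %s\n' \
            "$pub" "$vip" "$lan" > "$d/hosts/$name"
        {
            echo '#!/bin/sh'
            echo 'ip link set $INTERFACE up'
            echo "ip addr add $vip/24 dev \$INTERFACE"
            # Route only the OTHER sites' LANs into the tunnel; sending a
            # node's own LAN to tun0 would black-hole its local traffic.
            for peer in $nodes; do
                pname=${peer%%:*}; plan=${peer##*:}
                [ "$pname" = "$name" ] || echo "ip route add $plan dev \$INTERFACE"
            done
        } > "$d/tinc-up"
        printf '#!/bin/sh\nip link set $INTERFACE down\n' > "$d/tinc-down"
        chmod 755 "$d/tinc-up" "$d/tinc-down"
    done
}

# The three sites from the post (public IPs are placeholders, as in the post)
gen_tinc_mesh ./tinc-staging netname \
    Beijing:Beijing_public_IP:10.0.0.1:172.16.3.0/24 \
    Lasvegas:Lasvegas_public_IP:10.0.0.2:192.168.184.0/24 \
    Berlin:Berlin_public_IP:10.0.0.3:192.168.133.0/24
```

After copying each node's directory to /etc/tinc on that server, generate its key pair with tincd -n netname -K4096 and distribute the hosts/<Name> files as in step 4.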