GithubHelp home page GithubHelp logo

docker-tinc's Introduction

MESH based Site2Site VPN with Tinc in Docker

Info

Docker host

You have to enable TUN interface on your docker host.

modprobe tun

Build

docker build -t croc/tinc .

Run

The auto-config procedure:

  • start the tinc container on all site
  • synchronize the hosts file to all other sites (recommended way with syncthing/syncthing or resilio/sync container)
  • restart the tinc container on all site

I recommend to use docker-compose method on all sites, but here is a short example for docker run:

First start the 1st container (site1):

docker run -tid --name=tinc --net=host --privileged -e SITENAME=site1 -e LANIP=192.168.1.254/24 -e SUBNET=192.168.1.0/24 -v /srv/tinc/config:/etc/tinc/site2site/hosts croc/tinc /opt/start.sh

2nd, 3rd... other containers (site2, site3 ....):

docker run -tid --name=tinc --net=host --privileged -e SITENAME=site2 -e LANIP=192.168.2.254/24 -e SUBNET=192.168.2.0/24 -v /srv/tinc/config:/etc/tinc/site2site/hosts croc/tinc /opt/start.sh

docker run -tid --name=tinc --net=host --privileged -e SITENAME=site3 -e LANIP=192.168.3.254/24 -e SUBNET=192.168.3.0/24 -e PUBADDR=8.9.1.1 -v /srv/tinc/config:/etc/tinc/site2site/hosts croc/tinc /opt/start.sh
...

You have to use --net=host and --privileged parameters, because the containers needs the tun/tap interface on the docker host.

  • /srv/tinc/config stores your tinc config on your docker host
  • the -e LANIP=... defines the container's IP on your LAN network
  • the -e SUBNET=... defines your LAN network. You can use wider network address like 192.168.0.0/22 or 172.17.0.0/19 or something similar... This is your choice.
  • if you have multiple WAN connection or something other reason, you can override the automatic public IP finder mechanism with -e PUBADDR=8.9.1.1 parameter for your public IP

Don't forget the latest step! (check the 'Usage' chapter for more info):

You have to restart every the tinc container on every host if the network doesn't work at the first time.

docker restart tinc

Docker-Compose

You can use docker-compose for starting the stack (tinc and sync solution), but do not forget the site specified config! Change your docker-compose.yml on every site, for site-local config.

Example:

docker-compose.yml:

...
      SITENAME: "test-site"
      LANIP: "192.168.230.253/24"
      SUBNET: "192.168.230.0/19"
...

Start the stack (with sync):

docker-compose up -d

... and ...

  • configure the sync (resilio or syncthing or other)
  • wait for the first config sync while other site configs arrive to the all hosts (1-5-10 mins)
  • restart the tinc or the full stack with docker-compose restart

Usage

You have to stop and start every container on every site 2 times:

  • 1st time, the start script generates the default config, and the host's SSL key
  • 2nd time, the script reads the config of the other sites and generates the "network up" script

If you've added a new site, you have to restart (stop, wait some seconds, start) every Tinc container on every site to rewrite a config for the new site.

You can check the syncronized and rewritten site config on your docker host's folder, example in the /srv/tinc/config folder.

DO NOT FORGET: Sync the config of the hosts/sites from the docker host'si! (example: /srv/tinc/config folder)

Extra parameters

  • EXTRA_PARAMS - You can use this parameter if you would like to run tinc in debug mode (example: -d 3 ) or something similar. Check the man page of tinc, and use that parameter.
  • PORT - tinc uses 655 tcp and udp port by default. You can change this with this paramter. If you use tinc behind a firewall, do not forget to forward this port to the tinc server. (Tinc use udp by default, but it is not availble automatically changes to tcp mode)

Extra stuff

Git-syncer

I recommend sync the Tinc's config files with Resilio or Syncthing BitTorrent based sync tools (more simpler and easier), but I've written a Git-based sync container. This is a basic container that will be upload and download the Tinc's config to a Git repo (Github, Bitbucket, Gogs, Gitlab, etc.)

Copy the docker-compose_gitsyncer.yml compose file to docker-compose.yml and chage the parameters (for tinc and for the git repo too!)

When the tinc stack is started, the git-syncer container will be uploading the latest site config to the Git repository. Sorry, but this is not a daemon! You have to restart this container or the stack (docker-compose restart) when the site config was changed. This is restart is the biggest disadvantage, and I think is not to stable for a long time. I strongly recommend, use another sync method to syncronize Tinc's config files.

Check my Github page and Wiki site for more information and examples.

Good Luck!

docker-tinc's People

Contributors

crocandr avatar

Stargazers

avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

leolinkspace ztaozhang gurjindersingh

docker-tinc's Issues

Generates new key at every startup

After syncing hosts I need to restart the container to load the new hosts, but when restarting it creates a new private key for itself:

tinc_1  | STARTED: Tue 17 Nov 2020 11:58:29 AM CET
tinc_1  | Generating 4096 bits keys:
tinc_1  | .......................................++++ p
tinc_1  | ........................................++++ q
tinc_1  | Done.
tinc_1  | Warning: old key(s) found and disabled.

This creates an loop scenario that makes it impossible to use this image.

It appears the entrypoint script does attempt to check if a key already exists, but it generates a new key regardless.

docker-compose:

  tinc:
    image: croc/tinc
    ports:
      - 26488:26488/tcp
      - 26488:26488/udp
    environment:
      - SITENAME=test
      - PORT=26488
      - PUBADDR=mydomain
      - LANIP=10.131.1.253/24
      - SUBNET=10.131.1.0/24
    volumes:
      - './tinc:/etc/tinc/site2site/hosts'
      - '/etc/localtime:/etc/localtime:ro'
    cap_add: ['net_admin']
    devices: ['/dev/net/tun:/dev/net/tun']
    restart: always

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.