
Building distributed mesh networks of LXC hosts

  • March 5, 2021 by Administrator

     

    Tinc is more secure than a GRE tunnel because its connections are encrypted. Tinc also gives you the ability to build a distributed mesh network. We are not covering Tinc’s extensive capabilities here; for those, please visit tinc-vpn.org

    For the networking gurus: Tinc can operate as a router in layer 3 mode or as a switch in layer 2 mode. For this example we are using Tinc in its default router mode.

    To avoid container IP clashes, we are going to change the default lxcbr0 subnet 10.0.3.0/24 on one side. Let’s do it on Host A.

    Change the subnet on Host A
    Edit the /etc/init.d/lxc-net script to change the LXC subnet on the lxcbr0 NAT network from 10.0.3.0/24 to 10.0.4.0/24. If you are on Ubuntu, edit the /etc/default/lxc-net file instead. Before doing this, stop the containers on Host A and stop the lxc-net service; then make the change and restart the lxc-net service.

    service lxc-net stop

    Edit the lxc-net script

    service lxc-net start

    So here is the network map.

    Host A has public IP 1.2.3.4
    Host B has public IP 2.3.4.5
    Containers in Host A are on subnet 10.0.4.0/24 via default lxcbr0 nat bridge
    Containers in Host B are on subnet 10.0.3.0/24 via default lxcbr0 nat bridge

    We are going to use 10.0.0.1 and 10.0.0.2 as the interface IPs for Tinc.

    Install Tinc on both Host A and B

    apt-get install tinc

    Tinc operates on a concept of network names for the private VPN. Let’s call our network ‘flockport’.

    In /etc/tinc/ on both Host A and Host B create a folder called ‘flockport’ and do the following.

    mkdir /etc/tinc/flockport

    This will hold our configuration for this network.

    Create a ‘hosts’ folder in the flockport folder

    mkdir /etc/tinc/flockport/hosts

    Create the following files in the flockport folder – tinc.conf, tinc-up, tinc-down

    touch tinc.conf tinc-up tinc-down

    Configure Tinc on Host A

    nano /etc/tinc/flockport/tinc.conf

    # You can use any name for your hosts
    Name = hosta
    AddressFamily = ipv4
    Interface = tun0

    nano tinc-up

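    #!/bin/bash
    # tincd exports the tunnel device name as $INTERFACE
    ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0
    # Route Host B's container subnet over the tunnel
    ip route add 10.0.3.0/24 dev $INTERFACE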

    nano tinc-down

    #!/bin/bash
    ifconfig $INTERFACE down
    ip route del 10.0.3.0/24 dev $INTERFACE

    nano /etc/tinc/flockport/hosts/hosta

    Address = 1.2.3.4
    Subnet = 10.0.4.0/24

    Configure Tinc on Host B

    nano /etc/tinc/flockport/tinc.conf

    Name = hostb
    AddressFamily = ipv4
    Interface = tun0
    ConnectTo = hosta

    nano tinc-up

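    #!/bin/bash
    # tincd exports the tunnel device name as $INTERFACE
    ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0
    # Route Host A's container subnet over the tunnel
    ip route add 10.0.4.0/24 dev $INTERFACE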

    nano tinc-down

    #!/bin/bash
    ifconfig $INTERFACE down
    ip route del 10.0.4.0/24 dev $INTERFACE

    nano /etc/tinc/flockport/hosts/hostb

    Subnet = 10.0.3.0/24

    Generate keys on both Host A and Host B

    tincd -n flockport -K

    This will generate private key files in the flockport folder and append public keys to the host files /etc/tinc/flockport/hosts/xxx

    Exchange host files on either side
    Copy the host file with the public key from /etc/tinc/flockport/hosts/xxx on Host A to the hosts folder on Host B, and vice versa. Only the host files are exchanged; the private key files stay on the host that generated them.

    So now your /etc/tinc/flockport/hosts folder on Host A and Host B should have both ‘hosta’ and ‘hostb’ files in them
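A check worth running on each host after the exchange and before starting the daemon. This is an added example, not part of the original post: the function name audit_tinc_net is hypothetical, and it assumes the private keys are the *.priv files in the network folder and that GNU stat is available.

```shell
#!/bin/sh
# Added example: audit a tinc network directory before starting tincd.
# Assumes private keys are *.priv in the network dir and GNU stat (stat -c %a).
audit_tinc_net() {
    net_dir=$1
    problems=0

    # Private keys must be readable by their owner only.
    for key in "$net_dir"/*.priv; do
        if [ ! -e "$key" ]; then
            echo "MISSING: no private key in $net_dir"
            problems=$((problems + 1))
            break
        fi
        mode=$(stat -c %a "$key")
        case $mode in
            600|400) ;;
            *) echo "PERMS: $key is mode $mode, expected 600"
               problems=$((problems + 1)) ;;
        esac
    done

    # tincd skips tinc-up and tinc-down unless they are executable.
    for script in tinc-up tinc-down; do
        if [ ! -x "$net_dir/$script" ]; then
            echo "NOEXEC: $net_dir/$script is not executable"
            problems=$((problems + 1))
        fi
    done

    # Exchanged host files carry a public key and never private material.
    for host in "$net_dir"/hosts/*; do
        [ -f "$host" ] || continue
        if grep -q 'PRIVATE KEY' "$host"; then
            echo "LEAK: $host contains private key material"
            problems=$((problems + 1))
        fi
        if ! grep -Eqi 'public ?key' "$host"; then
            echo "NOKEY: $host has no public key"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Run against a directory when one is given, e.g. /etc/tinc/flockport
if [ "$#" -gt 0 ]; then audit_tinc_net "$1"; fi
```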

    The moment of truth! Run the tincd command on both Host A and Host B

    tincd -n flockport

    If you followed the guide accurately, your containers on both Host A and B should now be able to ping each other.

    To ensure the Tinc private network starts on reboot, edit the /etc/tinc/nets.boot file on Host A and B and add the network name, in this case flockport. This ensures that the Tinc network starts up on boot and is available.

    You can easily add more LXC hosts to the network. Tinc has a number of options for optimizing connectivity (compression etc.) and for choosing the security cipher. Please visit the Tinc website and go through the documentation for more options.
