Pfsense configuring tinc site to site tunneling tutorial

​ ​tinc​​ Is a virtual private network (VPN) A daemon , It uses encrypted tunnels in Internet Establish a secure private network between hosts on .tinc It's free software , according to GNU General public license No 2 Version or later is licensed . because VPN stay IP Level network code is represented as a common network device , There is no need to adapt any existing software , allow VPN Site through Internet Share information with each other , Without exposing any information to others .tinc It has the following characteristics ：

• encryption 、 Authentication and compression ： All flows are optional zlib or LZO Compress , Use LibreSSL or OpenSSL Encrypted traffic .
• Automatic full mesh routing ： Set it up anyway tinc To connect with each other ,VPN Flow always （ If possible ） Send directly to the destination , Without having to go through an intermediate hop .
• NAT through ： as long as VPN A node in allows public IP Incoming connections on addresses （ Even if it's dynamic IP Address ）,tinc Then we can do NAT through , This allows direct communication between peers .
• Easily expand ： When you need to add a new node , Just add an additional configuration file .
• You can bridge Ethernet segments ： Multiple Ethernet segments can be linked together , Work like a single network segment .
• Support IPv6： Support... On various mainstream platforms IPv6 Application .

pfSense Provide for the right to tinc Good support for , You can install tinc Plug-in method to configure and use , Let's say pfSense plus 22.01 For example , Introduce how to pass between two firewalls tinc establish VPN The process of tunneling .

The network configuration

A firewall A( Dark screenshot ):                              A firewall B( Light color screenshot )：

WAN IP：202.10X.XX.XX                      117.4X.XX.XX

LAN IP：192.168.11.1/24                      192.168.12.1/24

install tinc

First, install... On two firewalls tinc plug-in unit . Navigate to the system separately > Plug-in management , On the available plug ins tab , Search for tinc, After finding , Click the Install button on the right to install . After installation , Just go ahead tinc Tunnel configuration .

On the firewall tinc Tunnel configuration is divided into tunnel settings 、 Remote host settings and firewall rules are added in three parts .

Tunnel setup

Navigate to VPN>tinc, On the Settings tab , Enter the following parameters ：

SITEA：

• Enable TInc VPN： Choose
• name ：SITEA
• Local IP：192.168.11.1
• Local subnet ：192.168.11.0/24
• VPN Mask ：255.255.0.0
• Address family ：IPv4
• Generate RSA Key pair ： Choose

​​​​

Click to display advanced options , In addition Tinc Parameter bar , Enter the following options ：

      
      

       
       Node=router
       
       
Cipher=blowfish
       
       
Digest=sha1
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
      
      

​​​​

SITEB：

• Enable TInc VPN： Choose
• name ：SITEB
• Local IP：192.168.12.1
• Local subnet ：192.168.12.0/24
• VPN Mask ：255.255.0.0
• Address family ：IPv4
• Generate RSA Key pair ： Choose

​​​​

Additional... At advanced options Tinc Parameter bar , And SITEA Agreement .

Add host

Navigate to VPN>tinc, Hosts tab , Add each other as a remote host .

SITEA:

• name ：SITEB
• Address ：SITEB Of WAN Address , Here for 117.4X.XX.XX
• subnet ：SITEB Of LAN subnet , Here for 192.168.12.0/24
• Connect on startup ： No election , Just select at one end
• RSA The public key ： from SITEB Of tinc vpn Copy on the tunnel

​ ​​​

Click save and the list is as follows ：

​​​​

SITEB:

• name ：SITEA
• Address ：SITEA Of WAN Address , Here for 202.1X.XX.XX
• subnet ：SITEA Of LAN subnet , Here for 192.168.11.0/24
• Connect on startup ： Choose
• RSA The public key ： from SITEA Of tinc vpn Copy on the tunnel

​​​​

Click save and the list is as follows ：

​​​​

Add firewall rules

Add two firewall rules , One is to allow the tunnel to access any network , One is in wan Release on the interface tinc Default communication port for 655.

stay pkg_tinc On the tab , Add one any to any The rules , Allow access to any network through a tunnel .

​​​​

stay wan On the tab , Add a release tcp agreement 655 Port rules , And put it at the top of the rules .

​​​​

The rules of the two firewalls are the same , Here is just SITEA Example .

Connect the test

After the above settings are correct , Now it should be able to connect normally .

Navigate to status >Tinc VPN, You can view the connection information of the tunnel ：

​​​​

Use on the firewall PING To test , normal Ping Through remote gateway .

​​​​

On the client computer , function Ping command , normal ping Through remote gateway ：

​​​​

Use iperf Speed measurement ,300M Uplink and downlink peer-to-peer private lines , Measured VPN The tunnel speed is as follows ：

​​​​

thus ,pfSense Upper Tinc VPN Site to site tunnel configuration is complete .