Tinc is more secure than a GRE tunnel because its connections are encrypted. Tinc also gives you the ability to build a distributed mesh network. We are not covering Tinc's extensive capabilities here; please visit tinc-vpn.org.
For the networking gurus: Tinc can operate as a router in layer 3 mode or as a switch in layer 2 mode. For this example we are using Tinc in its default router mode.
To avoid a container IP clash we are going to change the default lxcbr0 subnet 10.0.3.0/24 on one side. Let's do it on Host A.
Change the subnet on Host A
Edit the /etc/init.d/lxc-net script to change the LXC subnet of the lxcbr0 NAT network from 10.0.3.0/24 to 10.0.4.0/24. If you are on Ubuntu, edit the /etc/default/lxc-net file instead. Before doing this, stop the containers on Host A and stop the lxc-net service; then make the change and restart the lxc-net service.
service lxc-net stop
Edit the lxc-net script (or /etc/default/lxc-net on Ubuntu), changing 10.0.3.0/24 to 10.0.4.0/24
service lxc-net start
So here is the network map.
Host A has public IP 184.108.40.206
Host B has public IP 220.127.116.11
Containers on Host A are on subnet 10.0.4.0/24 via the default lxcbr0 NAT bridge
Containers on Host B are on subnet 10.0.3.0/24 via the default lxcbr0 NAT bridge
We are going to use 10.0.0.1 and 10.0.0.2 as the interface IPs for Tinc.
Install Tinc on both Host A and B
apt-get install tinc
Tinc operates on a concept of network names for the private VPN. Let’s call our network ‘flockport’.
In /etc/tinc/ on both Host A and Host B create a folder called 'flockport' and do the following in it. This folder will hold our configuration for this network.
Create a ‘hosts’ folder in the flockport folder
Create the following files in the flockport folder – tinc.conf, tinc-up, tinc-down
touch tinc.conf tinc-up tinc-down
Configure Tinc on Host A
(You can use any name for your hosts; in this guide they are hosta and hostb.)

/etc/tinc/flockport/tinc.conf:
    Name = hosta
    AddressFamily = ipv4
    Interface = tun0

/etc/tinc/flockport/tinc-up (Tinc passes the tunnel device name to these scripts in the INTERFACE environment variable, in upper case):
    #!/bin/bash
    ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0
    ip route add 10.0.3.0/24 dev $INTERFACE

/etc/tinc/flockport/tinc-down:
    #!/bin/bash
    ifconfig $INTERFACE down
    ip route del 10.0.3.0/24 dev $INTERFACE

/etc/tinc/flockport/hosts/hosta (Host A's public address and the container subnet it routes for):
    Address = 18.104.22.168
    Subnet = 10.0.4.0/24
Configure Tinc on Host B
/etc/tinc/flockport/tinc.conf (ConnectTo makes Host B dial Host A, so only Host A needs a reachable public address):
    Name = hostb
    AddressFamily = ipv4
    Interface = tun0
    ConnectTo = hosta

/etc/tinc/flockport/tinc-up:
    #!/bin/bash
    ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0
    ip route add 10.0.4.0/24 dev $INTERFACE

/etc/tinc/flockport/tinc-down:
    #!/bin/bash
    ifconfig $INTERFACE down
    ip route del 10.0.4.0/24 dev $INTERFACE
Generate keys on both Host A and Host B
tincd -n flockport -K
This will generate the private key file in the flockport folder and append the public key to the host file /etc/tinc/flockport/hosts/xxx (hosta on Host A, hostb on Host B).
Exchange host files on either side
Copy the host file with the public key from /etc/tinc/flockport/hosts/xxx on Host A to the hosts folder on Host B, and vice versa.
Your /etc/tinc/flockport/hosts folder on both Host A and Host B should now contain both the 'hosta' and 'hostb' files.
The moment of truth! Run the tincd command on both Host A and Host B
tincd -n flockport
If you followed the guide accurately, your containers on Host A and Host B should now be able to ping each other.
To ensure the Tinc private network starts on reboot, edit the /etc/tinc/nets.boot file on Host A and Host B and add the network name, i.e. in this case flockport. This makes Tinc bring the network up at boot so it is available without manual intervention.
You can easily add more LXC hosts to the network. Tinc has a number of options for optimizing connectivity, such as compression, and for choosing the security cipher. Please visit the Tinc website and go through the documentation for more options.
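The whole procedure above, from creating the flockport folder to editing nets.boot, as one added shell example. It is not code from this guide or from the Tinc project. The root directory is a parameter so the script can be dry-run in a scratch directory before being pointed at /etc/tinc, and it goes slightly beyond the page in two places: it writes a hosts/hostb file with hostb's own Subnet line (the page only shows hosts/hosta), which Host A needs in order to learn that 10.0.3.0/24 is reachable through hostb in router mode, and it marks tinc-up and tinc-down executable, because tincd will not run scripts that were merely touched. The public key warning in the check function assumes the RSA key header that tinc 1.0's tincd -K appends; the function names, argument order and the check itself are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Flockport guide or of Tinc: build the
# /etc/tinc/<net> tree described above for one LXC host in router mode.
# Assumptions beyond the page: hosts/<name> is written on both sides, ROOT is a
# parameter (use a scratch directory to dry-run), tinc 1.0 style RSA keys.

# make_tinc_node ROOT NET NAME VPN_IP LOCAL_SUBNET REMOTE_SUBNET PUBLIC_IP CONNECT_TO
#   PUBLIC_IP may be empty on the side that only dials out (hostb above);
#   CONNECT_TO may be empty on the side that waits for the connection (hosta).
make_tinc_node() {
    root=$1 net=$2 name=$3 vpn_ip=$4 local_subnet=$5 remote_subnet=$6
    public_ip=$7 connect_to=$8
    dir="$root/$net"
    mkdir -p "$dir/hosts" || return 1

    # tinc.conf: who we are, which tun device to use, and whom we dial.
    {
        echo "Name = $name"
        echo "AddressFamily = ipv4"
        echo "Interface = tun0"
        if [ -n "$connect_to" ]; then echo "ConnectTo = $connect_to"; fi
    } > "$dir/tinc.conf"

    # hosts/<name>: where we can be reached and which subnet we route for.
    # tincd -n NET -K later appends our public key to this same file.
    {
        if [ -n "$public_ip" ]; then echo "Address = $public_ip"; fi
        echo "Subnet = $local_subnet"
    } > "$dir/hosts/$name"

    # tinc-up / tinc-down: tincd exports INTERFACE (upper case) to these scripts.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ifconfig \$INTERFACE $vpn_ip netmask 255.255.255.0
ip route add $remote_subnet dev \$INTERFACE
EOF
    cat > "$dir/tinc-down" <<EOF
#!/bin/sh
ifconfig \$INTERFACE down
ip route del $remote_subnet dev \$INTERFACE
EOF
    # touch alone is not enough: tincd only runs the scripts if they are executable.
    chmod 755 "$dir/tinc-up" "$dir/tinc-down" || return 1

    # nets.boot: start this network at boot, without duplicating the entry.
    if ! grep -qx "$net" "$root/nets.boot" 2>/dev/null; then
        echo "$net" >> "$root/nets.boot"
    fi
}

# check_tinc_node ROOT NET NAME PEER: verify the tree is complete once the host
# files have been exchanged. Returns 0 when ready, 1 with a reason otherwise.
check_tinc_node() {
    root=$1 net=$2 name=$3 peer=$4
    dir="$root/$net"
    grep -qx "Name = $name" "$dir/tinc.conf" 2>/dev/null \
        || { echo "$dir/tinc.conf is missing or its Name is not $name"; return 1; }
    for f in tinc-up tinc-down; do
        [ -x "$dir/$f" ] || { echo "$dir/$f is missing or not executable"; return 1; }
    done
    for h in "$name" "$peer"; do
        [ -f "$dir/hosts/$h" ] \
            || { echo "hosts/$h is missing in $dir (exchange the host files)"; return 1; }
        # Key header written by tinc 1.0's tincd -K (assumption for this example).
        grep -q "BEGIN RSA PUBLIC KEY" "$dir/hosts/$h" \
            || echo "note: hosts/$h has no public key yet (run: tincd -n $net -K)"
    done
    grep -qx "$net" "$root/nets.boot" 2>/dev/null \
        || echo "note: $net is not in $root/nets.boot, so it will not start on reboot"
    return 0
}

# Usage, mirroring the two hosts in the guide (run each make_tinc_node on its own host):
#   make_tinc_node /etc/tinc flockport hosta 10.0.0.1 10.0.4.0/24 10.0.3.0/24 184.108.40.206 ""
#   make_tinc_node /etc/tinc flockport hostb 10.0.0.2 10.0.3.0/24 10.0.4.0/24 "" hosta
#   tincd -n flockport -K      # on both hosts, then swap hosts/hosta and hosts/hostb
#   check_tinc_node /etc/tinc flockport hosta hostb && tincd -n flockport
```

Running check_tinc_node before the host files have been swapped fails with a message naming the missing file, which is the most common reason the final ping test in this guide does not work; the public key and nets.boot notes are advisory only, since a node can run without the boot entry.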