Tinc Mesh VPN

Discussion in 'Tomato Firmware' started by lancethepants, Jul 25, 2014.

  1. lancethepants

    lancethepants Network Guru Member

    Tinc automatically sets up a mesh VPN between multiple nodes in a network. Each daemon will communicate directly to every other daemon if possible. I find it very easy to set up, even if you only want to connect two Nodes.

    Firmware sample
    MIPSR2 routers with 8MB+ flash.
    MIPSR1 routers with 4MB flash.
    Now available in Shibby firmware starting with release v122.


    I've used Tinc for years on my routers (in /jffs) and have finally gotten around to doing an integration with gui. I'm sure there's a few bugs around, so let me know what you find.

    I've integrated tinc 1.1preX. Version 1.1 fixes some security vulnerabilities in the tinc 1.0 branch. Currently 1.1 is still in pre-releases. Each pre-release is incompatible with other pre-releases, so you must make sure to use the same version everywhere, at least until 1.1 final is released. The gui will display the current version you are running.

    Tinc can also run on Windows.

    I recommend running Tinc in 'tun' mode. For tun, each node must use a different subnet. These subnets must fit with the 'VPN Netmask' found in the config tab.
    Say for example the entire VPN will fall in the address range ( Tomato by default uses a /24 netmask. You can then add subnets starting from - and everything in between.

    To begin we need to generate certificates for every node. In the 'Generate Keys' tab Generate a new set of keys. (Keys shown are only for demonstration.) Starting with tinc1.1pre11, only Ed25519 keys are required. RSA keys are only needed for backwards compatibility in order to connect to tinc1.0 nodes.

    Generate Keys.png

    Ed25519 Private Key
    to its location in the 'Config' tab.
    Also in the 'Config' tab pick a 'Host Name' that will identify this Node.


    We must create an entry for this node in the Hosts section. This information will be shared with other nodes to create connections.


    Copy the following Ed25519 Public Key generated earlier to its locations in the 'Hosts' tab.
    Enter this node's Host name, and the subnet that this router is using. If this node has a publicly available static IP or hostname (ddns) enter that. For other nodes that you check ConnectTo, this will tell tinc to make a connection to that node. For this node ConnectTo has no influence (you're already connected to yourself).

    Do the same for other routers, and then you can share the hosts' information to help them connect to each other.

    It isn't necessary to define every node in every router. If Node A and Node B are connected, and Node A and Node C are connected, then Node B and Node C will learn about each other through Node A. Node B and Node C should then be able to communicate directly to each other.

    Previously nvram space may have been a large issue when connecting many nodes in a mesh network. Now in newer versions of tinc, only Ed25519 keys are required. They are very small, and will allow you to add many nodes since they don't use much nvram space. RSA keys are only needed for backwards compatibility with tinc1.0 nodes.

    The Status area is active when Tinc is running, and will give you some information about the mesh.


    'Edges' and 'Connections' show nodes for which ConnectTo was defined in one or both Nodes. If you don't see a connection between two particular nodes, this doesn't mean they aren't communicating directly to each other. It means that neither had ConnectTo defined for the other, which is fine. The 'info' button will give you more detailed information about a particular node. Sometimes it says "Reachability: unknown" if neither of those nodes have attempted communicating to each other yet.
    There must be some path of ConnectTo's among the network so all nodes can learn of each other.

    The 'Scripts' tab allows you to define scripts to run whenever a subnet or host becomes available or unavailable.
    Refer to the tinc documentation for more information.
    Last edited: Jan 1, 2015
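The first post says there must be some path of ConnectTo's through the network so every node learns of every other one, and that a ConnectTo in either of the two nodes is enough to create the link. The script below is an added example, not code from the thread or from the tinc project: it takes a constructed list of node names and ConnectTo links and reports which nodes would be left out of the mesh.

```shell
#!/bin/sh
# Added example (not from the thread or tinc): check that the ConnectTo
# statements of a mesh leave no node isolated, i.e. the undirected
# ConnectTo graph is connected. Node names and links are constructed.

# Links as "from:to", one per ConnectTo statement. Direction does not
# matter for reachability: a ConnectTo in either node creates the link.
LINKS="routerB:routerA routerC:routerA laptop:routerC"
NODES="routerA routerB routerC laptop phone"

# neighbours NODE LINKS: print the nodes directly linked to NODE.
neighbours() {
  for l in $2; do
    case "$l" in
      "$1":*) echo "${l#*:}" ;;
      *:"$1") echo "${l%:*}" ;;
    esac
  done
}

# unreachable START NODES LINKS: breadth-first walk from START over LINKS,
# then print every node in NODES that was never reached.
unreachable() {
  seen=" $1 "; queue=$1
  while [ -n "$queue" ]; do
    cur=${queue%% *}
    if [ "$cur" = "$queue" ]; then queue=""; else queue=${queue#* }; fi
    for n in $(neighbours "$cur" "$3"); do
      case "$seen" in
        *" $n "*) ;;                                  # already visited
        *) seen="$seen$n "; queue="${queue:+$queue }$n" ;;
      esac
    done
  done
  for n in $2; do
    case "$seen" in *" $n "*) ;; *) echo "$n" ;; esac
  done
}

# Demo: the phone has no ConnectTo in either direction, so it is reported.
echo "nodes unreachable from routerA:"
unreachable routerA "$NODES" "$LINKS"
```

Run it as-is and the phone is listed; append `phone:routerB` (or `routerB:phone`) to `LINKS` and the list is empty, which is the situation the thread describes where Node B and Node C learn about each other through Node A.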
  2. shibby20

    shibby20 Network Guru Member

    Awesome job Lance!!
    lancethepants likes this.
  3. jerrm

    jerrm Network Guru Member

    Looks great!

    Really like the generate keys option. It would be great to see the feature for OpenVPN too. I've always thought key generation was a big hurdle for casual users.
    crusher9 and lancethepants like this.
  4. lancethepants

    lancethepants Network Guru Member

    Yes, OpenVPN key gen can get pretty involved, and more follows a Server <--> Client model. Tinc is more of a peer to peer model, and key generation is much easier to boot, especially with the gui.
    Last edited: Jul 26, 2014
  5. cavemandaveman

    cavemandaveman Reformed Router Member

    I'm trying to set up a tinc connection between my router and android. I'm a little confused on the process though. Do I need two hosts enabled on the router and two hosts files on the android? And one config file on the android?
  6. lancethepants

    lancethepants Network Guru Member

    Yes, for each host that is a part of the mesh, you should have a host config file named after that host, in the hosts folder. In your case, one host file for the router, and one for the phone. Pretty much the hosts folder can be identical on all systems (unless you start running out of nvram).
    Each host also has a tinc.conf configuration file where you specify the device type and your ConnectTo statements.
    I have an android example at the link. Android has an additional parameter needed that is in the example. Supposedly you can get it to work without root. I haven't messed enough to confirm it, but it hasn't been my case remembering back. For phones I've rooted I have been able to get it to work great.

    edit: here's the link
    Last edited: Sep 11, 2014
    cavemandaveman likes this.
  7. cloneman

    cloneman LI Guru Member

    Thanks for making this happen. I've always found OpenVPN to be far too time consuming to configure.

    What kind of performance can we expect, and is there a way to throttle the process such that it cannot overload the router's normal operations?
  8. lancethepants

    lancethepants Network Guru Member

    I have not done much testing as the internet connection between my tinc nodes is not fast enough to saturate the cpu. The kernel as I understand has higher priority and should let tinc/openvpn suffer before other routing functions do. This seems to have been my experience. I also compile binaries on my router, and this will take a (particularly) long time if I'm maxing out my connection with usenet/torrenting.

    Tinc1.1 (What I've implemented into tomato) unlike tinc1.0, does not give you a cipher suite selection.
    ECDHE-ECDSA-AES256GCM is what the author has picked, but he may add other known cryptographically secure suite options in the future. Speed will depend on your particular router using this particular cipher suite. It is possible to set "ExperimentalProtocol=no" in the tinc custom config, and then use the hosts custom config to set a faster (but likely less secure) cipher and use the less secure (with known vulnerabilities) tinc1.0 protocol.
    OpenSSL in tomato should have AES with asm, so maybe should help things be speedier.
    Please, anyone with faster internet than me, test and post results!

    Speaking of AES256, sounds like it is (somewhat) vulnerable to timing attacks. It will take only billions of years to crack instead of all time that has existed. Still has been under scrutiny for this. Maybe the author will change things yet. As I've mentioned, still in pre-releases, but I thought I'd go ahead and implement the more secure version in anticipation for an eventual final release.
    Last edited: Sep 11, 2014
  9. cavemandaveman

    cavemandaveman Reformed Router Member

    The examples help a lot, thanks! I'm still stuck on a couple of things, maybe it's because I'm using Shibby v122.

    On tomato, I can't add my android as a ConnectTo host without an address, but I don't have a public address for my android, so what do I put here?
    And this might sound stupid, but does it matter what I put in the subnet for router and android, and if it does, how do I find what subnets they're using?
  10. lancethepants

    lancethepants Network Guru Member

    For the router, put the subnet that your router is using. For example, if your router's IP address is '', then the subnet for your router is ''. For connecting multiple routers, each one needs their own subnet (when using 'tun' mode), ex. ->, ->

    Since your phone doesn't have a known IP address (it's probably constantly changing anyway), in the router we simply won't select 'ConnectTo' for the phone or put anything in the address column. We will instead put a ConnectTo in the phone to connect to the router (from over the internet). So your router either needs a static IP address or a dynamic dns hostname.
    A ConnectTo statement can go in one or both places, in your case, just the phone.
    With multiple routers with known IPs or dyndns, you can put ConnectTo both places. One place or another is enough to create the link though.

    For the phone you can pretty much choose whatever subnet you want. In my example I gave the phone a /24 netmask. It doesn't need that much ( a whole network like a router has), but it works anyway. We'll deviate from the example and only allocate 1 IP address to the phone. I would pick something (whatever you want) like IP address for the phone.

    In the router, the subnet for the phone will be ' /32 is a netmask for a single IP address.
    Then in the phone's tinc-up.

    /system/bin/ifconfig $INTERFACE netmask is a /16 netmask, which encompasses the entire vpn.

    Once you've entered all your hosts in the router, you can (through ssh or another method) copy the hosts folder generated by the router in /etc/tinc (must start the tinc vpn first), and copy that to the phone for its host folder.

    Note, the android app is using tinc1.0. The ecdsa key is new in tinc1.1, but the gui requires it, so just pretend that the phone is using tinc1.1, and I believe it should work fine. tinc1.1 nodes can still talk with tinc1.0 nodes.

    edit: hmm, so I decided to try and get my new phone to work. Experiencing some issues getting it to work though. Will have to play around some more with it.
    Last edited: Sep 14, 2014
  11. cloneman

    cloneman LI Guru Member

    FYI I tried to flash onto a 8MB Netgear 3500Lv1 (from shibby) and it said the image was too large to flash.

  12. cavemandaveman

    cavemandaveman Reformed Router Member

    Same here, I got it to where the phone says connected but no traffic is going through, plus the router does not see the phone.
  13. lancethepants

    lancethepants Network Guru Member

    I ran through trying to connect with my phone while I set tinc to do verbose logging on the router. My phone attempts to connect, but then it says there was an error, non-descriptive.
    1.1pre10 has actually had several issues, and I think this is possibly another one. I would bet 1.1pre9 wouldn't have this issue (I might give it a test).
    I asked the tinc_gui android author on the project's github if he'd consider packaging both 1.0 and 1.1 binaries. We'll see how he responds.
    If not I think I would try rebundling his project and create an apk (maybe put it in the app store) with tinc 1.1 binaries present instead.

    edit: my issue is likely my limited fake root on my phone.
    Last edited: Oct 30, 2014
  14. kthaddock

    kthaddock Network Guru Member

    I have configured TINC and got it to run. But I get low on nvram, Total / Free NVRAM 32.00 KB / 648 (1.98%)
    I need to migrate private keys to JFFS or MNT. The RSA private key is fairly big, is this the right way?
    When I try to delete my keys and configs tinc doesn't let me do that.
    I get Hostname is required/RSA Private Key is required/ECDSA Private Key is required.
    I can't delete my settings.

    I can't migrate private keys, it doesn't recognise them.

    I'm keeping testing and post back. :eek:
    Last edited: Oct 15, 2014
  15. kthaddock

    kthaddock Network Guru Member

    Seems to be one new row every time starting tinc.

  16. lancethepants

    lancethepants Network Guru Member

    Just put a space in the RSA and ECDSA private key areas so it will let you save. You can then put the following in the custom field

    ECDSAPrivateKeyFile = /mnt/tinc/ecdsa_key.priv
    PrivateKeyFile = /mnt/tinc/rsa_key.priv
    You will still need to put your router's own host config in the host area.
  17. lancethepants

    lancethepants Network Guru Member

    All those iptables entries probably are showing up because of repeating times trying to start with a bad config. The firewall method I use is the same as what OpenVPN does.
    Just run 'service firewall restart', and it should clear things. Once you get a good working config the firewall will automatically build and tear down correctly.
  18. kthaddock

    kthaddock Network Guru Member

    Thanks, that worked, now I have more nvram space. Total / Free NVRAM 32.00 KB / 2496 (7.62%)
    Hmm, host config is in: /etc/tinc/hosts/myname

    I tried to do service firewall restart but still there. I have traffic just now, my GF surfing testing that later.
    Problem is i don't have any client to test with.
    Last edited: Oct 15, 2014
  19. lancethepants

    lancethepants Network Guru Member

    Yes, there are two types of config files. The main config file called tinc.conf. Then there is the 'hosts' folder for all the different hosts with their public keys and configs. Every host config goes in that folder, including one for your own host.

    I will probably make a small change so that you will be allowed to save when "Start with WAN" is disabled, so people can remove their config if they want.

    "service firewall restart"
    not "service restart firewall"
  20. kthaddock

    kthaddock Network Guru Member

    Okey, I saw my typo "service firewall restart". I get suspicious when I don't get that dot when restarted.
    I have start with WAN not set, just do start from gui.

    Q: how do I generate keys to other hosts?
    Last edited: Oct 15, 2014
  21. lancethepants

    lancethepants Network Guru Member

    What other platform do you want to generate keys for? My tutorial pretty much just shows how to connect multiple routers.
    On other non-router hosts, say linux or windows, I usually start with

    tinc init nodename
    This will generate all your keys for you for 'nodename'.
    From there you will need to modify the 'nodename' hostfile to include the subnet it will serve, also Address and Port if applicable.
    You will also need to modify tinc.conf and tinc-up. You can look at the config that tinc generates in the router for an example.
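The first post walks through the Config and Hosts tabs and the post above describes the same files by hand after `tinc init`: a tinc.conf with Mode and ConnectTo, a host file carrying Subnet, Address and the public key, and a tinc-up that configures the interface. The script below is an added example, not the router's generated config or tinc project code; it lays those files out for a 'tun' (router mode) node and refuses a host subnet that does not fit the VPN netmask, which the first post says must hold. Node names, the 10.0.0.0/16 VPN range, the addresses and the output directory are all constructed, and the public key line is a labelled placeholder.

```shell
#!/bin/sh
# Added example, not the thread's or tinc's own code: lay out the files a
# tinc 1.1 'tun' (Mode = router) node needs, and refuse a host subnet that
# does not fit the VPN netmask. Names, addresses and paths are constructed.

# Supernet every node's subnet must fall inside (constructed; a /16 like the
# netmask in the thread's tinc-up example).
VPN_NET=10.0.0.0/16

# Dotted quad -> integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer.
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# subnet_within SUPERNET SUBNET: succeed if SUBNET lies inside SUPERNET.
subnet_within() {
  sup_ip=$(ip2int "${1%/*}"); sup_bits=${1#*/}
  sub_ip=$(ip2int "${2%/*}"); sub_bits=${2#*/}
  [ "$sub_bits" -ge "$sup_bits" ] || return 1
  mask=$(prefix_mask "$sup_bits")
  [ $(( sub_ip & mask )) -eq $(( sup_ip & mask )) ]
}

# write_node DIR NAME SUBNET NODEIP ADDRESS [CONNECTTO...]
#   DIR       target directory (stands in for /etc/tinc)
#   NAME      this node's Name (the GUI's 'Host Name')
#   SUBNET    LAN subnet this node serves (the Subnet = line of its host file)
#   NODEIP    address tinc-up gives the tun interface
#   ADDRESS   public IP or DDNS name, or "" when the node has none
#   CONNECTTO names of the nodes this one should connect to
write_node() {
  dir=$1 name=$2 subnet=$3 nodeip=$4 address=$5; shift 5
  subnet_within "$VPN_NET" "$subnet" || {
    echo "$name: subnet $subnet is outside the VPN range $VPN_NET" >&2
    return 1
  }
  mkdir -p "$dir/hosts"
  {
    echo "Name = $name"
    echo "Mode = router"          # the GUI's 'tun': traffic is routed by IP
    echo "Interface = tinc"       # interface name the thread's firewall rules use
    for peer in "$@"; do echo "ConnectTo = $peer"; done
  } > "$dir/tinc.conf"
  {
    [ -n "$address" ] && echo "Address = $address"
    echo "Subnet = $subnet"
    echo "Ed25519PublicKey = PLACEHOLDER_PUBLIC_KEY"   # placeholder; real key comes from key generation
  } > "$dir/hosts/$name"
  mask=$(int2ip "$(prefix_mask "${VPN_NET#*/}")")
  # tinc-up brings the interface up with a netmask spanning the whole VPN.
  printf '#!/bin/sh\nifconfig $INTERFACE %s netmask %s\n' "$nodeip" "$mask" > "$dir/tinc-up"
  chmod +x "$dir/tinc-up"
}

# Demo: router A has a public name, router B does not, so only B carries
# a ConnectTo (one side is enough to create the link).
DEMO=$(mktemp -d)
write_node "$DEMO/routerA" routerA 10.0.1.0/24 10.0.1.1 routera.example.invalid
write_node "$DEMO/routerB" routerB 10.0.2.0/24 10.0.2.1 "" routerA
for f in routerA/tinc.conf routerA/hosts/routerA routerB/tinc.conf \
         routerB/hosts/routerB routerB/tinc-up; do
  echo "== $f"; cat "$DEMO/$f"
done
```

Each node's hosts folder would then also receive the other nodes' host files, which is the sharing step the first post describes; only the host file for a node and its tinc.conf differ per machine.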
  22. alfred

    alfred LI Guru Member

    I have read the document, can we use the following configuration variables, and put the keyfiles to /jffs for the NVRAM saving.

    PrivateKeyFile = <path>
    PublicKeyFile = <path>
    ECDSAPrivateKeyFile = <path>

    I tried to put these lines to custom field in the vpn-tinc page, and left the corresponding key fields blank, but it does not accept the blank key fields.

    please help to confirm.
  23. lancethepants

    lancethepants Network Guru Member

    This is discussed earlier in the thread.
  24. lancethepants

    lancethepants Network Guru Member

    Thanks for the feedback thus far guys! Its given me a few ideas for changes, and shown me some oversights I didn't think about. I use tinc all the time, I hope you also find it useful.
  25. kthaddock

    kthaddock Network Guru Member


    When using TAP and watching under subnets, MAC addresses with 00 (double zero) have a problem displaying: 00 shows only one 0 (zero); a single zero seems to have the problem too. Same under the info tab.
    Lance I can PM whats in subnet.
    Last edited: Oct 22, 2014
  26. lancethepants

    lancethepants Network Guru Member

    Could you maybe post a screenshot of what you're describing, and photoshop out any sensitive information?
  27. kthaddock

    kthaddock Network Guru Member

    I hope you can see this:
    Tinc_info_e.jpg Tinc_subnets_e.jpg
  28. calisro

    calisro Connected Client Member

    Can you specify multiple vpn subnets in the UI for a particular site?
  29. lancethepants

    lancethepants Network Guru Member

    Last edited: Oct 28, 2014
  30. kthaddock

    kthaddock Network Guru Member

    Is that only a display quirk? TAP working as is should?
  31. lancethepants

    lancethepants Network Guru Member

    Yes, it is only a display quirk.
    kthaddock likes this.
  32. sleizure

    sleizure Network Newbie Member

    This looks amazing - I have used Tinc in the past between Pfsense boxes. Although the existing package available for PfSense is 1.0 - Reading your comment re Backwards Compatibility between Pre release versions, any idea when we'll see a final version?
  33. kthaddock

    kthaddock Network Guru Member

    In TAP mode what is the difference with Switch and Hub mode?
  34. lancethepants

    lancethepants Network Guru Member

    I'm not sure when there will be a final release. I keep an eye on the mailing lists though. I think we'll have at least a few more pre-releases before we see a final.
    While each 1.1 pre-release is incompatible with other pre-releases, all 1.1 pre-releases are backwards compatible with tinc 1.0. You can actually make tinc1.1 behave as 1.0 if you want to, with the following in the Custom Config
    ExperimentalProtocol = no

    Before there were network switches, there were network hubs. Basically a hub broadcasts all packets to every other device on the network. Switches keep track of MAC addresses, and smartly route packets to the destined MAC.
    I'm not sure why someone would want to use hub, but the option exists, so I put it in there.
  35. lancethepants

    lancethepants Network Guru Member

    Actually, when I run 'tinc dump subnets' at the command line, it outputs the same as I see in the gui. Your MACs look super truncated, which I'm not seeing for myself. Could you try running the command in the cli, and see how it outputs?

    edit: Also try removing your subnet entry in the gui. It actually will tell you it doesn't allow a subnet entry for TAP. It's possible it's in there if you entered it, and changed to TAP afterwards. It shouldn't hurt functionality, but I'm wondering if it is resulting in your truncation.
    Last edited: Oct 28, 2014
  36. kthaddock

    kthaddock Network Guru Member

    Same output as press subnet button.
    Remove in hosts, same result.

    I created first with TUN and after changed to TAP and therefore I didn't see this:
    "Subnet is left blank when using the TAP Interface Type"
  37. lancethepants

    lancethepants Network Guru Member

    I see. In your example I thought the missing bits were also an error, but now I'm realizing it was you editing out part of your MACs.

    It appears that is how tinc itself is outputting the results, with truncated zeros. I'm not sure if this is intentional or unintended on their part.
  38. kthaddock

    kthaddock Network Guru Member

    Yes, I masked them, but I can send them to you if you want. I tried to PM but it doesn't allow me to attach any files.
  39. lancethepants

    lancethepants Network Guru Member

    That's not necessary, I understand better now. I thought the issue existed between getting the info from tinc and displaying it. Now I see that this is how tinc displays it. I'll bring this up in the tinc mailing list, but they may not consider it a bug. Maybe I'll take a look at the code.
  40. kthaddock

    kthaddock Network Guru Member

    Okey, sorry I have just PM to you.
    Well I don't care if this display is messed up, I'm only concerned if that doesn't work.
  41. eangulus

    eangulus Network Guru Member

    Hi, VPN Noob here.

    Just having a play around to see how to work this VPN stuff.

    If I am correct, setting this up joins 2 separate Networks together over the internet.

    I have managed to get certain routers to hook up, and am able to navigate the network shares between them (including printers and stuff).

    What I don't quite understand is this subnet stuff. If I have 2 routers to join, and they both run on, will this stuff still work, and if so how do I do the subnet settings and how do I navigate to a remote IP rather than the local version?

    Or am I completely wrong and have to setup each router on a different IP for eg. Router 1 = -- Router 2 =
  42. lancethepants

    lancethepants Network Guru Member

    It is possible to set this up two ways, similar also to OpenVPN.

    This is the method given in the tutorial and the easier one to set up. Each network must be on their own subnet. Traffic between the two networks is routed, which means the two networks can communicate with each other, but they are still two independent networks. Network data is routed by IP addresses.

    This method joins two networks as if they were one network, called bridging. Both networks in bridging are on the same subnet. This can be a little trickier to setup, I'll explain.

    Because this joins two networks into one network, all on the same subnet, you cannot have any overlapping IP addresses between the two networks. They're the same network, and multiple IP addresses will cause conflicts. This means that if one router's IP addresses is, the other router's address must be different from this. In TAP mode, Network data is routed by MAC addresses. All broadcast data, arps, and other traffic is passed to the other side, causing more overhead. DHCP, if enabled, and not blocked (there are some threads on how to do this), will probably assign IP addresses to computers at the other end of the VPN, which is undesirable. This can cause internet to be routed through the vpn, and slow down the whole vpn, and internet for that computer. If you do have DHCP enabled, you have to make sure they don't have overlapping ranges. DHCP is only one of several *broadcast* data types that could fumble your network up (upnp, natpmp, even dropbox uses broadcasts for local discovery, and could be an issue).
    In TAP mode, you would just leave the subnet portion blank. It will actually stop you from entering and saving anything there if TAP is already selected.

    TAP is useful for local network discovery. That means games being hosted over the vpn should automatically appear in the game network menu. With tun you would have to manually specify the IP address. Tap is possible, but tricky. I used to run TAP for a while, but found I didn't really need it. Typically you wouldn't use TAP unless you needed it for a specific reason.

    Overall, I recommend TUN because it is usually sufficient, and much cleaner a setup. This does require you to change one of the routers to a different subnet.

    edit: Or later in the thread, we find you can keep the same subnets using TUN, but lie to tinc about them, and use some firewall rules to make it work.
    Last edited: Mar 2, 2015
  43. eangulus

    eangulus Network Guru Member

    So to put simply (just for noob clarification),

    TUN = Each Router is a separate subnet R1 = R2 =
    TAP = Works same as Local Network with 2 routers etc only joined over Internet

    What happens with Network Share Browsing and IP's (thru browser or network) on TUN? Also is it possible to join 2 networks with same subnet locally on each, but separate using the subnet settings in TINC? If yes how does that work when say I want the remote router IP of but my local router is
  44. lancethepants

    lancethepants Network Guru Member

    Right. TAP could work with more than two routers just to be clear. (Just compounds the complexity of the network)

    You can still access network shares using TUN to a remote share. The share however, will not show up automatically in windows network discovery, like typically you see within your own home network. That's because TUN doesn't transport broadcasts, but TAP does. To access the share in TUN, you must manually specify the IP address of the share in the file explorer ie. \\

    No. When both networks are using the same subnet, they can only be bridged into a single network with TAP. And when using TAP, there cannot be duplicate IP addresses. There's no way to connect both routers with identical IP addresses and to have them both be simultaneously accessible. This is a limitation of networking in general, and not just VPNs. (OpenVPN or any other VPN would have the same dilemma)

    You must either Bridge (TAP) both networks and assign a different IP address to one router (and also not have any overlapping dhcp ranges or duplicate IP addresses network wide), or use routing (TUN) to connect two networks with different subnets. Sounds as if you're trying to avoid modifying either network. Unfortunately there has to be some change for things to work.
  45. lancethepants

    lancethepants Network Guru Member

    Tun definitely is the easier and less messy of the two options. There's very little most people would need to use TAP for. Most things like PC Games, Network Shares, printers, etc, can still work fine over TUN (but you'll need to know their IP addresses).
  46. eangulus

    eangulus Network Guru Member

    Thanks for the info. I have a much better understanding now.

    I understand the last part regarding having to be on different subnets, but I am having a hard time with it not being possible. Don't know if this is possible and if not why not, but let's say we have 2 networks on the same subnet connected via TUN, and we have a device that is on both networks (2 different devices). Isn't there a way where on 1 end you can set a subnet translation of sorts, where I may set the remote network a virtual sub of and then to access the remote version of I use instead and vice versa from the other end?
  47. lancethepants

    lancethepants Network Guru Member

    Oh, how interesting. I've never heard of what you're describing, which prompted some google searches. I think this should be possible actually. ChaosVPN mentions such a thing, which is based on tinc. This would have to be done using some special iptables rules called NETMAP. It appears Tomato should have NETMAP since a long time ago.
    Needless to say I've never attempted this before, but would be fun to try.
  48. rs232

    rs232 Network Guru Member

    This scenario happens more often than you think. The most common is when two or more companies merge together and there's suddenly the route without going through a full re-addressing. I worked in such an environment a handful of times. The answer is always the same: double nat (Source NAT + Destination NAT)

  49. eangulus

    eangulus Network Guru Member

    Can anyone kindly provide an example netmask configuration for me to test and play with? Like how would I setup each side in the iptables?
  50. lancethepants

    lancethepants Network Guru Member

    I'll try to play around with it this week since you've piqued my interest.
  51. lancethepants

    lancethepants Network Guru Member

    Alright, I had success playing around with the NETMAP feature.

    Both routers have a network. (or whatever your case be).
    You then need to pick a different substitute network for each router. In my case I picked.

    Use substituted values in the 'Subnet' portion of the Tinc hosts config, one to each tinc node.

    For the router using the substituted network of, I used the following firewall rules.
    /sbin/modprobe ipt_NETMAP
    iptables -t nat -A PREROUTING  -d -j NETMAP -i tinc --to
    iptables -t nat -A POSTROUTING -s -j NETMAP -o tinc --to
    (Before anyone complains that modprobe shouldn't go in firewall, I counter with that it doesn't hurt) :)

    In the router with the substituted network of, just replace the 3's to 4's in the firewall rules.

    That's it. I was able to access the other router's gui, and also remoted into a remote pc using the substituted addresses.

    I plan to add a custom firewall textarea to tinc in the future, as I see this can be useful for this, and other reasons.
    Last edited: Nov 13, 2014
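The post above leaves the concrete networks out, so here is an added example (not the poster's rules and not tinc or Tomato code) with constructed addresses: both LANs are 192.168.1.0/24, router A is announced to tinc as 10.0.3.0/24 and router B as 10.0.4.0/24. The script prints one router's NETMAP rules in the same shape as the post and then follows a packet through both translations, which is the Source NAT + Destination NAT pair rs232 mentions earlier. The `netmap` helper assumes /24 prefixes, as in this scenario, and so only swaps the first three octets; the `tinc` interface name is the one the thread's rules use.

```shell
#!/bin/sh
# Added example, not the poster's own rules (the post omits the concrete
# networks). Constructed scenario: both LANs are 192.168.1.0/24; router A
# is announced to tinc as 10.0.3.0/24 and router B as 10.0.4.0/24. Every
# prefix is a /24, so the translation below only swaps the network octets.

REAL_NET=192.168.1.0/24
SUBST_A=10.0.3.0/24
SUBST_B=10.0.4.0/24

# netmap_rules SUBST_NET REAL_NET: print one router's rules (not applied).
#   Inbound from tinc: destination in the substitute net -> real LAN (DNAT)
#   Outbound to tinc:  source in the real LAN -> substitute net     (SNAT)
netmap_rules() {
  cat <<EOF
/sbin/modprobe ipt_NETMAP
iptables -t nat -A PREROUTING  -i tinc -d $1 -j NETMAP --to $2
iptables -t nat -A POSTROUTING -o tinc -s $2 -j NETMAP --to $1
EOF
}

# netmap ADDR FROM_NET TO_NET: the address NETMAP produces for ADDR when it
# lies in FROM_NET (host octet kept, network octets from TO_NET); otherwise
# ADDR unchanged. Assumes /24 prefixes.
netmap() {
  addr=$1; from=${2%/*}; to=${3%/*}
  if [ "${addr%.*}" = "${from%.*}" ]; then
    echo "${to%.*}.${addr##*.}"
  else
    echo "$addr"
  fi
}

# trace SRC DST: follow a packet from a host behind router A to a host
# behind router B (named by its substitute address), printing "src -> dst"
# after each NAT stage.
trace() {
  src=$1; dst=$2
  echo "A LAN:  $src -> $dst"
  src=$(netmap "$src" "$REAL_NET" "$SUBST_A")   # router A: POSTROUTING, -o tinc
  echo "tinc:   $src -> $dst"
  dst=$(netmap "$dst" "$SUBST_B" "$REAL_NET")   # router B: PREROUTING, -i tinc
  echo "B LAN:  $src -> $dst"
}

# Demo: rules for router A, then the path of one packet.
netmap_rules "$SUBST_A" "$REAL_NET"
echo
trace 192.168.1.20 10.0.4.57
```

For router B swap `$SUBST_A` for `$SUBST_B` in the `netmap_rules` call, which is the "replace the 3's with 4's" step from the post. The reply travels the same path in reverse: router B's POSTROUTING rewrites the source 192.168.1.57 to 10.0.4.57 and router A's PREROUTING rewrites the destination 10.0.3.20 back to 192.168.1.20, so each side only ever sees the other's substitute addresses.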
  52. calisro

    calisro Connected Client Member

    In case anyone wants to know performance characteristics using tinc on a rt-n66u, I get roughly between 5-7 megabits before the router is cpu bound. I want to get a rt-ac68p (dual core 1ghz broadcom) to replace this for the faster cpu. We'd likely see far faster speeds on faster cpus.
  53. lancethepants

    lancethepants Network Guru Member

    I've made a few changes and pushed a commit. Not fast enough for shibby 124, but hopefully he will add in a later release.
    The commit moves the firewall option to the scripts tab. There you can select
    Automatic - default generated firewall rules
    Additional - You can add your own additional rules to the automatically generated ones. ie NETMAP rules etc.
    Manual - You completely generate your own custom rules, the default rules are not used.

    It also allows you to remove your config completely when "Start With Wan" is unchecked. Previously it wouldn't let you remove some fields because it would be an invalid configuration. I like the valid configuration checks, but it is possible to remove fields when tinc is disabled from booting up.

    I'll make some new images of the ones I provide soon, if any are interested in those. ( I think most use shibby though).
  54. kthaddock

    kthaddock Network Guru Member

    Is it too late for RT-N builds too?
  55. lancethepants

    lancethepants Network Guru Member

    I only just let the devs know today or yesterday, so probably.
  56. kthaddock

    kthaddock Network Guru Member

    Okey, we will see if it's too late.
  57. calisro

    calisro Connected Client Member

    Lance, been using this on my rt-n66u. Works great. I recently upgraded to a rt-ac68u (ARM). Any chance on a compiled tinc binary for ARM? I've been unsuccessful at compiling 1.1pre10 as of yet.
  58. lancethepants

    lancethepants Network Guru Member

    Shibby's tomato included Tinc as well (if you get the AIO version I think). If you're just looking for a binary, I'll make one for ARM sometime later today.

    Also wanted to mention that they (Guus from the tinc project) mentioned he'll try to get a new pre-release before Christmas. 1.1pre10 has had a bunch of issues, so hopefully we'll see something soon. One of the issues is that it falls back to TCP sometimes too easily, which affects throughput quite a bit. We'll see what they cook up.
    calisro likes this.
  59. calisro

    calisro Connected Client Member

    I am just looking for the binary for ARM at this point. I'm giving Merlin's build a whirl on the newer ARM. I love tomato and will likely come back to it but the newer ARMs are currently working better with the standard asus builds. I really appreciate if you can help out compile one. I've been beating my head against the wall trying to get this compiled with only some progress here and there. Thanks again.
  60. lancethepants

    lancethepants Network Guru Member

    Last edited: Dec 11, 2014
  61. calisro

    calisro Connected Client Member

    Testing so far seems good. It runs basic functions so far. I'll have a mesh set up shortly and I'll comment further on how it's working. I'll also be interested in its performance on this router OC'd to 1ghz vs my rt-n66u...

    BTW, Thank-you for the binaries and even more importantly your script. I want to learn where I was failing.
  62. calisro

    calisro Connected Client Member

    The ARM binaries running on my RT-AC68U are working great. Throughput with the larger CPUs in the router is much better. I have mine OC'd to 1Ghz but I may increase that to 1200 over time once I prove stability at each step. I'm now getting 30Mb across tinc hosted on the router. It maxes out one of two cores at 30Mb but it's great because the other core can still manage the other router functions. Highly recommend the router upgrade for heavy tinc users.
  63. lancethepants

    lancethepants Network Guru Member

    @calisro Awesome, thanks for the feedback!
  64. calisro

    calisro Connected Client Member

    Some discoveries for others. I have two tincs running. One in tap and one in tun mode (different ports). Both work well...

    That being said, if anyone is attempting to use tap with android (or likely any mobile device), please note that because of the increased broadcast traffic, android will no longer deep sleep while tinc is active in tap mode. I highly recommend only tun when using android. Tinc with tun, works very well and there is no impact on battery.
    lancethepants likes this.
  65. cgallery

    cgallery Connected Client Member

    I have a couple of Buffalo WHR-HP-G54 routers and would like to give this a shot. Which image would you recommend for that hardware?
  66. lancethepants

    lancethepants Network Guru Member

    AFAIK shibby hasn't made any releases for MIPSR1 routers with TINC.
    I started making a firmware with TINC based on Toastman's latest for my wrt54gl, which should also work on your WHR-HP-G54. I got it working but I need to update it to my latest commits. I could make one later today after work. Don't think it would take too long anyway.
    rs232 likes this.
  67. cgallery

    cgallery Connected Client Member

    I was looking at the Shibby site and had difficulty figuring out which was the latest version of anything. The dates are all 1932-07-06? And the builds are almost all 5X, but there are some 52 and 54. This is where I'm looking: http://tomato.groov.pl/download/K26/.

    So I tried looking at the image file naming help page and it is in a foreign language.

    So if you could produce a version that will run on my Buffalo, and tell me where to find it, that would be awesome. (I'm not normally this helpless, I swear!)

    Thank you Lancethepants!
  68. cgallery

    cgallery Connected Client Member

    Or... Maybe someone could point me to the optimum router/Tomato firmware w/ Mesh compatibility that I could try? I'll buy more gear, it will just take me longer.
  69. lancethepants

    lancethepants Network Guru Member

    I've uploaded a version that'll work on wrt54gl and similar routers. Took longer than I thought :) .

    Looks like you've already solved your issue from the other thread though. I needed to hash this one out anyway, been wanting tinc capability on older devices. I was able to fit both OpenVPN and Tinc, which I didn't think would be possible. To do this I took out SNMP.
    This one is actually more up-to-date than my MIPSR2 firmware, which I need to re-compile with my latest tinc changes.

    edit: Also, just about any MIPSR2 router should be capable of having tinc. Shibby has included it in many of his builds.
  70. cgallery

    cgallery Connected Client Member

    Actually I didn't solve the problem in the other thread, I'm going to use this as my solution. I'm going to download it and work on this over the weekend.

    Thanks for all the extra effort Sir Lancethepants.
    lancethepants likes this.
  71. cgallery

    cgallery Connected Client Member

    So far so slick. I have only setup a VPN between two locations, I haven't added the third, but don't see why it won't work well.

    But I do have a question.

    These Buffalo WHR-HP-G54 routers are apparently no speed demons, can anyone recommend a different router that is compatible with Mesh VPN firmware releases?

    I have two of these: Netgear WNR3500L/U/v2, currently loaded with Tomato Firmware v1.28.7496 MIPSR2-Toastman-RT K26 USB VPN.

    One concern with those is the wireless may not be that hot. Under Device List, the Wireless Quality for all wireless devices is very low (like one bar). I had read this was a problem with the router, or possibly the router with Tomato. I would like better wireless quality if possible.

    Any opinions or input is appreciated. If there were a way to make the WNR3500L/U/v2 work, that would be great, I could add another. But if the wireless portion is poor I can move on.

    I guess I should try one of the Lancethepants releases w/ Mesh but I'm unclear on which to download from his firmware page. There are several K26, some with NVRAM others w/o. Any tips here?
    Last edited: Dec 21, 2014
  72. cgallery

    cgallery Connected Client Member

    Am I completely insane adding "cipher=none" to Config/Custom?

    My intention is to disable packet encryption and compression.

    I'm only using the VPN in order to share a bunch of gadgets among family members. So things like color laser printers, photo frames, an intercom, etc. It just seems easier to setup one VPN than configure all these different devices for other forms of access.

    So I don't really care if someone wants to perform a man in the middle attack and look at pictures of the loaf of bread my wife made.

    BUT, I also don't want someone to easily be able to connect to my network, either.

    I assume by disabling encryption and compression that I haven't made it any easier for additional nodes to connect.

    Also, any idea whether the RT-AC56U router would be supported by any of tomato-K26USB builds by Lancethepants?
  73. lancethepants

    lancethepants Network Guru Member

    In order to disable encryption you may need to:

    Place "ExperimentalProtocol = no" in config -> custom.
    Place "Cipher = none" in your host's custom config.

    This reverts tinc to use the 1.0 protocol (less secure). 1.1 is inherently built to be more secure. In the 1.1 documentation it says Cipher "has no effect for connections using the SPTPS protocol". This is because 1.1 always uses one particular pre-determined secure cipher suite. So reverting to tinc1.0 functionality using the "ExperimentalProtocol" option should allow this. I'm not sure if case matters, but what I have in quotes is what the documentation shows.

    You can test that to see if that helps throughput and cpu load. You'll have to determine for yourself whether not using encryption is something you want to do. tinc1.1 protocol doesn't allow for non-encrypted connections, and tinc1.0 protocol has known vulnerabilities.

    I believe shibby has builds for the RT-AC56U that also have tinc.
    Last edited: Dec 23, 2014
  74. cgallery

    cgallery Connected Client Member

    The "ExperimentalProtocol = no" (no quotes, of course) placed in config/custom prevents tinc from running/establishing a connection, I just get:

    Cannot connect to UNIX socket /var/run/tinc.socket: Connection refused

    when I click on Status/subnets on the 2nd router on which I click on "Start." I can start one router and it is fine and shows it is connected to the VPN, but after I start the VPN on the second router I get the "Connection refused" on both routers.

    Interestingly enough, I can remove that and leave "Cipher = none" in the custom section for each of the hosts and tinc will start and connect fine, but clearly there is still encryption going on.

    I have an E900 to try but I can't get your firmware loaded on it for some reason. I'm trying your:

    8,115,200 tomato-E900USB-NVRAM64K-1.28.0506.3MIPSR2 Toastman-RT-VPN.bin

    I loaded a copy of DD-WRT (the "WebFlash for first installation"), then tried to load your firmware and it doesn't go. I'm not sure if I'm doing this correctly, that is a procedure that has worked for me in the past to get Tomato onto a router. I also tried tftp during the boot, that didn't work either. So not sure what I'm doing wrong.
    Last edited: Dec 23, 2014
  75. lancethepants

    lancethepants Network Guru Member

    I don't have a router with 8Mb (all are bigger), so it could be that it's too big. I've uploaded some new images to try. Let me know if the bigger vlan version will fit as well, if you would.
  76. cgallery

    cgallery Connected Client Member

    Got it, I'll give them a shot ASAP but maybe not until Thursday due to family holiday demands.
  77. cgallery

    cgallery Connected Client Member

    Okay, the good news is, I'm able to install both of the E900 builds you posted, these:

    8,045,568 tomato-E900USB-NVRAM64K-1.28.0506.2MIPSR2Toastman-RT-N-TINC.bin
    7,889,920 tomato-E900USB-NVRAM64K-1.28.0506.2MIPSR2Toastman-RT-N-VLAN-TINC.bin

    The sort of bad news is, I started another thread asking about a simple way to benchmark these devices and did some testing and the E900 is slower than the Netgear WNR3500L units I already had. Here are some #'s:

    Buffalo WHR-HP-G54 came in at approx. 208 iterations in 60 seconds.
    Netgear WNR3500L (V1) came in at approx. 853 iterations in 60 seconds.
    Raspberry Pi came in at 1530 iterations in same 60 seconds.
    e900 w/ Tomato 580 iterations in 60 seconds.

    An interesting side-note: When I loaded the DD-WRT on the E900 to prepare for the loading of Tomato, I ran the test and got 233 iterations in 60, which is odd.

    So you can see that when making somewhat apples-apples comparisons, the E900 is faster (by 2.5) than the Buffalo, but the Netgear is faster still (about 4x faster than the Buffalo).

    But my problem is, I can't get the Tomato firmware loaded on the Netgear. When I try within another version of Tomato, it says the file is too large for the MTD. When I try from within DD-WRT, it says the upload was successful but on reboot the router is still running DD-WRT.

    Within DD-WRT, it says my WNR3500L has 64MB of NVRAM, I've been using the file for 32MB of NVRAM. DD-WRT says this:

    Space Usage
    18.34 KB / 64 KB
    (Not mounted)

    But EVERYTHING I've found says these units came with 32MB of NVRAM. Should I try your firmware for 64MB NVRAM?

    I'm kind of stuck, I'd really like to use the Tomato with your tinc firmware on the WNR3500L, if there is anything you can help me do in order to shoe-horn it on there, I'd appreciate it.

    If there is any other testing you want done on the E900 just let me know.

    (More stuff DD-WRT says about my WNR3500L)
    Router Name DD-WRT
    Router Model
    Netgear WNR3500v2/U/L
    Firmware Version
    DD-WRT v24-sp2 (03/25/13) mini - build 21061
    Kernel Version
    Linux #14312 Mon Mar 25 02:04:27 CET 2013 mips
    MAC Address
  78. cgallery

    cgallery Connected Client Member

    Just going to add that when I do an "erase Linux" on the router, it tells me this:

    root@DD-WRT:~# erase linux
    root@DD-WRT:~# reboot

    The DD-WRT that was installed was this:
    12/24/2014 11:31 PM 3,543,098 dd-wrt.v24-21061_NEWD-2_K2.6_mini-WNR3500L.chk

    So it wasn't erasing 7798784 bytes because that was the size of the build that was installed, I think it was erasing that space to make room for a new build to be tftp'd into the unit. But the two files I've downloaded from your site are:

    8,040,448 tomato-K26USB-1.28.0506.2MIPSR2Toastman-RT-N-TINC.trx
    7,888,896 tomato-K26USB-1.28.0506.2MIPSR2Toastman-RT-N-VLAN-TINC.trx

    So neither of those will fit into the 7798784 that this unit seems to have for firmware. Is there anything you can eliminate to make the firmware a tiny bit smaller?

    Also, is it odd that the version of your firmware w/ VLAN is actually smaller than w/o?

    Sorry for all this. I do very much like your tinc interface and think with the faster WNR3500L that it could really work well for me.

    I think I need something w/o the RT-N, as this is the V1 of the router instead of the V2. Maybe I'm asking too much, I sure don't want to make a ton of work for you.
  79. lancethepants

    lancethepants Network Guru Member

    I'll try and recompile one that should fit in your netgear router tomorrow. Netgears have a little less space than other routers for whatever reason. Not sure why the vlans are smaller. I think I had to remove additional features in the vlan to make it fit tinc (removed snmp). The V2 won't take RT-N then? I should be able to make an RT fine as well. Been occupied with the Holidays. Thanks for the feedback and the interest!
  80. cgallery

    cgallery Connected Client Member

    The 3500L I have is NOT the V2, it is the original. This page describes some of the differences, which don't look that substantial:

    I tried loading the firmware you made for the Buffalo, it didn't work and it bricked the 3500L (it was easy to debrick). Shibby's page here:

    Indicated older K24 units could run the K26, so I figured a K26 could run the K24. And I'm not saying they can't, all I'm saying is the firmware you created for the Buffalo didn't like the Netgear WNR3500L.

    I think it would be nice to make a build each for the WNR3500L and the WNR3500LV2. I don't have a WNR3500LV2 but I'd be happy to procure one for testing purposes. But these routers are very popular and have been pretty decent performers.

    I've been running the newest build you provided (w/o vlan) on some Linksys E900 units but I'm having stability problems that I think have something to do with the wireless (I think). Still trying to figure that out. It is possible that these refurbished units are just bad.

    Thanks for the explanation on the size re: with and without vlan, that makes sense.
  81. lancethepants

    lancethepants Network Guru Member

    And tinc1.1pre11 was released between today and yesterday.

    I haven't run the new version yet, but I think it looks promising, with some improvements over 1.1pre10.
    Tinc includes a utility called "sptps_speed" to test performance for your device. 1.1pre11 made a change to the cipher used, and here are the results from my RT-N16.

    Generating keys for 10 seconds: 12.08 op/s
    ECDSA sign for 10 seconds: 11.81 op/s
    ECDSA verify for 10 seconds: 9.68 op/s
    ECDH for 10 seconds: 5.71 op/s
    SPTPS/TCP authenticate for 10 seconds: 2.73 op/s
    SPTPS/TCP transmit for 10 seconds: 28.17 Mbit/s
    SPTPS/UDP authenticate for 10 seconds: 2.73 op/s
    SPTPS/UDP transmit for 10 seconds: 28.22 Mbit/s

    Generating keys for 10 seconds: 383.30 op/s
    Ed25519 sign for 10 seconds: 339.10 op/s
    Ed25519 verify for 10 seconds: 126.50 op/s
    ECDH for 10 seconds: 101.70 op/s
    SPTPS/TCP authenticate for 10 seconds: 45.75 op/s
    SPTPS/TCP transmit for 10 seconds: 51.66 Mbit/s
    SPTPS/UDP authenticate for 10 seconds: 45.62 op/s
    SPTPS/UDP transmit for 10 seconds: 51.15 Mbit/s

    Not sure how this will translate to real-world tests, but the numbers sure look better. I'll make a few binaries in a minute for ARM, and maybe we can get @calisro to benchmark the performance. My internet is too slow to swamp the cpu.
  82. cgallery

    cgallery Connected Client Member

    Wow the difference in those numbers is amazing.
  83. lancethepants

    lancethepants Network Guru Member

    The change from ECDSA to Ed25519 keys will involve a few changes in several places to get working. Not hard, but just annoying. If it really gives a performance boost though I guess I can't complain too much.
  84. cgallery

    cgallery Connected Client Member

    Any idea how close they are until 1.1 is more or less finalized? It seems like a rather substantial change to be coming eleven releases into the cycle.
  85. lancethepants

    lancethepants Network Guru Member

    I think it's getting closer. Just recently someone in the mailing list asked a similar question. Here's a link to the author's response.

    With the protocol change, it's added additional size to the tinc binaries. He had to add the code for the new crypto since I don't think it's found in OpenVPN. I'm going to have to sacrifice some features for 8MB routers.
    It mentions in this thread the byte count for 8mb is 7995392 bytes. And then it could be even smaller for netgears.

    snmp hopefully will be enough. Maybe I will remove dnssec since that is an additional feature I've added. Will try to post within a day or two, sorry don't have them up yet.
  86. cgallery

    cgallery Connected Client Member

    Interesting, thanks for the links.

    I sure hope removing snmp and dnssec will be enough. I'm crossing my fingers!
  87. lancethepants

    lancethepants Network Guru Member

    I'm going to be too busy til the New Year, sorry, got a lot going on. Later this week should produce something.
    One totally awesome thing with this update though, RSA keys are optional. You actually only need them if you're mixing versions 1.1 with 1.0, for backwards compatibility. If all your nodes are 1.1, then no need for RSA keys. Those buggers are big, and the biggest setback space wise for Tinc in Tomato. 1.1pre11 now allows Tinc to work without them, where previously they were required.
    This requires some changes in gui and backend, so after the new year I will get on it.
    Happy New Year!
  88. cgallery

    cgallery Connected Client Member

    The E900 units I was using for testing are going back, too many spontaneous reboots. Don't know if they are bad hardware (they were refurbished) or something else going on.

    So I've reverted to Netgear units and just running pptp (don't care about man in the middle attacks).

    I'm probably not going to try tinc until 1.1 is finished and I have had a chance to upgrade to routers w/ 16mb of flash.
  89. lancethepants

    lancethepants Network Guru Member

    I've uploaded new firmwares featuring tinc1.1pre11 based on Toastman's latest for RT, RT-N, and ND.

    • RSA keys are no longer required. (Only for backwards compatibility) This saves a TON of nvram space!
    • Ed25519 keys are now used, instead of ecdsa. Ed25519 are smaller than ecdsa, saving more nvram!
    • Ed25519 is MUCH faster than ecdsa in the tinc benchmark. So possibly much better throughput!
    Happy New Years!

    Edit: The tutorial has been updated to reflect these new changes.
    Last edited: Jan 1, 2015
    M_ars, Goggy and AndreDVJ like this.
  90. cgallery

    cgallery Connected Client Member

    Looks good Lance. Now I just need to find some routers that have > 8MB of flash and which are reliable (hardware-wise), and I can try it again.

    Any reports on performance (compared to the previous tinc release)?
  91. rs232

    rs232 Network Guru Member

    Lance this is a fantastic piece of work!
    One question, are the Ed25519 keys somehow usable with standard OpenVPN config?

  92. lancethepants

    lancethepants Network Guru Member

    I haven't done any benchmarks myself, I'll try sometime this week if I get the time.

    Unfortunately no, they work differently.
  93. calisro

    calisro Connected Client Member

    I'll do some benchmarks on my rt-ac68u@1200mhz this week. I'm very interested in seeing what differences these changes make. I think just the udp fixes will help significantly.
  94. calisro

    calisro Connected Client Member

    I use tinc pre11 on a raspberry pi connected over local internet to my rt-ac68u. I see about 10Megabits at which point my Raspi is at 100% CPU (my rt-ac68u isn't maxed and can handle far more... more tests to come). This is a difference over the last version which maxed at about 3MB on the RaspPi. Pretty decent for that little box.

    EDIT: Still disappointing that I can get a speed of ~16Megabits over an ssh connection and tinc can only get 10 using the same hardware and same network connectivity.... 10 isn't bad but I would think we'd be able to get similar to ssh but I understand there is much less overhead with ssh...

    good read on this (openvpn to ssh in that read):
    Last edited: Jan 13, 2015
  95. calisro

    calisro Connected Client Member

    Benchmark: tinc 1.1pre11: Similar to my prior benchmark, I am now getting about 33Mbits/sec across a local network before my rt-ac68u has one cpu pegged at 100%. Seems to be about a 10% increase in performance to me. This is over a TUN interface. I haven't tested TAP because tinc is crashing on me on my self compiled version. I need to revisit that... but tun works well.
  96. eangulus

    eangulus Network Guru Member

    I know it's a late reply, but I have been playing around with this TINC stuff recently and remembered this thread. First, thanks for finding a solution to the IP address issue. Although I couldn't get it to work.

    Was there anything else that needed to be done? Also I am running 1.24 now and was wondering if that script can be placed into the TINC config somewhere?

    Would be nice to see a feature in the config to set this. I was hoping the subnet setting for each connection was it but alas it only works for TAP and not TUN. (It didn't let me enter a value).

    But how cool would it be in my situation. I have numerous clients all with a similar IP/Network setup. It would be awesome to enter a connection to my client networks, and then set a translated subnet for each so I can then go,,, etc.

    PS: I did try the code in the firewall script section and I did try entering it on both ends with reboots. But it seemed to work the same as before. The 2 networks I tried connecting have a Samba server on and as soon as I connected with TINC, I lost access to my own local one and kept getting the remote version. I tried the subnet IPs and it kept timing out.
  97. lancethepants

    lancethepants Network Guru Member

    If there are two (or more) routers that both have the same subnet (i.e., then all those nodes must use a different substituted subnet when using tinc. You can't leave one subnet as in tinc and only change the other one. None in tinc should have, because somewhere, at least two nodes won't be able to talk to each other. You'll lie to tinc and put in the substituted subnet for each node, including the router's own substitute subnet as well, and they should all match in each router. Don't know if this is the problem you're having, but it is important.

    Make sure you adapt my firewall examples to your subnets, and for each router, because they will be slightly different for each one. You for example will change all the to, since that is the subnet that your routers have in common. Then the (from the example) will change for each router to the substitute subnet you've picked for each one.

    In my later changes to tinc, there is an area in the 'Scripts' tab where you can put custom firewall rules for tinc. I did this specifically for this reason, though it can be helpful in other ways as well. tinc1.1pre11 also has some awesome updates and improvements over 1.1pre10. Shibby has included 1.1pre11 in 125 and 126, but unfortunately hasn't released the MIPS versions yet (if that's what you're using). I have some custom (Toastman) images that do, or you can wait for shibby. Otherwise with the version you're running, you just add the firewall scripts to the Administration -> Scripts area. And remember, while in pre-release, all nodes must be running the same pre-release version of tinc.
  98. eangulus

    eangulus Network Guru Member

    OK, well that answers another question regarding how the network determined which subnet to go to. Say each network was and I put in to substitute the "other" network as, then which computer do I get when I go to, do I get my local or does it route to

    So in saying that I should use the following for 3 networks:

    Firewall Settings in Router 1 (Local)
    /sbin/modprobe ipt_NETMAP
    iptables -t nat -A PREROUTING -d -j NETMAP -i tinc --to
    iptables -t nat -A POSTROUTING -s -j NETMAP -o tinc --to

    Firewall Settings in Router 2 (Remote)
    /sbin/modprobe ipt_NETMAP
    iptables -t nat -A PREROUTING -d -j NETMAP -i tinc --to
    iptables -t nat -A POSTROUTING -s -j NETMAP -o tinc --to

    Firewall Settings in Router 2 (Remote)
    /sbin/modprobe ipt_NETMAP
    iptables -t nat -A PREROUTING -d -j NETMAP -i tinc --to
    iptables -t nat -A POSTROUTING -s -j NETMAP -o tinc --to
  99. lancethepants

    lancethepants Network Guru Member

    Each network locally will continue to operate as it has before the VPN. From your firewall examples, it looks as though each local network is configured with If each network has a samba share on IP address, then locally on each network, that is the IP address by which you will access the samba share. Then network 1 will access networks 2's samba share at IP address, and network 3's samba share is at Both network 2 and 3 will access network 1's samba share through IP address

    Your iptables rules look like they should work fine.

    Then in the 'hosts' section of the tinc gui on each router, you will have the substituted address for each node present, and the hosts section will be identical on all the routers.
    router 1 ->
    router 2 ->
    router 3 ->
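    The two replies above from lancethepants (the rule that every node needs a distinct substituted subnet, and the walk-through of which address reaches which site's samba share) describe a 1:1 NETMAP translation. The Python model below is an added example, not code posted in this thread or shipped with tinc or Tomato; all addresses in it are constructed sample values (every site runs 192.168.1.0/24 locally, router1 through router3 are given 10.10.1.0/24 through 10.10.3.0/24 as substitutes). It shows what the PREROUTING and POSTROUTING NETMAP rules do to a packet's addresses, traces one flow end to end, generates the per-router iptables lines in the shape used in the thread, and checks the substitute plan for the overlap mistake the reply warns about.

```python
"""Model of the 1:1 NETMAP subnet substitution used to join several tinc
nodes whose LANs all share the same private subnet.

Added example, not code from the thread. All addresses are constructed
sample values: every site runs 192.168.1.0/24 locally, and each router is
given its own substitute /24 under 10.10.0.0/16 that the rest of the mesh
uses to reach that site.
"""
import ipaddress

# Constructed sample topology: the LAN every site uses, and one substitute per router.
REAL_LAN = ipaddress.ip_network("192.168.1.0/24")
SUBSTITUTES = {
    "router1": ipaddress.ip_network("10.10.1.0/24"),
    "router2": ipaddress.ip_network("10.10.2.0/24"),
    "router3": ipaddress.ip_network("10.10.3.0/24"),
}


def netmap(addr, src_net, dst_net):
    """What the NETMAP target does: swap the network part, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs two networks of the same size")
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def inbound(router, dst):
    """PREROUTING on `router`: a peer addressed our substitute, rewrite to the real LAN."""
    return netmap(dst, SUBSTITUTES[router], REAL_LAN)


def outbound(router, src):
    """POSTROUTING on `router`: a LAN host leaves over tinc, present it as the substitute."""
    return netmap(src, REAL_LAN, SUBSTITUTES[router])


def traverse(src_router, dst_router, src_host, dst_substitute_host):
    """Follow one packet across the mesh; return (src, dst) as the destination LAN host sees them."""
    on_wire_src = outbound(src_router, src_host)              # leaves site A as 10.10.A.x
    delivered_dst = inbound(dst_router, dst_substitute_host)  # arrives at site B as 192.168.1.y
    return str(on_wire_src), str(delivered_dst)


def check_substitutes(subs, real_lan=REAL_LAN):
    """The constraint from the thread: no node may keep the real LAN as its tinc
    subnet, and no two nodes may share (or overlap) a substitute, otherwise at
    least two nodes become indistinguishable to the mesh."""
    seen = []
    for name, net in subs.items():
        net = ipaddress.ip_network(str(net))
        if net == real_lan:
            return False, f"{name} still announces the real LAN {real_lan}"
        if any(net.overlaps(other) for other in seen):
            return False, f"{name} overlaps another node's substitute"
        seen.append(net)
    return True, "ok"


def iptables_rules(router):
    """Firewall lines for one router, in the shape used in the thread."""
    sub = SUBSTITUTES[router]
    return [
        "/sbin/modprobe ipt_NETMAP",
        f"iptables -t nat -A PREROUTING -i tinc -d {sub} -j NETMAP --to {REAL_LAN}",
        f"iptables -t nat -A POSTROUTING -o tinc -s {REAL_LAN} -j NETMAP --to {sub}",
    ]


def hosts_subnets():
    """The Subnet each node advertises in the shared tinc hosts files: identical on every router."""
    return {name: f"Subnet = {net}" for name, net in SUBSTITUTES.items()}


if __name__ == "__main__":
    ok, why = check_substitutes(SUBSTITUTES)
    print("substitute plan:", why)
    for r in SUBSTITUTES:
        print(f"\n# {r}")
        print("\n".join(iptables_rules(r)))
    # A host at site 1 reaches site 2's samba box (192.168.1.50 there) via 10.10.2.50.
    print("\nsite 2 sees the flow as", traverse("router1", "router2", "192.168.1.50", "10.10.2.50"))
```

    Because only host bits are kept, a samba share that is 192.168.1.50 at every site is reached from any other site as 10.10.N.50, where N picks the site; the reply comes back to the original sender because the far router's POSTROUTING rewrites its source into that same substitute. The interface matches (`-i tinc` / `-o tinc`) keep the rewrite off the LAN side, so each site keeps using its real addresses locally, exactly as the reply describes.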
  100. eangulus

    eangulus Network Guru Member

    Understood, and will be trying it out in a moment.

    But that last part about putting in the substituted address in the Hosts section is the catch. Originally I wanted this to work with TAP but it seems I can't enter the addresses unless it is set as TUN. Is there a particular reason for this?