MESH based Site2Site VPN with Tinc in Docker
You have to enable the TUN interface on your Docker host.
docker build -t croc/tinc .
The auto-config procedure:
- start the tinc container on all sites
- synchronize the hosts files to all other sites (recommended way with
- restart the tinc container on all sites
I recommend using the docker-compose method on all sites, but here is a short example with docker run:
First, start the 1st container (site1):
docker run -tid --name=tinc --net=host --privileged -e SITENAME=site1 -e LANIP=192.168.1.254/24 -e SUBNET=192.168.1.0/24 -v /srv/tinc/config:/etc/tinc/site2site/hosts croc/tinc /opt/start.sh
2nd, 3rd... other containers (site2, site3 ....):
docker run -tid --name=tinc --net=host --privileged -e SITENAME=site2 -e LANIP=192.168.2.254/24 -e SUBNET=192.168.2.0/24 -v /srv/tinc/config:/etc/tinc/site2site/hosts croc/tinc /opt/start.sh
docker run -tid --name=tinc --net=host --privileged -e SITENAME=site3 -e LANIP=192.168.3.254/24 -e SUBNET=192.168.3.0/24 -e PUBADDR=22.214.171.124 -v /srv/tinc/config:/etc/tinc/site2site/hosts croc/tinc /opt/start.sh
...
- You have to use the --privileged parameter, because the container needs the tun/tap interface on the Docker host.
- /srv/tinc/config stores your tinc config on your Docker host.
- -e LANIP=... defines the container's IP on your LAN network.
- -e SUBNET=... defines your LAN network. You can use a wider network address like 172.17.0.0/19 or something similar. This is your choice.
- If you have multiple WAN connections or some other reason, you can override the automatic public IP finder mechanism with the -e PUBADDR=126.96.36.199 parameter for your public IP.
Don't forget the last step! (check the 'Usage' chapter for more info):
You have to restart the tinc container on every host if the network doesn't work the first time.
docker restart tinc
You can use docker-compose for starting the stack (tinc and sync solution), but do not forget the site-specific config!
Change your docker-compose.yml on every site for the site-local config.
...
SITENAME: "test-site"
LANIP: "192.168.230.253/24"
SUBNET: "192.168.230.0/19"
...
Start the stack (with sync):
docker-compose up -d
... and ...
- configure the sync (Resilio, Syncthing or other)
- wait for the first config sync, until the other sites' configs have arrived on all hosts (1-5-10 mins)
- restart tinc or the full stack with
You have to stop and start every container on every site 2 times:
- 1st time, the start script generates the default config and the host's SSL key
- 2nd time, the script reads the config of the other sites and generates the "network up" script
If you've added a new site, you have to restart (stop, wait a few seconds, start) every Tinc container on every site to rewrite the config for the new site.
You can check the synchronized and rewritten site config in your Docker host's folder, for example in the
DO NOT FORGET: Sync the config of the hosts/sites from the Docker host! (example:
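A check you can run on the synced folder between the first and second restart, as an added example that is not part of this project: it parses tinc's standard hosts file format (Address, Port and Subnet lines plus the public key block) and flags sites whose public key has not been synced yet and SUBNET values that overlap between sites. The sample host files are constructed inline; the RSA key body is a placeholder.

```python
"""Sanity-check synced tinc host files before the second restart (added example, not
part of the croc/tinc project). Parses tinc's standard hosts file format (Address/Port/
Subnet lines plus the public key block) and reports missing keys and overlapping subnets."""
import ipaddress
import re

KEY_RE = re.compile(r"-----BEGIN RSA PUBLIC KEY-----|^Ed25519PublicKey\s*=", re.M)


def parse_host_file(text):
    """Return Address, Port, the list of Subnet networks and whether a public key is present."""
    info = {"Address": None, "Port": None, "Subnet": [], "has_key": bool(KEY_RE.search(text))}
    for line in text.splitlines():
        m = re.match(r"^\s*(Address|Port|Subnet)\s*=\s*(\S+)", line)
        if m and m.group(1) == "Subnet":
            info["Subnet"].append(ipaddress.ip_network(m.group(2), strict=False))
        elif m:
            info[m.group(1)] = m.group(2)
    return info


def check_hosts(hosts):
    """hosts maps site name -> host file text. Returns a list of human-readable problems."""
    parsed = {name: parse_host_file(text) for name, text in hosts.items()}
    problems = []
    for name, info in parsed.items():
        if not info["has_key"]:
            problems.append(f"{name}: no public key (first start not done, or sync incomplete)")
        if not info["Subnet"]:
            problems.append(f"{name}: no Subnet line, its LAN will not be routed")
    names = sorted(parsed)
    for i, a in enumerate(names):          # every pair of sites, each pair once
        for b in names[i + 1:]:
            for na in parsed[a]["Subnet"]:
                for nb in parsed[b]["Subnet"]:
                    if na.overlaps(nb):
                        problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


# Constructed sample: site2 has not generated its key yet, and site3 announces a wide
# 192.168.0.0/19 that swallows the other sites' /24s (public addresses are documentation ranges).
RSA = "-----BEGIN RSA PUBLIC KEY-----\nMIIB...\n-----END RSA PUBLIC KEY-----\n"
SAMPLE = {
    "site1": "Address = 203.0.113.10\nPort = 655\nSubnet = 192.168.1.0/24\n" + RSA,
    "site2": "Address = 203.0.113.20\nSubnet = 192.168.2.0/24\n",
    "site3": "Address = 203.0.113.30\nSubnet = 192.168.0.0/19\n" + RSA,
}

if __name__ == "__main__":
    print("\n".join(check_hosts(SAMPLE)) or "no problems found")
```

For a real deployment, build the dict from the files in the synced folder (one file per site, e.g. under /srv/tinc/config) and pass it to check_hosts().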
EXTRA_PARAMS - You can use this parameter if you would like to run tinc in debug mode (example: -d 3) or something similar.
Check the man page of tinc, and use that parameter.
PORT - tinc uses port 655 tcp and udp by default. You can change this with this parameter. If you use tinc behind a firewall, do not forget to forward this port to the tinc server. (Tinc uses udp by default, but if udp is not available it automatically changes to tcp mode.)
I recommend syncing Tinc's config files with Resilio or Syncthing, BitTorrent-based sync tools (simpler and easier), but I've also written a Git-based sync container.
This is a basic container that uploads and downloads Tinc's config to and from a Git repo (GitHub, Bitbucket, Gogs, GitLab, etc.)
docker-compose_gitsyncer.yml compose file to docker-compose.yml and change the parameters (for tinc and for the git repo too!)
When the tinc stack is started, the git-syncer container uploads the latest site config to the Git repository.
Sorry, but this is not a daemon! You have to restart this container or the stack (docker-compose restart) when the site config has changed.
This restart is the biggest disadvantage, and I think it is not stable enough for the long term.
I strongly recommend using another sync method to synchronize Tinc's config files.
Check my Github page and Wiki site for more information and examples.