
Tinc – A Virtual Private Network (VPN) Daemon - simonpure
http://tinc-vpn.org/
======
gsliepen
Main author of tinc here: it's great to see this get to the front page of HN!
Development has been quite slow the last few years. Feel free to contribute to
tinc!

It would be great to get version 1.1 out the door, and then focus on the
future. One possibility that is very tempting would be to use Wireguard as a
back-end for the end-to-end communication between peers, but have tinc manage
the whole mesh, to get the best of both worlds.

------
mirimir
As others note, it's trivial with tinc to set up mesh networks, with both
direct and indirect routing among peers. It's the basis of CCC's ChaosVPN.[0]
Also, it works well as a Tor v3 onion service, and so provides an alternative
to OnionCat, which will become unusable when the Tor Project deprecates the v2
onion protocol next year.

0)
[https://wiki.hamburg.ccc.de/ChaosVPN](https://wiki.hamburg.ccc.de/ChaosVPN)

------
kitotik
I was a long-time user of this for both work and personal. It’s a really
fantastic and underrated project.

I’ve since followed the momentum and moved to wireguard, but I’m a little sad
Tinc hasn’t gained the mindshare it deserves.

The simplicity of config and mesh networking are far more pleasant and
practical to work with than Wireguard, at the expense of a few ms in latency.

~~~
marcrosoft
How do you manage your wireguard setup? Mine breaks pretty much every time I
upgrade because it depends on a kernel module. Maybe this goes away when I can
upgrade to the latest kernel with native support?

~~~
zx2c4
Here's where we're at with WireGuard distro kernel shipping support, as of
writing (July 4, 2020):

- Ubuntu Focal 20.04 LTS: native built-in
- Ubuntu Eoan 19.10: native built-in
- Ubuntu Bionic 18.04 LTS: native built-in
- Ubuntu Xenial 16.04 LTS: dkms :(
- Ubuntu Trusty 14.04 LTS: dkms :(
- Debian: native built-in
- Fedora: native built-in
- Mageia: native built-in
- Arch: native built-in
- OpenSUSE: native built-in
- SUSE Linux Enterprise: native built-in
- Alpine: native built-in
- Gentoo: native built-in
- Exherbo: native built-in
- NixOS: native built-in
- RHEL/CentOS: dkms and elrepo kmod :(
- Void: native built-in
- Adélie: native built-in
- Source Mage: native built-in
- Buildroot: native built-in

The rule of thumb here is: distros with kernel ≥ 5.6 have it native built-in,
plus a few distros that have backported it, like Ubuntu, Debian, and SUSE. I'm
in the process of working with other distros to get it backported; we'll see
if I'm successful. I'm also maintaining a 5.4.y backport for distros who ship
this LTS kernel (like Oracle's UEK), to make backporting it easier:
[https://git.zx2c4.com/wireguard-linux/log/?h=backport-5.4.y](https://git.zx2c4.com/wireguard-linux/log/?h=backport-5.4.y).
There are instructions for each distro on
[https://www.wireguard.com/install/](https://www.wireguard.com/install/).

If you're presently having "update troubles", make sure you're using the
latest variant of any of the "native built-in" distros written above.
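
The rule of thumb above (kernel ≥ 5.6 or a distro backport means native, otherwise dkms) can be turned into a check you run before a kernel upgrade. This is an added example, not code from the thread or from the WireGuard project; it classifies the module from what `modinfo -n wireguard` reports (kmod prints `(builtin)` for a module compiled into the kernel) and from the `uname -r` string, and the module paths in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: classify how WireGuard reaches a Linux
# host, so you know in advance whether a kernel upgrade can break it.
#   native      - module shipped with the distro kernel (>= 5.6, or a distro
#                 backport): survives kernel upgrades
#   dkms        - out-of-tree module rebuilt by DKMS on every upgrade: the case
#                 that breaks when headers are missing or the build fails
#   out-of-tree - prebuilt kmod (e.g. elrepo) tied to one kernel ABI
#   missing     - no wireguard module known to modinfo at all

# kernel_at_least RELEASE MAJOR.MINOR -> exit 0 if RELEASE is at least that
# version; the "-42-generic" style suffix of uname -r is ignored.
kernel_at_least() {
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -s -d. -f2)
    : "${major:=0}" "${minor:=0}"
    want_major=${2%%.*}
    want_minor=${2#*.}
    if [ "$major" -gt "$want_major" ]; then return 0; fi
    if [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# module_source FILENAME -> native | dkms | out-of-tree | missing
# FILENAME is what `modinfo -n wireguard` prints: "(builtin)" for a module
# compiled into vmlinux, otherwise the path of the .ko file.
module_source() {
    case "$1" in
        "")                         echo missing ;;
        "(builtin)")                echo native ;;
        */updates/dkms/*)           echo dkms ;;        # DKMS rebuilds this
        */extra/*|*/weak-updates/*) echo out-of-tree ;; # elrepo-style kmod
        */kernel/*)                 echo native ;;      # in-tree loadable module
        *)                          echo out-of-tree ;;
    esac
}

# wireguard_status RELEASE FILENAME -> one token, easy to feed into monitoring
wireguard_status() {
    src=$(module_source "$2")
    if [ "$src" = missing ]; then
        if kernel_at_least "$1" 5.6; then
            echo missing-kernel-ok        # CONFIG_WIREGUARD off or tools absent
        else
            echo missing-needs-backport   # pre-5.6 kernel without a backport
        fi
    else
        echo "$src"
    fi
}

# Live check on the current host; only runs when the script is given --live.
report_live() {
    rel=$(uname -r)
    path=$(modinfo -n wireguard 2>/dev/null || true)
    printf 'kernel %s: wireguard=%s\n' "$rel" "$(wireguard_status "$rel" "$path")"
}

if [ "${1:-}" = "--live" ]; then
    report_live
fi
```

A `dkms` result is the situation the parent comment describes: the module is rebuilt on every kernel install, so keep the matching kernel headers installed or move to a release that ships it natively. `missing-kernel-ok` means the kernel is new enough but the distro kernel config or the `wireguard-tools` package is what is absent.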

~~~
luckman212
I hope FreeBSD gets it soon too. I know they're working on it.

~~~
nix23
Already in ports:

[https://www.freshports.org/net/wireguard/](https://www.freshports.org/net/wireguard/)

Work for in-kernel is in full swing.

------
dang
If curious see also

2018
[https://news.ycombinator.com/item?id=16325394](https://news.ycombinator.com/item?id=16325394)

------
wener
I use tinc for work and personally. I recently built a hybrid k8s using tinc
as the flannel backend; it is reliable and easy to maintain. I also use tinc
Switch mode, which works on L2, so DHCP works; wireguard can only work on L4.

~~~
alyandon
Similar issue here - I want functional mDNS so I'm sticking with tinc for the
foreseeable future. I'd really like to see tinc evolve to be able to use
pluggable transports so that WG could form the backbone though.

------
marcrosoft
How does this or ZeroTier compare to WireGuard besides the fact WireGuard
doesn’t have much of a UI or key management?

~~~
tptacek
WireGuard is like a modernized version of the SPTPS protocol --- SPTPS is a
denatured variant of TLS --- that tinc uses, (ordinarily) coupled to the Linux
networking stack. It is something you would build a modern version of tinc on
top of, not a competitor to tinc. See Tailscale for an example of something
that looks a lot like tinc, but built on WireGuard.

Tinc's security track record has not been especially great†, and while
WireGuard and tinc are both written in C, tinc is a great ghastly blob of C,
and WireGuard was written defensively by a vulnerability researcher to
minimize attack surface --- the whole thing is about 4000 lines of code, and
can be run without memory allocation.

So if you were just comparing SPTPS to WireGuard, it'd be no contest at all:
you'd always, always prefer WireGuard. And that's what most people should do,
because most people run simple access VPNs that don't need elaborate mesh
routing features. For the minority that do, for now, there's Tailscale and
Tinc; maybe Tinc can do a 2.0 on top of WireGuard, with its userland
components in a memory-safe language.

† _This, in particular, is not the commit message you want to see in a fix for
an error oracle vulnerability:
[https://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a](https://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a)_

~~~
marcrosoft
Thanks for the rundown. I’m already using wireguard so I’ll stick with that
and hopefully figure out some of the kernel upgrade issues I’ve run into.

Tailscale is an automatic no for me. I won’t use proprietary software for
something as important as this. Even with tinc's history I’d much rather go
with open source.

~~~
xyzzy_plugh
Tailscale is open source. Your data might route through their servers (e.g.
STUN) but it's E2E encrypted, which you can verify easily.

~~~
opqpo
It is NOT. It's paid commercial software where only the client is open
source.

------
ilaksh
Years ago when I was building out a Docker hosting startup that never went
anywhere, it was largely based on using Tinc to create a VPN so that your
applications in different containers could all talk together.

------
jsilence
I always found tinc rather difficult to set up. Have had a more convenient
experience with zerotier one.

~~~
mrmattyboy
I agree, but the actual simplicity (no meta server etc.) is amazing. I've
found it to be incredibly reliable and low overhead. (I've been using it for
years for MySQL replication and docker across low latency WAN connections.)

~~~
hartzell
> I've found it to be incredibly reliable and low overhead.

(I'm a bit confused which of tinc and zerotier in the parent post you're
referring to....)

By "it", you mean _tinc_ , correct?

------
fulafel
Are there implementations in memory safe languages?

