Install and Configure tinc VPN


December 9, 2015 | Article | 1 Comment

tinc is an open-source VPN daemon that uses tunnelling and encryption to create a secure private network between hosts on the internet. Because the VPN appears to the IP level network code as a normal network device, there is no need to adapt any existing software. This allows VPN sites to share information with each other over the Internet without exposing any information to others.

tinc comes with a number of powerful features not found in other VPN solutions. For example, tinc allows peers behind NAT to communicate with one another via VPN directly, not through a third party. Other features include full IPv6 support and path MTU discovery. For a complete list, see the official tinc site.


This article uses a concrete scenario to illustrate the setup.

In this article, we will set up a VPN connection between two hosts via tinc. Let’s call these hosts “Alice” and “Bob”. We also assume that Bob will initiate the VPN connection to host “alice”.


First, install tinc on both hosts.

Linux Package Manager Way

For Debian and its derivatives (Ubuntu, Linux Mint):

sudo apt-get install tinc

For Red Hat and its derivatives (Fedora, CentOS, Scientific Linux, etc.), you should set up the Repoforge repository first and then run:

sudo yum install tinc -y

Windows Way

For a Windows system (Windows XP/Vista/7/8), there is an installation file you can use. The latest version you can find is 1.0.22.

Download and execute the file, here.

Mac OS Way

The recommended method to install tinc on Mac OS is the Macports port system. The MacPorts Project is an open-source community initiative to design an easy-to-use system for compiling, installing, and upgrading either command-line, X11 or Aqua based open-source software on the MacOSX operating system. Macports is recommended because it does not modify your system files. It keeps itself separate from your system.

XCode is a required prerequisite. It must be installed before installing Macports. Download and install the Macports system from MacForge.

  • XCode (requires free online ADC Membership); it can also be obtained from original OSX installation DVD
  • Macports

After Macports is installed, close and reopen your terminal. Update the ports system and ports list.

sudo port selfupdate
sudo port sync

Then you can install tinc and all necessary dependencies by:

sudo port install tinc

All configuration files are located in /opt/local/etc/tinc.


For each host, create a directory for tinc.

Alice machine

mkdir -p /etc/tinc/myvpn/hosts

Then create a file /etc/tinc/myvpn/tinc.conf with the following data:

Name = alice
AddressFamily = ipv4
Interface = tun0

The above example creates a “session” under the name “myvpn”. This is the name of the VPN network to be established between Alice and Bob in this scenario. The VPN name can be any alphanumeric name that does not contain “-”. In the tinc.conf example, the “Name” field indicates the name of the local host running tinc, which doesn’t have to be the actual hostname. You can choose any generic name.

Next, create the host configuration file, which contains host-specific information, at /etc/tinc/myvpn/hosts/alice with the following text:

Address =
Subnet =

The name of host configuration file (e.g., alice) should be the same as the one you defined in tinc.conf. The “Address” field indicates a globally routable public IP address associated with alice. This field is required for at least one host in a given VPN network so that other hosts can initiate VPN connections to it. In this example, alice will serve as the bootstrapping server, and so has a public IP address (e.g., The “Subnet” field indicates the VPN IP address to be assigned to alice.

Next, generate a public/private key pair (using root privileges):

tincd -n myvpn -K4096

The above command will generate 4096-bit public/private keys for host “alice”. The private key will be stored as /etc/tinc/myvpn/rsa_key.priv, and the public key will be appended to /etc/tinc/myvpn/hosts/alice.

Next, configure the scripts that will be run right after the tinc daemon is started, as well as right before the tinc daemon is terminated. Make them executable with chmod 755.

Create /etc/tinc/myvpn/tinc-up for startup script:

ifconfig $INTERFACE netmask

Create /etc/tinc/myvpn/tinc-down for shutdown script:

ifconfig $INTERFACE down

Bob Machine

mkdir -p /etc/tinc/myvpn/hosts

Then create a file /etc/tinc/myvpn/tinc.conf with the following data:

Name = bob
AddressFamily = ipv4
Interface = tun0
ConnectTo = alice

As on the Alice machine, we create a configuration for Bob. However, remember that in this scenario Bob initiates the connection to Alice. Therefore, we add a “ConnectTo” field to connect to the Alice machine.

Create a file /etc/tinc/myvpn/hosts/bob with the following data:

Subnet =

Then create a private/public key pair (using root privileges):

tincd -n myvpn -K4096

This will store Bob’s private key as /etc/tinc/myvpn/rsa_key.priv, and its public key will be added to /etc/tinc/myvpn/hosts/bob.

We also need to create two scripts similar to those on alice, namely /etc/tinc/myvpn/tinc-up and /etc/tinc/myvpn/tinc-down.

On /etc/tinc/myvpn/tinc-up, write:

ifconfig $INTERFACE netmask

On /etc/tinc/myvpn/tinc-down, write:

ifconfig $INTERFACE down

Make sure both scripts are executable.

Copying Both Keys

Next we need to copy each host’s public key file to the other host. This way, both parties can connect to the VPN network.

On Alice:

scp /etc/tinc/myvpn/hosts/alice [email protected]:/etc/tinc/myvpn/hosts/

On Bob:

scp /etc/tinc/myvpn/hosts/bob [email protected]:/etc/tinc/myvpn/hosts/

Creating Connection

After finishing the configuration, you should be able to create a connection. Based on our scenario, since Bob initiates the VPN connection, you need to start the tinc daemon on Alice first and then on Bob. Both use the same command (with root privileges):

tincd -n myvpn
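
Before starting the daemon, the files created in the steps above can be checked on each host. The following shell function is an added example, not part of the original article or of tinc itself: it audits a net directory such as /etc/tinc/myvpn for a private key readable by others, a private key that ended up in a host file that gets copied to peers, a ConnectTo target without a local host file, and tinc-up/tinc-down scripts that are not executable or are writable by others. The function names are hypothetical, and it assumes the "Key = value" spelling used in this article and PEM "BEGIN RSA PUBLIC KEY" / "PRIVATE KEY" header lines in the key files.

```shell
#!/bin/sh
# Added example: audit one tinc net directory, e.g. audit_tinc_net /etc/tinc/myvpn
# Prints one line per finding and returns the number of findings (0 = clean).

# conf_get FILE KEY -> values of "KEY = value" lines, as written in this article
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null
}

# group_other FILE -> the six group/other permission characters from ls -l
group_other() { ls -ld "$1" | cut -c5-10; }

audit_tinc_net() {
    dir=$1; n=0
    bad() { echo "FINDING: $*"; n=$((n + 1)); }

    name=$(conf_get "$dir/tinc.conf" Name | head -n 1)
    [ -n "$name" ] || bad "tinc.conf missing or has no Name"

    # Private key: must exist and be inaccessible to group/other.
    key=$dir/rsa_key.priv
    if [ ! -f "$key" ]; then bad "no rsa_key.priv (run tincd -n <net> -K4096)"
    elif [ "$(group_other "$key")" != "------" ]; then
        bad "rsa_key.priv is accessible to group/other (chmod 600)"
    fi

    # Own host file must carry the public key appended by tincd -K.
    [ -n "$name" ] && ! grep -q 'BEGIN RSA PUBLIC KEY' "$dir/hosts/$name" 2>/dev/null \
        && bad "hosts/$name has no public key"

    # Host files are copied to peers: they must never contain a private key.
    for h in "$dir"/hosts/*; do
        [ -f "$h" ] && grep -q 'PRIVATE KEY' "$h" && bad "$h contains a private key"
    done

    # Every ConnectTo target needs a local host file with Address and key.
    for peer in $(conf_get "$dir/tinc.conf" ConnectTo); do
        p=$dir/hosts/$peer
        [ -f "$p" ] || { bad "ConnectTo = $peer but hosts/$peer is missing"; continue; }
        [ -n "$(conf_get "$p" Address)" ] || bad "hosts/$peer has no Address"
        grep -q 'BEGIN RSA PUBLIC KEY' "$p" || bad "hosts/$peer has no public key"
    done

    # tinc-up/tinc-down run as root: executable, not writable by group/other.
    for s in tinc-up tinc-down; do
        [ -x "$dir/$s" ] || { bad "$s missing or not executable"; continue; }
        case $(group_other "$dir/$s") in ?w*|????w*) bad "$s is group/other-writable" ;; esac
    done
    return "$n"
}
```

Source the file and run audit_tinc_net /etc/tinc/myvpn as root on both hosts after the host files have been exchanged; a non-zero exit status is the number of findings.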

