I have in the past used OpenVPN to setup a VPN connection between home and my VPS. Usually everything was good, and worked the way i wanted it to. The troubles started when i wanted to add a Notebook and various Development Virtual Machines to this network. I somehow managed to put this together, add some more services and keep this thing alive.
It was no fun whatsoever to use and maintain though, so i needed a new Solution.
I started exploring alternatives to OpenVPN and quickly stumbled on Tinc which looked exactly like what i needed. The Setup is fairly easy to do, and there is plenty of Documentation available online already.
At first i used Tinc’s “Router” Mode with multiple networks connected together, like i used to have with the OpenVPN setup. Routing in such a small network though is painfull, and if you constantly add new devices and networks you’ll pretty quickly grow tired of maintaining your static routes.
I’ve since simply setup Tinc to do “Switch” mode where it acts as a simple Network switch (as the name suggests). All endpoints can now share the same network and there is no need to setup routes anymore.
Another advantage is, that you can use the Linux Bridge Utils to put your Tinc interface into a bridge with a local Lan interface, and immediately have that entire network added to your Tinc VPN.
My current setup looks like this:
- At home i have a OpenWRT Router with Tinc installed, where the Tinc interface is simply added to the Bridge that OpenWRT already has
- On my VPS i have a Tinc endpoint
- On my Notebook i also just have a tinc endpoint.
Both my Notebook and my VPS are now always on my Local Lan, no matter where i am physically.
Adding Zeroconf DNS to the mix
With the Tinc setup above your life will already be much better. With some tiny shell scripts my Notebook figures out if it’s at home or on the road and connects to my VPN automatically. Everywhere i go i have my Home Network with me.
Now there’s only one Problem left: DNS
When you connect to a foreign network, you will usually be issued a DHCP IP and a DNS Server along with it. That DNS Server obviously knows nothing about the Hosts you have at home.
After i started using tinc, i setup a DNS Server at home to serve my Hostnames, and built a bunch of shell scripts that would make sure all endpoints used that DNS. That is not a very good solution.
The only real alternative to using DNS is Zeroconf DNS or mDNS: Your System will announce it’s Hostname and IP Address via Multicast.
As i already had a Switched VPN network, all i had to do was to replace the DNS server with Zeroconf. I simply installed Avahi and the mDNS Resolver on all my hosts, and started using the .local hostnames for everything. This works flawlessly on OS-X too. Windows is a bit hit and miss, as the Bonjour implementation from Apple on Windows seems a bit lacking.
This Setup has a couple of benefits that i don’t want to miss anymore.
- Static Network Layout: It doesn’t matter if i am at home or on the road, my Network configuration always looks the same everywhere.
- Dynamic Autoconfiguration: Once you have Tinc and Avahi running, there is really nothing you need to do anymore configuration wise. You configure it once, and it just works. I haven’t had that experience with OpenVPN which was a constant struggle to keep running.
- Encryption everywhere: I don’t like people spying on me, if i connect my Notebook to a “hostile” network, chances are my usage will be monitored somehow. With the VPN Configuration i can just route all my HTTP traffic to a Squid Proxy running on my VPS and know that nobody will be able to sniff my connection.
- Easy to Expand: At home i don’t really need to do anything, i can just add Virtual Machines. The Tinc Tunnel is bridged with my LAN, and all traffic is automatically forwarded.
I have a MySQL Database running on my VPS. If i wanted to connect to it from Home without the VPN configuration, i would need to expose the MySQL server to the public internet. With the VPN i can just let it listen on the VPN interface, and don’t need to worry about exposing it. With Avahi on the VPS i have a “public” (aello.beerta.net) and a “private” (aello.local) hostname. This way i don’t need to remember IP Addresses.
Before i ditched Apple, i also used to have a iTunes running at home to serve music through Bonjour, as my VPN network was in one broadcast domain, i could listen to Music from whereever i was. Something that Apple tries to make sure you can’t do.
The only problem with this setup is: If your Home Lan Network Range clashes with the network you connect to physically you are doomed. So choose a network range at home that is as small as possible and fairly uncommon.
Aliases with Avahi
For my Development VMs i need a way to have multiple Hostnames for one IP. Unfortunately the standard Avahi Installation does not yet allow Aliases. Fortunately though somebody spent some time and build avahi-alias.py that does exactly what i need.
On Debian you just need to install
you can run
avahi-alias.py development.local to Create the alias in your
lan, which will then instantly broadcast througout the Tinc Network.
If you’d like a bit more details on the Setup drop me a note, and i’ll put up some more documentation on the entire setup.