tinc IPv6 VPN router on a Raspberry Pi – part one
January 16th, 2015 by Anders Kringstad

In December 2014 I had the opportunity to work with Nordic Semiconductor (Nordic) on a consultancy project aimed at equipping their sales team with a demonstration kit that allowed Bluetooth Smart technology (Bluetooth low energy devices) to talk to services on the Internet using IPv6.

The problem Nordic faced is that you cannot know what kind of network you will be presented with when doing a demonstration, and most networks are set up with only IPv4 RFC1918 local network addressing with NAT and one public IPv4 address on the outside (WAN) before you reach the Internet. There is close to zero native IPv6 connectivity in most venues; hence, you need to do some level of tunnelling / VPN to get IPv6 onto your kit that talks IPv6.

The do and do-not.
Before I was invited to the project Nordic had already started out with the basic idea that a broadband router with dual stack IPv4/IPv6 connectivity could cater for this with a Raspberry Pi on its local WLAN or wired LAN. The Raspberry Pi would then allow the Bluetooth devices to connect to it through the Bluetooth network interface using the 6LoWPAN technology that recently has emerged in kernel space (starting with the Linux kernel series 3.17).

However, we quickly became aware of the issues with such broadband routers: Their IPv6 capabilities exist on paper, but are, more often than not, badly implemented or even tacked onto the software part of the devices after the initial design is done. Opening a web browser talking to your broadband router will mostly give you menus saying things like “Network => WAN, WLAN, LAN” and at the very end of the row of other tabs like “Security” and “Administration” you get this new one... “IPv6”. Right.

Disappointed with the sorry state of technology at this stage I went back home and thought about how to do things properly. “Properly” in this context must be, I thought, some kind of device that always will try to connect to the Internet and present you with an IPv6 connection you can share with devices on your LAN, no matter what state the local network is in. I used Google. I used IRC, I talked to other skilled people on the phone and took a long walk.

Enter tinc
Then I found this project called “tinc”. The tinc VPN website says this about the software:
“Tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet. Tinc is Free Software and licensed under the GNU General Public License version 2 or later. Because the VPN appears to the IP level network code as a normal network device, there is no need to adapt any existing software. This allows VPN sites to share information with each other over the Internet without exposing any information to others.”

Tinc uses private/public keys to authenticate all nodes in a VPN and can therefore cater for incoming clients without static endpoints (e.g. static IPv4/IPv6 connectivity) as long as the router has both an IPv4 and an IPv6 address with static connectivity.

I decided to give tinc a run. I then remembered the request from Nordic that the Raspberry Pi was to be the device connecting things to the router and then to the Internet. I researched the Raspbian (Debian based operating system to run on Raspberry Pi devices) software repositories and happily discovered that tinc was already packaged for Debian and had made its way into the Raspbian repositories as well.

Basic connectivity – the Raspberry Pi, you and the Internet
Connecting to the Raspberry Pi from your computer has always been the main problem for people trying to explore the device and its usage. To be able to talk to the device directly from your computer you could give it a LAN IPv4 address and talk to it directly through your computer's LAN port. Most modern computers automatically cross their RJ45-ports so that devices can be connected directly. Thus, you can use your computer as a gateway for the Raspberry Pi and onto your WLAN and the Internet.

This is quite easily done using the howto at http://www.penguintutor.com/linux/raspberrypi-headless or similar pages. However, to always have the option to connect by LAN to the Pi you would need to modify the howto a bit. Do as the howto says, but at the stage describing the interfaces file, modify it so that you use the following entries:

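auto lo
iface lo inet loopback
# Primary address: request a DHCP lease from whatever network the Pi is plugged into
auto eth0
iface eth0 inet dhcp
# Alias with a fixed RFC1918 address for a direct cable to your computer;
# "auto" is needed so the alias is brought up at boot as well
auto eth0:1
iface eth0:1 inet static
        address 192.168.1.6
        netmask 255.255.255.0
        gateway 192.168.1.1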

By all means, edit the above to reflect your local network requirements. The idea here is that the eth0 (wired Ethernet) interface on the Pi will always try to get a DHCP IPv4 address from a DHCP server on the network it is connected to, but at the same time you will also have an eth0:1 interface defined with a static IPv4 RFC1918 address. That allows you to plug your Pi directly into your computer's network port and, after editing your own LAN configuration to match the above network for eth0:1 (use any other address than .0, .1, .6 and .255), you will be able to SSH into your Pi.
If you do not have a switch that you can connect your Pi to, this is the way to do it. After this, your computer is connected to the Pi and you can access it in headless mode with SSH. If you also happen to run Linux and use a WLAN for your Internet access you can follow these steps (as root) to act as a NAT router for your Pi and give it Internet access:

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
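
A tighter variant of the three commands above, as an added example that is not part of the original post: it limits NAT and forwarding to the Pi's subnet, lets only reply traffic back in towards the Pi, and prints the commands for review instead of running them. The function name pi_nat_rules and the wlan0 / eth0 / 192.168.1.0/24 values are assumptions based on the sample configuration earlier in this post.

```shell
#!/bin/sh
# Added example: print scoped NAT/forwarding rules for a laptop sharing its
# uplink with a directly attached Pi. Interface names and the subnet are
# assumptions taken from the article's sample configuration.

# pi_nat_rules up|down WAN_IF LAN_IF LAN_SUBNET
# Prints the commands instead of running them, so they can be reviewed
# first and then piped to a root shell.
pi_nat_rules() {
    action=$1 wan=$2 lan=$3 subnet=$4
    case $action in
        up) op=-A ;;
        down) op=-D ;;
        *) echo "usage: pi_nat_rules up|down WAN LAN SUBNET" >&2; return 2 ;;
    esac
    # Reject empty or odd interface names so a typo never becomes a rule token.
    for ifname in "$wan" "$lan"; do
        case $ifname in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: '$ifname'" >&2; return 1 ;;
        esac
    done
    [ "$wan" != "$lan" ] || { echo "WAN and LAN must differ" >&2; return 1; }
    # Accept only dotted-quad/prefix notation for the LAN subnet.
    printf '%s\n' "$subnet" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
        { echo "bad subnet: '$subnet'" >&2; return 1; }

    # NAT only traffic that originates from the Pi's subnet.
    echo "iptables -t nat $op POSTROUTING -s $subnet -o $wan -j MASQUERADE"
    # Pi -> Internet: new connections allowed, but only from the expected subnet.
    echo "iptables $op FORWARD -i $lan -o $wan -s $subnet -j ACCEPT"
    # Internet -> Pi: replies to connections the Pi opened, nothing unsolicited.
    echo "iptables $op FORWARD -i $wan -o $lan -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Everything else crossing the Pi link is dropped, whatever the chain policy is.
    echo "iptables $op FORWARD -i $lan -j DROP"
    echo "iptables $op FORWARD -o $lan -j DROP"
    # Forwarding is switched on for "up"; "down" leaves the sysctl alone because
    # other software on the laptop may rely on it.
    [ "$action" = up ] && echo "sysctl -w net.ipv4.ip_forward=1"
    return 0
}

# Review the output, then apply it with: pi_nat_rules up wlan0 eth0 192.168.1.0/24 | sudo sh
pi_nat_rules up wlan0 eth0 192.168.1.0/24
```

Rules added this way do not survive a reboot; the "down" form removes them again once the Pi no longer needs the shared connection.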

With this setup in place you can now download software from the Internet to your Raspberry Pi, and make it a node in a tinc VPN network. In part two we will look at setting up the two critical pieces of software – the tinc VPN router (on a separate dual stack machine/server on the Internet) and the tinc VPN router software on the Raspberry Pi.

