Install tinc

Install tinc

apt install tinc

tinc-up / tinc-down scripts

##tinc-up
#!/bin/sh
# Run by tincd when the VPN interface comes up; $INTERFACE is set by tincd.
# 10.10.10.1 is node A's address on the tinc network; node B uses 10.10.10.14.

ip link set $INTERFACE up
ip addr add 10.10.10.1/32 dev $INTERFACE
ip route add 10.10.10.0/24 dev $INTERFACE

##tinc-down
#!/bin/sh
# Run by tincd on shutdown; undo tinc-up in reverse order.

ip route del 10.10.10.0/24 dev $INTERFACE
ip addr del 10.10.10.1/32 dev $INTERFACE
ip link set $INTERFACE down

Generate the key pair

tincd -n synology_pub -K4096

-n names the network (the directory under /etc/tinc/) and -K4096 creates a 4096-bit RSA key pair: the private key is written to rsa_key.priv and the public key is appended to this node's own file under hosts/, so tinc.conf with Name already set must exist before running it.

Start at boot

systemctl enable tinc@<network name>
systemctl start tinc@<network name>

The installation itself is straightforward and well covered elsewhere online.

Network layout

The network architecture is as follows:

[image: Pasted_image_20250816095158.png]

The current requirement is that every machine on 192.168.17.0/24 can reach the 192.168.10.0/24 network.

Cross-subnet routing

My tinc.conf is as follows:

Name = client_nanjing_n1
ConnectTo = client_raspberry_3b
AddressFamily = ipv4
Device = /dev/net/tun
# Interface name only; in switch mode tinc opens it as a TAP (Ethernet) device
Interface = tun0
# Listen on every local address, port 65222
BindToAddress = * 65222
# Layer-2 forwarding by MAC address (the default, router, forwards by Subnet)
Mode = switch
Compression = 11
TCPOnly = yes
# Used by the tinc 1.0 protocol; tinc 1.1 peers negotiate SPTPS between themselves
Cipher = aes-256-cbc
Digest = sha256
PingInterval = 60
PingTimeout = 60
MaxConnections = 300
LocalDiscovery = yes
# Cap the tunnel MTU and clamp TCP MSS so large packets are not fragmented
PMTU = 1400
PMTUDiscovery = yes
MTUInfoInterval = 5
ClampMSS = yes

Those are all routine settings; what matters is the hosts/ directory. The host file client_nanjing_n1 looks like this:

# This node's own address on the tinc network
Subnet = 10.10.10.1/32
# The LAN behind this node that other members reach through it
Subnet = 192.168.10.0/24
Address = xxxxx
Port = 65222

-----BEGIN RSA PUBLIC KEY-----
xxxxx
-----END RSA PUBLIC KEY-----

You can see that node A declares, in its host file, the subnet it sits on, 192.168.10.0/24. One caveat: with Mode = switch tinc forwards by MAC address, so this Subnet line does not by itself steer 192.168.10.0/24 traffic to node A; the kernel route added on node B below (via 10.10.10.1) is what does that. With the default Mode = router, the Subnet declaration is what tinc uses to pick the destination node, so there it is required.

Confirm the tinc nodes can reach each other

Ping confirms that node A and node B can reach each other.
Node A

ping 10.10.10.14
PING 10.10.10.14 (10.10.10.14) 56(84) bytes of data.
64 bytes from 10.10.10.14: icmp_seq=1 ttl=64 time=5.63 ms
64 bytes from 10.10.10.14: icmp_seq=2 ttl=64 time=5.80 ms
64 bytes from 10.10.10.14: icmp_seq=3 ttl=64 time=5.55 ms
64 bytes from 10.10.10.14: icmp_seq=4 ttl=64 time=5.44 ms
^C
--- 10.10.10.14 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 9ms
rtt min/avg/max/mdev = 5.437/5.602/5.796/0.160 ms

Node B

ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=5.38 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=5.68 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=5.23 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=64 time=8.92 ms
^C
--- 10.10.10.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.230/6.303/8.924/1.521 ms

Configure forwarding on node A

First enable IP forwarding:

# Enable IP forwarding now ...
sysctl -w net.ipv4.ip_forward=1
# ... and make it survive a reboot (echo 1 > /proc/sys/net/ipv4/ip_forward alone is lost on restart)
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ip-forward.conf
sysctl --system

Then the iptables rules:

# Let traffic arriving from the tunnel out to the LAN ...
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# ... and only replies back in (the requirement is one-way, tunnel -> LAN)
sudo iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Hide the tunnel subnet behind node A's LAN address
sudo iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

Two things to check. The ACCEPT rules only restrict anything if the FORWARD chain's policy is DROP; with the default ACCEPT policy everything is forwarded regardless. And the MASQUERADE rule covers 10.10.10.0/24 only: packets from hosts on 192.168.17.0/24 behind node B keep their source address, so they need either a MASQUERADE rule of their own or a return route on the 192.168.10.0/24 side, and node A itself needs a route back to 192.168.17.0/24 via 10.10.10.14.
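The two designs above (masquerade, or route and rely on a return route) are easy to mix up, so here is an added example, not code from the page, that prints node A's complete rule set for either design so it can be reviewed before it is applied, and applies it idempotently. The interface and address names are assumed from the page: tun0, eth0, 10.10.10.0/24, node B at 10.10.10.14 and the LAN 192.168.17.0/24 behind it.

```sh
#!/bin/sh
# Added example (not from the page). Assumed names, taken from the page:
# VPN interface tun0, LAN interface eth0, tinc net 10.10.10.0/24,
# node B's VPN address 10.10.10.14, LAN behind node B 192.168.17.0/24.

# gen_gateway_rules MODE VPN_IF LAN_IF VPN_NET REMOTE_LAN PEER_VPN_IP
#   nat    - MASQUERADE behind node A's LAN address: LAN hosts need no return
#            route, but cannot initiate connections toward the VPN side.
#   routed - no NAT: LAN hosts see the real 10.10.10.x / 192.168.17.x source,
#            so the LAN gateway (or each host) needs a static route back via node A.
gen_gateway_rules() {
  mode=$1
  vpn_if=$2
  lan_if=$3
  vpn_net=$4
  remote_lan=$5
  peer=$6
  case $mode in
    nat|routed) ;;
    *) echo "usage: gen_gateway_rules nat|routed VPN_IF LAN_IF VPN_NET REMOTE_LAN PEER_VPN_IP" >&2; return 2 ;;
  esac
  # Replies to hosts behind node B must go back into the tunnel. Needed in both
  # modes: in nat mode conntrack restores the 192.168.17.x destination before routing.
  echo "ip route replace $remote_lan via $peer dev $vpn_if"
  # VPN -> LAN: new flows only from the two source nets we trust
  echo "iptables -A FORWARD -i $vpn_if -o $lan_if -s $vpn_net -j ACCEPT"
  echo "iptables -A FORWARD -i $vpn_if -o $lan_if -s $remote_lan -j ACCEPT"
  # LAN -> VPN: replies only (the requirement is one-way)
  echo "iptables -A FORWARD -i $lan_if -o $vpn_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # Explicit drops, so the policy holds even if the FORWARD chain policy is ACCEPT
  echo "iptables -A FORWARD -i $vpn_if -o $lan_if -j DROP"
  echo "iptables -A FORWARD -i $lan_if -o $vpn_if -j DROP"
  if [ "$mode" = nat ]; then
    # The page only masquerades 10.10.10.0/24; hosts behind node B keep their
    # 192.168.17.x source unless that net is masqueraded as well.
    echo "iptables -t nat -A POSTROUTING -s $vpn_net -o $lan_if -j MASQUERADE"
    echo "iptables -t nat -A POSTROUTING -s $remote_lan -o $lan_if -j MASQUERADE"
  fi
}

# apply_gateway_rules MODE ...: persistent ip_forward, then each rule, skipping
# rules that are already present (iptables -C). Needs root.
apply_gateway_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-tinc-forward.conf
  gen_gateway_rules "$@" | while IFS= read -r cmd; do
    case $cmd in
      iptables*" -A "*)
        # -C checks for an identical rule; append only when it is missing
        if ! eval "${cmd%% -A *} -C ${cmd#* -A }" 2>/dev/null; then
          eval "$cmd"
        fi ;;
      *) eval "$cmd" ;;
    esac
  done
}

# usage: gen_gateway_rules nat tun0 eth0 10.10.10.0/24 192.168.17.0/24 10.10.10.14
#        apply_gateway_rules routed tun0 eth0 10.10.10.0/24 192.168.17.0/24 10.10.10.14
```

Pick one mode and keep it: in routed mode the static route on the LAN gateway described further down is mandatory; in nat mode it is not, but then nothing on 192.168.10.0/24 can initiate a connection to the VPN side.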

Configure the route on node B

Node B only needs a route to the target network:

ip route add 192.168.10.0/24 via 10.10.10.1
# On Windows (add -p to keep it across reboots):
# route add 192.168.10.0 mask 255.255.255.0 10.10.10.1

It can also go into the tinc-up script, so that it is added whenever the tunnel comes up.
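Putting the install steps (tinc-up/tinc-down, key generation, systemd unit) and this cross-subnet route together, here is an added example, not from the page, that generates a node's tinc-up and tinc-down pair with the route baked in, installs them and enables the daemon. The only assumption beyond the page is the name of the scratch variable TINC_ROOT, which defaults to tinc's /etc/tinc and lets you inspect the generated scripts somewhere else first.

```sh
#!/bin/sh
# Added example (not from the page): write a node's tinc-up/tinc-down pair and
# enable the daemon. TINC_ROOT defaults to tinc's /etc/tinc; point it at a
# scratch directory to inspect the generated scripts without root.
TINC_ROOT=${TINC_ROOT:-/etc/tinc}

# render_tinc_up VPN_ADDR VPN_NET [REMOTE_LAN PEER_VPN_ADDR]
#   node A: render_tinc_up 10.10.10.1 10.10.10.0/24
#   node B: render_tinc_up 10.10.10.14 10.10.10.0/24 192.168.10.0/24 10.10.10.1
render_tinc_up() {
  cat <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $1/32 dev "\$INTERFACE"
ip route replace $2 dev "\$INTERFACE"
EOF
  if [ -n "$3" ]; then
    # Cross-subnet route through the tunnel. With Mode = switch the kernel route
    # is what steers the traffic; in router mode the peer's host file must also
    # declare the remote LAN as a Subnet.
    echo "ip route replace $3 via $4 dev \"\$INTERFACE\""
  fi
}

# render_tinc_down: same arguments, undoes tinc-up in reverse order
render_tinc_down() {
  echo '#!/bin/sh'
  if [ -n "$3" ]; then
    echo "ip route del $3 via $4 dev \"\$INTERFACE\""
  fi
  cat <<EOF
ip route del $2 dev "\$INTERFACE"
ip addr del $1/32 dev "\$INTERFACE"
ip link set "\$INTERFACE" down
EOF
}

# install_tinc_scripts NET VPN_ADDR VPN_NET [REMOTE_LAN PEER_VPN_ADDR]
install_tinc_scripts() {
  net=$1
  shift
  dir="$TINC_ROOT/$net"
  mkdir -p "$dir/hosts"
  render_tinc_up "$@" > "$dir/tinc-up"
  render_tinc_down "$@" > "$dir/tinc-down"
  chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# Generate the RSA key pair once (tincd appends the public key to this node's
# hosts/ file, so tinc.conf with Name= must exist first) and start at boot.
# Needs root and a real tinc install.
enable_tinc_node() {
  net=$1
  if [ ! -f "$TINC_ROOT/$net/rsa_key.priv" ]; then
    tincd -n "$net" -K4096
  fi
  systemctl enable --now "tinc@$net"
}

# usage (node B): install_tinc_scripts vpn0 10.10.10.14 10.10.10.0/24 192.168.10.0/24 10.10.10.1
#                 enable_tinc_node vpn0
```

ip route replace rather than ip route add keeps tinc-up re-runnable when tincd restarts with the route still present.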

Still no connectivity?

After the configuration above, node B can only reach the physical (LAN) address of the tinc node on the target network, which works without any of this anyway; machines that are not running tinc do not answer.
That is because the return route has not been configured yet: 192.168.10.94, say, receives a packet from 10.10.10.14 but has no idea how to send the reply back to 10.10.10.14.

[image: Pasted_image_20250816103015.png]

You could add that route on every host, but configuring each device separately does not scale.
Instead add one static route on the router: 10.10.10.0/24 via node A's LAN address (and likewise 192.168.17.0/24, if hosts behind node B are not masqueraded).
[image: Pasted_image_20250816102436.png]

Note how this interacts with the MASQUERADE rule on node A: traffic that is actually masqueraded leaves with node A's own LAN address as its source, so the LAN host replies to node A directly and needs no return route. The return route is for traffic that is not NATed, which with the rule above is everything except sources in 10.10.10.0/24. If a ping from 10.10.10.14 still fails with that rule in place, check that it is really matching (iptables -t nat -L POSTROUTING -v -n shows the packet counters) and that eth0 is node A's LAN interface.

With that, node B should be able to talk to any machine on 192.168.10.0/24. The TTLs in the replies below confirm the path: 63 from the router (one hop, node A) and 62 from 192.168.10.94, whose reply goes to the router first and then through node A.
ping 192.168.10.94
PING 192.168.10.94 (192.168.10.94) 56(84) bytes of data.
64 bytes from 192.168.10.94: icmp_seq=1 ttl=62 time=11.9 ms
64 bytes from 192.168.10.94: icmp_seq=2 ttl=62 time=9.43 ms
64 bytes from 192.168.10.94: icmp_seq=3 ttl=62 time=57.0 ms
64 bytes from 192.168.10.94: icmp_seq=4 ttl=62 time=86.8 ms
^C
--- 192.168.10.94 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 9.433/41.274/86.750/32.369 ms

ping 192.168.10.254
PING 192.168.10.254 (192.168.10.254) 56(84) bytes of data.
64 bytes from 192.168.10.254: icmp_seq=1 ttl=63 time=7.88 ms
64 bytes from 192.168.10.254: icmp_seq=2 ttl=63 time=6.88 ms
64 bytes from 192.168.10.254: icmp_seq=3 ttl=63 time=6.03 ms
64 bytes from 192.168.10.254: icmp_seq=4 ttl=63 time=12.4 ms
^C
--- 192.168.10.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 6.031/8.308/12.449/2.478 ms
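The three failure modes in this section (tunnel down, route missing on node B, no forwarding or no return route on the far side) each show up as a different set of pings answering, and the TTL says how many routers the reply crossed. The following triage script, an added example that is not part of the page, runs on node B and names the broken layer from those probes. It assumes the page's addresses (node A at 10.10.10.1 on the VPN, router 192.168.10.254, LAN host 192.168.10.94); node A's own LAN address is not given on the page, so it is a parameter.

```sh
#!/bin/sh
# Added example (not from the page): triage from node B. Assumed addresses are
# the page's: node A's VPN address 10.10.10.1, LAN gateway 192.168.10.254,
# 192.168.10.94 as an ordinary LAN host. Node A's LAN address is a parameter.

# Routers crossed by a ping reply, read from its ttl= field. Assumes the replying
# host starts at TTL 64 (Linux default): ttl=63 means one hop (node A), ttl=62
# means two (the LAN gateway, then node A), as the outputs above show.
reply_hops() {
  ttl=$(printf '%s\n' "$1" | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$ttl" ] || return 1
  echo $((64 - ttl))
}

# diagnose VPN LAN_ADDR GATEWAY HOST: each argument is a ping result (0 = replied).
# The probes are ordered so that the first failure names the layer that is broken.
diagnose() {
  if [ "$1" -ne 0 ]; then
    echo "tinc link down: node A's VPN address does not answer; check tincd on both ends and the hosts/ files"
  elif [ "$2" -ne 0 ]; then
    echo "tunnel up but node A's LAN address does not answer: the route to the remote LAN via 10.10.10.1 is missing on node B"
  elif [ "$3" -ne 0 ]; then
    echo "node A answers but nothing behind it does: check ip_forward and the FORWARD chain on node A, and the gateway's return route to the tunnel subnet"
  elif [ "$4" -ne 0 ]; then
    echo "gateway answers but the LAN host does not: that host uses another default gateway or filters the traffic; add a host route, or masquerade on node A"
  else
    echo "ok: cross-subnet path works end to end"
  fi
}

# probe ADDR: 0 if one ICMP echo is answered within 2 s (iputils ping: -W is seconds)
probe() {
  if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# run_triage VPN_ADDR NODE_A_LAN_ADDR GATEWAY LAN_HOST
run_triage() {
  diagnose "$(probe "$1")" "$(probe "$2")" "$(probe "$3")" "$(probe "$4")"
  line=$(ping -c 1 -W 2 "$4" 2>/dev/null | grep 'ttl=' || true)
  if [ -n "$line" ]; then
    echo "reply from $4 crossed $(reply_hops "$line") router(s)"
  fi
}

# usage: run_triage 10.10.10.1 <node A LAN address> 192.168.10.254 192.168.10.94
```

Pinging node A's LAN address is the useful middle probe: it needs the route on node B and the tunnel, but neither forwarding nor a return route, which is exactly the "only the tinc node itself answers" symptom described above.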