Secure Peer Networking with TINC


Spencer Krum, IBM

Jan 23rd, 2016



  • Who am I
  • What do I work on
  • github






  • I've wanted to give this talk for a long time
  • This is a talk about tinc
  • A little about consul

Tinc is a VPN



  • Mesh VPN
  • Different than point-to-point VPNs like OpenVPN

Tinc Fast Facts



  • Written in C
  • Started in 1998, first committed to src in 2000
  • Portable (*nix, Windows, Android, iOS incoming)
  • Daemon
  • 99% 2 Developers
  • freenode channel / mailing list / dev process
  • 15% link speed slowdown in the cloud
  • Port 655 in /etc/services

The Network



  • Use this with my friends / not prod lol
  • Bringing back the network / https as the only service sucks
  • University Network
  • LAN Parties
  • Services
  • Blurry line between workstation and server
  • we run it on laptops and home routers and the occasional rackmount gear

VPN & Network



  • this pic is generated every minute
  • Flat IP space
  • Daemon = node
  • Each daemon responsible for a subnet and an ip addr
  • Continually probes for most efficient routes
  • Re-routes around failures

VPN & Network



  • tinc has a concept of 'connect to'
  • Connections don't have to be reflexive
  • Network traffic is bidirectional regardless
  • These nodes are laptops or servers or home routers
  • basically comes down to which nodes have a known public ip
  • public/private keys

Getting Status

kill -USR2 $(pidof tincd); tail /var/log/syslog

  bkero to spencer at  weight 1538
  spencer to bkero at  weight 1538
End of edges.
Subnet list: owner spencer owner bkero
End of subnet list.


  • tinc uses signals to communicate
  • dumps to syslog by default

Getting Status (Improved)

curl -s -i
{
  "total_bytes_in": 115324,
  "total_bytes_out": 67990,
  "connections": [
    {
      "name": "bkero",
      "ip": "216.xx.xx.xx",
      "port": 4545
    }
  ]
}


  • go utility
  • run as a daemon, partially parses the log output
  • the motivation for me was to put it into my statusbar on my computer
  • 1.1 will bring a tinc info command, control socket
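The two status slides above describe the same idea: send tincd USR2, then parse the edge and subnet dump out of syslog into something structured. The following is an added example (not the go utility from the talk, and not tinc's own code) that does that in Python; the syslog prefix, the "at <host> port <n> options <x>" fields and the subnet lines are assumptions about tinc 1.0's dump layout, and the sample log is constructed. It also adds the check a mesh operator usually wants: which node names appear in the mesh that are not in the local hosts/ directory of trusted keys.

```python
import json
import re

# Constructed sample of what `kill -USR2 $(pidof tincd)` leaves in syslog.
# The third edge has a blank address, like the lines shown on the slide.
SAMPLE_SYSLOG = """\
Jan 23 20:01:02 laptop tinc.hackers[1234]: Edges:
Jan 23 20:01:02 laptop tinc.hackers[1234]:  bkero to spencer at 216.xx.xx.xx port 655 options 0 weight 1538
Jan 23 20:01:02 laptop tinc.hackers[1234]:  spencer to bkero at 10.0.0.2 port 655 options 0 weight 1538
Jan 23 20:01:02 laptop tinc.hackers[1234]:  spencer to mallory at  weight 1538
Jan 23 20:01:02 laptop tinc.hackers[1234]: End of edges.
Jan 23 20:01:02 laptop tinc.hackers[1234]: Subnet list:
Jan 23 20:01:02 laptop tinc.hackers[1234]:  10.0.0.1/32 owner spencer
Jan 23 20:01:02 laptop tinc.hackers[1234]:  10.0.0.2/32 owner bkero
Jan 23 20:01:02 laptop tinc.hackers[1234]: End of subnet list.
"""

# Edge line layout assumed from tinc 1.0; address/port/options are optional
# so that address-less lines (as on the slide) still parse.
EDGE_RE = re.compile(
    r"^\s*(?P<src>\S+) to (?P<dst>\S+) at (?P<addr>\S*)"
    r"(?: port (?P<port>\d+))?(?: options (?P<opts>\S+))?\s*weight (?P<weight>\d+)$")
SUBNET_RE = re.compile(r"^\s*(?P<subnet>\S+) owner (?P<owner>\S+)$")


def parse_dump(text):
    """Turn the syslog dump into the JSON-ish shape the status tool emits."""
    edges, subnets = [], []
    for line in text.splitlines():
        body = line.split("]: ", 1)[-1]   # drop the syslog prefix
        m = EDGE_RE.match(body)
        if m:
            edges.append({"from": m["src"], "to": m["dst"],
                          "addr": m["addr"] or None,
                          "port": int(m["port"]) if m["port"] else None,
                          "weight": int(m["weight"])})
            continue
        m = SUBNET_RE.match(body)
        if m:
            subnets.append({"subnet": m["subnet"], "owner": m["owner"]})
    return {"edges": edges, "subnets": subnets}


def unexpected_peers(status, known):
    """Node names present in the mesh but absent from the keys we trust locally."""
    seen = {e["from"] for e in status["edges"]} | {e["to"] for e in status["edges"]}
    seen |= {s["owner"] for s in status["subnets"]}
    return sorted(seen - set(known))


if __name__ == "__main__":
    status = parse_dump(SAMPLE_SYSLOG)
    print(json.dumps(status, indent=2))
    print("unexpected:", unexpected_peers(status, ["spencer", "bkero"]))
```

In a real deployment the known list is the file names under /etc/tinc/<net>/hosts/, and an unexpected name means another member has accepted a key you never saw.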

Now What



  • Apache
  • UPnP
  • VLC Streaming
  • StarCraft

A Problem Arises


  • You think it's dns at first, and we did
  • Solved it the way we thought we should, with hosts files
  • Briefly ran a bind server, that didn't scale
  • The problem is there isn't one admin domain, there are many
  • Even with domains solved, how would we say what protocols?
  • The need is for something mutable and highly available

The Requirements

Something mutable and highly available


  • mutable because many people need to modify it
  • highly available because nodes die all the time

Let's do something Hip



  • etcd is software from coreos
  • originally designed to store configs for docker because docker is write
  • sometimes referred to as a 'distributed lock manager'
  • raft consensus protocol
  • hierarchical key-value store
  • highly available, can be configured for n+2
  • start writing hostname -> ip mappings in it
  • working on a script to dump etcd keys and output a hosts file or something

Let's do something stupid



  • how many people know what libnss is
  • name service switcher
  • turns out you can write endpoints for the name service switcher
  • in c
  • someone writes a libnss-etcd, which basically just shells out to the etcdctl utility
  • dns is solved!

Let's do the hippest thing imaginable



  • consul was going to come back
  • turns out the janky c code to get in the way of dns lookups was built into consul
  • consul can respond for keys inside dns
  • consul can also do nagios-like healthchecks, to evaluate which services have died and which have not
  • these are hackers so services are going up and going down all the time


Neat Tricks



  • Can set DISPLAY= to run over a network
  • Useful combined with xpra (screen for X)

What's Next


Thank You


Spencer Krum