What is Tinc?

Tinc is a VPN client/server that's: 1) really easy to set up, 2) configurable as a mesh network. It works on FreeBSD, Windows, and Android.

Why run Tinc in a jail?

This is a personal choice. Apart from the security benefits of isolating applications in jails, a jail compartmentalises dependency installations and keeps the host OS at a minimal configuration. I remember my annual Windows spring cleaning, which starts with a refresh reinstall of Windows just to throw out all the unused/outdated apps.

Is configuring Tinc in a jail hard?

Not as much as I thought initially, and this article documents the relevant steps!

Assumptions

  1. Jails managed by iocage (py37-iocage)
  2. FreeBSD 12.2-RELEASE
  3. Some basic familiarity with iocage/jail configuration, especially vnets.

Create/ configure the jail

# create jail
sudo iocage create -r 12.2-RELEASE -n tincjail
# configure jail
sudo iocage set bpf=1 tincjail
sudo iocage set vnet=1 tincjail
sudo iocage set allow_tun=1 tincjail
sudo iocage set ip4_addr="vnet0|<your ip here>" tincjail
sudo iocage set defaultrouter="<your gateway ip here>" tincjail
# not necessary but good for testing networking
sudo iocage set allow_raw_sockets=1 tincjail
# add other config for your jail setup, e.g. vnet_default_interface

Configure Tinc

Tinc config on FreeBSD isn't much different from other OSes, and there's little value in duplicating information that's already available. I will however list a few resources I found useful:

  1. Redundant ethernet bridge with FreeBSD and tinc
  2. My Tinc setup after upgrading from FreeBSD 8.2 to 9.0
  3. How to Set up tinc, a Peer-to-Peer VPN

Common gotchas

(In log) Could not open /dev/tun0: No such file or directory

This is probably the most common error. Check the following:

  1. allow_tun is not set: see 'Create/ configure the jail' above.
  2. Wrong tun interface available: if you're running other VPN services (e.g. WireGuard) on the host, you just have to try another tunnel interface (e.g. tun1). My way of making tunnels predictable is to order jail startup (iocage: boot priority).

Script tinc-up exited with non-zero status 126

tinc-up needs to be made executable:

chmod +x tinc-up
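As an added example (not from the original post), here is a small POSIX sh pre-flight script that checks for both gotchas above from inside the jail: it reads tinc's own `Device =` setting from tinc.conf (assuming the key is written as `Device`, and falling back to /dev/tun0, the path in the log line above, when it is unset), confirms the device node exists, and confirms tinc-up has its execute bit. The function names and the optional `devroot` argument are my own; `devroot` only exists so the check can be exercised against a constructed directory instead of the real /dev.

```shell
#!/bin/sh
# Pre-flight check for a tinc network directory inside a FreeBSD jail.
# Covers the two gotchas above: a missing tun node and a non-executable tinc-up.
# Usage: tinc_preflight <netdir> [devroot]
#   netdir  - directory holding tinc.conf and tinc-up, e.g. /usr/local/etc/tinc/<netname>
#   devroot - where device nodes are looked up; defaults to /dev (testing knob, not a tinc option)

# Print the path from the "Device = ..." line of tinc.conf.
# Assumes the key is spelled "Device"; falls back to /dev/tun0 when unset.
tinc_device() {
    netdir=$1
    dev=$(awk -F= '$1 ~ /^[ \t]*Device[ \t]*$/ {
              gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' \
          "$netdir/tinc.conf" 2>/dev/null)
    printf '%s\n' "${dev:-/dev/tun0}"
}

# Check 1: the configured tun node exists (returns 1 when it does not).
check_tun_device() {
    netdir=$1; devroot=${2:-/dev}
    dev=$(tinc_device "$netdir")
    node="$devroot/${dev#/dev/}"   # /dev/tun1 -> $devroot/tun1
    if [ -e "$node" ]; then
        echo "ok: $dev is present"
        return 0
    fi
    echo "missing: $dev. Set allow_tun=1 on the jail, or point Device = at a free tunN." >&2
    return 1
}

# Check 2: tinc-up has the execute bit (otherwise tincd reports status 126).
check_tinc_up() {
    netdir=$1
    if [ -x "$netdir/tinc-up" ]; then
        echo "ok: tinc-up is executable"
        return 0
    fi
    echo "tinc-up is not executable. Run: chmod +x $netdir/tinc-up" >&2
    return 1
}

# Run both checks and report every problem, not just the first.
tinc_preflight() {
    rc=0
    check_tun_device "$1" "$2" || rc=1
    check_tinc_up "$1" || rc=1
    return $rc
}

if [ $# -gt 0 ]; then
    tinc_preflight "$@"
fi
```

Run it as `sh tinc-preflight.sh /usr/local/etc/tinc/<netname>` inside the jail; a non-zero exit means at least one of the two problems is present and the reason is printed on stderr.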

FAQs

Will Tinc work in jail without vnet?

Probably, though I do not recall being successful in earlier attempts. That may be due to lack of familiarity with jail properties (e.g. allow_tun). It should work.