tinc VPN on pfSense setup

I am typing this up mostly because there is very little information on the internet about setting this up on pfSense. The package has been present in the distribution for some time, and I'm hoping that wider knowledge of it may lead to more adoption and a better implementation in the future.

tinc is mostly useful as a site-to-site VPN rather than as a client-server connection. Its ideal use is connecting whole networks to each other over the internet rather than a single client to a main site.

tinc does this by creating a software 'mesh' between the participating networks, building its routing table on the fly from whichever connections are, or become, available over the internet.

Connections are authenticated using RSA public/private key pairs, so it has moderate security. Traffic between the networks after the initial connection can be encrypted with a cipher such as 'blowfish'.

Where it excels is that it can run alongside traditional VPNs such as IPsec, because its connection port number can be customised.

Anyhow, let us see how tinc can be set up on pfSense. We will do this with two sites: Router A, which has the public IP address 1.2.3.4, and Router B, which has the public IP address 6.7.8.9.

On Router A, go to 'Package / VPN Tinc Settings / Settings' and enter:

Name: tincSiteA

Local IP: 10.19.0.1

Local Subnet: 10.19.0.0/24

VPN Netmask: 255.0.0.0

Address Family: IPV4

Tick the 'Generate RSA Key Pair' checkbox.

Save.

Then click the Advanced Features button and fill in the fields as follows:

Extra Tinc Parameters:
Node=router
Port=1637
Cipher=blowfish
Digest=sha1

Extra Host Parameters:
Subnet=10.19.0.0/24#10

Click Save.

The 'Subnet=.....' lines are the most important setting here. Usually you will have one line with the same subnet you entered as 'Local Subnet' above, but any number of 'Subnet=' lines can be added here if you want to share more networks. Note that these lines go on the router where the network is actually located, to announce to the mesh that this router has that network present and available.

The '#10' is a priority indicator. If you have three sites and two of them announce the same subnet, the one with the lower priority number is the one that gets routed to when the mesh is established. If one of those sites becomes unavailable, the subnet will still be reachable through the other, with this priority deciding which is preferred.
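To make the priority behaviour concrete, here is an added example (my own code, not part of the original post or of tinc) that parses the 'Key=Value' lines of tinc host files and picks, for each announced subnet, the reachable node with the lowest weight. It assumes tinc's documented 'Subnet=cidr#weight' syntax with a default weight of 10 when the suffix is omitted, and it breaks equal-weight ties by node name (an assumption of this model, not something the post specifies). The host files are constructed to mirror Router A and Router B from the post plus a hypothetical third site 'tincSiteC' (placeholder address from TEST-NET-1) that announces a backup path to 10.38.0.0/24.

```python
"""Added example: resolve tinc Subnet= announcements by weight and show
failover when a node drops out. Not the post's or tinc's own code."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT_WEIGHT = 10  # tinc's default when the '#weight' suffix is omitted
_LINE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


@dataclass(frozen=True)
class SubnetClaim:
    network: ipaddress.IPv4Network
    weight: int
    node: str


@dataclass
class HostConfig:
    name: str
    address: Optional[str] = None
    port: Optional[int] = None
    subnets: List[SubnetClaim] = field(default_factory=list)


def parse_host_file(name: str, text: str) -> HostConfig:
    """Parse a tinc hosts/<name> file. Lines starting with '#' are comments;
    a '#' inside a Subnet= value is the weight separator, not a comment."""
    cfg = HostConfig(name=name)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"{name}: unparsable line {raw!r}")
        key, value = m.group(1).lower(), m.group(2)
        if key == "address":
            cfg.address = value
        elif key == "port":
            cfg.port = int(value)
        elif key == "subnet":
            cidr, _, weight = value.partition("#")
            # strict=True rejects host bits set in the prefix, e.g. 10.19.0.1/24
            net = ipaddress.IPv4Network(cidr, strict=True)
            cfg.subnets.append(
                SubnetClaim(net, int(weight) if weight else DEFAULT_WEIGHT, name))
    return cfg


def build_routes(hosts: List[HostConfig], reachable: Set[str]) -> Dict[str, str]:
    """For every announced subnet return {cidr: node}, choosing among the
    currently reachable nodes the one with the lowest weight (lower wins)."""
    best: Dict[ipaddress.IPv4Network, SubnetClaim] = {}
    for h in hosts:
        if h.name not in reachable:
            continue
        for c in h.subnets:
            cur = best.get(c.network)
            if cur is None or (c.weight, c.node) < (cur.weight, cur.node):
                best[c.network] = c
    return {str(n): c.node for n, c in best.items()}


def port_mismatches(hosts: List[HostConfig]) -> List[str]:
    """Names of hosts whose Port= differs from the first host's; every site
    must agree on the port that is opened on the WAN firewall."""
    ports = [h.port for h in hosts if h.port is not None]
    return [h.name for h in hosts if h.port is not None and h.port != ports[0]]


# Constructed host files mirroring the post's two sites plus a hypothetical third.
SITE_A = "# constructed: hosts/tincSiteA\nAddress=1.2.3.4\nPort=1637\nSubnet=10.19.0.0/24#10\n"
SITE_B = "# constructed: hosts/tincSiteB\nAddress=6.7.8.9\nPort=1637\nSubnet=10.38.0.0/24#10\n"
SITE_C = ("# hypothetical third site, placeholder address (TEST-NET-1)\n"
          "Address=192.0.2.10\nPort=1637\n"
          "Subnet=10.38.0.0/24#20\n"   # backup path, loses to Site B's #10
          "Subnet=10.57.0.0/24\n")     # no suffix: default weight 10


def demo():
    hosts = [parse_host_file(n, t) for n, t in
             (("tincSiteA", SITE_A), ("tincSiteB", SITE_B), ("tincSiteC", SITE_C))]
    all_up = build_routes(hosts, {"tincSiteA", "tincSiteB", "tincSiteC"})
    b_down = build_routes(hosts, {"tincSiteA", "tincSiteC"})
    return all_up, b_down, port_mismatches(hosts)


if __name__ == "__main__":
    up, down, bad = demo()
    print("all sites up:  ", up)
    print("site B down:   ", down)
    print("port mismatch: ", bad)
```

With every site up, 10.38.0.0/24 is routed via tincSiteB (#10 beats #20); once tincSiteB drops out of the reachable set, the same subnet is routed via tincSiteC, which is exactly the failover the '#' weight is meant to provide.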

On Router B, go to 'Package / VPN Tinc Settings / Settings' and enter:

Name: tincSiteB

Local IP: 10.38.0.1

Local Subnet: 10.38.0.0/24

VPN Netmask: 255.0.0.0

Address Family: IPV4

Tick the 'Generate RSA Key Pair' checkbox.

Save.

Then click the Advanced Features button and fill in the fields as follows:

Extra Tinc Parameters:
Node=router
Port=1637
Cipher=blowfish
Digest=sha1

Extra Host Parameters:
Subnet=10.38.0.0/24#10

Click Save.

After this is done, click the 'Hosts' tab and select '+Add'. On the new page, enter the following on Router A:

Name: tincSiteB

Address: 6.7.8.9

Subnet: 10.38.0.0/24

RSA Public Key: <Copied from Router B public key>

Click Save.

On Router B:

Name: tincSiteA

Address: 1.2.3.4

Subnet: 10.19.0.0/24

RSA Public Key: <Copied from Router A public key>

Click Save.

Finally, you will have to add a WAN firewall rule permitting port 1637 (or whatever port you chose) on both routers. After that, go to Status / Tinc VPN and you should see the connection details between your two sites as well as the subnets being shared.