tinc: A Decentralized VPN Daemon

Overview

tinc is an open-source virtual private network (VPN) daemon that creates a secure, private network between hosts on the internet using tunneling and encryption technologies. It is free software licensed under the GNU General Public License version 2 or later.

Since tinc behaves as a standard network device at the IP network layer, existing software requires no modifications to work with it. This allows nodes within the VPN to securely share information over the internet without exposing data to external parties.

Latest stable version: 1.0.36
Latest pre-release version (1.1 branch): 1.1pre18

Core Features and Advantages

1. Full Encryption, Authentication, and Compression

• Secure Communication: All traffic is strongly encrypted using the LibreSSL or OpenSSL libraries, with message authentication codes and sequence numbers ensuring data integrity and protection against tampering.
• Traffic Compression: Optional compression using zlib or LZO improves bandwidth efficiency, particularly beneficial on low-speed connections.

2. Automatic Full Mesh Routing

• Point-to-Point Direct Connections: Regardless of how initial connections between tinc daemons are configured, VPN traffic always attempts to be sent directly from the source node to the destination node, bypassing intermediate nodes.
• Reduced Latency and Load: This design reduces hop count, lowers network latency, and avoids bandwidth bottlenecks and single points of failure at central nodes.

3. Robust NAT Traversal

• Simplified Deployment: As long as at least one node in the VPN has a public IP address (even dynamic) and allows inbound connections, tinc can traverse NAT, enabling direct communication between nodes behind different NATs.
• No Central Server Needed: Greatly reduces the complexity of building geographically dispersed private networks, eliminating the need for port forwarding on all nodes or reliance on centralized VPN servers.

4. Scalable Network Architecture

• Seamless Node Addition: Adding a new node to an existing VPN requires only creating a new configuration file and starting the tinc daemon on the new node. No restart of existing nodes or reconfiguration of network interfaces is necessary.
• Flexible Topology: Supports any topology, including star, mesh, or hybrid networks, configurable according to requirements.

5. Ethernet Bridging Capability

• Layer-2 Network Extension: Can bridge multiple physically isolated Ethernet segments, making them function logically as a single local area network (LAN).
• Support for Advanced Applications: Enables applications and games typically restricted to LAN environments to run over the internet via tinc VPN, such as network broadcasts, Windows Network Neighborhood, and multicast-dependent software.

6. Excellent Cross-Platform Compatibility

• Multi-OS Support: Supports numerous operating systems, including macOS (OS X), Linux, FreeBSD, OpenBSD, NetBSD, Solaris, and Windows (2000, XP, Vista, 7, 8, 10, 11).
• Full IPv6 Support: Fully compatible with IPv6, deployable in pure IPv4, pure IPv6, or dual-stack network environments.

Recent Updates (Highlights of 1.1pre18)

The latest pre-release version 1.1pre18 introduces several improvements and fixes:

• Connection Checks: Validates all Address declarations when establishing outbound connections.
• Enhanced Invitation Mechanism: Allows more variables to be safely used in invitation functionality, and enables tinc --force join to accept all variables from an invitation.
• Cross-Platform Improvements:
  • Ensures that the stop command works properly on Windows even when tincd is running in the foreground.
  • Handles DOS line endings in invitation files.
  • Generates tinc-up.bat scripts on Windows.
• Stability and Performance Optimization:
  • Prevents continuous sending of large numbers of UDP probe packets.
  • Makes more persistent attempts to reconnect with unreachable nodes.
  • Fixes a potential infinite loop issue when adding Subnets to a running tincd.
• Advanced Feature: Allows passing tun/tap file descriptors via UNIX Socket.
• BSD System Optimization: Uses auto-cloned tun/tap devices by default on FreeBSD and DragonFlyBSD.

Conclusion

tinc is a powerful, flexible, and forward-thinking VPN solution, especially suitable for users who need to build decentralized, scalable, point-to-point private networks. Its full mesh routing, robust NAT traversal, and Ethernet bridging capabilities make it ideal for connecting distributed servers, setting up private game servers, remote home network access, or creating secure office networks. For macOS users, it offers a stable, command-line-driven enterprise-grade tool for constructing VPNs.