
VPN

:warning: This service will change during TPA-RFC-73: Tails infra merge roadmap and this page should be updated when that happens.

We're using a VPN between our different machines to interconnect them. This is especially important for machines that host VMs without public IPs, as this may be the most practical way of communicating with other systems.

:warning: this documentation does not take into account the changes done in puppet-tails commit da321073230f1feb3076d4296d6ab73f70cbca4f and friends.

Installation

Once you have installed the system on a new machine, you will need to set up the VPN on it by hand, right before you can go on with the Puppet client setup and first run.

  1. On the new system, install tinc:

    apt-get install tinc
    
  2. Generate the RSA key pair for this host:

    export VPN_NAME=tailsvpn
    export VPN_HOSTNAME=$(hostname)
    mkdir -p /etc/tinc/$VPN_NAME/hosts
    tincd -n $VPN_NAME -K4096
    
  3. Mark the VPN as autostarting:

    echo "$VPN_NAME" >> /etc/tinc/nets.boot
    systemctl enable tinc@tailsvpn.service
    
  4. Create a new host configuration file in Puppet (site/profile/files/tails/vpn/tailsvpn/hosts/$VPN_HOSTNAME). Use an existing one as a template: you only need to change the Address field, the Subnet field, and paste in this host's RSA public key.

  5. Make sure that the node includes the profile::tails::vpn::instance class. Note that this profile is already included by the role::tails::physical class.

  6. Run the Puppet agent.

  7. Restart the tinc@tailsvpn service:

    systemctl restart tinc@tailsvpn
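The host file from step 4 is the one piece of this procedure that is hand-written, so it is worth checking before it is committed to Puppet. The following script is an added example, not part of this page or of puppet-tails: it renders a tinc host file from an Address, a Subnet and the public key file, and checks that the result has exactly one Address and one Subnet line (in CIDR form), an RSA public key block, and no private key material. The file names, the 192.0.2.0/24 and 10.0.0.0/8 addresses, and the public key string are constructed placeholders; a real key comes from the `tincd -K4096` run in step 2.

```shell
#!/bin/sh
# Added example (not from the Tails/TPA page or the puppet-tails repository):
# render and sanity-check the tinc host file that step 4 asks you to add to
# Puppet under site/profile/files/tails/vpn/tailsvpn/hosts/$VPN_HOSTNAME.
set -eu

# render_tinc_host ADDRESS SUBNET PUBKEY_FILE
# Prints a tinc host file: the public address peers connect to, the VPN
# subnet this node announces, and the node's RSA public key.
render_tinc_host() {
    address=$1
    subnet=$2
    pubkey_file=$3
    printf 'Address = %s\n' "$address"
    printf 'Subnet = %s\n' "$subnet"
    cat "$pubkey_file"
}

# check_tinc_host FILE
# Returns 0 when FILE has exactly one Address line, exactly one Subnet line
# in IPv4 CIDR form and an RSA public key block, and contains no private
# key; returns 1 otherwise.
check_tinc_host() {
    f=$1
    [ "$(grep -c '^Address = ' "$f")" -eq 1 ] || return 1
    [ "$(grep -c '^Subnet = ' "$f")" -eq 1 ] || return 1
    grep -Eq '^Subnet = ([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' "$f" || return 1
    grep -q '^-----BEGIN RSA PUBLIC KEY-----$' "$f" || return 1
    grep -q '^-----END RSA PUBLIC KEY-----$' "$f" || return 1
    # Only the public half belongs in Puppet; the private key stays on the host.
    if grep -q 'PRIVATE KEY' "$f"; then
        return 1
    fi
    return 0
}

# Constructed placeholder key, not a real tinc key.
SAMPLE_PUBKEY='-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAexampleexampleexampleexampleexampleexampleexampleexam
-----END RSA PUBLIC KEY-----'

# Demo with constructed values: public address 192.0.2.10, VPN address
# 10.0.0.10/32, public key read from a temporary file.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$workdir/rsa_key.pub"
render_tinc_host 192.0.2.10 10.0.0.10/32 "$workdir/rsa_key.pub" > "$workdir/newhost"
if check_tinc_host "$workdir/newhost"; then
    echo "host file OK: $workdir/newhost"
else
    echo "host file REJECTED: $workdir/newhost" >&2
fi
```

Run it once with the real values before copying the output into the Puppet hosts directory; the check refuses a file that lacks the CIDR mask on the Subnet line or that has the private key pasted in by mistake.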