Tinc: use TUN instead of TAP

95e3e5bf · drebs · 9aba79ec · 95e3e5bf · 95e3e5bf · 95e3e5bf
Commit 95e3e5bf authored Jul 29, 2021 by drebs
--- a/profile/lib/facter/tinc_pubkey.rb
+++ b/profile/lib/facter/tinc_pubkey.rb
 Facter.add(:tinc_pubkey) do
  setcode do
    begin
-      File.read('/etc/tinc/tap0/rsa_key.pub')
+      File.read('/etc/tinc/tun0/rsa_key.pub')
    rescue Errno::ENOENT
      ''
    end

--- a/profile/manifests/tinc.pp
+++ b/profile/manifests/tinc.pp
 # Configure a VPN using tinc in switch mode
 class profile::tinc (
-  String $netname = 'tap0',
+  String $netname = 'tun0',
  Array[String] $connect_to = [],
  Optional[String] $ip = undef,
  Optional[String] $route = undef,
@@ -36,6 +36,7 @@ class profile::tinc (
    tinc_name  => $tinc_name,
    netname    => $netname,
    config_dir => $config_dir,
+    ip         => $ip,
  } ~> Service["tinc@${netname}"]
  file { "${config_dir}/tinc.conf":
@@ -44,8 +45,9 @@ class profile::tinc (
    owner   => root,
    group   => root,
    content => epp('profile/tinc/tinc.conf.epp', {
-      'name'       => $tinc_name,
+      name       => $tinc_name,
-      'connect_to' => $connect_to,
+      connect_to => $connect_to,
+      interface  => $netname,
    }),
    require => File[$config_dir],
  } ~> Service["tinc@${netname}"]
@@ -55,10 +57,7 @@ class profile::tinc (
    mode    => '0755',
    owner   => root,
    group   => root,
-    content => epp('profile/tinc/tinc-up.epp', {
+    content => epp('profile/tinc/tinc-up.epp', { ip => $ip }),
-      ip    => $ip,
-      route => $route,
-    }),
    require => File[$config_dir],
  } ~> Service["tinc@${netname}"]

--- a/profile/manifests/tinc/firewall.pp
+++ b/profile/manifests/tinc/firewall.pp
 # Firewall configurations for Tinc
 class profile::tinc::firewall (
-  String $netname = 'tap0',
+  String $netname = 'tun0',
  Enum['client', 'server'] $type = 'client',
  String $client_ip = $facts['networking']['ip'],
 ) {

--- a/profile/manifests/tinc/hosts.pp
+++ b/profile/manifests/tinc/hosts.pp
@@ -2,8 +2,9 @@
 class profile::tinc::hosts (
  String $tinc_name = regsubst($trusted['certname'], '[^[a-zA-Z0-9]]', '_', 'G'),
  String $address = $facts['networking']['ip'],
-  String $netname = 'tap0',
+  String $netname = 'tun0',
  Stdlib::Absolutepath $config_dir = "/etc/tinc/${netname}",
+  Optional[String] $ip = undef,
 ) {
  #
@@ -48,6 +49,7 @@ class profile::tinc::hosts (
    group   => root,
    content => epp('profile/tinc/host.epp', {
      address => $address,
+      ip      => $ip,
      pubkey  => $pubkey,
    }),
    tag     => [ 'tinc_host_file', $tag_netname, $tag_environment ],

--- a/profile/templates/tinc/host.epp
+++ b/profile/templates/tinc/host.epp
-<%- | String[1] $address, String $pubkey | -%>
+<%- | String[1] $address, Optional[String] $ip, String $pubkey | -%>
 Address = <%= $address %>
+<%- unless $ip =~ Undef { -%>
+Subnet = <%= $ip %>/32
+<%- } %>
 <%= $pubkey -%>
--- a/profile/templates/tinc/tinc-up.epp
+++ b/profile/templates/tinc/tinc-up.epp
-<%- |
+<%- | Optional[String] $ip = undef | -%>
-  Optional[String] $ip = undef,
-  Optional[String] $route = undef
-| -%>
 #!/bin/sh
 ip link set $INTERFACE up
 <%- unless $ip =~ Undef { -%>
-ip addr add <%= $ip %>/32 dev $INTERFACE
+ip addr add <%= $ip %>/24 dev $INTERFACE
-<%- } -%>
-<%- unless $route =~ Undef { -%>
-ip route add <%= $route %> dev $INTERFACE
 <%- } -%>
--- a/profile/templates/tinc/tinc.conf.epp
+++ b/profile/templates/tinc/tinc.conf.epp
 <%- |
-  String[1]         $name,
+  String            $name,
  Integer[1, 65535] $port       = 655,
-  Array[String]     $connect_to = []
+  Array[String]     $connect_to = [],
+  String $interface,
 | -%>
 Name = <%= $name %>
 AddressFamily = any
@@ -12,8 +13,8 @@ Compression = 0
 ConnectTo = <%= $address %>
 <%   } -%>
 <% } -%>
-DeviceType = tap
+DeviceType = tun
 Digest = SHA512
-Interface = tap0
+Interface = <%= $interface %>
-Mode = switch
+Mode = router
 Port = <%= $port %>