5G Hotspots and Tinc

by byeman

In February 2021, I was one of millions of Texans who fell victim to their state government's zeal to put profit over people and spent a week in below-freezing weather without power or water.  Once the power did finally come back on, I was still without Internet access for nearly a week.  I was in the dark now figuratively as our local cable and Internet monopoly doesn't provide information about outages or repairs.  It's also their policy not to refund fees customers paid for days they had no service.  And, on top of all of this, they had coincidentally increased my monthly bill by 25 percent without warning or explanation.

I had had enough.

I discovered that I live line-of-sight to a T-Mobile 5G tower and they offered home Internet for $50 a month with autopay.  I signed up and a few days later my silver "trash can" arrived at the doorstep: a Nokia 5G21.  I plugged it in and was online in minutes with speeds that rivaled that of my cable company.

Then reality hit.

I have a Raspberry Pi that I use as a Linux server at home.  It hosts my Nextcloud instance along with various other things.  The 5G router doesn't give the user any control over much of anything.  I can change my SSID and password, and that's about it.  No port forwarding meant no accessing my server from outside the house.

Or did it?

I knew there had to be a solution and, like any good hacker, I found it.  All I needed was a server outside of the house.  I already had a Virtual Private Server (VPS) with vultr.com and, at $5 a month, wasn't exactly going to break the bank.  And besides, I was itching to give the finger to my cable company.

Here's the idea.  Create a peer-to-peer Virtual Private Network (VPN), putting my Raspberry Pi on the same subnet as my external VPS.  Using a reverse proxy, I could access my Pi from anywhere in the world.

Enter Tinc

Tinc is a VPN daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet.  The setup involves a lot of steps, but don't let this stop you.

This tutorial assumes you're comfortable using the Linux command line interface and have Sudo rights to all machines involved.  I will not discuss how to modify your DNS records or set up a reverse proxy.  There are plenty of resources out there to help you.

Please do not confuse VPS with VPN.  They are two completely different things.  My VPS is a server I pay a monthly fee to use that sits in a server room somewhere.  A VPN is what we're about to create.

Many articles like this include a tongue-in-cheek disclaimer about being for informational purposes only.  I won't do that.  But remember, T-Mobile cripples their routers for a reason.  Someone could host a popular high-bandwidth site and ruin it for the rest of us.  My server is just for me and I'm willing to bet I use less bandwidth in a month than I use watching a single episode of Stranger Things.

Installing and Configuring Tinc

1.)  Plan out your naming and IP addresses.  Seriously, write them down on a notepad because when you're in the middle of setting this up, you're going to get confused.

2.)  Get the IP address of your VPS.  I don't want to publish my IP address, nor do I want to publish anyone else's.  For these reasons, I'll use the make-believe and invalid IP address of 123.456.78.90 in my examples.

3.)  Decide on the name of your VPN.  I decided to use vpn.

4.)  Pick a name for the node hosted on your VPS.  I picked cloud and assigned it an internal IP address of 10.0.0.1.

5.)  I called my Raspberry Pi home and assigned it 10.0.0.2.

Your notepad should have scribbly notes that look like this:

Server        Name    External IP      Internal IP
VPS           cloud   123.456.78.90    10.0.0.1
Raspberry Pi  home    N/A              10.0.0.2

Preparing the Hosts

1.)  Install Tinc on both machines.  If you're using a Debian-based Linux distro, simply type:

$ sudo apt install -y tinc

2.)  Create the file structure on both machines.  Remember, I decided to call my VPN simply vpn:

$ sudo mkdir -p /etc/tinc/vpn/hosts

In that path, vpn is the name of my network and hosts will contain information about the hosts.

Start by Setting Up Tinc on the VPS

In the end you're going to set up both servers, so it doesn't matter which one you start with.  I like to start with the VPS because it's the common denominator.  Any additional computers will talk to the VPS.

Up and Down Files

Tinc needs these two files to set up and take down the virtual network device.  A word of caution and a mistake I made: My VPN didn't work the first time I tried this.

During my troubleshooting, I was running these two files and questioning the value of $INTERFACE.  Don't do that, it won't work.  Neither is intended to be run by anything or anyone except Tinc.

Using your favorite text editor and Sudo access, create two files: tinc-down and tinc-up in /etc/tinc/vpn.

tinc-down:

#!/bin/sh
ifconfig $INTERFACE down

tinc-up:

#!/bin/sh
ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0

In your tinc-up file, the internal IP address is the one you assigned in your scribbly notes.

Config File

Again, using a text editor and Sudo access, create a file called tinc.conf in /etc/tinc/vpn.

Name = cloud
AddressFamily = ipv4
Interface = tun0
Mode = switch

RSA Key Pair

Tinc is secure, and this security is thanks to the RSA key pair you'll now generate.  Make sure you're in /etc/tinc/vpn and execute: tincd -c . -K

This will generate the keys and ask you where to store them.  Choose the default locations.

Edit the Hosts File

The above step created a file called hosts/cloud.

Edit that file and add your external VPS IP address and subnet.  Your file should look something like this now:

Address = 123.456.78.90
Subnet = 10.0.0.1/32
-----BEGIN RSA PUBLIC KEY-----
YOUR KEY WILL APPEAR HERE
-----END RSA PUBLIC KEY-----

Now Set Up Your Local Server

The process is almost exactly the same with a few small differences.

1.)  /etc/tinc/vpn/tinc.conf should reflect the name you assigned in your scribbly notes.  Instead of Name = cloud it should be Name = home.

2.)  After creating your key pair, you'll need to modify the hosts file /etc/tinc/vpn/hosts/home adding the subnet and mask in CIDR format Subnet = 10.0.0.2/32 to the top of the file.

You can create as many servers as you like, or rather, as many until you run out of IP addresses.  Just remember to assign a unique address to each one.

You can also create as many networks as you like.  We used vpn as the name for this one.  Name your next one after your dog.  Your third one after your first born.  It doesn't matter, just know you can do it.

Share Your Hosts Files

The /etc/tinc/vpn/hosts directories should contain the same files on all servers.  In our case, you'll need to copy /etc/tinc/vpn/hosts/cloud to your Raspberry Pi and /etc/tinc/vpn/hosts/home to your VPS.  If you have a third server, yes, share that file too.

Start Them Up

On both systems, enter the following command: sudo tincd -D -n vpn

You'll now need to open a second shell window on both computers to check things out.

Check if the new network interfaces appear: ifconfig

You should see a new device called: tun0:

Now see if you can ping.  From your VPS, type: ping 10.0.0.2

Check it the other way too.  From your Raspberry Pi, type: ping 10.0.0.1

Now for the real test.  Log in to one of the systems.  From your VPS, type: ssh pi@10.0.0.2

If all went well, you should now have an SSH connection over your own VPN.  Good job.

What if it doesn't work?  Well, I could document a hundred things that could go wrong and yours would be the 101st.  Pay close attention to the netmasks.  That's where I went wrong.  Make sure your IP addresses are unique.  Check for typos.  Did you type vnp instead of vpn?
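
A preflight check for the mistakes listed above (mismatched names, duplicate addresses), plus two that are easy to miss: tinc-up/tinc-down scripts that are not executable and a private key that other users can read.  This is an added example, not part of the original article; tinc_preflight, val and make_sample are names made up here, the sample tree is constructed, and ConnectTo is a tinc.conf option the article does not use.

```sh
#!/bin/sh
# Preflight for one tinc network directory, e.g. /etc/tinc/vpn.
# Prints one line per problem; the return status is the number of problems.
val() { k=$1; shift; sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$@" 2>/dev/null || :; }

tinc_preflight() {
    dir=$1; problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
    # Name in tinc.conf must match a file in hosts/ (catches vnp-style typos)
    name=$(val Name "$dir/tinc.conf")
    [ -n "$name" ] && [ -f "$dir/hosts/$name" ] || fail "no hosts file for Name '$name'"

    # tincd executes these itself, so they must exist and be executable
    for s in tinc-up tinc-down; do
        [ -x "$dir/$s" ] || fail "$s missing or not executable"
    done

    # Private key: owner-only, and never inside hosts/, which gets copied around
    case $(ls -l "$dir/rsa_key.priv" 2>/dev/null) in
        -???------*) ;;
        *) fail "rsa_key.priv missing or accessible to group/other" ;;
    esac
    if grep -q 'PRIVATE KEY' "$dir"/hosts/* 2>/dev/null; then
        fail "a file in hosts/ contains a private key"
    fi

    # Every node needs its own Subnet
    dup=$(val Subnet "$dir"/hosts/* | sort | uniq -d)
    [ -z "$dup" ] || fail "duplicate Subnet: $dup"

    # ConnectTo (not shown in the article): the peer's hosts file needs an Address
    for peer in $(val ConnectTo "$dir/tinc.conf"); do
        [ -n "$(val Address "$dir/hosts/$peer")" ] || fail "hosts/$peer has no Address"
    done
    return "$problems"
}

# Constructed sample: the article's "home" node with two deliberate mistakes
make_sample() {
    d=$(mktemp -d); mkdir "$d/hosts"
    printf 'Name = home\nConnectTo = cloud\nMode = switch\n' > "$d/tinc.conf"
    printf 'Subnet = 10.0.0.2/32\n' > "$d/hosts/home"
    printf 'Address = 123.456.78.90\nSubnet = 10.0.0.2/32\n' > "$d/hosts/cloud"  # duplicate IP
    printf '#!/bin/sh\nifconfig $INTERFACE down\n' > "$d/tinc-down"
    cp "$d/tinc-down" "$d/tinc-up"; chmod 755 "$d/tinc-down"                   # tinc-up not +x
    echo placeholder > "$d/rsa_key.priv"; chmod 600 "$d/rsa_key.priv"
    echo "$d"
}
tinc_preflight "$(make_sample)" || echo "problems found: $?"
```

Run it as tinc_preflight /etc/tinc/vpn on each machine; a return status of 0 means none of these problems were found.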

What's Next?

Using your favorite web server software, you can set up a reverse proxy on your VPS allowing outside access to your server inside your home on your 5G router.  But that's not all.  You can SSH, SFTP, SCP, really anything.

Oh, and you'll want this to start up automatically:

$ sudo systemctl start tinc@vpn
$ sudo systemctl enable tinc@vpn

Good luck and happy hacking!
