BREAKING: USPS slashes address verification to 60 addresses/hour. What now?
Smarty
RecommendedPinpoint 2025: Day 1 recapNovember 28, 2025What to look for in an address data solution: Ease of implementation November 19, 2025What to look for in an address data solution: Quality of support November 17, 2025

How to setup a tinc VPN

Smarty header pin graphic
Updated October 29, 2025
Tags
Operations blog tagOperationsProgramming blog tagProgrammingTesting blog tagTestingTechnical support blog tagTechnical support
Smarty header pin graphic

I was given the task of setting up a tinc VPN so that we could test performance for comparison against other VPN systems. This task took much longer than it should have. For that reason, I am making this post to help me and others remember how to do it again in the future.

Installing tinc is straightforward enough. You can download the latest release and build it or install it from your favorite package manager.

The configuration for tinc lives in /etc/tinc. The configuration is what seems to be the hard part of getting tinc to work.

Here is what my final directory structure looked like:

/etc
	/smartynet
		/hosts
			master
			client
		rsa_key.priv
		tinc-down
		tinc-up
		tinc.conf

For this testing setup, I used two hosts. One of them I called master , and the other I called client. It is good to keep in mind that tinc uses a peer-to-peer model, not client/server.

To do the configuration, you will need to be root or at least use sudo for elevated privileges in order to work in the /etc directory.

Step 1

Setup the directory structure on both machines:

# mkdir -p /etc/tinc/smartynet/hosts/

Step 2

Create the /etc/tinc/smartynet/tinc.conf file on both machines.

# ------- master -------
Name = master
Device = /dev/net/tun

# ------- client -------
Name = client
Device = /dev/net/tun
ConnectTo = master

Note: ConnectTo is optional. If this field is not specified, tinc will still listen for connections but will not try to connect to any other node.

Step 3

Create the public and private keypair on both machines:

# tincd -n smartynet -K

This command will create the keys and put them in the following files for you:

/etc/tinc/smartynet/rsa_key.priv
/etc/tinc/smartynet/hosts/master # on the master host
-- or --
/etc/tinc/smartynet/hosts/client # on the client host

Step 4

Add host addresses to the host files that tinc created:

# ------- master -------
# /etc/tinc/smartynet/hosts/master
Address = 198.198.198.198
Subnet = 10.0.7.1/32
# Public key goes below here

# ------- client -------
# /etc/tinc/smartynet/hosts/client
Subnet = 10.0.7.2/32
# Public key goes below here

Note: The Address in the master host file should be the public address of the host machine.

Step 5

Copy host files to the other hosts.

From the master you will copy the /etc/tinc/smartynet/hosts/master file to the client machine, and put it in exactly the same location: /etc/tinc/smartynet/hosts/master.

From the client you will copy the /etc/tinc/smartynet/hosts/client file to the master machine, and put it in exactly the same location: /etc/tinc/smartynet/hosts/client.

Note: Make sure to copy the entire contents of the host files, including the public key that tinc put in them.

Step 6

Create network interface control scripts. There are two files I used that react when tinc switches from online to offline. The files are nearly identical on both hosts, except for the interface address.

# /etc/tinc/smartynet/tinc-up
ifconfig $INTERFACE 10.0.7.1 netmask 255.255.255.0

# /etc/tinc/smartynet/tinc-down
ifconfig $INTERFACE down

Note: remember to change the IP address in the tinc-up script to match the address found in the host file.

Once the interface control scripts are created, change their mode to be executable:

# chmod u+x /etc/tinc/smartynet/tinc-*

Step 7

Start the VPN.

One thing you may need to do before running the VPN is to disable any firewall, or even take the time to punch a hole in it specifically for VPN traffic. I just disabled ufw while I was testing. The VPN did not work for me while the firewall was on.

# ufw disable

You may now commence primary ignition on both hosts:

# tincd -n smartynet -d3

Note: The optional -d switch sets the debug level.

The tinc VPN should now be running. You should be able to run ifconfig and see the new interface that was created for the VPN traffic. You should also be able to ping and even ssh from one host to the other using the private IP addresses that you chose.

For reference, here are all of the files I used for both hosts:

------- files on master -------

======= /etc/tinc/smartynet/tinc.conf =======
Name = master
Device = /dev/net/tun

======= /etc/tinc/smartynet/tinc-up =======
ifconfig $INTERFACE 10.0.7.1 netmask 255.255.255.0

======= /etc/tinc/smartynet/tinc-down =======
ifconfig $INTERFACE down

======= /etc/tinc/smartynet/hosts/master =======
Address = 198.198.198.198
Subnet = 10.0.7.1/32

-----BEGIN RSA PUBLIC KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PUBLIC KEY-----

======= /etc/tinc/smartynet/hosts/client =======
Subnet = 10.0.7.2/32

-----BEGIN RSA PUBLIC KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PUBLIC KEY-----

------- files on client -------

======= /etc/tinc/smartynet/tinc.conf =======
Name = client
Device = /dev/net/tun
ConnectTo = master

======= /etc/tinc/smartynet/tinc-up =======
ifconfig $INTERFACE 10.0.7.2 netmask 255.255.255.0

======= /etc/tinc/smartynet/tinc-down =======
ifconfig $INTERFACE down

======= /etc/tinc/smartynet/hosts/master =======
Address = 198.198.198.198
Subnet = 10.0.7.1/32

-----BEGIN RSA PUBLIC KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PUBLIC KEY-----

======= /etc/tinc/smartynet/hosts/client =======
Subnet = 10.0.7.2/32

-----BEGIN RSA PUBLIC KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PUBLIC KEY-----

Take a look at the official tinc manual for many more details on how to use this tool.

Subscribe to our blog!
Learn more about RSS feeds here.
Read our 5 address validation use cases ebook now
Read our recent posts
Christmas traditions around Smarty
Arrow Icon
Around the world, people celebrate Christmas in all kinds of ways. In Iceland, it’s tradition to read books by candlelight on Christmas Eve. Christmas firework shows are a staple in El Salvador. Families in Australia often spend Christmas Day playing cricket. At Smarty, we keep the season bright with a few traditions of our own. From wacky holiday decorating to gingerbread house competitions, we love taking the holidays to the next level. So stick around; things are about to get festive. Our favorite Christmas traditions are:Seasonal service projectsUpside-down holiday decorUgly Sweater DayThe Great Gingerbread House Bake OffAddy the Address ElfYuletide karaokeLetters to SantaGift-wrapping extravaganzaSeasonal service projectsWe like to celebrate the season of giving by giving back! This year, we participated in United Way's Sub for Santa program, where families—or Smartys 😉—sub in for Santa by donating gifts to local families in need.
Accessibility best practices at Smarty
Arrow Icon
An enterprise-level customer of Smarty’s recently shared how impressed they were with our accessibility-first approach, inquiring about how we designed our tools to function in a way that feels equitable and usable for everyone. At Smarty, one of our core values is outwardness — seeing people as people, not objects or caricatures. Every person who interacts with our tools has their own needs, wants, and objectives, and accessibility is one of the most meaningful ways we connect with people - an area we’re striving to improve.
Introducing Smarty’s mascot… Hermes?
Arrow Icon
Greek gods, as it turns out, have a lot to say to the mortals on Earth and the souls in Hades. What they don’t have is time to travel from Olympus all the way to Earth or Hades just to tell a mere mortal to perform 12 labors… or eat a magical herb… or free Odysseus. That’s why the gods have a personal messenger: Hermes. Equipped with winged sandals, Hermes travels between Olympus, Earth, and the underworld with lightning speed (Get it? Lightning? Because his dad is Zeus? 🤣)Smarty also knows a thing or two about outrageous speed, and that’s not where our similarities with Hermes end.
Previous Post
Next Post

Ready to get started?

Schedule Demo