@Viking, it's a bit similar to the Zerotier add-on. It's also a peer-to-peer VPN. It's totally self-hosted though, unlike Zerotier, which is why people use it over Zerotier.
@Viking OpenVPN is a point-to-point VPN. All your endpoints connect to a single server.
Zerotier, Tailscale, and Tinc (and also Nebula for that matter) are peer-to-peer VPNs. It's also quite similar to Hamachi, which is used a lot for gaming. That means that while there is a central coordination instance, peers can connect directly if a more direct path is available. So if your laptops are on the same wifi they will simply build a direct (encrypted) connection, but if you bring one to the coffee shop across the road they will keep communicating, but through a "server" (if both networks are behind NAT).
I use it mainly to have an "internal" IP range on all my devices that's available wherever I am with my devices. Both on mobile, desktops, devices (Home Assistant etc). Until now I didn't find a tinc client for Home Assistant, so I was using a standard Linux install with the HASS docker on top instead of Home Assistant OS. Because Home Assistant OS is so locked down I could not install it on there, and I really need it. It's great that mdzidic made this add-on, I will try it to see if it suffices, because I'm thinking of moving to the OS and this was a blocking point.
In terms of performance @danbutter I don't really know. I've only ever used tinc. I don't like the centralised approach of Zerotier or Tailscale. I know there is a self-hosted option for Tailscale in the form of Headscale, but I already have tinc running and now that there's a good Android client I just didn't see any need to change.
Tinc is the oldest of all these options (I've used it for decades!) so it's probably not quite as advanced in terms of hole punching NATs etc. It's certainly not as glossy as Tailscale. But it works fine for me and it's fully self-hosted and there's not a commercial entity behind it like there is with Tailscale, Zerotier and Nebula (which is from Slack). So I don't have to worry about them trying to push subscription schemes and undermining self-hosted options. So I'm just not bothered about changing it.
I must have misunderstood things. In my book, a VPN is a hub-spoke network where all clients log onto a central VPN server using classical authentication, typically username/password, while peer-to-peer communication does not require a server once the communication and authorization has been done. Hence the name "peer-to-peer VPN" becomes a contradiction in terms? It must be either/or, not both, right? Horses do not come with wheels.
So what is this thing called Tinc? Is it just another VPN client? Or is it a peer client? If so, where is the comm setup and authentication handled? Can I install a self-managed version, invisible to Home Assistant?
If you have a running tincd (tinc daemon/server) you can use this add-on as the HA tinc client. As @GP123 already mentioned, it's a free and self-hosted alternative to all currently available cloud services for peer-to-peer networking.
Of course, tinc is less popular than OpenVPN, but tinc focuses more on performance and security over speed.
Before Nabu Casa and cloudflared tunnel add-on, I have been using tinc to expose my HA instance in combination with balance and VPS (static public IP).
So Tincd is the server. Can that be run in a docker container on a Linux platform anywhere? I assume this server has to be reachable from the internet in order to be able to provide its services, right?
And then this thread talks about a Tinc client tailored specifically for HA, right? Or is it just a general purpose client that will expose any web service defined by an IP:Port or DNS name?
Of course, you can dockerize it, but don't forget to allow the docker privilege 'NET_ADMIN' on that container. You can follow the source code on my GitHub link and replicate it for your Linux server.
True, this add-on is tailored for HA to act as "client 2 server", and you can do whatever you want on your server side once you have your HA instance connected to the tinc private network (it will not expose your HA instance to the world by default).
It's a little bit different than you explain @Viking; what you would normally do is install tinc on every device you have so they can communicate together. It's a mesh VPN, not a VPN with a single central point.
Every client is also a "server", but normally you would have a central server on a VPS exposed to the internet that is always reachable. So in that way you kinda have a central point, but if the clients can "see" each other it's more for coordination than actually handling all your traffic.
Normally on a Linux server I wouldn't bother with docker for it because it's such a tiny daemon (115kb literally). Docker would incur a lot of overhead. Of course on Home Assistant OS it's the only option.
And yeah, I prefer it over the Nabu Casa option because I'm only dependent on myself for security then, and Home Assistant is not the only self-hosted service I expose this way (by far!).
I just wonder why it's named tinc-vpn when it is clearly not a virtual private network but a peering network? I find that name confusing and incorrect.
It is a virtual private network, just a different type than the traditional point-to-point type. It's simply an evolution of VPN, with the added optimisation that clients can communicate directly when they have a different path between them (but fall back to the traditional method when they don't). This is better than a traditional VPN because it improves throughput and latency where possible. But it still provides the exact same thing, which is a secure tunnel between your devices. You can also include a whole subnet behind a tinc node like you would with a traditional VPN; it's just not normally done because you lose the routing optimisation (and add a dependency on that tinc node for everything!). It's really nice to be able to still reach your other devices when your server is down.
See the most popular option right now in the same niche: Tailscale, "Best VPN Service for secure networks". They're all marketing themselves as VPN, though some try to give a different spin on it to make it sound like they're more special (like Zerotier with their "Global Area WAN").
PS: I see Tailscale is also listed on the Home Assistant store as a VPN. And it does the exact same thing as tinc.
I couldnāt remember why I have never tried tinc before as it is even an addon for pfsense and running directly on the router would be best case scenario. I looked again and found out why.
Your mileage may vary depending on your ISP, but the thing I see as a non-starter for tinc is that it won't work for those behind CGNAT.
Quote from their site...
"As long as one node in the VPN allows incoming connections on a public IP address"
I know this is less common, but it happens.
Whereas Tailscale and Zerotier will work because of their coordination servers. I understand the trust you have to put into these companies, but if you have CGNAT and you don't want to trust a company like Zerotier or others, you have to pay someone to do something outside your network, even if that something is running a VPS with tinc on it.
So all these don't do the exact same thing, even if your internet provider is set up such that you get the same result.
Either way, good job on the addon. I bet plenty will get use from it.
As we already mentioned before, it can be used as a simple VPN service (server/client). Many of us already have a VPS server in the public cloud (or if not, you can buy one for a few bucks per month) with a public IP assigned to that VPS server; we use that VPS as the "central" tinc server, or coordinator/lighthouse server if you like, and your device behind CGNAT will be able to connect to that "central" tinc server.
CGNAT will only block the mesh feature of the tinc service where every client is also the server.
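The layout described in the post above (one always-reachable tinc node on a VPS with a public IP, and a client behind CGNAT that dials out to it), as an added example that is not part of the thread and not code from the tinc project or the HA add-on. It is a POSIX shell script that writes the tinc 1.0 configuration tree for one node: the network name "home", the node names "vps" and "ha", the 10.10.0.0/24 VPN range and the hostname vps.example.net are all assumptions chosen for illustration. Only the node with a public address gets an "Address =" line in its host file and listens; every other node gets "ConnectTo =" pointing at it, which is why the NATed side never needs an inbound port. In a container the daemon needs the NET_ADMIN capability and /dev/net/tun, as mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example (not from tinc or the HA add-on): generate a tinc 1.0 config
# tree for one node of a small mesh with a central, publicly reachable node.
# Network name, node names, VPN range and hostname below are assumptions.
set -eu

# gen_tinc_node ROOT NETNAME NODENAME VPN_IP CENTRAL [PUBLIC_ADDRESS]
# Writes ROOT/NETNAME/{tinc.conf,tinc-up,tinc-down,hosts/NODENAME}.
# The central node has a PUBLIC_ADDRESS and just listens; every other node
# dials out to it with ConnectTo, so a client behind (CG)NAT still works.
gen_tinc_node() {
    root=$1; net=$2; name=$3; ip=$4; central=$5; addr=${6:-}
    dir="$root/$net"
    mkdir -p "$dir/hosts"

    {
        printf 'Name = %s\n' "$name"
        printf 'Mode = router\n'          # each node announces its own /32 Subnet
        printf 'Device = /dev/net/tun\n'  # docker: --cap-add NET_ADMIN --device /dev/net/tun
        if [ "$name" != "$central" ]; then
            printf 'ConnectTo = %s\n' "$central"
        fi
    } > "$dir/tinc.conf"

    # Host file: this is what gets shared with the peers. `tincd -c DIR -K`
    # appends the node's RSA public key to it after key generation.
    {
        printf 'Subnet = %s/32\n' "$ip"
        if [ -n "$addr" ]; then
            printf 'Address = %s\n' "$addr"
            printf 'Port = 655\n'        # tinc default; open 655/tcp+udp on the VPS
        fi
    } > "$dir/hosts/$name"

    # tincd runs tinc-up with $INTERFACE set to the tun device it created.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $ip/24 dev "\$INTERFACE"
EOF
    cat > "$dir/tinc-down" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" down
EOF
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# exchange_hosts DIR_A DIR_B NETNAME
# A node only authenticates and routes to peers whose host file (Subnet,
# Address, public key) sits in its own hosts/ directory, so the files are
# copied both ways. Over real hosts this is the scp step.
exchange_hosts() {
    a="$1/$3/hosts"; b="$2/$3/hosts"
    for f in "$a"/*; do cp "$f" "$b/"; done
    for f in "$b"/*; do cp "$f" "$a/"; done
}

# Demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    gen_tinc_node "$out/vps" home vps 10.10.0.1 vps vps.example.net
    gen_tinc_node "$out/ha"  home ha  10.10.0.2 vps
    exchange_hosts "$out/vps" "$out/ha" home
    echo "Config trees written under $out."
    echo "Next: run 'tincd -c $out/vps/home -K' and 'tincd -c $out/ha/home -K' on their hosts,"
    echo "exchange hosts/ again so each side has the other's public key, then 'tincd -c DIR -D'."
fi
```

Key generation is left to tincd itself (the -K step) because the script should run anywhere; until both host files carry a public key and have been copied to the other side, the two daemons will refuse each other. With only the "vps" node carrying an Address line, a second NATed node added the same way reaches "ha" through the VPS, which is exactly the relayed case the thread calls out for CGNAT.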
Gotcha.
I was just saying it differs from Tailscale and Zerotier, as you don't need to have that VPS in the cloud to use them in the case of having CGNAT from your ISP.
If you're gonna pay for something just to get remote access to Home Assistant, you might as well use Nabu Casa cloud and support development.
Gotcha.
I was just saying it differs from Tailscale and Zerotier, as you don't need to have that VPS in the cloud to use them in the case of having CGNAT from your ISP.
Tailscale and Zerotier host that "VPS" for you, that's why. You still need that central point. It's just part of the (free) service they provide. I don't like giving the keys of my VPN to a third party, so they're non-starters for me (though Tailscale can be self-hosted using Headscale, technically).
If you're gonna pay for something just to get remote access to Home Assistant, you might as well use Nabu Casa cloud and support development.
True, but Home Assistant isn't the only thing I use my VPN for. I have a ton of stuff behind it. As an example, I have a Matrix server running at home interfacing to WhatsApp, Signal, Telegram, Discord etc. And tons of other servers at home for other things. All that also goes over tinc when I'm away. I have a lot more control over my security this way, as I don't rely on a third party to configure things for me (perhaps incorrectly).
I run other things on my VPSes too, like IRC bouncers and other things. I don't need them just for this.
I know the Nabu Casa service but it's not what I want, at least for this. Perhaps I will get it some time for the text to speech.
CGNAT will only block the mesh feature of the tinc service where every client is also the server.
Indeed, and if the endpoint it is trying to connect to is not behind (CG)NAT itself, it can still work! Because the one behind NAT can connect to the other one. With IPv6 this is more common.
Some other VPNs like Tailscale and Nebula can also do "NAT hole-punching" by sending fake packets to simulate an existing NAT connection. However, I don't think Tinc does this, as far as I have seen. It's not a problem bothersome enough for me to change over though. I like tinc.