Reverse-tunneling with Tinc on 9front
Lexicon:
- “alpha” is the sysname of machine A (the one reachable through a static IPv4 address).
- “beta” is the sysname of machine B (the one that's hidden, which alpha wants to connect to).
- 123.234.35.67 is the static IPv4 address of alpha.
- 10.0.0.45 is going to be the address of alpha within the private network.
- 10.0.0.44 is going to be the address of beta within the private network.
- “tunnel” is going to be the name of the private network.
- $tinc is going to be the configuration directory. On 9front it can be /cfg/$sysname/tinc, $home/lib/tinc, or whatever works for you. On OpenBSD it's /etc/tinc by default.
- On OpenBSD, the Tinc port is going to be set to the default 655. On 9front, following the 17xxx convention for private ports, it's going to be 17655.
Commands executed on alpha have the prompt prefixed with “alpha”, and “beta” on beta. The prompt is “%” on 9front and “#” on OpenBSD.
The /120 mask passed to ip/tinc is really a /24: on Plan 9 all addresses are IPv6 under the hood (an IPv4 address is carried as an IPv4-mapped IPv6 address), so a /24 IPv4 prefix is written as /120.
Important: After configuring the nodes, you need to propagate the host files to both machines, i.e. $tinc/tunnel/hosts on both machines should have exactly the same contents. This is left as an exercise for the reader.
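The consistency that the note above requires can be checked mechanically before the tunnel is started. The following POSIX sh script is an added example, not part of the original page or of the Tinc project: it validates a $tinc/tunnel/hosts directory (Name agrees with the file name, a Subnet line and a PEM public-key block are present, and every ConnectTo target exists with an Address line) and prints a digest of the directory so the value can be compared between the two nodes. It is written for the OpenBSD node or any Unix host used to stage the files, not for rc on 9front; the sample host files it writes are constructed in the layout used on this page with a placeholder where the key body would be, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a tinc hosts
# directory and compute a digest of it, so $tinc/tunnel/hosts can be
# compared between the two nodes before starting the tunnel.
# Assumes POSIX sh, awk, grep, sed and mktemp; uses sha256sum or sha256
# when present and falls back to cksum.

# digest: read stdin, print a single digest value.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    else
        cksum | awk '{print $1}'
    fi
}

# hosts_digest DIR: digest of every file name and content in DIR, in sorted
# order, so two nodes get the same value only if the directories match.
hosts_digest() {
    (cd "$1" && for h in *; do printf '%s\n' "$h"; cat "$h"; done) | digest
}

# check_hosts DIR: report problems in DIR; return 0 if none were found.
check_hosts() {
    dir=$1
    status=0
    for f in "$dir"/*; do
        name=${f##*/}
        # tinc looks peers up by file name, so the Name line must agree with it.
        grep -q "^Name[[:space:]]*=[[:space:]]*$name[[:space:]]*\$" "$f" \
            || { echo "$f: Name does not match file name $name"; status=1; }
        grep -q "^Subnet[[:space:]]*=" "$f" \
            || { echo "$f: no Subnet line"; status=1; }
        { grep -q '^-----BEGIN RSA PUBLIC KEY-----$' "$f" \
            && grep -q '^-----END RSA PUBLIC KEY-----$' "$f"; } \
            || { echo "$f: public key block missing or incomplete"; status=1; }
        # A node named in ConnectTo must be present here and carry an Address,
        # otherwise the connecting node has nowhere to dial.
        for peer in $(awk -F= '/^ConnectTo[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$f"); do
            if [ ! -f "$dir/$peer" ]; then
                echo "$f: ConnectTo = $peer but $dir/$peer does not exist"; status=1
            elif ! grep -q "^Address[[:space:]]*=" "$dir/$peer"; then
                echo "$f: ConnectTo = $peer but $dir/$peer has no Address"; status=1
            fi
        done
    done
    return $status
}

# make_sample DIR: write constructed host files in the layout the page uses,
# with a placeholder where the PEM key body would be (not a real key).
make_sample() {
    mkdir -p "$1"
    cat > "$1/alpha" <<'EOF'
Name = alpha
Address = 123.234.35.67
Port = 17655
Subnet = 10.0.0.45/32
-----BEGIN RSA PUBLIC KEY-----
PLACEHOLDER-KEY-BODY-NOT-A-REAL-KEY
-----END RSA PUBLIC KEY-----
EOF
    cat > "$1/beta" <<'EOF'
Name = beta
Port = 17655
Subnet = 10.0.0.44/32
ConnectTo = alpha
-----BEGIN RSA PUBLIC KEY-----
PLACEHOLDER-KEY-BODY-NOT-A-REAL-KEY
-----END RSA PUBLIC KEY-----
EOF
}

# Demonstration on constructed data: alpha's copy and beta's copy agree,
# then beta's copy of hosts/alpha loses its Address line and is rejected.
work=$(mktemp -d)
make_sample "$work/alpha-hosts"
make_sample "$work/beta-hosts"
check_hosts "$work/alpha-hosts" && echo "alpha hosts: ok"
echo "alpha digest: $(hosts_digest "$work/alpha-hosts")"
echo "beta digest:  $(hosts_digest "$work/beta-hosts")"
sed '/^Address/d' "$work/beta-hosts/alpha" > "$work/beta-hosts/alpha.tmp"
mv "$work/beta-hosts/alpha.tmp" "$work/beta-hosts/alpha"
check_hosts "$work/beta-hosts" || echo "beta hosts: rejected"
rm -rf "$work"
```

Run hosts_digest against $tinc/tunnel/hosts on each node and compare the two values; they match only when every file name and every byte of content is the same on both sides, which is exactly what the note above asks for.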
1. 9front to 9front
Both alpha and beta are 9front machines.
1.1. Host keys
    alpha% auth/rsagen -t 'service=tinc role=client host=alpha' > rsa_key.priv
    alpha% auth/rsa2pub < rsa_key.priv | auth/rsa2asn1 | auth/pemencode 'RSA PUBLIC KEY' > $tinc/tunnel/hosts/alpha
    alpha% cat rsa_key.priv >>/mnt/factotum/ctl

    beta% auth/rsagen -t 'service=tinc role=client host=beta' > rsa_key.priv
    beta% auth/rsa2pub < rsa_key.priv | auth/rsa2asn1 | auth/pemencode 'RSA PUBLIC KEY' > $tinc/tunnel/hosts/beta
    beta% cat rsa_key.priv >>/mnt/factotum/ctl
1.2. Node configuration
    alpha% cat $tinc/tunnel/hosts/alpha
    Name = alpha
    Address = 123.234.35.67
    Port = 17655
    Subnet = 10.0.0.45/32
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----

    beta% cat $tinc/tunnel/hosts/beta
    Name = beta
    Port = 17655
    Subnet = 10.0.0.44/32
    ConnectTo = alpha
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----
Propagate the host files to the nodes.
1.3. Start up
    alpha% ip/tinc -c $tinc/tunnel -n alpha 10.0.0.45 /120 beta

    beta% ip/tinc -c $tinc/tunnel -n beta 10.0.0.44 /120 alpha

    alpha% ip/ping 10.0.0.44
    sending 32 64 byte messages 1000 ms apart to icmp!10.0.0.44!1
    0: rtt 44457 µs, avg rtt 44457 µs, ttl = 255
    1: rtt 43893 µs, avg rtt 44175 µs, ttl = 255
    2: rtt 44167 µs, avg rtt 44172 µs, ttl = 255
    3: rtt 43700 µs, avg rtt 44054 µs, ttl = 255

    beta% ip/ping 10.0.0.45
    sending 32 64 byte messages 1000 ms apart to icmp!10.0.0.45!1
    0: rtt 48211 µs, avg rtt 48211 µs, ttl = 255
    1: rtt 44000 µs, avg rtt 46105 µs, ttl = 255
    2: rtt 43528 µs, avg rtt 45246 µs, ttl = 255
    3: rtt 44648 µs, avg rtt 45096 µs, ttl = 255
2. 9front to OpenBSD
Here alpha is an OpenBSD machine and beta is a 9front machine. On OpenBSD, install Tinc with pkg_add tinc.
2.1. Host keys
    alpha# tinc -n tunnel generate-rsa-keys
    alpha# cat $tinc/tunnel/rsa_key.priv
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    alpha# cat $tinc/tunnel/hosts/alpha
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----

    beta% auth/rsagen -t 'service=tinc role=client host=beta' > rsa_key.priv
    beta% auth/rsa2pub < rsa_key.priv | auth/rsa2asn1 | auth/pemencode 'RSA PUBLIC KEY' > $tinc/tunnel/hosts/beta
    beta% cat rsa_key.priv >>/mnt/factotum/ctl
2.2. Node configuration
    alpha# ls $tinc/tunnel
    hosts  rsa_key.priv  tinc-down  tinc-up  tinc.conf
    alpha# cat $tinc/tunnel/tinc.conf
    Name = alpha
    Device = /dev/tap0
    alpha# cat $tinc/tunnel/tinc-up
    #!/bin/sh
    ifconfig $INTERFACE 10.0.0.45 netmask 255.255.255.0
    alpha# cat $tinc/tunnel/tinc-down
    #!/bin/sh
    ifconfig $INTERFACE down
    alpha# cat $tinc/tunnel/hosts/alpha
    Name = alpha
    Address = 123.234.35.67
    Port = 655
    Subnet = 10.0.0.45/32
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----

    beta% cat $tinc/tunnel/hosts/beta
    Name = beta
    Port = 17655
    Subnet = 10.0.0.44/32
    ConnectTo = alpha
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----
Propagate the host files to the nodes.
2.3. Start up
    alpha# tincd -n tunnel

    beta% ip/tinc -c $tinc/tunnel -n beta 10.0.0.44 /120 alpha

    alpha# ping 10.0.0.44
    PING 10.0.0.44 (10.0.0.44): 56 data bytes
    64 bytes from 10.0.0.44: icmp_seq=0 ttl=255 time=40.663 ms
    64 bytes from 10.0.0.44: icmp_seq=1 ttl=255 time=40.284 ms
    64 bytes from 10.0.0.44: icmp_seq=2 ttl=255 time=40.684 ms
    64 bytes from 10.0.0.44: icmp_seq=3 ttl=255 time=40.646 ms

    beta% ip/ping 10.0.0.45
    sending 32 64 byte messages 1000 ms apart to icmp!10.0.0.45!1
    0: rtt 41060 µs, avg rtt 41060 µs, ttl = 255
    1: rtt 41179 µs, avg rtt 41119 µs, ttl = 255
    2: rtt 41287 µs, avg rtt 41175 µs, ttl = 255
    3: rtt 40907 µs, avg rtt 41108 µs, ttl = 255