This page was originally a static page on my website. I have incorporated it into my blog, entry dated the last time the page was edited, as a more appropriate place to archive old things like this. tgwnet as described no longer exists.

tgwnet is a peer-to-peer VPN based on the excellent tincd.

Tier 1 nodes

Hostname  Owner  External DNS  Avahi DNS      Internal IP  ConnectTo  IP pool
hestia    Sean                 hestia.local                None yet
raspbmc   John                 raspbmc.local               hestia

Tier 2 nodes

(may not always be up-to-date)

Hostname     Owner  External DNS  Avahi DNS          Internal IP  ConnectTo
artemis      Sean   N/A           artemis.local                   hestia, asteria
zephyr       Sean   N/A           zephyr.local                    hestia
asteria      Sean                 asteria.local                   hestia
selene       Sean                 selene.local                    hestia
john-laptop  John   N/A           john-laptop.local               raspbmc

How to add a new tier 1 node

These instructions are not yet complete. Suppose you are setting up a host called host, that your IP block assignment is and that you want to use as your tier 1 node's IP address (you can use any address in your pool). Below, hestia is Sean's tier 1 node, the one a new tier 1 node connects to first.


Contact Sean to get an IP pool allocation, which will be a /24 of the form 172.19.4X.0/24 (easier to remember if we just go up 43, 44, 45... and no-one gets 42, to prevent arguments :P). The idea is one /24 per tier 1 node admin, i.e. TGW member. Choose an IP address for your tier 1 node from your pool. E-mail this information to Sean so the table above can be updated.

It's possible to use tinc to bridge your local LAN into tgwnet with only one machine (generally your router) running tinc. If you want to do this, the easiest thing to do is get a second /24 for your LAN's computers, which your router's DHCP server can be set up to hand out. Bear in mind that this puts every machine on that LAN onto tgwnet, reachable by everyone else on it.


Install the tincd package however your distribution does that. Also install avahi-daemon to get automagic distributed DNS. Now mkdir -p /etc/tinc/tgwnet/hosts (throughout you can use some other word instead of tgwnet; it's a purely local identifier, the netname you pass to tincd -n) and then edit /etc/tinc/tgwnet/tinc.conf, using your own node's name for Name (it must match the name of your host file, created below) and Sean's node for ConnectTo:

Name = host
Interface = tap1
AddressFamily = ipv4
LocalDiscovery = yes
ConnectTo = hestia
Mode = switch

You can add the following lines to bind on more than one port, for example if you need access to your tier 1 node from within Balliol’s ridiculous LAN.

BindToAddress = * 655
BindToAddress = * 1194

Replacing the IP address in the below with your tier 1 node’s IP address that you selected earlier, create /etc/tinc/tgwnet/tinc-up

ifconfig $INTERFACE netmask

and chmod this file to 755. Now create /etc/tinc/tgwnet/hosts/host, where host is your tier 1 node's name, the same as Name in tinc.conf (yes, the machine you are creating the file on):

Subnet =

where the IP address here is your chosen IP for your tier 1 node. Now execute, as root, tincd -n tgwnet -K4096 to generate a keypair for your host. Accept the default locations: the public key is appended to /etc/tinc/tgwnet/hosts/host and the private key is written to /etc/tinc/tgwnet/rsa_key.priv, which must stay on this machine with mode 600. E-mail the host file /etc/tinc/tgwnet/hosts/host (the Subnet line plus your public key; nothing in it is secret, but signing it lets Sean verify who it came from), PGP signed and encrypted, to Sean. He will send you back a file to be put at /etc/tinc/tgwnet/hosts/hestia; this is hestia's host file, containing its public key, so that you can connect in to the rest of the network. Sean puts your file in his hosts directory likewise: tinc will not accept a connection from a node whose host file it does not have.

If you like you could establish similar relationships with other tier 1 hosts but this isn’t strictly necessary as tinc will automatically build the tunnels. If you do establish such relationships, though, notify Sean so he can update the above table.

The node is now operational and you can go ahead and add tier 2 nodes using the instructions below. Test by pinging things like zephyr.local and watch to see if the ping times drop as tunnels are built, assuming Sean has his computer on.


Very similar to the above, just different config file locations etc.

How to add a new tier 2 node

These instructions are not yet complete.


Very similar to adding a tier 1 node: generate your keypair the same way, but ConnectTo in /etc/tinc/tgwnet/tinc.conf should name your tier 1 node rather than hestia, and you put that node's host file (its public key) in /etc/tinc/tgwnet/hosts/ instead of hestia's. The tier 1 node needs your host file in its hosts directory too, since tinc authenticates both ends of a connection, so give it to whoever runs that node.
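As an added example, not code from the original page or from tinc itself, here is a POSIX shell script that does the file setup for both the tier 1 procedure above and the tier 2 variant (same files, different Name and ConnectTo), installs a received host file, and checks the tree before tincd is started. The function names, the TINC_ROOT override (so it can be dry-run in a scratch directory instead of /etc/tinc), and the values host, 172.19.43.1, 255.255.255.0 and hestia used below are assumptions for illustration, not real tgwnet assignments.

```shell
#!/bin/sh
# Added example, not from the original page: scripts the tgwnet node setup
# described above for either tier. Node name, address, netmask and peer are
# parameters; any concrete values (host, 172.19.43.1, hestia) are assumed
# placeholders. TINC_ROOT is this script's own knob for dry runs; it
# defaults to the real /etc/tinc.

set -u
TINC_ROOT="${TINC_ROOT:-/etc/tinc}"

# Write tinc.conf, tinc-up and the node's own host file.
#   $1 node name   $2 its tgwnet address   $3 netmask   $4 node to ConnectTo
tgwnet_write_config() {
    name="$1"; addr="$2"; mask="$3"; peer="$4"
    net="$TINC_ROOT/tgwnet"
    mkdir -p "$net/hosts"
    cat > "$net/tinc.conf" <<EOF
Name = $name
Interface = tap1
AddressFamily = ipv4
LocalDiscovery = yes
ConnectTo = $peer
Mode = switch
EOF
    # tincd runs tinc-up with INTERFACE in its environment; it must be executable.
    cat > "$net/tinc-up" <<EOF
#!/bin/sh
ifconfig \$INTERFACE $addr netmask $mask
EOF
    chmod 755 "$net/tinc-up"
    # Our own host file; tincd -K appends our public key to it.
    printf 'Subnet = %s\n' "$addr" > "$net/hosts/$name"
}

# Generate the keypair non-interactively so tincd takes its defaults:
# public key into hosts/<Name>, private key into rsa_key.priv (created
# mode 0600; it never leaves this machine). Fails if tincd is not installed.
tgwnet_keygen() {
    command -v tincd >/dev/null 2>&1 || { echo "tincd not installed" >&2; return 1; }
    tincd -c "$TINC_ROOT/tgwnet" -K4096 </dev/null >/dev/null
}

# Install a peer's host file as received from its admin. A host file is
# public material (Subnet lines plus an RSA public key), so refuse anything
# that lacks the public key or carries a private key pasted in by mistake.
#   $1 peer name   $2 path of the received file
tgwnet_add_peer() {
    peer="$1"; file="$2"
    net="$TINC_ROOT/tgwnet"
    if grep -q 'PRIVATE KEY' "$file"; then
        echo "refusing $file: contains a private key" >&2; return 1
    fi
    if ! grep -q 'BEGIN RSA PUBLIC KEY' "$file"; then
        echo "refusing $file: no RSA public key" >&2; return 1
    fi
    mkdir -p "$net/hosts"
    cp "$file" "$net/hosts/$peer" && chmod 644 "$net/hosts/$peer"
}

# Sanity-check the tree: Name has a matching host file, tinc-up is
# executable, no ConnectTo names ourselves, and every ConnectTo peer has a
# host file (tinc cannot authenticate a peer whose host file is missing).
tgwnet_check() {
    net="$TINC_ROOT/tgwnet"
    name=$(sed -n 's/^Name = //p' "$net/tinc.conf")
    [ -n "$name" ] && [ -f "$net/hosts/$name" ] || return 1
    [ -x "$net/tinc-up" ] || return 1
    for p in $(sed -n 's/^ConnectTo = //p' "$net/tinc.conf"); do
        [ "$p" != "$name" ] || return 1
        [ -f "$net/hosts/$p" ] || return 1
    done
    return 0
}
```

For a tier 1 node run tgwnet_write_config host 172.19.43.1 255.255.255.0 hestia, then tgwnet_keygen, then tgwnet_add_peer hestia on the file Sean sends back; for a tier 2 node pass your own tier 1 node's name instead of hestia in both places. tgwnet_check deliberately fails until the peer's host file is in place, which is the usual reason a fresh node cannot connect.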


Very similar to the above, just different config file locations etc.