Experiment – Mesh VPN setup with Tinc

This is a super short post on my experiment with setting up a mesh VPN using tinc.


  • It’s used to create a VPN out of many small networks that are geographically distributed
  • There is no concept of server or client in tinc, so nodes try to talk to each other directly or through other nodes

Actors in the mesh

<name> – name for each actor

  • Digital Ocean droplet <externalnyc> – to which all the actors below connect
  • Digital Ocean droplet <externalblr>
  • Laptop <fedora> (Home LAN)
  • RaspberryPi <pi> (Home LAN)

How actors are connected?

  • externalblr ===> externalnyc
  • fedora ===> externalnyc
  • pi ===> fedora

The assumption is that all actors except externalnyc are behind a NAT/firewall.

IP for each actor in VPN

  • externalnyc –
  • externalblr –
  • fedora –
  • pi –


  • Every actor is able to talk to every other actor
  • Access services that are allowed in the firewall
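The wiring above, as an added example (not the author's own files): a script that writes the tinc 1.0 configuration tree for each of the four actors, with the ConnectTo links exactly as listed. The VPN addresses 10.0.0.1–4, the network name "mesh" and the public address of externalnyc are placeholders, since the post does not give its own values.

```shell
#!/bin/sh
# Generates ROOT/<actor>/mesh/{tinc.conf,hosts/<actor>,tinc-up} for every actor.
# Placeholders: 10.0.0.x VPN addresses, net name "mesh", externalnyc's public IP.
set -eu

NETNAME="mesh"
VPN_NET="10.0.0.0/24"

# make_node ROOT NAME VPN_IP CONNECT_TO
# CONNECT_TO is the actor this one dials out to ("" for externalnyc, the only
# actor that is not behind NAT and therefore never needs to dial out).
make_node() {
    root="$1"; name="$2"; vpn_ip="$3"; connect_to="$4"
    dir="$root/$name/$NETNAME"
    mkdir -p "$dir/hosts"

    # tinc.conf: identity plus the single outbound link. Nodes learn the rest
    # of the mesh over that link, so pi reaches externalblr via fedora/externalnyc.
    printf 'Name = %s\nInterface = tun0\nMode = router\n' "$name" > "$dir/tinc.conf"
    if [ -n "$connect_to" ]; then
        printf 'ConnectTo = %s\n' "$connect_to" >> "$dir/tinc.conf"
    fi

    # hosts/NAME: this actor's VPN subnet; only the publicly reachable actor
    # advertises an Address. tincd -K later appends the public key here.
    printf 'Subnet = %s/32\nPort = 655\n' "$vpn_ip" > "$dir/hosts/$name"
    if [ "$name" = "externalnyc" ]; then
        printf 'Address = PUBLIC_IP_OF_EXTERNALNYC\n' >> "$dir/hosts/$name"
    fi

    # tinc-up: bring the tunnel interface up with this actor's VPN address.
    printf '#!/bin/sh\nip link set "$INTERFACE" up\nip addr add %s/32 dev "$INTERFACE"\nip route add %s dev "$INTERFACE"\n' \
        "$vpn_ip" "$VPN_NET" > "$dir/tinc-up"
    chmod 755 "$dir/tinc-up"
}

# make_mesh ROOT: the four actors wired as in the post.
make_mesh() {
    make_node "$1" externalnyc 10.0.0.1 ""
    make_node "$1" externalblr 10.0.0.2 externalnyc
    make_node "$1" fedora      10.0.0.3 externalnyc
    make_node "$1" pi          10.0.0.4 fedora
}

# On each real actor afterwards:
#   tincd -n mesh -K4096        # key pair; public key is appended to hosts/<Name>
# then copy every actor's hosts/<name> file into every other actor's hosts/
# directory (that is how peers authenticate each other) and start tincd -n mesh.
```

Run it against a scratch directory first (make_mesh /tmp/tinc-demo) and compare the generated files with /etc/tinc on a real host before copying anything over.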



Steps that helped me with Digital Ocean server setup


Hey everyone! From the title you might be wondering, “Why would this guy write about some setup that has been done a million times?”. Well, I can understand your frustration with that. So, to give you a hint of why I am writing this blog in the first place, I will list the things that I wanted to do and how these different blog posts helped me achieve them. The list is as follows,

  • I need to get a feel for managing cloud environments (preferably GNU/Linux. Hint: I am a Free software activist 😉 )
  • Ah! I need a web server in the first place, and there are many providers out there: who do I choose? Who offers cheap plans? How easy is the setup?
  • I need to set up a simple web app that is running locally and make it run on the remote server
  • I bought a domain from a domain registrar and need to link it to my web server
  • I also need to make the app HTTPS-enabled at zero cost (that’s an important step)

These are the things I needed to achieve and, to be honest, I picked up some needs along the way while reading (sorry about that 🙂 ). Another reason for me to write this blog is that some of these steps are linked and are mentioned in the blogs, but we either miss or ignore them and end up with some issue.

Getting a domain name

There are a number of domain registrars out there who offer domains with various plans and features included. Choose the one that is best for you and go ahead with that provider. I am not going to share any how-tos here since the domain registrars have covered that.

Note: I needed to link my web server to a domain, so this is a necessary step for me.

Getting a web server

Domains are just one part of the story and web servers are the other. As with domain names, there are lots of web hosting companies offering a variety of plans to choose from. I chose to go with Digital Ocean (which this blog covers), who offered plans as low as $5/month. Digital Ocean calls their VPSes (Virtual Private Servers) droplets, and the blog post that you can read to get a server up and running in less than 55 seconds is given below.


Setting SSH key based access to your server

Read this first -> Do this step before you create your droplet, because it is an optional setting during creation. It ensures that your server can only be accessed with ssh keys from an authorized machine rather than with passwords. You can also do this after you have created the droplet by adding the keys to your server, logging in with the password that was mailed to you. Both steps are detailed in the blog post given below.


Initial server setup with Ubuntu 16.04

When you created the droplet you would have chosen a GNU/Linux distribution to get started with. Once you have done that, read the following blog post to learn about the dangers of having root-only logins because,

With root comes power and with power comes responsibility

and how you can mitigate that with non-root accounts. The blog post goes on to explain the shortcomings of password-based logins and how they can be secured with ssh keys.
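The two sshd settings those posts end with (key-only logins, no direct root login), as an added example that is not from the Digital Ocean guides: a small script that applies them to an sshd_config file so that each directive appears exactly once. It assumes a config without Match blocks, as in the Ubuntu 16.04 default, and is meant to be run only after your key already works for the non-root user, otherwise you lock yourself out.

```shell
#!/bin/sh
# Hardens an sshd_config the way the posts above describe. Try it on the
# constructed sample in demo() first; on a droplet use /etc/ssh/sshd_config.
set -eu

# set_opt FILE KEY VALUE: drop every existing line for KEY (active or
# commented out) and append "KEY VALUE", so the effective value is unambiguous.
# sshd takes the first occurrence of a keyword, so stray duplicates matter.
set_opt() {
    file="$1"; key="$2"; value="$3"
    tmp="${file}.tmp"
    grep -v -E "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd_config FILE: key-only authentication and no root login.
harden_sshd_config() {
    file="$1"
    set_opt "$file" PubkeyAuthentication yes
    set_opt "$file" PasswordAuthentication no
    set_opt "$file" ChallengeResponseAuthentication no
    set_opt "$file" PermitRootLogin no
}

# effective_value FILE KEY: the value sshd would use (first active match).
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# demo: constructed sample resembling the Ubuntu 16.04 defaults, hardened
# in a temp copy; prints the resulting PasswordAuthentication value ("no").
demo() {
    f=$(mktemp)
    printf 'Port 22\nPermitRootLogin prohibit-password\n#PasswordAuthentication yes\nChallengeResponseAuthentication no\nUsePAM yes\n' > "$f"
    harden_sshd_config "$f"
    effective_value "$f" PasswordAuthentication
    rm -f "$f"
}
```

After editing the real file, validate with `sshd -t` and restart sshd from a session you keep open until a second key-based login succeeds.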


Make your web host manage DNS for your domain

When you purchase a domain, say “www.vms20591.com”, the domain registrar will usually manage the DNS for you. That is, when you type “www.vms20591.com” the name gets converted to an IP address “” and this is done by DNS. You have to change the nameservers managed by your domain registrar to the ones managed by Digital Ocean. Digital Ocean has written a detailed blog post on how you can do this for many domain registrars.


Note: Honestly, I am really skeptical about this step because, from some posts I read, people say you only need to point your domain name to the public IP address of your server from the control panel of your domain registrar and wait for the changes to propagate.

Setting up host name with Digital Ocean

Once you have changed the nameservers for your domain to Digital Ocean, you can go about managing your DNS from the control panel for your server.


Create a Python Flask Application with Nginx and uWSGI

Now that you have a web server and a domain name linked to it, we need to get to the fun part, which is actually serving something meaningful. For this I chose to go with Python Flask, since it is so easy to get started with and Python is my favourite. I have used uWSGI as the application server, which is capable of serving WSGI applications with great efficiency, and Nginx, a high-performance web server that acts as a reverse proxy. You can read more about the reasoning here.


Secure Nginx server with Let’s Encrypt

Now that your web server is up and running under your favourite domain, you might feel accomplished. But wait, there is one more crucial step to be done. One more? Yes, one more, and it is securing your server with HTTPS. This is an important step that should be followed. For this, I used Let’s Encrypt, which is a new Certificate Authority (CA, the people who issue SSL certificates for your domain) mainly sponsored by Mozilla and the EFF. The reason for choosing this CA is that you need not go through a big process to get your domain certified, and it is free, open and automated.



I hope this blog post helps you get started with setting up and managing servers and get to know some best practices in doing so. Though this centres around Digital Ocean, the process should be similar for other web hosts and domain registrars.

Virtualbox – SSH from host OS into guest OS

This will be a very short post on how to ssh into your guest OS from your host OS in virtualbox.

Though there are other ways in which you could access your guest OS from your host, I found the Port Forwarding method to be extremely easy to implement.

Note: I assume that you have installed an operating system in virtualbox and that openssh-server is installed in it,

and the steps are,

  • Click on Settings in your virtualbox manager
  • Click on Network
  • Assuming that the default network type is NAT, click on Port Forwarding
  • In the Port Forwarding Rules window, create a new rule by clicking on Add new port forwarding rule
  • Fill in the table with the following details that are necessary; the rest can be left blank,
    • Name
    • Protocol – TCP (filled in by default)
    • Host port – . Ex: 3000 (make sure it’s not being used elsewhere)
    • Guest port – 22 (since ssh runs on port 22)
  • Click Ok in both the Port Forwarding Rules and Network windows

Note: You need not restart your VM, and this can be done before you start or after you have started your guest OS.

To test whether you are able to ssh into your guest OS, make sure it’s up and running. Then from your host OS terminal type in the following,

ssh -p @

Ex: ssh -p 3000 vms20591@

and that’s it. You can now ssh into your guest OS. I found this in a stackoverflow post, which prompted me to write this post.
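The same port-forwarding rule built from the command line with VBoxManage, as an added example that is not part of the original post. The VM name "guest" and host port 3000 are placeholders. Two details the GUI steps leave to you are handled explicitly: the rule is bound to 127.0.0.1, so the forwarded ssh port is reachable only from the host and not from the rest of the LAN, and the host port is checked for being free before the rule is added.

```shell
#!/bin/sh
# Added example: VBoxManage equivalent of the GUI port-forwarding steps above.
set -eu

# natpf_ssh_rule HOSTPORT: print the rule in VBoxManage's natpf format
#   <name>,<proto>,<hostip>,<hostport>,<guestip>,<guestport>
# bound to 127.0.0.1. Fails if HOSTPORT is not a number in 1..65535.
natpf_ssh_rule() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf 'ssh,tcp,127.0.0.1,%s,,22\n' "$port"
}

# host_port_free HOSTPORT: succeed if nothing on the host is listening on it
# (the "make sure it's not being used elsewhere" check from the post).
host_port_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    else
        ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    fi
}

# add_ssh_forward VMNAME HOSTPORT: apply the rule to adapter 1 (the NAT
# adapter, as in the post). A running VM takes the rule via controlvm, a
# powered-off one via modifyvm, so no restart is needed either way.
add_ssh_forward() {
    vm="$1"; port="$2"
    rule=$(natpf_ssh_rule "$port") || { echo "bad host port: $port" >&2; return 1; }
    host_port_free "$port" || { echo "host port $port is already in use" >&2; return 1; }
    if VBoxManage showvminfo --machinereadable "$vm" | grep -q '^VMState="running"'; then
        VBoxManage controlvm "$vm" natpf1 "$rule"
    else
        VBoxManage modifyvm "$vm" --natpf1 "$rule"
    fi
    echo "now connect with: ssh -p $port <user>@127.0.0.1"
}
```

Example call: add_ssh_forward guest 3000, then ssh -p 3000 vms20591@127.0.0.1 from the host.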

I know what y’all are thinking, “A picture is worth a thousand words”. Here you go!

Step 1: Click on Settings


Step 2: Select Network


Step 3: Add a new rule and click Ok


Step 4: Left window shows terminal from my host OS Linux Mint where I ssh into my guest OS Trisquel running in a virtualbox to the right


I basically wrote this post for others who want to try this, and as a way for myself to remember what I have learned and to be reminded if I forget it 🙂 🙂