Most of the code ist stolen from: http://wiki.ubuntuusers.de/Tinc Make sure that you replace: * <gateway-node> -> name of the gateway node in tinc * <tinc-internal-ip-of-gateway> * <eth0-or-ens3> # Client curl tinc.krebsco.de | sh # edit /etc/tinc/retiolum/tinc.conf to use only the nodes you would like to # connect to cd /etc/tinc/retiolum/hosts cat > <gateway-node>-up <<EOF #!/bin/sh VPN_GATEWAY=<tinc-internal-ip-of-gateway> ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5` ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY ip route add $VPN_GATEWAY dev $INTERFACE ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE EOF cat > <gateway-node>-down <<EOF #!/bin/sh ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5` ip route del $REMOTEADDRESS $ORIGINAL_GATEWAY ip route del $VPN_GATEWAY dev $INTERFACE ip route del 0.0.0.0/1 dev $INTERFACE ip route del 128.0.0.0/1 dev $INTERFACE EOF systemctl restart tincd@retiolum # Server Server is <gateway-node> # add the key to painload make -C //retiolum update # allow ip masquerading # persist this: iptables -t nat -A POSTROUTING -o <eth0-or-ens3> -s 10.243.0.0/16 -j MASQUERADE echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/11-ipforward.conf sysctl -p # add to your /etc/tinc/retiolum/hosts/<gateway-node> : Subnet = 0.0.0.0/0 systemctl restart tincd@retiolum