Quickstart guides


Joining or creating a new network

This short guide explains how to generate an initial configuration for the new node, generating new private keys on the device itself. Configuration files can be edited with any Android text editor or, more conveniently, through a remote shell (by using Termux+sshd for example).

Bootstrapping the node configuration

A new node configuration and private keys can be generated by using the “Generate node configuration and keys” option on the application’s configuration screen. The generated files will be written in the application’s configuration directory, whose path is displayed above on the same screen.

Configuring the network interface

A minimal configuration specifying an IP address and a route can be as short as follows:

$ echo "Address =
Route =" >> $confdir/$netname/network.conf

Deploying host files

Node host files can be copied to and from the network’s hosts directory as usual.

Quite Easily Done.

Joining a network via invitation URL

A network can be joined using a tinc 1.1 invitation URL. The node and its network interface configuration files are automatically created from the data received from the server. Key pairs are also generated and exchanged with the inviting server.

Generating an invitation

An invitation can be generated by using the tinc -n <netname> invite [nodename] command on the “server” side. An IP address and some routes can be added to the generated invitation file with the Ifconfig and Route parameters:

Name = client
Netname = vpn
ConnectTo = server
Ifconfig =
Route =
Name = server
Ed25519PublicKey = ...
Address = server.example.com

Joining using the invitation

The network can be joined from the configuration screen by selecting “Join network via invitation URL” and pasting the invitation URL into the input dialog that appears. This will write the node and network configuration files, as well as the generated keys, into the configuration directory displayed above on the same screen.

Quite Easily Done.

Migrating from other tinc Android apps

It is possible to migrate from other Android ports of tinc to Tinc App while keeping an existing tinc network configuration with some adjustments, provided that the underlying tinc daemon was operating in router mode using a tun device.

Restoring the system’s state

All other VPN applications must be stopped before using Tinc App, whether or not they are using the Android VPN API. It is recommended to disable any autostart option in those applications.

Some applications (such as Vilbrekin’s Tinc GUI) may have required altering system routing tables to operate correctly. Those tables must be restored to their original state before using Tinc App. This can be done simply by rebooting the device.

Copying and adapting configuration files and keys

A tinc network configuration directory can be imported into Tinc App by copying it to the application’s configuration directory (whose path is displayed on the configuration screen).

The tinc.conf file and the current host’s file in the hosts directory must be modified to take those platform specificities into account. In particular, a random unprivileged port may be set in the current host’s file as follows:

$ echo "Port = 1655" >> $confdir/$netname/hosts/$hostname

The network interface configuration for IP allocation, routes and DNS server definitions previously done in hook scripts (such as tinc-up) must be converted into parameters in a network interface definition file, named network.conf. Usable parameters are listed here. Commands from an example tinc-up file can be translated into network.conf parameters as follows:

$ ifconfig $INTERFACE
-> Address =

$ ip route add dev $INTERFACE
-> Route =

$ setprop net.eth0.dns1
-> DNSServer =
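
The mapping above can be applied mechanically to an existing tinc-up script. The following shell function is an added example, not part of Tinc App or of the original guide; the sample script and its addresses are constructed, and appending a CIDR prefix to Address when a netmask is given is an assumption. Lines outside the three-command mapping (firewall rules, for instance) are flagged for manual review rather than dropped.

```shell
# Added example, not part of Tinc App. Reads a tinc-up script on stdin and
# writes the matching network.conf parameters to stdout.
tincup_to_netconf() {
  awk '
    # Dotted netmask -> prefix length, e.g. 255.255.255.0 -> 24.
    function prefixlen(mask,    o, n, i, bits) {
      n = split(mask, o, "."); bits = 0
      for (i = 1; i <= n; i++)
        while (o[i] > 0) { bits += o[i] % 2; o[i] = int(o[i] / 2) }
      return bits
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    $1 == "ifconfig" && $2 == "$INTERFACE" && $3 != "" {
      addr = $3; plen = ""
      for (i = 4; i < NF; i++)
        if ($i == "netmask") plen = prefixlen($(i + 1))
      # Assumption: Address accepts CIDR notation.
      if (plen != "" && index(addr, "/") == 0) addr = addr "/" plen
      print "Address = " addr; next
    }
    $1 == "ip" && $2 == "route" && $3 == "add" && $4 != "" {
      print "Route = " $4; next
    }
    $1 == "setprop" && $2 ~ /^net\..*dns[0-9]+$/ && $3 != "" {
      print "DNSServer = " $3; next
    }
    # Anything else (firewall rules, sysctl calls, ...) has no parameter
    # in this mapping: flag it instead of dropping it silently.
    { print "# UNCONVERTED: " $0 }
  '
}

# Constructed sample tinc-up script (addresses are made up).
sample_tincup() {
  cat <<'EOF'
#!/bin/sh
ifconfig $INTERFACE 10.0.0.11 netmask 255.255.255.0
ip route add 10.0.0.0/24 dev $INTERFACE
setprop net.eth0.dns1 10.0.0.1
iptables -A INPUT -i $INTERFACE -p tcp --dport 22 -j ACCEPT
EOF
}

sample_tincup | tincup_to_netconf
```

The function's output can be appended to $confdir/$netname/network.conf once every line marked UNCONVERTED has been reviewed and removed.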

Quite Easily Done.

Automating VPN connections

Automatically start VPN on boot

The VPN can be started automatically on device boot using the always-on VPN feature available on Android Nougat and newer.

This option can be enabled through the system settings, under the “Network & Internet” / “VPN” categories. A tinc network can then be selected in Tinc App. The chosen one will remain active across device restarts until the user disconnects from it through the application’s user interface.

Through third-party apps using Intents

Connections can also be managed from automation and scripting Android applications (such as LlamaLab Automate, Tasker or Locale) by using Intents to start or terminate VPN connections based on time, location, or network availability for example.

A connection can be initiated by starting an Activity using an Intent with the following command, replacing $netname and optionally $passphrase with arbitrary values:

$ am start --user 0 --activity-exclude-from-recents \
  -a "org.pacien.tincapp.intent.action.CONNECT" \
  -d "tinc:$netname#$passphrase"

Similarly, a currently active connection can be terminated by starting an Activity with the following command:

$ am start --user 0 --activity-exclude-from-recents \
  -a "org.pacien.tincapp.intent.action.DISCONNECT"

Quite Easily Done.