Port 655: Tinc — The mesh VPN that routes around damage

Port 655 is officially assigned to tinc, a Virtual Private Network (VPN) daemon that creates encrypted mesh networks between hosts across the Internet.¹²

What Tinc Does

Tinc builds mesh VPNs. Unlike traditional VPNs that use a hub-and-spoke model—where every connection goes through a central server—tinc creates peer-to-peer networks where every node can communicate directly with every other node.³

When you connect three machines with tinc, they form a triangle. Each machine knows about the others and can route traffic directly. If one connection fails, traffic automatically flows through the remaining paths. The network adapts.⁴

This makes tinc particularly useful for:

• Connecting multiple sites without a central bottleneck
• Building resilient networks that survive individual link failures
• Creating private networks between mobile devices with changing IP addresses
• Linking together machines across different network topologies into a single virtual LAN

How It Works

Tinc uses tunneling and encryption to create secure connections. By default, it listens on port 655 for both TCP and UDP traffic.⁵ The protocol handles:

• Peer discovery — Nodes learn about each other and establish direct connections
• Automatic routing — Traffic finds the best path through the mesh
• Encryption — All traffic is encrypted between nodes
• NAT traversal — Connections work even when nodes are behind firewalls

When a node's network conditions change—new IP address, connection drops, network switch—tinc adapts without manual reconfiguration.

The Name

Tinc stands for "There Is No Cabal"—a reference to the alleged secret organization rumored to monitor the entire Internet.⁶ Since a VPN exists specifically to prevent that kind of surveillance, naming the project after the denial of the Cabal's existence is darkly appropriate.

Port 655 and Privilege

Port 655 sits in the well-known port range (0-1023), which means only privileged users (root on Unix-like systems) can bind to it.¹ This is a historical security feature—preventing regular users from running services on standard ports.

For tinc, this privilege requirement became more of an inconvenience than a protection. You can configure tinc to run on any port.⁷ Many deployments use higher-numbered ports to avoid requiring root privileges.

Security Considerations

Tinc requires careful key management. Each node has a public/private key pair, and nodes must exchange public keys to establish trust. If an attacker obtains a node's private key, they can impersonate that node in the mesh.

The mesh topology means every node is a potential entry point. Secure one node poorly, and an attacker can potentially access the entire virtual network.

Firewall rules matter. If you're exposing port 655 to the Internet, ensure only authorized nodes can connect. Consider using higher ports or non-standard ports to reduce automated scanning exposure.

Checking What's on Port 655

On Linux or macOS:

sudo lsof -i :655

On Windows:

netstat -ano | findstr :655

If nothing returns, no service is listening on port 655.

Related Ports

• Port 1194 — OpenVPN's default port, another VPN protocol but with hub-and-spoke topology
• Port 51820 — WireGuard, a modern VPN protocol focused on simplicity
• Port 500 — IKE (Internet Key Exchange), used by IPsec VPNs