diff --git a/README.md b/README.md
index 05ad300..17aebe6 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,13 @@ class { 'ff_gw':
 dhcprange_start => '10.112.30.2',
 dhcprange_end => '10.112.31.254',
+ # only for inter-city VPN hosts
+ gw_do_ic_peering => true,
+ tinc_name => 'hamburg01',
+ tinc_keyfile => '/etc/tinc/rsa_key.priv',
+ ic_vpn_ip4 => '10.207.X.Y',
+ ic_vpn_ip6 => 'fec0::a:cf:X:Y',
+ # secret credentials for fastd and vpn
 secret_key => '...',
 vpn_ca_crt => '-----BEGIN CERTIFICATE-----
diff --git a/manifests/init.pp b/manifests/init.pp
index 7e86325..29fb934 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,4 +1,4 @@
-class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false) {
+class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false, $tinc_name, $tinc_keyfile, $ic_vpn_ip4, $ic_vpn_ip6) {
 class { 'ff_gw::software': }
 ->
 class { 'ff_gw::fastd':
@@ -19,8 +19,8 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secre
 }
 ->
 class { 'ff_gw::vpn':
- usr_crt => $vpn_usr_crt,
- usr_key => $vpn_usr_key,
+ usr_crt => $vpn_usr_crt,
+ usr_key => $vpn_usr_key,
 ca_crt => $vpn_ca_crt,
 }
 ->
@@ -36,6 +36,15 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secre
 own_ipv6 => $gw_ipv6,
 gw_do_ic_peering => $gw_do_ic_peering,
 }
+
+ if $gw_do_ic_peering {
+ class { 'ff_gw::tinc':
+ tinc_name => $tinc_name,
+ tinc_keyfile => $tinc_keyfile,
+ ic_vpn_ip4 => $ic_vpn_ip4,
+ ic_vpn_ip4 => $ic_vpn_ip6
+ }
+ }
 }
 class ff_gw::software {
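Review bot: The four parameters appended to the `ff_gw` signature, `$tinc_name, $tinc_keyfile, $ic_vpn_ip4, $ic_vpn_ip6`, carry no default, so every existing `class { 'ff_gw': ... }` declaration now fails with "Must pass ..." even when `gw_do_ic_peering` keeps its default of `false` and the values are never used; the README hunk in this same commit labels them "only for inter-city VPN hosts". Give them defaults so non-peering gateways keep compiling, e.g. `$tinc_name = undef, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4 = undef, $ic_vpn_ip6 = undef` (the keyfile default mirrors the one `ff_gw::tinc` already declares), and `fail()` inside the `if $gw_do_ic_peering` branch if any of them is still undef. Listing required parameters after the optional `$gw_do_ic_peering = false` is also something puppet-lint's parameter-order check flags. The class body continues past this hunk.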
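Review bot: The `ff_gw::tinc` declaration inside the new `if $gw_do_ic_peering` block names `ic_vpn_ip4` twice and never sets `ic_vpn_ip6`: its last attribute line is `ic_vpn_ip4 => $ic_vpn_ip6`. Puppet rejects the duplicate parameter at compile time, and once that is removed the `$ic_vpn_ip6` parameter that `ff_gw::tinc` requires would still be unset, so the line should read `ic_vpn_ip6 => $ic_vpn_ip6,` (trailing comma to match the lines above it). Since this value ends up in the `tinc-up` script that configures the interface address, the mismatch is worth a quick review of the other three attribute names as well. The enclosing class `ff_gw` begins in an earlier hunk; this hunk ends at its closing brace.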
@@ -69,6 +78,7 @@ class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key) {
 content => template('ff_gw/etc/fastd/ffhh-mesh-vpn/fastd.conf.erb');
 '/etc/fastd/ffhh-mesh-vpn/secret.conf':
 ensure => file,
+ mode => '0600',
 content => inline_template('secret "<%= @secret_key %>";');
 '/root/bin':
 ensure => directory;
@@ -462,3 +472,45 @@ class ff_gw::bird($ff_net, $ff_mesh_net, $ff_as, $own_ipv4, $own_ipv6, $gw_do_ic
 require => Service['openvpn'],
 }
 }
+
+class ff_gw::tinc($tinc_name, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4, $ic_vpn_ip6, $version = 'present') {
+ package {
+ 'tinc':
+ ensure => $version,
+ }
+ ->
+ vcsrepo { '/etc/tinc/icvpn':
+ ensure => present,
+ provider => git,
+ source => 'https://github.com/freifunk/icvpn',
+ }
+ ->
+ file {
+ '/etc/tinc/icvpn/tinc.conf':
+ ensure => file,
+ content => template('ff_gw/etc/tinc/icvpn/tinc.conf.erb');
+ '/etc/tinc/icvpn/tinc-up':
+ ensure => file,
+ mode => '0755';
+ content => inline_template('#!/bin/sh
/sbin/ip link set dev $INTERFACE up
/sbin/ip addr add dev $INTERFACE <%= @ic_vpn_ip4 %>/16 broadcast 10.207.255.255
/sbin/ip -6 addr add dev $INTERFACE <%= @ic_vpn_ip6 %>/96 preferred_lft 0
');
+ '/etc/tinc/icvpn/tinc-down':
+ ensure => file,
+ mode => '0755';
+ content => inline_template('#!/bin/sh
/sbin/ip addr del dev $INTERFACE <%= @ic_vpn_ip4 %>/16 broadcast 10.207.255.255
/sbin/ip -6 addr del dev $INTERFACE <%= @ic_vpn_ip6 %>/96
/sbin/ip link set dev $INTERFACE down
');
+ }
+ ~>
+ service {
+ 'tinc':
+ ensure => running,
+ enable => true,
+ require => Service['openvpn'],
+ }
+}
diff --git a/templates/etc/tinc/icvpn/tinc.conf.erb b/templates/etc/tinc/icvpn/tinc.conf.erb
new file mode 100644
index 0000000..6bc8c52
--- /dev/null
+++ b/templates/etc/tinc/icvpn/tinc.conf.erb
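Review bot: In the new `ff_gw::tinc` class, the `tinc-up` and `tinc-down` entries of the `file` resource terminate their mode attribute with a semicolon, `mode => '0755';`, and then continue with `content => inline_template(...)`; the semicolon closes that resource's body, so the following `content` line is a syntax error and the catalog will not compile once `gw_do_ic_peering` is true. Both occurrences should read `mode => '0755',`. Separately, the class points tinc at `$tinc_keyfile` (default `/etc/tinc/rsa_key.priv`) but never manages that file, so unlike the `0600` this commit sets on fastd's `secret.conf` a world-readable private key copied in by hand would go unnoticed; a `file { $tinc_keyfile: mode => '0600' }` resource that does not create an empty key (omit `ensure`), or at least a comment stating the key is provisioned out of band, would close that gap. The `vcsrepo` type also comes from the puppetlabs-vcsrepo module, which this diff does not show as a declared dependency — confirm it is listed in the module metadata.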
@@ -0,0 +1,48 @@
+Name = <%= @tinc_name %>
+PrivateKeyFile = <%= @tinc_keyfile %>
+Mode = Switch
+PingTimeout = 30
+Port = 656
+Hostnames = yes
+
+ConnectTo = augsburg1
+ConnectTo = augsburg2
+ConnectTo = bayreuth1
+ConnectTo = berlin1
+ConnectTo = bielefeld1
+ConnectTo = bielefeld2
+ConnectTo = bremen2
+ConnectTo = chemnitz1
+ConnectTo = diac24_sbc
+ConnectTo = diac24_sbz
+ConnectTo = dresden1
+ConnectTo = ffhallevpn1
+ConnectTo = franken1
+ConnectTo = franken2
+ConnectTo = franken3
+ConnectTo = franken_ro1
+ConnectTo = Frankfurt1
+ConnectTo = freiburg1
+ConnectTo = gronau1
+ConnectTo = gronau2
+ConnectTo = halle1
+ConnectTo = halle2
+ConnectTo = jena1
+ConnectTo = jena2
+ConnectTo = kiel1
+ConnectTo = kiel13
+ConnectTo = kiel3
+ConnectTo = kiel4
+ConnectTo = koeln1
+ConnectTo = leipzig1
+ConnectTo = leipzig2
+ConnectTo = ljubljana1
+ConnectTo = luebeck1
+ConnectTo = luebeck2
+ConnectTo = mainz1
+ConnectTo = nrw2
+ConnectTo = oldenburg1
+ConnectTo = weimar1
+ConnectTo = weimar2
+ConnectTo = wermelskirchen1
+
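Review bot: The forty `ConnectTo` lines are a hand-maintained snapshot of the inter-city peers, while tinc resolves each name to a host file under the network directory — here the `/etc/tinc/icvpn` checkout that `ff_gw::tinc` clones — so peers added or renamed upstream are presumably never connected to, and a name without a matching host file is left to tinc to complain about at startup. A header comment in the template would at least record that coupling, e.g. `# ConnectTo list mirrors hosts/ in the freifunk/icvpn checkout as of <DATE>; refresh when peers change`; deriving the lines from the checkout would remove it. `Frankfurt1` is the only capitalised entry and host file lookups are case-sensitive, so confirm it matches the file name in the repository.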