Most of the code ist stolen from: http://wiki.ubuntuusers.de/Tinc

Make sure that you replace:
 * <gateway-node> -> name of the gateway node in tinc
 * <tinc-internal-ip-of-gateway>
 * <eth0-or-ens3>

# Client

    curl tinc.krebsco.de | sh
    # edit /etc/tinc/retiolum/tinc.conf to use only the nodes you would like to
    # connect to
    cd /etc/tinc/retiolum/hosts
    cat > <gateway-node>-up <<EOF 
    #!/bin/sh
    VPN_GATEWAY=<tinc-internal-ip-of-gateway>
    ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`

    ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY
    ip route add $VPN_GATEWAY dev $INTERFACE
    ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
    ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
    EOF
    cat > <gateway-node>-down <<EOF
    #!/bin/sh
    ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
    ip route del $REMOTEADDRESS $ORIGINAL_GATEWAY
    ip route del $VPN_GATEWAY dev $INTERFACE
    ip route del 0.0.0.0/1 dev $INTERFACE
    ip route del 128.0.0.0/1 dev $INTERFACE
    EOF
    systemctl restart tincd@retiolum


# Server
Server is <gateway-node>

    # add the key to painload
    make -C //retiolum update
    # allow ip masquerading
    #   persist this:
    iptables -t nat -A POSTROUTING -o <eth0-or-ens3> -s 10.243.0.0/16 -j MASQUERADE
    echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/11-ipforward.conf
    sysctl -p
    # add to your /etc/tinc/retiolum/hosts/<gateway-node> :
    Subnet = 0.0.0.0/0
    systemctl restart tincd@retiolum