tinc/doc/tinc.conf.5

.TH TINC 5 "May 2000" "tinc version 1.0" "FSF"
.SH NAME
tincd.conf \- tinc daemon configuration
.SH "DESCRIPTION"
The files in the \fI/etc/tinc\fR directory contain runtime and
security information for the \fBtinc\fR(8) daemon.
.PP
.SH "NETWORKS"
It is perfectly ok for you to run more than one tinc daemon. However,
in its default form, you will soon notice that you can't use two
different configuration files without the \fI-c\fR option.

We have thought of another way of dealing with this: network
names. This means that you call \fBtincd\fR with the \fI-n\fR argument,
which will assign a name to this daemon.

The effect of this is that the daemon will set its configuration
``root'' to \fI/etc/tinc/\fBnn\fI/\fR, where \fBnn\fR is your argument
to the \fI-n\fR option. You'll notice that it appears in syslog as
``tincd.\fBnn\fR''.

However, it is not strictly necessary that you call tinc with the -n
option. In this case, the network name would just be empty, and it
will be used as such. tinc now looks for files in \fI/etc/tinc/\fR,
instead of \fI/etc/tinc/\fBnn\fI/\fR; the configuration file should be
\fI/etc/tinc/tincd.conf\fR, and the passphrases are now expected to be
in \fI/etc/tinc/passphrases/\fR.

But it is highly recommended that you use this feature of tinc,
because it will be so much clearer whom your daemon talks to. Hence,
we will assume that you use it.
.PP
.SH "PASSPHRASES"
You should use the \fBgenauth\fR(8) program to generate passphrases.
with, it accepts a single parameter, which is the number of bits the
passphrase should be. Its output should be stored in
\fI/etc/tinc/\fBnn\fI/passphrases/local\fR \-\- where \fBnn\fR stands
for the network (See under \fBNETWORKS\fR) above.

Please see the manpage for \fBgenauth\fR to learn more about setting
up an authentication scheme.
.PP
.SH "CONFIGURATION"
The actual configuration of the daemon is done in the file
\fI/etc/tinc/\fBnn\fI/tincd.conf\fR.

This file consists of comments (lines started with a \fB#\fR) or
assignments in the form of
.PP
.Vb 1
\&    \fIVariable \fB= \fIValue\fR.
.Ve
.PP
The variable names are case insensitive, and any spaces, tabs,
newlines and carriage returns are ignored. \fINote\fR: it is not
required that you put in the \fB=\fR sign, but doing so improves
readability. If you leave it out, remember to replace it with at least
one space character.
.PP
.SH "VARIABLES"
.PP
Here are all valid variables, listed in alphabetical order. The default
value, required or optional is given between parentheses.
.TP
\fBConnectPort\fR = <\fIport\fR> (655)
Connect to the upstream host (given with the \fBConnectTo\fR directive) on
port \fIport\fR. port may be given in decimal (default), octal (when preceded
by a single zero) or hexadecimal (prefixed with 0x). \fIport\fR is the port
number for both the UDP and the TCP (meta) connections.
.TP
\fBConnectTo\fR = <\fIIP address|hostname\fR> (optional)
Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables
may be specified, if connecting to the first one fails then tinc will try
the next one, and so on. It is possible to specify hostnames for dynamic IP
addresses (like those given on dyndns.org), tinc will not cache the resolved
IP address.

If you don't specify a host with \fBConnectTo\fR, regardless of whether a
value for \fBConnectPort\fR is given, tinc won't connect at all, and will
instead just listen for incoming connections.
.TP
\fBHostnames\fR = <\fIyes|no\fR> (no)
This option selects whether IP addresses (both real and on the VPN) should
be resolved. Since DNS lookups are blocking, it might affect tinc's
efficiency, even stopping the daemon for a few seconds everytime it does
a lookup if your DNS server is not responding.

This does not affect resolving hostnames to IP addresses from the configuration
file.
.TP
\fBIndirectData\fR = <\fIyes|no\fR> (no)
This option specifies whether other tinc daemons besides the one you
specified with \fBConnectTo\fR can make a direct connection to you. This is
especially useful if you are behind a firewall and it is impossible
to make a connection from the outside to your tinc daemon. Otherwise,
it is best to leave this option out or set it to no.
.TP
\fBInterface\fR = <\fIdevice\fR> (optional)
If you have more than one network interface in your computer, tinc will by
default listen on all of them for incoming connections. It is possible to
bind tinc to a single interface like eth0 or ppp0 with this variable.
.TP
\fBInterfaceIP\fR = <\fIlocal address\fR> (optional)
If your computer has more than one IP address on a single interface (for example
if you are running virtual hosts), tinc will by default listen on all of them for
incoming connections. It is possible to bind tinc to a single IP address with
this variable. It is still possible to listen on several interfaces at the same
time though, if they share the same IP address.
.TP
\fBKeyExpire\fR = <\fIseconds\fR> (3600)
This option controls the time the encryption keys used to encrypt the data
are valid. It is common practice to change keys at regular intervals to
make it even harder for crackers, even though it is thought to be nearly
impossible to crack a single key.
.TP
\fBListenPort\fR = <\fIport\fR> (655)
Listen on local port \fIport\fR. The computer connecting to this daemon should
use this number as the argument for his \fBConnectPort\fR.
.TP
\fBMyOwnVPNIP\fR = <\fIlocal address[/maskbits]\fR> (required)
The \fIlocal address\fR is the number that the daemon will propagate to
other daemons on the network when it is identifying itself. Hence this
will be the file name of the passphrase file that the other end expects
to find the passphrase in.

The local address is the IP address of the tap device, not the real IP
address of the host running tincd. Due to changes in recent kernels, it
is also necessary that you make the ethernet (also known as MAC) address
equal to the IP address (see the example).

\fImaskbits\fR is the number of bits set to 1 in the netmask part.
.TP
\fBMyVirtualIP\fR = <\fIlocal address[/maskbits]>
This is an alias for \fBMyOwnVPNIP\fR.
.TP
\fBPassphrases\fR = <\fIdirectory\fR> (/etc/tinc/NETNAME/passphrases)
The directory where tinc will look for passphrases when someone tries to
connect. Please see the manpage for genauth(8) for more information
about passphrases as used by tinc.
.TP
\fBPingTimeout\fR = <\fIseconds\fR> (5)
The number of seconds of inactivity that tinc will wait before sending a
probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
.TP
\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
The ethertap device to use. Note that you can only use one device per
daemon. The info pages of the tinc package contain more information
about configuring an ethertap device for Linux.
.TP
\fBTCPonly\fR = <\fIyes|no\fR> (no, experimental)
If this variable is set to yes, then the packets are tunnelled over a TCP
connection instead of a UDP connection. This is especially useful for those
who want to run a tinc daemon from behind a masquerading firewall, or if
UDP packet routing is disabled somehow. This is experimental code,
try this at your own risk.
.TP
\fBVpnMask\fR = <\fImask\fR> (optional)
The mask that defines the scope of the entire VPN. This option is not used
by the tinc daemon itself, but can be used by startup scripts to configure
the ethertap devices correctly.
.PP
.SH "FILES"
.TP
\fI/etc/tinc/\fR
The top directory for configuration files.
.TP
\fI/etc/tinc/\fBnn\fI/tincd.conf\fR
The default name of the configuration file for net
\fBnn\fR.
.TP
\fI/etc/tinc/\fBnn\fI/passphrases/\fR
Passphrases are kept in this directory. (See the section
\fBPASSPHRASES\fR above).
.PP
.SH "SEE ALSO"
\fBtincd\fR(8), \fBgenauth\fR(8)
.TP
\fBhttp://tinc.nl.linux.org/\fR
.PP
The full documentation for
.B tinc
is maintained as a Texinfo manual.  If the
.B info
and
.B tinc
programs are properly installed at your site, the command
.IP
.B info tinc
.PP
should give you access to the complete manual.
.PP
tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,
and you are welcome to redistribute it under certain conditions;
see the file COPYING for details.