2000-03-26 00:33:07 +00:00
|
|
|
\input texinfo @c -*-texinfo-*-
|
2000-10-14 22:22:06 +00:00
|
|
|
@c $Id: tinc.texi,v 1.8.4.5 2000/10/14 22:22:06 zarq Exp $
|
2000-03-26 00:33:07 +00:00
|
|
|
@c %**start of header
|
|
|
|
@setfilename tinc.info
|
|
|
|
@settitle tinc Manual
|
|
|
|
@setchapternewpage odd
|
|
|
|
@c %**end of header
|
|
|
|
|
|
|
|
@ifinfo
|
2000-04-26 22:42:15 +00:00
|
|
|
@direntry
|
|
|
|
* tinc: (tinc). The tinc Manual.
|
|
|
|
@end direntry
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
This is the info manual for tinc, a Virtual Private Network daemon.
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
Copyright @copyright{} 1998,199,2000 Ivo Timmermans
|
|
|
|
<itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
|
|
|
|
Wessel Dankers <wsl@@nl.linux.org>.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-10-14 22:22:06 +00:00
|
|
|
$Id: tinc.texi,v 1.8.4.5 2000/10/14 22:22:06 zarq Exp $
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
Permission is granted to make and distribute verbatim copies of this
|
|
|
|
manual provided the copyright notice and this permission notice are
|
|
|
|
preserved on all copies.
|
|
|
|
|
|
|
|
Permission is granted to copy and distribute modified versions of this
|
|
|
|
manual under the conditions for verbatim copying, provided that the
|
|
|
|
entire resulting derived work is distributed under the terms of a
|
|
|
|
permission notice identical to this one.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@end ifinfo
|
|
|
|
|
|
|
|
@titlepage
|
|
|
|
@title tinc Manual
|
|
|
|
@subtitle Setting up a Virtual Private Network with tinc
|
2000-09-27 20:32:29 +00:00
|
|
|
@author Ivo Timmermans and Guus Sliepen
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@page
|
|
|
|
@vskip 0pt plus 1filll
|
2000-09-27 20:32:29 +00:00
|
|
|
@cindex copyright
|
|
|
|
Copyright @copyright{} 1998,1999,2000 Ivo Timmermans
|
|
|
|
<itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
|
|
|
|
Wessel Dankers <wsl@@nl.linux.org>.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-10-14 22:22:06 +00:00
|
|
|
$Id: tinc.texi,v 1.8.4.5 2000/10/14 22:22:06 zarq Exp $
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
Permission is granted to make and distribute verbatim copies of this
|
|
|
|
manual provided the copyright notice and this permission notice are
|
|
|
|
preserved on all copies.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
Permission is granted to copy and distribute modified versions of this
|
|
|
|
manual under the conditions for verbatim copying, provided that the
|
|
|
|
entire resulting derived work is distributed under the terms of a
|
|
|
|
permission notice identical to this one.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@end titlepage
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Top, Introduction, (dir), (dir)
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Introduction:: Introduction
|
2000-09-27 20:32:29 +00:00
|
|
|
* Installing tinc - preparations::
|
|
|
|
* Installing tinc - installation::
|
2000-03-26 00:33:07 +00:00
|
|
|
* Configuring tinc::
|
|
|
|
* Running tinc::
|
|
|
|
* Technical information::
|
|
|
|
* About us::
|
|
|
|
* Concept Index:: All used terms explained
|
|
|
|
@end menu
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
|
|
|
|
@contents
|
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
@c ==================================================================
|
2000-09-27 20:32:29 +00:00
|
|
|
@node Introduction, Installing tinc - preparations, Top, Top
|
2000-03-26 00:33:07 +00:00
|
|
|
@chapter Introduction
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@cindex tinc
|
2000-03-26 00:33:07 +00:00
|
|
|
tinc is a Virtual Private Network (VPN) daemon that uses tunneling and
|
|
|
|
encryption to create a secure private network between hosts on the
|
|
|
|
Internet.
|
|
|
|
|
|
|
|
Because the tunnel appears to the IP level network code as a normal
|
|
|
|
network device, there is no need to adapt any existing software.
|
|
|
|
|
2000-04-25 01:45:34 +00:00
|
|
|
This tunneling allows VPN sites to share information with each other
|
2000-03-26 00:33:07 +00:00
|
|
|
over the Internet without exposing any information to others.
|
|
|
|
|
|
|
|
This document is the manual for tinc. Included are chapters on how to
|
|
|
|
configure your computer to use tinc, as well as the configuration
|
|
|
|
process of tinc itself.
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* VPNs:: Virtual Private Networks in general
|
|
|
|
* tinc:: about tinc
|
2000-09-27 20:32:29 +00:00
|
|
|
* Supported platforms::
|
2000-03-26 00:33:07 +00:00
|
|
|
@end menu
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node VPNs, tinc, Introduction, Introduction
|
|
|
|
@section Virtual Private Networks
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@cindex VPN
|
2000-03-26 00:33:07 +00:00
|
|
|
A Virtual Private Network or VPN is a network that can only be accessed
|
|
|
|
by a few elected computers that participate. This goal is achievable in
|
|
|
|
more than just one way.
|
|
|
|
|
|
|
|
@cindex private
|
2000-05-27 13:21:20 +00:00
|
|
|
Private networks can consist of a single stand-alone ethernet LAN. Or
|
|
|
|
even two computers hooked up using a null-modem cable. In these cases,
|
|
|
|
it is
|
2000-08-18 14:45:38 +00:00
|
|
|
obvious that the network is @emph{private}, no one can access it from the
|
2000-05-27 13:21:20 +00:00
|
|
|
outside. But if your computers are linked to the internet, the network
|
|
|
|
is not private anymore, unless one uses firewalls to block all private
|
|
|
|
traffic. But then, there is no way to send private data to trusted
|
|
|
|
computers on the other end of the internet.
|
|
|
|
|
|
|
|
@cindex virtual
|
|
|
|
This problem can be solved by using @emph{virtual} networks. Virtual
|
|
|
|
networks can live on top of other networks, but do not interfere with
|
|
|
|
each other. Mostly, virtual networks appear like a singe LAN, even though
|
|
|
|
they can span the entire world. But virtual networks can't be secured
|
|
|
|
by using firewalls, because the traffic that flows through it has to go
|
|
|
|
through the internet, where other people can look at it.
|
|
|
|
|
|
|
|
When one introduces encryption, we can form a true VPN. Other people may
|
|
|
|
see encrypted traffic, but if they don't know how to decipher it (they
|
|
|
|
need to know the key for that), they cannot read the information that flows
|
|
|
|
through the VPN. This is what tinc was made for.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@cindex virtual
|
|
|
|
tinc uses normal IP datagrams to encapsulate data that goes over the VPN
|
|
|
|
network link. In this case it's also clear that the network is
|
|
|
|
@emph{virtual}, because no direct network link has to exist between to
|
|
|
|
participants.
|
|
|
|
|
|
|
|
As is the case with either type of VPN, anybody could eavesdrop. Or
|
|
|
|
worse, alter data. Hence it's probably advisable to encrypt the data
|
|
|
|
that flows over the network.
|
|
|
|
|
2000-04-25 01:45:34 +00:00
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
@c ==================================================================
|
2000-09-27 20:32:29 +00:00
|
|
|
@node tinc, Supported platforms, VPNs, Introduction
|
2000-03-26 00:33:07 +00:00
|
|
|
@section tinc
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@cindex vpnd
|
|
|
|
@cindex ethertap
|
2000-03-26 00:33:07 +00:00
|
|
|
I really don't quite remember what got us started, but it must have been
|
|
|
|
Guus' idea. He wrote a simple implementation (about 50 lines of C) that
|
2000-04-25 01:45:34 +00:00
|
|
|
used the @emph{ethertap} device that Linux knows of since somewhere
|
2000-03-26 00:33:07 +00:00
|
|
|
about kernel 2.1.60. It didn't work immediately and he improved it a
|
|
|
|
bit. At this stage, the project was still simply called @samp{vpnd}.
|
|
|
|
|
|
|
|
Since then, a lot has changed---to say the least.
|
|
|
|
|
|
|
|
@cindex tincd
|
|
|
|
tinc now supports encryption, it consists of a single daemon (tincd) for
|
2000-04-25 01:45:34 +00:00
|
|
|
both the receiving and sending end, it has become largely
|
2000-03-26 00:33:07 +00:00
|
|
|
runtime-configurable---in short, it has become a full-fledged
|
|
|
|
professional package.
|
|
|
|
|
|
|
|
A lot can---and will be---changed. I have a few things that I'd like to
|
|
|
|
see in the future releases of tinc. Not everything will be available in
|
|
|
|
the near future. Our first objective is to make tinc work perfectly as
|
|
|
|
it stands, and then add more advanced features.
|
|
|
|
|
|
|
|
Meanwhile, we're always open-minded towards new ideas. And we're
|
|
|
|
available too.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
2000-09-27 20:32:29 +00:00
|
|
|
@node Supported platforms, , tinc, Introduction
|
|
|
|
@section Supported platforms
|
|
|
|
|
|
|
|
tinc works on Linux, FreeBSD and Solaris. These are the three platforms
|
|
|
|
that are supported by the universial TUN/TAP device driver, so if
|
|
|
|
support for other operating systems is added to this driver, perhaps
|
|
|
|
tinc will run on them as well. Without this driver, tinc will most
|
|
|
|
likely compile and run, but it will not be able to send or receive data
|
|
|
|
packets.
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@subsection Linux
|
|
|
|
|
|
|
|
tinc was first written for Linux running on an intel x86 processor, so
|
|
|
|
this is the best supported platform. The protocol however, and actually
|
|
|
|
anything about tinc, has been rewritten to support random byte ordering
|
|
|
|
and arbitrary word length. So in theory it should run on other
|
|
|
|
processors that Linux runs on. Take care however, we haven't been able
|
|
|
|
to really test it yet. If you want to run tinc on another platform than
|
|
|
|
x86, and want to tell us how it went, please do so.
|
|
|
|
|
|
|
|
tinc uses the ethertap device that is provided in the standard kernel
|
|
|
|
since version 2.1.60, so anything above that (2.2.x, 2.3.x, and the
|
|
|
|
2.4.0-testx (which is current at the time of this writing) kernel
|
|
|
|
versions) is able to support tinc.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@subsection FreeBSD
|
|
|
|
|
|
|
|
tinc on FreeBSD relies on the universial TUN/TAP driver for its data
|
|
|
|
acquisition from the kernel. Therefore, tinc suports the same platforms
|
|
|
|
as this driver. These are: FreeBSD 3.x, 4.x, 5.x.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@subsection Solaris
|
|
|
|
|
|
|
|
tinc on Solaris relies on the universial TUN/TAP driver for its data
|
|
|
|
acquisition from the kernel. Therefore, tinc suports the same platforms
|
|
|
|
as this driver. These are: Solaris, 2.1.x.
|
|
|
|
|
|
|
|
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c Preparing your system
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Installing tinc - preparations, Installing tinc - installation, Introduction, Top
|
|
|
|
@chapter Installing tinc: preparations
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
This chapter contains information on how to prepare your system to
|
|
|
|
support tinc.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@menu
|
|
|
|
* Configuring the kernel::
|
2000-09-27 20:32:29 +00:00
|
|
|
* Libraries::
|
2000-03-26 00:33:07 +00:00
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
2000-09-27 20:32:29 +00:00
|
|
|
@node Configuring the kernel, Libraries, Installing tinc - preparations, Installing tinc - preparations
|
2000-03-26 00:33:07 +00:00
|
|
|
@section Configuring the kernel
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
If you are running Linux, chances are good that your kernel already
|
|
|
|
supports all the devices that tinc needs for proper operation. For
|
|
|
|
example, the standard kernel from Redhat Linux already has support for
|
|
|
|
ethertap and netlink compiled in. Debian users can use the modconf
|
|
|
|
utility to select the modules. If your Linux distribution supports this
|
|
|
|
method of selecting devices, look out for something called `ethertap',
|
|
|
|
and `netlink_dev'. You need both these devices.
|
|
|
|
|
|
|
|
If you can install these devices in a similar manner, you may skip this
|
|
|
|
section.
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Configuration of the Linux kernel::
|
|
|
|
* Configuration of the FreeBSD kernel::
|
|
|
|
* Configuration of the Solaris kernel::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Configuration of the Linux kernel, Configuration of the FreeBSD kernel, Configuring the kernel, Configuring the kernel
|
|
|
|
@subsection Configuring the Linux kernel
|
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
Since this particular implementation only runs on 2.1 or higher Linux
|
|
|
|
kernels, you should grab one (2.2 is current at this time). A 2.0 port
|
|
|
|
is not really possible, unless someone tells me someone ported the
|
|
|
|
ethertap and netlink devices back to 2.0.
|
|
|
|
|
|
|
|
If you are unfamiliar with the process of configuring and compiling a
|
|
|
|
new kernel, you should read the
|
|
|
|
@uref{http://howto.linuxberg.com/LDP/HOWTO/Kernel-HOWTO.html, Kernel
|
|
|
|
HOWTO} first. Do that now!
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
Here are the options you have to turn on when configuring a new
|
2000-03-26 00:33:07 +00:00
|
|
|
kernel.
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
For kernel 2.2.x:
|
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
@example
|
|
|
|
Code maturity level options
|
|
|
|
[*] Prompt for development and/or incomplete code/drivers
|
|
|
|
Networking options
|
|
|
|
[*] Kernel/User netlink socket
|
|
|
|
<*> Netlink device emulation
|
|
|
|
Network device support
|
|
|
|
<*> Ethertap network tap
|
|
|
|
@end example
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
For kernel 2.3.x and 2.4.x:
|
|
|
|
|
|
|
|
@example
|
|
|
|
Code maturity level options
|
|
|
|
[*] Prompt for development and/or incomplete code/drivers
|
|
|
|
Networking options
|
|
|
|
[*] Kernel/User netlink socket
|
|
|
|
<*> Netlink device emulation
|
|
|
|
Network device support
|
|
|
|
<*> Universal TUN/TAP device driver support
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
Any other options not mentioned here are not relevant to tinc. If you
|
|
|
|
decide to build any of these as dynamic kernel modules, it's a good idea
|
|
|
|
to add these lines to @file{/etc/modules.conf}.
|
|
|
|
|
|
|
|
@example
|
|
|
|
alias tap0 ethertap
|
|
|
|
alias char-major-36 netlink_dev
|
|
|
|
@end example
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
If you have a 2.4 kernel, you can also choose to use the `Ethertap
|
|
|
|
network tap' device. This is marked obsolete, because the universal
|
|
|
|
TUN/TAP driver is a newer implementation that is supposed to be used in
|
|
|
|
favor of ethertap. For tinc, it doesn't really matter which one you
|
|
|
|
choose; based on the device file name, tinc will make the right choice
|
|
|
|
about what protocol to use.
|
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
Finally, after having set up other options, build the kernel and boot
|
2000-09-27 20:32:29 +00:00
|
|
|
it. Unfortunately it's not possible to insert these modules in a
|
|
|
|
running kernel.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Configuration of the FreeBSD kernel, Configuration of the Solaris kernel, Configuration of the Linux kernel, Configuring the kernel
|
|
|
|
@subsection Configuring the FreeBSD kernel
|
|
|
|
|
|
|
|
This section will contain information on how to configure your FreeBSD
|
|
|
|
kernel to support the universal TUN/TAP device. For 5.0 and 4.1
|
|
|
|
systems, this is included in the kernel configuration, for earlier
|
|
|
|
systems (4.0 and 3.x), you need to install the universal TUN/TAP driver
|
|
|
|
yourself.
|
|
|
|
|
|
|
|
Unfortunately somebody still has to write the text.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Configuration of the Solaris kernel, , Configuration of the FreeBSD kernel, Configuring the kernel
|
|
|
|
@subsection Configuring the Solaris kernel
|
|
|
|
|
|
|
|
This section will contain information on how to configure your Solaris
|
|
|
|
kernel to support the universal TUN/TAP device. You need to install
|
|
|
|
this driver yourself.
|
|
|
|
|
|
|
|
Unfortunately somebody still has to write the text.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Libraries, , Configuring the kernel, Installing tinc - preparations
|
|
|
|
@section Libraries
|
|
|
|
|
|
|
|
@cindex requirements
|
2000-10-14 22:17:29 +00:00
|
|
|
Before you can configure or build tinc, you need to have the OpenSSL
|
|
|
|
library installed on your system. If you try to configure tinc without
|
|
|
|
having installed it, configure will give you an error message, and stop.
|
2000-09-27 20:32:29 +00:00
|
|
|
|
|
|
|
@menu
|
|
|
|
* OpenSSL::
|
|
|
|
@end menu
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
2000-10-14 22:17:29 +00:00
|
|
|
@node OpenSSL, , Libraries, Libraries
|
2000-09-27 20:32:29 +00:00
|
|
|
@subsection OpenSSL
|
|
|
|
|
|
|
|
@cindex OpenSSL
|
|
|
|
For all cryptography-related functions, tinc uses the functions provided
|
|
|
|
by the OpenSSL library. We recommend using version 0.9.5 or 0.9.6 of
|
|
|
|
this library. Other versions may also work, but we can guarantee
|
|
|
|
nothing.
|
|
|
|
|
2000-10-14 22:17:29 +00:00
|
|
|
If this library is not installed, you wil get an error when configuring
|
|
|
|
tinc for build. Support for running tinc without having OpenSSL
|
|
|
|
installed @emph{may} be added in the future.
|
|
|
|
|
|
|
|
You can use your operating system's package manager to install this if
|
|
|
|
available. Make sure you install the development AND runtime versions
|
|
|
|
of this package.
|
2000-09-27 20:32:29 +00:00
|
|
|
|
|
|
|
If you have to install OpenSSL manually, you can get the source code
|
|
|
|
from @url{http://www.openssl.org/}. Instructions on how to configure,
|
|
|
|
build and install this package are included within the package. Please
|
|
|
|
make sure you build development and runtime libraries (which is the
|
|
|
|
default).
|
|
|
|
|
|
|
|
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c Installing tinc
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Installing tinc - installation, Configuring tinc, Installing tinc - preparations, Top
|
|
|
|
@chapter Installing tinc: installation
|
|
|
|
|
|
|
|
If you use Redhat or Debian, you may want to install one of the
|
|
|
|
precompiled packages for your system. These packages are equipped with
|
|
|
|
system startup scripts and sample configurations.
|
|
|
|
|
|
|
|
If you don't run either of these systems, or you want to compile tinc
|
|
|
|
for yourself, you can use the source. The source is distributed under
|
|
|
|
the GNU General Public License (GPL). Download the source from the
|
|
|
|
@uref{http://tinc.nl.linux.org/download.html, download page}, which has
|
|
|
|
the checksums of these files listed; you may wish to check these with
|
|
|
|
md5sum before continuing.
|
|
|
|
|
|
|
|
tinc comes in a handy autoconf/automake package, which you can just
|
|
|
|
treat the same as any other package. Which is just untar it, type
|
|
|
|
`configure' and then `make'.
|
|
|
|
|
|
|
|
More detailed instructions are in the file @file{INSTALL}, which is
|
|
|
|
included in the source distribution.
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Building tinc::
|
|
|
|
* System files::
|
|
|
|
* Interfaces::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Building tinc, System files, Installing tinc - installation, Installing tinc - installation
|
|
|
|
@section Building tinc
|
|
|
|
|
|
|
|
Detailed instructions on configuring the source and building tinc can be
|
|
|
|
found in the file called @file{INSTALL}.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node System files, Interfaces, Building tinc, Installing tinc - installation
|
|
|
|
@section System files
|
|
|
|
|
|
|
|
Before you can run tinc, you
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Device files::
|
|
|
|
* Other files::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Device files, Other files, System files, System files
|
|
|
|
@subsection Device files
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
First, you'll need the special device file(s) that form the interface
|
2000-09-27 20:32:29 +00:00
|
|
|
between the kernel and the daemon.
|
|
|
|
|
|
|
|
The permissions for these files have to be such that only the super user
|
|
|
|
may read/write to this file. You'd want this, because otherwise
|
|
|
|
eavesdropping would become a bit too easy. This does, however, imply
|
|
|
|
that you'd have to run tincd as root.
|
|
|
|
|
|
|
|
If you use the universal TUN/TAP driver, you have to create the
|
|
|
|
following device files (unless they already exist):
|
|
|
|
|
|
|
|
@example
|
|
|
|
mknod -m 600 /dev/... c .. ..
|
|
|
|
chown 0.0 /dev/...
|
|
|
|
@end example
|
|
|
|
|
|
|
|
If you want to have more devices, the device numbers will be .. .. ...
|
|
|
|
|
|
|
|
If you use Linux, and you run the new 2.4 kernel using the devfs
|
|
|
|
filesystem, then the tap device will be automatically generated as
|
|
|
|
@file{/dev/netlink/tap0}.
|
|
|
|
|
|
|
|
If you use Linux and have kernel 2.2.x, you have to make the ethertap
|
|
|
|
devices:
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
mknod -m 600 /dev/tap0 c 36 16
|
|
|
|
chown 0.0 /dev/tap0
|
|
|
|
@end example
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
Any further ethertap devices have minor device number 16 through 31.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@c ==================================================================
|
|
|
|
@node Other files, , Device files, System files
|
|
|
|
@subsection Other files
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@subsubheading @file{/etc/networks}
|
|
|
|
|
2000-04-25 10:40:08 +00:00
|
|
|
You may add a line to @file{/etc/networks} so that your VPN will get a
|
2000-04-25 01:45:34 +00:00
|
|
|
symbolic name. For example:
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
myvpn 10.0.0.0
|
|
|
|
@end example
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
This has nothing to do with the MyVPNIP configuration variable that will be
|
|
|
|
discussed later, it is only to make the output of the route command more
|
|
|
|
legible.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@subsubheading @file{/etc/services}
|
|
|
|
|
|
|
|
You may add this line to @file{/etc/services}. The effect is that you
|
2000-04-25 10:40:08 +00:00
|
|
|
may supply a @samp{tinc} as a valid port number to some programs. The
|
2000-03-26 00:33:07 +00:00
|
|
|
number 655 is registered with the IANA.
|
|
|
|
|
|
|
|
@example
|
|
|
|
tinc 655/tcp TINC
|
|
|
|
tinc 655/udp TINC
|
|
|
|
# Ivo Timmermans <itimmermans@@bigfoot.com>
|
|
|
|
@end example
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
2000-09-27 20:32:29 +00:00
|
|
|
@node Interfaces, , System files, Installing tinc - installation
|
|
|
|
@section Interfaces
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
Before you can start transmitting data over the tinc tunnel, you must
|
|
|
|
set up the ethertap network devices.
|
|
|
|
|
|
|
|
First, decide which IP addresses you want to have associated with these
|
2000-09-27 20:32:29 +00:00
|
|
|
devices, and what network mask they must have. You also need these
|
|
|
|
numbers when you are going to configure tinc itself. @xref{Configuring
|
2000-03-26 00:33:07 +00:00
|
|
|
tinc}.
|
|
|
|
|
|
|
|
It doesn't matter much which part you do first, setting up the network
|
|
|
|
devices or configure tinc. But they both have to be done before you try
|
|
|
|
to start a tincd.
|
|
|
|
|
|
|
|
The actual setup of the ethertap device is quite simple, just repeat
|
|
|
|
after me:
|
|
|
|
|
|
|
|
@example
|
|
|
|
ifconfig tap@emph{n} hw ether fe:fd:@emph{xx}:@emph{xx}:@emph{xx}:@emph{xx}
|
|
|
|
@end example
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
The @emph{n} here is the number of the ethertap device you want to use.
|
|
|
|
It should be the same @emph{n} as the one you use for
|
|
|
|
@file{/dev/tap@emph{n}}. The @emph{xx}s are four hexadecimal numbers
|
2000-03-26 00:33:07 +00:00
|
|
|
(0--ff). With previous versions of tincd, it didn't matter what they
|
2000-09-27 20:32:29 +00:00
|
|
|
were. But newer kernels require properly set up ethernet addresses. In
|
|
|
|
fact, the old behavior was wrong. It is required that the @emph{xx}s
|
|
|
|
match the numbers of the IP address you will give to the tap device and
|
|
|
|
to the MyOwnVPNIP configuration (which will be discussed later).
|
|
|
|
|
|
|
|
@cindex MAC address
|
|
|
|
@cindex hardware address
|
|
|
|
@strong{Tip}: for finding out what the MAC address of the tap interface
|
|
|
|
should be, you can use the following command:
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@example
|
2000-09-27 20:32:29 +00:00
|
|
|
$ printf 'fe:fd:%02x:%02x:%02x:%02x' 10 1 54 1
|
|
|
|
fe:fd:0a:01:36:01
|
2000-03-26 00:33:07 +00:00
|
|
|
@end example
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@cindex ifconfig
|
|
|
|
To activate the device, you have to assign an IP address to it. To set
|
|
|
|
an IP address @emph{IP} with network mask @emph{mask}, do the following:
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@example
|
|
|
|
ifconfig tap@emph{n} @emph{xx}.@emph{xx}.@emph{xx}.@emph{xx} netmask @emph{mask}
|
|
|
|
@end example
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@cindex netmask
|
|
|
|
The netmask is the mask of the @emph{entire} VPN network, not just your
|
|
|
|
own subnet. It is the same netmask you will have to specify with the
|
|
|
|
VpnMask configuration variable.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c Configuring tinc
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
|
|
|
@c
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
2000-09-27 20:32:29 +00:00
|
|
|
@node Configuring tinc, Running tinc, Installing tinc - installation, Top
|
2000-03-26 00:33:07 +00:00
|
|
|
@chapter Configuring tinc
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Multiple networks::
|
|
|
|
* How connections work::
|
|
|
|
* Configuration file::
|
|
|
|
* Example::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Multiple networks, How connections work, Configuring tinc, Configuring tinc
|
|
|
|
@section Multiple networks
|
|
|
|
|
|
|
|
@c from the manpage
|
|
|
|
|
2000-04-25 01:45:34 +00:00
|
|
|
It is perfectly OK for you to run more than one tinc daemon.
|
2000-03-26 00:33:07 +00:00
|
|
|
However, in its default form, you will soon notice that you can't use
|
|
|
|
two different configuration files without the -c option.
|
|
|
|
|
|
|
|
We have thought of another way of dealing with this: network names. This
|
|
|
|
means that you call tincd with the -n argument, which will assign a name
|
|
|
|
to this daemon.
|
|
|
|
|
|
|
|
The effect of this is that the daemon will set its configuration
|
|
|
|
``root'' to /etc/tinc/nn/, where nn is your argument to the -n
|
2000-04-29 13:56:06 +00:00
|
|
|
option. You'll notice that it appears in syslog as ``tinc.nn''.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
However, it is not strictly necessary that you call tinc with the -n
|
|
|
|
option. In this case, the network name would just be empty, and it will
|
|
|
|
be used as such. tinc now looks for files in /etc/tinc/, instead of
|
2000-04-29 13:56:06 +00:00
|
|
|
/etc/tinc/nn/; the configuration file should be /etc/tinc/tinc.conf,
|
2000-03-26 00:33:07 +00:00
|
|
|
and the passphrases are now expected to be in /etc/tinc/passphrases/.
|
|
|
|
|
|
|
|
But it is highly recommended that you use this feature of tinc, because
|
|
|
|
it will be so much clearer whom your daemon talks to. Hence, we will
|
|
|
|
assume that you use it.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node How connections work, Configuration file, Multiple networks, Configuring tinc
|
|
|
|
@section How connections work
|
|
|
|
|
|
|
|
Before going on, first a bit on how tinc sees connections.
|
|
|
|
|
|
|
|
When tinc starts up, it reads in the configuration file and parses the
|
2000-04-25 01:45:34 +00:00
|
|
|
command-line options. If it sees a `ConnectTo' value in the file, it
|
|
|
|
will try to connect to it, on the given port. If this fails, tinc exits.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Configuration file, Example, How connections work, Configuring tinc
|
|
|
|
@section Configuration file
|
|
|
|
|
|
|
|
The actual configuration of the daemon is done in the file
|
2000-04-29 13:56:06 +00:00
|
|
|
@file{/etc/tinc/nn/tinc.conf}.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
This file consists of comments (lines started with a #) or assignments
|
|
|
|
in the form of
|
|
|
|
|
|
|
|
@example
|
|
|
|
Variable = Value.
|
|
|
|
@end example
|
|
|
|
|
|
|
|
The variable names are case insensitive, and any spaces, tabs, newlines
|
|
|
|
and carriage returns are ignored. Note: it is not required that you put
|
|
|
|
in the `=' sign, but doing so improves readability. If you leave it
|
|
|
|
out, remember to replace it with at least one space character.
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Variables::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Variables, , Configuration file, Configuration file
|
|
|
|
@subsection Variables
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
Here are all valid variables, listed in alphabetical order. The default
|
|
|
|
value, required or optional is given between parentheses.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@c straight from the manpage
|
|
|
|
@table @asis
|
2000-08-18 14:45:38 +00:00
|
|
|
@item ConnectPort = <port> (655)
|
2000-03-26 00:33:07 +00:00
|
|
|
Connect to the upstream host (given with the ConnectTo directive) on
|
|
|
|
port port. port may be given in decimal (default), octal (when preceded
|
|
|
|
by a single zero) or hexadecimal (prefixed with 0x). port is the port
|
|
|
|
number for both the UDP and the TCP (meta) connections.
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
@item ConnectTo = <IP address|hostname> (optional)
|
|
|
|
Specifies which host to connect to on startup. Multiple ConnectTo variables
|
|
|
|
may be specified, if connecting to the first one fails then tinc will try
|
|
|
|
the next one, and so on. It is possible to specify hostnames for dynamic IP
|
|
|
|
addresses (like those given on dyndns.org), tinc will not cache the resolved
|
|
|
|
IP address.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
If you don't specify a host with ConnectTo, regardless of whether a
|
|
|
|
value for ConnectPort is given, tinc won't connect at all, and will
|
2000-08-18 14:45:38 +00:00
|
|
|
instead just listen for incoming connections.
|
|
|
|
|
|
|
|
@item Hostnames = <yes|no> (no)
|
|
|
|
This option selects whether IP addresses (both real and on the VPN) should
|
|
|
|
be resolved. Since DNS lookups are blocking, it might affect tinc's
|
|
|
|
efficiency, even stopping the daemon for a few seconds everytime it does
|
|
|
|
a lookup if your DNS server is not responding.
|
|
|
|
|
|
|
|
This does not affect resolving hostnames to IP addresses from the configuration
|
|
|
|
file.
|
|
|
|
|
|
|
|
@item IndirectData = <yes|no> (no)
|
|
|
|
This option specifies whether other tinc daemons besides the one you
|
|
|
|
specified with ConnectTo can make a direct connection to you. This is
|
|
|
|
especially useful if you are behind a firewall and it is impossible
|
|
|
|
to make a connection from the outside to your tinc daemon. Otherwise,
|
|
|
|
it is best to leave this option out or set it to no.
|
|
|
|
|
|
|
|
@item Interface = <device> (optional)
|
|
|
|
If you have more than one network interface in your computer, tinc will by
|
|
|
|
default listen on all of them for incoming connections. It is possible to
|
|
|
|
bind tinc to a single interface like eth0 or ppp0 with this variable.
|
|
|
|
|
|
|
|
@item InterfaceIP = <local address> (optional)
|
|
|
|
If your computer has more than one IP address on a single interface (for example
|
|
|
|
if you are running virtual hosts), tinc will by default listen on all of them for
|
|
|
|
incoming connections. It is possible to bind tinc to a single IP address with
|
|
|
|
this variable. It is still possible to listen on several interfaces at the same
|
|
|
|
time though, if they share the same IP address.
|
|
|
|
|
|
|
|
@item KeyExpire = <seconds> (3600)
|
|
|
|
This option controls the time the encryption keys used to encrypt the data
|
|
|
|
are valid. It is common practice to change keys at regular intervals to
|
|
|
|
make it even harder for crackers, even though it is thought to be nearly
|
|
|
|
impossible to crack a single key.
|
|
|
|
|
|
|
|
@item ListenPort = <port> (655)
|
2000-03-26 00:33:07 +00:00
|
|
|
Listen on local port port. The computer connecting to this daemon should
|
2000-08-18 14:45:38 +00:00
|
|
|
use this number as the argument for his ConnectPort.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
@item MyOwnVPNIP = <local address[/maskbits]> (required)
|
2000-03-26 00:33:07 +00:00
|
|
|
The local address is the number that the daemon will propagate to
|
|
|
|
other daemons on the network when it is identifying itself. Hence this
|
|
|
|
will be the file name of the passphrase file that the other end expects
|
|
|
|
to find the passphrase in.
|
|
|
|
|
|
|
|
The local address is the IP address of the tap device, not the real IP
|
|
|
|
address of the host running tincd. Due to changes in recent kernels, it
|
|
|
|
is also necessary that you make the ethernet (also known as MAC) address
|
|
|
|
equal to the IP address (see the example).
|
|
|
|
|
|
|
|
maskbits is the number of bits set to 1 in the netmask part.
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
@item MyVirtualIP = <local address[/maskbits]>
|
2000-03-26 00:33:07 +00:00
|
|
|
This is an alias for MyOwnVPNIP.
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
@item Passphrases = <directory> (/etc/tinc/NETNAME/passphrases)
|
2000-03-26 00:33:07 +00:00
|
|
|
The directory where tinc will look for passphrases when someone tries to
|
2000-04-25 01:45:34 +00:00
|
|
|
connect. Please see the manpage for genauth(8) for more information
|
2000-03-26 00:33:07 +00:00
|
|
|
about passphrases as used by tinc.
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
@item PingTimeout = <seconds> (5)
|
2000-03-26 00:33:07 +00:00
|
|
|
The number of seconds of inactivity that tinc will wait before sending a
|
|
|
|
probe to the other end. If that other end doesn't answer within that
|
|
|
|
same amount of seconds, the connection is terminated, and the others
|
|
|
|
will be notified of this.
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
@item TapDevice = <device> (/dev/tap0)
|
2000-03-26 00:33:07 +00:00
|
|
|
The ethertap device to use. Note that you can only use one device per
|
|
|
|
daemon. The info pages of the tinc package contain more information
|
2000-04-25 01:45:34 +00:00
|
|
|
about configuring an ethertap device for Linux.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
@item TCPonly = <yes|no> (no, experimental)
|
|
|
|
If this variable is set to yes, then the packets are tunnelled over a TCP
|
|
|
|
connection instead of a UDP connection. This is especially useful for those
|
|
|
|
who want to run a tinc daemon from behind a masquerading firewall, or if
|
|
|
|
UDP packet routing is disabled somehow. This is experimental code,
|
|
|
|
try this at your own risk.
|
|
|
|
|
|
|
|
@item VpnMask = <mask> (optional)
|
2000-05-27 13:21:20 +00:00
|
|
|
The mask that defines the scope of the entire VPN. This option is not used
|
|
|
|
by the tinc daemon itself, but can be used by startup scripts to configure
|
|
|
|
the ethertap devices correctly.
|
2000-03-26 00:33:07 +00:00
|
|
|
@end table
|
|
|
|
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
@c ==================================================================
|
|
|
|
@node Example, , Configuration file, Configuring tinc
|
|
|
|
@section Example
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
Imagine the following situation. An A-based company wants to connect
|
|
|
|
three branch offices in B, C and D using the internet. All four offices
|
|
|
|
have a 24/7 connection to the internet.
|
|
|
|
|
|
|
|
A is going to serve as the center of the network. B and C will connect
|
|
|
|
to A, and D will connect to C. Each office will be assigned their own IP
|
|
|
|
network, 10.x.0.0.
|
|
|
|
|
|
|
|
@example
|
|
|
|
A: net 10.1.0.0 mask 255.255.0.0 gateway 10.1.54.1 internet IP 1.2.3.4
|
|
|
|
B: net 10.2.0.0 mask 255.255.0.0 gateway 10.2.1.12 internet IP 2.3.4.5
|
|
|
|
C: net 10.3.0.0 mask 255.255.0.0 gateway 10.3.69.254 internet IP 3.4.5.6
|
|
|
|
D: net 10.4.0.0 mask 255.255.0.0 gateway 10.4.3.32 internet IP 4.5.6.7
|
|
|
|
@end example
|
|
|
|
|
|
|
|
``gateway'' is the VPN IP address of the machine that is running the
|
|
|
|
tincd. ``internet IP'' is the IP address of the firewall, which does not
|
|
|
|
need to run tincd, but it must do a port forwarding of TCP&UDP on port
|
2000-04-25 01:45:34 +00:00
|
|
|
655 (unless otherwise configured).
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
In this example, it is assumed that eth0 is the interface that points to
|
2000-09-10 18:37:46 +00:00
|
|
|
the inner LAN of the office, although this could also be the same as the
|
|
|
|
interface that leads to the internet. The configuration of the real
|
|
|
|
interface is also shown as a comment, to give you an idea of how these
|
|
|
|
example host is set up.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@subsubheading For A
|
|
|
|
|
|
|
|
@emph{A} would be configured like this:
|
|
|
|
|
|
|
|
@example
|
2000-08-18 14:45:38 +00:00
|
|
|
#ifconfig eth0 10.1.54.1 netmask 255.255.0.0 broadcast 10.1.255.255
|
2000-03-26 00:33:07 +00:00
|
|
|
ifconfig tap0 hw ether fe:fd:0a:01:36:01
|
|
|
|
ifconfig tap0 10.1.54.1 netmask 255.0.0.0
|
|
|
|
@end example
|
|
|
|
|
2000-04-29 13:56:06 +00:00
|
|
|
and in /etc/tinc/tinc.conf:
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
TapDevice = /dev/tap0
|
|
|
|
MyVirtualIP = 10.1.54.1/16
|
2000-05-27 13:21:20 +00:00
|
|
|
VpnMask = 255.0.0.0
|
2000-03-26 00:33:07 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
@subsubheading For B
|
|
|
|
|
|
|
|
@example
|
2000-08-18 14:45:38 +00:00
|
|
|
#ifconfig eth0 10.2.43.8 netmask 255.255.0.0 broadcast 10.2.255.255
|
2000-03-26 00:33:07 +00:00
|
|
|
ifconfig tap0 hw ether fe:fd:0a:02:01:0c
|
|
|
|
ifconfig tap0 10.2.1.12 netmask 255.0.0.0
|
|
|
|
@end example
|
|
|
|
|
2000-04-29 13:56:06 +00:00
|
|
|
and in /etc/tinc/tinc.conf:
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
TapDevice = /dev/tap0
|
|
|
|
MyVirtualIP = 10.2.1.12/16
|
|
|
|
ConnectTo = 1.2.3.4
|
2000-05-27 13:21:20 +00:00
|
|
|
VpnMask = 255.0.0.0
|
2000-03-26 00:33:07 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
Note here that the internal address (on eth0) doesn't have to be the
|
|
|
|
same as on the tap0 device. Also, ConnectTo is given so that no-one can
|
|
|
|
connect to this node.
|
|
|
|
|
|
|
|
@subsubheading For C
|
|
|
|
|
|
|
|
@example
|
2000-08-18 14:45:38 +00:00
|
|
|
#ifconfig eth0 10.3.69.254 netmask 255.255.0.0 broadcast 10.3.255.255
|
2000-03-26 00:33:07 +00:00
|
|
|
ifconfig tap0 hw ether fe:fd:0a:03:45:fe
|
|
|
|
ifconfig tap0 10.3.69.254 netmask 255.0.0.0
|
|
|
|
@end example
|
|
|
|
|
2000-04-29 13:56:06 +00:00
|
|
|
and in /etc/tinc/A/tinc.conf:
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
MyVirtualIP = 10.3.69.254/16
|
2000-08-18 14:45:38 +00:00
|
|
|
TapDevice = /dev/tap1
|
2000-03-26 00:33:07 +00:00
|
|
|
ConnectTo = 1.2.3.4
|
|
|
|
ListenPort = 2000
|
2000-05-27 13:21:20 +00:00
|
|
|
VpnMask = 255.0.0.0
|
2000-03-26 00:33:07 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
C already has another daemon that runs on port 655, so they have to
|
2000-08-18 14:45:38 +00:00
|
|
|
reserve another port for tinc. It can connect to other tinc daemons on
|
|
|
|
the regular port though, so no ConnectPort variable is needed.
|
|
|
|
They also use the netname to distinguish
|
2000-03-26 00:33:07 +00:00
|
|
|
between the two. tinc is started with `tincd -n A'.
|
|
|
|
|
|
|
|
@subsubheading For D
|
|
|
|
|
|
|
|
@example
|
2000-08-18 14:45:38 +00:00
|
|
|
#ifconfig tap0 10.4.3.32 netmask 255.255.0.0 broadcast 10.4.255.255
|
2000-03-26 00:33:07 +00:00
|
|
|
ifconfig tap0 hw ether fe:fd:0a:04:03:20
|
|
|
|
ifconfig tap0 10.4.3.32 netmask 255.0.0.0
|
|
|
|
@end example
|
|
|
|
|
2000-04-29 13:56:06 +00:00
|
|
|
and in /etc/tinc/tinc.conf:
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@example
|
|
|
|
MyVirtualIP = 10.4.3.32/16
|
|
|
|
ConnectTo = 3.4.5.6
|
|
|
|
ConnectPort = 2000
|
2000-05-27 13:21:20 +00:00
|
|
|
VpnMask=255.0.0.0
|
2000-03-26 00:33:07 +00:00
|
|
|
@end example
|
|
|
|
|
|
|
|
D will be connecting to C, which has a tincd running for this network on
|
2000-08-18 14:45:38 +00:00
|
|
|
port 2000. Hence they need to put in a ConnectPort, but it doesn't need
|
|
|
|
to have a different ListenPort.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@subsubheading Authentication
|
|
|
|
|
|
|
|
A, B, C and D all generate a passphrase with genauth 2048, the output is
|
|
|
|
stored in /etc/tinc/passphrases/local, except for C, where it should be
|
|
|
|
/etc/tinc/A/passphrases/local.
|
|
|
|
|
2000-09-10 18:37:46 +00:00
|
|
|
A stores a copy of B's passphrase in /etc/tinc/passphrases/10.2.1.12
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-10 18:37:46 +00:00
|
|
|
A stores a copy of C's passphrase in /etc/tinc/passphrases/10.3.69.254
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-10 18:37:46 +00:00
|
|
|
B stores a copy of A's passphrase in /etc/tinc/passphrases/10.1.54.1
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-10 18:37:46 +00:00
|
|
|
C stores a copy of A's passphrase in /etc/tinc/A/passphrases/10.1.54.1
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-10 18:37:46 +00:00
|
|
|
C stores a copy of D's passphrase in /etc/tinc/A/passphrases/10.4.3.32
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2000-09-10 18:37:46 +00:00
|
|
|
D stores a copy of C's passphrase in /etc/tinc/passphrases/10.3.69.254
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@subsubheading Starting
|
|
|
|
|
|
|
|
A has to start their tincd first. Then come B and C, where C has to
|
|
|
|
provide the option `-n A', because they have more than one tinc
|
|
|
|
network. Finally, D's tincd is started.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Running tinc, Technical information, Configuring tinc, Top
|
|
|
|
@chapter Running tinc
|
|
|
|
|
|
|
|
Running tinc isn't just as easy as typing `tincd' and hoping everything
|
|
|
|
will just work out the way you wanted. Instead, the use of tinc is a
|
|
|
|
project that involves trust relations and more than one computer.
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Managing keys::
|
|
|
|
* Runtime options::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Managing keys, Runtime options, Running tinc, Running tinc
|
|
|
|
@section Managing keys
|
|
|
|
|
|
|
|
Before attempting to start tinc, you have to create passphrases. When
|
|
|
|
tinc tries to make a connection, it exchanges some sensitive
|
|
|
|
data. Before doing so, it likes to know if the other end is
|
|
|
|
trustworthy.
|
|
|
|
|
|
|
|
To do this, both ends must have some knowledge about the other. In the
|
|
|
|
case of tinc this is the authentication passphrase.
|
|
|
|
|
|
|
|
This passphrase is a number, which is chosen at random. This number is
|
|
|
|
then sent to the other computers which want to talk to us directly. To
|
|
|
|
avoid breaking security, this should be done over a known secure channel
|
|
|
|
(such as ssh or similar).
|
|
|
|
|
|
|
|
All passphrases are stored in the passphrases directory, which is
|
|
|
|
normally /etc/tinc/nn/passphrases/, but it may be changed using the
|
|
|
|
`Passphrases' option in the config file.
|
|
|
|
|
|
|
|
To generate a passphrase, run `genauth'. genauth takes one argument,
|
|
|
|
which is the length of the passphrase in bits. The length of the
|
|
|
|
passphrase should be in the range 1024--2048 for a key length of 128
|
|
|
|
bits. genauth creates a random number of the specified length, and puts
|
|
|
|
it to stdout.
|
|
|
|
|
|
|
|
Every computer that wants to participate in the VPN should do this, and
|
|
|
|
store the output in the passphrases directory, in the file @file{local}.
|
|
|
|
|
|
|
|
When every computer has his own local key, it should copy it to the
|
|
|
|
computer that it wants to talk to directly. (i.e. the one it connects to
|
|
|
|
during startup.) This should be done via a secure channel, because it is
|
|
|
|
sensitive information. If this is not done securely, someone might break
|
|
|
|
in on you later on.
|
|
|
|
|
|
|
|
Those non-local passphrase files must have the name of the VPN IP
|
|
|
|
address that they will advertise to you. For instance, if a computer
|
|
|
|
tells us it likes to be 10.1.1.3 with netmask 255.255.0.0, the file
|
|
|
|
should still be called 10.1.1.3, and not 10.1.0.0.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Runtime options, , Managing keys, Running tinc
|
|
|
|
@section Runtime options
|
|
|
|
|
|
|
|
Besides the settings in the configuration file, tinc also accepts some
|
|
|
|
command line options.
|
|
|
|
|
|
|
|
This list is a longer version of that in the manpage. The latter is
|
|
|
|
generated automatically, so may be more up-to-date.
|
|
|
|
|
|
|
|
@c from the manpage
|
|
|
|
@table @asis
|
|
|
|
@item -c, --config=FILE
|
|
|
|
Read configuration options from FILE. The default is
|
2000-04-29 13:56:06 +00:00
|
|
|
@file{/etc/tinc/nn/tinc.conf}.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@item -d
|
|
|
|
Increase debug level. The higher it gets, the more gets
|
|
|
|
logged. Everything goes via syslog.
|
|
|
|
|
|
|
|
0 is the default, only some basic information connection attempts get
|
|
|
|
logged. Setting it to 1 will log a bit more, still not very
|
|
|
|
disturbing. With two -d's tincd will log protocol information, which can
|
|
|
|
get pretty noisy. Three or more -d's will output every single packet
|
|
|
|
that goes out or comes in, which probably generates more data than the
|
|
|
|
packets themselves.
|
|
|
|
|
|
|
|
@item -k, --kill
|
|
|
|
Attempt to kill a running tincd and exit. A TERM signal (15) gets sent
|
2000-04-29 13:56:06 +00:00
|
|
|
to the daemon that his its PID in /var/run/tinc.nn.pid.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
Because it kills only one tincd, you should use -n here if you use it
|
|
|
|
normally.
|
|
|
|
|
|
|
|
@item -n, --net=NETNAME
|
|
|
|
Connect to net NETNAME. @xref{Multiple networks}.
|
|
|
|
|
|
|
|
@item -t, --timeout=TIMEOUT
|
|
|
|
Seconds to wait before giving a timeout. Should not be set too low,
|
|
|
|
because every time tincd senses a timeout, it disconnects and reconnects
|
|
|
|
again, which will cause unnecessary network traffic and log messages.
|
|
|
|
|
|
|
|
@item --help
|
|
|
|
Display a short reminder of these runtime options and terminate.
|
|
|
|
|
|
|
|
@item --version
|
|
|
|
Output version information and exit.
|
|
|
|
|
|
|
|
@end table
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Technical information, About us, Running tinc, Top
|
|
|
|
@chapter Technical information
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@menu
|
|
|
|
* The Connection::
|
|
|
|
* Security::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
@node The Connection, Security, Technical information, Technical information
|
|
|
|
@section The basic philosophy of the way tinc works
|
|
|
|
@cindex Connection
|
|
|
|
|
|
|
|
tinc is a daemon that takes VPN data and transmit that to another host
|
|
|
|
computer over the existing Internet infrastructure.
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Protocol Preview::
|
|
|
|
* The Meta-connection::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Protocol Preview, The Meta-connection, The Connection, The Connection
|
|
|
|
@subsection A preview of the way the tinc works
|
|
|
|
|
|
|
|
@cindex ethertap
|
|
|
|
@cindex frame type
|
|
|
|
The data itself is read from a character device file, the so-called
|
|
|
|
@emph{ethertap} device. This device is associated with a network
|
|
|
|
interface. Any data sent to this interface can be read from the device,
|
|
|
|
and any data written to the device gets sent from the interface. Data to
|
|
|
|
and from the device is formatted as if it were a normal ethernet card,
|
|
|
|
so a frame is preceded by two MAC addresses and a @emph{frame type}
|
|
|
|
field.
|
|
|
|
|
|
|
|
So when tinc reads an ethernet frame from the device, it determines its
|
|
|
|
type. Right now, tinc can only handle Internet Protocol version 4 (IPv4)
|
|
|
|
frames. Plans to support other protocols are being made. When tinc knows
|
|
|
|
which type of frame it has read, it can also read the source and
|
|
|
|
destination address from it.
|
|
|
|
|
|
|
|
Now it is time that the frame gets encrypted. Currently the only
|
|
|
|
encryption algorithm available is blowfish.
|
|
|
|
|
|
|
|
@cindex encapsulating
|
|
|
|
When the encryption is ready, time has come to actually transport the
|
|
|
|
packet to the destination computer. We do this by sending the packet
|
|
|
|
over an UDP connection to the destination host. This is called
|
|
|
|
@emph{encapsulating}, the VPN packet (though now encrypted) is
|
|
|
|
encapsulated in another IP datagram.
|
|
|
|
|
|
|
|
When the destination receives this packet, the same thing happens, only
|
|
|
|
in reverse. So it does a decrypt on the contents of the UDP datagram,
|
|
|
|
and it writes the decrypted information to its own ethertap device.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node The Meta-connection, , Protocol Preview, The Connection
|
|
|
|
@subsection The meta-connection
|
|
|
|
|
2000-05-27 13:21:20 +00:00
|
|
|
Having only an UDP connection available is not enough. Though suitable
|
2000-03-26 00:33:07 +00:00
|
|
|
for transmitting data, we want to be able to reliably send other
|
|
|
|
information, such as routing and encryption information to somebody.
|
|
|
|
|
|
|
|
TCP is a better alternative, because it already contains protection
|
|
|
|
against information being lost, unlike UDP.
|
|
|
|
|
|
|
|
So we establish two connections. One for the encrypted VPN data, and one
|
|
|
|
for other information, the meta-data. Hence, we call the second
|
|
|
|
connection the meta-connection. We can now be sure that the
|
|
|
|
meta-information doesn't get lost on the way to another computer.
|
|
|
|
|
|
|
|
@cindex data-protocol
|
|
|
|
@cindex meta-protocol
|
|
|
|
Like with any communication, we must have a protocol, so that everybody
|
|
|
|
knows what everything stands for, an how he should react. Because we
|
|
|
|
have two connections, we also have two protocols. The protocol used for
|
|
|
|
the UDP data is the ``data-protocol,'' the other one is the
|
|
|
|
``meta-protocol.''
|
|
|
|
|
2000-05-14 12:22:42 +00:00
|
|
|
The reason we don't use TCP for both protocols is that UDP is much
|
|
|
|
better for encapsulation, even while it is less reliable. The real
|
|
|
|
problem is that when TCP would be used to encapsulate a TCP stream
|
|
|
|
that's on the private network, for every packet sent there would be
|
|
|
|
three ACK's sent instead of just one. Furthermore, if there would be
|
|
|
|
a timeout, both TCP streams would sense the timeout, and both would
|
|
|
|
start resending packets.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@c ==================================================================
|
2000-05-12 13:31:00 +00:00
|
|
|
@node Security, , The Connection, Technical information
|
2000-03-26 00:33:07 +00:00
|
|
|
@section About tinc's encryption and other security-related issues.
|
|
|
|
|
|
|
|
@cindex tinc
|
|
|
|
@cindex Cabal
|
|
|
|
tinc got its name from ``TINC,'' short for @emph{There Is No Cabal}; the
|
|
|
|
alleged Cabal was/is an organization that was said to keep an eye on the
|
|
|
|
entire Internet. As this is exactly what you @emph{don't} want, we named
|
|
|
|
the tinc project after TINC.
|
|
|
|
|
|
|
|
@cindex SVPN
|
|
|
|
But in order to be ``immune'' to eavesdropping, you'll have to encrypt
|
|
|
|
your data. Because tinc is a @emph{Secure} VPN (SVPN) daemon, it does
|
|
|
|
exactly that: encrypt.
|
|
|
|
|
|
|
|
This chapter is a mixture of ideas, reasoning and explanation, please
|
|
|
|
don't take it too serious.
|
|
|
|
|
|
|
|
@menu
|
2000-09-27 20:32:29 +00:00
|
|
|
* Key Types::
|
2000-03-26 00:33:07 +00:00
|
|
|
* Key Management::
|
2000-04-25 01:45:34 +00:00
|
|
|
* Authentication::
|
2000-03-26 00:33:07 +00:00
|
|
|
* Protection::
|
|
|
|
@end menu
|
|
|
|
|
2000-08-18 14:45:38 +00:00
|
|
|
@c ==================================================================
|
|
|
|
@node Key Types, Key Management, Security, Security
|
|
|
|
@subsection Key Types
|
|
|
|
@c FIXME: check if I'm not talking nonsense
|
|
|
|
|
|
|
|
There are several types of encryption keys. Tinc uses two of them,
|
|
|
|
symmetric private keypairs and public/private keypairs.
|
|
|
|
|
|
|
|
Public/private keypairs are used in public key cryptography. It enables
|
|
|
|
someone to send out a public key with which other people can encrypt their
|
|
|
|
data. The encrypted data now can only be decrypted by the person who has
|
|
|
|
the private key that matches the public key. So, a public key only allows
|
|
|
|
@emph{other} people to send encrypted messages to you. This is very useful
|
|
|
|
in setting up private communications channels. Just send out your public key
|
|
|
|
and other people can talk to you in a secure way. But how can you know
|
|
|
|
the other person is who he says he is?
|
|
|
|
|
|
|
|
For authentication itself tinc uses symmetric private keypairs, referred
|
|
|
|
to as a passphrase. The identity of each tinc daemon is defined by it's
|
|
|
|
passphrase (like you can be identified by your social security number).
|
|
|
|
Every tinc daemon that is allowed to connect to you has a copy of your
|
|
|
|
passphrase (hence symmetrical).
|
|
|
|
|
|
|
|
It would also be possible to use public/private keypairs for authentication,
|
|
|
|
so that you could shout out your public key and don't need to keep it
|
|
|
|
secret (like the passphrase you would have to send to someone else). Also,
|
|
|
|
no one else has to know a private key from you.
|
|
|
|
Both forms have their pros and cons, and at the moment tinc just uses passphrases
|
|
|
|
(which are computationaly more efficient and perhaps in some way more
|
|
|
|
secure).
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@c ==================================================================
|
2000-08-18 14:45:38 +00:00
|
|
|
@node Key Management, Authentication, Key Types, Security
|
2000-03-26 00:33:07 +00:00
|
|
|
@subsection Key Management
|
2000-09-27 20:32:29 +00:00
|
|
|
@c FIXME change for the current protocol
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@cindex Diffie-Hellman
|
|
|
|
You can't just send a private encryption key to your peer, because
|
|
|
|
somebody else might already be listening to you. So you'll have to
|
|
|
|
negotiate over a shared but secret key. One way to do this is by using
|
|
|
|
the ``Diffie-Hellman key exchange'' protocol
|
|
|
|
(@uref{http://www.rsa.com/rsalabs/faq/html/3-6-1.html}). The idea is as
|
|
|
|
follows.
|
|
|
|
|
|
|
|
You have two participants A and B that want to agree over a shared
|
|
|
|
secret encryption key. Both parties have some large prime number p and a
|
|
|
|
generator g. These numbers may be known to the outside world, and hence
|
|
|
|
may be included in the source distribution.
|
|
|
|
|
|
|
|
@cindex secret key
|
|
|
|
Both parties then generate a secret key. A generates a, and computes g^a
|
|
|
|
mod p. This is then sent to B; while B computes g^b mod p, and transmits
|
|
|
|
this to A, b being generated by B. Both a and b must be smaller than
|
|
|
|
p-1.
|
|
|
|
|
|
|
|
Both parties then calculate g^ab mod p = k. k is the new, shared, but
|
|
|
|
still secret key.
|
|
|
|
|
|
|
|
To obtain a key k of a sufficient length (128 bits in our vpnd), p
|
|
|
|
should be 2^129-1 or more.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
2000-04-25 01:45:34 +00:00
|
|
|
@node Authentication, Protection, Key Management, Security
|
|
|
|
@subsection Authentication
|
2000-03-26 00:33:07 +00:00
|
|
|
@c FIXME: recheck
|
|
|
|
|
|
|
|
@cindex man-in-the-middle attack
|
|
|
|
Because the Diffie-Hellman protocol is in itself vulnerable to the
|
2000-04-25 01:45:34 +00:00
|
|
|
``man-in-the-middle attack,'' we should introduce an authentication
|
2000-03-26 00:33:07 +00:00
|
|
|
system.
|
|
|
|
|
|
|
|
We will let A transmit a passphrase that is also known to B encrypted
|
|
|
|
with g^a, before A sends this to B. This way, B can check whether A is
|
|
|
|
really A or just someone else.
|
2000-08-18 14:45:38 +00:00
|
|
|
B will never receive the real passphrase though, because it was
|
|
|
|
encrypted using public/private keypairs. This way there is no way an
|
|
|
|
imposter could steal A's passphrase.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@cindex passphrase
|
2000-08-18 14:45:38 +00:00
|
|
|
@c ehrmz... but we only use 1024 bits passphrases ourselves? [guus]
|
2000-03-26 00:33:07 +00:00
|
|
|
This passphrase should be 2304 bits for a symmetric encryption
|
|
|
|
system. But since an asymmetric system is more secure, we could do with
|
|
|
|
2048 bits. This only holds if the passphrase is very random.
|
|
|
|
|
|
|
|
These passphrases could be stored in a file that is non-readable by
|
2000-08-18 14:45:38 +00:00
|
|
|
anyone else but root; e.g. @file{/etc/tinc/passphrases} with UID 0
|
|
|
|
and permissions mode 700.
|
|
|
|
|
|
|
|
The only thing that needs to be taken care of is how A can securely send
|
|
|
|
a copy of it's passphrase to B if B doesn't have it yet. This could be
|
|
|
|
done via mail with PGP, but you should be really convinced of the
|
|
|
|
identity of the person who owns the email address you are sending this to.
|
|
|
|
Swapping floppy disks in real life might be the best way to do this!
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
2000-04-25 01:45:34 +00:00
|
|
|
@node Protection, , Authentication, Security
|
2000-03-26 00:33:07 +00:00
|
|
|
@subsection Protecting your data
|
|
|
|
|
|
|
|
Now we have securely hidden our data. But a malicious cracker may still
|
|
|
|
bother you by randomly altering the encrypted data he intercepts.
|
|
|
|
|
2000-09-27 20:32:29 +00:00
|
|
|
@c FIXME what the hell is this all about? remove? IT
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node About us, Concept Index, Technical information, Top
|
|
|
|
@chapter About us
|
|
|
|
|
|
|
|
|
|
|
|
@menu
|
|
|
|
* Contact Information::
|
|
|
|
* Authors::
|
|
|
|
@end menu
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Contact Information, Authors, About us, About us
|
|
|
|
@section Contact information
|
|
|
|
|
|
|
|
tinc's main page is at @url{http://tinc.nl.linux.org/},
|
|
|
|
this server is located in the Netherlands.
|
|
|
|
|
|
|
|
We have an IRC channel on the Open Projects IRC network. Connect to
|
|
|
|
@uref{http://openprojects.nu/services/irc.html, irc.openprojects.net},
|
|
|
|
and join channel #tinc.
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Authors, , Contact Information, About us
|
|
|
|
@section Authors
|
|
|
|
|
|
|
|
@table @asis
|
|
|
|
@item Ivo Timmermans (zarq) (@email{itimmermans@@bigfoot.com})
|
|
|
|
Main coder/hacker and maintainer of the package.
|
|
|
|
|
|
|
|
@item Guus Sliepen (guus)
|
|
|
|
Originator of it all, co-author.
|
|
|
|
|
|
|
|
@item Wessel Dankers (Ubiq)
|
2000-04-25 10:40:08 +00:00
|
|
|
General obfuscater of the code.
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
@end table
|
|
|
|
|
|
|
|
Thank you's to: Dekan, Emphyrio, vDong
|
|
|
|
|
|
|
|
Greetings to: braque, Fluor, giggles, macro, smoke, tribbel
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@node Concept Index, , About us, Top
|
|
|
|
@c node-name, next, previous, up
|
|
|
|
@unnumbered Concept Index
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@printindex cp
|
|
|
|
|
|
|
|
|
|
|
|
@c ==================================================================
|
|
|
|
@contents
|
|
|
|
@bye
|
|
|
|
|