88 lines
3.8 KiB
Text
88 lines
3.8 KiB
Text
|
Introduction
|
||
|
------------
|
||
|
|
||
|
Invitations are URLs that encode a tinc server's hostname, port, an ephemeral
|
||
|
public key and a cookie. This is enough for an invitee to connect to the
|
||
|
server that generated the invitation, verify that it is indeed connected to the
|
||
|
right server, and present the cookie to the server as proof that it got the
|
||
|
invitation. The server then checks whether it has a corresponding invitation
|
||
|
file in its invitations/ directory. The contents of an invitation file that is
|
||
|
generated by the "tinc -n vpn invite client" command looks like this:
|
||
|
|
||
|
Name = client
|
||
|
Netname = vpn
|
||
|
ConnectTo = server
|
||
|
#-------------------------------------#
|
||
|
Name = server
|
||
|
Ed25519PublicKey = augbnwegoij123587...
|
||
|
Address = server.example.com
|
||
|
|
||
|
The file is basically a concatenation of several host config blocks. Each host
|
||
|
config block starts with "Name = ...". Lines that look like `#---#` are not
|
||
|
important, it just makes it easier for humans to read the file.
|
||
|
|
||
|
The first host config block is always the one representing the invitee. So the
|
||
|
first Name statement determines the name that the invitee will get. From the
|
||
|
first block, the tinc.conf and hosts/client files will be generated; the "tinc
|
||
|
join" command on the client will automatically separate statements based on
|
||
|
whether they should be in tinc.conf or in a host config file. Some statements
|
||
|
are special and are treated differently:
|
||
|
|
||
|
- "Netname" is a hint to the invitee which netname to use for the VPN. It is
|
||
|
used if the invitee did not already specify a netname, and if there is no
|
||
|
pre-existing configuration with the same netname.
|
||
|
|
||
|
- (TBI) "Ifconfig" statements are hints for generating a tinc-up script. The
|
||
|
syntax is similar to Subnet statements:
|
||
|
|
||
|
- "Ifconfig a1:b2:c3:d4:e5:f6" is a MAC address, and hints that the tun/tap
|
||
|
interface should get that hardware address.
|
||
|
- "Ifconfig 1.2.3.4/16" hints that the tun/tap interface should get IPv4
|
||
|
address 1.2.3.4 and netmask 255.255.0.0.
|
||
|
- "Ifconfig 1234::5/48" hints that the tun/tap interface shouldg et IPv6
|
||
|
address 1234::5 and prefixlength 48.
|
||
|
|
||
|
Additionally, the following arguments are supported:
|
||
|
|
||
|
- "Ifconfig dhcp" hints that the tun/tap interface should get an IPv4 address
|
||
|
and netmask from DHCP.
|
||
|
- "Ifconfig dhcp6" hints that the tun/tap interface should get an IPv6
|
||
|
address and netmask from DHCP.
|
||
|
- "Ifconfig slaac" hints that the tun/tap interface should get an IPv6
|
||
|
address and netmask from SLAAC. Multiple Ifconfig statements are allowed.
|
||
|
|
||
|
How a tinc-up script is generated depends on the operating system the client
|
||
|
is using.
|
||
|
|
||
|
- (TBI) "Route" statements are similar to "Ifconfig" statements but add routes
|
||
|
instead of addresses. These only allow IPv4 and IPv6 routes.
|
||
|
|
||
|
Subsequent host config blocks are copied verbatim into their respective files
|
||
|
in hosts/. The invitation file generated by "tinc invite" will normally only
|
||
|
contain two blocks; one for the client and one for the server.
|
||
|
|
||
|
Writing an invitation-created script
|
||
|
------------------------------------
|
||
|
|
||
|
When an invitation is generated, the "invitation-created" script is called (if
|
||
|
it exists) right after the invitation file is written, but before the URL has
|
||
|
been written to stdout. This allows one to change the invitation file
|
||
|
automatically before the invitation URL is passed to the invitee. Here is an
|
||
|
example shell script that aproximately recreates the default invitation file:
|
||
|
|
||
|
#!/bin/sh
|
||
|
|
||
|
cat >$INVITATION_FILE <<EOF
|
||
|
Name = $NODE
|
||
|
Netname = $NETNAME
|
||
|
ConnectTo = $NAME
|
||
|
#----------------#
|
||
|
EOF
|
||
|
|
||
|
tinc export >>$INVITATION_FILE
|
||
|
|
||
|
You can add more ConnectTo statements, and change `tinc export` to `tinc
|
||
|
export-all` for example. But you can also use the script to automatically hand
|
||
|
out a Subnet to the invitee. Note that the script doesn't have to be a shell script,
|
||
|
you can use any language, it just has to be executable.
|