Updated tinc.conf manual.

doc/tinc.conf.5

@@ -59,67 +59,104 @@ one space character.
 .PP
 .SH "VARIABLES"
 .PP
-Here are all valid variables, listed in alphabetical order:
+Here are all valid variables, listed in alphabetical order. The default
+value, required or optional is given between parentheses.
 .TP
-\fBConnectPort = \fIport\fR
+\fBConnectPort\fR = <\fIport\fR> (655)
-Connect to the upstream host (given with the \fBConnectTo\fR
+Connect to the upstream host (given with the \fBConnectTo\fR directive) on
-directive) on port \fIport\fR. \fIport\fR may be given in decimal
+port \fIport\fR. port may be given in decimal (default), octal (when preceded
-(default), octal (when preceded by a single zero) or hexadecimal
+by a single zero) or hexadecimal (prefixed with 0x). \fIport\fR is the port
-(prefixed with \fB0x\fR). \fIport\fR is the port number for both the
+number for both the UDP and the TCP (meta) connections.
-UDP and the TCP (meta) connections.
 .TP
-\fBConnectTo = \fB(\fIIP address\fB|\fIhostname\fB)\fR
+\fBConnectTo\fR = <\fIIP address|hostname\fR> (optional)
-Specifies which host to connect to on startup. If the
+Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables
-\fBConnectPort\fR variable is omitted, then tinc will try to connect
+may be specified, if connecting to the first one fails then tinc will try
-to port 655.
+the next one, and so on. It is possible to specify hostnames for dynamic IP
+addresses (like those given on dyndns.org), tinc will not cache the resolved
+IP address.
 
-If you don't specify a host with \fBConnectTo\fR, tinc won't connect
+If you don't specify a host with \fBConnectTo\fR, regardless of whether a
-at all, and will instead just listen for incoming connections. Only
+value for \fBConnectPort\fR is given, tinc won't connect at all, and will
-the initiator of a tinc VPN should need this.
+instead just listen for incoming connections.
 .TP
-\fBKeyExpire = \fIs\fR
+\fBHostnames\fR = <\fIyes|no\fR> (no)
-The secret (and public) key expires after \fIs\fR seconds. The default
+This option selects whether IP addresses (both real and on the VPN) should
-is 3600 seconds, or one hour.
+be resolved. Since DNS lookups are blocking, it might affect tinc's
+efficiency, even stopping the daemon for a few seconds everytime it does
+a lookup if your DNS server is not responding.
 
-If you make it shorter, a lot of time and bandwidth is spent
+This does not affect resolving hostnames to IP addresses from the configuration
-negotiating over the new keys. If you make it longer, you make
+file.
-yourself more vulnerable to crackers, because they have more data to
-work with. The best value depends on the speed of the link, and the
-amount of data that goes over it.
 .TP
-\fBListenPort = \fIport\fR
+\fBIndirectData\fR = <\fIyes|no\fR> (no)
-Listen on local port \fIport\fR. The computer connecting to this
+This option specifies whether other tinc daemons besides the one you
-daemon should use this number as the argument for his
+specified with \fBConnectTo\fR can make a direct connection to you. This is
-\fBConnectPort\fR. Again, the default is 655.
+especially useful if you are behind a firewall and it is impossible
+to make a connection from the outside to your tinc daemon. Otherwise,
+it is best to leave this option out or set it to no.
 .TP
-\fBMyOwnVPNIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
+\fBInterface\fR = <\fIdevice\fR> (optional)
-The \fInetwork address\fR is the number that the daemon will propagate
+If you have more than one network interface in your computer, tinc will by
-to other daemons on the network when it is identifying itself. Hence
+default listen on all of them for incoming connections. It is possible to
-this will be the file name of the passphrase file that the other end
+bind tinc to a single interface like eth0 or ppp0 with this variable.
-expects to find the passphrase in.
+.TP
+\fBInterfaceIP\fR = <\fIlocal address\fR> (optional)
+If your computer has more than one IP address on a single interface (for example
+if you are running virtual hosts), tinc will by default listen on all of them for
+incoming connections. It is possible to bind tinc to a single IP address with
+this variable. It is still possible to listen on several interfaces at the same
+time though, if they share the same IP address.
+.TP
+\fBKeyExpire\fR = <\fIseconds\fR> (3600)
+This option controls the time the encryption keys used to encrypt the data
+are valid. It is common practice to change keys at regular intervals to
+make it even harder for crackers, even though it is thought to be nearly
+impossible to crack a single key.
+.TP
+\fBListenPort\fR = <\fIport\fR> (655)
+Listen on local port \fIport\fR. The computer connecting to this daemon should
+use this number as the argument for his \fBConnectPort\fR.
+.TP
+\fBMyOwnVPNIP\fR = <\fIlocal address[/maskbits]\fR> (required)
+The \fIlocal address\fR is the number that the daemon will propagate to
+other daemons on the network when it is identifying itself. Hence this
+will be the file name of the passphrase file that the other end expects
+to find the passphrase in.
+
+The local address is the IP address of the tap device, not the real IP
+address of the host running tincd. Due to changes in recent kernels, it
+is also necessary that you make the ethernet (also known as MAC) address
+equal to the IP address (see the example).
 
 \fImaskbits\fR is the number of bits set to 1 in the netmask part.
 .TP
-\fBMyVirtualIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
+\fBMyVirtualIP\fR = <\fIlocal address[/maskbits]>
 This is an alias for \fBMyOwnVPNIP\fR.
 .TP
-\fBPassphrases = \fIdirectory\fR
+\fBPassphrases\fR = <\fIdirectory\fR> (/etc/tinc/NETNAME/passphrases)
-The directory where tinc will look for passphrases when someone tries
+The directory where tinc will look for passphrases when someone tries to
-to cennect. Please see the manpage for \fBgenauth\fR(8) for more
+connect. Please see the manpage for genauth(8) for more information
-information about passphrases as used by tinc.
+about passphrases as used by tinc.
 .TP
-\fBPingTimeout = \fInumber\fR
+\fBPingTimeout\fR = <\fIseconds\fR> (5)
-The number of seconds of inactivity that tinc will wait before sending
+The number of seconds of inactivity that tinc will wait before sending a
-a probe to the other end. If that other end doesn't answer within that
+probe to the other end. If that other end doesn't answer within that
 same amount of seconds, the connection is terminated, and the others
 will be notified of this.
 .TP
-\fBTapDevice = \fIdevice\fR
+\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
 The ethertap device to use. Note that you can only use one device per
 daemon. The info pages of the tinc package contain more information
-about configuring an ethertap device for linux.
+about configuring an ethertap device for Linux.
 .TP
-\fBNetMask = \fImask\fR
+\fBTCPonly\fR = <\fIyes|no\fR> (no, experimental)
+If this variable is set to yes, then the packets are tunnelled over a TCP
+connection instead of a UDP connection. This is especially useful for those
+who want to run a tinc daemon from behind a masquerading firewall, or if
+UDP packet routing is disabled somehow. This is experimental code,
+try this at your own risk.
+.TP
+\fBVpnMask\fR = <\fImask\fR> (optional)
 The mask that defines the scope of the entire VPN. This option is not used
 by the tinc daemon itself, but can be used by startup scripts to configure
 the ethertap devices correctly.