.TH TINC 5 "Jan 2001" "tinc version 1.0pre4" "FSF"
.SH NAME
tinc.conf \- tinc daemon configuration
.SH "DESCRIPTION"
The files in the \fI/etc/tinc\fR directory contain runtime and
security information for the \fBtinc\fR(8) daemon.
.PP
.SH "NETWORKS"
It is perfectly fine to run more than one tinc daemon. In the default
setup, however, you will soon notice that two daemons cannot use two
different configuration files without the \fI-c\fR option.

tinc offers another way of dealing with this: network names. You call
\fBtincd\fR with the \fI-n\fR argument, which assigns a name to that
daemon.

The effect is that the daemon sets its configuration ``root'' to
\fI/etc/tinc/\fBnn\fI/\fR, where \fBnn\fR is your argument to the
\fI-n\fR option. The daemon also appears in syslog as ``tincd.\fBnn\fR''.

It is not strictly necessary to call tinc with the -n option. In that
case the network name is simply empty and is used as such: tinc then
looks for its files in \fI/etc/tinc/\fR instead of
\fI/etc/tinc/\fBnn\fI/\fR, so the configuration file should be
\fI/etc/tinc/tinc.conf\fR and the passphrases are expected in
\fI/etc/tinc/passphrases/\fR.

It is highly recommended that you use network names, because it makes
much clearer whom each daemon talks to. The rest of this manual assumes
that you do.
.PP
.SH "NAMES"
Each tinc daemon should have a name that is unique in the network it
will be part of. Other tinc daemons use this name to identify it. The
name has to be declared in the \fI/etc/tinc/\fBnn\fI/tinc.conf\fR file.

To make things easy, choose names for your tinc daemon(s) that are both
unique and easy to remember, such as hostnames, owner surnames or
location names.
.PP
.SH "PUBLIC/PRIVATE KEYS"
Use \fBtincd --generate-keys\fR to generate a public/private keypair. It
prints two lines. The line containing the private key should be copied
in its entirety to \fI/etc/tinc/\fBnn\fI/tinc.conf\fR \-\- where
\fBnn\fR stands for the network (see \fBNETWORKS\fR above). The line
containing the public key should be copied in its entirety to
\fI/etc/tinc/\fBnn\fI/hosts/\fBname\fR \-\- where \fBname\fR stands for
the name of the tinc daemon (see \fBNAMES\fR). Because \fItinc.conf\fR
then holds the private key, it must not be readable by other users.
.PP
.SH "SERVER CONFIGURATION"
The server configuration of the daemon is done in the file
\fI/etc/tinc/\fBnn\fI/tinc.conf\fR.

This file consists of comments (lines starting with a \fB#\fR) and
assignments of the form
.PP
.Vb 1
\& \fIVariable \fB= \fIValue\fR.
.Ve
.PP
Variable names are case insensitive, and spaces, tabs, newlines and
carriage returns around the name and the value are ignored.
\fINote\fR: the \fB=\fR sign is not required, but it improves
readability. If you leave it out, replace it with at least one space
character.
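The assignment rules just described, applied by a small reader for a
file in this format: names are matched case-insensitively, the \fB=\fR
is optional, surrounding spaces, tabs and carriage returns are dropped,
\fB#\fR lines are comments, and a variable that may repeat (such as
\fBConnectTo\fR) yields every value. This is an added example, not code
from tinc or from this manual; it assumes only POSIX sh and awk, and the
sample configuration it writes to a temporary file is constructed here
from the placeholder names used in this manual.

```shell
#!/bin/sh
# Added example: read "Variable = Value" assignments from a tinc-style
# configuration file. Not part of tinc; needs only POSIX sh and awk.

# tinc_conf_get NAME FILE
# Prints the value of every assignment to NAME (one per line, in file
# order), so directives that may repeat, such as ConnectTo, are all seen.
# NAME is matched case-insensitively; "=" is optional; leading/trailing
# spaces, tabs and carriage returns are dropped; "#" lines are comments.
tinc_conf_get() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # comment line
        /^[ \t\r]*$/ { next }               # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t\r]+$/, "", line)
            # The name ends at the first run of spaces, tabs or "=".
            if (match(line, /[ \t=]+/)) {
                name  = substr(line, 1, RSTART - 1)
                value = substr(line, RSTART + RLENGTH)
            } else {
                name  = line
                value = ""
            }
            if (tolower(name) == want) print value
        }' "$2"
}

# tinc_conf_count NAME FILE: number of assignments to NAME.
tinc_conf_count() {
    tinc_conf_get "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample, written to a temporary file so the example runs
# without touching /etc/tinc. The names are placeholders, not real hosts.
SAMPLE_CONF=$(mktemp)
printf '%s\n' \
    '# tinc.conf for network nn (constructed sample)' \
    'Name = alpha' \
    'connectto beta' \
    '  ConnectTo=gamma  ' \
    'TapDevice = /dev/tap0' \
    'PingTimeout = 5' \
    > "$SAMPLE_CONF"

# Example use:
#   tinc_conf_get name "$SAMPLE_CONF"       -> alpha
#   tinc_conf_get connectto "$SAMPLE_CONF"  -> beta, then gamma
```

The reader deliberately treats the first run of spaces, tabs or \fB=\fR
as the separator, so "connectto beta", "ConnectTo = beta" and
"ConnectTo=beta" all parse the same way.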
.PP
Here are all valid variables, listed in alphabetical order. The default
value, or whether the variable is required or optional, is given
between parentheses.
.TP
\fBConnectTo\fR = <\fIname\fR> (optional)
Specifies which host to connect to on startup. Multiple \fBConnectTo\fR
variables may be specified; if connecting to the first one fails, tinc
will try the next one, and so on. The names must be known to this tinc
daemon, i.e. there must be a host configuration file for each name on a
ConnectTo line.

If you don't specify a host with \fBConnectTo\fR, tinc won't connect
anywhere, and will instead just listen for incoming connections.
.TP
\fBHostnames\fR = <\fIyes|no\fR> (no)
This option selects whether IP addresses (both real and on the VPN)
should be resolved to hostnames. Since DNS lookups are blocking, this
can hurt tinc's responsiveness, even stopping the daemon for a few
seconds every time it does a lookup if your DNS server is not
responding.

This does not affect resolving the hostnames given in the host
configuration files to IP addresses.
.TP
\fBKeyExpire\fR = <\fIseconds\fR> (3600)
This option controls how long the keys used to encrypt the data remain
valid. Changing keys at regular intervals is common practice: it bounds
how much traffic is protected by any single key, and therefore how much
an attacker gains from recovering one, even though recovering a single
key is considered nearly impossible.
.TP
\fBName\fR = <\fIname\fR> (required)
This is the name which identifies this tinc daemon. It must be unique
within the virtual private network this daemon will connect to.
.TP
\fBPingTimeout\fR = <\fIseconds\fR> (5)
The number of seconds of inactivity that tinc will wait before sending a
probe to the other end. If the other end doesn't answer within that
same number of seconds, the connection is terminated, and the other
daemons are notified of this.
.TP
\fBPrivateKey\fR = <\fIkey\fR>
The private RSA key of this tinc daemon. It allows this tinc daemon to
authenticate itself to other daemons.
.TP
\fBPrivateKeyFile\fR = <\fIfilename\fR>
The file in which the private RSA key of this tinc daemon resides.

Note that exactly one of \fBPrivateKey\fR or \fBPrivateKeyFile\fR must
be specified in the configuration file.
.TP
\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
The ethertap or tun/tap device to use. tinc will automatically detect
what kind of tap device it is.
Note that you can only use one device per daemon. The info pages of the
tinc package contain more information about configuring an ethertap
device for Linux.
.PP
.SH "HOST CONFIGURATION FILES"
The host configuration files contain all information needed to
establish a connection to those hosts. A host configuration file is
also required for the local tinc daemon; it uses it to read in its own
listen port, public key and subnets.

The idea is that these files are ``portable''. You can safely mail your
own host configuration file to someone else. That person can then copy
it to his own hosts directory, and his tinc daemon will be able to
connect to yours. Since host configuration files contain only public
keys, no secrets are revealed by sending out this information. What the
recipient does have to check is that the file really came from you: a
tinc daemon trusts whoever holds the private key matching the
\fBPublicKey\fR in the host file it has, so a host file substituted in
transit means a substituted peer.
.PP
.TP
\fBAddress\fR = <\fIIP address\fR> (required)
The real address or hostname of this tinc daemon.
.TP
\fBPort\fR = <\fIport number\fR> (655)
The port on which this tinc daemon is listening for incoming connections.
.TP
\fBPublicKey\fR = <\fIkey\fR>
The public RSA key of this tinc daemon. It is used to cryptographically
verify its identity and to set up a secure connection.
.TP
\fBPublicKeyFile\fR = <\fIfilename\fR>
The file in which the public RSA key of this tinc daemon resides.

Note that exactly one of \fBPublicKey\fR or \fBPublicKeyFile\fR must be
specified in each host configuration file if you want to be able to
establish a connection with that host.
.TP
\fBSubnet\fR = <\fIaddress/masklength\fR> (optional)
The subnet which this tinc daemon will serve. tinc looks up which other
daemon it should send a packet to by searching for the appropriate
subnet. If the packet's destination matches a subnet, it is sent to the
daemon that has this subnet in its host configuration file. Multiple
Subnet lines can be specified.

At the moment, this directive is only used in the host configuration
file of the local tinc daemon itself. Upcoming versions of tinc will
make it possible to restrict which subnets other hosts may serve.

The subnets must be in a form like \fI192.168.1.0/24\fR, where
192.168.1.0 is the network address and 24 is the number of bits set in
the netmask. Note that subnets like \fI192.168.1.1/24\fR are invalid,
because the host bits are not all zero. Read a networking
howto/FAQ/guide if you don't understand this.
.SH "FILES"
.TP
\fI/etc/tinc/\fR
The top directory for configuration files.
.TP
\fI/etc/tinc/\fBnn\fI/tinc.conf\fR
The default name of the server configuration file for net \fBnn\fR.
.TP
\fI/etc/tinc/\fBnn\fI/hosts/\fR
Host configuration files are kept in this directory.
.TP
\fI/etc/tinc/\fBnn\fI/tinc-up\fR
If an executable file with this name exists, it is executed right after
the tinc daemon has connected to the tap device. It can be used to
ifconfig the network interface.

If the tap device is a tun/tap device, the environment variable
\fB$IFNAME\fR will be set to the name of the network interface.
.TP
\fI/etc/tinc/\fBnn\fI/tinc-down\fR
If an executable file with this name exists, it is executed right
before the tinc daemon closes its connection to the tap device.
.PP
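A worked layout for one network name, following the \fBNETWORKS\fR,
\fBPUBLIC/PRIVATE KEYS\fR, \fBSERVER CONFIGURATION\fR, \fBHOST
CONFIGURATION FILES\fR and \fBFILES\fR sections above. This is an added
example and not part of tinc or of this manual: the network name
\fBnn\fR, the daemon names alpha and beta, the addresses and the subnet
are constructed; the two key lines are placeholders standing in for the
two lines printed by \fBtincd --generate-keys\fR; and the
\fBifconfig\fR invocation written into tinc-up assumes the Linux
syntax. It also checks the \fBSubnet\fR line the way this manual
requires (host bits must be zero), which the manual describes but does
not show how to test.

```shell
#!/bin/sh
# Added example, not part of tinc or this manual: build the configuration
# tree for one network name, with the file modes a private key needs, and
# validate the Subnet line. Pass a scratch ROOT to rehearse it unprivileged.

# prefix_to_mask BITS: dotted netmask for a prefix length 0..32.
prefix_to_mask() {
    m=$(( ($1 == 0) ? 0 : (4294967295 << (32 - $1)) & 4294967295 ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# tinc_check_subnet ADDR/BITS: succeeds only for a canonical network address,
# i.e. every host bit is zero; 192.168.1.0/24 passes, 192.168.1.1/24 fails.
tinc_check_subnet() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; bits=${1#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ $(( n & ((1 << (32 - bits)) - 1) )) -eq 0 ]
}

# tinc_layout ROOT NET NAME PEER REALADDR VPNADDR SUBNET
# Writes ROOT/NET/tinc.conf, ROOT/NET/hosts/NAME and ROOT/NET/tinc-up.
tinc_layout() {
    root=$1; net=$2; me=$3; peer=$4; realaddr=$5; vpnaddr=$6; subnet=$7
    tinc_check_subnet "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
    dir="$root/$net"
    mkdir -p "$dir/hosts"

    # Server configuration. The PrivateKey line must be the one printed by
    # "tincd --generate-keys"; the value here is a constructed placeholder.
    cat > "$dir/tinc.conf" <<EOF
# tinc.conf for network $net
Name = $me
ConnectTo = $peer
TapDevice = /dev/tap0
KeyExpire = 3600
PingTimeout = 5
PrivateKey = REPLACE_WITH_PRIVATE_KEY_LINE_FROM_GENERATE_KEYS
EOF
    chmod 600 "$dir/tinc.conf"   # holds the private key: owner-only

    # Our own host file: where we listen, our public key, the subnet we serve.
    # This is the file that is safe to hand to peers.
    cat > "$dir/hosts/$me" <<EOF
Address = $realaddr
Port = 655
Subnet = $subnet
PublicKey = REPLACE_WITH_PUBLIC_KEY_LINE_FROM_GENERATE_KEYS
EOF
    chmod 644 "$dir/hosts/$me"

    # tinc-up runs after the tap device is opened. \$IFNAME is set only for
    # tun/tap devices, so fall back to tap0 for an ethertap device.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ifconfig "\${IFNAME:-tap0}" $vpnaddr netmask $(prefix_to_mask "${subnet#*/}") up
EOF
    chmod 755 "$dir/tinc-up"
}

# tinc_conf_mode ROOT NET: permission string of tinc.conf, for checking.
tinc_conf_mode() {
    # ls -l is portable; stat's format flags differ between systems.
    ls -l "$1/$2/tinc.conf" | cut -c1-10
}

# Rehearsal in a scratch directory (constructed names and addresses).
SCRATCH=$(mktemp -d)
tinc_layout "$SCRATCH" nn alpha beta 198.51.100.10 10.0.0.1 10.0.0.0/24
```

Run with a scratch directory as ROOT, as the last line does, to inspect
the tree; with /etc/tinc as ROOT it needs root. tinc.conf is made
owner-only because it carries the private key; the hosts file is left
world-readable since it carries only the public key, and the peer name
given to \fBConnectTo\fR must have a host file of its own before the
daemon can connect to it.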
.SH "SEE ALSO"
\fBtincd\fR(8)
.TP
\fBhttp://tinc.nl.linux.org/\fR
.TP
\fBhttp://www.kernelnotes.org/guides/NAG/\fR
.PP
The full documentation for
.B tinc
is maintained as a Texinfo manual. If the
.B info
and
.B tinc
programs are properly installed at your site, the command
.IP
.B info tinc
.PP
should give you access to the complete manual.
.PP
tinc comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions;
see the file COPYING for details.