3352 lines
125 KiB
Text
3352 lines
125 KiB
Text
\input texinfo @c -*-texinfo-*-
|
|
@c %**start of header
|
|
@setfilename tinc.info
|
|
@settitle tinc Manual
|
|
@setchapternewpage odd
|
|
@c %**end of header
|
|
|
|
@include tincinclude.texi
|
|
|
|
@ifinfo
|
|
@dircategory Networking tools
|
|
@direntry
|
|
* tinc: (tinc). The tinc Manual.
|
|
@end direntry
|
|
|
|
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
|
|
|
Copyright @copyright{} 1998-2014 Ivo Timmermans,
|
|
Guus Sliepen <guus@@tinc-vpn.org> and
|
|
Wessel Dankers <wsl@@tinc-vpn.org>.
|
|
|
|
Permission is granted to make and distribute verbatim copies of this
|
|
manual provided the copyright notice and this permission notice are
|
|
preserved on all copies.
|
|
|
|
Permission is granted to copy and distribute modified versions of this
|
|
manual under the conditions for verbatim copying, provided that the
|
|
entire resulting derived work is distributed under the terms of a
|
|
permission notice identical to this one.
|
|
|
|
@end ifinfo
|
|
|
|
@afourpaper
|
|
@paragraphindent none
|
|
@finalout
|
|
|
|
@titlepage
|
|
@title tinc Manual
|
|
@subtitle Setting up a Virtual Private Network with tinc
|
|
@author Ivo Timmermans and Guus Sliepen
|
|
|
|
@page
|
|
@vskip 0pt plus 1filll
|
|
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
|
|
|
Copyright @copyright{} 1998-2014 Ivo Timmermans,
|
|
Guus Sliepen <guus@@tinc-vpn.org> and
|
|
Wessel Dankers <wsl@@tinc-vpn.org>.
|
|
|
|
Permission is granted to make and distribute verbatim copies of this
|
|
manual provided the copyright notice and this permission notice are
|
|
preserved on all copies.
|
|
|
|
Permission is granted to copy and distribute modified versions of this
|
|
manual under the conditions for verbatim copying, provided that the
|
|
entire resulting derived work is distributed under the terms of a
|
|
permission notice identical to this one.
|
|
|
|
@end titlepage
|
|
|
|
@ifnottex
|
|
@c ==================================================================
|
|
@node Top
|
|
@top Top
|
|
|
|
@menu
|
|
* Introduction::
|
|
* Preparations::
|
|
* Installation::
|
|
* Configuration::
|
|
* Running tinc::
|
|
* Controlling tinc::
|
|
* Technical information::
|
|
* Platform specific information::
|
|
* About us::
|
|
* Concept Index:: All used terms explained
|
|
@end menu
|
|
@end ifnottex
|
|
|
|
@c ==================================================================
|
|
@node Introduction
|
|
@chapter Introduction
|
|
|
|
@cindex tinc
|
|
Tinc is a Virtual Private Network (VPN) daemon that uses tunneling and
|
|
encryption to create a secure private network between hosts on the
|
|
Internet.
|
|
|
|
Because the tunnel appears to the IP level network code as a normal
|
|
network device, there is no need to adapt any existing software.
|
|
The encrypted tunnels allows VPN sites to share information with each other
|
|
over the Internet without exposing any information to others.
|
|
|
|
This document is the manual for tinc. Included are chapters on how to
|
|
configure your computer to use tinc, as well as the configuration
|
|
process of tinc itself.
|
|
|
|
@menu
|
|
* Virtual Private Networks::
|
|
* tinc:: About tinc
|
|
* Supported platforms::
|
|
@end menu
|
|
|
|
@c ==================================================================
|
|
@node Virtual Private Networks
|
|
@section Virtual Private Networks
|
|
|
|
@cindex VPN
|
|
A Virtual Private Network or VPN is a network that can only be accessed
|
|
by a few elected computers that participate. This goal is achievable in
|
|
more than just one way.
|
|
|
|
@cindex private
|
|
Private networks can consist of a single stand-alone Ethernet LAN. Or
|
|
even two computers hooked up using a null-modem cable. In these cases,
|
|
it is
|
|
obvious that the network is @emph{private}, no one can access it from the
|
|
outside. But if your computers are linked to the Internet, the network
|
|
is not private anymore, unless one uses firewalls to block all private
|
|
traffic. But then, there is no way to send private data to trusted
|
|
computers on the other end of the Internet.
|
|
|
|
@cindex virtual
|
|
This problem can be solved by using @emph{virtual} networks. Virtual
|
|
networks can live on top of other networks, but they use encapsulation to
|
|
keep using their private address space so they do not interfere with
|
|
the Internet. Mostly, virtual networks appear like a single LAN, even though
|
|
they can span the entire world. But virtual networks can't be secured
|
|
by using firewalls, because the traffic that flows through it has to go
|
|
through the Internet, where other people can look at it.
|
|
|
|
As is the case with either type of VPN, anybody could eavesdrop. Or
|
|
worse, alter data. Hence it's probably advisable to encrypt the data
|
|
that flows over the network.
|
|
|
|
When one introduces encryption, we can form a true VPN. Other people may
|
|
see encrypted traffic, but if they don't know how to decipher it (they
|
|
need to know the key for that), they cannot read the information that flows
|
|
through the VPN. This is what tinc was made for.
|
|
|
|
|
|
@c ==================================================================
|
|
@node tinc
|
|
@section tinc
|
|
|
|
@cindex vpnd
|
|
I really don't quite remember what got us started, but it must have been
|
|
Guus' idea. He wrote a simple implementation (about 50 lines of C) that
|
|
used the ethertap device that Linux knows of since somewhere
|
|
about kernel 2.1.60. It didn't work immediately and he improved it a
|
|
bit. At this stage, the project was still simply called "vpnd".
|
|
|
|
Since then, a lot has changed---to say the least.
|
|
|
|
@cindex tincd
|
|
Tinc now supports encryption, it consists of a single daemon (tincd) for
|
|
both the receiving and sending end, it has become largely
|
|
runtime-configurable---in short, it has become a full-fledged
|
|
professional package.
|
|
|
|
@cindex traditional VPNs
|
|
@cindex scalability
|
|
Tinc also allows more than two sites to connect to eachother and form a single VPN.
|
|
Traditionally VPNs are created by making tunnels, which only have two endpoints.
|
|
Larger VPNs with more sites are created by adding more tunnels.
|
|
Tinc takes another approach: only endpoints are specified,
|
|
the software itself will take care of creating the tunnels.
|
|
This allows for easier configuration and improved scalability.
|
|
|
|
A lot can---and will be---changed. We have a number of things that we would like to
|
|
see in the future releases of tinc. Not everything will be available in
|
|
the near future. Our first objective is to make tinc work perfectly as
|
|
it stands, and then add more advanced features.
|
|
|
|
Meanwhile, we're always open-minded towards new ideas. And we're
|
|
available too.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Supported platforms
|
|
@section Supported platforms
|
|
|
|
@cindex platforms
|
|
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
|
|
with various hardware architectures. These are some of the platforms
|
|
that are supported by the universal tun/tap device driver or other virtual network device drivers.
|
|
Without such a driver, tinc will most
|
|
likely compile and run, but it will not be able to send or receive data
|
|
packets.
|
|
|
|
@cindex release
|
|
For an up to date list of supported platforms, please check the list on
|
|
our website:
|
|
@uref{http://www.tinc-vpn.org/platforms/}.
|
|
|
|
@c
|
|
@c
|
|
@c
|
|
@c
|
|
@c
|
|
@c
|
|
@c Preparing your system
|
|
@c
|
|
@c
|
|
@c
|
|
@c
|
|
@c
|
|
|
|
@c ==================================================================
|
|
@node Preparations
|
|
@chapter Preparations
|
|
|
|
This chapter contains information on how to prepare your system to
|
|
support tinc.
|
|
|
|
@menu
|
|
* Configuring the kernel::
|
|
* Libraries::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuring the kernel
|
|
@section Configuring the kernel
|
|
|
|
@menu
|
|
* Configuration of Linux kernels::
|
|
* Configuration of FreeBSD kernels::
|
|
* Configuration of OpenBSD kernels::
|
|
* Configuration of NetBSD kernels::
|
|
* Configuration of Solaris kernels::
|
|
* Configuration of Darwin (MacOS/X) kernels::
|
|
* Configuration of Windows::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration of Linux kernels
|
|
@subsection Configuration of Linux kernels
|
|
|
|
@cindex Universal tun/tap
|
|
For tinc to work, you need a kernel that supports the Universal tun/tap device.
|
|
Most distributions come with kernels that already support this.
|
|
Here are the options you have to turn on when configuring a new kernel:
|
|
|
|
@example
|
|
Code maturity level options
|
|
[*] Prompt for development and/or incomplete code/drivers
|
|
Network device support
|
|
<M> Universal tun/tap device driver support
|
|
@end example
|
|
|
|
It's not necessary to compile this driver as a module, even if you are going to
|
|
run more than one instance of tinc.
|
|
|
|
If you decide to build the tun/tap driver as a kernel module, add these lines
|
|
to @file{/etc/modules.conf}:
|
|
|
|
@example
|
|
alias char-major-10-200 tun
|
|
@end example
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration of FreeBSD kernels
|
|
@subsection Configuration of FreeBSD kernels
|
|
|
|
For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration.
|
|
The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration of OpenBSD kernels
|
|
@subsection Configuration of OpenBSD kernels
|
|
|
|
For OpenBSD version 2.9 and higher,
|
|
the tun driver is included in the default kernel configuration.
|
|
There is also a kernel patch from @uref{http://diehard.n-r-g.com/stuff/openbsd/}
|
|
which adds a tap device to OpenBSD which should work with tinc,
|
|
but with recent versions of OpenBSD,
|
|
a tun device can act as a tap device by setting the link0 option with ifconfig.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration of NetBSD kernels
|
|
@subsection Configuration of NetBSD kernels
|
|
|
|
For NetBSD version 1.5.2 and higher,
|
|
the tun driver is included in the default kernel configuration.
|
|
|
|
Tunneling IPv6 may not work on NetBSD's tun device.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration of Solaris kernels
|
|
@subsection Configuration of Solaris kernels
|
|
|
|
For Solaris 8 (SunOS 5.8) and higher,
|
|
the tun driver may or may not be included in the default kernel configuration.
|
|
If it isn't, the source can be downloaded from @uref{http://vtun.sourceforge.net/tun/}.
|
|
For x86 and sparc64 architectures, precompiled versions can be found at @uref{http://www.monkey.org/~dugsong/fragroute/}.
|
|
If the @file{net/if_tun.h} header file is missing, install it from the source package.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration of Darwin (MacOS/X) kernels
|
|
@subsection Configuration of Darwin (MacOS/X) kernels
|
|
|
|
Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel.
|
|
Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/},
|
|
which supports both tun and tap style devices,
|
|
and also the driver from from @uref{http://chrisp.de/en/projects/tunnel.html}.
|
|
The former driver is recommended.
|
|
The tunnel driver must be loaded before starting tinc with the following command:
|
|
|
|
@example
|
|
kmodload tunnel
|
|
@end example
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration of Windows
|
|
@subsection Configuration of Windows
|
|
|
|
You will need to install the latest TAP-Win32 driver from OpenVPN.
|
|
You can download it from @uref{http://openvpn.sourceforge.net}.
|
|
Using the Network Connections control panel,
|
|
configure the TAP-Win32 network interface in the same way as you would do from the tinc-up script,
|
|
as explained in the rest of the documentation.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Libraries
|
|
@section Libraries
|
|
|
|
@cindex requirements
|
|
@cindex libraries
|
|
Before you can configure or build tinc, you need to have the OpenSSL, zlib,
|
|
lzo, curses and readline libraries installed on your system. If you try to
|
|
configure tinc without having them installed, configure will give you an error
|
|
message, and stop.
|
|
|
|
@menu
|
|
* OpenSSL::
|
|
* zlib::
|
|
* lzo::
|
|
* libcurses::
|
|
* libreadline::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node OpenSSL
|
|
@subsection OpenSSL
|
|
|
|
@cindex OpenSSL
|
|
For all cryptography-related functions, tinc uses the functions provided
|
|
by the OpenSSL library.
|
|
|
|
If this library is not installed, you wil get an error when configuring
|
|
tinc for build. Support for running tinc with other cryptographic libraries
|
|
installed @emph{may} be added in the future.
|
|
|
|
You can use your operating system's package manager to install this if
|
|
available. Make sure you install the development AND runtime versions
|
|
of this package.
|
|
|
|
If you have to install OpenSSL manually, you can get the source code
|
|
from @url{http://www.openssl.org/}. Instructions on how to configure,
|
|
build and install this package are included within the package. Please
|
|
make sure you build development and runtime libraries (which is the
|
|
default).
|
|
|
|
If you installed the OpenSSL libraries from source, it may be necessary
|
|
to let configure know where they are, by passing configure one of the
|
|
--with-openssl-* parameters.
|
|
|
|
@example
|
|
--with-openssl=DIR OpenSSL library and headers prefix
|
|
--with-openssl-include=DIR OpenSSL headers directory
|
|
(Default is OPENSSL_DIR/include)
|
|
--with-openssl-lib=DIR OpenSSL library directory
|
|
(Default is OPENSSL_DIR/lib)
|
|
@end example
|
|
|
|
|
|
@subsubheading License
|
|
|
|
@cindex license
|
|
The complete source code of tinc is covered by the GNU GPL version 2.
|
|
Since the license under which OpenSSL is distributed is not directly
|
|
compatible with the terms of the GNU GPL
|
|
@uref{http://www.openssl.org/support/faq.html#LEGAL2}, we
|
|
include an exemption to the GPL (see also the file COPYING.README) to allow
|
|
everyone to create a statically or dynamically linked executable:
|
|
|
|
@quotation
|
|
This program is released under the GPL with the additional exemption
|
|
that compiling, linking, and/or using OpenSSL is allowed. You may
|
|
provide binary packages linked to the OpenSSL libraries, provided that
|
|
all other requirements of the GPL are met.
|
|
@end quotation
|
|
|
|
Since the LZO library used by tinc is also covered by the GPL,
|
|
we also present the following exemption:
|
|
|
|
@quotation
|
|
Hereby I grant a special exception to the tinc VPN project
|
|
(http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library
|
|
(http://www.openssl.org).
|
|
|
|
Markus F.X.J. Oberhumer
|
|
@end quotation
|
|
|
|
|
|
@c ==================================================================
|
|
@node zlib
|
|
@subsection zlib
|
|
|
|
@cindex zlib
|
|
For the optional compression of UDP packets, tinc uses the functions provided
|
|
by the zlib library.
|
|
|
|
If this library is not installed, you wil get an error when running the
|
|
configure script. You can either install the zlib library, or disable support
|
|
for zlib compression by using the "--disable-zlib" option when running the
|
|
configure script. Note that if you disable support for zlib, the resulting
|
|
binary will not work correctly on VPNs where zlib compression is used.
|
|
|
|
You can use your operating system's package manager to install this if
|
|
available. Make sure you install the development AND runtime versions
|
|
of this package.
|
|
|
|
If you have to install zlib manually, you can get the source code
|
|
from @url{http://www.gzip.org/zlib/}. Instructions on how to configure,
|
|
build and install this package are included within the package. Please
|
|
make sure you build development and runtime libraries (which is the
|
|
default).
|
|
|
|
|
|
@c ==================================================================
|
|
@node lzo
|
|
@subsection lzo
|
|
|
|
@cindex lzo
|
|
Another form of compression is offered using the LZO library.
|
|
|
|
If this library is not installed, you wil get an error when running the
|
|
configure script. You can either install the LZO library, or disable support
|
|
for LZO compression by using the "--disable-lzo" option when running the
|
|
configure script. Note that if you disable support for LZO, the resulting
|
|
binary will not work correctly on VPNs where LZO compression is used.
|
|
|
|
You can use your operating system's package manager to install this if
|
|
available. Make sure you install the development AND runtime versions
|
|
of this package.
|
|
|
|
If you have to install lzo manually, you can get the source code
|
|
from @url{http://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
|
|
build and install this package are included within the package. Please
|
|
make sure you build development and runtime libraries (which is the
|
|
default).
|
|
|
|
|
|
@c ==================================================================
|
|
@node libcurses
|
|
@subsection libcurses
|
|
|
|
@cindex libcurses
|
|
For the "tinc top" command, tinc requires a curses library.
|
|
|
|
If this library is not installed, you wil get an error when running the
|
|
configure script. You can either install a suitable curses library, or disable
|
|
all functionality that depends on a curses library by using the
|
|
"--disable-curses" option when running the configure script.
|
|
|
|
There are several curses libraries. It is recommended that you install
|
|
"ncurses" (@url{http://invisible-island.net/ncurses/}),
|
|
however other curses libraries should also work.
|
|
In particular, "PDCurses" (@url{http://pdcurses.sourceforge.net/})
|
|
is recommended if you want to compile tinc for Windows.
|
|
|
|
You can use your operating system's package manager to install this if
|
|
available. Make sure you install the development AND runtime versions
|
|
of this package.
|
|
|
|
|
|
@c ==================================================================
|
|
@node libreadline
|
|
@subsection libreadline
|
|
|
|
@cindex libreadline
|
|
For the "tinc" command's shell functionality, tinc uses the readline library.
|
|
|
|
If this library is not installed, you wil get an error when running the
|
|
configure script. You can either install a suitable readline library, or
|
|
disable all functionality that depends on a readline library by using the
|
|
"--disable-readline" option when running the configure script.
|
|
|
|
You can use your operating system's package manager to install this if
|
|
available. Make sure you install the development AND runtime versions
|
|
of this package.
|
|
|
|
If you have to install libreadline manually, you can get the source code from
|
|
@url{http://www.gnu.org/software/readline/}. Instructions on how to configure,
|
|
build and install this package are included within the package. Please make
|
|
sure you build development and runtime libraries (which is the default).
|
|
|
|
|
|
@c
|
|
@c
|
|
@c
|
|
@c Installing tinc
|
|
@c
|
|
@c
|
|
@c
|
|
@c
|
|
|
|
@c ==================================================================
|
|
@node Installation
|
|
@chapter Installation
|
|
|
|
If you use Debian, you may want to install one of the
|
|
precompiled packages for your system. These packages are equipped with
|
|
system startup scripts and sample configurations.
|
|
|
|
If you cannot use one of the precompiled packages, or you want to compile tinc
|
|
for yourself, you can use the source. The source is distributed under
|
|
the GNU General Public License (GPL). Download the source from the
|
|
@uref{http://www.tinc-vpn.org/download/, download page}, which has
|
|
the checksums of these files listed; you may wish to check these with
|
|
md5sum before continuing.
|
|
|
|
Tinc comes in a convenient autoconf/automake package, which you can just
|
|
treat the same as any other package. Which is just untar it, type
|
|
`./configure' and then `make'.
|
|
More detailed instructions are in the file @file{INSTALL}, which is
|
|
included in the source distribution.
|
|
|
|
@menu
|
|
* Building and installing tinc::
|
|
* System files::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Building and installing tinc
|
|
@section Building and installing tinc
|
|
|
|
Detailed instructions on configuring the source, building tinc and installing tinc
|
|
can be found in the file called @file{INSTALL}.
|
|
|
|
@cindex binary package
|
|
If you happen to have a binary package for tinc for your distribution,
|
|
you can use the package management tools of that distribution to install tinc.
|
|
The documentation that comes along with your distribution will tell you how to do that.
|
|
|
|
@menu
|
|
* Darwin (MacOS/X) build environment::
|
|
* Cygwin (Windows) build environment::
|
|
* MinGW (Windows) build environment::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Darwin (MacOS/X) build environment
|
|
@subsection Darwin (MacOS/X) build environment
|
|
|
|
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
|
|
from @uref{http://developer.apple.com/tools/macosxtools.html} and
|
|
a recent version of Fink from @uref{http://www.finkproject.org/}.
|
|
|
|
After installation use fink to download and install the following packages:
|
|
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
|
|
|
|
@c ==================================================================
|
|
@node Cygwin (Windows) build environment
|
|
@subsection Cygwin (Windows) build environment
|
|
|
|
If Cygwin hasn't already been installed, install it directly from
|
|
@uref{http://www.cygwin.com/}.
|
|
|
|
When tinc is compiled in a Cygwin environment, it can only be run in this environment,
|
|
but all programs, including those started outside the Cygwin environment, will be able to use the VPN.
|
|
It will also support all features.
|
|
|
|
@c ==================================================================
|
|
@node MinGW (Windows) build environment
|
|
@subsection MinGW (Windows) build environment
|
|
|
|
You will need to install the MinGW environment from @uref{http://www.mingw.org}.
|
|
|
|
When tinc is compiled using MinGW it runs natively under Windows,
|
|
it is not necessary to keep MinGW installed.
|
|
|
|
When detaching, tinc will install itself as a service,
|
|
which will be restarted automatically after reboots.
|
|
|
|
|
|
@c ==================================================================
|
|
@node System files
|
|
@section System files
|
|
|
|
Before you can run tinc, you must make sure you have all the needed
|
|
files on your system.
|
|
|
|
@menu
|
|
* Device files::
|
|
* Other files::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Device files
|
|
@subsection Device files
|
|
|
|
@cindex device files
|
|
Most operating systems nowadays come with the necessary device files by default,
|
|
or they have a mechanism to create them on demand.
|
|
|
|
If you use Linux and do not have udev installed,
|
|
you may need to create the following device file if it does not exist:
|
|
|
|
@example
|
|
mknod -m 600 /dev/net/tun c 10 200
|
|
@end example
|
|
|
|
|
|
@c ==================================================================
|
|
@node Other files
|
|
@subsection Other files
|
|
|
|
@subsubheading @file{/etc/networks}
|
|
|
|
You may add a line to @file{/etc/networks} so that your VPN will get a
|
|
symbolic name. For example:
|
|
|
|
@example
|
|
myvpn 10.0.0.0
|
|
@end example
|
|
|
|
@subsubheading @file{/etc/services}
|
|
|
|
@cindex port numbers
|
|
You may add this line to @file{/etc/services}. The effect is that you
|
|
may supply a @samp{tinc} as a valid port number to some programs. The
|
|
number 655 is registered with the IANA.
|
|
|
|
@example
|
|
tinc 655/tcp TINC
|
|
tinc 655/udp TINC
|
|
# Ivo Timmermans <ivo@@tinc-vpn.org>
|
|
@end example
|
|
|
|
|
|
@c
|
|
@c
|
|
@c
|
|
@c
|
|
@c Configuring tinc
|
|
@c
|
|
@c
|
|
@c
|
|
@c
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration
|
|
@chapter Configuration
|
|
|
|
@menu
|
|
* Configuration introduction::
|
|
* Multiple networks::
|
|
* How connections work::
|
|
* Configuration files::
|
|
* Network interfaces::
|
|
* Example configuration::
|
|
@end menu
|
|
|
|
@c ==================================================================
|
|
@node Configuration introduction
|
|
@section Configuration introduction
|
|
|
|
Before actually starting to configure tinc and editing files,
|
|
make sure you have read this entire section so you know what to expect.
|
|
Then, make it clear to yourself how you want to organize your VPN:
|
|
What are the nodes (computers running tinc)?
|
|
What IP addresses/subnets do they have?
|
|
What is the network mask of the entire VPN?
|
|
Do you need special firewall rules?
|
|
Do you have to set up masquerading or forwarding rules?
|
|
Do you want to run tinc in router mode or switch mode?
|
|
These questions can only be answered by yourself,
|
|
you will not find the answers in this documentation.
|
|
Make sure you have an adequate understanding of networks in general.
|
|
@cindex Network Administrators Guide
|
|
A good resource on networking is the
|
|
@uref{http://www.tldp.org/LDP/nag2/, Linux Network Administrators Guide}.
|
|
|
|
If you have everything clearly pictured in your mind,
|
|
proceed in the following order:
|
|
First, create the initial configuration files and public/private keypairs using the following command:
|
|
@example
|
|
tinc -n @var{NETNAME} init @var{NAME}
|
|
@end example
|
|
Second, use @samp{tinc -n @var{NETNAME} add ...} to further configure tinc.
|
|
Finally, export your host configuration file using @samp{tinc -n @var{NETNAME} export} and send it to those
|
|
people or computers you want tinc to connect to.
|
|
They should send you their host configuration file back, which you can import using @samp{tinc -n @var{NETNAME} import}.
|
|
|
|
These steps are described in the subsections below.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Multiple networks
|
|
@section Multiple networks
|
|
|
|
@cindex multiple networks
|
|
@cindex netname
|
|
|
|
In order to allow you to run more than one tinc daemon on one computer,
|
|
for instance if your computer is part of more than one VPN,
|
|
you can assign a @var{netname} to your VPN.
|
|
It is not required if you only run one tinc daemon,
|
|
it doesn't even have to be the same on all the nodes of your VPN,
|
|
but it is recommended that you choose one anyway.
|
|
|
|
We will asume you use a netname throughout this document.
|
|
This means that you call tinc with the -n argument,
|
|
which will specify the netname.
|
|
|
|
The effect of this option is that tinc will set its configuration
|
|
root to @file{@value{sysconfdir}/tinc/@var{netname}/}, where @var{netname} is your argument to the -n option.
|
|
You will also notice that log messages it appears in syslog as coming from @file{tinc.@var{netname}},
|
|
and on Linux, unless specified otherwise, the name of the virtual network interface will be the same as the network name.
|
|
|
|
However, it is not strictly necessary that you call tinc with the -n
|
|
option. If you don not use it, the network name will just be empty, and
|
|
tinc will look for files in @file{@value{sysconfdir}/tinc/} instead of
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/};
|
|
the configuration file will then be @file{@value{sysconfdir}/tinc/tinc.conf},
|
|
and the host configuration files are expected to be in @file{@value{sysconfdir}/tinc/hosts/}.
|
|
|
|
|
|
@c ==================================================================
|
|
@node How connections work
|
|
@section How connections work
|
|
|
|
When tinc starts up, it parses the command-line options and then
|
|
reads in the configuration file tinc.conf.
|
|
If it sees one or more `ConnectTo' values pointing to other tinc daemons in that file,
|
|
it will try to connect to those other daemons.
|
|
Whether this succeeds or not and whether `ConnectTo' is specified or not,
|
|
tinc will listen for incoming connection from other deamons.
|
|
If you did specify a `ConnectTo' value and the other side is not responding,
|
|
tinc will keep retrying.
|
|
This means that once started, tinc will stay running until you tell it to stop,
|
|
and failures to connect to other tinc daemons will not stop your tinc daemon
|
|
for trying again later.
|
|
This means you don't have to intervene if there are temporary network problems.
|
|
|
|
@cindex client
|
|
@cindex server
|
|
There is no real distinction between a server and a client in tinc.
|
|
If you wish, you can view a tinc daemon without a `ConnectTo' value as a server,
|
|
and one which does specify such a value as a client.
|
|
It does not matter if two tinc daemons have a `ConnectTo' value pointing to each other however.
|
|
|
|
Connections specified using `ConnectTo' are so-called meta-connections.
|
|
Tinc daemons exchange information about all other daemon they know about via these meta-connections.
|
|
After learning about all the daemons in the VPN,
|
|
tinc will create other connections as necessary in order to communicate with them.
|
|
For example, if there are three daemons named A, B and C, and A has @samp{ConnectTo = B} in its tinc.conf file,
|
|
and C has @samp{ConnectTo = B} in its tinc.conf file, then A will learn about C from B,
|
|
and will be able to exchange VPN packets with C without the need to have @samp{ConnectTo = C} in its tinc.conf file.
|
|
|
|
It could be that some daemons are located behind a Network Address Translation (NAT) device, or behind a firewall.
|
|
In the above scenario with three daemons, if A and C are behind a NAT,
|
|
B will automatically help A and C punch holes through their NAT,
|
|
in a way similar to the STUN protocol, so that A and C can still communicate with each other directly.
|
|
It is not always possible to do this however, and firewalls might also prevent direct communication.
|
|
In that case, VPN packets between A and C will be forwarded by B.
|
|
|
|
In effect, all nodes in the VPN will be able to talk to each other, as long as
|
|
their is a path of meta-connections between them, and whenever possible, two
|
|
nodes will communicate with each other directly.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Configuration files
|
|
@section Configuration files
|
|
|
|
The actual configuration of the daemon is done in the file
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
|
|
|
|
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
|
|
any .conf file will be read.
|
|
|
|
These file consists of comments (lines started with a #) or assignments
|
|
in the form of
|
|
|
|
@example
|
|
Variable = Value.
|
|
@end example
|
|
|
|
The variable names are case insensitive, and any spaces, tabs, newlines
|
|
and carriage returns are ignored. Note: it is not required that you put
|
|
in the `=' sign, but doing so improves readability. If you leave it
|
|
out, remember to replace it with at least one space character.
|
|
|
|
The server configuration is complemented with host specific configuration (see
|
|
the next section). Although all host configuration options for the local node
|
|
listed in this document can also be put in
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf}, it is recommended to
|
|
put host specific configuration options in the host configuration file, as this
|
|
makes it easy to exchange with other nodes.
|
|
|
|
You can edit the config file manually, but it is recommended that you use
|
|
the tinc command to change configuration variables for you.
|
|
|
|
In the following two subsections all valid variables are listed in alphabetical order.
|
|
The default value is given between parentheses,
|
|
other comments are between square brackets.
|
|
|
|
@menu
|
|
* Main configuration variables::
|
|
* Host configuration variables::
|
|
* Scripts::
|
|
* How to configure::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Main configuration variables
|
|
@subsection Main configuration variables
|
|
|
|
@table @asis
|
|
@cindex AddressFamily
|
|
@item AddressFamily = <ipv4|ipv6|any> (any)
|
|
This option affects the address family of listening and outgoing sockets.
|
|
If any is selected, then depending on the operating system
|
|
both IPv4 and IPv6 or just IPv6 listening sockets will be created.
|
|
|
|
@cindex AutoConnect
|
|
@item AutoConnect = <yes|no> (no) [experimental]
|
|
If set to yes, tinc will automatically set up meta connections to other nodes,
|
|
without requiring @var{ConnectTo} variables.
|
|
|
|
@cindex BindToAddress
|
|
@item BindToAddress = <@var{address}> [<@var{port}>]
|
|
This is the same as ListenAddress, however the address given with the BindToAddress option
|
|
will also be used for outgoing connections.
|
|
This is useful if your computer has more than one IPv4 or IPv6 address,
|
|
and you want tinc to only use a specific one for outgoing packets.
|
|
|
|
@cindex BindToInterface
|
|
@item BindToInterface = <@var{interface}> [experimental]
|
|
If you have more than one network interface in your computer, tinc will
|
|
by default listen on all of them for incoming connections. It is
|
|
possible to bind tinc to a single interface like eth0 or ppp0 with this
|
|
variable.
|
|
|
|
This option may not work on all platforms.
|
|
Also, on some platforms it will not actually bind to an interface,
|
|
but rather to the address that the interface has at the moment a socket is created.
|
|
|
|
@cindex Broadcast
|
|
@item Broadcast = <no | mst | direct> (mst) [experimental]
|
|
This option selects the way broadcast packets are sent to other daemons.
|
|
@emph{NOTE: all nodes in a VPN must use the same Broadcast mode, otherwise routing loops can form.}
|
|
|
|
@table @asis
|
|
@item no
|
|
Broadcast packets are never sent to other nodes.
|
|
|
|
@item mst
|
|
Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.
|
|
This ensures broadcast packets reach all nodes.
|
|
|
|
@item direct
|
|
Broadcast packets are sent directly to all nodes that can be reached directly.
|
|
Broadcast packets received from other nodes are never forwarded.
|
|
If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
|
|
@end table
|
|
|
|
@cindex BroadcastSubnet
|
|
@item BroadcastSubnet = @var{address}[/@var{prefixlength}]
|
|
Declares a broadcast subnet.
|
|
Any packet with a destination address falling into such a subnet will be routed as a broadcast
|
|
(provided all nodes have it declared).
|
|
This is most useful to declare subnet broadcast addresses (e.g. 10.42.255.255),
|
|
otherwise tinc won't know what to do with them.
|
|
|
|
Note that global broadcast addresses (MAC ff:ff:ff:ff:ff:ff, IPv4 255.255.255.255),
|
|
as well as multicast space (IPv4 224.0.0.0/4, IPv6 ff00::/8)
|
|
are always considered broadcast addresses and don't need to be declared.
|
|
|
|
@cindex ConnectTo
|
|
@item ConnectTo = <@var{name}>
|
|
Specifies which other tinc daemon to connect to on startup.
|
|
Multiple ConnectTo variables may be specified,
|
|
in which case outgoing connections to each specified tinc daemon are made.
|
|
The names should be known to this tinc daemon
|
|
(i.e., there should be a host configuration file for the name on the ConnectTo line).
|
|
|
|
If you don't specify a host with ConnectTo and don't enable AutoConnect,
|
|
tinc won't try to connect to other daemons at all,
|
|
and will instead just listen for incoming connections.
|
|
|
|
@cindex DecrementTTL
|
|
@item DecrementTTL = <yes | no> (no) [experimental]
|
|
When enabled, tinc will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets,
|
|
before forwarding a received packet to the virtual network device or to another node,
|
|
and will drop packets that have a TTL value of zero,
|
|
in which case it will send an ICMP Time Exceeded packet back.
|
|
|
|
Do not use this option if you use switch mode and want to use IPv6.
|
|
|
|
@cindex Device
|
|
@item Device = <@var{device}> (@file{/dev/tap0}, @file{/dev/net/tun} or other depending on platform)
|
|
The virtual network device to use.
|
|
Tinc will automatically detect what kind of device it is.
|
|
Note that you can only use one device per daemon.
|
|
Under Windows, use @var{Interface} instead of @var{Device}.
|
|
Note that you can only use one device per daemon.
|
|
See also @ref{Device files}.
|
|
|
|
@cindex DeviceStandby
|
|
@item DeviceStandby = <yes | no> (no)
|
|
When disabled, tinc calls @file{tinc-up} on startup, and @file{tinc-down} on shutdown.
|
|
When enabled, tinc will only call @file{tinc-up} when at least one node is reachable,
|
|
and will call @file{tinc-down} as soon as no nodes are reachable.
|
|
On Windows, this also determines when the virtual network interface "cable" is "plugged".
|
|
|
|
@cindex DeviceType
|
|
@item DeviceType = <@var{type}> (platform dependent)
|
|
The type of the virtual network device.
|
|
Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used.
|
|
However, this option can be used to select one of the special interface types, if support for them is compiled in.
|
|
|
|
@table @asis
|
|
@cindex dummy
|
|
@item dummy
|
|
Use a dummy interface.
|
|
No packets are ever read or written to a virtual network device.
|
|
Useful for testing, or when setting up a node that only forwards packets for other nodes.
|
|
|
|
@cindex raw_socket
|
|
@item raw_socket
|
|
Open a raw socket, and bind it to a pre-existing
|
|
@var{Interface} (eth0 by default).
|
|
All packets are read from this interface.
|
|
Packets received for the local node are written to the raw socket.
|
|
However, at least on Linux, the operating system does not process IP packets destined for the local host.
|
|
|
|
@cindex multicast
|
|
@item multicast
|
|
Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using @var{Device}.
|
|
Packets are read from and written to this multicast socket.
|
|
This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address.
|
|
Do NOT connect multiple tinc daemons to the same multicast address, this will very likely cause routing loops.
|
|
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
|
|
|
|
@cindex UML
|
|
@item uml (not compiled in by default)
|
|
Create a UNIX socket with the filename specified by
|
|
@var{Device}, or @file{@value{localstatedir}/run/@var{netname}.umlsocket}
|
|
if not specified.
|
|
Tinc will wait for a User Mode Linux instance to connect to this socket.
|
|
|
|
@cindex VDE
|
|
@item vde (not compiled in by default)
|
|
Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
|
|
using the UNIX socket specified by
|
|
@var{Device}, or @file{@value{localstatedir}/run/vde.ctl}
|
|
if not specified.
|
|
@end table
|
|
|
|
Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
|
|
it can be used to change the way packets are interpreted:
|
|
|
|
@table @asis
|
|
@item tun (BSD and Linux)
|
|
Set type to tun.
|
|
Depending on the platform, this can either be with or without an address family header (see below).
|
|
|
|
@cindex tunnohead
|
|
@item tunnohead (BSD)
|
|
Set type to tun without an address family header.
|
|
Tinc will expect packets read from the virtual network device to start with an IP header.
|
|
On some platforms IPv6 packets cannot be read from or written to the device in this mode.
|
|
|
|
@cindex tunifhead
|
|
@item tunifhead (BSD)
|
|
Set type to tun with an address family header.
|
|
Tinc will expect packets read from the virtual network device
|
|
to start with a four byte header containing the address family,
|
|
followed by an IP header.
|
|
This mode should support both IPv4 and IPv6 packets.
|
|
|
|
@item tap (BSD and Linux)
|
|
Set type to tap.
|
|
Tinc will expect packets read from the virtual network device
|
|
to start with an Ethernet header.
|
|
@end table
|
|
|
|
@cindex DirectOnly
|
|
@item DirectOnly = <yes|no> (no) [experimental]
|
|
When this option is enabled, packets that cannot be sent directly to the destination node,
|
|
but which would have to be forwarded by an intermediate node, are dropped instead.
|
|
When combined with the IndirectData option,
|
|
packets for nodes for which we do not have a meta connection with are also dropped.
|
|
|
|
@cindex Ed25519PrivateKeyFile
|
|
@item Ed25519PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/ed25519_key.priv})
|
|
The file in which the private Ed25519 key of this tinc daemon resides.
|
|
This is only used if ExperimentalProtocol is enabled.
|
|
|
|
@cindex ExperimentalProtocol
|
|
@item ExperimentalProtocol = <yes|no> (yes)
|
|
When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
|
|
Ephemeral ECDH will be used for key exchanges,
|
|
and Ed25519 will be used instead of RSA for authentication.
|
|
When enabled, an Ed25519 key must have been generated before with
|
|
@samp{tinc generate-ed25519-keys}.
|
|
|
|
@cindex Forwarding
|
|
@item Forwarding = <off|internal|kernel> (internal) [experimental]
|
|
This option selects the way indirect packets are forwarded.
|
|
|
|
@table @asis
|
|
@item off
|
|
Incoming packets that are not meant for the local node,
|
|
but which should be forwarded to another node, are dropped.
|
|
|
|
@item internal
|
|
Incoming packets that are meant for another node are forwarded by tinc internally.
|
|
|
|
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
|
|
|
|
@item kernel
|
|
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
|
|
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
|
|
and can also help debugging.
|
|
@end table
|
|
|
|
@cindex Hostnames
|
|
@item Hostnames = <yes|no> (no)
|
|
This option selects whether IP addresses (both real and on the VPN)
|
|
should be resolved. Since DNS lookups are blocking, it might affect
|
|
tinc's efficiency, even stopping the daemon for a few seconds everytime
|
|
it does a lookup if your DNS server is not responding.
|
|
|
|
This does not affect resolving hostnames to IP addresses from the
|
|
configuration file, but whether hostnames should be resolved while logging.
|
|
|
|
@cindex Interface
|
|
@item Interface = <@var{interface}>
|
|
Defines the name of the interface corresponding to the virtual network device.
|
|
Depending on the operating system and the type of device this may or may not actually set the name of the interface.
|
|
Under Windows, this variable is used to select which network interface will be used.
|
|
If you specified a Device, this variable is almost always already correctly set.
|
|
|
|
@cindex ListenAddress
|
|
@item ListenAddress = <@var{address}> [<@var{port}>]
|
|
If your computer has more than one IPv4 or IPv6 address, tinc
|
|
will by default listen on all of them for incoming connections.
|
|
This option can be used to restrict which addresses tinc listens on.
|
|
Multiple ListenAddress variables may be specified,
|
|
in which case listening sockets for each specified address are made.
|
|
|
|
If no @var{port} is specified, the socket will listen on the port specified by the Port option,
|
|
or to port 655 if neither is given.
|
|
To only listen on a specific port but not to a specific address, use "*" for the @var{address}.
|
|
|
|
@cindex LocalDiscovery
|
|
@item LocalDiscovery = <yes | no> (no)
|
|
When enabled, tinc will try to detect peers that are on the same local network.
|
|
This will allow direct communication using LAN addresses, even if both peers are behind a NAT
|
|
and they only ConnectTo a third node outside the NAT,
|
|
which normally would prevent the peers from learning each other's LAN address.
|
|
|
|
Currently, local discovery is implemented by sending some packets to the local address of the node during UDP discovery.
|
|
This will not work with old nodes that don't transmit their local address.
|
|
|
|
@cindex LocalDiscoveryAddress
|
|
@item LocalDiscoveryAddress <@var{address}>
|
|
If this variable is specified, local discovery packets are sent to the given @var{address}.
|
|
|
|
@cindex Mode
|
|
@item Mode = <router|switch|hub> (router)
|
|
This option selects the way packets are routed to other daemons.
|
|
|
|
@table @asis
|
|
@cindex router
|
|
@item router
|
|
In this mode Subnet
|
|
variables in the host configuration files will be used to form a routing table.
|
|
Only packets of routable protocols (IPv4 and IPv6) are supported in this mode.
|
|
|
|
This is the default mode, and unless you really know you need another mode, don't change it.
|
|
|
|
@cindex switch
|
|
@item switch
|
|
In this mode the MAC addresses of the packets on the VPN will be used to
|
|
dynamically create a routing table just like an Ethernet switch does.
|
|
Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
|
|
at the cost of frequent broadcast ARP requests and routing table updates.
|
|
|
|
This mode is primarily useful if you want to bridge Ethernet segments.
|
|
|
|
@cindex hub
|
|
@item hub
|
|
This mode is almost the same as the switch mode, but instead
|
|
every packet will be broadcast to the other daemons
|
|
while no routing table is managed.
|
|
@end table
|
|
|
|
@cindex KeyExpire
|
|
@item KeyExpire = <@var{seconds}> (3600)
|
|
This option controls the time the encryption keys used to encrypt the data
|
|
are valid. It is common practice to change keys at regular intervals to
|
|
make it even harder for crackers, even though it is thought to be nearly
|
|
impossible to crack a single key.
|
|
|
|
@cindex MACExpire
|
|
@item MACExpire = <@var{seconds}> (600)
|
|
This option controls the amount of time MAC addresses are kept before they are removed.
|
|
This only has effect when Mode is set to "switch".
|
|
|
|
@cindex MaxConnectionBurst
|
|
@item MaxConnectionBurst = <@var{count}> (100)
|
|
This option controls how many connections tinc accepts in quick succession.
|
|
If there are more connections than the given number in a short time interval,
|
|
tinc will reduce the number of accepted connections to only one per second,
|
|
until the burst has passed.
|
|
|
|
@cindex Name
|
|
@item Name = <@var{name}> [required]
|
|
This is a symbolic name for this connection.
|
|
The name should consist only of alfanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.
|
|
|
|
If Name starts with a $, then the contents of the environment variable that follows will be used.
|
|
In that case, invalid characters will be converted to underscores.
|
|
If Name is $HOST, but no such environment variable exist,
|
|
the hostname will be read using the gethostname() system call.
|
|
|
|
@cindex PingInterval
|
|
@item PingInterval = <@var{seconds}> (60)
|
|
The number of seconds of inactivity that tinc will wait before sending a
|
|
probe to the other end.
|
|
|
|
@cindex PingTimeout
|
|
@item PingTimeout = <@var{seconds}> (5)
|
|
The number of seconds to wait for a response to pings or to allow meta
|
|
connections to block. If the other end doesn't respond within this time,
|
|
the connection is terminated, and the others will be notified of this.
|
|
|
|
@cindex PriorityInheritance
|
|
@item PriorityInheritance = <yes|no> (no) [experimental]
|
|
When this option is enabled the value of the TOS field of tunneled IPv4 packets
|
|
will be inherited by the UDP packets that are sent out.
|
|
|
|
@cindex PrivateKey
|
|
@item PrivateKey = <@var{key}> [obsolete]
|
|
This is the RSA private key for tinc. However, for safety reasons it is
|
|
advised to store private keys of any kind in separate files. This prevents
|
|
accidental eavesdropping if you are editting the configuration file.
|
|
|
|
@cindex PrivateKeyFile
|
|
@item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv})
|
|
This is the full path name of the RSA private key file that was
|
|
generated by @samp{tinc generate-keys}. It must be a full path, not a
|
|
relative directory.
|
|
|
|
@cindex ProcessPriority
|
|
@item ProcessPriority = <low|normal|high>
|
|
When this option is used the priority of the tincd process will be adjusted.
|
|
Increasing the priority may help to reduce latency and packet loss on the VPN.
|
|
|
|
@cindex Proxy
|
|
@item Proxy = socks4 | socks5 | http | exec @var{...} [experimental]
|
|
Use a proxy when making outgoing connections.
|
|
The following proxy types are currently supported:
|
|
|
|
@table @asis
|
|
@cindex socks4
|
|
@item socks4 <@var{address}> <@var{port}> [<@var{username}>]
|
|
Connects to the proxy using the SOCKS version 4 protocol.
|
|
Optionally, a @var{username} can be supplied which will be passed on to the proxy server.
|
|
|
|
@cindex socks5
|
|
@item socks5 <@var{address}> <@var{port}> [<@var{username}> <@var{password}>]
|
|
Connect to the proxy using the SOCKS version 5 protocol.
|
|
If a @var{username} and @var{password} are given, basic username/password authentication will be used,
|
|
otherwise no authentication will be used.
|
|
|
|
@cindex http
|
|
@item http <@var{address}> <@var{port}>
|
|
Connects to the proxy and sends a HTTP CONNECT request.
|
|
|
|
@cindex exec
|
|
@item exec <@var{command}>
|
|
Executes the given command which should set up the outgoing connection.
|
|
The environment variables @env{NAME}, @env{NODE}, @env{REMOTEADDRES} and @env{REMOTEPORT} are available.
|
|
@end table
|
|
|
|
@cindex ReplayWindow
|
|
@item ReplayWindow = <bytes> (16)
|
|
This is the size of the replay tracking window for each remote node, in bytes.
|
|
The window is a bitfield which tracks 1 packet per bit, so for example
|
|
the default setting of 16 will track up to 128 packets in the window. In high
|
|
bandwidth scenarios, setting this to a higher value can reduce packet loss from
|
|
the interaction of replay tracking with underlying real packet loss and/or
|
|
reordering. Setting this to zero will disable replay tracking completely and
|
|
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
|
|
traffic.
|
|
|
|
@cindex StrictSubnets
|
|
@item StrictSubnets = <yes|no> (no) [experimental]
|
|
When this option is enabled tinc will only use Subnet statements which are
|
|
present in the host config files in the local
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
|
|
Subnets learned via connections to other nodes and which are not
|
|
present in the local host config files are ignored.
|
|
|
|
@cindex TunnelServer
|
|
@item TunnelServer = <yes|no> (no) [experimental]
|
|
When this option is enabled tinc will no longer forward information between other tinc daemons,
|
|
and will only allow connections with nodes for which host config files are present in the local
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
|
|
Setting this options also implicitly sets StrictSubnets.
|
|
|
|
@cindex UDPDiscovey
|
|
@item UDPDiscovery = <yes|no> (yes)
|
|
When this option is enabled tinc will try to establish UDP connectivity to nodes,
|
|
using TCP while it determines if a node is reachable over UDP. If it is disabled,
|
|
tinc always assumes a node is reachable over UDP.
|
|
Note that tinc will never use UDP with nodes that have TCPOnly enabled.
|
|
|
|
@cindex UDPDiscoveryKeepaliveInterval
|
|
@item UDPDiscoveryKeepaliveInterval = <seconds> (9)
|
|
The minimum amount of time between sending UDP ping datagrams to check UDP connectivity once it has been established.
|
|
Note that these pings are large, since they are used to verify link MTU as well.
|
|
|
|
@cindex UDPDiscoveryInterval
|
|
@item UDPDiscoveryInterval = <seconds> (2)
|
|
The minimum amount of time between sending UDP ping datagrams to try to establish UDP connectivity.
|
|
|
|
@cindex UDPDiscoveryTimeout
|
|
@item UDPDiscoveryTimeout = <seconds> (30)
|
|
If tinc doesn't receive any UDP ping replies over the specified interval,
|
|
it will assume UDP communication is broken and will fall back to TCP.
|
|
|
|
@cindex UDPRcvBuf
|
|
@item UDPRcvBuf = <bytes> (OS default)
|
|
Sets the socket receive buffer size for the UDP socket, in bytes.
|
|
If unset, the default buffer size will be used by the operating system.
|
|
|
|
@cindex UDPSndBuf
|
|
@item UDPSndBuf = <bytes> Pq OS default
|
|
Sets the socket send buffer size for the UDP socket, in bytes.
|
|
If unset, the default buffer size will be used by the operating system.
|
|
|
|
@end table
|
|
|
|
|
|
@c ==================================================================
|
|
@node Host configuration variables
|
|
@subsection Host configuration variables
|
|
|
|
@table @asis
|
|
@cindex Address
|
|
@item Address = <@var{IP address}|@var{hostname}> [<port>] [recommended]
|
|
This variable is only required if you want to connect to this host. It
|
|
must resolve to the external IP address where the host can be reached,
|
|
not the one that is internal to the VPN.
|
|
If no port is specified, the default Port is used.
|
|
Multiple Address variables can be specified, in which case each address will be
|
|
tried until a working connection has been established.
|
|
|
|
@cindex Cipher
|
|
@item Cipher = <@var{cipher}> (blowfish)
|
|
The symmetric cipher algorithm used to encrypt UDP packets using the legacy protocol.
|
|
Any cipher supported by OpenSSL is recognized.
|
|
Furthermore, specifying "none" will turn off packet encryption.
|
|
It is best to use only those ciphers which support CBC mode.
|
|
This option has no effect for connections using the SPTPS protocol, which always use AES-256-CTR.
|
|
|
|
@cindex ClampMSS
|
|
@item ClampMSS = <yes|no> (yes)
|
|
This option specifies whether tinc should clamp the maximum segment size (MSS)
|
|
of TCP packets to the path MTU. This helps in situations where ICMP
|
|
Fragmentation Needed or Packet too Big messages are dropped by firewalls.
|
|
|
|
@cindex Compression
|
|
@item Compression = <@var{level}> (0)
|
|
This option sets the level of compression used for UDP packets.
|
|
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
|
10 (fast lzo) and 11 (best lzo).
|
|
|
|
@cindex Digest
|
|
@item Digest = <@var{digest}> (sha1)
|
|
The digest algorithm used to authenticate UDP packets using the legacy protocol.
|
|
Any digest supported by OpenSSL is recognized.
|
|
Furthermore, specifying "none" will turn off packet authentication.
|
|
This option has no effect for connections using the SPTPS protocol, which always use HMAC-SHA-256.
|
|
|
|
@cindex IndirectData
|
|
@item IndirectData = <yes|no> (no)
|
|
When set to yes, other nodes which do not already have a meta connection to you
|
|
will not try to establish direct communication with you.
|
|
It is best to leave this option out or set it to no.
|
|
|
|
@cindex MACLength
|
|
@item MACLength = <@var{bytes}> (4)
|
|
The length of the message authentication code used to authenticate UDP packets using the legacy protocol.
|
|
Can be anything from 0
|
|
up to the length of the digest produced by the digest algorithm.
|
|
This option has no effect for connections using the SPTPS protocol, which never truncate MACs.
|
|
|
|
@cindex PMTU
|
|
@item PMTU = <@var{mtu}> (1514)
|
|
This option controls the initial path MTU to this node.
|
|
|
|
@cindex PMTUDiscovery
|
|
@item PMTUDiscovery = <yes|no> (yes)
|
|
When this option is enabled, tinc will try to discover the path MTU to this node.
|
|
After the path MTU has been discovered, it will be enforced on the VPN.
|
|
|
|
@cindex Port
|
|
@item Port = <@var{port}> (655)
|
|
This is the port this tinc daemon listens on.
|
|
You can use decimal portnumbers or symbolic names (as listed in @file{/etc/services}).
|
|
|
|
@cindex PublicKey
|
|
@item PublicKey = <@var{key}> [obsolete]
|
|
This is the RSA public key for this host.
|
|
|
|
@cindex PublicKeyFile
|
|
@item PublicKeyFile = <@var{path}> [obsolete]
|
|
This is the full path name of the RSA public key file that was generated
|
|
by @samp{tinc generate-keys}. It must be a full path, not a relative
|
|
directory.
|
|
|
|
@cindex PEM format
|
|
From version 1.0pre4 on tinc will store the public key directly into the
|
|
host configuration file in PEM format, the above two options then are not
|
|
necessary. Either the PEM format is used, or exactly
|
|
@strong{one of the above two options} must be specified
|
|
in each host configuration file, if you want to be able to establish a
|
|
connection with that host.
|
|
|
|
@cindex Subnet
|
|
@item Subnet = <@var{address}[/@var{prefixlength}[#@var{weight}]]>
|
|
The subnet which this tinc daemon will serve.
|
|
Tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet.
|
|
If the packet matches a subnet,
|
|
it will be sent to the daemon who has this subnet in his host configuration file.
|
|
Multiple subnet lines can be specified for each daemon.
|
|
|
|
Subnets can either be single MAC, IPv4 or IPv6 addresses,
|
|
in which case a subnet consisting of only that single address is assumed,
|
|
or they can be a IPv4 or IPv6 network address with a prefixlength.
|
|
For example, IPv4 subnets must be in a form like 192.168.1.0/24,
|
|
where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask.
|
|
Note that subnets like 192.168.1.1/24 are invalid!
|
|
Read a networking HOWTO/FAQ/guide if you don't understand this.
|
|
IPv6 subnets are notated like fec0:0:0:1::/64.
|
|
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
|
|
|
|
@cindex CIDR notation
|
|
Prefixlength is the number of bits set to 1 in the netmask part; for
|
|
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
|
|
/22. This conforms to standard CIDR notation as described in
|
|
@uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519}
|
|
|
|
A Subnet can be given a weight to indicate its priority over identical Subnets
|
|
owned by different nodes. The default weight is 10. Lower values indicate
|
|
higher priority. Packets will be sent to the node with the highest priority,
|
|
unless that node is not reachable, in which case the node with the next highest
|
|
priority will be tried, and so on.
|
|
|
|
@cindex TCPonly
|
|
@item TCPonly = <yes|no> (no)
|
|
If this variable is set to yes, then the packets are tunnelled over a
|
|
TCP connection instead of a UDP connection. This is especially useful
|
|
for those who want to run a tinc daemon from behind a masquerading
|
|
firewall, or if UDP packet routing is disabled somehow.
|
|
Setting this options also implicitly sets IndirectData.
|
|
|
|
@cindex Weight
|
|
@item Weight = <weight>
|
|
If this variable is set, it overrides the weight given to connections made with
|
|
another host. A higher weight means a lower priority is given to this
|
|
connection when broadcasting or forwarding packets.
|
|
@end table
|
|
|
|
|
|
@c ==================================================================
|
|
@node Scripts
|
|
@subsection Scripts
|
|
|
|
@cindex scripts
|
|
Apart from reading the server and host configuration files,
|
|
tinc can also run scripts at certain moments.
|
|
Under Windows (not Cygwin), the scripts should have the extension @file{.bat} or @file{.cmd}.
|
|
|
|
@table @file
|
|
@cindex tinc-up
|
|
@item @value{sysconfdir}/tinc/@var{netname}/tinc-up
|
|
This is the most important script.
|
|
If it is present it will be executed right after the tinc daemon has been
|
|
started and has connected to the virtual network device.
|
|
It should be used to set up the corresponding network interface,
|
|
but can also be used to start other things.
|
|
Under Windows you can use the Network Connections control panel instead of creating this script.
|
|
|
|
@cindex tinc-down
|
|
@item @value{sysconfdir}/tinc/@var{netname}/tinc-down
|
|
This script is started right before the tinc daemon quits.
|
|
|
|
@item @value{sysconfdir}/tinc/@var{netname}/hosts/@var{host}-up
|
|
This script is started when the tinc daemon with name @var{host} becomes reachable.
|
|
|
|
@item @value{sysconfdir}/tinc/@var{netname}/hosts/@var{host}-down
|
|
This script is started when the tinc daemon with name @var{host} becomes unreachable.
|
|
|
|
@item @value{sysconfdir}/tinc/@var{netname}/host-up
|
|
This script is started when any host becomes reachable.
|
|
|
|
@item @value{sysconfdir}/tinc/@var{netname}/host-down
|
|
This script is started when any host becomes unreachable.
|
|
|
|
@item @value{sysconfdir}/tinc/@var{netname}/subnet-up
|
|
This script is started when a Subnet becomes reachable.
|
|
The Subnet and the node it belongs to are passed in environment variables.
|
|
|
|
@item @value{sysconfdir}/tinc/@var{netname}/subnet-down
|
|
This script is started when a Subnet becomes unreachable.
|
|
|
|
@item @value{sysconfdir}/tinc/@var{netname}/invitation-created
|
|
This script is started when a new invitation has been created.
|
|
|
|
@item @value{sysconfdir}/tinc/@var{netname}/invitation-accepted
|
|
This script is started when an invitation has been used.
|
|
|
|
@end table
|
|
|
|
@cindex environment variables
|
|
The scripts are started without command line arguments,
|
|
but can make use of certain environment variables.
|
|
Under UNIX like operating systems the names of environment variables must be preceded by a $ in scripts.
|
|
Under Windows, in @file{.bat} or @file{.cmd} files, they have to be put between % signs.
|
|
|
|
@table @env
|
|
@cindex NETNAME
|
|
@item NETNAME
|
|
If a netname was specified, this environment variable contains it.
|
|
|
|
@cindex NAME
|
|
@item NAME
|
|
Contains the name of this tinc daemon.
|
|
|
|
@cindex DEVICE
|
|
@item DEVICE
|
|
Contains the name of the virtual network device that tinc uses.
|
|
|
|
@cindex INTERFACE
|
|
@item INTERFACE
|
|
Contains the name of the virtual network interface that tinc uses.
|
|
This should be used for commands like ifconfig.
|
|
|
|
@cindex NODE
|
|
@item NODE
|
|
When a host becomes (un)reachable, this is set to its name.
|
|
If a subnet becomes (un)reachable, this is set to the owner of that subnet.
|
|
|
|
@cindex REMOTEADDRESS
|
|
@item REMOTEADDRESS
|
|
When a host becomes (un)reachable, this is set to its real address.
|
|
|
|
@cindex REMOTEPORT
|
|
@item REMOTEPORT
|
|
When a host becomes (un)reachable,
|
|
this is set to the port number it uses for communication with other tinc daemons.
|
|
|
|
@cindex SUBNET
|
|
@item SUBNET
|
|
When a subnet becomes (un)reachable, this is set to the subnet.
|
|
|
|
@cindex WEIGHT
|
|
@item WEIGHT
|
|
When a subnet becomes (un)reachable, this is set to the subnet weight.
|
|
|
|
@cindex INVITATION_FILE
|
|
@item INVITATION_FILE
|
|
When the @file{invitation-created} script is called,
|
|
this is set to the file where the invitation details will be stored.
|
|
|
|
@cindex INVITATION_URL
|
|
@item INVITATION_URL
|
|
When the @file{invitation-created} script is called,
|
|
this is set to the invitation URL that has been created.
|
|
@end table
|
|
|
|
Do not forget that under UNIX operating systems,
|
|
you have to make the scripts executable, using the command @samp{chmod a+x script}.
|
|
|
|
|
|
@c ==================================================================
|
|
@node How to configure
|
|
@subsection How to configure
|
|
|
|
@subsubheading Step 1. Creating initial configuration files.
|
|
|
|
The initial directory structure, configuration files and public/private keypairs are created using the following command:
|
|
|
|
@example
|
|
tinc -n @var{netname} init @var{name}
|
|
@end example
|
|
|
|
(You will need to run this as root, or use "sudo".)
|
|
This will create the configuration directory @file{@value{sysconfdir}/tinc/@var{netname}.},
|
|
and inside it will create another directory named @file{hosts/}.
|
|
In the configuration directory, it will create the file @file{tinc.conf} with the following contents:
|
|
|
|
@example
|
|
Name = @var{name}
|
|
@end example
|
|
|
|
It will also create private RSA and Ed25519 keys, which will be stored in the files @file{rsa_key.priv} and @file{ed25519_key.priv}.
|
|
It will also create a host configuration file @file{hosts/@var{name}},
|
|
which will contain the corresponding public RSA and Ed25519 keys.
|
|
|
|
Finally, on UNIX operating systems, it will create an executable script @file{tinc-up},
|
|
which will initially not do anything except warning that you should edit it.
|
|
|
|
@subsubheading Step 2. Modifying the initial configuration.
|
|
|
|
Unless you want to use tinc in switch mode,
|
|
you should now configure which range of addresses you will use on the VPN.
|
|
Let's assume you will be part of a VPN which uses the address range 192.168.0.0/16,
|
|
and you yourself have a smaller portion of that range: 192.168.2.0/24.
|
|
Then you should run the following command:
|
|
|
|
@example
|
|
tinc -n @var{netname} add subnet 192.168.2.0/24
|
|
@end example
|
|
|
|
This will add a Subnet statement to your host configuration file.
|
|
Try opening the file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/@var{name}} in an editor.
|
|
You should now see a file containing the public RSA and Ed25519 keys (which looks like a bunch of random characters),
|
|
and the following line at the bottom:
|
|
|
|
@example
|
|
Subnet = 192.168.2.0/24
|
|
@end example
|
|
|
|
If you will use more than one address range, you can add more Subnets.
|
|
For example, if you also use the IPv6 subnet fec0:0:0:2::/64, you can add it as well:
|
|
|
|
@example
|
|
tinc -n @var{netname} add subnet fec0:0:0:2::/24
|
|
@end example
|
|
|
|
This will add another line to the file @file{hosts/@var{name}}.
|
|
If you make a mistake, you can undo it by simply using @samp{del} instead of @samp{add}.
|
|
|
|
If you want other tinc daemons to create meta-connections to your daemon,
|
|
you should add your public IP address or hostname to your host configuration file.
|
|
For example, if your hostname is foo.example.org, run:
|
|
|
|
@example
|
|
tinc -n @var{netname} add address foo.example.org
|
|
@end example
|
|
|
|
If you already know to which daemons your daemon should make meta-connections,
|
|
you should configure that now as well.
|
|
Suppose you want to connect to a daemon named "bar", run:
|
|
|
|
@example
|
|
tinc -n @var{netname} add connectto bar
|
|
@end example
|
|
|
|
Note that you specify the Name of the other daemon here, not an IP address or hostname!
|
|
When you start tinc, and it tries to make a connection to "bar",
|
|
it will look for a host configuration file named @file{hosts/bar},
|
|
and will read Address statements and public keys from that file.
|
|
|
|
@subsubheading Step 2. Exchanging configuration files.
|
|
|
|
If your daemon has a ConnectTo = bar statement in its @file{tinc.conf} file,
|
|
or if bar has a ConnectTo your daemon, then you both need each other's host configuration files.
|
|
You should send @file{hosts/@var{name}} to bar, and bar should send you his file which you should move to @file{hosts/bar}.
|
|
If you are on a UNIX platform, you can easily send an email containing the necessary information using the following command
|
|
(assuming the owner of bar has the email address bar@@example.org):
|
|
|
|
@example
|
|
tinc -n @var{netname} export | mail -s "My config file" bar@@example.org
|
|
@end example
|
|
|
|
If the owner of bar does the same to send his host configuration file to you,
|
|
you can probably pipe his email through the following command,
|
|
or you can just start this command in a terminal and copy&paste the email:
|
|
|
|
@example
|
|
tinc -n @var{netname} import
|
|
@end example
|
|
|
|
If you are the owner of bar yourself, and you have SSH access to that computer,
|
|
you can also swap the host configuration files using the following command:
|
|
|
|
@example
|
|
tinc -n @var{netname} export \
|
|
| ssh bar.example.org tinc -n @var{netname} exchange \
|
|
| tinc -n @var{netname} import
|
|
@end example
|
|
|
|
You should repeat this for all nodes you ConnectTo, or which ConnectTo you.
|
|
However, remember that you do not need to ConnectTo all nodes in the VPN;
|
|
it is only necessary to create one or a few meta-connections,
|
|
after the connections are made tinc will learn about all the other nodes in the VPN,
|
|
and will automatically make other connections as necessary.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Network interfaces
|
|
@section Network interfaces
|
|
|
|
Before tinc can start transmitting data over the tunnel, it must
|
|
set up the virtual network interface.
|
|
|
|
First, decide which IP addresses you want to have associated with these
|
|
devices, and what network mask they must have.
|
|
|
|
Tinc will open a virtual network device (@file{/dev/tun}, @file{/dev/tap0} or similar),
|
|
which will also create a network interface called something like @samp{tun0}, @samp{tap0}.
|
|
If you are using the Linux tun/tap driver, the network interface will by default have the same name as the @var{netname}.
|
|
Under Windows you can change the name of the network interface from the Network Connections control panel.
|
|
|
|
@cindex tinc-up
|
|
You can configure the network interface by putting ordinary ifconfig, route, and other commands
|
|
to a script named @file{@value{sysconfdir}/tinc/@var{netname}/tinc-up}.
|
|
When tinc starts, this script will be executed. When tinc exits, it will execute the script named
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/tinc-down}, but normally you don't need to create that script.
|
|
You can manually open the script in an editor, or use the following command:
|
|
|
|
@example
|
|
tinc -n @var{netname} edit tinc-up
|
|
@end example
|
|
|
|
An example @file{tinc-up} script, that would be appropriate for the scenario in the previous section, is:
|
|
|
|
@example
|
|
#!/bin/sh
|
|
ifconfig $INTERFACE 192.168.2.1 netmask 255.255.0.0
|
|
ip addr add fec0:0:0:2::/48 dev $INTERFACE
|
|
@end example
|
|
|
|
The first command gives the interface an IPv4 address and a netmask.
|
|
The kernel will also automatically add an IPv4 route to this interface, so normally you don't need
|
|
to add route commands to the @file{tinc-up} script.
|
|
The kernel will also bring the interface up after this command.
|
|
@cindex netmask
|
|
The netmask is the mask of the @emph{entire} VPN network, not just your
|
|
own subnet.
|
|
The second command gives the interface an IPv6 address and netmask,
|
|
which will also automatically add an IPv6 route.
|
|
If you only want to use "ip addr" commands on Linux, don't forget that it doesn't bring the interface up, unlike ifconfig,
|
|
so you need to add @samp{ip link set $INTERFACE up} in that case.
|
|
|
|
The exact syntax of the ifconfig and route commands differs from platform to platform.
|
|
You can look up the commands for setting addresses and adding routes in @ref{Platform specific information},
|
|
but it is best to consult the manpages of those utilities on your platform.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Example configuration
|
|
@section Example configuration
|
|
|
|
|
|
@cindex example
|
|
Imagine the following situation. Branch A of our example `company' wants to connect
|
|
three branch offices in B, C and D using the Internet. All four offices
|
|
have a 24/7 connection to the Internet.
|
|
|
|
A is going to serve as the center of the network. B and C will connect
|
|
to A, and D will connect to C. Each office will be assigned their own IP
|
|
network, 10.x.0.0.
|
|
|
|
@example
|
|
A: net 10.1.0.0 mask 255.255.0.0 gateway 10.1.54.1 internet IP 1.2.3.4
|
|
B: net 10.2.0.0 mask 255.255.0.0 gateway 10.2.1.12 internet IP 2.3.4.5
|
|
C: net 10.3.0.0 mask 255.255.0.0 gateway 10.3.69.254 internet IP 3.4.5.6
|
|
D: net 10.4.0.0 mask 255.255.0.0 gateway 10.4.3.32 internet IP 4.5.6.7
|
|
@end example
|
|
|
|
Here, ``gateway'' is the VPN IP address of the machine that is running the
|
|
tincd, and ``internet IP'' is the IP address of the firewall, which does not
|
|
need to run tincd, but it must do a port forwarding of TCP and UDP on port
|
|
655 (unless otherwise configured).
|
|
|
|
In this example, it is assumed that eth0 is the interface that points to
|
|
the inner (physical) LAN of the office, although this could also be the
|
|
same as the interface that leads to the Internet. The configuration of
|
|
the real interface is also shown as a comment, to give you an idea of
|
|
how these example host is set up. All branches use the netname `company'
|
|
for this particular VPN.
|
|
|
|
Each branch is set up using the @samp{tinc init} and @samp{tinc config} commands,
|
|
here we just show the end results:
|
|
|
|
@subsubheading For Branch A
|
|
|
|
@emph{BranchA} would be configured like this:
|
|
|
|
In @file{@value{sysconfdir}/tinc/company/tinc-up}:
|
|
|
|
@example
|
|
#!/bin/sh
|
|
|
|
# Real interface of internal network:
|
|
# ifconfig eth0 10.1.54.1 netmask 255.255.0.0
|
|
|
|
ifconfig $INTERFACE 10.1.54.1 netmask 255.0.0.0
|
|
@end example
|
|
|
|
and in @file{@value{sysconfdir}/tinc/company/tinc.conf}:
|
|
|
|
@example
|
|
Name = BranchA
|
|
@end example
|
|
|
|
On all hosts, @file{@value{sysconfdir}/tinc/company/hosts/BranchA} contains:
|
|
|
|
@example
|
|
Subnet = 10.1.0.0/16
|
|
Address = 1.2.3.4
|
|
|
|
-----BEGIN RSA PUBLIC KEY-----
|
|
...
|
|
-----END RSA PUBLIC KEY-----
|
|
@end example
|
|
|
|
Note that the IP addresses of eth0 and the VPN interface are the same.
|
|
This is quite possible, if you make sure that the netmasks of the interfaces are different.
|
|
It is in fact recommended to give both real internal network interfaces and VPN interfaces the same IP address,
|
|
since that will make things a lot easier to remember and set up.
|
|
|
|
|
|
@subsubheading For Branch B
|
|
|
|
In @file{@value{sysconfdir}/tinc/company/tinc-up}:
|
|
|
|
@example
|
|
#!/bin/sh
|
|
|
|
# Real interface of internal network:
|
|
# ifconfig eth0 10.2.43.8 netmask 255.255.0.0
|
|
|
|
ifconfig $INTERFACE 10.2.1.12 netmask 255.0.0.0
|
|
@end example
|
|
|
|
and in @file{@value{sysconfdir}/tinc/company/tinc.conf}:
|
|
|
|
@example
|
|
Name = BranchB
|
|
ConnectTo = BranchA
|
|
@end example
|
|
|
|
Note here that the internal address (on eth0) doesn't have to be the
|
|
same as on the VPN interface. Also, ConnectTo is given so that this node will
|
|
always try to connect to BranchA.
|
|
|
|
On all hosts, in @file{@value{sysconfdir}/tinc/company/hosts/BranchB}:
|
|
|
|
@example
|
|
Subnet = 10.2.0.0/16
|
|
Address = 2.3.4.5
|
|
|
|
-----BEGIN RSA PUBLIC KEY-----
|
|
...
|
|
-----END RSA PUBLIC KEY-----
|
|
@end example
|
|
|
|
|
|
@subsubheading For Branch C
|
|
|
|
In @file{@value{sysconfdir}/tinc/company/tinc-up}:
|
|
|
|
@example
|
|
#!/bin/sh
|
|
|
|
# Real interface of internal network:
|
|
# ifconfig eth0 10.3.69.254 netmask 255.255.0.0
|
|
|
|
ifconfig $INTERFACE 10.3.69.254 netmask 255.0.0.0
|
|
@end example
|
|
|
|
and in @file{@value{sysconfdir}/tinc/company/tinc.conf}:
|
|
|
|
@example
|
|
Name = BranchC
|
|
ConnectTo = BranchA
|
|
@end example
|
|
|
|
C already has another daemon that runs on port 655, so they have to
|
|
reserve another port for tinc. It knows the portnumber it has to listen on
|
|
from it's own host configuration file.
|
|
|
|
On all hosts, in @file{@value{sysconfdir}/tinc/company/hosts/BranchC}:
|
|
|
|
@example
|
|
Address = 3.4.5.6
|
|
Subnet = 10.3.0.0/16
|
|
Port = 2000
|
|
|
|
-----BEGIN RSA PUBLIC KEY-----
|
|
...
|
|
-----END RSA PUBLIC KEY-----
|
|
@end example
|
|
|
|
|
|
@subsubheading For Branch D
|
|
|
|
In @file{@value{sysconfdir}/tinc/company/tinc-up}:
|
|
|
|
@example
|
|
#!/bin/sh
|
|
|
|
# Real interface of internal network:
|
|
# ifconfig eth0 10.4.3.32 netmask 255.255.0.0
|
|
|
|
ifconfig $INTERFACE 10.4.3.32 netmask 255.0.0.0
|
|
@end example
|
|
|
|
and in @file{@value{sysconfdir}/tinc/company/tinc.conf}:
|
|
|
|
@example
|
|
Name = BranchD
|
|
ConnectTo = BranchC
|
|
@end example
|
|
|
|
D will be connecting to C, which has a tincd running for this network on
|
|
port 2000. It knows the port number from the host configuration file.
|
|
|
|
On all hosts, in @file{@value{sysconfdir}/tinc/company/hosts/BranchD}:
|
|
|
|
@example
|
|
Subnet = 10.4.0.0/16
|
|
Address = 4.5.6.7
|
|
|
|
-----BEGIN RSA PUBLIC KEY-----
|
|
...
|
|
-----END RSA PUBLIC KEY-----
|
|
@end example
|
|
|
|
@subsubheading Key files
|
|
|
|
A, B, C and D all have their own public/private keypairs:
|
|
|
|
The private RSA key is stored in @file{@value{sysconfdir}/tinc/company/rsa_key.priv},
|
|
the private Ed25519 key is stored in @file{@value{sysconfdir}/tinc/company/ed25519_key.priv},
|
|
and the public RSA and Ed25519 keys are put into the host configuration file in the @file{@value{sysconfdir}/tinc/company/hosts/} directory.
|
|
|
|
@subsubheading Starting
|
|
|
|
After each branch has finished configuration and they have distributed
|
|
the host configuration files amongst them, they can start their tinc daemons.
|
|
They don't necessarily have to wait for the other branches to have started
|
|
their daemons, tinc will try connecting until they are available.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Running tinc
|
|
@chapter Running tinc
|
|
|
|
If everything else is done, you can start tinc by typing the following command:
|
|
|
|
@example
|
|
tinc -n @var{netname} start
|
|
@end example
|
|
|
|
@cindex daemon
|
|
Tinc will detach from the terminal and continue to run in the background like a good daemon.
|
|
If there are any problems however you can try to increase the debug level
|
|
and look in the syslog to find out what the problems are.
|
|
|
|
@menu
|
|
* Runtime options::
|
|
* Signals::
|
|
* Debug levels::
|
|
* Solving problems::
|
|
* Error messages::
|
|
* Sending bug reports::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Runtime options
|
|
@section Runtime options
|
|
|
|
Besides the settings in the configuration file, tinc also accepts some
|
|
command line options.
|
|
|
|
@cindex command line
|
|
@cindex runtime options
|
|
@cindex options
|
|
@c from the manpage
|
|
@table @option
|
|
@item -c, --config=@var{path}
|
|
Read configuration options from the directory @var{path}. The default is
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/}.
|
|
|
|
@item -D, --no-detach
|
|
Don't fork and detach.
|
|
This will also disable the automatic restart mechanism for fatal errors.
|
|
|
|
@cindex debug level
|
|
@item -d, --debug=@var{level}
|
|
Set debug level to @var{level}. The higher the debug level, the more gets
|
|
logged. Everything goes via syslog.
|
|
|
|
@item -n, --net=@var{netname}
|
|
Use configuration for net @var{netname}.
|
|
This will let tinc read all configuration files from
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/}.
|
|
Specifying . for @var{netname} is the same as not specifying any @var{netname}.
|
|
@xref{Multiple networks}.
|
|
|
|
@item --pidfile=@var{filename}
|
|
Store a cookie in @var{filename} which allows tinc to authenticate.
|
|
If unspecified, the default is
|
|
@file{@value{localstatedir}/run/tinc.@var{netname}.pid}.
|
|
|
|
@item -o, --option=[@var{HOST}.]@var{KEY}=@var{VALUE}
|
|
Without specifying a @var{HOST}, this will set server configuration variable @var{KEY} to @var{VALUE}.
|
|
If specified as @var{HOST}.@var{KEY}=@var{VALUE},
|
|
this will set the host configuration variable @var{KEY} of the host named @var{HOST} to @var{VALUE}.
|
|
This option can be used more than once to specify multiple configuration variables.
|
|
|
|
@item -L, --mlock
|
|
Lock tinc into main memory.
|
|
This will prevent sensitive data like shared private keys to be written to the system swap files/partitions.
|
|
|
|
This option is not supported on all platforms.
|
|
|
|
@item --logfile[=@var{file}]
|
|
Write log entries to a file instead of to the system logging facility.
|
|
If @var{file} is omitted, the default is @file{@value{localstatedir}/log/tinc.@var{netname}.log}.
|
|
|
|
@item --bypass-security
|
|
Disables encryption and authentication.
|
|
Only useful for debugging.
|
|
|
|
@item -R, --chroot
|
|
Change process root directory to the directory where the config file is
|
|
located (@file{@value{sysconfdir}/tinc/@var{netname}/} as determined by
|
|
-n/--net option or as given by -c/--config option), for added security.
|
|
The chroot is performed after all the initialization is done, after
|
|
writing pid files and opening network sockets.
|
|
|
|
Note that this option alone does not do any good without -U/--user, below.
|
|
|
|
Note also that tinc can't run scripts anymore (such as tinc-down or host-up),
|
|
unless it's setup to be runnable inside chroot environment.
|
|
|
|
This option is not supported on all platforms.
|
|
@item -U, --user=@var{user}
|
|
Switch to the given @var{user} after initialization, at the same time as
|
|
chroot is performed (see --chroot above). With this option tinc drops
|
|
privileges, for added security.
|
|
|
|
This option is not supported on all platforms.
|
|
|
|
@item --help
|
|
Display a short reminder of these runtime options and terminate.
|
|
|
|
@item --version
|
|
Output version information and exit.
|
|
|
|
@end table
|
|
|
|
@c ==================================================================
|
|
@node Signals
|
|
@section Signals
|
|
|
|
@cindex signals
|
|
You can also send the following signals to a running tincd process:
|
|
|
|
@c from the manpage
|
|
@table @samp
|
|
|
|
@item ALRM
|
|
Forces tinc to try to connect to all uplinks immediately.
|
|
Usually tinc attempts to do this itself,
|
|
but increases the time it waits between the attempts each time it failed,
|
|
and if tinc didn't succeed to connect to an uplink the first time after it started,
|
|
it defaults to the maximum time of 15 minutes.
|
|
|
|
@item HUP
|
|
Partially rereads configuration files.
|
|
Connections to hosts whose host config file are removed are closed.
|
|
New outgoing connections specified in @file{tinc.conf} will be made.
|
|
If the --logfile option is used, this will also close and reopen the log file,
|
|
useful when log rotation is used.
|
|
|
|
@end table
|
|
|
|
@c ==================================================================
|
|
@node Debug levels
|
|
@section Debug levels
|
|
|
|
@cindex debug levels
|
|
The tinc daemon can send a lot of messages to the syslog.
|
|
The higher the debug level, the more messages it will log.
|
|
Each level inherits all messages of the previous level:
|
|
|
|
@c from the manpage
|
|
@table @samp
|
|
|
|
@item 0
|
|
This will log a message indicating tinc has started along with a version number.
|
|
It will also log any serious error.
|
|
|
|
@item 1
|
|
This will log all connections that are made with other tinc daemons.
|
|
|
|
@item 2
|
|
This will log status and error messages from scripts and other tinc daemons.
|
|
|
|
@item 3
|
|
This will log all requests that are exchanged with other tinc daemons. These include
|
|
authentication, key exchange and connection list updates.
|
|
|
|
@item 4
|
|
This will log a copy of everything received on the meta socket.
|
|
|
|
@item 5
|
|
This will log all network traffic over the virtual private network.
|
|
|
|
@end table
|
|
|
|
@c ==================================================================
|
|
@node Solving problems
|
|
@section Solving problems
|
|
|
|
If tinc starts without problems, but if the VPN doesn't work, you will have to find the cause of the problem.
|
|
The first thing to do is to start tinc with a high debug level in the foreground,
|
|
so you can directly see everything tinc logs:
|
|
|
|
@example
|
|
tincd -n @var{netname} -d5 -D
|
|
@end example
|
|
|
|
If tinc does not log any error messages, then you might want to check the following things:
|
|
|
|
@itemize
|
|
@item @file{tinc-up} script
|
|
Does this script contain the right commands?
|
|
Normally you must give the interface the address of this host on the VPN, and the netmask must be big enough so that the entire VPN is covered.
|
|
|
|
@item Subnet
|
|
Does the Subnet (or Subnets) in the host configuration file of this host match the portion of the VPN that belongs to this host?
|
|
|
|
@item Firewalls and NATs
|
|
Do you have a firewall or a NAT device (a masquerading firewall or perhaps an ADSL router that performs masquerading)?
|
|
If so, check that it allows TCP and UDP traffic on port 655.
|
|
If it masquerades and the host running tinc is behind it, make sure that it forwards TCP and UDP traffic to port 655 to the host running tinc.
|
|
You can add @samp{TCPOnly = yes} to your host config file to force tinc to only use a single TCP connection,
|
|
this works through most firewalls and NATs.
|
|
|
|
@end itemize
|
|
|
|
|
|
@c ==================================================================
|
|
@node Error messages
|
|
@section Error messages
|
|
|
|
What follows is a list of the most common error messages you might find in the logs.
|
|
Some of them will only be visible if the debug level is high enough.
|
|
|
|
@table @samp
|
|
@item Could not open /dev/tap0: No such device
|
|
|
|
@itemize
|
|
@item You forgot to `modprobe netlink_dev' or `modprobe ethertap'.
|
|
@item You forgot to compile `Netlink device emulation' in the kernel.
|
|
@end itemize
|
|
|
|
@item Can't write to /dev/net/tun: No such device
|
|
|
|
@itemize
|
|
@item You forgot to `modprobe tun'.
|
|
@item You forgot to compile `Universal TUN/TAP driver' in the kernel.
|
|
@item The tun device is located somewhere else in @file{/dev/}.
|
|
@end itemize
|
|
|
|
@item Network address and prefix length do not match!
|
|
|
|
@itemize
|
|
@item The Subnet field must contain a @emph{network} address, trailing bits should be 0.
|
|
@item If you only want to use one IP address, set the netmask to /32.
|
|
@end itemize
|
|
|
|
@item Error reading RSA key file `rsa_key.priv': No such file or directory
|
|
|
|
@itemize
|
|
@item You forgot to create a public/private keypair.
|
|
@item Specify the complete pathname to the private key file with the @samp{PrivateKeyFile} option.
|
|
@end itemize
|
|
|
|
@item Warning: insecure file permissions for RSA private key file `rsa_key.priv'!
|
|
|
|
@itemize
|
|
@item The private key file is readable by users other than root.
|
|
Use chmod to correct the file permissions.
|
|
@end itemize
|
|
|
|
@item Creating metasocket failed: Address family not supported
|
|
|
|
@itemize
|
|
@item By default tinc tries to create both IPv4 and IPv6 sockets.
|
|
On some platforms this might not be implemented.
|
|
If the logs show @samp{Ready} later on, then at least one metasocket was created,
|
|
and you can ignore this message.
|
|
You can add @samp{AddressFamily = ipv4} to @file{tinc.conf} to prevent this from happening.
|
|
@end itemize
|
|
|
|
@item Cannot route packet: unknown IPv4 destination 1.2.3.4
|
|
|
|
@itemize
|
|
@item You try to send traffic to a host on the VPN for which no Subnet is known.
|
|
@item If it is a broadcast address (ending in .255), it probably is a samba server or a Windows host sending broadcast packets.
|
|
You can ignore it.
|
|
@end itemize
|
|
|
|
@item Cannot route packet: ARP request for unknown address 1.2.3.4
|
|
|
|
@itemize
|
|
@item You try to send traffic to a host on the VPN for which no Subnet is known.
|
|
@end itemize
|
|
|
|
@item Packet with destination 1.2.3.4 is looping back to us!
|
|
|
|
@itemize
|
|
@item Something is not configured right. Packets are being sent out to the
|
|
virtual network device, but according to the Subnet directives in your host configuration
|
|
file, those packets should go to your own host. Most common mistake is that
|
|
you have a Subnet line in your host configuration file with a prefix length which is
|
|
just as large as the prefix of the virtual network interface. The latter should in almost all
|
|
cases be larger. Rethink your configuration.
|
|
Note that you will only see this message if you specified a debug
|
|
level of 5 or higher!
|
|
@item Chances are that a @samp{Subnet = ...} line in the host configuration file of this tinc daemon is wrong.
|
|
Change it to a subnet that is accepted locally by another interface,
|
|
or if that is not the case, try changing the prefix length into /32.
|
|
@end itemize
|
|
|
|
@item Node foo (1.2.3.4) is not reachable
|
|
|
|
@itemize
|
|
@item Node foo does not have a connection anymore, its tinc daemon is not running or its connection to the Internet is broken.
|
|
@end itemize
|
|
|
|
@item Received UDP packet from unknown source 1.2.3.4 (port 12345)
|
|
|
|
@itemize
|
|
@item If you see this only sporadically, it is harmless and caused by a node sending packets using an old key.
|
|
@item If you see this often and another node is not reachable anymore, then a NAT (masquerading firewall) is changing the source address of UDP packets.
|
|
You can add @samp{TCPOnly = yes} to host configuration files to force all VPN traffic to go over a TCP connection.
|
|
@end itemize
|
|
|
|
@item Got bad/bogus/unauthorized REQUEST from foo (1.2.3.4 port 12345)
|
|
|
|
@itemize
|
|
@item Node foo does not have the right public/private keypair.
|
|
Generate new keypairs and distribute them again.
|
|
@item An attacker tries to gain access to your VPN.
|
|
@item A network error caused corruption of metadata sent from foo.
|
|
@end itemize
|
|
|
|
@end table
|
|
|
|
@c ==================================================================
|
|
@node Sending bug reports
|
|
@section Sending bug reports
|
|
|
|
If you really can't find the cause of a problem, or if you suspect tinc is not working right,
|
|
you can send us a bugreport, see @ref{Contact information}.
|
|
Be sure to include the following information in your bugreport:
|
|
|
|
@itemize
|
|
@item A clear description of what you are trying to achieve and what the problem is.
|
|
@item What platform (operating system, version, hardware architecture) and which version of tinc you use.
|
|
@item If compiling tinc fails, a copy of @file{config.log} and the error messages you get.
|
|
@item Otherwise, a copy of @file{tinc.conf}, @file{tinc-up} and all files in the @file{hosts/} directory.
|
|
@item The output of the commands @samp{ifconfig -a} and @samp{route -n} (or @samp{netstat -rn} if that doesn't work).
|
|
@item The output of any command that fails to work as it should (like ping or traceroute).
|
|
@end itemize
|
|
|
|
@c ==================================================================
|
|
@node Controlling tinc
|
|
@chapter Controlling tinc
|
|
|
|
@cindex command line interface
|
|
You can start, stop, control and inspect a running tincd through the tinc
|
|
command. A quick example:
|
|
|
|
@example
|
|
tinc -n @var{netname} reload
|
|
@end example
|
|
|
|
@cindex shell
|
|
If tinc is started without a command, it will act as a shell; it will display a
|
|
prompt, and commands can be entered on the prompt. If tinc is compiled with
|
|
libreadline, history and command completion are available on the prompt. One
|
|
can also pipe a script containing commands through tinc. In that case, lines
|
|
starting with a # symbol will be ignored.
|
|
|
|
@menu
|
|
* tinc runtime options::
|
|
* tinc environment variables::
|
|
* tinc commands::
|
|
* tinc examples::
|
|
* tinc top::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node tinc runtime options
|
|
@section tinc runtime options
|
|
|
|
@c from the manpage
|
|
@table @option
|
|
@item -c, --config=@var{path}
|
|
Read configuration options from the directory @var{path}. The default is
|
|
@file{@value{sysconfdir}/tinc/@var{netname}/}.
|
|
|
|
@item -n, --net=@var{netname}
|
|
Use configuration for net @var{netname}. @xref{Multiple networks}.
|
|
|
|
@item --pidfile=@var{filename}
|
|
Use the cookie from @var{filename} to authenticate with a running tinc daemon.
|
|
If unspecified, the default is
|
|
@file{@value{localstatedir}/run/tinc.@var{netname}.pid}.
|
|
|
|
@item --force
|
|
Force some commands to work despite warnings.
|
|
|
|
@item --help
|
|
Display a short reminder of runtime options and commands, then terminate.
|
|
|
|
@item --version
|
|
Output version information and exit.
|
|
|
|
@end table
|
|
|
|
@c ==================================================================
|
|
@node tinc environment variables
|
|
@section tinc environment variables
|
|
|
|
@table @env
|
|
@cindex NETNAME
|
|
@item NETNAME
|
|
If no netname is specified on the command line with the @option{-n} option,
|
|
the value of this environment variable is used.
|
|
@end table
|
|
|
|
@c ==================================================================
|
|
@node tinc commands
|
|
@section tinc commands
|
|
|
|
@c from the manpage
|
|
@table @code
|
|
|
|
@cindex init
|
|
@item init [@var{name}]
|
|
Create initial configuration files and RSA and Ed25519 keypairs with default length.
|
|
If no @var{name} for this node is given, it will be asked for.
|
|
|
|
@cindex get
|
|
@item get @var{variable}
|
|
Print the current value of configuration variable @var{variable}.
|
|
If more than one variable with the same name exists,
|
|
the value of each of them will be printed on a separate line.
|
|
|
|
@cindex set
|
|
@item set @var{variable} @var{value}
|
|
Set configuration variable @var{variable} to the given @var{value}.
|
|
All previously existing configuration variables with the same name are removed.
|
|
To set a variable for a specific host, use the notation @var{host}.@var{variable}.
|
|
|
|
@cindex add
|
|
@item add @var{variable} @var{value}
|
|
As above, but without removing any previously existing configuration variables.
|
|
If the variable already exists with the given value, nothing happens.
|
|
|
|
@cindex del
|
|
@item del @var{variable} [@var{value}]
|
|
Remove configuration variables with the same name and @var{value}.
|
|
If no @var{value} is given, all configuration variables with the same name will be removed.
|
|
|
|
@cindex edit
|
|
@item edit @var{filename}
|
|
Start an editor for the given configuration file.
|
|
You do not need to specify the full path to the file.
|
|
|
|
@cindex export
|
|
@item export
|
|
Export the host configuration file of the local node to standard output.
|
|
|
|
@cindex export-all
|
|
@item export-all
|
|
Export all host configuration files to standard output.
|
|
|
|
@cindex import
|
|
@item import
|
|
Import host configuration file(s) generated by the tinc export command from standard input.
|
|
Already existing host configuration files are not overwritten unless the option --force is used.
|
|
|
|
@cindex exchange
|
|
@item exchange
|
|
The same as export followed by import.
|
|
|
|
@cindex exchange-all
|
|
@item exchange-all
|
|
The same as export-all followed by import.
|
|
|
|
@cindex invite
|
|
@item invite @var{name}
|
|
Prepares an invitation for a new node with the given @var{name},
|
|
and prints a short invitation URL that can be used with the join command.
|
|
|
|
@cindex join
|
|
@item join [@var{URL}]
|
|
Join an existing VPN using an invitation URL created using the invite command.
|
|
If no @var{URL} is given, it will be read from standard input.
|
|
|
|
@cindex start
|
|
@item start [tincd options]
|
|
Start @samp{tincd}, optionally with the given extra options.
|
|
|
|
@cindex stop
|
|
@item stop
|
|
Stop @samp{tincd}.
|
|
|
|
@cindex restart
|
|
@item restart [tincd options]
|
|
Restart @samp{tincd}, optionally with the given extra options.
|
|
|
|
@cindex reload
|
|
@item reload
|
|
Partially rereads configuration files. Connections to hosts whose host
|
|
config files are removed are closed. New outgoing connections specified
|
|
in @file{tinc.conf} will be made.
|
|
|
|
@cindex pid
|
|
@item pid
|
|
Shows the PID of the currently running @samp{tincd}.
|
|
|
|
@cindex generate-keys
|
|
@item generate-keys [@var{bits}]
|
|
Generate both RSA and Ed25519 keypairs (see below) and exit.
|
|
tinc will ask where you want to store the files, but will default to the
|
|
configuration directory (you can use the -c or -n option).
|
|
|
|
@cindex generate-ed25519-keys
|
|
@item generate-ed25519-keys
|
|
Generate public/private Ed25519 keypair and exit.
|
|
|
|
@cindex generate-rsa-keys
|
|
@item generate-rsa-keys [@var{bits}]
|
|
Generate public/private RSA keypair and exit. If @var{bits} is omitted, the
|
|
default length will be 2048 bits. When saving keys to existing files, tinc
|
|
will not delete the old keys; you have to remove them manually.
|
|
|
|
@cindex dump
|
|
@item dump [reachable] nodes
|
|
Dump a list of all known nodes in the VPN.
|
|
If the reachable keyword is used, only lists reachable nodes.
|
|
|
|
@item dump edges
|
|
Dump a list of all known connections in the VPN.
|
|
|
|
@item dump subnets
|
|
Dump a list of all known subnets in the VPN.
|
|
|
|
@item dump connections
|
|
Dump a list of all meta connections with ourself.
|
|
|
|
@cindex graph
|
|
@item dump graph | digraph
|
|
Dump a graph of the VPN in dotty format.
|
|
Nodes are colored according to their reachability:
|
|
red nodes are unreachable, orange nodes are indirectly reachable, green nodes are directly reachable.
|
|
Black nodes are either directly or indirectly reachable, but direct reachability has not been tried yet.
|
|
|
|
@cindex info
|
|
@item info @var{node} | @var{subnet} | @var{address}
|
|
Show information about a particular @var{node}, @var{subnet} or @var{address}.
|
|
If an @var{address} is given, any matching subnet will be shown.
|
|
|
|
@cindex purge
|
|
@item purge
|
|
Purges all information remembered about unreachable nodes.
|
|
|
|
@cindex debug
|
|
@item debug @var{level}
|
|
Sets debug level to @var{level}.
|
|
|
|
@cindex log
|
|
@item log [@var{level}]
|
|
Capture log messages from a running tinc daemon.
|
|
An optional debug level can be given that will be applied only for log messages sent to tinc.
|
|
|
|
@cindex retry
|
|
@item retry
|
|
Forces tinc to try to connect to all uplinks immediately.
|
|
Usually tinc attempts to do this itself,
|
|
but increases the time it waits between the attempts each time it failed,
|
|
and if tinc didn't succeed to connect to an uplink the first time after it started,
|
|
it defaults to the maximum time of 15 minutes.
|
|
|
|
@cindex disconnect
|
|
@item disconnect @var{node}
|
|
Closes the meta connection with the given @var{node}.
|
|
|
|
@cindex top
|
|
@item top
|
|
If tinc is compiled with libcurses support, this will display live traffic statistics for all the known nodes,
|
|
similar to the UNIX top command.
|
|
See below for more information.
|
|
|
|
@cindex pcap
|
|
@item pcap
|
|
Dump VPN traffic going through the local tinc node in pcap-savefile format to standard output,
|
|
from where it can be redirected to a file or piped through a program that can parse it directly,
|
|
such as tcpdump.
|
|
|
|
@cindex network
|
|
@item network [@var{netname}]
|
|
If @var{netname} is given, switch to that network.
|
|
Otherwise, display a list of all networks for which configuration files exist.
|
|
|
|
@cindex fsck
|
|
@item fsck
|
|
This will check the configuration files for possible problems,
|
|
such as unsafe file permissions, missing executable bit on script,
|
|
unknown and obsolete configuration variables, wrong public and/or private keys, and so on.
|
|
|
|
When problems are found, this will be printed on a line with WARNING or ERROR in front of it.
|
|
Most problems must be corrected by the user itself, however in some cases (like file permissions and missing public keys),
|
|
tinc will ask if it should fix the problem.
|
|
|
|
@end table
|
|
|
|
@c ==================================================================
|
|
@node tinc examples
|
|
@section tinc examples
|
|
|
|
Examples of some commands:
|
|
|
|
@example
|
|
tinc -n vpn dump graph | circo -Txlib
|
|
tinc -n vpn pcap | tcpdump -r -
|
|
tinc -n vpn top
|
|
@end example
|
|
|
|
Examples of changing the configuration using tinc:
|
|
|
|
@example
|
|
tinc -n vpn init foo
|
|
tinc -n vpn add Subnet 192.168.1.0/24
|
|
tinc -n vpn add bar.Address bar.example.com
|
|
tinc -n vpn add ConnectTo bar
|
|
tinc -n vpn export | gpg --clearsign | mail -s "My config" vpnmaster@@example.com
|
|
@end example
|
|
|
|
@c ==================================================================
|
|
@node tinc top
|
|
@section tinc top
|
|
|
|
@cindex top
|
|
The top command connects to a running tinc daemon and repeatedly queries its per-node traffic counters.
|
|
It displays a list of all the known nodes in the left-most column,
|
|
and the amount of bytes and packets read from and sent to each node in the other columns.
|
|
By default, the information is updated every second.
|
|
The behaviour of the top command can be changed using the following keys:
|
|
|
|
@table @key
|
|
|
|
@item s
|
|
Change the interval between updates.
|
|
After pressing the @key{s} key, enter the desired interval in seconds, followed by enter.
|
|
Fractional seconds are honored.
|
|
Intervals lower than 0.1 seconds are not allowed.
|
|
|
|
@item c
|
|
Toggle between displaying current traffic rates (in packets and bytes per second)
|
|
and cummulative traffic (total packets and bytes since the tinc daemon started).
|
|
|
|
@item n
|
|
Sort the list of nodes by name.
|
|
|
|
@item i
|
|
Sort the list of nodes by incoming amount of bytes.
|
|
|
|
@item I
|
|
Sort the list of nodes by incoming amount of packets.
|
|
|
|
@item o
|
|
Sort the list of nodes by outgoing amount of bytes.
|
|
|
|
@item O
|
|
Sort the list of nodes by outgoing amount of packets.
|
|
|
|
@item t
|
|
Sort the list of nodes by sum of incoming and outgoing amount of bytes.
|
|
|
|
@item T
|
|
Sort the list of nodes by sum of incoming and outgoing amount of packets.
|
|
|
|
@item b
|
|
Show amount of traffic in bytes.
|
|
|
|
@item k
|
|
Show amount of traffic in kilobytes.
|
|
|
|
@item M
|
|
Show amount of traffic in megabytes.
|
|
|
|
@item G
|
|
Show amount of traffic in gigabytes.
|
|
|
|
@item q
|
|
Quit.
|
|
|
|
@end table
|
|
|
|
|
|
@c ==================================================================
|
|
@node Technical information
|
|
@chapter Technical information
|
|
|
|
|
|
@menu
|
|
* The connection::
|
|
* The meta-protocol::
|
|
* Security::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node The connection
|
|
@section The connection
|
|
|
|
@cindex connection
|
|
Tinc is a daemon that takes VPN data and transmit that to another host
|
|
computer over the existing Internet infrastructure.
|
|
|
|
@menu
|
|
* The UDP tunnel::
|
|
* The meta-connection::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node The UDP tunnel
|
|
@subsection The UDP tunnel
|
|
|
|
@cindex virtual network device
|
|
@cindex frame type
|
|
The data itself is read from a character device file, the so-called
|
|
@emph{virtual network device}. This device is associated with a network
|
|
interface. Any data sent to this interface can be read from the device,
|
|
and any data written to the device gets sent from the interface.
|
|
There are two possible types of virtual network devices:
|
|
`tun' style, which are point-to-point devices which can only handle IPv4 and/or IPv6 packets,
|
|
and `tap' style, which are Ethernet devices and handle complete Ethernet frames.
|
|
|
|
So when tinc reads an Ethernet frame from the device, it determines its
|
|
type. When tinc is in it's default routing mode, it can handle IPv4 and IPv6
|
|
packets. Depending on the Subnet lines, it will send the packets off to their destination IP address.
|
|
In the `switch' and `hub' mode, tinc will use broadcasts and MAC address discovery
|
|
to deduce the destination of the packets.
|
|
Since the latter modes only depend on the link layer information,
|
|
any protocol that runs over Ethernet is supported (for instance IPX and Appletalk).
|
|
However, only `tap' style devices provide this information.
|
|
|
|
After the destination has been determined,
|
|
the packet will be compressed (optionally),
|
|
a sequence number will be added to the packet,
|
|
the packet will then be encrypted
|
|
and a message authentication code will be appended.
|
|
|
|
@cindex encapsulating
|
|
@cindex UDP
|
|
When that is done, time has come to actually transport the
|
|
packet to the destination computer. We do this by sending the packet
|
|
over an UDP connection to the destination host. This is called
|
|
@emph{encapsulating}, the VPN packet (though now encrypted) is
|
|
encapsulated in another IP datagram.
|
|
|
|
When the destination receives this packet, the same thing happens, only
|
|
in reverse. So it checks the message authentication code, decrypts the contents of the UDP datagram,
|
|
checks the sequence number
|
|
and writes the decrypted information to its own virtual network device.
|
|
|
|
If the virtual network device is a `tun' device (a point-to-point tunnel),
|
|
there is no problem for the kernel to accept a packet.
|
|
However, if it is a `tap' device (this is the only available type on FreeBSD),
|
|
the destination MAC address must match that of the virtual network interface.
|
|
If tinc is in it's default routing mode, ARP does not work, so the correct destination MAC
|
|
can not be known by the sending host.
|
|
Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface
|
|
and overwriting the destination MAC address of the received packet.
|
|
|
|
In switch or hub modes ARP does work so the sender already knows the correct destination MAC address.
|
|
In those modes every interface should have a unique MAC address, so make sure they are not the same.
|
|
Because switch and hub modes rely on MAC addresses to function correctly,
|
|
these modes cannot be used on the following operating systems which don't have a `tap' style virtual network device:
|
|
OpenBSD, NetBSD, Darwin and Solaris.
|
|
|
|
|
|
@c ==================================================================
|
|
@node The meta-connection
|
|
@subsection The meta-connection
|
|
|
|
Having only a UDP connection available is not enough. Though suitable
|
|
for transmitting data, we want to be able to reliably send other
|
|
information, such as routing and session key information to somebody.
|
|
|
|
@cindex TCP
|
|
TCP is a better alternative, because it already contains protection
|
|
against information being lost, unlike UDP.
|
|
|
|
So we establish two connections. One for the encrypted VPN data, and one
|
|
for other information, the meta-data. Hence, we call the second
|
|
connection the meta-connection. We can now be sure that the
|
|
meta-information doesn't get lost on the way to another computer.
|
|
|
|
@cindex data-protocol
|
|
@cindex meta-protocol
|
|
Like with any communication, we must have a protocol, so that everybody
|
|
knows what everything stands for, and how she should react. Because we
|
|
have two connections, we also have two protocols. The protocol used for
|
|
the UDP data is the ``data-protocol,'' the other one is the
|
|
``meta-protocol.''
|
|
|
|
The reason we don't use TCP for both protocols is that UDP is much
|
|
better for encapsulation, even while it is less reliable. The real
|
|
problem is that when TCP would be used to encapsulate a TCP stream
|
|
that's on the private network, for every packet sent there would be
|
|
three ACKs sent instead of just one. Furthermore, if there would be
|
|
a timeout, both TCP streams would sense the timeout, and both would
|
|
start re-sending packets.
|
|
|
|
|
|
@c ==================================================================
|
|
@node The meta-protocol
|
|
@section The meta-protocol
|
|
|
|
The meta protocol is used to tie all tinc daemons together, and
|
|
exchange information about which tinc daemon serves which virtual
|
|
subnet.
|
|
|
|
The meta protocol consists of requests that can be sent to the other
|
|
side. Each request has a unique number and several parameters. All
|
|
requests are represented in the standard ASCII character set. It is
|
|
possible to use tools such as telnet or netcat to connect to a tinc
|
|
daemon started with the --bypass-security option
|
|
and to read and write requests by hand, provided that one
|
|
understands the numeric codes sent.
|
|
|
|
The authentication scheme is described in @ref{Security}. After a
|
|
successful authentication, the server and the client will exchange all the
|
|
information about other tinc daemons and subnets they know of, so that both
|
|
sides (and all the other tinc daemons behind them) have their information
|
|
synchronised.
|
|
|
|
@cindex ADD_EDGE
|
|
@cindex ADD_SUBNET
|
|
@example
|
|
message
|
|
------------------------------------------------------------------
|
|
ADD_EDGE node1 node2 21.32.43.54 655 222 0
|
|
| | | | | +-> options
|
|
| | | | +----> weight
|
|
| | | +--------> UDP port of node2
|
|
| | +----------------> real address of node2
|
|
| +-------------------------> name of destination node
|
|
+-------------------------------> name of source node
|
|
|
|
ADD_SUBNET node 192.168.1.0/24
|
|
| | +--> prefixlength
|
|
| +--------> network address
|
|
+------------------> owner of this subnet
|
|
------------------------------------------------------------------
|
|
@end example
|
|
|
|
The ADD_EDGE messages are to inform other tinc daemons that a connection between
|
|
two nodes exist. The address of the destination node is available so that
|
|
VPN packets can be sent directly to that node.
|
|
|
|
The ADD_SUBNET messages inform other tinc daemons that certain subnets belong
|
|
to certain nodes. tinc will use it to determine to which node a VPN packet has
|
|
to be sent.
|
|
|
|
@cindex DEL_EDGE
|
|
@cindex DEL_SUBNET
|
|
@example
|
|
message
|
|
------------------------------------------------------------------
|
|
DEL_EDGE node1 node2
|
|
| +----> name of destination node
|
|
+----------> name of source node
|
|
|
|
DEL_SUBNET node 192.168.1.0/24
|
|
| | +--> prefixlength
|
|
| +--------> network address
|
|
+------------------> owner of this subnet
|
|
------------------------------------------------------------------
|
|
@end example
|
|
|
|
In case a connection between two daemons is closed or broken, DEL_EDGE messages
|
|
are sent to inform the other daemons of that fact. Each daemon will calculate a
|
|
new route to the the daemons, or mark them unreachable if there isn't any.
|
|
|
|
@cindex REQ_KEY
|
|
@cindex ANS_KEY
|
|
@cindex KEY_CHANGED
|
|
@example
|
|
message
|
|
------------------------------------------------------------------
|
|
REQ_KEY origin destination
|
|
| +--> name of the tinc daemon it wants the key from
|
|
+----------> name of the daemon that wants the key
|
|
|
|
ANS_KEY origin destination 4ae0b0a82d6e0078 91 64 4
|
|
| | \______________/ | | +--> MAC length
|
|
| | | | +-----> digest algorithm
|
|
| | | +--------> cipher algorithm
|
|
| | +--> 128 bits key
|
|
| +--> name of the daemon that wants the key
|
|
+----------> name of the daemon that uses this key
|
|
|
|
KEY_CHANGED origin
|
|
+--> daemon that has changed it's packet key
|
|
------------------------------------------------------------------
|
|
@end example
|
|
|
|
The keys used to encrypt VPN packets are not sent out directly. This is
|
|
because it would generate a lot of traffic on VPNs with many daemons, and
|
|
chances are that not every tinc daemon will ever send a packet to every
|
|
other daemon. Instead, if a daemon needs a key it sends a request for it
|
|
via the meta connection of the nearest hop in the direction of the
|
|
destination.
|
|
|
|
@cindex PING
|
|
@cindex PONG
|
|
@example
|
|
daemon message
|
|
------------------------------------------------------------------
|
|
origin PING
|
|
dest. PONG
|
|
------------------------------------------------------------------
|
|
@end example
|
|
|
|
There is also a mechanism to check if hosts are still alive. Since network
|
|
failures or a crash can cause a daemon to be killed without properly
|
|
shutting down the TCP connection, this is necessary to keep an up to date
|
|
connection list. PINGs are sent at regular intervals, except when there
|
|
is also some other traffic. A little bit of salt (random data) is added
|
|
with each PING and PONG message, to make sure that long sequences of PING/PONG
|
|
messages without any other traffic won't result in known plaintext.
|
|
|
|
This basically covers what is sent over the meta connection by tinc.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Security
|
|
@section Security
|
|
|
|
@cindex TINC
|
|
@cindex Cabal
|
|
Tinc got its name from ``TINC,'' short for @emph{There Is No Cabal}; the
|
|
alleged Cabal was/is an organisation that was said to keep an eye on the
|
|
entire Internet. As this is exactly what you @emph{don't} want, we named
|
|
the tinc project after TINC.
|
|
|
|
@cindex SVPN
|
|
But in order to be ``immune'' to eavesdropping, you'll have to encrypt
|
|
your data. Because tinc is a @emph{Secure} VPN (SVPN) daemon, it does
|
|
exactly that: encrypt.
|
|
However, encryption in itself does not prevent an attacker from modifying the encrypted data.
|
|
Therefore, tinc also authenticates the data.
|
|
Finally, tinc uses sequence numbers (which themselves are also authenticated) to prevent an attacker from replaying valid packets.
|
|
|
|
Since version 1.1pre3, tinc has two protocols used to protect your data; the legacy protocol, and the new Simple Peer-to-Peer Security (SPTPS) protocol.
|
|
The SPTPS protocol is designed to address some weaknesses in the legacy protocol.
|
|
The new authentication protocol is used when two nodes connect to each other that both have the ExperimentalProtocol option set to yes,
|
|
otherwise the legacy protocol will be used.
|
|
|
|
@menu
|
|
* Legacy authentication protocol::
|
|
* Simple Peer-to-Peer Security::
|
|
* Encryption of network packets::
|
|
* Security issues::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Legacy authentication protocol
|
|
@subsection Legacy authentication protocol
|
|
|
|
@cindex legacy authentication protocol
|
|
|
|
@cindex ID
|
|
@cindex META_KEY
|
|
@cindex CHALLENGE
|
|
@cindex CHAL_REPLY
|
|
@cindex ACK
|
|
@example
|
|
daemon message
|
|
--------------------------------------------------------------------------
|
|
client <attempts connection>
|
|
|
|
server <accepts connection>
|
|
|
|
client ID client 17.2
|
|
| | +-> minor protocol version
|
|
| +----> major protocol version
|
|
+--------> name of tinc daemon
|
|
|
|
server ID server 17.2
|
|
| | +-> minor protocol version
|
|
| +----> major protocol version
|
|
+--------> name of tinc daemon
|
|
|
|
client META_KEY 94 64 0 0 5f0823a93e35b69e...7086ec7866ce582b
|
|
| | | | \_________________________________/
|
|
| | | | +-> RSAKEYLEN bits totally random string S1,
|
|
| | | | encrypted with server's public RSA key
|
|
| | | +-> compression level
|
|
| | +---> MAC length
|
|
| +------> digest algorithm NID
|
|
+---------> cipher algorithm NID
|
|
|
|
server META_KEY 94 64 0 0 6ab9c1640388f8f0...45d1a07f8a672630
|
|
| | | | \_________________________________/
|
|
| | | | +-> RSAKEYLEN bits totally random string S2,
|
|
| | | | encrypted with client's public RSA key
|
|
| | | +-> compression level
|
|
| | +---> MAC length
|
|
| +------> digest algorithm NID
|
|
+---------> cipher algorithm NID
|
|
--------------------------------------------------------------------------
|
|
@end example
|
|
|
|
The protocol allows each side to specify encryption algorithms and parameters,
|
|
but in practice they are always fixed, since older versions of tinc did not
|
|
allow them to be different from the default values. The cipher is always
|
|
Blowfish in OFB mode, the digest is SHA1, but the MAC length is zero and no
|
|
compression is used.
|
|
|
|
From now on:
|
|
@itemize
|
|
@item the client will symmetrically encrypt outgoing traffic using S1
|
|
@item the server will symmetrically encrypt outgoing traffic using S2
|
|
@end itemize
|
|
|
|
@example
|
|
--------------------------------------------------------------------------
|
|
client CHALLENGE da02add1817c1920989ba6ae2a49cecbda0
|
|
\_________________________________/
|
|
+-> CHALLEN bits totally random string H1
|
|
|
|
server CHALLENGE 57fb4b2ccd70d6bb35a64c142f47e61d57f
|
|
\_________________________________/
|
|
+-> CHALLEN bits totally random string H2
|
|
|
|
client CHAL_REPLY 816a86
|
|
+-> 160 bits SHA1 of H2
|
|
|
|
server CHAL_REPLY 928ffe
|
|
+-> 160 bits SHA1 of H1
|
|
|
|
After the correct challenge replies are received, both ends have proved
|
|
their identity. Further information is exchanged.
|
|
|
|
client ACK 655 123 0
|
|
| | +-> options
|
|
| +----> estimated weight
|
|
+--------> listening port of client
|
|
|
|
server ACK 655 321 0
|
|
| | +-> options
|
|
| +----> estimated weight
|
|
+--------> listening port of server
|
|
--------------------------------------------------------------------------
|
|
@end example
|
|
|
|
This legacy authentication protocol has several weaknesses, pointed out by security export Peter Gutmann.
|
|
First, data is encrypted with RSA without padding.
|
|
Padding schemes are designed to prevent attacks when the size of the plaintext is not equal to the size of the RSA key.
|
|
Tinc always encrypts random nonces that have the same size as the RSA key, so we do not believe this leads to a break of the security.
|
|
There might be timing or other side-channel attacks against RSA encryption and decryption, tinc does not employ any protection against those.
|
|
Furthermore, both sides send identical messages to each other, there is no distinction between server and client,
|
|
which could make a MITM attack easier.
|
|
However, no exploit is known in which a third party who is not already trusted by other nodes in the VPN could gain access.
|
|
Finally, the RSA keys are used to directly encrypt the session keys, which means that if the RSA keys are compromised, it is possible to decrypt all previous VPN traffic.
|
|
In other words, the legacy protocol does not provide perfect forward secrecy.
|
|
|
|
@c ==================================================================
|
|
@node Simple Peer-to-Peer Security
|
|
@subsection Simple Peer-to-Peer Security
|
|
@cindex SPTPS
|
|
|
|
The SPTPS protocol is designed to address the weaknesses in the legacy protocol.
|
|
SPTPS is based on TLS 1.2, but has been simplified: there is no support for exchanging public keys, and there is no cipher suite negotiation.
|
|
Instead, SPTPS always uses a very strong cipher suite:
|
|
peers authenticate each other using 521 bits ECC keys,
|
|
Diffie-Hellman using ephemeral 521 bits ECC keys is used to provide perfect forward secrecy (PFS),
|
|
AES-256-CTR is used for encryption, and HMAC-SHA-256 for message authentication.
|
|
|
|
Similar to TLS, messages are split up in records.
|
|
A complete logical record contains the following information:
|
|
|
|
@itemize
|
|
@item uint32_t seqno (network byte order)
|
|
@item uint16_t length (network byte order)
|
|
@item uint8_t type
|
|
@item opaque data[length]
|
|
@item opaque hmac[HMAC_SIZE] (HMAC over all preceding fields)
|
|
@end itemize
|
|
|
|
Depending on whether SPTPS records are sent via TCP or UDP, either the seqno or the length field is omitted on the wire
|
|
(but they are still included in the calculation of the HMAC);
|
|
for TCP packets are guaranteed to arrive in-order so we can infer the seqno, but packets can be split or merged, so we still need the length field to determine the boundaries between records;
|
|
for UDP packets we know that there is exactly one record per packet, and we know the length of a packet, but packets can be dropped, duplicated and/or reordered, so we need to include the seqno.
|
|
|
|
The type field is used to distinguish between application records or handshake records.
|
|
Types 0 to 127 are application records, type 128 is a handshake record, and types 129 to 255 are reserved.
|
|
|
|
Before the initial handshake, no fields are encrypted, and the HMAC field is not present.
|
|
After the authentication handshake, the length (if present), type and data fields are encrypted, and the HMAC field is present.
|
|
For UDP packets, the seqno field is not encrypted, as it is used to determine the value of the counter used for encryption.
|
|
|
|
The authentication consists of an exchange of Key EXchange, SIGnature and ACKnowledge messages, transmitted using type 128 records.
|
|
|
|
Overview:
|
|
|
|
@example
|
|
Initiator Responder
|
|
---------------------
|
|
KEX ->
|
|
<- KEX
|
|
SIG ->
|
|
<- SIG
|
|
|
|
...encrypt and HMAC using session keys from now on...
|
|
|
|
App ->
|
|
<- App
|
|
...
|
|
...
|
|
|
|
...key renegotiation starts here...
|
|
|
|
KEX ->
|
|
<- KEX
|
|
SIG ->
|
|
<- SIG
|
|
ACK ->
|
|
<- ACK
|
|
|
|
...encrypt and HMAC using new session keys from now on...
|
|
|
|
App ->
|
|
<- App
|
|
...
|
|
...
|
|
---------------------
|
|
@end example
|
|
|
|
Note that the responder does not need to wait before it receives the first KEX message,
|
|
it can immediately send its own once it has accepted an incoming connection.
|
|
|
|
Key EXchange message:
|
|
|
|
@itemize
|
|
@item uint8_t kex_version (always 0 in this version of SPTPS)
|
|
@item opaque nonce[32] (random number)
|
|
@item opaque ecdh_key[ECDH_SIZE]
|
|
@end itemize
|
|
|
|
SIGnature message:
|
|
|
|
@itemize
|
|
@item opaque ecdsa_signature[ECDSA_SIZE]
|
|
@end itemize
|
|
|
|
ACKnowledge message:
|
|
|
|
@itemize
|
|
@item empty (only sent after key renegotiation)
|
|
@end itemize
|
|
|
|
Remarks:
|
|
|
|
@itemize
|
|
@item At the start, both peers generate a random nonce and an Elliptic Curve public key and send it to the other in the KEX message.
|
|
@item After receiving the other's KEX message, both KEX messages are concatenated (see below),
|
|
and the result is signed using ECDSA.
|
|
The result is sent to the other.
|
|
@item After receiving the other's SIG message, the signature is verified.
|
|
If it is correct, the shared secret is calculated from the public keys exchanged in the KEX message using the Elliptic Curve Diffie-Helman algorithm.
|
|
@item The shared secret key is expanded using a PRF.
|
|
Both nonces and the application specific label are also used as input for the PRF.
|
|
@item An ACK message is sent only when doing key renegotiation, and is sent using the old encryption keys.
|
|
@item The expanded key is used to key the encryption and HMAC algorithms.
|
|
@end itemize
|
|
|
|
The signature is calculated over this string:
|
|
|
|
@itemize
|
|
@item uint8_t initiator (0 = local peer, 1 = remote peer is initiator)
|
|
@item opaque remote_kex_message[1 + 32 + ECDH_SIZE]
|
|
@item opaque local_kex_message[1 + 32 + ECDH_SIZE]
|
|
@item opaque label[label_length]
|
|
@end itemize
|
|
|
|
The PRF is calculated as follows:
|
|
|
|
@itemize
|
|
@item A HMAC using SHA512 is used, the shared secret is used as the key.
|
|
@item For each block of 64 bytes, a HMAC is calculated. For block n: hmac[n] =
|
|
HMAC_SHA512(hmac[n - 1] + seed)
|
|
@item For the first block (n = 1), hmac[0] is given by HMAC_SHA512(zeroes + seed),
|
|
where zeroes is a block of 64 zero bytes.
|
|
@end itemize
|
|
|
|
The seed is as follows:
|
|
|
|
@itemize
|
|
@item const char[13] "key expansion"
|
|
@item opaque responder_nonce[32]
|
|
@item opaque initiator_nonce[32]
|
|
@item opaque label[label_length]
|
|
@end itemize
|
|
|
|
The expanded key is used as follows:
|
|
|
|
@itemize
|
|
@item opaque responder_cipher_key[CIPHER_KEYSIZE]
|
|
@item opaque responder_digest_key[DIGEST_KEYSIZE]
|
|
@item opaque initiator_cipher_key[CIPHER_KEYSIZE]
|
|
@item opaque initiator_digest_key[DIGEST_KEYSIZE]
|
|
@end itemize
|
|
|
|
Where initiator_cipher_key is the key used by session initiator to encrypt
|
|
messages sent to the responder.
|
|
|
|
When using 256 bits Ed25519 keys, the AES-256-CTR cipher and HMAC-SHA-256 digest algorithm,
|
|
the sizes are as follows:
|
|
|
|
@example
|
|
ECDH_SIZE: 32 (= 256/8)
|
|
ECDSA_SIZE: 64 (= 2 * 256/8)
|
|
CIPHER_KEYSIZE: 48 (= 256/8 + 128/8)
|
|
DIGEST_KEYSIZE: 32 (= 256/8)
|
|
@end example
|
|
|
|
Note that the cipher key also includes the initial value for the counter.
|
|
|
|
@c ==================================================================
|
|
@node Encryption of network packets
|
|
@subsection Encryption of network packets
|
|
@cindex encryption
|
|
|
|
A data packet can only be sent if the encryption key is known to both
|
|
parties, and the connection is activated. If the encryption key is not
|
|
known, a request is sent to the destination using the meta connection
|
|
to retrieve it.
|
|
|
|
@cindex UDP
|
|
The UDP packets can be either encrypted with the legacy protocol or with SPTPS.
|
|
In case of the legacy protocol, the UDP packet containing the network packet from the VPN has the following layout:
|
|
|
|
@example
|
|
... | IP header | UDP header | seqno | VPN packet | MAC | UDP trailer
|
|
\___________________/\_____/
|
|
| |
|
|
V +---> digest algorithm
|
|
Encrypted with symmetric cipher
|
|
@end example
|
|
|
|
|
|
|
|
|
|
So, the entire VPN packet is encrypted using a symmetric cipher, including a 32 bits
|
|
sequence number that is added in front of the actual VPN packet, to act as a unique
|
|
IV for each packet and to prevent replay attacks. A message authentication code
|
|
is added to the UDP packet to prevent alteration of packets.
|
|
Tinc by default encrypts network packets using Blowfish with 128 bit keys in CBC mode
|
|
and uses 4 byte long message authentication codes to make sure
|
|
eavesdroppers cannot get and cannot change any information at all from the
|
|
packets they can intercept. The encryption algorithm and message authentication
|
|
algorithm can be changed in the configuration. The length of the message
|
|
authentication codes is also adjustable. The length of the key for the
|
|
encryption algorithm is always the default length used by OpenSSL.
|
|
|
|
The SPTPS protocol is described in @ref{Simple Peer-to-Peer Security}.
|
|
For comparison, this is how SPTPS UDP packets look:
|
|
|
|
@example
|
|
... | IP header | UDP header | seqno | type | VPN packet | MAC | UDP trailer
|
|
\__________________/\_____/
|
|
| |
|
|
V +---> digest algorithm
|
|
Encrypted with symmetric cipher
|
|
@end example
|
|
|
|
The difference is that the seqno is not encrypted, since the encryption cipher is used in CTR mode,
|
|
and therefore the seqno must be known before the packet can be decrypted.
|
|
Furthermore, the MAC is never truncated.
|
|
The SPTPS protocol always uses the AES-256-CTR cipher and HMAC-SHA-256 digest,
|
|
this cannot be changed.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Security issues
|
|
@subsection Security issues
|
|
|
|
In August 2000, we discovered the existence of a security hole in all versions
|
|
of tinc up to and including 1.0pre2. This had to do with the way we exchanged
|
|
keys. Since then, we have been working on a new authentication scheme to make
|
|
tinc as secure as possible. The current version uses the OpenSSL library and
|
|
uses strong authentication with RSA keys.
|
|
|
|
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
|
|
1.0pre4. Due to a lack of sequence numbers and a message authentication code
|
|
for each packet, an attacker could possibly disrupt certain network services or
|
|
launch a denial of service attack by replaying intercepted packets. The current
|
|
version adds sequence numbers and message authentication codes to prevent such
|
|
attacks.
|
|
|
|
On the 15th of September 2003, Peter Gutmann posted a security analysis of tinc
|
|
1.0.1. He argues that the 32 bit sequence number used by tinc is not a good IV,
|
|
that tinc's default length of 4 bytes for the MAC is too short, and he doesn't
|
|
like tinc's use of RSA during authentication. We do not know of a security hole
|
|
in the legacy protocol of tinc, but it is not as strong as TLS or IPsec.
|
|
|
|
This version of tinc comes with an improved protocol, called Simple Peer-to-Peer Security,
|
|
which aims to be as strong as TLS with one of the strongest cipher suites.
|
|
|
|
Cryptography is a hard thing to get right. We cannot make any
|
|
guarantees. Time, review and feedback are the only things that can
|
|
prove the security of any cryptographic product. If you wish to review
|
|
tinc or give us feedback, you are stronly encouraged to do so.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Platform specific information
|
|
@chapter Platform specific information
|
|
|
|
@menu
|
|
* Interface configuration::
|
|
* Routes::
|
|
@end menu
|
|
|
|
@c ==================================================================
|
|
@node Interface configuration
|
|
@section Interface configuration
|
|
|
|
When configuring an interface, one normally assigns it an address and a
|
|
netmask. The address uniquely identifies the host on the network attached to
|
|
the interface. The netmask, combined with the address, forms a subnet. It is
|
|
used to add a route to the routing table instructing the kernel to send all
|
|
packets which fall into that subnet to that interface. Because all packets for
|
|
the entire VPN should go to the virtual network interface used by tinc, the
|
|
netmask should be such that it encompasses the entire VPN.
|
|
|
|
For IPv4 addresses:
|
|
|
|
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
|
@item Linux
|
|
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
|
@item Linux iproute2
|
|
@tab @code{ip addr add} @var{address}@code{/}@var{prefixlength} @code{dev} @var{interface}
|
|
@item FreeBSD
|
|
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
|
@item OpenBSD
|
|
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
|
@item NetBSD
|
|
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
|
@item Solaris
|
|
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
|
@item Darwin (MacOS/X)
|
|
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
|
@item Windows
|
|
@tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask}
|
|
@end multitable
|
|
|
|
For IPv6 addresses:
|
|
|
|
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
|
@item Linux
|
|
@tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength}
|
|
@item FreeBSD
|
|
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
|
|
@item OpenBSD
|
|
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
|
|
@item NetBSD
|
|
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
|
|
@item Solaris
|
|
@tab @code{ifconfig} @var{interface} @code{inet6 plumb up}
|
|
@item
|
|
@tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address}
|
|
@item Darwin (MacOS/X)
|
|
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
|
|
@item Windows
|
|
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
|
|
@end multitable
|
|
|
|
On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
|
|
|
|
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
|
@item OpenBSD
|
|
@tab @code{ifconfig} @var{interface} @code{link0}
|
|
@end multitable
|
|
|
|
On Linux, it is possible to create a persistent tun/tap interface which will
|
|
continue to exist even if tinc quit, although this is normally not required.
|
|
It can be useful to set up a tun/tap interface owned by a non-root user, so
|
|
tinc can be started without needing any root privileges at all.
|
|
|
|
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
|
@item Linux
|
|
@tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username}
|
|
@end multitable
|
|
|
|
@c ==================================================================
|
|
@node Routes
|
|
@section Routes
|
|
|
|
In some cases it might be necessary to add more routes to the virtual network
|
|
interface. There are two ways to indicate which interface a packet should go
|
|
to, one is to use the name of the interface itself, another way is to specify
|
|
the (local) address that is assigned to that interface (@var{local_address}). The
|
|
former way is unambiguous and therefore preferable, but not all platforms
|
|
support this.
|
|
|
|
Adding routes to IPv4 subnets:
|
|
|
|
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
|
@item Linux
|
|
@tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface}
|
|
@item Linux iproute2
|
|
@tab @code{ip route add} @var{network_address}@code{/}@var{prefixlength} @code{dev} @var{interface}
|
|
@item FreeBSD
|
|
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
|
|
@item OpenBSD
|
|
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
|
|
@item NetBSD
|
|
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
|
|
@item Solaris
|
|
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
|
|
@item Darwin (MacOS/X)
|
|
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
|
|
@item Windows
|
|
@tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address}
|
|
@end multitable
|
|
|
|
Adding routes to IPv6 subnets:
|
|
|
|
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
|
@item Linux
|
|
@tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface}
|
|
@item Linux iproute2
|
|
@tab @code{ip route add} @var{network_address}@code{/}@var{prefixlength} @code{dev} @var{interface}
|
|
@item FreeBSD
|
|
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
|
|
@item OpenBSD
|
|
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
|
|
@item NetBSD
|
|
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
|
|
@item Solaris
|
|
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
|
|
@item Darwin (MacOS/X)
|
|
@tab ?
|
|
@item Windows
|
|
@tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
|
|
@end multitable
|
|
|
|
|
|
@c ==================================================================
|
|
@node About us
|
|
@chapter About us
|
|
|
|
|
|
@menu
|
|
* Contact information::
|
|
* Authors::
|
|
@end menu
|
|
|
|
|
|
@c ==================================================================
|
|
@node Contact information
|
|
@section Contact information
|
|
|
|
@cindex website
|
|
Tinc's website is at @url{http://www.tinc-vpn.org/},
|
|
this server is located in the Netherlands.
|
|
|
|
@cindex IRC
|
|
We have an IRC channel on the FreeNode and OFTC IRC networks. Connect to
|
|
@uref{http://www.freenode.net/, irc.freenode.net}
|
|
or
|
|
@uref{http://www.oftc.net/, irc.oftc.net}
|
|
and join channel #tinc.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Authors
|
|
@section Authors
|
|
|
|
@table @asis
|
|
@item Ivo Timmermans (zarq)
|
|
@item Guus Sliepen (guus) (@email{guus@@tinc-vpn.org})
|
|
@end table
|
|
|
|
We have received a lot of valuable input from users. With their help,
|
|
tinc has become the flexible and robust tool that it is today. We have
|
|
composed a list of contributions, in the file called @file{THANKS} in
|
|
the source distribution.
|
|
|
|
|
|
@c ==================================================================
|
|
@node Concept Index
|
|
@unnumbered Concept Index
|
|
|
|
@c ==================================================================
|
|
@printindex cp
|
|
|
|
|
|
@c ==================================================================
|
|
@contents
|
|
@bye
|