No description
9bb230f30f
In this commit, nodes use UDP_INFO messages to provide UDP address information. The basic principle is that the node that receives packets sends UDP_INFO messages to the node that's sending the packets. The message originally contains no address information, and is (hopefully) updated with relevant address information as it gets relayed through the metagraph - specifically, each intermediate node will update the message with its best guess as to what the address is while forwarding it. When a node receives an UDP_INFO message, and it doesn't have a confirmed UDP tunnel with the originator node, it will update its records with the new address for that node, so that it always has the best possible guess as to how to reach that node. This applies to the destination node of course, but also to any intermediate nodes, because there's no reason they should pass on the free intel, and because it results in nice behavior in the presence of relay chains (multiple nodes in a path all trying to reach the same destination). If, on the other hand, the node does have a confirmed UDP tunnel, it will ignore the address information contained in the message. In all cases, if the node that receives the message is not the destination node specified in the message, it will forward the message but not before overriding the address information with the one from its own records. If the node has a confirmed UDP tunnel, that means the message is updated with the address of the confirmed tunnel; if not, the message simply reflects the records of the intermediate node, which just happen to be the contents of the UDP_INFO message it just got, so it's simply forwarded with no modification. This is similar to the way ANS_KEY messages are currently overloaded to provide UDP address information, with two differences: - UDP_INFO messages are sent way more often than ANS_KEY messages, thereby keeping the address information fresh. Previously, if the UDP situation were to change after the ANS_KEY message was sent, the sender would virtually never get the updated information. - Once a node puts address information in an ANS_KEY message, it is never changed again as the message travels through the metagraph; in contrast, UDP_INFO messages behave the opposite way, as they get rewritten every time they travel through a node with a confirmed UDP tunnel. The latter behavior seems more appropriate because UDP tunnel information becomes more relevant as it moves closer to the destination node. The ANS_KEY behavior is not satisfactory in some cases such as multi-layered graphs where the first hop is located before a NAT. Ultimately, the rationale behind this whole process is to improve UDP hole punching capabilities when port translation is in effect, and more generally, to make tinc more reliable in (very) hostile network conditions (such as multi-layered NAT). |
||
|---|---|---|
| bash_completion.d | ||
| doc | ||
| gui | ||
| m4 | ||
| src | ||
| test | ||
| .gitignore | ||
| AUTHORS | ||
| configure.ac | ||
| COPYING | ||
| COPYING.README | ||
| Makefile.am | ||
| NEWS | ||
| README | ||
| README.android | ||
| README.git | ||
| THANKS | ||
This is the README file for tinc version 1.1pre11. Installation instructions may be found in the INSTALL file. tinc is Copyright (C) 1998-2014 by: Ivo Timmermans, Guus Sliepen <guus@tinc-vpn.org>, and others. For a complete list of authors see the AUTHORS file. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See the file COPYING for more details. This is a pre-release --------------------- Please note that this is NOT a stable release. Until version 1.1.0 is released, please use one of the 1.0.x versions if you need a stable version of tinc. Although tinc 1.1 will be protocol compatible with tinc 1.0.x, the functionality of the tinc program may still change, and the control socket protocol is not fixed yet. Security statement ------------------ This version uses an experimental and unfinished cryptographic protocol. Use it at your own risk. Compatibility ------------- Version 1.1pre11 is compatible with 1.0pre8, 1.0 and later, but not with older versions of tinc. When the ExperimentalProtocol option is used, tinc is still compatible with 1.0.X and 1.1pre11 itself, but not with any other 1.1preX version. Requirements ------------ In order to compile tinc, you will need a GNU C compiler environment. Please ensure you have the latest stable versions of all the required libraries: - OpenSSL (http://www.openssl.org/) version 1.0.0 or later, with support for elliptic curve cryptography (ECC) and Galois counter mode (GCM) enabled. The following libraries are used by default, but can be disabled if necessary: - zlib (http://www.gzip.org/zlib/) - lzo (http://www.oberhumer.com/opensource/lzo/) - ncurses (http://invisible-island.net/ncurses/) - readline (ftp://ftp.gnu.org/pub/gnu/readline/) Features -------- Tinc is a peer-to-peer VPN daemon that supports VPNs with an arbitrary number of nodes. Instead of configuring tunnels, you give tinc the location and public key of a few nodes in the VPN. After making the initial connections to those nodes, tinc will learn about all other nodes on the VPN, and will make connections automatically. When direct connections are not possible, data will be forwarded by intermediate nodes. By default, nodes authenticate each other using 2048 bit RSA (or 521 bit ECDSA*) keys. Traffic is encrypted using Blowfish in CBC mode (or AES-256 in GCM mode*), authenticated using HMAC-SHA1 (or GCM*), and is protected against replay attacks. *) When using the ExperimentalProtocol option. Tinc fully supports IPv6. Tinc can operate in several routing modes. In the default mode, "router", every node is associated with one or more IPv4 and/or IPv6 Subnets. The other two modes, "switch" and "hub", let the tinc daemons work together to form a virtual Ethernet network switch or hub. Normally, when started tinc will detach and run in the background. In a native Windows environment this means tinc will intall itself as a service, which will restart after reboots. To prevent tinc from detaching or running as a service, use the -D option. The status of the VPN can be queried using the "tinc" command, which connects to a running tinc daemon via a control connection. The same tool also makes it easy to start and stop tinc, and to change its configuration.