No description
Find a file
Etienne Dechamps e3c763eae8 Introduce lightweight PMTU probe replies.
When replying to a PMTU probe, tinc sends a packet with the same length
as the PMTU probe itself, which is usually large (~1450 bytes). This is
not necessary: the other node wants to know the size of the PMTU probes
that have been received, but encoding this information as the actual
reply length is probably the most inefficient way to do it. It doubles
the bandwidth usage of the PMTU discovery process, and makes it less
reliable since large packets are more likely to be dropped.

This patch introduces a new PMTU probe reply type, encoded as type "2"
in the first byte of the packet, that indicates that the length of the
PMTU probe that is being replied to is encoded in the next two bytes of
the packet. Thus reply packets are only 3 bytes long.

(This also protects against very broken networks that drop very small
packets - yes, I've seen it happen on a subnet of a national ISP - in
such a case the PMTU probe replies will be dropped, and tinc won't
enable UDP communication, which is a good thing.)

Because legacy nodes won't understand type 2 probe replies, the minor
protocol number is bumped to 3.

Note that this also improves bandwidth estimation, as it is able to
measure bandwidth in both directions independently (the node receiving
the replies is measuring in the TX direction) and the use of smaller
reply packets might decrease the influence of jitter.
2013-07-22 21:25:37 +01:00
bash_completion.d Add an invitation protocol. 2013-05-29 18:31:10 +02:00
doc Allow extra options to be passed to "tinc restart" again. 2013-07-21 00:20:54 +02:00
gui Let the GUI use UNIX sockets if available. 2013-02-07 15:27:16 +01:00
m4 Drop libevent and use our own event handling again. 2012-11-29 12:28:23 +01:00
src Introduce lightweight PMTU probe replies. 2013-07-22 21:25:37 +01:00
.gitignore Don't ignore Makefile.am. 2012-09-24 14:56:00 +02:00
AUTHORS Attribution for Loïc Grenié. 2011-06-04 11:27:54 +02:00
configure.ac Add an invitation protocol. 2013-05-29 18:31:10 +02:00
COPYING Releasing 1.1pre7. 2013-04-22 15:54:05 +02:00
COPYING.README Releasing 1.0.12. 2010-02-03 22:49:48 +01:00
Makefile.am Use conditional compilation for cryptographic functions. 2013-05-01 17:17:22 +02:00
NEWS Releasing 1.1pre7. 2013-04-22 15:54:05 +02:00
README Releasing 1.1pre7. 2013-04-22 15:54:05 +02:00
README.android Android cross-compilation instructions. 2012-09-24 13:55:38 +02:00
README.git Drop libevent and use our own event handling again. 2012-11-29 12:28:23 +01:00
THANKS Attribution for Etienne Dechamps. 2013-07-20 23:41:01 +02:00

This is the README file for tinc version 1.1pre7. Installation
instructions may be found in the INSTALL file.

tinc is Copyright (C) 1998-2013 by:

Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>,
and others.

For a complete list of authors see the AUTHORS file.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version. See the file COPYING for more details.


This is a pre-release
---------------------

Please note that this is NOT a stable release. Until version 1.1.0 is released,
please use one of the 1.0.x versions if you need a stable version of tinc.

Although tinc 1.1 will be protocol compatible with tinc 1.0.x, the
functionality of the tinc program may still change, and the control socket
protocol is not fixed yet.


Security statement
------------------

This version uses an experimental and unfinished cryptographic protocol. Use it
at your own risk.


Compatibility
-------------

Version 1.1pre7 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.

When the ExperimentalProtocol option is used, tinc is still compatible with
1.0.X and 1.1pre7 itself, but not with any other 1.1preX version.


Requirements
------------

In order to compile tinc, you will need a GNU C compiler environment. Please
ensure you have the latest stable versions of all the required libraries:

- OpenSSL (http://www.openssl.org/) version 1.0.0 or later.

The following libraries are used by default, but can be disabled if necessary:

- zlib (http://www.gzip.org/zlib/)
- lzo (http://www.oberhumer.com/opensource/lzo/)
- ncurses (http://invisible-island.net/ncurses/)
- readline (ftp://ftp.gnu.org/pub/gnu/readline/)


Features
--------

Tinc is a peer-to-peer VPN daemon that supports VPNs with an arbitrary number
of nodes. Instead of configuring tunnels, you give tinc the location and
public key of a few nodes in the VPN. After making the initial connections to
those nodes, tinc will learn about all other nodes on the VPN, and will make
connections automatically. When direct connections are not possible, data will
be forwarded by intermediate nodes.

By default, nodes authenticate each other using 2048 bit RSA (or 521 bit
ECDSA*) keys. Traffic is encrypted using Blowfish in CBC mode (or AES-256 in
CTR mode*), authenticated using HMAC-SHA1 (or HMAC-SHA-256*), and is protected
against replay attacks.

*) When using the ExperimentalProtocol option.

Tinc fully supports IPv6.

Tinc can operate in several routing modes. In the default mode, "router", every
node is associated with one or more IPv4 and/or IPv6 Subnets. The other two
modes, "switch" and "hub", let the tinc daemons work together to form a virtual
Ethernet network switch or hub.

Normally, when started tinc will detach and run in the background. In a native
Windows environment this means tinc will intall itself as a service, which will
restart after reboots.  To prevent tinc from detaching or running as a service,
use the -D option.

The status of the VPN can be queried using the "tinc" command, which connects
to a running tinc daemon via a control connection. The same tool also makes it
easy to start and stop tinc, and to change its configuration.