Import Upstream version 1.1~pre11

This commit is contained in:
Guus Sliepen 2019-08-26 13:44:51 +02:00
parent 60cff3039b
commit 1813f3157e
128 changed files with 10991 additions and 3132 deletions

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -80,9 +80,12 @@ subdir = doc
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am texinfo.tex
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/curses.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/readline.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/curses.m4 $(top_srcdir)/m4/libgcrypt.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
$(top_srcdir)/m4/readline.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
@ -216,9 +219,6 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDFLAGS = @LDFLAGS@
LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LN_S = @LN_S@
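Review bot: the removal of the LIBGCRYPT_CFLAGS, LIBGCRYPT_CONFIG and LIBGCRYPT_LIBS substitutions in this hunk is at odds with the previous hunk, which adds $(top_srcdir)/m4/libgcrypt.m4 to am__aclocal_m4_deps; either configure.ac no longer runs the libgcrypt macro (in which case the m4 file need not be a dependency) or the substitutions should still be present. Since Makefile.in is generated, regenerate it from the same configure.ac rather than fixing by hand, and confirm nothing under doc/ still references LIBGCRYPT_*.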
@ -234,7 +234,6 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
RANLIB = @RANLIB@
READLINE_LIBS = @READLINE_LIBS@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
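Review bot: dropping RANLIB = @RANLIB@ from the generated doc/Makefile.in implies configure.ac no longer calls AC_PROG_RANLIB; check that no other generated Makefile.in in this import still expects $(RANLIB) for static libraries, otherwise the regeneration was done against mismatched automake inputs.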

View file

@ -1,4 +1,4 @@
.Dd 2013-01-15
.Dd 2014-01-16
.Dt TINCCTL 8
.\" Manual page created by:
.\" Scott Lamb
@ -13,14 +13,36 @@
.Op Fl -pidfile Ns = Ns Ar FILENAME
.Op Fl -help
.Op Fl -version
.Ar COMMAND
.Op Ar COMMAND
.Sh DESCRIPTION
This is the control program of tinc, a secure virtual private network (VPN)
project.
.Nm
communicates with
.Xr tincd 8
to alter and inspect the running VPN's state.
can start and stop
.Xr tincd 8 ,
and can to alter and inspect the state of a running VPN.
It can also be used to change the configuration,
or to import or export host configuration files from other nodes.
If
.Nm
is started with a
.Ar COMMAND ,
this command is immediately executed, after which
.Nm
exits.
If no
.Ar COMMAND
is given,
.Nm
will act as a shell;
it will display a prompt, and commands can be entered on the prompt.
If
.Nm
is compiled with libreadline, history and command completion are available on the prompt.
One can also pipe a script containing commands through
.Nm .
In that case, lines starting with a # symbol will be ignored.
.Sh OPTIONS
.Bl -tag -width indent
.It Fl n, -net Ns = Ns Ar NETNAME
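Review bot: grammar error in the added DESCRIPTION text: "and can to alter and inspect the state of a running VPN" should read "and can alter and inspect the state of a running VPN". The script-mode sentence ("One can also pipe a script ... lines starting with a # symbol will be ignored") should also say whether a failing command aborts the rest of the script or execution continues, since that decides whether a partially applied piped configuration can be detected.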
@ -47,7 +69,7 @@ option, the value of this environment variable is used.
.Sh COMMANDS
.Bl -tag -width indent
.It init Op Ar name
Create initial configuration files and RSA and ECDSA keypairs with default length.
Create initial configuration files and RSA and Ed25519 keypairs with default length.
If no
.Ar name
for this node is given, it will be asked for.
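Review bot: "RSA and Ed25519 keypairs with default length" is misleading: a length only applies to the RSA key (the generate-keys [bits] argument below), while Ed25519 keys have a fixed size. Suggest "an RSA keypair with default length and an Ed25519 keypair".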
@ -120,9 +142,9 @@ will be made.
Shows the PID of the currently running
.Xr tincd 8 .
.It generate-keys Op bits
Generate both RSA and ECDSA keypairs (see below) and exit.
.It generate-ecdsa-keys
Generate public/private ECDSA keypair and exit.
Generate both RSA and Ed25519 keypairs (see below) and exit.
.It generate-ed25519-keys
Generate public/private Ed25519 keypair and exit.
.It generate-rsa-keys Op bits
Generate public/private RSA keypair and exit.
If
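Review bot: the rename of generate-ecdsa-keys to generate-ed25519-keys silently drops the old command name from the manual; scripts and upgrade instructions written against earlier 1.1pre releases will now fail. Either state that the old name is no longer accepted, or keep it as a deprecated alias and document it as such.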
@ -188,6 +210,11 @@ format to standard output,
from where it can be redirected to a file or piped through a program that can parse it directly,
such as
.Xr tcpdump 8 .
.It network Op Ar netname
If
.Ar netname
is given, switch to that network.
Otherwise, display a list of all networks for which configuration files exist.
.El
.Sh EXAMPLES
Examples of some commands:
@ -197,7 +224,7 @@ tinc -n vpn pcap | tcpdump -r -
tinc -n vpn top
.Pp
.Ed
Example of configuring tinc using
Examples of changing the configuration using
.Nm :
.Bd -literal -offset indent
tinc -n vpn init foo

View file

@ -1,4 +1,4 @@
.Dd 2013-01-14
.Dd 2014-01-29
.Dt TINC.CONF 5
.\" Manual page created by:
.\" Ivo Timmermans
@ -64,20 +64,20 @@ or by using
.Sh PUBLIC/PRIVATE KEYS
The
.Nm tinc Li init
command will have generated both RSA and ECDSA public/private keypairs.
command will have generated both RSA and Ed25519 public/private keypairs.
The private keys should be stored in files named
.Pa rsa_key.priv
and
.Pa ecdsa_key.priv
.Pa ed25519_key.priv
in the directory
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /
The public keys should be stored in the host configuration file
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Va NAME .
The RSA keys are used for backwards compatibility with tinc version 1.0.
If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files,
but you will need to create ECDSA keys using the following command:
but you will need to create Ed25519 keys using the following command:
.Bd -literal -offset indent
.Nm tinc Fl n Ar NETNAME Li generate-ecdsa-keys
.Nm tinc Fl n Ar NETNAME Li generate-ed25519-keys
.Ed
.Sh SERVER CONFIGURATION
The server configuration of the daemon is done in the file
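Review bot: the upgrade text only covers 1.0 users ("If you are upgrading from version 1.0 to 1.1"), but the default private key file name changes in this hunk from ecdsa_key.priv to ed25519_key.priv. A node upgraded from an earlier 1.1pre release keeps its key in ecdsa_key.priv and will not find it under the new name; add a sentence telling such users to rename the file (or set Ed25519PrivateKeyFile), and say whether the key file format itself is unchanged.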
@ -114,33 +114,24 @@ If
.Qq any
is selected, then depending on the operating system both IPv4 and IPv6 or just
IPv6 listening sockets will be created.
.It Va AutoConnect Li = Ar count Po 0 Pc Bq experimental
If set to a non-zero value,
.Nm
will try to only have
.Ar count
meta connections to other nodes,
by automatically making or breaking connections to known nodes.
Higher values increase redundancy but also increase meta data overhead.
When using this option, a good value is 3.
.It Va BindToAddress Li = Ar address Op Ar port
If your computer has more than one IPv4 or IPv6 address,
.It Va AutoConnect Li = yes | no Po no Pc Bq experimental
If set to yes,
.Nm tinc
will by default listen on all of them for incoming connections.
Multiple
.Va BindToAddress
variables may be specified,
in which case listening sockets for each specified address are made.
will automatically set up meta connections to other nodes,
without requiring
.Va ConnectTo
variables.
.Pp
If no
.Ar port
is specified, the socket will be bound to the port specified by the
.Va Port
option, or to port 655 if neither is given.
To only bind to a specific port but not to a specific address, use
.Li *
for the
.Ar address .
Note: it is not possible to connect to nodes using zero (system-assigned) ports in this way.
.It Va BindToAddress Li = Ar address Op Ar port
This is the same as
.Va ListenAddress ,
however the address given with the
.Va BindToAddress
option will also be used for outgoing connections. This is useful if your
computer has more than one IPv4 or IPv6 address, and you want
.Nm tinc
to only use a specific one for outgoing packets.
.It Va BindToInterface Li = Ar interface Bq experimental
If your computer has more than one network interface,
.Nm tinc
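Review bot: the new AutoConnect = yes | no text says tinc "will automatically set up meta connections to other nodes" but no longer says which nodes qualify or how many connections it aims for, whereas the removed count form documented both (a target number and "known nodes"). Add which nodes are candidates (presumably those with an Address in a local host configuration file) and the target connection count, and state how an existing "AutoConnect = 3" from an earlier 1.1pre configuration is now parsed, since a count is no longer a valid value.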
@ -166,6 +157,13 @@ Broadcast packets are sent directly to all nodes that can be reached directly.
Broadcast packets received from other nodes are never forwarded.
If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
.El
.It Va BroadcastSubnet Li = Ar address Ns Op Li / Ns Ar prefixlength
Declares a broadcast subnet. Any packet with a destination address falling into such a subnet will be routed as a broadcast (provided all nodes have it declared).
This is most useful to declare subnet broadcast addresses (e.g. 10.42.255.255), otherwise
.Nm tinc
won't know what to do with them.
.Pp
Note that global broadcast addresses (MAC ff:ff:ff:ff:ff:ff, IPv4 255.255.255.255), as well as multicast space (IPv4 224.0.0.0/4, IPv6 ff00::/8) are always considered broadcast addresses and don't need to be declared.
.It Va ConnectTo Li = Ar name
Specifies which other tinc daemon to connect to on startup.
Multiple
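Review bot: the BroadcastSubnet description needs a warning about scope: "Any packet with a destination address falling into such a subnet will be routed as a broadcast", so a carelessly wide prefix turns ordinary unicast traffic into a copy to every node and amplifies traffic across the VPN. Recommend stating that only actual subnet broadcast addresses (as in the 10.42.255.255 example, i.e. a /32) should be declared, and that the statement must be identical on all nodes ("provided all nodes have it declared") or packets are handled inconsistently.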
@ -178,7 +176,9 @@ The names should be known to this tinc daemon
line).
.Pp
If you don't specify a host with
.Va ConnectTo ,
.Va ConnectTo
and don't enable
.Va AutoConnect ,
.Nm tinc
won't try to connect to other daemons at all,
and will instead just listen for incoming connections.
@ -202,6 +202,13 @@ instead of
.Va Device .
The info pages of the tinc package contain more information
about configuring the virtual network device.
.It Va DeviceStandby Li = yes | no Po no Pc
When disabled,
.Nm tinc
calls tinc-up on startup, and tinc-down on shutdown. When enabled,
.Nm tinc
will only call tinc-up when at least one node is reachable, and will call tinc-down as soon as no nodes are reachable.
On Windows, this also determines when the virtual network interface "cable" is "plugged".
.It Va DeviceType Li = Ar type Pq platform dependent
The type of the virtual network device.
Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used.
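Review bot: the DeviceStandby text should state the ordering relative to the per-host scripts: when enabled, tinc-up runs "when at least one node is reachable", which is also the moment the first hosts/HOST-up script fires, so say which runs first; a HOST-up script that adds routes needs the interface configured by tinc-up to already exist.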
@ -269,17 +276,17 @@ When this option is enabled, packets that cannot be sent directly to the destina
but which would have to be forwarded by an intermediate node, are dropped instead.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
.It Va ECDSAPrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /ecdsa_key.priv Pc
The file in which the private ECDSA key of this tinc daemon resides.
.It Va Ed25519PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /ed25519_key.priv Pc
The file in which the private Ed25519 key of this tinc daemon resides.
This is only used if
.Va ExperimentalProtocol
is enabled.
.It Va ExperimentalProtocol Li = yes | no Pq yes
When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
Ephemeral ECDH will be used for key exchanges,
and ECDSA will be used instead of RSA for authentication.
When enabled, an ECDSA key must have been generated before with
.Nm tinc generate-ecdsa-keys .
and Ed25519 will be used instead of RSA for authentication.
When enabled, an Ed25519 key must have been generated before with
.Nm tinc generate-ed25519-keys .
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded.
.Bl -tag -width indent
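Review bot: with ExperimentalProtocol defaulting to yes and the text saying an Ed25519 key "must have been generated before", the manual should state what tincd does when ed25519_key.priv is absent: refuse to start, or fall back to the legacy RSA protocol for all peers. The security outcome differs (a silent fallback would lose the SPTPS protection the option promises), so the behaviour should be spelled out here.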
@ -316,7 +323,34 @@ this variable is almost always already correctly set.
This option controls the period the encryption keys used to encrypt the data are valid.
It is common practice to change keys at regular intervals to make it even harder for crackers,
even though it is thought to be nearly impossible to crack a single key.
.It Va LocalDiscovery Li = yes | no Pq no
.It Va ListenAddress Li = Ar address Op Ar port
If your computer has more than one IPv4 or IPv6 address,
.Nm tinc
will by default listen on all of them for incoming connections.
This option can be used to restrict which addresses tinc listens on.
Multiple
.Va ListenAddress
variables may be specified,
in which case listening sockets for each specified address are made.
.Pp
If no
.Ar port
is specified, the socket will listen on the port specified by the
.Va Port
option, or to port 655 if neither is given.
To only listen on a specific port but not on a specific address, use
.Li *
for the
.Ar address .
.Pp
If
.Ar port
is set to zero, it will be randomly assigned by the system. This is useful to randomize source ports of UDP packets, which can improve UDP hole punching reliability. In this case it is recommended to set
.Va AddressFamily
as well, otherwise
.Nm tinc
will assign different ports to different address families but other nodes can only know of one.
.It Va LocalDiscovery Li = yes | no Pq yes
When enabled,
.Nm tinc
will try to detect peers that are on the same local network.
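Review bot: the default of LocalDiscovery flips from no to yes in this hunk (the .It line changes from "Pq no" to "Pq yes") without any mention in the description; since this makes tinc actively probe peers' LAN addresses, call it out as a behaviour change and bring the tinc.info text, which still documents the default as no, in line. The Port = 0 advice here ("will be randomly assigned by the system", set AddressFamily) should also add that other nodes then cannot ConnectTo this node, because no stable port can be put in its Address statement.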
@ -324,11 +358,7 @@ This will allow direct communication using LAN addresses, even if both peers are
and they only ConnectTo a third node outside the NAT,
which normally would prevent the peers from learning each other's LAN address.
.Pp
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
This feature may not work in all possible situations.
.It Va LocalDiscoveryAddress Li = Ar address
If this variable is specified, local discovery packets are sent to the given
.Ar address .
Currently, local discovery is implemented by sending some packets to the local address of the node during path MTU discovery. This will not work with old nodes that don't transmit their local address.
.It Va MACExpire Li = Ar seconds Pq 600
This option controls the amount of time MAC addresses are kept before they are removed.
This only has effect when
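Review bot: LocalDiscoveryAddress is removed from the manual here, but nothing says the option is gone; a configuration that still contains it should either be documented as producing a warning or error, or the option kept as a no-op. The replacement text ("sending some packets to the local address of the node ... will not work with old nodes that don't transmit their local address") should also say whether those packets are authenticated like other UDP traffic, since a node now acts on an address advertised by its peer.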
@ -367,7 +397,8 @@ while no routing table is managed.
.It Va Name Li = Ar name Bq required
This is the name which identifies this tinc daemon.
It must be unique for the virtual private network this daemon will connect to.
The Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.
.Va Name
may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.
If
.Va Name
starts with a
@ -436,17 +467,18 @@ are available.
.It Va ReplayWindow Li = Ar bytes Pq 16
This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high
the default setting of 16 will track up to 128 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from
the interaction of replay tracking with underlying real packet loss and/or
reordering. Setting this to zero will disable replay tracking completely and
reordering. Setting this to zero will disable replay tracking completely and
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic.
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
directory. Subnets learned via connections to other nodes and which are not
present in the local host config files are ignored.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow connections with nodes for which host config files are present in the local
@ -507,8 +539,8 @@ will turn off packet authentication.
This option has no effect for connections between nodes using
.Va ExperimentalProtocol .
.It Va IndirectData Li = yes | no Pq no
When set to yes, other nodes which do not already have a meta connection to you
will not try to establish direct communication with you.
When set to yes, only nodes which already have a meta connection to you
will try to establish direct communication with you.
It is best to leave this option out or set it to no.
.It Va MACLength Li = Ar length Pq 4
The length of the message authentication code used to authenticate UDP packets.
@ -527,6 +559,14 @@ The port number on which this tinc daemon is listening for incoming connections,
which is used if no port number is specified in an
.Va Address
statement.
.Pp
If this is set to zero, the port will be randomly assigned by the system. This is useful to randomize source ports of UDP packets, which can improve UDP hole punching reliability. When setting
.Va Port
to zero it is recommended to set
.Va AddressFamily
as well, otherwise
.Nm tinc
will assign different ports to different address families but other nodes can only know of one.
.It Va PublicKey Li = Ar key Bq obsolete
The public RSA key of this tinc daemon.
It will be used to cryptographically verify it's identity and to set up a secure connection.
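Review bot: the Port = 0 paragraph explains source-port randomisation but omits the consequence for inbound connections: a node whose port is "randomly assigned by the system" cannot be named in another node's Address statement, so ConnectTo to it will not work. The remark "it is not possible to connect to nodes using zero (system-assigned) ports in this way" in the AutoConnect/BindToAddress hunk above belongs here as well. Separately, "verify it's identity" in the context line should be "verify its identity".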
@ -561,7 +601,7 @@ IPv6 subnets are notated like fec0:0:0:1::/64.
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
.Pp
A Subnet can be given a weight to indicate its priority over identical Subnets
owned by different nodes. The default weight is 10. Lower values indicate
owned by different nodes. The default weight is 10. Lower values indicate
higher priority. Packets will be sent to the node with the highest priority,
unless that node is not reachable, in which case the node with the next highest
priority will be tried, and so on.
@ -575,6 +615,12 @@ Setting this options also implicitly sets IndirectData.
.Pp
Since version 1.0.10, tinc will automatically detect whether communication via
UDP is possible or not.
.It Va Weight Li = Ar weight
If this variable is set, it overrides the weight given to connections made with
another host. A higher
.Ar weight
means a lower priority is given to this connection when broadcasting or
forwarding packets.
.El
.Sh SCRIPTS
Apart from reading the server and host configuration files,
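Review bot: the new Weight variable says "A higher weight means a lower priority ... when broadcasting or forwarding packets" but gives neither the default weight being overridden nor the valid range, so a reader cannot pick a sensible value; add both, and state that, as a host configuration variable, it only affects connections to that node.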
@ -586,12 +632,16 @@ or
.Bl -tag -width indent
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
This is the most important script.
If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device.
If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device (or when the first node becomes reachable if
.Va DeviceStandby
is used).
It should be used to set up the corresponding network interface,
but can also be used to start other things.
Under Windows you can use the Network Connections control panel instead of creating this script.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
This script is started right before the tinc daemon quits.
This script is started right before the tinc daemon quits (or when the last node becomes unreachable if
.Va DeviceStandby
is used).
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up
This script is started when the tinc daemon with name
.Ar HOST
@ -668,6 +718,8 @@ The top directory for configuration files.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
The default name of the server configuration file for net
.Ar NETNAME .
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/
Optional directory from which any .conf file will be loaded
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
Host configuration files are kept in this directory.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
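Review bot: "Optional directory from which any .conf file will be loaded" should state the load order (for example, sorted by file name) and how a variable set in both tinc.conf and a conf.d file is resolved, since that decides which setting wins. Because every file there is effectively part of tinc.conf, also note that the directory needs the same ownership and permissions as tinc.conf, so that an unprivileged local user cannot drop a .conf file in.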

View file

@ -1,14 +1,14 @@
This is tinc.info, produced by makeinfo version 5.1 from tinc.texi.
This is tinc.info, produced by makeinfo version 5.2 from tinc.texi.
INFO-DIR-SECTION Networking tools
START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.1pre9, a Virtual Private
This is the info manual for tinc version 1.1pre10, a Virtual Private
Network daemon.
Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen
Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
Permission is granted to make and distribute verbatim copies of this
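Review bot: the regenerated tinc.info still says "tinc version 1.1pre10" while this import is 1.1~pre11 (commit title), so the info file was built from an older tinc.texi or a stale version string; regenerate it so the shipped documentation matches the release.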
@ -286,9 +286,9 @@ File: tinc.info, Node: Libraries, Prev: Configuring the kernel, Up: Preparati
=============
Before you can configure or build tinc, you need to have the OpenSSL,
zlib and lzo libraries installed on your system. If you try to
configure tinc without having them installed, configure will give you an
error message, and stop.
zlib, lzo, curses and readline libraries installed on your system. If
you try to configure tinc without having them installed, configure will
give you an error message, and stop.
* Menu:
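Review bot: the Libraries text now lists curses and readline as required ("If you try to configure tinc without having them installed, configure will give you an error message"), but the tincctl(8) page in this same import says "If tinc is compiled with libreadline, history and command completion are available", which implies readline is optional. One of the two is wrong; if configure has switches to disable curses or readline, name them here.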
@ -724,6 +724,9 @@ The actual configuration of the daemon is done in the file
'/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
directory '/etc/tinc/NETNAME/hosts/'.
An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from
which any .conf file will be read.
These file consists of comments (lines started with a #) or assignments
in the form of
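Review bot: typo in the added sentence: "An optionnal directory" should be "An optional directory". As with the man page, the sentence should also state the order in which files in conf.d are read and how conflicts with tinc.conf are resolved.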
@ -767,23 +770,16 @@ AddressFamily = <ipv4|ipv6|any> (any)
system both IPv4 and IPv6 or just IPv6 listening sockets will be
created.
AutoConnect = <count> (0) [experimental]
If set to a non-zero value, tinc will try to only have count meta
connections to other nodes, by automatically making or breaking
connections to known nodes. Higher values increase redundancy but
also increase meta data overhead. When using this option, a good
value is 3.
AutoConnect = <yes|no> (no) [experimental]
If set to yes, tinc will automatically set up meta connections to
other nodes, without requiring CONNECTTO variables.
BindToAddress = <ADDRESS> [<PORT>]
If your computer has more than one IPv4 or IPv6 address, tinc will
by default listen on all of them for incoming connections.
Multiple BindToAddress variables may be specified, in which case
listening sockets for each specified address are made.
If no PORT is specified, the socket will be bound to the port
specified by the Port option, or to port 655 if neither is given.
To only bind to a specific port but not to a specific address, use
"*" for the ADDRESS.
This is the same as ListenAddress, however the address given with
the BindToAddress option will also be used for outgoing
connections. This is useful if your computer has more than one
IPv4 or IPv6 address, and you want tinc to only use a specific one
for outgoing packets.
BindToInterface = <INTERFACE> [experimental]
If you have more than one network interface in your computer, tinc
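Review bot: the AutoConnect text renders the option name as "CONNECTTO variables", presumably because it is marked up as @var in tinc.texi; it is an option name, not a placeholder, and should render as ConnectTo like elsewhere in this file. The same gap as in the man page applies: say which nodes AutoConnect will connect to and how many connections it maintains.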
@ -815,6 +811,18 @@ Broadcast = <no | mst | direct> (mst) [experimental]
broadcast packets will only be sent to nodes which we have a
meta connection to.
BroadcastSubnet = ADDRESS[/PREFIXLENGTH]
Declares a broadcast subnet. Any packet with a destination address
falling into such a subnet will be routed as a broadcast (provided
all nodes have it declared). This is most useful to declare subnet
broadcast addresses (e.g. 10.42.255.255), otherwise tinc won't
know what to do with them.
Note that global broadcast addresses (MAC ff:ff:ff:ff:ff:ff, IPv4
255.255.255.255), as well as multicast space (IPv4 224.0.0.0/4,
IPv6 ff00::/8) are always considered broadcast addresses and don't
need to be declared.
ConnectTo = <NAME>
Specifies which other tinc daemon to connect to on startup.
Multiple ConnectTo variables may be specified, in which case
@ -822,9 +830,9 @@ ConnectTo = <NAME>
names should be known to this tinc daemon (i.e., there should be a
host configuration file for the name on the ConnectTo line).
If you don't specify a host with ConnectTo, tinc won't try to
connect to other daemons at all, and will instead just listen for
incoming connections.
If you don't specify a host with ConnectTo and don't enable
AutoConnect, tinc won't try to connect to other daemons at all, and
will instead just listen for incoming connections.
DecrementTTL = <yes | no> (no) [experimental]
When enabled, tinc will decrement the Time To Live field in IPv4
@ -842,6 +850,13 @@ Device = <DEVICE> ('/dev/tap0', '/dev/net/tun' or other depending on platform)
that you can only use one device per daemon. See also *note Device
files::.
DeviceStandby = <yes | no> (no)
When disabled, tinc calls 'tinc-up' on startup, and 'tinc-down' on
shutdown. When enabled, tinc will only call 'tinc-up' when at
least one node is reachable, and will call 'tinc-down' as soon as
no nodes are reachable. On Windows, this also determines when the
virtual network interface "cable" is "plugged".
DeviceType = <TYPE> (platform dependent)
The type of the virtual network device. Tinc will normally
automatically select the right type of tun/tap interface, and this
@ -914,16 +929,16 @@ DirectOnly = <yes|no> (no) [experimental]
IndirectData option, packets for nodes for which we do not have a
meta connection with are also dropped.
ECDSAPrivateKeyFile = <PATH> ('/etc/tinc/NETNAME/ecdsa_key.priv')
The file in which the private ECDSA key of this tinc daemon
Ed25519PrivateKeyFile = <PATH> ('/etc/tinc/NETNAME/ed25519_key.priv')
The file in which the private Ed25519 key of this tinc daemon
resides. This is only used if ExperimentalProtocol is enabled.
ExperimentalProtocol = <yes|no> (yes)
When this option is enabled, the SPTPS protocol will be used when
connecting to nodes that also support it. Ephemeral ECDH will be
used for key exchanges, and ECDSA will be used instead of RSA for
authentication. When enabled, an ECDSA key must have been
generated before with 'tinc generate-ecdsa-keys'.
used for key exchanges, and Ed25519 will be used instead of RSA for
authentication. When enabled, an Ed25519 key must have been
generated before with 'tinc generate-ed25519-keys'.
Forwarding = <off|internal|kernel> (internal) [experimental]
This option selects the way indirect packets are forwarded.
@ -964,6 +979,18 @@ Interface = <INTERFACE>
interface will be used. If you specified a Device, this variable
is almost always already correctly set.
ListenAddress = <ADDRESS> [<PORT>]
If your computer has more than one IPv4 or IPv6 address, tinc will
by default listen on all of them for incoming connections. This
option can be used to restrict which addresses tinc listens on.
Multiple ListenAddress variables may be specified, in which case
listening sockets for each specified address are made.
If no PORT is specified, the socket will listen on the port
specified by the Port option, or to port 655 if neither is given.
To only listen on a specific port but not to a specific address,
use "*" for the ADDRESS.
LocalDiscovery = <yes | no> (no)
When enabled, tinc will try to detect peers that are on the same
local network. This will allow direct communication using LAN
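Review bot: the LocalDiscovery entry still shows the default as (no), while tinc.conf.5 in this import changes it to (yes); the two documents disagree on a default that decides whether tinc probes peers' LAN addresses. The ListenAddress entry added here also lacks the PORT = 0 paragraph present in the man page, so the info manual never tells readers that zero means a system-assigned port.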
@ -1065,7 +1092,7 @@ ProcessPriority = <low|normal|high>
adjusted. Increasing the priority may help to reduce latency and
packet loss on the VPN.
Proxy = socks4 | socks4 | http | exec ... [experimental]
Proxy = socks4 | socks5 | http | exec ... [experimental]
Use a proxy when making outgoing connections. The following proxy
types are currently supported:
@ -1074,7 +1101,7 @@ Proxy = socks4 | socks4 | http | exec ... [experimental]
Optionally, a USERNAME can be supplied which will be passed on
to the proxy server.
socks4 <ADDRESS> <PORT> [<USERNAME> <PASSWORD>]
socks5 <ADDRESS> <PORT> [<USERNAME> <PASSWORD>]
Connect to the proxy using the SOCKS version 5 protocol. If a
USERNAME and PASSWORD are given, basic username/password
authentication will be used, otherwise no authentication will
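Review bot: the socks4 -> socks5 typo fix is correct, but the socks5 description ("basic username/password authentication") should warn that SOCKS5 username/password authentication sends the credentials in cleartext to the proxy, so the PASSWORD in tinc.conf protects nothing on the path to the proxy and the file must stay unreadable to other users.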
@ -1099,10 +1126,12 @@ ReplayWindow = <bytes> (16)
pass all traffic, but leaves tinc vulnerable to replay-based
attacks on your traffic.
StrictSubnets <yes|no> (no) [experimental]
StrictSubnets = <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements
which are present in the host config files in the local
'/etc/tinc/NETNAME/hosts/' directory.
'/etc/tinc/NETNAME/hosts/' directory. Subnets learned via
connections to other nodes and which are not present in the local
host config files are ignored.
TunnelServer = <yes|no> (no) [experimental]
When this option is enabled tinc will no longer forward information
@ -1131,7 +1160,9 @@ Address = <IP ADDRESS|HOSTNAME> [<port>] [recommended]
This variable is only required if you want to connect to this host.
It must resolve to the external IP address where the host can be
reached, not the one that is internal to the VPN. If no port is
specified, the default Port is used.
specified, the default Port is used. Multiple Address variables
can be specified, in which case each address will be tried until a
working connection has been established.
Cipher = <CIPHER> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets using
@ -1234,6 +1265,12 @@ TCPonly = <yes|no> (no)
masquerading firewall, or if UDP packet routing is disabled
somehow. Setting this options also implicitly sets IndirectData.
Weight = <weight>
If this variable is set, it overrides the weight given to
connections made with another host. A higher weight means a lower
priority is given to this connection when broadcasting or
forwarding packets.

File: tinc.info, Node: Scripts, Next: How to configure, Prev: Host configuration variables, Up: Configuration files
@ -1353,10 +1390,10 @@ contents:
Name = NAME
It will also create private RSA and ECDSA keys, which will be stored in
the files 'rsa_key.priv' and 'ecdsa_key.priv'. It will also create a
host configuration file 'hosts/NAME', which will contain the
corresponding public RSA and ECDSA keys.
It will also create private RSA and Ed25519 keys, which will be stored
in the files 'rsa_key.priv' and 'ed25519_key.priv'. It will also create
a host configuration file 'hosts/NAME', which will contain the
corresponding public RSA and Ed25519 keys.
Finally, on UNIX operating systems, it will create an executable script
'tinc-up', which will initially not do anything except warning that you
@ -1375,7 +1412,7 @@ should run the following command:
This will add a Subnet statement to your host configuration file. Try
opening the file '/etc/tinc/NETNAME/hosts/NAME' in an editor. You
should now see a file containing the public RSA and ECDSA keys (which
should now see a file containing the public RSA and Ed25519 keys (which
looks like a bunch of random characters), and the following line at the
bottom:
@ -1657,9 +1694,9 @@ Key files
A, B, C and D all have their own public/private keypairs:
The private RSA key is stored in '/etc/tinc/company/rsa_key.priv', the
private ECDSA key is stored in '/etc/tinc/company/ecdsa_key.priv', and
the public RSA and ECDSA keys are put into the host configuration file
in the '/etc/tinc/company/hosts/' directory.
private Ed25519 key is stored in '/etc/tinc/company/ed25519_key.priv',
and the public RSA and Ed25519 keys are put into the host configuration
file in the '/etc/tinc/company/hosts/' directory.
Starting
........
@ -1997,11 +2034,17 @@ File: tinc.info, Node: Controlling tinc, Next: Technical information, Prev: R
6 Controlling tinc
******************
You can control and inspect a running tincd through the tinc command. A
quick example:
You can start, stop, control and inspect a running tincd through the
tinc command. A quick example:
tinc -n NETNAME reload
If tinc is started without a command, it will act as a shell; it will
display a prompt, and commands can be entered on the prompt. If tinc is
compiled with libreadline, history and command completion are available
on the prompt. One can also pipe a script containing commands through
tinc. In that case, lines starting with a # symbol will be ignored.
* Menu:
* tinc runtime options::
@ -2052,8 +2095,8 @@ File: tinc.info, Node: tinc commands, Next: tinc examples, Prev: tinc environ
=================
'init [NAME]'
Create initial configuration files and RSA and ECDSA keypairs with
default length. If no NAME for this node is given, it will be
Create initial configuration files and RSA and Ed25519 keypairs
with default length. If no NAME for this node is given, it will be
asked for.
'get VARIABLE'
@ -2126,12 +2169,12 @@ File: tinc.info, Node: tinc commands, Next: tinc examples, Prev: tinc environ
Shows the PID of the currently running 'tincd'.
'generate-keys [BITS]'
Generate both RSA and ECDSA keypairs (see below) and exit. tinc
Generate both RSA and Ed25519 keypairs (see below) and exit. tinc
will ask where you want to store the files, but will default to the
configuration directory (you can use the -c or -n option).
'generate-ecdsa-keys'
Generate public/private ECDSA keypair and exit.
'generate-ed25519-keys'
Generate public/private Ed25519 keypair and exit.
'generate-rsa-keys [BITS]'
Generate public/private RSA keypair and exit. If BITS is omitted,
@ -2195,6 +2238,10 @@ File: tinc.info, Node: tinc commands, Next: tinc examples, Prev: tinc environ
file or piped through a program that can parse it directly, such as
tcpdump.
'network'
If NETNAME is given, switch to that network. Otherwise, display a
list of all networks for which configuration files exist.

File: tinc.info, Node: tinc examples, Next: tinc top, Prev: tinc commands, Up: Controlling tinc
@ -2207,7 +2254,7 @@ Examples of some commands:
tinc -n vpn pcap | tcpdump -r -
tinc -n vpn top
Example of configuring tinc using the tinc command:
Examples of changing the configuration using tinc:
tinc -n vpn init foo
tinc -n vpn add Subnet 192.168.1.0/24
@ -2776,11 +2823,11 @@ The expanded key is used as follows:
Where initiator_cipher_key is the key used by session initiator to
encrypt messages sent to the responder.
When using 521 bits EC keys, the AES-256-CTR cipher and HMAC-SHA-256
digest algorithm, the sizes are as follows:
When using 256 bits Ed25519 keys, the AES-256-CTR cipher and
HMAC-SHA-256 digest algorithm, the sizes are as follows:
ECDH_SIZE: 67 (= ceil(521/8) + 1)
ECDSA_SIZE: 141 (= 2 * ceil(521/8) + 9)
ECDH_SIZE: 32 (= 256/8)
ECDSA_SIZE: 64 (= 2 * 256/8)
CIPHER_KEYSIZE: 48 (= 256/8 + 128/8)
DIGEST_KEYSIZE: 32 (= 256/8)
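Review bot: the label `ECDSA_SIZE: 64 (= 2 * 256/8)` still carries the ECDSA name although the paragraph above it now says 256-bit Ed25519 keys are used; since the value is the Ed25519 signature length, rename the label (for example SIGNATURE_SIZE) or add a sentence stating that it is the size of the signature, so that a reader does not look for an ECDSA key that no longer exists. Also "256 bits Ed25519 keys" should read "256-bit Ed25519 keys". The same wording appears in the tinc.texi hunk at the end of this diff, from which this info file is generated.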
@ -3019,6 +3066,7 @@ Concept Index
* ACK: Legacy authentication protocol.
(line 6)
* add: tinc commands. (line 22)
* Address: Host configuration variables.
(line 6)
* AddressFamily: Main configuration variables.
@ -3031,83 +3079,107 @@ Concept Index
* binary package: Building and installing tinc.
(line 9)
* BindToAddress: Main configuration variables.
(line 19)
(line 16)
* BindToInterface: Main configuration variables.
(line 30)
(line 23)
* Broadcast: Main configuration variables.
(line 40)
(line 33)
* BroadcastSubnet: Main configuration variables.
(line 53)
* Cabal: Security. (line 6)
* CHALLENGE: Legacy authentication protocol.
(line 6)
* CHAL_REPLY: Legacy authentication protocol.
(line 6)
* CIDR notation: Host configuration variables.
(line 94)
(line 96)
* Cipher: Host configuration variables.
(line 12)
(line 14)
* ClampMSS: Host configuration variables.
(line 20)
(line 22)
* client: How connections work.
(line 18)
* command line: Runtime options. (line 9)
* command line interface: Controlling tinc. (line 6)
* Compression: Host configuration variables.
(line 26)
(line 28)
* connection: The connection. (line 6)
* ConnectTo: Main configuration variables.
(line 60)
(line 65)
* daemon: Running tinc. (line 11)
* data-protocol: The meta-connection. (line 18)
* debug: tinc commands. (line 121)
* debug level: Runtime options. (line 17)
* debug levels: Debug levels. (line 6)
* DecrementTTL: Main configuration variables.
(line 71)
(line 76)
* del: tinc commands. (line 26)
* DEL_EDGE: The meta-protocol. (line 46)
* DEL_SUBNET: The meta-protocol. (line 46)
* Device: Main configuration variables.
(line 80)
(line 85)
* DEVICE: Scripts. (line 60)
* device files: Device files. (line 6)
* DeviceStandby: Main configuration variables.
(line 92)
* DeviceType: Main configuration variables.
(line 87)
(line 99)
* Digest: Host configuration variables.
(line 31)
(line 33)
* DirectOnly: Main configuration variables.
(line 152)
(line 164)
* disconnect: tinc commands. (line 136)
* dummy: Main configuration variables.
(line 94)
* ECDSAPrivateKeyFile: Main configuration variables.
(line 159)
(line 106)
* dump: tinc commands. (line 94)
* Ed25519PrivateKeyFile: Main configuration variables.
(line 171)
* edit: tinc commands. (line 31)
* encapsulating: The UDP tunnel. (line 30)
* encryption: Encryption of network packets.
(line 6)
* environment variables: Scripts. (line 48)
* example: Example configuration.
(line 6)
* exchange: tinc commands. (line 47)
* exchange-all: tinc commands. (line 50)
* exec: Main configuration variables.
(line 328)
(line 352)
* ExperimentalProtocol: Main configuration variables.
(line 163)
(line 175)
* export: tinc commands. (line 35)
* export-all: tinc commands. (line 39)
* Forwarding: Main configuration variables.
(line 170)
(line 182)
* frame type: The UDP tunnel. (line 6)
* generate-ed25519-keys: tinc commands. (line 85)
* generate-keys: tinc commands. (line 80)
* generate-rsa-keys: tinc commands. (line 88)
* get: tinc commands. (line 11)
* graph: tinc commands. (line 107)
* Hostnames: Main configuration variables.
(line 190)
(line 202)
* http: Main configuration variables.
(line 325)
(line 349)
* hub: Main configuration variables.
(line 246)
(line 270)
* ID: Legacy authentication protocol.
(line 6)
* import: tinc commands. (line 42)
* IndirectData: Host configuration variables.
(line 38)
(line 40)
* info: tinc commands. (line 114)
* init: tinc commands. (line 6)
* Interface: Main configuration variables.
(line 201)
(line 213)
* INTERFACE: Scripts. (line 63)
* INVITATION_FILE: Scripts. (line 86)
* INVITATION_URL: Scripts. (line 90)
* invite: tinc commands. (line 53)
* IRC: Contact information. (line 9)
* join: tinc commands. (line 58)
* KeyExpire: Main configuration variables.
(line 251)
(line 275)
* KEY_CHANGED: The meta-protocol. (line 63)
* legacy authentication protocol: Legacy authentication protocol.
(line 6)
@ -3115,27 +3187,30 @@ Concept Index
* libraries: Libraries. (line 6)
* libreadline: libreadline. (line 6)
* license: OpenSSL. (line 35)
* ListenAddress: Main configuration variables.
(line 221)
* LocalDiscovery: Main configuration variables.
(line 209)
(line 233)
* LocalDiscoveryAddress: Main configuration variables.
(line 220)
(line 244)
* log: tinc commands. (line 124)
* lzo: lzo. (line 6)
* MACExpire: Main configuration variables.
(line 257)
(line 281)
* MACLength: Host configuration variables.
(line 43)
(line 45)
* MaxConnectionBurst: Main configuration variables.
(line 262)
(line 286)
* meta-protocol: The meta-connection. (line 18)
* META_KEY: Legacy authentication protocol.
(line 6)
* Mode: Main configuration variables.
(line 224)
(line 248)
* multicast: Main configuration variables.
(line 106)
(line 118)
* multiple networks: Multiple networks. (line 6)
* Name: Main configuration variables.
(line 268)
(line 292)
* NAME: Scripts. (line 57)
* netmask: Network interfaces. (line 39)
* netname: Multiple networks. (line 6)
@ -3144,101 +3219,114 @@ Concept Index
(line 6)
* Network Administrators Guide: Configuration introduction.
(line 15)
* network [NETNAME]: tinc commands. (line 150)
* NODE: Scripts. (line 67)
* OpenSSL: OpenSSL. (line 6)
* options: Runtime options. (line 9)
* pcap: tinc commands. (line 144)
* PEM format: Host configuration variables.
(line 70)
(line 72)
* pid: tinc commands. (line 77)
* PING: The meta-protocol. (line 88)
* PingInterval: Main configuration variables.
(line 279)
(line 303)
* PingTimeout: Main configuration variables.
(line 283)
(line 307)
* platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables.
(line 50)
(line 52)
* PMTUDiscovery: Host configuration variables.
(line 53)
(line 55)
* PONG: The meta-protocol. (line 88)
* Port: Host configuration variables.
(line 58)
(line 60)
* port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables.
(line 289)
(line 313)
* private: Virtual Private Networks.
(line 10)
* PrivateKey: Main configuration variables.
(line 294)
(line 318)
* PrivateKeyFile: Main configuration variables.
(line 300)
(line 324)
* ProcessPriority: Main configuration variables.
(line 305)
(line 329)
* Proxy: Main configuration variables.
(line 310)
(line 334)
* PublicKey: Host configuration variables.
(line 62)
(line 64)
* PublicKeyFile: Host configuration variables.
(line 65)
(line 67)
* purge: tinc commands. (line 118)
* raw_socket: Main configuration variables.
(line 99)
(line 111)
* release: Supported platforms. (line 14)
* reload: tinc commands. (line 72)
* REMOTEADDRESS: Scripts. (line 72)
* REMOTEPORT: Scripts. (line 75)
* ReplayWindow: Main configuration variables.
(line 333)
(line 357)
* requirements: Libraries. (line 6)
* REQ_KEY: The meta-protocol. (line 63)
* restart: tinc commands. (line 69)
* retry: tinc commands. (line 129)
* router: Main configuration variables.
(line 227)
(line 251)
* runtime options: Runtime options. (line 9)
* scalability: tinc. (line 19)
* scripts: Scripts. (line 6)
* server: How connections work.
(line 18)
* set: tinc commands. (line 16)
* shell: Controlling tinc. (line 11)
* signals: Signals. (line 6)
* socks4: Main configuration variables.
(line 314)
(line 338)
* socks5: Main configuration variables.
(line 319)
(line 343)
* SPTPS: Simple Peer-to-Peer Security.
(line 6)
* start: tinc commands. (line 63)
* stop: tinc commands. (line 66)
* StrictSubnets: Main configuration variables.
(line 344)
(line 368)
* Subnet: Host configuration variables.
(line 77)
(line 79)
* SUBNET: Scripts. (line 79)
* SVPN: Security. (line 11)
* switch: Main configuration variables.
(line 235)
(line 259)
* TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables.
(line 106)
(line 108)
* tinc: Introduction. (line 6)
* TINC: Security. (line 6)
* tinc-down: Scripts. (line 18)
* tinc-up: Scripts. (line 10)
* tinc-up <1>: Network interfaces. (line 19)
* tincd: tinc. (line 14)
* top: tinc commands. (line 139)
* top <1>: tinc top. (line 6)
* traditional VPNs: tinc. (line 19)
* tunifhead: Main configuration variables.
(line 141)
(line 153)
* TunnelServer: Main configuration variables.
(line 349)
(line 375)
* tunnohead: Main configuration variables.
(line 135)
(line 147)
* UDP: The UDP tunnel. (line 30)
* UDP <1>: Encryption of network packets.
(line 11)
* UDPRcvBuf: Main configuration variables.
(line 356)
(line 382)
* UDPSndBuf: Main configuration variables.
(line 361)
(line 387)
* UML: Main configuration variables.
(line 117)
(line 129)
* Universal tun/tap: Configuration of Linux kernels.
(line 6)
* VDE: Main configuration variables.
(line 122)
(line 134)
* virtual: Virtual Private Networks.
(line 18)
* virtual network device: The UDP tunnel. (line 6)
@ -3246,80 +3334,82 @@ Concept Index
(line 6)
* vpnd: tinc. (line 6)
* website: Contact information. (line 6)
* Weight: Host configuration variables.
(line 115)
* WEIGHT: Scripts. (line 82)
* zlib: zlib. (line 6)

Tag Table:
Node: Top807
Node: Introduction1127
Node: Virtual Private Networks1931
Node: tinc3643
Node: Supported platforms5155
Node: Preparations5851
Node: Configuring the kernel6107
Node: Configuration of Linux kernels6516
Node: Configuration of FreeBSD kernels7365
Node: Configuration of OpenBSD kernels7830
Node: Configuration of NetBSD kernels8438
Node: Configuration of Solaris kernels8840
Node: Configuration of Darwin (MacOS/X) kernels9501
Node: Configuration of Windows10190
Node: Libraries10703
Node: OpenSSL11121
Node: zlib13393
Node: lzo14411
Node: libcurses15401
Node: libreadline16311
Node: Installation17248
Node: Building and installing tinc18257
Node: Darwin (MacOS/X) build environment18913
Node: Cygwin (Windows) build environment19477
Node: MinGW (Windows) build environment20061
Node: System files20579
Node: Device files20844
Node: Other files21257
Node: Configuration21870
Node: Configuration introduction22157
Node: Multiple networks23678
Node: How connections work25046
Node: Configuration files27607
Node: Main configuration variables29135
Node: Host configuration variables45893
Node: Scripts51364
Node: How to configure54765
Node: Network interfaces59241
Node: Example configuration61620
Node: Running tinc66713
Node: Runtime options67300
Node: Signals70160
Node: Debug levels71009
Node: Solving problems71945
Node: Error messages73371
Node: Sending bug reports77688
Node: Controlling tinc78635
Node: tinc runtime options79012
Node: tinc environment variables79699
Node: tinc commands80028
Node: tinc examples85138
Node: tinc top85701
Node: Technical information87286
Node: The connection87521
Node: The UDP tunnel87833
Node: The meta-connection90878
Node: The meta-protocol92336
Node: Security97319
Node: Legacy authentication protocol98656
Node: Simple Peer-to-Peer Security103273
Node: Encryption of network packets108933
Node: Security issues111562
Node: Platform specific information113297
Node: Interface configuration113525
Node: Routes115966
Node: About us117877
Node: Contact information118052
Node: Authors118454
Node: Concept Index118856
Node: Top808
Node: Introduction1128
Node: Virtual Private Networks1932
Node: tinc3644
Node: Supported platforms5156
Node: Preparations5852
Node: Configuring the kernel6108
Node: Configuration of Linux kernels6517
Node: Configuration of FreeBSD kernels7366
Node: Configuration of OpenBSD kernels7831
Node: Configuration of NetBSD kernels8439
Node: Configuration of Solaris kernels8841
Node: Configuration of Darwin (MacOS/X) kernels9502
Node: Configuration of Windows10191
Node: Libraries10704
Node: OpenSSL11140
Node: zlib13412
Node: lzo14430
Node: libcurses15420
Node: libreadline16330
Node: Installation17267
Node: Building and installing tinc18276
Node: Darwin (MacOS/X) build environment18932
Node: Cygwin (Windows) build environment19496
Node: MinGW (Windows) build environment20080
Node: System files20598
Node: Device files20863
Node: Other files21276
Node: Configuration21889
Node: Configuration introduction22176
Node: Multiple networks23697
Node: How connections work25065
Node: Configuration files27626
Node: Main configuration variables29258
Node: Host configuration variables47397
Node: Scripts53256
Node: How to configure56657
Node: Network interfaces61141
Node: Example configuration63520
Node: Running tinc68619
Node: Runtime options69206
Node: Signals72066
Node: Debug levels72915
Node: Solving problems73851
Node: Error messages75277
Node: Sending bug reports79594
Node: Controlling tinc80541
Node: tinc runtime options81287
Node: tinc environment variables81974
Node: tinc commands82303
Node: tinc examples87567
Node: tinc top88129
Node: Technical information89714
Node: The connection89949
Node: The UDP tunnel90261
Node: The meta-connection93306
Node: The meta-protocol94764
Node: Security99747
Node: Legacy authentication protocol101084
Node: Simple Peer-to-Peer Security105701
Node: Encryption of network packets111346
Node: Security issues113975
Node: Platform specific information115710
Node: Interface configuration115938
Node: Routes118379
Node: About us120290
Node: Contact information120465
Node: Authors120867
Node: Concept Index121269

End Tag Table

View file

@ -15,7 +15,7 @@
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2013 Ivo Timmermans,
Copyright @copyright{} 1998-2014 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@ -43,7 +43,7 @@ permission notice identical to this one.
@vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2013 Ivo Timmermans,
Copyright @copyright{} 1998-2014 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@ -335,9 +335,10 @@ as explained in the rest of the documentation.
@cindex requirements
@cindex libraries
Before you can configure or build tinc, you need to have the OpenSSL,
zlib and lzo libraries installed on your system. If you try to configure tinc without
having them installed, configure will give you an error message, and stop.
Before you can configure or build tinc, you need to have the OpenSSL, zlib,
lzo, curses and readline libraries installed on your system. If you try to
configure tinc without having them installed, configure will give you an error
message, and stop.
@menu
* OpenSSL::
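Review bot: the rewritten sentence now lists curses and readline as libraries you "need to have" before configure will proceed, but later hunks in this same diff describe both as optional ("If tinc is compiled with libreadline", "If tinc is compiled with libcurses support"). Either say here that configure only needs them for the shell and top features, or state how a build without them is selected, so the two parts of the manual do not contradict each other.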
@ -793,6 +794,9 @@ The actual configuration of the daemon is done in the file
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
any .conf file will be read.
These file consists of comments (lines started with a #) or assignments
in the form of
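Review bot: typo in the added line, "optionnal" should be "optional". The new sentence also leaves open in which order files in conf.d are read relative to tinc.conf and to each other; since the manual elsewhere describes variables whose last occurrence wins or that may be given multiple times, state the reading order (and that only files ending in .conf are considered, as the text already implies) so administrators can predict which assignment takes effect.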
@ -839,23 +843,16 @@ If any is selected, then depending on the operating system
both IPv4 and IPv6 or just IPv6 listening sockets will be created.
@cindex AutoConnect
@item AutoConnect = <count> (0) [experimental]
If set to a non-zero value,
tinc will try to only have count meta connections to other nodes,
by automatically making or breaking connections to known nodes.
Higher values increase redundancy but also increase meta data overhead.
When using this option, a good value is 3.
@item AutoConnect = <yes|no> (no) [experimental]
If set to yes, tinc will automatically set up meta connections to other nodes,
without requiring @var{ConnectTo} variables.
@cindex BindToAddress
@item BindToAddress = <@var{address}> [<@var{port}>]
If your computer has more than one IPv4 or IPv6 address, tinc
will by default listen on all of them for incoming connections.
Multiple BindToAddress variables may be specified,
in which case listening sockets for each specified address are made.
If no @var{port} is specified, the socket will be bound to the port specified by the Port option,
or to port 655 if neither is given.
To only bind to a specific port but not to a specific address, use "*" for the @var{address}.
This is the same as ListenAddress, however the address given with the BindToAddress option
will also be used for outgoing connections.
This is useful if your computer has more than one IPv4 or IPv6 address,
and you want tinc to only use a specific one for outgoing packets.
@cindex BindToInterface
@item BindToInterface = <@var{interface}> [experimental]
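Review bot: the new AutoConnect text drops the information that was in the old version about how many meta connections tinc tries to maintain and the redundancy versus meta data overhead trade-off; with a plain yes/no switch the reader can no longer tell how many connections to expect, so state the target count tinc uses when AutoConnect = yes. For BindToAddress, the rewritten text refers to ListenAddress, which is only introduced further down in this diff; a cross reference (e.g. "see ListenAddress below") would make the dependency explicit.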
@ -887,6 +884,18 @@ Broadcast packets received from other nodes are never forwarded.
If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
@end table
@cindex BroadcastSubnet
@item BroadcastSubnet = @var{address}[/@var{prefixlength}]
Declares a broadcast subnet.
Any packet with a destination address falling into such a subnet will be routed as a broadcast
(provided all nodes have it declared).
This is most useful to declare subnet broadcast addresses (e.g. 10.42.255.255),
otherwise tinc won't know what to do with them.
Note that global broadcast addresses (MAC ff:ff:ff:ff:ff:ff, IPv4 255.255.255.255),
as well as multicast space (IPv4 224.0.0.0/4, IPv6 ff00::/8)
are always considered broadcast addresses and don't need to be declared.
@cindex ConnectTo
@item ConnectTo = <@var{name}>
Specifies which other tinc daemon to connect to on startup.
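Review bot: the parenthetical "(provided all nodes have it declared)" in the BroadcastSubnet item leaves the failure case undocumented: say what happens to a packet for such an address when some nodes have the subnet declared and others do not (dropped, or delivered to fewer nodes), since that is what an administrator will see when rolling the option out gradually.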
@ -895,7 +904,7 @@ in which case outgoing connections to each specified tinc daemon are made.
The names should be known to this tinc daemon
(i.e., there should be a host configuration file for the name on the ConnectTo line).
If you don't specify a host with ConnectTo,
If you don't specify a host with ConnectTo and don't enable AutoConnect,
tinc won't try to connect to other daemons at all,
and will instead just listen for incoming connections.
@ -917,6 +926,13 @@ Under Windows, use @var{Interface} instead of @var{Device}.
Note that you can only use one device per daemon.
See also @ref{Device files}.
@cindex DeviceStandby
@item DeviceStandby = <yes | no> (no)
When disabled, tinc calls @file{tinc-up} on startup, and @file{tinc-down} on shutdown.
When enabled, tinc will only call @file{tinc-up} when at least one node is reachable,
and will call @file{tinc-down} as soon as no nodes are reachable.
On Windows, this also determines when the virtual network interface "cable" is "plugged".
@cindex DeviceType
@item DeviceType = <@var{type}> (platform dependent)
The type of the virtual network device.
@ -996,18 +1012,18 @@ but which would have to be forwarded by an intermediate node, are dropped instea
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
@cindex ECDSAPrivateKeyFile
@item ECDSAPrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/ecdsa_key.priv})
The file in which the private ECDSA key of this tinc daemon resides.
@cindex Ed25519PrivateKeyFile
@item Ed25519PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/ed25519_key.priv})
The file in which the private Ed25519 key of this tinc daemon resides.
This is only used if ExperimentalProtocol is enabled.
@cindex ExperimentalProtocol
@item ExperimentalProtocol = <yes|no> (yes)
When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
Ephemeral ECDH will be used for key exchanges,
and ECDSA will be used instead of RSA for authentication.
When enabled, an ECDSA key must have been generated before with
@samp{tinc generate-ecdsa-keys}.
and Ed25519 will be used instead of RSA for authentication.
When enabled, an Ed25519 key must have been generated before with
@samp{tinc generate-ed25519-keys}.
@cindex Forwarding
@item Forwarding = <off|internal|kernel> (internal) [experimental]
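Review bot: the ExperimentalProtocol item says SPTPS "will be used when connecting to nodes that also support it", which implies a silent fall back to the legacy RSA protocol for nodes that do not; make that explicit, and say whether a node can require SPTPS, because with the default now being yes an administrator may otherwise assume every connection uses the newer protocol. Minor: "Ephemeral ECDH" is kept while the key type changed to Ed25519; a short note on which curve the ECDH exchange uses would remove the apparent mismatch.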
@ -1046,6 +1062,18 @@ Depending on the operating system and the type of device this may or may not act
Under Windows, this variable is used to select which network interface will be used.
If you specified a Device, this variable is almost always already correctly set.
@cindex ListenAddress
@item ListenAddress = <@var{address}> [<@var{port}>]
If your computer has more than one IPv4 or IPv6 address, tinc
will by default listen on all of them for incoming connections.
This option can be used to restrict which addresses tinc listens on.
Multiple ListenAddress variables may be specified,
in which case listening sockets for each specified address are made.
If no @var{port} is specified, the socket will listen on the port specified by the Port option,
or to port 655 if neither is given.
To only listen on a specific port but not to a specific address, use "*" for the @var{address}.
@cindex LocalDiscovery
@item LocalDiscovery = <yes | no> (no)
When enabled, tinc will try to detect peers that are on the same local network.
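Review bot: grammar in the new ListenAddress item, "or to port 655 if neither is given" should be "or on port 655 if neither is given", and "but not to a specific address" should be "but not on a specific address". It would also help to state that ListenAddress only restricts incoming connections, contrasting it with the BindToAddress wording earlier in this diff, which adds the outgoing side.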
@ -1152,7 +1180,7 @@ When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN.
@cindex Proxy
@item Proxy = socks4 | socks4 | http | exec @var{...} [experimental]
@item Proxy = socks4 | socks5 | http | exec @var{...} [experimental]
Use a proxy when making outgoing connections.
The following proxy types are currently supported:
@ -1163,7 +1191,7 @@ Connects to the proxy using the SOCKS version 4 protocol.
Optionally, a @var{username} can be supplied which will be passed on to the proxy server.
@cindex socks5
@item socks4 <@var{address}> <@var{port}> [<@var{username}> <@var{password}>]
@item socks5 <@var{address}> <@var{port}> [<@var{username}> <@var{password}>]
Connect to the proxy using the SOCKS version 5 protocol.
If a @var{username} and @var{password} are given, basic username/password authentication will be used,
otherwise no authentication will be used.
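Review bot: the fixed socks5 item starts with "Connect to the proxy" while the socks4 item directly above it reads "Connects to the proxy"; use the same form for both. Since this item is the one that accepts a password, a sentence noting that the credentials are stored in plain text in tinc.conf (so the file's permissions matter) would be useful to an administrator deciding whether to use it.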
@ -1190,10 +1218,12 @@ pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic.
@cindex StrictSubnets
@item StrictSubnets <yes|no> (no) [experimental]
@item StrictSubnets = <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Subnets learned via connections to other nodes and which are not
present in the local host config files are ignored.
@cindex TunnelServer
@item TunnelServer = <yes|no> (no) [experimental]
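Review bot: besides the "=" fix, the StrictSubnets text describes the mechanism but not the reason to enable it; add one sentence saying that it prevents a remote node from announcing Subnets the local administrator has not placed in the hosts directory, so only locally vetted routing information is acted on. That is the property a reader choosing between StrictSubnets and TunnelServer (the next item) needs.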
@ -1226,6 +1256,8 @@ This variable is only required if you want to connect to this host. It
must resolve to the external IP address where the host can be reached,
not the one that is internal to the VPN.
If no port is specified, the default Port is used.
Multiple Address variables can be specified, in which case each address will be
tried until a working connection has been established.
@cindex Cipher
@item Cipher = <@var{cipher}> (blowfish)
@ -1336,6 +1368,12 @@ TCP connection instead of a UDP connection. This is especially useful
for those who want to run a tinc daemon from behind a masquerading
firewall, or if UDP packet routing is disabled somehow.
Setting this options also implicitly sets IndirectData.
@cindex Weight
@item Weight = <weight>
If this variable is set, it overrides the weight given to connections made with
another host. A higher weight means a lower priority is given to this
connection when broadcasting or forwarding packets.
@end table
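Review bot: the new Weight item writes its argument as `<weight>` whereas the other host variables use `<@var{...}>`, and it gives neither the default value nor the accepted range, both of which every other numeric variable in this table states. Please add them, and say whether the override applies only to connections this node makes or also to connections initiated by the other host.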
@ -1471,9 +1509,9 @@ In the configuration directory, it will create the file @file{tinc.conf} with th
Name = @var{name}
@end example
It will also create private RSA and ECDSA keys, which will be stored in the files @file{rsa_key.priv} and @file{ecdsa_key.priv}.
It will also create private RSA and Ed25519 keys, which will be stored in the files @file{rsa_key.priv} and @file{ed25519_key.priv}.
It will also create a host configuration file @file{hosts/@var{name}},
which will contain the corresponding public RSA and ECDSA keys.
which will contain the corresponding public RSA and Ed25519 keys.
Finally, on UNIX operating systems, it will create an executable script @file{tinc-up},
which will initially not do anything except warning that you should edit it.
@ -1492,7 +1530,7 @@ tinc -n @var{netname} add subnet 192.168.2.0/24
This will add a Subnet statement to your host configuration file.
Try opening the file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/@var{name}} in an editor.
You should now see a file containing the public RSA and ECDSA keys (which looks like a bunch of random characters),
You should now see a file containing the public RSA and Ed25519 keys (which looks like a bunch of random characters),
and the following line at the bottom:
@example
@ -1803,8 +1841,8 @@ Address = 4.5.6.7
A, B, C and D all have their own public/private keypairs:
The private RSA key is stored in @file{@value{sysconfdir}/tinc/company/rsa_key.priv},
the private ECDSA key is stored in @file{@value{sysconfdir}/tinc/company/ecdsa_key.priv},
and the public RSA and ECDSA keys are put into the host configuration file in the @file{@value{sysconfdir}/tinc/company/hosts/} directory.
the private Ed25519 key is stored in @file{@value{sysconfdir}/tinc/company/ed25519_key.priv},
and the public RSA and Ed25519 keys are put into the host configuration file in the @file{@value{sysconfdir}/tinc/company/hosts/} directory.
@subsubheading Starting
@ -2146,13 +2184,21 @@ Be sure to include the following information in your bugreport:
@node Controlling tinc
@chapter Controlling tinc
You can control and inspect a running tincd through the tinc
@cindex command line interface
You can start, stop, control and inspect a running tincd through the tinc
command. A quick example:
@example
tinc -n @var{netname} reload
@end example
@cindex shell
If tinc is started without a command, it will act as a shell; it will display a
prompt, and commands can be entered on the prompt. If tinc is compiled with
libreadline, history and command completion are available on the prompt. One
can also pipe a script containing commands through tinc. In that case, lines
starting with a # symbol will be ignored.
@menu
* tinc runtime options::
* tinc environment variables::
@ -2206,85 +2252,107 @@ the value of this environment variable is used.
@c from the manpage
@table @code
@cindex init
@item init [@var{name}]
Create initial configuration files and RSA and ECDSA keypairs with default length.
Create initial configuration files and RSA and Ed25519 keypairs with default length.
If no @var{name} for this node is given, it will be asked for.
@cindex get
@item get @var{variable}
Print the current value of configuration variable @var{variable}.
If more than one variable with the same name exists,
the value of each of them will be printed on a separate line.
@cindex set
@item set @var{variable} @var{value}
Set configuration variable @var{variable} to the given @var{value}.
All previously existing configuration variables with the same name are removed.
To set a variable for a specific host, use the notation @var{host}.@var{variable}.
@cindex add
@item add @var{variable} @var{value}
As above, but without removing any previously existing configuration variables.
@cindex del
@item del @var{variable} [@var{value}]
Remove configuration variables with the same name and @var{value}.
If no @var{value} is given, all configuration variables with the same name will be removed.
@cindex edit
@item edit @var(unknown)
Start an editor for the given configuration file.
You do not need to specify the full path to the file.
@cindex export
@item export
Export the host configuration file of the local node to standard output.
@cindex export-all
@item export-all
Export all host configuration files to standard output.
@cindex import
@item import [--force]
Import host configuration file(s) generated by the tinc export command from standard input.
Already existing host configuration files are not overwritten unless the option --force is used.
@cindex exchange
@item exchange [--force]
The same as export followed by import.
@cindex exchange-all
@item exchange-all [--force]
The same as export-all followed by import.
@cindex invite
@item invite @var{name}
Prepares an invitation for a new node with the given @var{name},
and prints a short invitation URL that can be used with the join command.
@cindex join
@item join [@var{URL}]
Join an existing VPN using an invitation URL created using the invite command.
If no @var{URL} is given, it will be read from standard input.
@cindex start
@item start [tincd options]
Start @samp{tincd}, optionally with the given extra options.
@cindex stop
@item stop
Stop @samp{tincd}.
@cindex restart
@item restart [tincd options]
Restart @samp{tincd}, optionally with the given extra options.
@cindex reload
@item reload
Partially rereads configuration files. Connections to hosts whose host
config files are removed are closed. New outgoing connections specified
in @file{tinc.conf} will be made.
@cindex pid
@item pid
Shows the PID of the currently running @samp{tincd}.
@cindex generate-keys
@item generate-keys [@var{bits}]
Generate both RSA and ECDSA keypairs (see below) and exit.
Generate both RSA and Ed25519 keypairs (see below) and exit.
tinc will ask where you want to store the files, but will default to the
configuration directory (you can use the -c or -n option).
@item generate-ecdsa-keys
Generate public/private ECDSA keypair and exit.
@cindex generate-ed25519-keys
@item generate-ed25519-keys
Generate public/private Ed25519 keypair and exit.
@cindex generate-rsa-keys
@item generate-rsa-keys [@var{bits}]
Generate public/private RSA keypair and exit. If @var{bits} is omitted, the
default length will be 2048 bits. When saving keys to existing files, tinc
will not delete the old keys; you have to remove them manually.
@cindex dump
@item dump [reachable] nodes
Dump a list of all known nodes in the VPN.
If the reachable keyword is used, only lists reachable nodes.
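Review bot: the new invite and join items present the invitation URL as the credential that lets a new node join, but do not say how long it remains valid or whether it can be used more than once; state that, and that the URL has to be handed over through a confidential channel, since anyone holding it can join the VPN under the given name. Minor: the generate-rsa-keys text says old keys are not deleted when saving to existing files; the same sentence should cover generate-ed25519-keys if it behaves the same way.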
@ -2298,26 +2366,32 @@ Dump a list of all known subnets in the VPN.
@item dump connections
Dump a list of all meta connections with ourself.
@cindex graph
@item dump graph | digraph
Dump a graph of the VPN in dotty format.
Nodes are colored according to their reachability:
red nodes are unreachable, orange nodes are indirectly reachable, green nodes are directly reachable.
Black nodes are either directly or indirectly reachable, but direct reachability has not been tried yet.
@cindex info
@item info @var{node} | @var{subnet} | @var{address}
Show information about a particular @var{node}, @var{subnet} or @var{address}.
If an @var{address} is given, any matching subnet will be shown.
@cindex purge
@item purge
Purges all information remembered about unreachable nodes.
@cindex debug
@item debug @var{level}
Sets debug level to @var{level}.
@cindex log
@item log [@var{level}]
Capture log messages from a running tinc daemon.
An optional debug level can be given that will be applied only for log messages sent to tinc.
@cindex retry
@item retry
Forces tinc to try to connect to all uplinks immediately.
Usually tinc attempts to do this itself,
@ -2325,19 +2399,27 @@ but increases the time it waits between the attempts each time it failed,
and if tinc didn't succeed to connect to an uplink the first time after it started,
it defaults to the maximum time of 15 minutes.
@cindex disconnect
@item disconnect @var{node}
Closes the meta connection with the given @var{node}.
@cindex top
@item top
If tinc is compiled with libcurses support, this will display live traffic statistics for all the known nodes,
similar to the UNIX top command.
See below for more information.
@cindex pcap
@item pcap
Dump VPN traffic going through the local tinc node in pcap-savefile format to standard output,
from where it can be redirected to a file or piped through a program that can parse it directly,
such as tcpdump.
@cindex network [@var{netname}]
@item network
If @var{netname} is given, switch to that network.
Otherwise, display a list of all networks for which configuration files exist.
@end table
@c ==================================================================
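Review bot: in the network entry the optional argument has landed on the index line instead of the item: "@cindex network [@var{netname}]" followed by "@item network". This puts the literal text "[netname]" into the concept index and leaves the table entry without the argument the description ("If @var{netname} is given, switch to that network.") refers to. Swap them to "@cindex network" and "@item network [@var{netname}]", matching the form used for "@item log [@var{level}]" and "@item generate-rsa-keys [@var{bits}]" elsewhere in this table.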
@ -2352,7 +2434,7 @@ tinc -n vpn pcap | tcpdump -r -
tinc -n vpn top
@end example
Example of configuring tinc using the tinc command:
Examples of changing the configuration using tinc:
@example
tinc -n vpn init foo
@ -2366,6 +2448,7 @@ tinc -n vpn export | gpg --clearsign | mail -s "My config" vpnmaster@@example.co
@node tinc top
@section tinc top
@cindex top
The top command connects to a running tinc daemon and repeatedly queries its per-node traffic counters.
It displays a list of all the known nodes in the left-most column,
and the amount of bytes and packets read from and sent to each node in the other columns.
@ -2946,12 +3029,12 @@ The expanded key is used as follows:
Where initiator_cipher_key is the key used by session initiator to encrypt
messages sent to the responder.
When using 521 bits EC keys, the AES-256-CTR cipher and HMAC-SHA-256 digest algorithm,
When using 256 bits Ed25519 keys, the AES-256-CTR cipher and HMAC-SHA-256 digest algorithm,
the sizes are as follows:
@example
ECDH_SIZE: 67 (= ceil(521/8) + 1)
ECDSA_SIZE: 141 (= 2 * ceil(521/8) + 9)
ECDH_SIZE: 32 (= 256/8)
ECDSA_SIZE: 64 (= 2 * 256/8)
CIPHER_KEYSIZE: 48 (= 256/8 + 128/8)
DIGEST_KEYSIZE: 32 (= 256/8)
@end example
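Review bot: the constant names in the size table no longer match the algorithm the sentence above them names. The text changes from "521 bits EC keys" to "256 bits Ed25519 keys", and the values are updated accordingly (ECDH_SIZE 32 = 256/8, ECDSA_SIZE 64 = 2 * 256/8), but the label ECDSA_SIZE still says ECDSA; either rename it in the documentation or add a clause such as "ECDSA_SIZE here is the length of an Ed25519 signature (two 32-byte values)" so the 64 is explained. The same applies to ECDH_SIZE, which for a 256-bit curve is a 32-byte public value, not an ECDSA quantity. Also, "256 bits Ed25519 keys" should read "256-bit Ed25519 keys" (the old line had the same grammar issue with "521 bits EC keys").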