Import Upstream version 1.0.13

Guus Sliepen 2019-08-26 13:44:40 +02:00
parent c54d214bf2
commit 3f0ae998e8
34 changed files with 861 additions and 375 deletions



@ -199,6 +199,32 @@ Tinc will expect packets read from the virtual network device
to start with an Ethernet header.
.El
.It Va DirectOnly Li = yes | no Po no Pc Bq experimental
When this option is enabled, packets that cannot be sent directly to the destination node,
but which would have to be forwarded by an intermediate node, are dropped instead.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded.
.Bl -tag -width indent
.It off
Incoming packets that are not meant for the local node,
but which should be forwarded to another node, are dropped.
.It internal
Incoming packets that are meant for another node are forwarded by tinc internally.
.Pp
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
.It kernel
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
and can also help debugging.
.El
.It Va GraphDumpFile Li = Ar filename Bq experimental
If this option is present,
.Nm tinc
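Review bot: the DirectOnly entry in this hunk doubles its preposition ("packets for nodes for which we do not have a meta connection with are also dropped"); suggest "packets for nodes with which we do not have a meta connection are also dropped". The Forwarding = kernel entry should also spell out what "allows the kernel to apply its routing and firewall rules on them" means for the operator: once a transit packet has been written to the TUN/TAP device, whether it ever gets back into tinc depends on the host's routing table and firewall, so a host whose forwarding policy is restrictive will drop traffic that the internal mode would have relayed. One sentence saying that the host must be configured to forward those packets would make the experimental mode much less surprising to enable.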
@ -308,11 +334,18 @@ specified in the configuration file.
When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow nodes and subnets on the VPN which are present in the
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow connections with nodes for which host config files are present in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
Setting this options also implicitly sets StrictSubnets.
.El
.Sh HOST CONFIGURATION FILES
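Review bot: "Setting this options also implicitly sets StrictSubnets." in the new TunnelServer text should read "Setting this option". The new StrictSubnets entry could also state its effect on the security boundary more directly: "will only use Subnet statements which are present in the host config files" leaves it implicit that Subnet announcements received from other nodes are ignored, which is the property an administrator enabling TunnelServer is relying on, and it is worth one explicit sentence next to the directory path.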


@ -5,7 +5,7 @@ START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.12, a Virtual Private
This is the info manual for tinc version 1.0.13, a Virtual Private
Network daemon.
Copyright (C) 1998-2010 Ivo Timmermans, Guus Sliepen
@ -738,6 +738,33 @@ DeviceType = <tun|tunnohead|tunifhead|tap> (only supported on BSD platforms)
Set type to tap. Tinc will expect packets read from the
virtual network device to start with an Ethernet header.
DirectOnly = <yes|no> (no) [experimental]
When this option is enabled, packets that cannot be sent directly
to the destination node, but which would have to be forwarded by
an intermediate node, are dropped instead. When combined with the
IndirectData option, packets for nodes for which we do not have a
meta connection with are also dropped.
Forwarding = <off|internal|kernel> (internal) [experimental]
This option selects the way indirect packets are forwarded.
off
Incoming packets that are not meant for the local node, but
which should be forwarded to another node, are dropped.
internal
Incoming packets that are meant for another node are
forwarded by tinc internally.
This is the default mode, and unless you really know you need
another forwarding mode, don't change it.
kernel
Incoming packets are always sent to the TUN/TAP device, even
if the packets are not for the local node. This is less
efficient, but allows the kernel to apply its routing and
firewall rules on them, and can also help debugging.
GraphDumpFile = <FILENAME> [experimental]
If this option is present, tinc will dump the current network
graph to the file FILENAME every minute, unless there were no
@ -842,11 +869,17 @@ ProcessPriority = <low|normal|high>
adjusted. Increasing the priority may help to reduce latency and
packet loss on the VPN.
StrictSubnets <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements
which are present in the host config files in the local
`/etc/tinc/NETNAME/hosts/' directory.
TunnelServer = <yes|no> (no) [experimental]
When this option is enabled tinc will no longer forward
information between other tinc daemons, and will only allow nodes
and subnets on the VPN which are present in the
`/etc/tinc/NETNAME/hosts/' directory.
information between other tinc daemons, and will only allow
connections with nodes for which host config files are present in
the local `/etc/tinc/NETNAME/hosts/' directory. Setting this
options also implicitly sets StrictSubnets.

@ -1200,9 +1233,9 @@ _BranchA_ would be configured like this:
Note that the IP addresses of eth0 and tap0 are the same. This is
quite possible, if you make sure that the netmasks of the interfaces
are different. It is in fact recommended to give give both real
internal network interfaces and tap interfaces the same IP address,
since that will make things a lot easier to remember and set up.
are different. It is in fact recommended to give both real internal
network interfaces and tap interfaces the same IP address, since that
will make things a lot easier to remember and set up.
For Branch B
............
@ -1220,8 +1253,8 @@ In `/etc/tinc/company/tinc-up':
ConnectTo = BranchA
Note here that the internal address (on eth0) doesn't have to be the
same as on the tap0 device. Also, ConnectTo is given so that no-one can
connect to this node.
same as on the tap0 device. Also, ConnectTo is given so that this node
will always try to connect to BranchA.
On all hosts, in `/etc/tinc/company/hosts/BranchB':
@ -2258,47 +2291,51 @@ Concept Index
(line 45)
* Digest: Host configuration variables.
(line 29)
* DirectOnly: Main configuration variables.
(line 73)
* encapsulating: The UDP tunnel. (line 30)
* encryption: Encryption of network packets.
(line 6)
* environment variables: Scripts. (line 43)
* example: Example configuration.
(line 6)
* Forwarding: Main configuration variables.
(line 80)
* frame type: The UDP tunnel. (line 6)
* GraphDumpFile: Main configuration variables.
(line 73)
(line 100)
* Hostnames: Main configuration variables.
(line 81)
(line 108)
* hub: Main configuration variables.
(line 122)
(line 149)
* ID: Authentication protocol.
(line 10)
* IndirectData: Host configuration variables.
(line 34)
* INTERFACE: Scripts. (line 58)
* Interface: Main configuration variables.
(line 91)
(line 118)
* IRC: Contact information. (line 9)
* key generation: Generating keypairs. (line 6)
* KEY_CHANGED: The meta-protocol. (line 64)
* KeyExpire: Main configuration variables.
(line 127)
(line 154)
* libraries: Libraries. (line 6)
* license: OpenSSL. (line 36)
* lzo: lzo. (line 6)
* MACExpire: Main configuration variables.
(line 133)
(line 160)
* MACLength: Host configuration variables.
(line 42)
* meta-protocol: The meta-connection. (line 18)
* META_KEY: Authentication protocol.
(line 10)
* Mode: Main configuration variables.
(line 99)
(line 126)
* multiple networks: Multiple networks. (line 6)
* NAME: Scripts. (line 52)
* Name: Main configuration variables.
(line 138)
(line 165)
* netmask: Network interfaces. (line 34)
* NETNAME: Scripts. (line 49)
* netname: Multiple networks. (line 6)
@ -2311,9 +2348,9 @@ Concept Index
(line 67)
* PING: The meta-protocol. (line 89)
* PingInterval: Main configuration variables.
(line 143)
(line 170)
* PingTimeout: Main configuration variables.
(line 147)
(line 174)
* platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables.
(line 47)
@ -2324,15 +2361,15 @@ Concept Index
(line 55)
* port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables.
(line 153)
(line 180)
* private: Virtual Private Networks.
(line 10)
* PrivateKey: Main configuration variables.
(line 158)
(line 185)
* PrivateKeyFile: Main configuration variables.
(line 164)
(line 191)
* ProcessPriority: Main configuration variables.
(line 172)
(line 199)
* PublicKey: Host configuration variables.
(line 59)
* PublicKeyFile: Host configuration variables.
@ -2343,13 +2380,15 @@ Concept Index
* REQ_KEY: The meta-protocol. (line 64)
* requirements: Libraries. (line 6)
* router: Main configuration variables.
(line 102)
(line 129)
* runtime options: Runtime options. (line 9)
* scalability: tinc. (line 19)
* scripts: Scripts. (line 6)
* server: How connections work.
(line 18)
* signals: Signals. (line 6)
* StrictSubnets: Main configuration variables.
(line 204)
* SUBNET: Scripts. (line 74)
* Subnet: Host configuration variables.
(line 74)
@ -2357,7 +2396,7 @@ Concept Index
(line 97)
* SVPN: Security. (line 11)
* switch: Main configuration variables.
(line 111)
(line 138)
* TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables.
(line 104)
@ -2371,7 +2410,7 @@ Concept Index
* tunifhead: Main configuration variables.
(line 62)
* TunnelServer: Main configuration variables.
(line 177)
(line 209)
* tunnohead: Main configuration variables.
(line 56)
* UDP <1>: Encryption of network packets.
@ -2424,34 +2463,34 @@ Node: Multiple networks21168
Node: How connections work22594
Node: Configuration files23816
Node: Main configuration variables24823
Node: Host configuration variables32865
Node: Scripts38276
Node: How to configure41046
Node: Generating keypairs42309
Node: Network interfaces42808
Node: Example configuration44656
Node: Running tinc49968
Node: Runtime options50558
Node: Signals53353
Node: Debug levels54422
Node: Solving problems55358
Node: Error messages56910
Node: Sending bug reports60923
Node: Technical information61875
Node: The connection62106
Node: The UDP tunnel62418
Node: The meta-connection65479
Node: The meta-protocol66948
Node: Security71957
Node: Authentication protocol73087
Node: Encryption of network packets78091
Node: Security issues79464
Node: Platform specific information81081
Node: Interface configuration81309
Node: Routes83208
Node: About us85124
Node: Contact information85299
Node: Authors85703
Node: Concept Index86108
Node: Host configuration variables34334
Node: Scripts39745
Node: How to configure42515
Node: Generating keypairs43778
Node: Network interfaces44277
Node: Example configuration46125
Node: Running tinc51448
Node: Runtime options52038
Node: Signals54833
Node: Debug levels55902
Node: Solving problems56838
Node: Error messages58390
Node: Sending bug reports62403
Node: Technical information63355
Node: The connection63586
Node: The UDP tunnel63898
Node: The meta-connection66959
Node: The meta-protocol68428
Node: Security73437
Node: Authentication protocol74567
Node: Encryption of network packets79571
Node: Security issues80944
Node: Platform specific information82561
Node: Interface configuration82789
Node: Routes84688
Node: About us86604
Node: Contact information86779
Node: Authors87183
Node: Concept Index87588

End Tag Table


@ -818,6 +818,33 @@ Tinc will expect packets read from the virtual network device
to start with an Ethernet header.
@end table
@cindex DirectOnly
@item DirectOnly = <yes|no> (no) [experimental]
When this option is enabled, packets that cannot be sent directly to the destination node,
but which would have to be forwarded by an intermediate node, are dropped instead.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
@cindex Forwarding
@item Forwarding = <off|internal|kernel> (internal) [experimental]
This option selects the way indirect packets are forwarded.
@table @asis
@item off
Incoming packets that are not meant for the local node,
but which should be forwarded to another node, are dropped.
@item internal
Incoming packets that are meant for another node are forwarded by tinc internally.
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
@item kernel
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
and can also help debugging.
@end table
@cindex GraphDumpFile
@item GraphDumpFile = <@var(unknown)> [experimental]
If this option is present,
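Review bot: the DirectOnly sentence here has the same doubled preposition as the manpage ("for which we do not have a meta connection with"); since tinc.info is generated from this file, fixing it here and regenerating keeps the three documents consistent. The kernel branch of the Forwarding table would also benefit from saying that the host's own routing and firewall now decide whether forwarded packets re-enter tinc, rather than only that the mode "can also help debugging".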
@ -928,11 +955,18 @@ specified in the configuration file.
When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN.
@cindex StrictSubnets
@item StrictSubnets <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
@cindex TunnelServer
@item TunnelServer = <yes|no> (no) [experimental]
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow nodes and subnets on the VPN which are present in the
and will only allow connections with nodes for which host config files are present in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Setting this options also implicitly sets StrictSubnets.
@end table
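Review bot: "@item StrictSubnets <yes|no> (no) [experimental]" is missing the "=" that every other entry in this table carries (compare "@item TunnelServer = <yes|no> (no) [experimental]" two lines below), and the generated tinc.info line "StrictSubnets <yes|no> (no) [experimental]" inherits the omission. In the same hunk, "Setting this options also implicitly sets StrictSubnets." should be "Setting this option".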
@ -1314,7 +1348,7 @@ Address = 1.2.3.4
Note that the IP addresses of eth0 and tap0 are the same.
This is quite possible, if you make sure that the netmasks of the interfaces are different.
It is in fact recommended to give give both real internal network interfaces and tap interfaces the same IP address,
It is in fact recommended to give both real internal network interfaces and tap interfaces the same IP address,
since that will make things a lot easier to remember and set up.
@ -1337,8 +1371,8 @@ ConnectTo = BranchA
@end example
Note here that the internal address (on eth0) doesn't have to be the
same as on the tap0 device. Also, ConnectTo is given so that no-one can
connect to this node.
same as on the tap0 device. Also, ConnectTo is given so that this node will
always try to connect to BranchA.
On all hosts, in @file{@value{sysconfdir}/tinc/company/hosts/BranchB}: