lagertonne/tinc
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Wiki Activity

Import Upstream version 1.1~pre12

Browse source
This commit is contained in:
Guus Sliepen 2019-08-26 13:44:52 +02:00
parent 1813f3157e
commit aa10d88732
134 changed files with 8673 additions and 4989 deletions
Download patch file Download diff file Expand all files Collapse all files

22
doc/Makefile.am
View file

@ -6,7 +6,7 @@ man_MANS = tincd.8 tinc.8 tinc.conf.5 tinc-gui.8
EXTRA_DIST = tincinclude.texi.in tincd.8.in tinc.8.in tinc.conf.5.in tinc-gui.8.in sample-config.tar.gz
CLEANFILES = *.html tincd.8 tinc.8 tinc.conf.5 tinc-gui.8 tincinclude.texi
CLEANFILES = *.html tincd.8 tinc.8 tinc.conf.5 tinc-gui.8 tincinclude.texi sample-config.tar.gz
# Use `ginstall' in the definition of man_MANS to avoid
# confusion with the `install' target. The install rule transforms `ginstall'
@ -17,19 +17,19 @@ transform = s/ginstall/install/; @program_transform_name@
# see GNUmakefile and Makefile.maint.
sample-config.tar.gz: sample-config
GZIP=$(GZIP_ENV) $(AMTAR) chozf sample-config.tar.gz --exclude .svn sample-config
$(AM_V_GEN)GZIP=$(GZIP_ENV) $(AMTAR) chozf $@ --exclude .svn $<
tincd.8.html: tincd.8
w3mman2html $? > $@
$(AM_V_GEN)w3mman2html $? > $@
tinc.8.html: tinc.8
w3mman2html $? > $@
$(AM_V_GEN)w3mman2html $? > $@
tinc-gui.8.html: tinc-gui.8
w3mman2html $? > $@
$(AM_V_GEN)w3mman2html $? > $@
tinc.conf.5.html: tinc.conf.5
w3mman2html $? > $@
$(AM_V_GEN)w3mman2html $? > $@
substitute = sed \
-e s,'@PACKAGE\@',"$(PACKAGE)",g \
@ -38,18 +38,18 @@ substitute = sed \
-e s,'@localstatedir\@',"$(localstatedir)",g
tincd.8: tincd.8.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tinc.8: tinc.8.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tinc-gui.8: tinc-gui.8.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tinc.conf.5: tinc.conf.5.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tincinclude.texi: tincinclude.texi.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tinc.texi: tincinclude.texi

53
doc/Makefile.in
View file

@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -14,7 +14,17 @@
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@ -77,17 +87,17 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = doc
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am texinfo.tex
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/curses.m4 $(top_srcdir)/m4/libgcrypt.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
$(top_srcdir)/m4/readline.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/miniupnpc.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/readline.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@ -185,6 +195,7 @@ man8dir = $(mandir)/man8
NROFF = nroff
MANS = $(man_MANS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in texinfo.tex
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
# Use `ginstall' in the definition of man_MANS to avoid
@ -224,6 +235,7 @@ LIBS = @LIBS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MINIUPNPC_LIBS = @MINIUPNPC_LIBS@
MKDIR_P = @MKDIR_P@
OBJEXT = @OBJEXT@
PACKAGE = @PACKAGE@
@ -281,10 +293,12 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
systemd_path = @systemd_path@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@ -292,7 +306,7 @@ top_srcdir = @top_srcdir@
info_TEXINFOS = tinc.texi
man_MANS = tincd.8 tinc.8 tinc.conf.5 tinc-gui.8
EXTRA_DIST = tincinclude.texi.in tincd.8.in tinc.8.in tinc.conf.5.in tinc-gui.8.in sample-config.tar.gz
CLEANFILES = *.html tincd.8 tinc.8 tinc.conf.5 tinc-gui.8 tincinclude.texi
CLEANFILES = *.html tincd.8 tinc.8 tinc.conf.5 tinc-gui.8 tincinclude.texi sample-config.tar.gz
substitute = sed \
-e s,'@PACKAGE\@',"$(PACKAGE)",g \
-e s,'@VERSION\@',"$(VERSION)",g \
@ -315,7 +329,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu doc/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@ -816,39 +829,41 @@ uninstall-man: uninstall-man5 uninstall-man8
uninstall-html-am uninstall-info-am uninstall-man \
uninstall-man5 uninstall-man8 uninstall-pdf-am uninstall-ps-am
.PRECIOUS: Makefile
# For additional rules usually of interest only to the maintainer,
# see GNUmakefile and Makefile.maint.
sample-config.tar.gz: sample-config
GZIP=$(GZIP_ENV) $(AMTAR) chozf sample-config.tar.gz --exclude .svn sample-config
$(AM_V_GEN)GZIP=$(GZIP_ENV) $(AMTAR) chozf $@ --exclude .svn $<
tincd.8.html: tincd.8
w3mman2html $? > $@
$(AM_V_GEN)w3mman2html $? > $@
tinc.8.html: tinc.8
w3mman2html $? > $@
$(AM_V_GEN)w3mman2html $? > $@
tinc-gui.8.html: tinc-gui.8
w3mman2html $? > $@
$(AM_V_GEN)w3mman2html $? > $@
tinc.conf.5.html: tinc.conf.5
w3mman2html $? > $@
$(AM_V_GEN)w3mman2html $? > $@
tincd.8: tincd.8.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tinc.8: tinc.8.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tinc-gui.8: tinc-gui.8.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tinc.conf.5: tinc.conf.5.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tincinclude.texi: tincinclude.texi.in
$(substitute) $? > $@
$(AM_V_GEN)$(substitute) $? > $@
tinc.texi: tincinclude.texi

BIN
doc/sample-config.tar.gz
View file

Binary file not shown.

45
doc/tinc.8.in
View file

@ -11,6 +11,7 @@
.Op Fl -config Ns = Ns Ar DIR
.Op Fl -net Ns = Ns Ar NETNAME
.Op Fl -pidfile Ns = Ns Ar FILENAME
.Op Fl -force
.Op Fl -help
.Op Fl -version
.Op Ar COMMAND
@ -54,6 +55,8 @@ Use the cookie from
to authenticate with a running tinc daemon.
If unspecified, the default is
.Pa @localstatedir@/run/tinc. Ns Ar NETNAME Ns Pa .pid.
.It Fl -force
Force some commands to work despite warnings.
.It Fl -help
Display short list of options.
.It Fl -version
@ -88,6 +91,7 @@ To set a variable for a specific host, use the notation
.Ar host Ns Li . Ns Ar variable .
.It add Ar variable Ar value
As above, but without removing any previously existing configuration variables.
If the variable already exists with the given value, nothing happens.
.It del Ar variable Op Ar value
Remove configuration variables with the same name and
.Ar value .
@ -101,16 +105,16 @@ You do not need to specify the full path to the file.
Export the host configuration file of the local node to standard output.
.It export-all
Export all host configuration files to standard output.
.It import Op Fl -force
.It import
Import host configuration data generated by the
.Nm
export command from standard input.
Already existing host configuration files are not overwritten unless the option
.Fl -force
is used.
.It exchange Op Fl -force
.It exchange
The same as export followed by import.
.It exchange-all Op Fl -force
.It exchange-all
The same as export-all followed by import.
.It invite Ar name
Prepares an invitation for a new node with the given
@ -168,6 +172,9 @@ format.
Nodes are colored according to their reachability:
red nodes are unreachable, orange nodes are indirectly reachable, green nodes are directly reachable.
Black nodes are either directly or indirectly reachable, but direct reachability has not been tried yet.
.It dump invitations
Dump a list of outstanding invitations.
The filename of the invitation, as well as the name of the node that is being invited is shown for each invitation.
.It info Ar node | subnet | address
Show information about a particular node, subnet or address.
If an address is given, any matching subnet will be shown.
@ -215,6 +222,38 @@ If
.Ar netname
is given, switch to that network.
Otherwise, display a list of all networks for which configuration files exist.
.It fsck
This will check the configuration files for possible problems,
such as unsafe file permissions, missing executable bit on script,
unknown and obsolete configuration variables, wrong public and/or private keys, and so on.
.Pp
When problems are found, this will be printed on a line with WARNING or ERROR in front of it.
Most problems must be corrected by the user itself, however in some cases (like file permissions and missing public keys),
tinc will ask if it should fix the problem.
.It sign Op Ar filename
Sign a file with the local node's private key.
If no
.Ar filename
is given, the file is read from standard input.
The signed file is written to standard output.
.It verify Ar name Op Ar filename
Check the signature of a file against a node's public key.
The
.Ar name
of the node must be given,
or can be
.Li .
to check against the local node's public key, or
.Li *
to allow a signature from any node whose public key is known.
If no
.Ar filename
is given, the file is read from standard input.
If the verification is succesful,
a copy of the input with the signature removed is written to standard output,
and the exit code will be zero.
If the verification failed,
nothing will be written to standard output, and the exit code will be non-zero.
.El
.Sh EXAMPLES
Examples of some commands:

73
doc/tinc.conf.5.in
View file

@ -1,4 +1,4 @@
.Dd 2014-01-29
.Dd 2016-04-11
.Dt TINC.CONF 5
.\" Manual page created by:
.\" Ivo Timmermans
@ -42,7 +42,7 @@ the configuration file should be
and the host configuration files are now expected to be in
.Pa @sysconfdir@/tinc/hosts/ .
.Sh NAMES
Each tinc daemon should have a name that is unique in the network which it will be part of.
Each tinc daemon must have a name that is unique in the network which it will be part of.
The name will be used by other tinc daemons for identification.
The name has to be declared in the
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
@ -266,6 +266,10 @@ Tinc will expect packets read from the virtual network device
to start with a four byte header containing the address family,
followed by an IP header.
This mode should support both IPv4 and IPv6 packets.
.It utun Pq OS X
Set type to utun.
This is only supported on OS X version 10.6.8 and higher, but doesn't require the tuntaposx module.
This mode should support both IPv4 and IPv6 packets.
.It tap Pq BSD and Linux
Set type to tap.
Tinc will expect packets read from the virtual network device
@ -358,7 +362,7 @@ This will allow direct communication using LAN addresses, even if both peers are
and they only ConnectTo a third node outside the NAT,
which normally would prevent the peers from learning each other's LAN address.
.Pp
Currently, local discovery is implemented by sending some packets to the local address of the node during path MTU discovery. This will not work with old nodes that don't transmit their local address.
Currently, local discovery is implemented by sending some packets to the local address of the node during UDP discovery. This will not work with old nodes that don't transmit their local address.
.It Va MACExpire Li = Ar seconds Pq 600
This option controls the amount of time MAC addresses are kept before they are removed.
This only has effect when
@ -464,10 +468,10 @@ and
.Ev REMOTEPORT
are available.
.El
.It Va ReplayWindow Li = Ar bytes Pq 16
.It Va ReplayWindow Li = Ar bytes Pq 32
This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high
the default setting of 32 will track up to 256 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from
the interaction of replay tracking with underlying real packet loss and/or
reordering. Setting this to zero will disable replay tracking completely and
@ -485,12 +489,42 @@ and will only allow connections with nodes for which host config files are prese
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
Setting this options also implicitly sets StrictSubnets.
.It Va UDPRcvBuf Li = Ar bytes Pq OS default
.It Va UDPDiscovery Li = yes | no Po yes Pc
When this option is enabled tinc will try to establish UDP connectivity to nodes,
using TCP while it determines if a node is reachable over UDP. If it is disabled,
tinc always assumes a node is reachable over UDP.
Note that tinc will never use UDP with nodes that have
.Va TCPOnly
enabled.
.It Va UDPDiscoveryKeepaliveInterval Li = Ar seconds Pq 9
The minimum amount of time between sending UDP ping datagrams to check UDP connectivity once it has been established.
Note that these pings are large, since they are used to verify link MTU as well.
.It Va UDPDiscoveryInterval Li = Ar seconds Pq 2
The minimum amount of time between sending UDP ping datagrams to try to establish UDP connectivity.
.It Va UDPDiscoveryTimeout Li = Ar seconds Pq 30
If tinc doesn't receive any UDP ping replies over the specified interval,
it will assume UDP communication is broken and will fall back to TCP.
.It Va UDPInfoInterval Li = Ar seconds Pq 5
The minimum amount of time between sending periodic updates about UDP addresses, which are mostly useful for UDP hole punching.
.It Va UDPRcvBuf Li = Ar bytes Pq 1048576
Sets the socket receive buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.
.It Va UDPSndBuf Li = Ar bytes Pq OS default
If set to zero, the default buffer size will be used by the operating system.
Note: this setting can have a significant impact on performance, especially raw throughput.
.It Va UDPSndBuf Li = Ar bytes Pq 1048576
Sets the socket send buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.
If set to zero, the default buffer size will be used by the operating system.
Note: this setting can have a significant impact on performance, especially raw throughput.
.It Va UPnP Li = yes | udponly | no Po no Pc
If this option is enabled then tinc will search for UPnP-IGD devices on the local network.
It will then create and maintain port mappings for tinc's listening TCP and UDP ports.
If set to "udponly", tinc will only create a mapping for its UDP (data) port, not for its TCP (metaconnection) port.
Note that tinc must have been built with miniupnpc support for this feature to be available.
Furthermore, be advised that enabling this can have security implications, because the miniupnpc library that
tinc uses might not be well-hardened with regard to malicious UPnP replies.
.It Va UPnPDiscoverWait Li = Ar seconds Pq 5
The amount of time to wait for replies when probing the local network for UPnP devices.
.It Va UPnPRefreshPeriod Li = Ar seconds Pq 60
How often tinc will re-add the port mapping, in case it gets reset on the UPnP device. This also controls the duration of the port mapping itself, which will be set to twice that duration.
.El
.Sh HOST CONFIGURATION FILES
The host configuration files contain all information needed
@ -515,7 +549,7 @@ variables can be specified, in which case each address will be tried until a wor
connection has been established.
.It Va Cipher Li = Ar cipher Pq blowfish
The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognised.
Any cipher supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying
.Qq none
will turn off packet encryption.
@ -532,7 +566,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo).
.It Va Digest Li = Ar digest Pq sha1
The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognised.
Any digest supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying
.Qq none
will turn off packet authentication.
@ -554,6 +588,8 @@ This option controls the initial path MTU to this node.
.It Va PMTUDiscovery Li = yes | no Po yes Pc
When this option is enabled, tinc will try to discover the path MTU to this node.
After the path MTU has been discovered, it will be enforced on the VPN.
.It Va MTUInfoInterval Li = Ar seconds Pq 5
The minimum amount of time between sending periodic updates about relay path MTU. Useful for quickly determining MTU to indirect nodes.
.It Va Port Li = Ar port Pq 655
The port number on which this tinc daemon is listening for incoming connections,
which is used if no port number is specified in an
@ -625,10 +661,18 @@ forwarding packets.
.Sh SCRIPTS
Apart from reading the server and host configuration files,
tinc can also run scripts at certain moments.
Under Windows (not Cygwin), the scripts should have the extension
Below is a list of filenames of scripts and a description of when they are run.
A script is only run if it exists and if it is executable.
.Pp
Scripts are run synchronously;
this means that tinc will temporarily stop processing packets until the called script finishes executing.
This guarantees that scripts will execute in the exact same order as the events that trigger them.
If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background.
.Pp
Under Windows (not Cygwin), the scripts must have the extension
.Pa .bat
or
.Pa cmd .
.Pa .cmd .
.Bl -tag -width indent
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
This is the most important script.
@ -637,6 +681,7 @@ If it is present it will be executed right after the tinc daemon has been starte
is used).
It should be used to set up the corresponding network interface,
but can also be used to start other things.
.Pp
Under Windows you can use the Network Connections control panel instead of creating this script.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
This script is started right before the tinc daemon quits (or when the last node becomes unreachable if
@ -734,7 +779,7 @@ its connection to the virtual network device.
.Sh SEE ALSO
.Xr tincd 8 ,
.Xr tinc 8 ,
.Pa http://www.tinc-vpn.org/ ,
.Pa https://www.tinc-vpn.org/ ,
.Pa http://www.tldp.org/LDP/nag2/ .
.Pp
The full documentation for

844
doc/tinc.info
View file

File diff suppressed because it is too large Load diff

386
doc/tinc.texi
View file

@ -15,7 +15,7 @@
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2014 Ivo Timmermans,
Copyright @copyright{} 1998-2016 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@ -43,7 +43,7 @@ permission notice identical to this one.
@vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2014 Ivo Timmermans,
Copyright @copyright{} 1998-2016 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@ -70,6 +70,7 @@ permission notice identical to this one.
* Configuration::
* Running tinc::
* Controlling tinc::
* Invitations::
* Technical information::
* Platform specific information::
* About us::
@ -191,7 +192,7 @@ packets.
@cindex release
For an up to date list of supported platforms, please check the list on
our website:
@uref{http://www.tinc-vpn.org/platforms/}.
@uref{https://www.tinc-vpn.org/platforms/}.
@c
@c
@ -273,12 +274,7 @@ The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_t
@node Configuration of OpenBSD kernels
@subsection Configuration of OpenBSD kernels
For OpenBSD version 2.9 and higher,
the tun driver is included in the default kernel configuration.
There is also a kernel patch from @uref{http://diehard.n-r-g.com/stuff/openbsd/}
which adds a tap device to OpenBSD which should work with tinc,
but with recent versions of OpenBSD,
a tun device can act as a tap device by setting the link0 option with ifconfig.
Recent versions of OpenBSD come with both tun and tap devices enabled in the default kernel configuration.
@c ==================================================================
@ -298,7 +294,7 @@ Tunneling IPv6 may not work on NetBSD's tun device.
For Solaris 8 (SunOS 5.8) and higher,
the tun driver may or may not be included in the default kernel configuration.
If it isn't, the source can be downloaded from @uref{http://vtun.sourceforge.net/tun/}.
For x86 and sparc64 architectures, precompiled versions can be found at @uref{http://www.monkey.org/~dugsong/fragroute/}.
For x86 and sparc64 architectures, precompiled versions can be found at @uref{https://www.monkey.org/~dugsong/fragroute/}.
If the @file{net/if_tun.h} header file is missing, install it from the source package.
@ -307,15 +303,14 @@ If the @file{net/if_tun.h} header file is missing, install it from the source pa
@subsection Configuration of Darwin (MacOS/X) kernels
Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel.
Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/},
OS X version 10.6.8 and later have a built-in tun driver called "utun".
Tinc also supports the driver from @uref{http://tuntaposx.sourceforge.net/},
which supports both tun and tap style devices,
and also the driver from from @uref{http://chrisp.de/en/projects/tunnel.html}.
The former driver is recommended.
The tunnel driver must be loaded before starting tinc with the following command:
@example
kmodload tunnel
@end example
By default, tinc expects the tuntaposx driver to be installed.
To use the utun driver, set add @code{Device = utunX} to @file{tinc.conf},
where X is the desired number for the utun interface.
You can also omit the number, in which case the first free number will be chosen.
@c ==================================================================
@ -323,7 +318,7 @@ kmodload tunnel
@subsection Configuration of Windows
You will need to install the latest TAP-Win32 driver from OpenVPN.
You can download it from @uref{http://openvpn.sourceforge.net}.
You can download it from @uref{https://openvpn.net/index.php/open-source/downloads.html}.
Using the Network Connections control panel,
configure the TAP-Win32 network interface in the same way as you would do from the tinc-up script,
as explained in the rest of the documentation.
@ -335,13 +330,13 @@ as explained in the rest of the documentation.
@cindex requirements
@cindex libraries
Before you can configure or build tinc, you need to have the OpenSSL, zlib,
Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL, zlib,
lzo, curses and readline libraries installed on your system. If you try to
configure tinc without having them installed, configure will give you an error
message, and stop.
@menu
* OpenSSL::
* LibreSSL/OpenSSL::
* zlib::
* lzo::
* libcurses::
@ -350,12 +345,13 @@ message, and stop.
@c ==================================================================
@node OpenSSL
@subsection OpenSSL
@node LibreSSL/OpenSSL
@subsection LibreSSL/OpenSSL
@cindex LibreSSL
@cindex OpenSSL
For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library.
by the LibreSSL or the OpenSSL library.
If this library is not installed, you wil get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries
@ -365,21 +361,23 @@ You can use your operating system's package manager to install this if
available. Make sure you install the development AND runtime versions
of this package.
If you have to install OpenSSL manually, you can get the source code
from @url{http://www.openssl.org/}. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
If your operating system comes neither with LibreSSL or OpenSSL, you have to
install one manually. It is recommended that you get the latest version of
LibreSSL from @url{http://www.libressl.org/}. Instructions on how to
configure, build and install this package are included within the package.
Please make sure you build development and runtime libraries (which is the
default).
If you installed the OpenSSL libraries from source, it may be necessary
If you installed the LibreSSL or OpenSSL libraries from source, it may be necessary
to let configure know where they are, by passing configure one of the
--with-openssl-* parameters.
--with-openssl-* parameters. Note that you even have to use --with-openssl-* if you
are using LibreSSL.
@example
--with-openssl=DIR OpenSSL library and headers prefix
--with-openssl-include=DIR OpenSSL headers directory
--with-openssl=DIR LibreSSL/OpenSSL library and headers prefix
--with-openssl-include=DIR LibreSSL/OpenSSL headers directory
(Default is OPENSSL_DIR/include)
--with-openssl-lib=DIR OpenSSL library directory
--with-openssl-lib=DIR LibreSSL/OpenSSL library directory
(Default is OPENSSL_DIR/lib)
@end example
@ -390,7 +388,7 @@ to let configure know where they are, by passing configure one of the
The complete source code of tinc is covered by the GNU GPL version 2.
Since the license under which OpenSSL is distributed is not directly
compatible with the terms of the GNU GPL
@uref{http://www.openssl.org/support/faq.html#LEGAL2}, we
@uref{https://www.openssl.org/support/faq.html#LEGAL2}, we
include an exemption to the GPL (see also the file COPYING.README) to allow
everyone to create a statically or dynamically linked executable:
@ -406,8 +404,8 @@ we also present the following exemption:
@quotation
Hereby I grant a special exception to the tinc VPN project
(http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library
(http://www.openssl.org).
(https://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library
(https://www.openssl.org).
Markus F.X.J. Oberhumer
@end quotation
@ -432,7 +430,7 @@ available. Make sure you install the development AND runtime versions
of this package.
If you have to install zlib manually, you can get the source code
from @url{http://www.gzip.org/zlib/}. Instructions on how to configure,
from @url{http://www.zlib.net/}. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
default).
@ -456,7 +454,7 @@ available. Make sure you install the development AND runtime versions
of this package.
If you have to install lzo manually, you can get the source code
from @url{http://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
from @url{https://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
default).
@ -527,9 +525,7 @@ system startup scripts and sample configurations.
If you cannot use one of the precompiled packages, or you want to compile tinc
for yourself, you can use the source. The source is distributed under
the GNU General Public License (GPL). Download the source from the
@uref{http://www.tinc-vpn.org/download/, download page}, which has
the checksums of these files listed; you may wish to check these with
md5sum before continuing.
@uref{https://www.tinc-vpn.org/download/, download page}.
Tinc comes in a convenient autoconf/automake package, which you can just
treat the same as any other package. Which is just untar it, type
@ -566,19 +562,18 @@ The documentation that comes along with your distribution will tell you how to d
@node Darwin (MacOS/X) build environment
@subsection Darwin (MacOS/X) build environment
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
from @uref{http://developer.apple.com/tools/macosxtools.html} and
a recent version of Fink from @uref{http://www.finkproject.org/}.
In order to build tinc on Darwin, you need to install Xcode from @uref{https://developer.apple.com/xcode/}.
It might also help to install a recent version of Fink from @uref{http://www.finkproject.org/}.
After installation use fink to download and install the following packages:
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
You need to download and install LibreSSL (or OpenSSL) and LZO,
either directly from their websites (see @ref{Libraries}) or using Fink.
@c ==================================================================
@node Cygwin (Windows) build environment
@subsection Cygwin (Windows) build environment
If Cygwin hasn't already been installed, install it directly from
@uref{http://www.cygwin.com/}.
@uref{https://www.cygwin.com/}.
When tinc is compiled in a Cygwin environment, it can only be run in this environment,
but all programs, including those started outside the Cygwin environment, will be able to use the VPN.
@ -589,6 +584,7 @@ It will also support all features.
@subsection MinGW (Windows) build environment
You will need to install the MinGW environment from @uref{http://www.mingw.org}.
You also need to download and install LibreSSL (or OpenSSL) and LZO.
When tinc is compiled using MinGW it runs natively under Windows,
it is not necessary to keep MinGW installed.
@ -735,7 +731,7 @@ You will also notice that log messages it appears in syslog as coming from @file
and on Linux, unless specified otherwise, the name of the virtual network interface will be the same as the network name.
However, it is not strictly necessary that you call tinc with the -n
option. If you don not use it, the network name will just be empty, and
option. If you do not use it, the network name will just be empty, and
tinc will look for files in @file{@value{sysconfdir}/tinc/} instead of
@file{@value{sysconfdir}/tinc/@var{netname}/};
the configuration file will then be @file{@value{sysconfdir}/tinc/tinc.conf},
@ -999,6 +995,12 @@ to start with a four byte header containing the address family,
followed by an IP header.
This mode should support both IPv4 and IPv6 packets.
@cindex utun
@item utun (OS X)
Set type to utun.
This is only supported on OS X version 10.6.8 and higher, but doesn't require the tuntaposx module.
This mode should support both IPv4 and IPv6 packets.
@item tap (BSD and Linux)
Set type to tap.
Tinc will expect packets read from the virtual network device
@ -1081,8 +1083,8 @@ This will allow direct communication using LAN addresses, even if both peers are
and they only ConnectTo a third node outside the NAT,
which normally would prevent the peers from learning each other's LAN address.
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
This feature may not work in all possible situations.
Currently, local discovery is implemented by sending some packets to the local address of the node during UDP discovery.
This will not work with old nodes that don't transmit their local address.
@cindex LocalDiscoveryAddress
@item LocalDiscoveryAddress <@var{address}>
@ -1139,7 +1141,7 @@ until the burst has passed.
@cindex Name
@item Name = <@var{name}> [required]
This is a symbolic name for this connection.
The name should consist only of alfanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.
The name must consist only of alfanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.
If Name starts with a $, then the contents of the environment variable that follows will be used.
In that case, invalid characters will be converted to underscores.
@ -1207,10 +1209,10 @@ The environment variables @env{NAME}, @env{NODE}, @env{REMOTEADDRES} and @env{RE
@end table
@cindex ReplayWindow
@item ReplayWindow = <bytes> (16)
@item ReplayWindow = <bytes> (32)
This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high
the default setting of 32 will track up to 256 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from
the interaction of replay tracking with underlying real packet loss and/or
reordering. Setting this to zero will disable replay tracking completely and
@ -1232,15 +1234,60 @@ and will only allow connections with nodes for which host config files are prese
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Setting this options also implicitly sets StrictSubnets.
@cindex UDPDiscovey
@item UDPDiscovery = <yes|no> (yes)
When this option is enabled tinc will try to establish UDP connectivity to nodes,
using TCP while it determines if a node is reachable over UDP. If it is disabled,
tinc always assumes a node is reachable over UDP.
Note that tinc will never use UDP with nodes that have TCPOnly enabled.
@cindex UDPDiscoveryKeepaliveInterval
@item UDPDiscoveryKeepaliveInterval = <seconds> (9)
The minimum amount of time between sending UDP ping datagrams to check UDP connectivity once it has been established.
Note that these pings are large, since they are used to verify link MTU as well.
@cindex UDPDiscoveryInterval
@item UDPDiscoveryInterval = <seconds> (2)
The minimum amount of time between sending UDP ping datagrams to try to establish UDP connectivity.
@cindex UDPDiscoveryTimeout
@item UDPDiscoveryTimeout = <seconds> (30)
If tinc doesn't receive any UDP ping replies over the specified interval,
it will assume UDP communication is broken and will fall back to TCP.
@cindex UDPInfoInterval
@item UDPInfoInterval = <seconds> (5)
The minimum amount of time between sending periodic updates about UDP addresses, which are mostly useful for UDP hole punching.
@cindex UDPRcvBuf
@item UDPRcvBuf = <bytes> (OS default)
@item UDPRcvBuf = <bytes> (1048576)
Sets the socket receive buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.
If set to zero, the default buffer size will be used by the operating system.
Note: this setting can have a significant impact on performance, especially raw throughput.
@cindex UDPSndBuf
@item UDPSndBuf = <bytes> Pq OS default
@item UDPSndBuf = <bytes> (1048576)
Sets the socket send buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.
If set to zero, the default buffer size will be used by the operating system.
Note: this setting can have a significant impact on performance, especially raw throughput.
@cindex UPnP
@item UPnP = <yes|udponly|no> (no)
If this option is enabled then tinc will search for UPnP-IGD devices on the local network.
It will then create and maintain port mappings for tinc's listening TCP and UDP ports.
If set to "udponly", tinc will only create a mapping for its UDP (data) port, not for its TCP (metaconnection) port.
Note that tinc must have been built with miniupnpc support for this feature to be available.
Furthermore, be advised that enabling this can have security implications, because the miniupnpc library that
tinc uses might not be well-hardened with regard to malicious UPnP replies.
@cindex UPnPDiscoverWait
@item UPnPDiscoverWait = <seconds> (5)
The amount of time to wait for replies when probing the local network for UPnP devices.
@cindex UPnPRefreshPeriod
@item UPnPRefreshPeriod = <seconds> (5)
How often tinc will re-add the port mapping, in case it gets reset on the UPnP device.
This also controls the duration of the port mapping itself, which will be set to twice that duration.
@end table
@ -1262,7 +1309,7 @@ tried until a working connection has been established.
@cindex Cipher
@item Cipher = <@var{cipher}> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets using the legacy protocol.
Any cipher supported by OpenSSL is recognized.
Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
This option has no effect for connections using the SPTPS protocol, which always use AES-256-CTR.
@ -1282,7 +1329,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
@cindex Digest
@item Digest = <@var{digest}> (sha1)
The digest algorithm used to authenticate UDP packets using the legacy protocol.
Any digest supported by OpenSSL is recognized.
Any digest supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication.
This option has no effect for connections using the SPTPS protocol, which always use HMAC-SHA-256.
@ -1308,6 +1355,10 @@ This option controls the initial path MTU to this node.
When this option is enabled, tinc will try to discover the path MTU to this node.
After the path MTU has been discovered, it will be enforced on the VPN.
@cindex MTUInfoInterval
@item MTUInfoInterval = <seconds> (5)
The minimum amount of time between sending periodic updates about relay path MTU. Useful for quickly determining MTU to indirect nodes.
@cindex Port
@item Port = <@var{port}> (655)
This is the port this tinc daemon listens on.
@ -1353,7 +1404,7 @@ MAC addresses are notated like 0:1a:2b:3c:4d:5e.
Prefixlength is the number of bits set to 1 in the netmask part; for
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
/22. This conforms to standard CIDR notation as described in
@uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519}
@uref{https://www.ietf.org/rfc/rfc1519.txt, RFC1519}
A Subnet can be given a weight to indicate its priority over identical Subnets
owned by different nodes. The default weight is 10. Lower values indicate
@ -1384,6 +1435,14 @@ connection when broadcasting or forwarding packets.
@cindex scripts
Apart from reading the server and host configuration files,
tinc can also run scripts at certain moments.
Below is a list of filenames of scripts and a description of when they are run.
A script is only run if it exists and if it is executable.
Scripts are run synchronously;
this means that tinc will temporarily stop processing packets until the called script finishes executing.
This guarantees that scripts will execute in the exact same order as the events that trigger them.
If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background.
Under Windows (not Cygwin), the scripts should have the extension @file{.bat} or @file{.cmd}.
@table @file
@ -1394,6 +1453,7 @@ If it is present it will be executed right after the tinc daemon has been
started and has connected to the virtual network device.
It should be used to set up the corresponding network interface,
but can also be used to start other things.
Under Windows you can use the Network Connections control panel instead of creating this script.
@cindex tinc-down
@ -2226,6 +2286,9 @@ Use the cookie from @var{filename} to authenticate with a running tinc daemon.
If unspecified, the default is
@file{@value{localstatedir}/run/tinc.@var{netname}.pid}.
@item --force
Force some commands to work despite warnings.
@item --help
Display a short reminder of runtime options and commands, then terminate.
@ -2272,6 +2335,7 @@ To set a variable for a specific host, use the notation @var{host}.@var{variable
@cindex add
@item add @var{variable} @var{value}
As above, but without removing any previously existing configuration variables.
If the variable already exists with the given value, nothing happens.
@cindex del
@item del @var{variable} [@var{value}]
@ -2292,16 +2356,16 @@ Export the host configuration file of the local node to standard output.
Export all host configuration files to standard output.
@cindex import
@item import [--force]
@item import
Import host configuration file(s) generated by the tinc export command from standard input.
Already existing host configuration files are not overwritten unless the option --force is used.
@cindex exchange
@item exchange [--force]
@item exchange
The same as export followed by import.
@cindex exchange-all
@item exchange-all [--force]
@item exchange-all
The same as export-all followed by import.
@cindex invite
@ -2373,6 +2437,10 @@ Nodes are colored according to their reachability:
red nodes are unreachable, orange nodes are indirectly reachable, green nodes are directly reachable.
Black nodes are either directly or indirectly reachable, but direct reachability has not been tried yet.
@item dump invitations
Dump a list of outstanding invitations.
The filename of the invitation, as well as the name of the node that is being invited is shown for each invitation.
@cindex info
@item info @var{node} | @var{subnet} | @var{address}
Show information about a particular @var{node}, @var{subnet} or @var{address}.
@ -2415,11 +2483,38 @@ Dump VPN traffic going through the local tinc node in pcap-savefile format to st
from where it can be redirected to a file or piped through a program that can parse it directly,
such as tcpdump.
@cindex network [@var{netname}]
@item network
@cindex network
@item network [@var{netname}]
If @var{netname} is given, switch to that network.
Otherwise, display a list of all networks for which configuration files exist.
@cindex fsck
@item fsck
This will check the configuration files for possible problems,
such as unsafe file permissions, missing executable bit on script,
unknown and obsolete configuration variables, wrong public and/or private keys, and so on.
When problems are found, this will be printed on a line with WARNING or ERROR in front of it.
Most problems must be corrected by the user itself, however in some cases (like file permissions and missing public keys),
tinc will ask if it should fix the problem.
@cindex sign
@item sign [@var{filename}]
Sign a file with the local node's private key.
If no @var{filename} is given, the file is read from standard input.
The signed file is written to standard output.
@cindex verify
@item verify @var{name} [@var{filename}]
Check the signature of a file against a node's public key.
The @var{name} of the node must be given,
or can be "." to check against the local node's public key,
or "*" to allow a signature from any node whose public key is known.
If no @var{filename} is given, the file is read from standard input.
If the verification is succesful, a copy of the input with the signature removed is written to standard output, and the exit code will be zero.
If the verification failed, nothing will be written to standard output, and the exit code will be non-zero.
@end table
@c ==================================================================
@ -2506,6 +2601,159 @@ Quit.
@end table
@c ==================================================================
@node Invitations
@chapter Invitations
Invitations are an easy way to add new nodes to an existing VPN. Invitations
can be created on an existing node using the @code{tinc invite} command, which
generates a relatively short URL which can be given to someone else, who uses
the @code{tinc join} command to automatically set up tinc so it can connect to
the inviting node. The next sections describe how invitations actually work,
and how to further automate the invitations.
@menu
* How invitations work::
* Invitation file format::
* Writing an invitation-created script::
@end menu
@c ==================================================================
@node How invitations work
@section How invitations work
When an invitation is created on a node (which from now on we will call the
server) using the @code{tinc invite} command, an invitation file is created
that contains all the information necessary for the invitee (which we will call
the client) to create its configuration files. The invitation file is stays on
the server, but a URL is generated that has enough information for the client
to contact the server and to retrieve the invitation file. The whole URL is
around 80 characters long and looks like this:
@example
server.example.org:12345/cW1NhLHS-1WPFlcFio8ztYHvewTTKYZp8BjEKg3vbMtDz7w4
@end example
It is composed of four parts:
@example
hostname : port / keyhash cookie
@end example
The hostname and port tell the client how to reach the tinc daemon on the server.
The part after the slash looks like one blob, but is composed of two parts.
The keyhash is the hash of the public key of the server.
The cookie is a shared secret that identifies the client to the server.
When the client connects to the server in order to join the VPN, the client and
server will exchange temporary public keys. The client verifies that the hash
of the server's public key matches the keyhash from the invitation URL. If
not, it will immediately exit with an error. Otherwise, an ECDH exchange will
happen so the client and server can communicate privately with each other. The
client will then present the cookie to the server. The server uses this to
look up the corresponding invitation file it generated earlier. If it exists,
it will send the invitation file to the client. The client will also create a
permanent public key, and send it to the server. After the exchange is
completed, the connection is broken. The server creates a host config file for
the client containing the client's permanent public key, and the client creates
tinc.conf, host config files and possibly a tinc-up script based on the
information in the invitation file.
It is important that the invitation URL is kept secret until it is used; if
another person gets a copy of the invitation URL before the real client runs
the @code{tinc join} command, then that other person can try to join the VPN.
@c ==================================================================
@node Invitation file format
@section Invitation file format
The contents of an invitation file that is generated by the @code{tinc invite}
command looks like this:
@example
Name = client
Netname = vpn
ConnectTo = server
#-------------------------------------#
Name = server
Ed25519PublicKey = augbnwegoij123587...
Address = server.example.com
@end example
The file is basically a concatenation of several host config blocks. Each host
config block starts with @code{Name = ...}. Lines that look like @code{#---#}
are not important, it just makes it easier for humans to read the file.
The first host config block is always the one representing the invitee. So the
first Name statement determines the name that the invitee will get. From the
first block, the @file{tinc.conf} and @file{hosts/client} files will be
generated; the @code{tinc join} command on the client will automatically
separate statements based on whether they should be in @file{tinc.conf} or in a
host config file. Some statements are special and are treated differently:
@table @asis
@item Netname = <@var{netname}>
This is a hint to the invitee which netname to use for the VPN. It is used if
the invitee did not already specify a netname, and if there is no pre-existing
configuration with the same netname.
@cindex Ifconfig
@item Ifconfig = <@var{address}[/@var{netmask}] | dhcp | dhcp6 | slaac>
This is a hint for generating a @file{tinc-up} script.
If an address is specified, a command will be added to @file{tinc-up} so the VPN interface will be configured to have the given address.
If it is the word "dhcp", a command will be added to start a DHCP client on the VPN interface.
If it is the word dhcpv6, it will be a DHCPv6 client.
If it is "slaac", then it will add commands to enable IPv6 stateless address autoconfiguration.
It is also possible to specify a MAC address, in which case a command will be added to set the MAC address of the VPN interface.
The exact commands added to the @file{tinc-up} script depends on the operating system the client is using.
Multiple Ifconfig statements can be specified, however one should only use one Ifconfig statement per address family.
@cindex Route
@item Route = <@var{address}[/@var{netmask}]> [<@var{gateway}>]
This is a hint for generating a @file{tinc-up} script.
Route statements are similar to Ifconfig statements, but add routes instead of addresses.
These only allow IPv4 and IPv6 routes.
If no gateway address is specified, the route is directed to the VPN interface.
In general, a gateway is only necessary when running tinc in switch mode.
@end table
Subsequent host config blocks are copied verbatim into their respective files
in @file{hosts/}. The invitation file generated by @code{tinc invite} will
normally only contain two blocks; one for the client and one for the server.
@c ==================================================================
@node Writing an invitation-created script
@section Writing an invitation-created script
When an invitation is generated, the "invitation-created" script is called (if
it exists) right after the invitation file is written, but before the URL has
been written to stdout. This allows one to change the invitation file
automatically before the invitation URL is passed to the invitee. Here is an
example shell script that aproximately recreates the default invitation file:
@example
#!/bin/sh
cat >$INVITATION_FILE <<EOF
Name = $NODE
Netname = $NETNAME
ConnectTo = $NAME
#----------------#
EOF
tinc export >>$INVITATION_FILE
@end example
You can add more ConnectTo statements, and change `tinc export` to `tinc
export-all` for example. But you can also use the script to automatically hand
out a Subnet to the invitee. Note that the script doesn't have to be a shell script,
you can use any language, it just has to be executable.
@c ==================================================================
@node Technical information
@chapter Technical information
@ -3076,7 +3324,7 @@ eavesdroppers cannot get and cannot change any information at all from the
packets they can intercept. The encryption algorithm and message authentication
algorithm can be changed in the configuration. The length of the message
authentication codes is also adjustable. The length of the key for the
encryption algorithm is always the default length used by OpenSSL.
encryption algorithm is always the default length used by LibreSSL/OpenSSL.
The SPTPS protocol is described in @ref{Simple Peer-to-Peer Security}.
For comparison, this is how SPTPS UDP packets look:
@ -3103,7 +3351,7 @@ this cannot be changed.
In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make
tinc as secure as possible. The current version uses the OpenSSL library and
tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and
uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
@ -3278,14 +3526,14 @@ Adding routes to IPv6 subnets:
@section Contact information
@cindex website
Tinc's website is at @url{http://www.tinc-vpn.org/},
Tinc's website is at @url{https://www.tinc-vpn.org/},
this server is located in the Netherlands.
@cindex IRC
We have an IRC channel on the FreeNode and OFTC IRC networks. Connect to
@uref{http://www.freenode.net/, irc.freenode.net}
@uref{https://freenode.net/, irc.freenode.net}
or
@uref{http://www.oftc.net/, irc.oftc.net}
@uref{https://www.oftc.net/, irc.oftc.net}
and join channel #tinc.

7
doc/tincd.8.in
View file

@ -8,7 +8,7 @@
.Nd tinc VPN daemon
.Sh SYNOPSIS
.Nm
.Op Fl cdDKnoLRU
.Op Fl cdDKnsoLRU
.Op Fl -config Ns = Ns Ar DIR
.Op Fl -no-detach
.Op Fl -debug Ns Op = Ns Ar LEVEL
@ -16,6 +16,7 @@
.Op Fl -option Ns = Ns Ar [HOST.]KEY=VALUE
.Op Fl -mlock
.Op Fl -logfile Ns Op = Ns Ar FILE
.Op Fl -syslog
.Op Fl -bypass-security
.Op Fl -chroot
.Op Fl -user Ns = Ns Ar USER
@ -88,6 +89,8 @@ If
.Ar FILE
is omitted, the default is
.Pa @localstatedir@/log/tinc. Ns Ar NETNAME Ns Pa .log.
.It Fl s, -syslog
When this option is is set, tinc uses syslog instead of stderr in --no-detach mode.
.It Fl -pidfile Ns = Ns Ar FILENAME
Store a cookie in
.Ar FILENAME
@ -188,7 +191,7 @@ A lot, especially security auditing.
.Sh SEE ALSO
.Xr tinc 8 ,
.Xr tinc.conf 5 ,
.Pa http://www.tinc-vpn.org/ ,
.Pa https://www.tinc-vpn.org/ ,
.Pa http://www.cabal.org/ .
.Pp
The full documentation for tinc is maintained as a Texinfo manual.