lagertonne/tinc
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Wiki Activity

Import Upstream version 1.0.26

Browse source
This commit is contained in:
Guus Sliepen 2019-08-26 13:44:46 +02:00
parent 45b80e247e
commit b33a93f7f6
28 changed files with 650 additions and 553 deletions
Download patch file Download diff file Expand all files Collapse all files

9
doc/tinc.conf.5.in
View file

@ -486,12 +486,9 @@ Furthermore, specifying
.Qq none
will turn off packet authentication.
.It Va IndirectData Li = yes | no Pq no
This option specifies whether other tinc daemons besides the one you specified with
.Va ConnectTo
can make a direct connection to you.
This is especially useful if you are behind a firewall
and it is impossible to make a connection from the outside to your tinc daemon.
Otherwise, it is best to leave this option out or set it to no.
When set to yes, only nodes which already have a meta connection to you
will try to establish direct communication with you.
It is best to leave this option out or set it to no.
.It Va MACLength Li = Ar length Pq 4
The length of the message authentication code used to authenticate UDP packets.
Can be anything from

353
doc/tinc.info
View file

@ -5,7 +5,7 @@ START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.23, a Virtual Private
This is the info manual for tinc version 1.0.25, a Virtual Private
Network daemon.
Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen
@ -139,7 +139,7 @@ File: tinc.info, Node: Supported platforms, Prev: tinc, Up: Introduction
=======================
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD,
MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin
Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin
environment), with various hardware architectures. These are some of
the platforms that are supported by the universal tun/tap device driver
or other virtual network device drivers. Without such a driver, tinc
@ -176,7 +176,7 @@ File: tinc.info, Node: Configuring the kernel, Next: Libraries, Up: Preparati
* Configuration of OpenBSD kernels::
* Configuration of NetBSD kernels::
* Configuration of Solaris kernels::
* Configuration of Darwin (MacOS/X) kernels::
* Configuration of Darwin (Mac OS X) kernels::
* Configuration of Windows::

@ -238,7 +238,7 @@ default kernel configuration.
Tunneling IPv6 may not work on NetBSD's tun device.

File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (MacOS/X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel
File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (Mac OS X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel
2.1.5 Configuration of Solaris kernels
--------------------------------------
@ -251,23 +251,18 @@ sparc64 architectures, precompiled versions can be found at
header file is missing, install it from the source package.

File: tinc.info, Node: Configuration of Darwin (MacOS/X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel
File: tinc.info, Node: Configuration of Darwin (Mac OS X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel
2.1.6 Configuration of Darwin (MacOS/X) kernels
-----------------------------------------------
2.1.6 Configuration of Darwin (Mac OS X) kernels
------------------------------------------------
Tinc on Darwin relies on a tunnel driver for its data acquisition from
the kernel. Tinc supports either the driver from
<http://tuntaposx.sourceforge.net/>, which supports both tun and tap
style devices, and also the driver from from
<http://chrisp.de/en/projects/tunnel.html>. The former driver is
recommended. The tunnel driver must be loaded before starting tinc with
the following command:
kmodload tunnel
style devices.

File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (MacOS/X) kernels, Up: Configuring the kernel
File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (Mac OS X) kernels, Up: Configuring the kernel
2.1.7 Configuration of Windows
------------------------------
@ -304,7 +299,7 @@ File: tinc.info, Node: OpenSSL, Next: zlib, Up: Libraries
For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library.
If this library is not installed, you wil get an error when
If this library is not installed, you will get an error when
configuring tinc for build. Support for running tinc with other
cryptographic libraries installed _may_ be added in the future.
@ -360,7 +355,7 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries
For the optional compression of UDP packets, tinc uses the functions
provided by the zlib library.
If this library is not installed, you wil get an error when running
If this library is not installed, you will get an error when running
the configure script. You can either install the zlib library, or
disable support for zlib compression by using the "-disable-zlib" option
when running the configure script. Note that if you disable support for
@ -385,7 +380,7 @@ File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
Another form of compression is offered using the LZO library.
If this library is not installed, you wil get an error when running
If this library is not installed, you will get an error when running
the configure script. You can either install the LZO library, or
disable support for LZO compression by using the "-disable-lzo" option
when running the configure script. Note that if you disable support for
@ -445,25 +440,26 @@ your distribution will tell you how to do that.
* Menu:
* Darwin (MacOS/X) build environment::
* Darwin (Mac OS X) build environment::
* Cygwin (Windows) build environment::
* MinGW (Windows) build environment::

File: tinc.info, Node: Darwin (MacOS/X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc
File: tinc.info, Node: Darwin (Mac OS X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc
3.1.1 Darwin (MacOS/X) build environment
----------------------------------------
3.1.1 Darwin (Mac OS X) build environment
-----------------------------------------
In order to build tinc on Darwin, you need to install the MacOS/X
In order to build tinc on Darwin, you need to install the Mac OS X
Developer Tools from <http://developer.apple.com/tools/macosxtools.html>
and a recent version of Fink from <http://www.finkproject.org/>.
and preferably a recent version of Fink from
<http://www.finkproject.org/>.
After installation use fink to download and install the following
packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.

File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (MacOS/X) build environment, Up: Building and installing tinc
File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc
3.1.2 Cygwin (Windows) build environment
----------------------------------------
@ -596,9 +592,9 @@ assign a NETNAME to your VPN. It is not required if you only run one
tinc daemon, it doesn't even have to be the same on all the sites of
your VPN, but it is recommended that you choose one anyway.
We will asume you use a netname throughout this document. This means
that you call tincd with the -n argument, which will assign a netname to
this daemon.
We will assume you use a netname throughout this document. This
means that you call tincd with the -n argument, which will assign a
netname to this daemon.
The effect of this is that the daemon will set its configuration root
to '/etc/tinc/NETNAME/', where NETNAME is your argument to the -n
@ -626,7 +622,7 @@ in the configuration file tinc.conf. If it sees one or more 'ConnectTo'
values pointing to other tinc daemons in that file, it will try to
connect to those other daemons. Whether this succeeds or not and
whether 'ConnectTo' is specified or not, tinc will listen for incoming
connection from other deamons. If you did specify a 'ConnectTo' value
connection from other daemons. If you did specify a 'ConnectTo' value
and the other side is not responding, tinc will keep retrying. This
means that once started, tinc will stay running until you tell it to
stop, and failures to connect to other tinc daemons will not stop your
@ -649,7 +645,7 @@ The actual configuration of the daemon is done in the file
'/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
directory '/etc/tinc/NETNAME/hosts/'.
An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from
An optional directory '/etc/tinc/NETNAME/conf.d' can be added from
which any .conf file will be read.
These file consists of comments (lines started with a #) or
@ -755,10 +751,9 @@ DecrementTTL = <yes | no> (no) [experimental]
Device = <DEVICE> ('/dev/tap0', '/dev/net/tun' or other depending on platform)
The virtual network device to use. Tinc will automatically detect
what kind of device it is. Note that you can only use one device
per daemon. Under Windows, use INTERFACE instead of DEVICE. Note
that you can only use one device per daemon. See also *note Device
files::.
what kind of device it is. Under Windows, use INTERFACE instead of
DEVICE. Note that you can only use one device per daemon. See
also *note Device files::.
DeviceType = <TYPE> (platform dependent)
The type of the virtual network device. Tinc will normally
@ -864,7 +859,7 @@ Hostnames = <yes|no> (no)
This option selects whether IP addresses (both real and on the VPN)
should be resolved. Since DNS lookups are blocking, it might
affect tinc's efficiency, even stopping the daemon for a few
seconds everytime it does a lookup if your DNS server is not
seconds every time it does a lookup if your DNS server is not
responding.
This does not affect resolving hostnames to IP addresses from the
@ -937,7 +932,7 @@ Mode = <router|switch|hub> (router)
Name = <NAME> [required]
This is a symbolic name for this connection. The name should
consist only of alfanumeric and underscore characters (a-z, A-Z,
consist only of alphanumeric and underscore characters (a-z, A-Z,
0-9 and _).
If Name starts with a $, then the contents of the environment
@ -964,7 +959,7 @@ PriorityInheritance = <yes|no> (no) [experimental]
PrivateKey = <KEY> [obsolete]
This is the RSA private key for tinc. However, for safety reasons
it is advised to store private keys of any kind in separate files.
This prevents accidental eavesdropping if you are editting the
This prevents accidental eavesdropping if you are editing the
configuration file.
PrivateKeyFile = <PATH> ('/etc/tinc/NETNAME/rsa_key.priv')
@ -1114,9 +1109,9 @@ PublicKeyFile = <PATH> [obsolete]
Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
The subnet which this tinc daemon will serve. Tinc tries to look
up which other daemon it should send a packet to by searching the
appropiate subnet. If the packet matches a subnet, it will be sent
to the daemon who has this subnet in his host configuration file.
Multiple subnet lines can be specified for each daemon.
appropriate subnet. If the packet matches a subnet, it will be
sent to the daemon who has this subnet in his host configuration
file. Multiple subnet lines can be specified for each daemon.
Subnets can either be single MAC, IPv4 or IPv6 addresses, in which
case a subnet consisting of only that single address is assumed, or
@ -1186,11 +1181,11 @@ scripts should have the extension .bat.
This script is started when any host becomes unreachable.
'/etc/tinc/NETNAME/subnet-up'
This script is started when a Subnet becomes reachable. The Subnet
This script is started when a subnet becomes reachable. The Subnet
and the node it belongs to are passed in environment variables.
'/etc/tinc/NETNAME/subnet-down'
This script is started when a Subnet becomes unreachable.
This script is started when a subnet becomes unreachable.
The scripts are started without command line arguments, but can make
use of certain environment variables. Under UNIX like operating systems
@ -1252,7 +1247,7 @@ Step 2. Creating your host configuration file
.............................................
If you added a line containing 'Name = yourname' in the main
configuarion file, you will need to create a host configuration file
configuration file, you will need to create a host configuration file
'/etc/tinc/NETNAME/hosts/yourname'. Adapt the following example to
create a host configuration file:
@ -1880,7 +1875,7 @@ packets, and 'tap' style, which are Ethernet devices and handle complete
Ethernet frames.
So when tinc reads an Ethernet frame from the device, it determines
its type. When tinc is in it's default routing mode, it can handle IPv4
its type. When tinc is in its default routing mode, it can handle IPv4
and IPv6 packets. Depending on the Subnet lines, it will send the
packets off to their destination IP address. In the 'switch' and 'hub'
mode, tinc will use broadcasts and MAC address discovery to deduce the
@ -1909,8 +1904,8 @@ the decrypted information to its own virtual network device.
tunnel), there is no problem for the kernel to accept a packet.
However, if it is a 'tap' device (this is the only available type on
FreeBSD), the destination MAC address must match that of the virtual
network interface. If tinc is in it's default routing mode, ARP does
not work, so the correct destination MAC can not be known by the sending
network interface. If tinc is in its default routing mode, ARP does not
work, so the correct destination MAC can not be known by the sending
host. Tinc solves this by letting the receiving end detect the MAC
address of its own virtual network interface and overwriting the
destination MAC address of the received packet.
@ -2146,13 +2141,13 @@ Explanation is below.
client ACK 655 123 0
| | +-> options
| +----> estimated weight
+--------> listening port of client
| +----> estimated weight
+--------> listening port of client
server ACK 655 321 0
| | +-> options
| +----> estimated weight
+--------> listening port of server
| +----> estimated weight
+--------> listening port of server
--------------------------------------------------------------------------
This new scheme has several improvements, both in efficiency and
@ -2290,30 +2285,30 @@ that it encompasses the entire VPN.
For IPv4 addresses:
Linux 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Linux iproute2 'ip addr add' ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Darwin (MacOS/X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK
Linux 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Linux iproute2 'ip addr add' ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Darwin (Mac OS X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK
For IPv6 addresses:
Linux 'ifconfig' INTERFACE 'add' ADDRESS'/'PREFIXLENGTH
FreeBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
OpenBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Solaris 'ifconfig' INTERFACE 'inet6 plumb up'
'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS
Darwin (MacOS/X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH
Linux 'ifconfig' INTERFACE 'add' ADDRESS'/'PREFIXLENGTH
FreeBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
OpenBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Solaris 'ifconfig' INTERFACE 'inet6 plumb up'
'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS
Darwin (Mac OS X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH
On some platforms, when running tinc in switch mode, the VPN
interface must be set to tap mode with an ifconfig command:
OpenBSD 'ifconfig' INTERFACE 'link0'
OpenBSD 'ifconfig' INTERFACE 'link0'
On Linux, it is possible to create a persistent tun/tap interface
which will continue to exist even if tinc quit, although this is
@ -2321,7 +2316,7 @@ normally not required. It can be useful to set up a tun/tap interface
owned by a non-root user, so tinc can be started without needing any
root privileges at all.
Linux 'ip tuntap add dev' INTERFACE 'mode' TUN|TAP 'user' USERNAME
Linux 'ip tuntap add dev' INTERFACE 'mode' TUN|TAP 'user' USERNAME

File: tinc.info, Node: Routes, Prev: Interface configuration, Up: Platform specific information
@ -2338,26 +2333,26 @@ preferable, but not all platforms support this.
Adding routes to IPv4 subnets:
Linux 'route add -net' NETWORK_ADDRESS 'netmask' NETMASK INTERFACE
Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (MacOS/X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE
LOCAL_ADDRESS
Linux 'route add -net' NETWORK_ADDRESS 'netmask' NETMASK INTERFACE
Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (Mac OS X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE
Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE
LOCAL_ADDRESS
Adding routes to IPv6 subnets:
Linux 'route add -A inet6' NETWORK_ADDRESS'/'PREFIXLENGTH INTERFACE
Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (MacOS/X) ?
Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE
Linux 'route add -A inet6' NETWORK_ADDRESS'/'PREFIXLENGTH INTERFACE
Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (Mac OS X) 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE
Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE

File: tinc.info, Node: About us, Next: Concept Index, Prev: Platform specific information, Up: Top
@ -2457,13 +2452,13 @@ Concept Index
* DEVICE: Scripts. (line 53)
* device files: Device files. (line 6)
* DeviceType: Main configuration variables.
(line 80)
(line 79)
* Digest: Host configuration variables.
(line 31)
* DirectOnly: Main configuration variables.
(line 145)
(line 144)
* dummy: Main configuration variables.
(line 87)
(line 86)
* encapsulating: The UDP tunnel. (line 30)
* encryption: Encryption of network packets.
(line 6)
@ -2471,53 +2466,53 @@ Concept Index
* example: Example configuration.
(line 6)
* exec: Main configuration variables.
(line 315)
(line 314)
* Forwarding: Main configuration variables.
(line 152)
(line 151)
* frame type: The UDP tunnel. (line 6)
* GraphDumpFile: Main configuration variables.
(line 172)
(line 171)
* Hostnames: Main configuration variables.
(line 180)
(line 179)
* http: Main configuration variables.
(line 312)
(line 311)
* hub: Main configuration variables.
(line 250)
(line 249)
* ID: Authentication protocol.
(line 10)
* IffOneQueue: Main configuration variables.
(line 191)
(line 190)
* IndirectData: Host configuration variables.
(line 36)
* Interface: Main configuration variables.
(line 194)
(line 193)
* INTERFACE: Scripts. (line 56)
* IRC: Contact information. (line 9)
* key generation: Generating keypairs. (line 6)
* KeyExpire: Main configuration variables.
(line 202)
(line 201)
* KEY_CHANGED: The meta-protocol. (line 63)
* libraries: Libraries. (line 6)
* license: OpenSSL. (line 35)
* LocalDiscovery: Main configuration variables.
(line 208)
(line 207)
* lzo: lzo. (line 6)
* MACExpire: Main configuration variables.
(line 219)
(line 218)
* MACLength: Host configuration variables.
(line 44)
* MaxTimeout: Main configuration variables.
(line 224)
(line 223)
* meta-protocol: The meta-connection. (line 18)
* META_KEY: Authentication protocol.
(line 10)
* Mode: Main configuration variables.
(line 228)
(line 227)
* multicast: Main configuration variables.
(line 99)
(line 98)
* multiple networks: Multiple networks. (line 6)
* Name: Main configuration variables.
(line 255)
(line 254)
* NAME: Scripts. (line 50)
* netmask: Network interfaces. (line 33)
* netname: Multiple networks. (line 6)
@ -2531,9 +2526,9 @@ Concept Index
(line 69)
* PING: The meta-protocol. (line 88)
* PingInterval: Main configuration variables.
(line 266)
(line 265)
* PingTimeout: Main configuration variables.
(line 270)
(line 269)
* platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables.
(line 49)
@ -2544,32 +2539,32 @@ Concept Index
(line 57)
* port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables.
(line 276)
(line 275)
* private: Virtual Private Networks.
(line 10)
* PrivateKey: Main configuration variables.
(line 281)
(line 280)
* PrivateKeyFile: Main configuration variables.
(line 287)
(line 286)
* ProcessPriority: Main configuration variables.
(line 292)
(line 291)
* Proxy: Main configuration variables.
(line 297)
(line 296)
* PublicKey: Host configuration variables.
(line 61)
* PublicKeyFile: Host configuration variables.
(line 64)
* raw_socket: Main configuration variables.
(line 92)
(line 91)
* release: Supported platforms. (line 14)
* REMOTEADDRESS: Scripts. (line 65)
* REMOTEPORT: Scripts. (line 68)
* ReplayWindow: Main configuration variables.
(line 320)
(line 319)
* requirements: Libraries. (line 6)
* REQ_KEY: The meta-protocol. (line 63)
* router: Main configuration variables.
(line 231)
(line 230)
* runtime options: Runtime options. (line 9)
* scalability: tinc. (line 19)
* scripts: Scripts. (line 6)
@ -2577,11 +2572,11 @@ Concept Index
(line 18)
* signals: Signals. (line 6)
* socks4: Main configuration variables.
(line 301)
(line 300)
* socks5: Main configuration variables.
(line 306)
(line 305)
* StrictSubnets: Main configuration variables.
(line 331)
(line 330)
* Subnet: Host configuration variables.
(line 76)
* SUBNET: Scripts. (line 72)
@ -2589,7 +2584,7 @@ Concept Index
(line 98)
* SVPN: Security. (line 11)
* switch: Main configuration variables.
(line 239)
(line 238)
* TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables.
(line 105)
@ -2601,24 +2596,24 @@ Concept Index
* tincd: tinc. (line 14)
* traditional VPNs: tinc. (line 19)
* tunifhead: Main configuration variables.
(line 134)
(line 133)
* TunnelServer: Main configuration variables.
(line 338)
(line 337)
* tunnohead: Main configuration variables.
(line 128)
(line 127)
* UDP: The UDP tunnel. (line 30)
* UDP <1>: Encryption of network packets.
(line 12)
* UDPRcvBuf: Main configuration variables.
(line 345)
(line 344)
* UDPSndBuf: Main configuration variables.
(line 350)
(line 349)
* UML: Main configuration variables.
(line 110)
(line 109)
* Universal tun/tap: Configuration of Linux kernels.
(line 6)
* VDE: Main configuration variables.
(line 115)
(line 114)
* virtual: Virtual Private Networks.
(line 18)
* virtual network device: The UDP tunnel. (line 6)
@ -2637,61 +2632,61 @@ Node: Introduction1105
Node: Virtual Private Networks1915
Node: tinc3639
Node: Supported platforms5166
Node: Preparations5865
Node: Configuring the kernel6121
Node: Configuration of Linux kernels6530
Node: Configuration of FreeBSD kernels7385
Node: Configuration of OpenBSD kernels7850
Node: Configuration of NetBSD kernels8458
Node: Configuration of Solaris kernels8863
Node: Configuration of Darwin (MacOS/X) kernels9524
Node: Configuration of Windows10213
Node: Libraries10726
Node: OpenSSL11114
Node: zlib13401
Node: lzo14428
Node: Installation15409
Node: Building and installing tinc16424
Node: Darwin (MacOS/X) build environment17083
Node: Cygwin (Windows) build environment17650
Node: MinGW (Windows) build environment18237
Node: System files18761
Node: Device files19026
Node: Other files19442
Node: Configuration20055
Node: Configuration introduction20366
Node: Multiple networks21634
Node: How connections work23059
Node: Configuration files24281
Node: Main configuration variables25776
Node: Host configuration variables41870
Node: Scripts47371
Node: How to configure50134
Node: Generating keypairs51391
Node: Network interfaces51890
Node: Example configuration53738
Node: Running tinc59063
Node: Runtime options59653
Node: Signals62955
Node: Debug levels64146
Node: Solving problems65082
Node: Error messages66634
Node: Sending bug reports70643
Node: Technical information71590
Node: The connection71821
Node: The UDP tunnel72133
Node: The meta-connection75196
Node: The meta-protocol76665
Node: Security81682
Node: Authentication protocol82815
Node: Encryption of network packets87832
Node: Security issues89208
Node: Platform specific information90835
Node: Interface configuration91063
Node: Routes93516
Node: About us95433
Node: Contact information95608
Node: Authors96012
Node: Concept Index96417
Node: Preparations5866
Node: Configuring the kernel6122
Node: Configuration of Linux kernels6532
Node: Configuration of FreeBSD kernels7387
Node: Configuration of OpenBSD kernels7852
Node: Configuration of NetBSD kernels8460
Node: Configuration of Solaris kernels8865
Node: Configuration of Darwin (Mac OS X) kernels9527
Node: Configuration of Windows10005
Node: Libraries10519
Node: OpenSSL10907
Node: zlib13195
Node: lzo14223
Node: Installation15205
Node: Building and installing tinc16220
Node: Darwin (Mac OS X) build environment16880
Node: Cygwin (Windows) build environment17462
Node: MinGW (Windows) build environment18050
Node: System files18574
Node: Device files18839
Node: Other files19255
Node: Configuration19868
Node: Configuration introduction20179
Node: Multiple networks21447
Node: How connections work22873
Node: Configuration files24095
Node: Main configuration variables25589
Node: Host configuration variables41628
Node: Scripts47131
Node: How to configure49894
Node: Generating keypairs51152
Node: Network interfaces51651
Node: Example configuration53499
Node: Running tinc58824
Node: Runtime options59414
Node: Signals62716
Node: Debug levels63907
Node: Solving problems64843
Node: Error messages66395
Node: Sending bug reports70404
Node: Technical information71351
Node: The connection71582
Node: The UDP tunnel71894
Node: The meta-connection74955
Node: The meta-protocol76424
Node: Security81441
Node: Authentication protocol82574
Node: Encryption of network packets87619
Node: Security issues88995
Node: Platform specific information90622
Node: Interface configuration90850
Node: Routes93321
Node: About us95335
Node: Contact information95510
Node: Authors95914
Node: Concept Index96319

End Tag Table

96
doc/tinc.texi
View file

@ -176,7 +176,7 @@ available too.
@section Supported platforms
@cindex platforms
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
with various hardware architectures. These are some of the platforms
that are supported by the universal tun/tap device driver or other virtual network device drivers.
Without such a driver, tinc will most
@ -224,7 +224,7 @@ support tinc.
* Configuration of OpenBSD kernels::
* Configuration of NetBSD kernels::
* Configuration of Solaris kernels::
* Configuration of Darwin (MacOS/X) kernels::
* Configuration of Darwin (Mac OS X) kernels::
* Configuration of Windows::
@end menu
@ -261,7 +261,7 @@ alias char-major-10-200 tun
@subsection Configuration of FreeBSD kernels
For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration.
The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
@c ==================================================================
@ -298,19 +298,12 @@ If the @file{net/if_tun.h} header file is missing, install it from the source pa
@c ==================================================================
@node Configuration of Darwin (MacOS/X) kernels
@subsection Configuration of Darwin (MacOS/X) kernels
@node Configuration of Darwin (Mac OS X) kernels
@subsection Configuration of Darwin (Mac OS X) kernels
Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel.
Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/},
which supports both tun and tap style devices,
and also the driver from from @uref{http://chrisp.de/en/projects/tunnel.html}.
The former driver is recommended.
The tunnel driver must be loaded before starting tinc with the following command:
@example
kmodload tunnel
@end example
which supports both tun and tap style devices.
@c ==================================================================
@ -349,7 +342,7 @@ having them installed, configure will give you an error message, and stop.
For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library.
If this library is not installed, you wil get an error when configuring
If this library is not installed, you will get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries
installed @emph{may} be added in the future.
@ -413,7 +406,7 @@ Markus F.X.J. Oberhumer
For the optional compression of UDP packets, tinc uses the functions provided
by the zlib library.
If this library is not installed, you wil get an error when running the
If this library is not installed, you will get an error when running the
configure script. You can either install the zlib library, or disable support
for zlib compression by using the "--disable-zlib" option when running the
configure script. Note that if you disable support for zlib, the resulting
@ -437,7 +430,7 @@ default).
@cindex lzo
Another form of compression is offered using the LZO library.
If this library is not installed, you wil get an error when running the
If this library is not installed, you will get an error when running the
configure script. You can either install the LZO library, or disable support
for LZO compression by using the "--disable-lzo" option when running the
configure script. Note that if you disable support for LZO, the resulting
@ -503,19 +496,19 @@ you can use the package management tools of that distribution to install tinc.
The documentation that comes along with your distribution will tell you how to do that.
@menu
* Darwin (MacOS/X) build environment::
* Darwin (Mac OS X) build environment::
* Cygwin (Windows) build environment::
* MinGW (Windows) build environment::
@end menu
@c ==================================================================
@node Darwin (MacOS/X) build environment
@subsection Darwin (MacOS/X) build environment
@node Darwin (Mac OS X) build environment
@subsection Darwin (Mac OS X) build environment
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools
from @uref{http://developer.apple.com/tools/macosxtools.html} and
a recent version of Fink from @uref{http://www.finkproject.org/}.
preferably a recent version of Fink from @uref{http://www.finkproject.org/}.
After installation use fink to download and install the following packages:
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
@ -666,7 +659,7 @@ It is not required if you only run one tinc daemon,
it doesn't even have to be the same on all the sites of your VPN,
but it is recommended that you choose one anyway.
We will asume you use a netname throughout this document.
We will assume you use a netname throughout this document.
This means that you call tincd with the -n argument,
which will assign a netname to this daemon.
@ -694,7 +687,7 @@ reads in the configuration file tinc.conf.
If it sees one or more `ConnectTo' values pointing to other tinc daemons in that file,
it will try to connect to those other daemons.
Whether this succeeds or not and whether `ConnectTo' is specified or not,
tinc will listen for incoming connection from other deamons.
tinc will listen for incoming connection from other daemons.
If you did specify a `ConnectTo' value and the other side is not responding,
tinc will keep retrying.
This means that once started, tinc will stay running until you tell it to stop,
@ -718,7 +711,7 @@ The actual configuration of the daemon is done in the file
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
An optional directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
any .conf file will be read.
These file consists of comments (lines started with a #) or assignments
@ -829,7 +822,6 @@ Do not use this option if you use switch mode and want to use IPv6.
@item Device = <@var{device}> (@file{/dev/tap0}, @file{/dev/net/tun} or other depending on platform)
The virtual network device to use.
Tinc will automatically detect what kind of device it is.
Note that you can only use one device per daemon.
Under Windows, use @var{Interface} instead of @var{Device}.
Note that you can only use one device per daemon.
See also @ref{Device files}.
@ -947,7 +939,7 @@ that is executed, the graph is then sent to stdin.
@item Hostnames = <yes|no> (no)
This option selects whether IP addresses (both real and on the VPN)
should be resolved. Since DNS lookups are blocking, it might affect
tinc's efficiency, even stopping the daemon for a few seconds everytime
tinc's efficiency, even stopping the daemon for a few seconds every time
it does a lookup if your DNS server is not responding.
This does not affect resolving hostnames to IP addresses from the
@ -1022,7 +1014,7 @@ while no routing table is managed.
@cindex Name
@item Name = <@var{name}> [required]
This is a symbolic name for this connection.
The name should consist only of alfanumeric and underscore characters (a-z, A-Z, 0-9 and _).
The name should consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _).
If Name starts with a $, then the contents of the environment variable that follows will be used.
In that case, invalid characters will be converted to underscores.
@ -1049,7 +1041,7 @@ will be inherited by the UDP packets that are sent out.
@item PrivateKey = <@var{key}> [obsolete]
This is the RSA private key for tinc. However, for safety reasons it is
advised to store private keys of any kind in separate files. This prevents
accidental eavesdropping if you are editting the configuration file.
accidental eavesdropping if you are editing the configuration file.
@cindex PrivateKeyFile
@item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv})
@ -1216,7 +1208,7 @@ connection with that host.
@cindex Subnet
@item Subnet = <@var{address}[/@var{prefixlength}[#@var{weight}]]>
The subnet which this tinc daemon will serve.
Tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet.
Tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
If the packet matches a subnet,
it will be sent to the daemon who has this subnet in his host configuration file.
Multiple subnet lines can be specified for each daemon.
@ -1293,11 +1285,11 @@ This script is started when any host becomes reachable.
This script is started when any host becomes unreachable.
@item @value{sysconfdir}/tinc/@var{netname}/subnet-up
This script is started when a Subnet becomes reachable.
This script is started when a subnet becomes reachable.
The Subnet and the node it belongs to are passed in environment variables.
@item @value{sysconfdir}/tinc/@var{netname}/subnet-down
This script is started when a Subnet becomes unreachable.
This script is started when a subnet becomes unreachable.
@end table
@cindex environment variables
@ -1368,7 +1360,7 @@ add `ConnectTo' values.
@subsubheading Step 2. Creating your host configuration file
If you added a line containing `Name = yourname' in the main configuarion file,
If you added a line containing `Name = yourname' in the main configuration file,
you will need to create a host configuration file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/yourname}.
Adapt the following example to create a host configuration file:
@ -1938,7 +1930,7 @@ Note that you will only see this message if you specified a debug
level of 5 or higher!
@item Chances are that a @samp{Subnet = ...} line in the host configuration file of this tinc daemon is wrong.
Change it to a subnet that is accepted locally by another interface,
or if that is not the case, try changing the prefix length into /32.
or if that is not the case, try changing the prefix length into /32.
@end itemize
@item Node foo (1.2.3.4) is not reachable
@ -2022,7 +2014,7 @@ There are two possible types of virtual network devices:
and `tap' style, which are Ethernet devices and handle complete Ethernet frames.
So when tinc reads an Ethernet frame from the device, it determines its
type. When tinc is in it's default routing mode, it can handle IPv4 and IPv6
type. When tinc is in its default routing mode, it can handle IPv4 and IPv6
packets. Depending on the Subnet lines, it will send the packets off to their destination IP address.
In the `switch' and `hub' mode, tinc will use broadcasts and MAC address discovery
to deduce the destination of the packets.
@ -2053,7 +2045,7 @@ If the virtual network device is a `tun' device (a point-to-point tunnel),
there is no problem for the kernel to accept a packet.
However, if it is a `tap' device (this is the only available type on FreeBSD),
the destination MAC address must match that of the virtual network interface.
If tinc is in it's default routing mode, ARP does not work, so the correct destination MAC
If tinc is in its default routing mode, ARP does not work, so the correct destination MAC
can not be known by the sending host.
Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface
and overwriting the destination MAC address of the received packet.
@ -2177,7 +2169,7 @@ message
------------------------------------------------------------------
REQ_KEY origin destination
| +--> name of the tinc daemon it wants the key from
+----------> name of the daemon that wants the key
+----------> name of the daemon that wants the key
ANS_KEY origin destination 4ae0b0a82d6e0078 91 64 4
| | \______________/ | | +--> MAC length
@ -2312,13 +2304,13 @@ their identity. Further information is exchanged.
client ACK 655 123 0
| | +-> options
| +----> estimated weight
+--------> listening port of client
| +----> estimated weight
+--------> listening port of client
server ACK 655 321 0
| | +-> options
| +----> estimated weight
+--------> listening port of server
| +----> estimated weight
+--------> listening port of server
--------------------------------------------------------------------------
@end example
@ -2446,7 +2438,7 @@ netmask should be such that it encompasses the entire VPN.
For IPv4 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Linux iproute2
@ -2459,7 +2451,7 @@ For IPv4 addresses:
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Solaris
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Darwin (MacOS/X)
@item Darwin (Mac OS X)
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Windows
@tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask}
@ -2467,7 +2459,7 @@ For IPv4 addresses:
For IPv6 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength}
@item FreeBSD
@ -2480,7 +2472,7 @@ For IPv6 addresses:
@tab @code{ifconfig} @var{interface} @code{inet6 plumb up}
@item
@tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address}
@item Darwin (MacOS/X)
@item Darwin (Mac OS X)
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
@item Windows
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
@ -2488,7 +2480,7 @@ For IPv6 addresses:
On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item OpenBSD
@tab @code{ifconfig} @var{interface} @code{link0}
@end multitable
@ -2498,7 +2490,7 @@ continue to exist even if tinc quit, although this is normally not required.
It can be useful to set up a tun/tap interface owned by a non-root user, so
tinc can be started without needing any root privileges at all.
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username}
@end multitable
@ -2516,7 +2508,7 @@ support this.
Adding routes to IPv4 subnets:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface}
@item Linux iproute2
@ -2529,15 +2521,15 @@ Adding routes to IPv4 subnets:
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@item Solaris
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
@item Darwin (MacOS/X)
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@item Darwin (Mac OS X)
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
@item Windows
@tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address}
@end multitable
Adding routes to IPv6 subnets:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface}
@item Linux iproute2
@ -2550,8 +2542,8 @@ Adding routes to IPv6 subnets:
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
@item Solaris
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
@item Darwin (MacOS/X)
@tab ?
@item Darwin (Mac OS X)
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
@item Windows
@tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
@end multitable