Import Upstream version 1.1~pre17
This commit is contained in:
parent
bc8ca65653
commit
b511a112e6
216 changed files with 43313 additions and 18448 deletions
|
|
@ -1,23 +1,13 @@
|
|||
## Process this file with automake to get Makefile.in
|
||||
|
||||
info_TEXINFOS = tinc.texi
|
||||
tinc_TEXINFOS = tincinclude.texi
|
||||
|
||||
man_MANS = tincd.8 tinc.8 tinc.conf.5 tinc-gui.8
|
||||
|
||||
EXTRA_DIST = tincinclude.texi.in tincd.8.in tinc.8.in tinc.conf.5.in tinc-gui.8.in sample-config.tar.gz
|
||||
EXTRA_DIST = tincinclude.texi.in tincd.8.in tinc.8.in tinc.conf.5.in tinc-gui.8.in sample-config
|
||||
|
||||
CLEANFILES = *.html tincd.8 tinc.8 tinc.conf.5 tinc-gui.8 tincinclude.texi sample-config.tar.gz
|
||||
|
||||
# Use `ginstall' in the definition of man_MANS to avoid
|
||||
# confusion with the `install' target. The install rule transforms `ginstall'
|
||||
# to install before applying any user-specified name transformations.
|
||||
transform = s/ginstall/install/; @program_transform_name@
|
||||
|
||||
# For additional rules usually of interest only to the maintainer,
|
||||
# see GNUmakefile and Makefile.maint.
|
||||
|
||||
sample-config.tar.gz: sample-config
|
||||
$(AM_V_GEN)GZIP=$(GZIP_ENV) $(AMTAR) chozf $@ --exclude .svn $<
|
||||
CLEANFILES = *.html tincd.8 tinc.8 tinc.conf.5 tinc-gui.8 tincinclude.texi
|
||||
|
||||
tincd.8.html: tincd.8
|
||||
$(AM_V_GEN)w3mman2html $? > $@
|
||||
|
|
@ -35,21 +25,20 @@ substitute = sed \
|
|||
-e s,'@PACKAGE\@',"$(PACKAGE)",g \
|
||||
-e s,'@VERSION\@',"$(VERSION)",g \
|
||||
-e s,'@sysconfdir\@',"$(sysconfdir)",g \
|
||||
-e s,'@runstatedir\@',"$(runstatedir)",g \
|
||||
-e s,'@localstatedir\@',"$(localstatedir)",g
|
||||
|
||||
tincd.8: tincd.8.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
tincd.8: $(srcdir)/tincd.8.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tincd.8.in > $@
|
||||
|
||||
tinc.8: tinc.8.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
tinc.8: $(srcdir)/tinc.8.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tinc.8.in > $@
|
||||
|
||||
tinc-gui.8: tinc-gui.8.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
tinc-gui.8: $(srcdir)/tinc-gui.8.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tinc-gui.8.in > $@
|
||||
|
||||
tinc.conf.5: tinc.conf.5.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
tinc.conf.5: $(srcdir)/tinc.conf.5.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tinc.conf.5.in > $@
|
||||
|
||||
tincinclude.texi: tincinclude.texi.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
|
||||
tinc.texi: tincinclude.texi
|
||||
tincinclude.texi: $(srcdir)/tincinclude.texi.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tincinclude.texi.in > $@
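Review bot: The five substitution rules in this hunk (`tincd.8`, `tinc.8`, `tinc-gui.8`, `tinc.conf.5`, `tincinclude.texi`) still write straight into `$@` through a shell redirect, so a sed that fails or is interrupted leaves a truncated target that is newer than its `.in` source and is treated as up to date on the next run; nothing visible in this commit sets `.DELETE_ON_ERROR`. Writing to a temporary name first keeps each target atomic, e.g. `$(AM_V_GEN)$(substitute) $(srcdir)/tincd.8.in > $@.tmp && mv -f $@.tmp $@` for tincd.8 and the same shape for the other four. Separately, `substitute` (whose definition begins at the hunk's context header) pastes `$(sysconfdir)`, `$(runstatedir)` and `$(localstatedir)`, values the user chooses at configure time, unescaped into the sed replacement, so a `,`, `&` or `\` in any of them would corrupt the generated man pages; at minimum this deserves a comment on the `substitute` definition, or escaping the values before they are used.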
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# Makefile.in generated by automake 1.15.1 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.16.1 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994-2017 Free Software Foundation, Inc.
|
||||
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
|
||||
|
||||
# This Makefile.in is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
|
|
@ -78,6 +78,7 @@ install_sh_DATA = $(install_sh) -c -m 644
|
|||
install_sh_PROGRAM = $(install_sh) -c
|
||||
install_sh_SCRIPT = $(install_sh) -c
|
||||
INSTALL_HEADER = $(INSTALL_DATA)
|
||||
transform = $(program_transform_name)
|
||||
NORMAL_INSTALL = :
|
||||
PRE_INSTALL = :
|
||||
POST_INSTALL = :
|
||||
|
|
@ -93,6 +94,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
|
|||
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
|
||||
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
|
||||
$(top_srcdir)/m4/ax_check_link_flag.m4 \
|
||||
$(top_srcdir)/m4/ax_code_coverage.m4 \
|
||||
$(top_srcdir)/m4/ax_require_defined.m4 \
|
||||
$(top_srcdir)/m4/curses.m4 $(top_srcdir)/m4/libgcrypt.m4 \
|
||||
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/miniupnpc.m4 \
|
||||
|
|
@ -198,13 +200,8 @@ man8dir = $(mandir)/man8
|
|||
NROFF = nroff
|
||||
MANS = $(man_MANS)
|
||||
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
|
||||
am__DIST_COMMON = $(srcdir)/Makefile.in texinfo.tex
|
||||
am__DIST_COMMON = $(srcdir)/Makefile.in $(tinc_TEXINFOS) texinfo.tex
|
||||
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
||||
|
||||
# Use `ginstall' in the definition of man_MANS to avoid
|
||||
# confusion with the `install' target. The install rule transforms `ginstall'
|
||||
# to install before applying any user-specified name transformations.
|
||||
transform = s/ginstall/install/; @program_transform_name@
|
||||
ACLOCAL = @ACLOCAL@
|
||||
AMTAR = @AMTAR@
|
||||
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
|
||||
|
|
@ -215,6 +212,12 @@ AWK = @AWK@
|
|||
CC = @CC@
|
||||
CCDEPMODE = @CCDEPMODE@
|
||||
CFLAGS = @CFLAGS@
|
||||
CODE_COVERAGE_CFLAGS = @CODE_COVERAGE_CFLAGS@
|
||||
CODE_COVERAGE_CPPFLAGS = @CODE_COVERAGE_CPPFLAGS@
|
||||
CODE_COVERAGE_CXXFLAGS = @CODE_COVERAGE_CXXFLAGS@
|
||||
CODE_COVERAGE_ENABLED = @CODE_COVERAGE_ENABLED@
|
||||
CODE_COVERAGE_LDFLAGS = @CODE_COVERAGE_LDFLAGS@
|
||||
CODE_COVERAGE_LIBS = @CODE_COVERAGE_LIBS@
|
||||
CPP = @CPP@
|
||||
CPPFLAGS = @CPPFLAGS@
|
||||
CURSES_LIBS = @CURSES_LIBS@
|
||||
|
|
@ -226,16 +229,18 @@ ECHO_N = @ECHO_N@
|
|||
ECHO_T = @ECHO_T@
|
||||
EGREP = @EGREP@
|
||||
EXEEXT = @EXEEXT@
|
||||
GCOV = @GCOV@
|
||||
GENHTML = @GENHTML@
|
||||
GREP = @GREP@
|
||||
INSTALL = @INSTALL@
|
||||
INSTALL_DATA = @INSTALL_DATA@
|
||||
INSTALL_PROGRAM = @INSTALL_PROGRAM@
|
||||
INSTALL_SCRIPT = @INSTALL_SCRIPT@
|
||||
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
|
||||
LCOV = @LCOV@
|
||||
LDFLAGS = @LDFLAGS@
|
||||
LIBOBJS = @LIBOBJS@
|
||||
LIBS = @LIBS@
|
||||
LN_S = @LN_S@
|
||||
LTLIBOBJS = @LTLIBOBJS@
|
||||
MAKEINFO = @MAKEINFO@
|
||||
MINIUPNPC_LIBS = @MINIUPNPC_LIBS@
|
||||
|
|
@ -250,6 +255,7 @@ PACKAGE_URL = @PACKAGE_URL@
|
|||
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||
PATH_SEPARATOR = @PATH_SEPARATOR@
|
||||
READLINE_LIBS = @READLINE_LIBS@
|
||||
SED = @SED@
|
||||
SET_MAKE = @SET_MAKE@
|
||||
SHELL = @SHELL@
|
||||
STRIP = @STRIP@
|
||||
|
|
@ -307,13 +313,15 @@ top_build_prefix = @top_build_prefix@
|
|||
top_builddir = @top_builddir@
|
||||
top_srcdir = @top_srcdir@
|
||||
info_TEXINFOS = tinc.texi
|
||||
tinc_TEXINFOS = tincinclude.texi
|
||||
man_MANS = tincd.8 tinc.8 tinc.conf.5 tinc-gui.8
|
||||
EXTRA_DIST = tincinclude.texi.in tincd.8.in tinc.8.in tinc.conf.5.in tinc-gui.8.in sample-config.tar.gz
|
||||
CLEANFILES = *.html tincd.8 tinc.8 tinc.conf.5 tinc-gui.8 tincinclude.texi sample-config.tar.gz
|
||||
EXTRA_DIST = tincinclude.texi.in tincd.8.in tinc.8.in tinc.conf.5.in tinc-gui.8.in sample-config
|
||||
CLEANFILES = *.html tincd.8 tinc.8 tinc.conf.5 tinc-gui.8 tincinclude.texi
|
||||
substitute = sed \
|
||||
-e s,'@PACKAGE\@',"$(PACKAGE)",g \
|
||||
-e s,'@VERSION\@',"$(VERSION)",g \
|
||||
-e s,'@sysconfdir\@',"$(sysconfdir)",g \
|
||||
-e s,'@runstatedir\@',"$(runstatedir)",g \
|
||||
-e s,'@localstatedir\@',"$(localstatedir)",g
|
||||
|
||||
all: all-am
|
||||
|
|
@ -337,8 +345,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
|
|||
*config.status*) \
|
||||
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
|
||||
*) \
|
||||
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
|
||||
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
|
||||
esac;
|
||||
|
||||
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
|
||||
|
|
@ -393,10 +401,10 @@ $(am__aclocal_m4_deps):
|
|||
else \
|
||||
rm -rf $(@:.html=.htp); exit 1; \
|
||||
fi
|
||||
$(srcdir)/tinc.info: tinc.texi
|
||||
tinc.dvi: tinc.texi
|
||||
tinc.pdf: tinc.texi
|
||||
tinc.html: tinc.texi
|
||||
$(srcdir)/tinc.info: tinc.texi $(tinc_TEXINFOS)
|
||||
tinc.dvi: tinc.texi $(tinc_TEXINFOS)
|
||||
tinc.pdf: tinc.texi $(tinc_TEXINFOS)
|
||||
tinc.html: tinc.texi $(tinc_TEXINFOS)
|
||||
.dvi.ps:
|
||||
$(AM_V_DVIPS)TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \
|
||||
$(DVIPS) $(AM_V_texinfo) -o $@ $<
|
||||
|
|
@ -583,7 +591,10 @@ ctags CTAGS:
|
|||
cscope cscopelist:
|
||||
|
||||
|
||||
distdir: $(DISTFILES)
|
||||
distdir: $(BUILT_SOURCES)
|
||||
$(MAKE) $(AM_MAKEFLAGS) distdir-am
|
||||
|
||||
distdir-am: $(DISTFILES)
|
||||
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||
list='$(DISTFILES)'; \
|
||||
|
|
@ -835,12 +846,6 @@ uninstall-man: uninstall-man5 uninstall-man8
|
|||
.PRECIOUS: Makefile
|
||||
|
||||
|
||||
# For additional rules usually of interest only to the maintainer,
|
||||
# see GNUmakefile and Makefile.maint.
|
||||
|
||||
sample-config.tar.gz: sample-config
|
||||
$(AM_V_GEN)GZIP=$(GZIP_ENV) $(AMTAR) chozf $@ --exclude .svn $<
|
||||
|
||||
tincd.8.html: tincd.8
|
||||
$(AM_V_GEN)w3mman2html $? > $@
|
||||
|
||||
|
|
@ -853,22 +858,20 @@ tinc-gui.8.html: tinc-gui.8
|
|||
tinc.conf.5.html: tinc.conf.5
|
||||
$(AM_V_GEN)w3mman2html $? > $@
|
||||
|
||||
tincd.8: tincd.8.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
tincd.8: $(srcdir)/tincd.8.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tincd.8.in > $@
|
||||
|
||||
tinc.8: tinc.8.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
tinc.8: $(srcdir)/tinc.8.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tinc.8.in > $@
|
||||
|
||||
tinc-gui.8: tinc-gui.8.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
tinc-gui.8: $(srcdir)/tinc-gui.8.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tinc-gui.8.in > $@
|
||||
|
||||
tinc.conf.5: tinc.conf.5.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
tinc.conf.5: $(srcdir)/tinc.conf.5.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tinc.conf.5.in > $@
|
||||
|
||||
tincinclude.texi: tincinclude.texi.in
|
||||
$(AM_V_GEN)$(substitute) $? > $@
|
||||
|
||||
tinc.texi: tincinclude.texi
|
||||
tincinclude.texi: $(srcdir)/tincinclude.texi.in
|
||||
$(AM_V_GEN)$(substitute) $(srcdir)/tincinclude.texi.in > $@
|
||||
|
||||
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||
# Otherwise a system limit (for SysV at least) may be exceeded.
|
||||
|
|
|
|||
Binary file not shown.
15
doc/sample-config/hosts/alpha
|
|
@ -0,0 +1,15 @@
|
|||
# Sample host configuration file
|
||||
|
||||
# The real IP address of this tinc host. Can be used by other tinc hosts.
|
||||
Address = 123.234.35.67
|
||||
|
||||
# Portnumber for incoming connections. Default is 655.
|
||||
Port = 655
|
||||
|
||||
# Subnet on the virtual private network that is local for this host.
|
||||
Subnet = 192.168.1.0/24
|
||||
|
||||
# The public key generated by `tincd -n example -K' is stored here
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
...
|
||||
-----END RSA PUBLIC KEY-----
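Review bot: `Address = 123.234.35.67` (and `Address = 123.45.67.189` in hosts/beta) are globally routable addresses in a sample that users are expected to copy, so an unedited copy would have tinc contact whoever actually holds them. Sample configuration is conventionally written with the documentation ranges set aside by RFC 5737 (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), e.g. `Address = 192.0.2.67` here, which cannot reach a real host by accident; the `Subnet` values already use private ranges and need no change.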
|
||||
16
doc/sample-config/hosts/beta
|
|
@ -0,0 +1,16 @@
|
|||
# Sample host configuration file
|
||||
# This file was generated by host beta.
|
||||
|
||||
# The real IP address of this tinc host. Can be used by other tinc hosts.
|
||||
Address = 123.45.67.189
|
||||
|
||||
# Portnumber for incoming connections. Default is 655.
|
||||
Port = 6500
|
||||
|
||||
# Subnet on the virtual private network that is local for this host.
|
||||
Subnet = 192.168.2.0/24
|
||||
|
||||
# The public key generated by `tincd -n example -K' is stored here
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
...
|
||||
-----END RSA PUBLIC KEY-----
|
||||
1
doc/sample-config/rsa_key.priv
|
|
@ -0,0 +1 @@
|
|||
# Generate this file with `tincd -n example -K`
|
||||
4
doc/sample-config/tinc-down
|
|
@ -0,0 +1,4 @@
|
|||
#!/bin/sh
|
||||
# This file closes down the tap device.
|
||||
|
||||
ifconfig $INTERFACE down
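Review bot: `ifconfig $INTERFACE down` uses `$INTERFACE` unquoted and without checking that it is set, so if the variable is empty (the tinc-up comment itself says it is only set correctly on most platforms) the script runs `ifconfig down` against a nonexistent interface and fails with an error that is easy to misread. Guarding the variable first, `: "${INTERFACE:?INTERFACE is not set}"`, and quoting it, `ifconfig "$INTERFACE" down`, makes the failure explicit and survives unusual interface names; the same applies to `ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0` in tinc-up.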
|
||||
11
doc/sample-config/tinc-up
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/sh
|
||||
# This file sets up the tap device.
|
||||
# It gives you the freedom to do anything you want with it.
|
||||
# Use the correct name for the tap device:
|
||||
# The environment variable $INTERFACE is set to the right name
|
||||
# on most platforms, but if it doesn't work try to set it manually.
|
||||
|
||||
# Give it the right ip and netmask. Remember, the subnet of the
|
||||
# tap device must be larger than that of the individual Subnets
|
||||
# as defined in the host configuration file!
|
||||
ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
|
||||
22
doc/sample-config/tinc.conf
|
|
@ -0,0 +1,22 @@
|
|||
# Sample tinc configuration file
|
||||
|
||||
# This is a comment.
|
||||
# Spaces and tabs are eliminated.
|
||||
# The = sign isn't strictly necessary any longer, though you may want
|
||||
# to leave it in as it improves readability :)
|
||||
# Variable names are treated case insensitive.
|
||||
|
||||
# The name of this tinc host. Required.
|
||||
Name = alpha
|
||||
|
||||
# The internet host to connect with.
|
||||
# Comment these out to make yourself a listen-only connection
|
||||
# You must use the name of another tinc host.
|
||||
# May be used multiple times for redundance.
|
||||
ConnectTo = beta
|
||||
|
||||
# The tap device tinc will use.
|
||||
# Default is /dev/tap0 for ethertap or FreeBSD,
|
||||
# /dev/tun0 for Solaris and OpenBSD,
|
||||
# and /dev/net/tun for Linux tun/tap device.
|
||||
Device = /dev/net/tun
|
||||
5266
doc/texinfo.tex
File diff suppressed because it is too large
|
|
@ -30,7 +30,7 @@ Use the cookie from
|
|||
.Ar FILENAME
|
||||
to authenticate with a running tinc daemon.
|
||||
If unspecified, the default is
|
||||
.Pa @localstatedir@/run/tinc. Ns Ar NETNAME Ns Pa .pid.
|
||||
.Pa @runstatedir@/tinc. Ns Ar NETNAME Ns Pa .pid.
|
||||
.It Fl -help
|
||||
Display short list of options.
|
||||
.El
|
||||
|
|
|
|||
|
|
@ -7,10 +7,11 @@
|
|||
.Nd tinc VPN control
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Fl cn
|
||||
.Op Fl bcn
|
||||
.Op Fl -config Ns = Ns Ar DIR
|
||||
.Op Fl -net Ns = Ns Ar NETNAME
|
||||
.Op Fl -pidfile Ns = Ns Ar FILENAME
|
||||
.Op Fl -batch
|
||||
.Op Fl -force
|
||||
.Op Fl -help
|
||||
.Op Fl -version
|
||||
|
|
@ -54,7 +55,9 @@ Use the cookie from
|
|||
.Ar FILENAME
|
||||
to authenticate with a running tinc daemon.
|
||||
If unspecified, the default is
|
||||
.Pa @localstatedir@/run/tinc. Ns Ar NETNAME Ns Pa .pid.
|
||||
.Pa @runstatedir@/tinc. Ns Ar NETNAME Ns Pa .pid.
|
||||
.It Fl b, -batch
|
||||
Don't ask for anything (non-interactive mode).
|
||||
.It Fl -force
|
||||
Force some commands to work despite warnings.
|
||||
.It Fl -help
|
||||
|
|
@ -249,7 +252,7 @@ to allow a signature from any node whose public key is known.
|
|||
If no
|
||||
.Ar filename
|
||||
is given, the file is read from standard input.
|
||||
If the verification is succesful,
|
||||
If the verification is successful,
|
||||
a copy of the input with the signature removed is written to standard output,
|
||||
and the exit code will be zero.
|
||||
If the verification failed,
|
||||
|
|
|
|||
|
|
@ -114,7 +114,7 @@ If
|
|||
.Qq any
|
||||
is selected, then depending on the operating system both IPv4 and IPv6 or just
|
||||
IPv6 listening sockets will be created.
|
||||
.It Va AutoConnect Li = yes | no Po no Pc Bq experimental
|
||||
.It Va AutoConnect Li = yes | no Po yes
|
||||
If set to yes,
|
||||
.Nm tinc
|
||||
will automatically set up meta connections to other nodes,
|
||||
|
|
@ -177,7 +177,7 @@ line).
|
|||
.Pp
|
||||
If you don't specify a host with
|
||||
.Va ConnectTo
|
||||
and don't enable
|
||||
and have disabled
|
||||
.Va AutoConnect ,
|
||||
.Nm tinc
|
||||
won't try to connect to other daemons at all,
|
||||
|
|
@ -242,7 +242,7 @@ Packets received for the local node are written to it.
|
|||
Create a UNIX socket with the filename specified by
|
||||
.Va Device ,
|
||||
or
|
||||
.Pa @localstatedir@/run/ Ns Ar NETNAME Ns Pa .umlsocket
|
||||
.Pa @runstatedir@/ Ns Ar NETNAME Ns Pa .umlsocket
|
||||
if not specified.
|
||||
.Nm tinc
|
||||
will wait for a User Mode Linux instance to connect to this socket.
|
||||
|
|
@ -251,7 +251,7 @@ Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
|
|||
using the UNIX socket specified by
|
||||
.Va Device ,
|
||||
or
|
||||
.Pa @localstatedir@/run/vde.ctl
|
||||
.Pa @runstatedir@/vde.ctl
|
||||
if not specified.
|
||||
.El
|
||||
Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
|
||||
|
|
@ -306,10 +306,16 @@ Incoming packets that are meant for another node are forwarded by tinc internall
|
|||
.Pp
|
||||
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
|
||||
.It kernel
|
||||
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
|
||||
Incoming packets using the legacy protocol are always sent to the TUN/TAP device,
|
||||
even if the packets are not for the local node.
|
||||
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
|
||||
and can also help debugging.
|
||||
Incoming packets using the SPTPS protocol are dropped, since they are end-to-end encrypted.
|
||||
.El
|
||||
.It Va FWMark Li = Ar value Po 0 Pc Bq experimental
|
||||
When set to a non-zero value, all TCP and UDP sockets created by tinc will use the given value as the firewall mark.
|
||||
This can be used for mark-based routing or for packet filtering.
|
||||
This option is currently only supported on Linux.
|
||||
.It Va Hostnames Li = yes | no Pq no
|
||||
This option selects whether IP addresses (both real and on the VPN) should
|
||||
be resolved. Since DNS lookups are blocking, it might affect tinc's
|
||||
|
|
@ -786,7 +792,7 @@ its connection to the virtual network device.
|
|||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitations/
|
||||
This directory contains outstanding invitations.
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitation-data
|
||||
After a succesful join, this file contains a copy of the invitation data received.
|
||||
After a successful join, this file contains a copy of the invitation data received.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr tincd 8 ,
|
||||
|
|
|
|||
518
doc/tinc.info
|
|
@ -1,14 +1,14 @@
|
|||
This is tinc.info, produced by makeinfo version 6.4.90 from tinc.texi.
|
||||
This is tinc.info, produced by makeinfo version 6.5 from tinc.texi.
|
||||
|
||||
INFO-DIR-SECTION Networking tools
|
||||
START-INFO-DIR-ENTRY
|
||||
* tinc: (tinc). The tinc Manual.
|
||||
END-INFO-DIR-ENTRY
|
||||
|
||||
This is the info manual for tinc version 1.1pre14-62-g958a751e, a
|
||||
Virtual Private Network daemon.
|
||||
This is the info manual for tinc version 1.1pre17, a Virtual Private
|
||||
Network daemon.
|
||||
|
||||
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen
|
||||
Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen
|
||||
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
|
||||
|
||||
Permission is granted to make and distribute verbatim copies of this
|
||||
|
|
@ -119,7 +119,7 @@ both the receiving and sending end, it has become largely
|
|||
runtime-configurable--in short, it has become a full-fledged
|
||||
professional package.
|
||||
|
||||
Tinc also allows more than two sites to connect to eachother and form a
|
||||
Tinc also allows more than two sites to connect to each other and form a
|
||||
single VPN. Traditionally VPNs are created by making tunnels, which only
|
||||
have two endpoints. Larger VPNs with more sites are created by adding
|
||||
more tunnels. Tinc takes another approach: only endpoints are
|
||||
|
|
@ -285,7 +285,7 @@ File: tinc.info, Node: Libraries, Prev: Configuring the kernel, Up: Preparati
|
|||
=============
|
||||
|
||||
Before you can configure or build tinc, you need to have the LibreSSL or
|
||||
OpenSSL, zlib, lzo, curses and readline libraries installed on your
|
||||
OpenSSL, zlib, LZO, curses and readline libraries installed on your
|
||||
system. If you try to configure tinc without having them installed,
|
||||
configure will give you an error message, and stop.
|
||||
|
||||
|
|
@ -293,7 +293,7 @@ configure will give you an error message, and stop.
|
|||
|
||||
* LibreSSL/OpenSSL::
|
||||
* zlib::
|
||||
* lzo::
|
||||
* LZO::
|
||||
* libcurses::
|
||||
* libreadline::
|
||||
|
||||
|
|
@ -306,7 +306,7 @@ File: tinc.info, Node: LibreSSL/OpenSSL, Next: zlib, Up: Libraries
|
|||
For all cryptography-related functions, tinc uses the functions provided
|
||||
by the LibreSSL or the OpenSSL library.
|
||||
|
||||
If this library is not installed, you wil get an error when configuring
|
||||
If this library is not installed, you will get an error when configuring
|
||||
tinc for build. Support for running tinc with other cryptographic
|
||||
libraries installed _may_ be added in the future.
|
||||
|
||||
|
|
@ -316,7 +316,7 @@ of this package.
|
|||
|
||||
If your operating system comes neither with LibreSSL or OpenSSL, you
|
||||
have to install one manually. It is recommended that you get the latest
|
||||
version of LibreSSL from <http://www.libressl.org/>. Instructions on
|
||||
version of LibreSSL from <https://www.libressl.org/>. Instructions on
|
||||
how to configure, build and install this package are included within the
|
||||
package. Please make sure you build development and runtime libraries
|
||||
(which is the default).
|
||||
|
|
@ -357,7 +357,7 @@ present the following exemption:
|
|||
Markus F.X.J. Oberhumer
|
||||
|
||||
|
||||
File: tinc.info, Node: zlib, Next: lzo, Prev: LibreSSL/OpenSSL, Up: Libraries
|
||||
File: tinc.info, Node: zlib, Next: LZO, Prev: LibreSSL/OpenSSL, Up: Libraries
|
||||
|
||||
2.2.2 zlib
|
||||
----------
|
||||
|
|
@ -365,7 +365,7 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: LibreSSL/OpenSSL, Up: Librarie
|
|||
For the optional compression of UDP packets, tinc uses the functions
|
||||
provided by the zlib library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install the zlib library, or disable
|
||||
support for zlib compression by using the "-disable-zlib" option when
|
||||
running the configure script. Note that if you disable support for
|
||||
|
|
@ -377,19 +377,19 @@ available. Make sure you install the development AND runtime versions
|
|||
of this package.
|
||||
|
||||
If you have to install zlib manually, you can get the source code from
|
||||
<http://www.zlib.net/>. Instructions on how to configure, build and
|
||||
<https://zlib.net/>. Instructions on how to configure, build and
|
||||
install this package are included within the package. Please make sure
|
||||
you build development and runtime libraries (which is the default).
|
||||
|
||||
|
||||
File: tinc.info, Node: lzo, Next: libcurses, Prev: zlib, Up: Libraries
|
||||
File: tinc.info, Node: LZO, Next: libcurses, Prev: zlib, Up: Libraries
|
||||
|
||||
2.2.3 lzo
|
||||
2.2.3 LZO
|
||||
---------
|
||||
|
||||
Another form of compression is offered using the LZO library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install the LZO library, or disable
|
||||
support for LZO compression by using the "-disable-lzo" option when
|
||||
running the configure script. Note that if you disable support for LZO,
|
||||
|
|
@ -400,29 +400,29 @@ You can use your operating system's package manager to install this if
|
|||
available. Make sure you install the development AND runtime versions
|
||||
of this package.
|
||||
|
||||
If you have to install lzo manually, you can get the source code from
|
||||
If you have to install LZO manually, you can get the source code from
|
||||
<https://www.oberhumer.com/opensource/lzo/>. Instructions on how to
|
||||
configure, build and install this package are included within the
|
||||
package. Please make sure you build development and runtime libraries
|
||||
(which is the default).
|
||||
|
||||
|
||||
File: tinc.info, Node: libcurses, Next: libreadline, Prev: lzo, Up: Libraries
|
||||
File: tinc.info, Node: libcurses, Next: libreadline, Prev: LZO, Up: Libraries
|
||||
|
||||
2.2.4 libcurses
|
||||
---------------
|
||||
|
||||
For the "tinc top" command, tinc requires a curses library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install a suitable curses library, or
|
||||
disable all functionality that depends on a curses library by using the
|
||||
"-disable-curses" option when running the configure script.
|
||||
|
||||
There are several curses libraries. It is recommended that you install
|
||||
"ncurses" (<http://invisible-island.net/ncurses/>), however other curses
|
||||
libraries should also work. In particular, "PDCurses"
|
||||
(<http://pdcurses.sourceforge.net/>) is recommended if you want to
|
||||
"ncurses" (<https://invisible-island.net/ncurses/>), however other
|
||||
curses libraries should also work. In particular, "PDCurses"
|
||||
(<https://pdcurses.sourceforge.io/>) is recommended if you want to
|
||||
compile tinc for Windows.
|
||||
|
||||
You can use your operating system's package manager to install this if
|
||||
|
|
@ -438,7 +438,7 @@ File: tinc.info, Node: libreadline, Prev: libcurses, Up: Libraries
|
|||
For the "tinc" command's shell functionality, tinc uses the readline
|
||||
library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install a suitable readline library,
|
||||
or disable all functionality that depends on a readline library by using
|
||||
the "-disable-readline" option when running the configure script.
|
||||
|
|
@ -448,7 +448,7 @@ available. Make sure you install the development AND runtime versions
|
|||
of this package.
|
||||
|
||||
If you have to install libreadline manually, you can get the source code
|
||||
from <http://www.gnu.org/software/readline/>. Instructions on how to
|
||||
from <https://www.gnu.org/software/readline/>. Instructions on how to
|
||||
configure, build and install this package are included within the
|
||||
package. Please make sure you build development and runtime libraries
|
||||
(which is the default).
|
||||
|
|
@ -625,7 +625,7 @@ Do you want to run tinc in router mode or switch mode? These questions
|
|||
can only be answered by yourself, you will not find the answers in this
|
||||
documentation. Make sure you have an adequate understanding of networks
|
||||
in general. A good resource on networking is the Linux Network
|
||||
Administrators Guide (http://www.tldp.org/LDP/nag2/).
|
||||
Administrators Guide (https://www.tldp.org/LDP/nag2/).
|
||||
|
||||
If you have everything clearly pictured in your mind, proceed in the
|
||||
following order: First, create the initial configuration files and
|
||||
|
|
@ -651,7 +651,7 @@ assign a NETNAME to your VPN. It is not required if you only run one
|
|||
tinc daemon, it doesn't even have to be the same on all the nodes of
|
||||
your VPN, but it is recommended that you choose one anyway.
|
||||
|
||||
We will asume you use a netname throughout this document. This means
|
||||
We will assume you use a netname throughout this document. This means
|
||||
that you call tinc with the -n argument, which will specify the netname.
|
||||
|
||||
The effect of this option is that tinc will set its configuration root
|
||||
|
|
@ -675,22 +675,17 @@ File: tinc.info, Node: How connections work, Next: Configuration files, Prev:
|
|||
========================
|
||||
|
||||
When tinc starts up, it parses the command-line options and then reads
|
||||
in the configuration file tinc.conf. If it sees one or more 'ConnectTo'
|
||||
values pointing to other tinc daemons in that file, it will try to
|
||||
connect to those other daemons. Whether this succeeds or not and
|
||||
whether 'ConnectTo' is specified or not, tinc will listen for incoming
|
||||
connection from other deamons. If you did specify a 'ConnectTo' value
|
||||
and the other side is not responding, tinc will keep retrying. This
|
||||
means that once started, tinc will stay running until you tell it to
|
||||
stop, and failures to connect to other tinc daemons will not stop your
|
||||
tinc daemon for trying again later. This means you don't have to
|
||||
intervene if there are temporary network problems.
|
||||
in the configuration file tinc.conf. It will then start listening for
|
||||
incoming connection from other daemons, and will by default also
|
||||
automatically try to connect to known peers. By default, tinc will try
|
||||
to keep at least 3 working meta-connections alive at all times.
|
||||
|
||||
There is no real distinction between a server and a client in tinc. If
|
||||
you wish, you can view a tinc daemon without a 'ConnectTo' value as a
|
||||
server, and one which does specify such a value as a client. It does
|
||||
not matter if two tinc daemons have a 'ConnectTo' value pointing to each
|
||||
other however.
|
||||
you wish, you can view a tinc daemon without a 'ConnectTo' statement in
|
||||
tinc.conf and 'AutoConnect = no' as a server, and one which does have
|
||||
one or more 'ConnectTo' statements or 'Autoconnect = yes' (which is the
|
||||
default) as a client. It does not matter if two tinc daemons have a
|
||||
'ConnectTo' value pointing to each other however.
|
||||
|
||||
Connections specified using 'ConnectTo' are so-called meta-connections.
|
||||
Tinc daemons exchange information about all other daemon they know about
|
||||
|
|
@ -712,7 +707,7 @@ might also prevent direct communication. In that case, VPN packets
|
|||
between A and C will be forwarded by B.
|
||||
|
||||
In effect, all nodes in the VPN will be able to talk to each other, as
|
||||
long as their is a path of meta-connections between them, and whenever
|
||||
long as there is a path of meta-connections between them, and whenever
|
||||
possible, two nodes will communicate with each other directly.
|
||||
|
||||
|
||||
|
|
@ -725,8 +720,8 @@ The actual configuration of the daemon is done in the file
|
|||
'/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
|
||||
directory '/etc/tinc/NETNAME/hosts/'.
|
||||
|
||||
An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from
|
||||
which any .conf file will be read.
|
||||
An optional directory '/etc/tinc/NETNAME/conf.d' can be added from which
|
||||
any .conf file will be read.
|
||||
|
||||
These file consists of comments (lines started with a #) or assignments
|
||||
in the form of
|
||||
|
|
@ -771,7 +766,7 @@ AddressFamily = <ipv4|ipv6|any> (any)
|
|||
system both IPv4 and IPv6 or just IPv6 listening sockets will be
|
||||
created.
|
||||
|
||||
AutoConnect = <yes|no> (no) [experimental]
|
||||
AutoConnect = <yes|no> (yes)
|
||||
If set to yes, tinc will automatically set up meta connections to
|
||||
other nodes, without requiring CONNECTTO variables.
|
||||
|
||||
|
|
@ -831,7 +826,7 @@ ConnectTo = <NAME>
|
|||
names should be known to this tinc daemon (i.e., there should be a
|
||||
host configuration file for the name on the ConnectTo line).
|
||||
|
||||
If you don't specify a host with ConnectTo and don't enable
|
||||
If you don't specify a host with ConnectTo and have disabled
|
||||
AutoConnect, tinc won't try to connect to other daemons at all, and
|
||||
will instead just listen for incoming connections.
|
||||
|
||||
|
|
@ -966,16 +961,24 @@ Forwarding = <off|internal|kernel> (internal) [experimental]
|
|||
another forwarding mode, don't change it.
|
||||
|
||||
kernel
|
||||
Incoming packets are always sent to the TUN/TAP device, even
|
||||
if the packets are not for the local node. This is less
|
||||
efficient, but allows the kernel to apply its routing and
|
||||
firewall rules on them, and can also help debugging.
|
||||
Incoming packets using the legacy protocol are always sent to
|
||||
the TUN/TAP device, even if the packets are not for the local
|
||||
node. This is less efficient, but allows the kernel to apply
|
||||
its routing and firewall rules on them, and can also help
|
||||
debugging. Incoming packets using the SPTPS protocol are
|
||||
dropped, since they are end-to-end encrypted.
|
||||
|
||||
FWMark = <VALUE> (0) [experimental]
|
||||
When set to a non-zero value, all TCP and UDP sockets created by
|
||||
tinc will use the given value as the firewall mark. This can be
|
||||
used for mark-based routing or for packet filtering. This option
|
||||
is currently only supported on Linux.
|
||||
|
||||
Hostnames = <yes|no> (no)
|
||||
This option selects whether IP addresses (both real and on the VPN)
|
||||
should be resolved. Since DNS lookups are blocking, it might
|
||||
affect tinc's efficiency, even stopping the daemon for a few
|
||||
seconds everytime it does a lookup if your DNS server is not
|
||||
seconds every time it does a lookup if your DNS server is not
|
||||
responding.
|
||||
|
||||
This does not affect resolving hostnames to IP addresses from the
|
||||
|
|
@ -1093,7 +1096,7 @@ PriorityInheritance = <yes|no> (no) [experimental]
|
|||
PrivateKey = <KEY> [obsolete]
|
||||
This is the RSA private key for tinc. However, for safety reasons
|
||||
it is advised to store private keys of any kind in separate files.
|
||||
This prevents accidental eavesdropping if you are editting the
|
||||
This prevents accidental eavesdropping if you are editing the
|
||||
configuration file.
|
||||
|
||||
PrivateKeyFile = <PATH> ('/etc/tinc/NETNAME/rsa_key.priv')
|
||||
|
|
@ -1243,7 +1246,7 @@ ClampMSS = <yes|no> (yes)
|
|||
Compression = <LEVEL> (0)
|
||||
This option sets the level of compression used for UDP packets.
|
||||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9
|
||||
(best zlib), 10 (fast lzo) and 11 (best lzo).
|
||||
(best zlib), 10 (fast LZO) and 11 (best LZO).
|
||||
|
||||
Digest = <DIGEST> (sha1)
|
||||
The digest algorithm used to authenticate UDP packets using the
|
||||
|
|
@ -1299,9 +1302,9 @@ PublicKeyFile = <PATH> [obsolete]
|
|||
Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
|
||||
The subnet which this tinc daemon will serve. Tinc tries to look
|
||||
up which other daemon it should send a packet to by searching the
|
||||
appropiate subnet. If the packet matches a subnet, it will be sent
|
||||
to the daemon who has this subnet in his host configuration file.
|
||||
Multiple subnet lines can be specified for each daemon.
|
||||
appropriate subnet. If the packet matches a subnet, it will be
|
||||
sent to the daemon who has this subnet in his host configuration
|
||||
file. Multiple subnet lines can be specified for each daemon.
|
||||
|
||||
Subnets can either be single MAC, IPv4 or IPv6 addresses, in which
|
||||
case a subnet consisting of only that single address is assumed, or
|
||||
|
|
@ -1513,26 +1516,14 @@ run:
|
|||
|
||||
tinc -n NETNAME add address foo.example.org
|
||||
|
||||
If you already know to which daemons your daemon should make
|
||||
meta-connections, you should configure that now as well. Suppose you
|
||||
want to connect to a daemon named "bar", run:
|
||||
|
||||
tinc -n NETNAME add connectto bar
|
||||
|
||||
Note that you specify the Name of the other daemon here, not an IP
|
||||
address or hostname! When you start tinc, and it tries to make a
|
||||
connection to "bar", it will look for a host configuration file named
|
||||
'hosts/bar', and will read Address statements and public keys from that
|
||||
file.
|
||||
|
||||
Step 2. Exchanging configuration files.
|
||||
.......................................
|
||||
|
||||
If your daemon has a ConnectTo = bar statement in its 'tinc.conf' file,
|
||||
or if bar has a ConnectTo your daemon, then you both need each other's
|
||||
host configuration files. You should send 'hosts/NAME' to bar, and bar
|
||||
should send you his file which you should move to 'hosts/bar'. If you
|
||||
are on a UNIX platform, you can easily send an email containing the
|
||||
In order for two tinc daemons to be able to connect to each other, they
|
||||
each need the other's host configuration files. So if you want foo to
|
||||
be able to connect with bar, You should send 'hosts/NAME' to bar, and
|
||||
bar should send you his file which you should move to 'hosts/bar'. If
|
||||
you are on a UNIX platform, you can easily send an email containing the
|
||||
necessary information using the following command (assuming the owner of
|
||||
bar has the email address bar@example.org):
|
||||
|
||||
|
|
@ -1552,10 +1543,9 @@ following command:
|
|||
| ssh bar.example.org tinc -n NETNAME exchange \
|
||||
| tinc -n NETNAME import
|
||||
|
||||
You should repeat this for all nodes you ConnectTo, or which ConnectTo
|
||||
you. However, remember that you do not need to ConnectTo all nodes in
|
||||
the VPN; it is only necessary to create one or a few meta-connections,
|
||||
after the connections are made tinc will learn about all the other nodes
|
||||
You can repeat this for a few other nodes as well. It is not necessary
|
||||
to manually exchange host config files between all nodes; after the
|
||||
initial connections are made tinc will learn about all the other nodes
|
||||
in the VPN, and will automatically make other connections as necessary.
|
||||
|
||||
|
||||
|
|
@ -1692,11 +1682,9 @@ In '/etc/tinc/company/tinc-up':
|
|||
and in '/etc/tinc/company/tinc.conf':
|
||||
|
||||
Name = BranchB
|
||||
ConnectTo = BranchA
|
||||
|
||||
Note here that the internal address (on eth0) doesn't have to be the
|
||||
same as on the VPN interface. Also, ConnectTo is given so that this
|
||||
node will always try to connect to BranchA.
|
||||
same as on the VPN interface.
|
||||
|
||||
On all hosts, in '/etc/tinc/company/hosts/BranchB':
|
||||
|
||||
|
|
@ -1722,7 +1710,6 @@ In '/etc/tinc/company/tinc-up':
|
|||
and in '/etc/tinc/company/tinc.conf':
|
||||
|
||||
Name = BranchC
|
||||
ConnectTo = BranchA
|
||||
|
||||
C already has another daemon that runs on port 655, so they have to
|
||||
reserve another port for tinc. It knows the portnumber it has to listen
|
||||
|
|
@ -1753,7 +1740,6 @@ In '/etc/tinc/company/tinc-up':
|
|||
and in '/etc/tinc/company/tinc.conf':
|
||||
|
||||
Name = BranchD
|
||||
ConnectTo = BranchC
|
||||
|
||||
D will be connecting to C, which has a tincd running for this network on
|
||||
port 2000. It knows the port number from the host configuration file.
|
||||
|
|
@ -1861,6 +1847,9 @@ command line options.
|
|||
facility. If FILE is omitted, the default is
|
||||
'/var/log/tinc.NETNAME.log'.
|
||||
|
||||
'--pidfile=FILE'
|
||||
Write PID to FILE instead of '/var/run/tinc.NETNAME.pid'.
|
||||
|
||||
'--bypass-security'
|
||||
Disables encryption and authentication. Only useful for debugging.
|
||||
|
||||
|
|
@ -1871,12 +1860,16 @@ command line options.
|
|||
chroot is performed after all the initialization is done, after
|
||||
writing pid files and opening network sockets.
|
||||
|
||||
Note that this option alone does not do any good without -U/-user,
|
||||
below.
|
||||
This option is best used in combination with the -U/-user option
|
||||
described below.
|
||||
|
||||
Note also that tinc can't run scripts anymore (such as tinc-down or
|
||||
host-up), unless it's setup to be runnable inside chroot
|
||||
environment.
|
||||
You will need to ensure the chroot environment contains all the
|
||||
files necessary for tinc to run correctly. Most importantly, for
|
||||
tinc to be able to resolve hostnames inside the chroot environment,
|
||||
you must copy '/etc/resolv.conf' into the chroot directory. If you
|
||||
want to be able to run scripts other than 'tinc-up' in the chroot,
|
||||
you must ensure the appropriate shell is also installed in the
|
||||
chroot, along with all its dependencies.
|
||||
|
||||
This option is not supported on all platforms.
|
||||
'-U, --user=USER'
|
||||
|
|
@ -2150,6 +2143,9 @@ File: tinc.info, Node: tinc runtime options, Next: tinc environment variables,
|
|||
daemon. If unspecified, the default is
|
||||
'/var/run/tinc.NETNAME.pid'.
|
||||
|
||||
'-b, --batch'
|
||||
Don't ask for anything (non-interactive mode).
|
||||
|
||||
'--force'
|
||||
Force some commands to work despite warnings.
|
||||
|
||||
|
|
@ -2353,8 +2349,8 @@ File: tinc.info, Node: tinc commands, Next: tinc examples, Prev: tinc environ
|
|||
NAME of the node must be given, or can be "." to check against the
|
||||
local node's public key, or "*" to allow a signature from any node
|
||||
whose public key is known. If no FILENAME is given, the file is
|
||||
read from standard input. If the verification is succesful, a copy
|
||||
of the input with the signature removed is written to standard
|
||||
read from standard input. If the verification is successful, a
|
||||
copy of the input with the signature removed is written to standard
|
||||
output, and the exit code will be zero. If the verification
|
||||
failed, nothing will be written to standard output, and the exit
|
||||
code will be non-zero.
|
||||
|
|
@ -2376,7 +2372,7 @@ Examples of changing the configuration using tinc:
|
|||
tinc -n vpn init foo
|
||||
tinc -n vpn add Subnet 192.168.1.0/24
|
||||
tinc -n vpn add bar.Address bar.example.com
|
||||
tinc -n vpn add ConnectTo bar
|
||||
tinc -n vpn set Mode switch
|
||||
tinc -n vpn export | gpg --clearsign | mail -s "My config" vpnmaster@example.com
|
||||
|
||||
|
||||
|
|
@ -2400,7 +2396,7 @@ can be changed using the following keys:
|
|||
|
||||
<c>
|
||||
Toggle between displaying current traffic rates (in packets and
|
||||
bytes per second) and cummulative traffic (total packets and bytes
|
||||
bytes per second) and cumulative traffic (total packets and bytes
|
||||
since the tinc daemon started).
|
||||
|
||||
<n>
|
||||
|
|
@ -2528,7 +2524,8 @@ invite' command looks like this:
|
|||
The file is basically a concatenation of several host config blocks.
|
||||
Each host config block starts with 'Name = ...'. Lines that look like
|
||||
'#---#' are not important, it just makes it easier for humans to read
|
||||
the file.
|
||||
the file. However, the first line of an invitation file _must_ always
|
||||
start with 'Name = ...'.
|
||||
|
||||
The first host config block is always the one representing the invitee.
|
||||
So the first Name statement determines the name that the invitee will
|
||||
|
|
@ -2582,7 +2579,7 @@ When an invitation is generated, the "invitation-created" script is
|
|||
called (if it exists) right after the invitation file is written, but
|
||||
before the URL has been written to stdout. This allows one to change
|
||||
the invitation file automatically before the invitation URL is passed to
|
||||
the invitee. Here is an example shell script that aproximately
|
||||
the invitee. Here is an example shell script that approximately
|
||||
recreates the default invitation file:
|
||||
|
||||
#!/bin/sh
|
||||
|
|
@ -2684,8 +2681,7 @@ correct destination MAC address. In those modes every interface should
|
|||
have a unique MAC address, so make sure they are not the same. Because
|
||||
switch and hub modes rely on MAC addresses to function correctly, these
|
||||
modes cannot be used on the following operating systems which don't have
|
||||
a 'tap' style virtual network device: OpenBSD, NetBSD, Darwin and
|
||||
Solaris.
|
||||
a 'tap' style virtual network device: NetBSD, Darwin and Solaris.
|
||||
|
||||
|
||||
File: tinc.info, Node: The meta-connection, Prev: The UDP tunnel, Up: The connection
|
||||
|
|
@ -3189,14 +3185,29 @@ too short, and he doesn't like tinc's use of RSA during authentication.
|
|||
We do not know of a security hole in the legacy protocol of tinc, but it
|
||||
is not as strong as TLS or IPsec.
|
||||
|
||||
The Sweet32 attack affects versions of tinc prior to 1.0.30.
|
||||
|
||||
On September 6th, 2018, Michael Yonly contacted us and provided
|
||||
proof-of-concept code that allowed a remote attacker to create an
|
||||
authenticated, one-way connection with a node, and also that there was a
|
||||
possibility for a man-in-the-middle to force UDP packets from a node to
|
||||
be sent in plaintext. The first issue was trivial to exploit on tinc
|
||||
versions prior to 1.0.30, but the changes in 1.0.30 to mitigate the
|
||||
Sweet32 attack made this weakness much harder to exploit. These issues
|
||||
have been fixed in tinc 1.0.35.
|
||||
|
||||
This version of tinc comes with an improved protocol, called Simple
|
||||
Peer-to-Peer Security, which aims to be as strong as TLS with one of the
|
||||
strongest cipher suites.
|
||||
Peer-to-Peer Security (SPTPS), which aims to be as strong as TLS with
|
||||
one of the strongest cipher suites. None of the above security issues
|
||||
affected SPTPS. However, be aware that SPTPS is only used between nodes
|
||||
running tinc 1.1pre* or later, and in a VPN with nodes running different
|
||||
versions, the security might only be as good as that of the oldest
|
||||
version.
|
||||
|
||||
Cryptography is a hard thing to get right. We cannot make any
|
||||
guarantees. Time, review and feedback are the only things that can
|
||||
prove the security of any cryptographic product. If you wish to review
|
||||
tinc or give us feedback, you are stronly encouraged to do so.
|
||||
tinc or give us feedback, you are strongly encouraged to do so.
|
||||
|
||||
|
||||
File: tinc.info, Node: Platform specific information, Next: About us, Prev: Technical information, Up: Top
|
||||
|
|
@ -3208,6 +3219,7 @@ File: tinc.info, Node: Platform specific information, Next: About us, Prev: T
|
|||
|
||||
* Interface configuration::
|
||||
* Routes::
|
||||
* Automatically starting tinc::
|
||||
|
||||
|
||||
File: tinc.info, Node: Interface configuration, Next: Routes, Up: Platform specific information
|
||||
|
|
@ -3246,11 +3258,6 @@ Solaris 'ifconfig' INTERFACE 'inet6 plumb up'
|
|||
Darwin (MacOS/X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
|
||||
Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH
|
||||
|
||||
On some platforms, when running tinc in switch mode, the VPN interface
|
||||
must be set to tap mode with an ifconfig command:
|
||||
|
||||
OpenBSD 'ifconfig' INTERFACE 'link0'
|
||||
|
||||
On Linux, it is possible to create a persistent tun/tap interface which
|
||||
will continue to exist even if tinc quit, although this is normally not
|
||||
required. It can be useful to set up a tun/tap interface owned by a
|
||||
|
|
@ -3260,7 +3267,7 @@ privileges at all.
|
|||
Linux 'ip tuntap add dev' INTERFACE 'mode' TUN|TAP 'user' USERNAME
|
||||
|
||||
|
||||
File: tinc.info, Node: Routes, Prev: Interface configuration, Up: Platform specific information
|
||||
File: tinc.info, Node: Routes, Next: Automatically starting tinc, Prev: Interface configuration, Up: Platform specific information
|
||||
|
||||
9.2 Routes
|
||||
==========
|
||||
|
|
@ -3295,6 +3302,72 @@ Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRE
|
|||
Darwin (MacOS/X) ?
|
||||
Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE
|
||||
|
||||
|
||||
File: tinc.info, Node: Automatically starting tinc, Prev: Routes, Up: Platform specific information
|
||||
|
||||
9.3 Automatically starting tinc
|
||||
===============================
|
||||
|
||||
* Menu:
|
||||
|
||||
* Linux::
|
||||
* Windows::
|
||||
* Other platforms::
|
||||
|
||||
|
||||
File: tinc.info, Node: Linux, Next: Windows, Up: Automatically starting tinc
|
||||
|
||||
9.3.1 Linux
|
||||
-----------
|
||||
|
||||
There are many Linux distributions, and historically, many of them had
|
||||
their own way of starting programs at boot time. Today, a number of
|
||||
major Linux distributions have chosen to use systemd as their init
|
||||
system. Tinc ships with systemd service files that allow you to start
|
||||
and stop tinc using systemd. There are two service files:
|
||||
'tinc.service' is used to globally enable or disable all tinc daemons
|
||||
managed by systemd, and 'tinc@NETNAME.service' is used to enable or
|
||||
disable specific tinc daemons. So if one has created a tinc network
|
||||
with netname 'foo', then you have to run the following two commands to
|
||||
ensure it is started at boot time:
|
||||
|
||||
systemctl enable tinc
|
||||
systemctl enable tinc@foo
|
||||
|
||||
To start the tinc daemon immediately if it wasn't already running, use
|
||||
the following command:
|
||||
|
||||
systemctl start tinc@foo
|
||||
|
||||
You can also use 'systemctl start tinc', this will start all tinc
|
||||
daemons that are enabled. You can stop and disable tinc networks in the
|
||||
same way.
|
||||
|
||||
If your system is not using systemd, then you have to look up your
|
||||
distribution's way of starting tinc at boot time.
|
||||
|
||||
|
||||
File: tinc.info, Node: Windows, Next: Other platforms, Prev: Linux, Up: Automatically starting tinc
|
||||
|
||||
9.3.2 Windows
|
||||
-------------
|
||||
|
||||
On Windows, if tinc is started with the 'tinc start' command without
|
||||
using the '-D' or '--no-detach' option, it will automatically register
|
||||
itself as a service that is started at boot time. When tinc is stopped
|
||||
using the 'tinc stop' command, it will also automatically unregister
|
||||
itself. Once tinc is registered as a service, it is also possible to
|
||||
stop and start tinc using the Windows Services Manager.
|
||||
|
||||
|
||||
File: tinc.info, Node: Other platforms, Prev: Windows, Up: Automatically starting tinc
|
||||
|
||||
9.3.3 Other platforms
|
||||
---------------------
|
||||
|
||||
On platforms other than the ones mentioned in the earlier sections, you
|
||||
have to look up your platform's way of starting programs at boot time.
|
||||
|
||||
|
||||
File: tinc.info, Node: About us, Next: Concept Index, Prev: Platform specific information, Up: Top
|
||||
|
||||
|
|
@ -3354,6 +3427,8 @@ Concept Index
|
|||
* ANS_KEY: The meta-protocol. (line 63)
|
||||
* AutoConnect: Main configuration variables.
|
||||
(line 12)
|
||||
* batch: tinc runtime options.
|
||||
(line 18)
|
||||
* binary package: Building and installing tinc.
|
||||
(line 9)
|
||||
* BindToAddress: Main configuration variables.
|
||||
|
|
@ -3376,7 +3451,7 @@ Concept Index
|
|||
* ClampMSS: Host configuration variables.
|
||||
(line 22)
|
||||
* client: How connections work.
|
||||
(line 18)
|
||||
(line 12)
|
||||
* command line: Runtime options. (line 9)
|
||||
* command line interface: Controlling tinc. (line 6)
|
||||
* Compression: Host configuration variables.
|
||||
|
|
@ -3422,7 +3497,7 @@ Concept Index
|
|||
* exchange: tinc commands. (line 48)
|
||||
* exchange-all: tinc commands. (line 51)
|
||||
* exec: Main configuration variables.
|
||||
(line 365)
|
||||
(line 373)
|
||||
* ExperimentalProtocol: Main configuration variables.
|
||||
(line 185)
|
||||
* export: tinc commands. (line 36)
|
||||
|
|
@ -3433,38 +3508,40 @@ Concept Index
|
|||
(line 192)
|
||||
* frame type: The UDP tunnel. (line 6)
|
||||
* fsck: tinc commands. (line 160)
|
||||
* FWMark: Main configuration variables.
|
||||
(line 214)
|
||||
* generate-ed25519-keys: tinc commands. (line 86)
|
||||
* generate-keys: tinc commands. (line 81)
|
||||
* generate-rsa-keys: tinc commands. (line 89)
|
||||
* get: tinc commands. (line 11)
|
||||
* graph: tinc commands. (line 108)
|
||||
* Hostnames: Main configuration variables.
|
||||
(line 212)
|
||||
(line 220)
|
||||
* http: Main configuration variables.
|
||||
(line 362)
|
||||
(line 370)
|
||||
* hub: Main configuration variables.
|
||||
(line 280)
|
||||
(line 288)
|
||||
* ID: Legacy authentication protocol.
|
||||
(line 6)
|
||||
* Ifconfig: Invitation file format.
|
||||
(line 35)
|
||||
(line 36)
|
||||
* import: tinc commands. (line 43)
|
||||
* IndirectData: Host configuration variables.
|
||||
(line 40)
|
||||
* info: tinc commands. (line 120)
|
||||
* init: tinc commands. (line 6)
|
||||
* Interface: Main configuration variables.
|
||||
(line 223)
|
||||
(line 231)
|
||||
* INTERFACE: Scripts. (line 75)
|
||||
* InvitationExpire: Main configuration variables.
|
||||
(line 285)
|
||||
(line 293)
|
||||
* INVITATION_FILE: Scripts. (line 98)
|
||||
* INVITATION_URL: Scripts. (line 102)
|
||||
* invite: tinc commands. (line 54)
|
||||
* IRC: Contact information. (line 9)
|
||||
* join: tinc commands. (line 59)
|
||||
* KeyExpire: Main configuration variables.
|
||||
(line 288)
|
||||
(line 296)
|
||||
* KEY_CHANGED: The meta-protocol. (line 63)
|
||||
* legacy authentication protocol: Legacy authentication protocol.
|
||||
(line 6)
|
||||
|
|
@ -3474,31 +3551,31 @@ Concept Index
|
|||
* LibreSSL: LibreSSL/OpenSSL. (line 6)
|
||||
* license: LibreSSL/OpenSSL. (line 38)
|
||||
* ListenAddress: Main configuration variables.
|
||||
(line 231)
|
||||
(line 239)
|
||||
* LocalDiscovery: Main configuration variables.
|
||||
(line 243)
|
||||
(line 251)
|
||||
* log: tinc commands. (line 130)
|
||||
* LogLevel: Main configuration variables.
|
||||
(line 254)
|
||||
* lzo: lzo. (line 6)
|
||||
(line 262)
|
||||
* LZO: LZO. (line 6)
|
||||
* MACExpire: Main configuration variables.
|
||||
(line 294)
|
||||
(line 302)
|
||||
* MACLength: Host configuration variables.
|
||||
(line 45)
|
||||
* MaxConnectionBurst: Main configuration variables.
|
||||
(line 299)
|
||||
(line 307)
|
||||
* meta-protocol: The meta-connection. (line 18)
|
||||
* META_KEY: Legacy authentication protocol.
|
||||
(line 6)
|
||||
* Mode: Main configuration variables.
|
||||
(line 258)
|
||||
(line 266)
|
||||
* MTUInfoInterval: Host configuration variables.
|
||||
(line 60)
|
||||
* multicast: Main configuration variables.
|
||||
(line 118)
|
||||
* multiple networks: Multiple networks. (line 6)
|
||||
* Name: Main configuration variables.
|
||||
(line 305)
|
||||
(line 313)
|
||||
* NAME: Scripts. (line 69)
|
||||
* netmask: Network interfaces. (line 39)
|
||||
* netname: Multiple networks. (line 6)
|
||||
|
|
@ -3517,9 +3594,9 @@ Concept Index
|
|||
* pid: tinc commands. (line 78)
|
||||
* PING: The meta-protocol. (line 88)
|
||||
* PingInterval: Main configuration variables.
|
||||
(line 316)
|
||||
(line 324)
|
||||
* PingTimeout: Main configuration variables.
|
||||
(line 320)
|
||||
(line 328)
|
||||
* platforms: Supported platforms. (line 6)
|
||||
* PMTU: Host configuration variables.
|
||||
(line 52)
|
||||
|
|
@ -3530,17 +3607,17 @@ Concept Index
|
|||
(line 65)
|
||||
* port numbers: Other files. (line 17)
|
||||
* PriorityInheritance: Main configuration variables.
|
||||
(line 326)
|
||||
(line 334)
|
||||
* private: Virtual Private Networks.
|
||||
(line 10)
|
||||
* PrivateKey: Main configuration variables.
|
||||
(line 331)
|
||||
(line 339)
|
||||
* PrivateKeyFile: Main configuration variables.
|
||||
(line 337)
|
||||
(line 345)
|
||||
* ProcessPriority: Main configuration variables.
|
||||
(line 342)
|
||||
(line 350)
|
||||
* Proxy: Main configuration variables.
|
||||
(line 347)
|
||||
(line 355)
|
||||
* PublicKey: Host configuration variables.
|
||||
(line 69)
|
||||
* PublicKeyFile: Host configuration variables.
|
||||
|
|
@ -3553,40 +3630,41 @@ Concept Index
|
|||
* REMOTEADDRESS: Scripts. (line 84)
|
||||
* REMOTEPORT: Scripts. (line 87)
|
||||
* ReplayWindow: Main configuration variables.
|
||||
(line 370)
|
||||
(line 378)
|
||||
* requirements: Libraries. (line 6)
|
||||
* REQ_KEY: The meta-protocol. (line 63)
|
||||
* restart: tinc commands. (line 70)
|
||||
* retry: tinc commands. (line 135)
|
||||
* Route: Invitation file format.
|
||||
(line 51)
|
||||
(line 52)
|
||||
* router: Main configuration variables.
|
||||
(line 261)
|
||||
(line 269)
|
||||
* runtime options: Runtime options. (line 9)
|
||||
* scalability: tinc. (line 19)
|
||||
* scripts: Scripts. (line 6)
|
||||
* server: How connections work.
|
||||
(line 18)
|
||||
(line 12)
|
||||
* set: tinc commands. (line 16)
|
||||
* shell: Controlling tinc. (line 11)
|
||||
* sign: tinc commands. (line 172)
|
||||
* signals: Signals. (line 6)
|
||||
* socks4: Main configuration variables.
|
||||
(line 351)
|
||||
(line 359)
|
||||
* socks5: Main configuration variables.
|
||||
(line 356)
|
||||
(line 364)
|
||||
* SPTPS: Simple Peer-to-Peer Security.
|
||||
(line 6)
|
||||
* start: tinc commands. (line 64)
|
||||
* stop: tinc commands. (line 67)
|
||||
* StrictSubnets: Main configuration variables.
|
||||
(line 381)
|
||||
(line 389)
|
||||
* Subnet: Host configuration variables.
|
||||
(line 84)
|
||||
* SUBNET: Scripts. (line 91)
|
||||
* SVPN: Security. (line 11)
|
||||
* switch: Main configuration variables.
|
||||
(line 269)
|
||||
(line 277)
|
||||
* systemd: Linux. (line 6)
|
||||
* TCP: The meta-connection. (line 10)
|
||||
* TCPonly: Host configuration variables.
|
||||
(line 113)
|
||||
|
|
@ -3602,36 +3680,36 @@ Concept Index
|
|||
* tunifhead: Main configuration variables.
|
||||
(line 158)
|
||||
* TunnelServer: Main configuration variables.
|
||||
(line 388)
|
||||
(line 396)
|
||||
* tunnohead: Main configuration variables.
|
||||
(line 152)
|
||||
* UDP: The UDP tunnel. (line 30)
|
||||
* UDP <1>: Encryption of network packets.
|
||||
(line 11)
|
||||
* UDPDiscoveryInterval: Main configuration variables.
|
||||
(line 408)
|
||||
(line 416)
|
||||
* UDPDiscoveryKeepaliveInterval: Main configuration variables.
|
||||
(line 402)
|
||||
(line 410)
|
||||
* UDPDiscoveryTimeout: Main configuration variables.
|
||||
(line 412)
|
||||
(line 420)
|
||||
* UDPDiscovey: Main configuration variables.
|
||||
(line 395)
|
||||
(line 403)
|
||||
* UDPInfoInterval: Main configuration variables.
|
||||
(line 417)
|
||||
(line 425)
|
||||
* UDPRcvBuf: Main configuration variables.
|
||||
(line 421)
|
||||
(line 429)
|
||||
* UDPSndBuf: Main configuration variables.
|
||||
(line 427)
|
||||
(line 435)
|
||||
* UML: Main configuration variables.
|
||||
(line 134)
|
||||
* Universal tun/tap: Configuration of Linux kernels.
|
||||
(line 6)
|
||||
* UPnP: Main configuration variables.
|
||||
(line 433)
|
||||
(line 441)
|
||||
* UPnPDiscoverWait: Main configuration variables.
|
||||
(line 444)
|
||||
(line 452)
|
||||
* UPnPRefreshPeriod: Main configuration variables.
|
||||
(line 448)
|
||||
(line 456)
|
||||
* utun: Main configuration variables.
|
||||
(line 165)
|
||||
* VDE: Main configuration variables.
|
||||
|
|
@ -3652,78 +3730,82 @@ Concept Index
|
|||
|
||||
|
||||
Tag Table:
|
||||
Node: Top824
|
||||
Node: Introduction1160
|
||||
Node: Virtual Private Networks1964
|
||||
Node: tinc3676
|
||||
Node: Supported platforms5188
|
||||
Node: Preparations5885
|
||||
Node: Configuring the kernel6141
|
||||
Node: Configuration of Linux kernels6550
|
||||
Node: Configuration of FreeBSD kernels7399
|
||||
Node: Configuration of OpenBSD kernels7864
|
||||
Node: Configuration of NetBSD kernels8221
|
||||
Node: Configuration of Solaris kernels8623
|
||||
Node: Configuration of Darwin (MacOS/X) kernels9285
|
||||
Node: Configuration of Windows10098
|
||||
Node: Libraries10637
|
||||
Node: LibreSSL/OpenSSL11094
|
||||
Node: zlib13620
|
||||
Node: lzo14642
|
||||
Node: libcurses15633
|
||||
Node: libreadline16543
|
||||
Node: Installation17480
|
||||
Node: Building and installing tinc18384
|
||||
Node: Darwin (MacOS/X) build environment19040
|
||||
Node: Cygwin (Windows) build environment19599
|
||||
Node: MinGW (Windows) build environment20184
|
||||
Node: System files20772
|
||||
Node: Device files21037
|
||||
Node: Other files21450
|
||||
Node: Configuration22063
|
||||
Node: Configuration introduction22350
|
||||
Node: Multiple networks23871
|
||||
Node: How connections work25238
|
||||
Node: Configuration files27799
|
||||
Node: Main configuration variables29431
|
||||
Node: Host configuration variables50412
|
||||
Node: Scripts56482
|
||||
Node: How to configure60382
|
||||
Node: Network interfaces64866
|
||||
Node: Example configuration67245
|
||||
Node: Running tinc72344
|
||||
Node: Runtime options72931
|
||||
Node: Signals75791
|
||||
Node: Debug levels76640
|
||||
Node: Solving problems77576
|
||||
Node: Error messages79002
|
||||
Node: Sending bug reports83319
|
||||
Node: Controlling tinc84266
|
||||
Node: tinc runtime options85002
|
||||
Node: tinc environment variables85751
|
||||
Node: tinc commands86080
|
||||
Node: tinc examples92938
|
||||
Node: tinc top93500
|
||||
Node: Invitations95085
|
||||
Node: How invitations work95748
|
||||
Node: Invitation file format98041
|
||||
Node: Writing an invitation-created script100966
|
||||
Node: Technical information102028
|
||||
Node: The connection102258
|
||||
Node: The UDP tunnel102570
|
||||
Node: The meta-connection105615
|
||||
Node: The meta-protocol107073
|
||||
Node: Security112056
|
||||
Node: Legacy authentication protocol113393
|
||||
Node: Simple Peer-to-Peer Security118010
|
||||
Node: Encryption of network packets123655
|
||||
Node: Security issues126293
|
||||
Node: Platform specific information128040
|
||||
Node: Interface configuration128268
|
||||
Node: Routes130709
|
||||
Node: About us132620
|
||||
Node: Contact information132797
|
||||
Node: Authors133200
|
||||
Node: Concept Index133604
|
||||
Node: Top808
|
||||
Node: Introduction1144
|
||||
Node: Virtual Private Networks1948
|
||||
Node: tinc3660
|
||||
Node: Supported platforms5173
|
||||
Node: Preparations5870
|
||||
Node: Configuring the kernel6126
|
||||
Node: Configuration of Linux kernels6535
|
||||
Node: Configuration of FreeBSD kernels7384
|
||||
Node: Configuration of OpenBSD kernels7849
|
||||
Node: Configuration of NetBSD kernels8206
|
||||
Node: Configuration of Solaris kernels8608
|
||||
Node: Configuration of Darwin (MacOS/X) kernels9270
|
||||
Node: Configuration of Windows10083
|
||||
Node: Libraries10622
|
||||
Node: LibreSSL/OpenSSL11079
|
||||
Node: zlib13607
|
||||
Node: LZO14627
|
||||
Node: libcurses15619
|
||||
Node: libreadline16531
|
||||
Node: Installation17470
|
||||
Node: Building and installing tinc18374
|
||||
Node: Darwin (MacOS/X) build environment19030
|
||||
Node: Cygwin (Windows) build environment19589
|
||||
Node: MinGW (Windows) build environment20174
|
||||
Node: System files20762
|
||||
Node: Device files21027
|
||||
Node: Other files21440
|
||||
Node: Configuration22053
|
||||
Node: Configuration introduction22340
|
||||
Node: Multiple networks23862
|
||||
Node: How connections work25230
|
||||
Node: Configuration files27494
|
||||
Node: Main configuration variables29125
|
||||
Node: Host configuration variables50523
|
||||
Node: Scripts56595
|
||||
Node: How to configure60495
|
||||
Node: Network interfaces64406
|
||||
Node: Example configuration66785
|
||||
Node: Running tinc71726
|
||||
Node: Runtime options72313
|
||||
Node: Signals75581
|
||||
Node: Debug levels76430
|
||||
Node: Solving problems77366
|
||||
Node: Error messages78792
|
||||
Node: Sending bug reports83109
|
||||
Node: Controlling tinc84056
|
||||
Node: tinc runtime options84792
|
||||
Node: tinc environment variables85608
|
||||
Node: tinc commands85937
|
||||
Node: tinc examples92796
|
||||
Node: tinc top93356
|
||||
Node: Invitations94940
|
||||
Node: How invitations work95603
|
||||
Node: Invitation file format97896
|
||||
Node: Writing an invitation-created script100907
|
||||
Node: Technical information101970
|
||||
Node: The connection102200
|
||||
Node: The UDP tunnel102512
|
||||
Node: The meta-connection105548
|
||||
Node: The meta-protocol107006
|
||||
Node: Security111989
|
||||
Node: Legacy authentication protocol113326
|
||||
Node: Simple Peer-to-Peer Security117943
|
||||
Node: Encryption of network packets123588
|
||||
Node: Security issues126226
|
||||
Node: Platform specific information128818
|
||||
Node: Interface configuration129078
|
||||
Node: Routes131348
|
||||
Node: Automatically starting tinc133295
|
||||
Node: Linux133518
|
||||
Node: Windows134730
|
||||
Node: Other platforms135274
|
||||
Node: About us135556
|
||||
Node: Contact information135733
|
||||
Node: Authors136136
|
||||
Node: Concept Index136540
|
||||
|
||||
End Tag Table
|
||||
242
doc/tinc.texi
242
doc/tinc.texi
@ -15,7 +15,7 @@
|
|||
|
||||
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
||||
|
||||
Copyright @copyright{} 1998-2017 Ivo Timmermans,
|
||||
Copyright @copyright{} 1998-2018 Ivo Timmermans,
|
||||
Guus Sliepen <guus@@tinc-vpn.org> and
|
||||
Wessel Dankers <wsl@@tinc-vpn.org>.
|
||||
|
||||
|
|
@ -43,7 +43,7 @@ permission notice identical to this one.
|
|||
@vskip 0pt plus 1filll
|
||||
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
||||
|
||||
Copyright @copyright{} 1998-2017 Ivo Timmermans,
|
||||
Copyright @copyright{} 1998-2018 Ivo Timmermans,
|
||||
Guus Sliepen <guus@@tinc-vpn.org> and
|
||||
Wessel Dankers <wsl@@tinc-vpn.org>.
|
||||
|
||||
|
|
@ -161,7 +161,7 @@ professional package.
|
|||
|
||||
@cindex traditional VPNs
|
||||
@cindex scalability
|
||||
Tinc also allows more than two sites to connect to eachother and form a single VPN.
|
||||
Tinc also allows more than two sites to connect to each other and form a single VPN.
|
||||
Traditionally VPNs are created by making tunnels, which only have two endpoints.
|
||||
Larger VPNs with more sites are created by adding more tunnels.
|
||||
Tinc takes another approach: only endpoints are specified,
|
||||
|
|
@ -331,14 +331,14 @@ as explained in the rest of the documentation.
|
|||
@cindex requirements
|
||||
@cindex libraries
|
||||
Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL, zlib,
|
||||
lzo, curses and readline libraries installed on your system. If you try to
|
||||
LZO, curses and readline libraries installed on your system. If you try to
|
||||
configure tinc without having them installed, configure will give you an error
|
||||
message, and stop.
|
||||
|
||||
@menu
|
||||
* LibreSSL/OpenSSL::
|
||||
* zlib::
|
||||
* lzo::
|
||||
* LZO::
|
||||
* libcurses::
|
||||
* libreadline::
|
||||
@end menu
|
||||
|
|
@ -353,7 +353,7 @@ message, and stop.
|
|||
For all cryptography-related functions, tinc uses the functions provided
|
||||
by the LibreSSL or the OpenSSL library.
|
||||
|
||||
If this library is not installed, you wil get an error when configuring
|
||||
If this library is not installed, you will get an error when configuring
|
||||
tinc for build. Support for running tinc with other cryptographic libraries
|
||||
installed @emph{may} be added in the future.
|
||||
|
||||
|
|
@ -363,7 +363,7 @@ of this package.
|
|||
|
||||
If your operating system comes neither with LibreSSL or OpenSSL, you have to
|
||||
install one manually. It is recommended that you get the latest version of
|
||||
LibreSSL from @url{http://www.libressl.org/}. Instructions on how to
|
||||
LibreSSL from @url{https://www.libressl.org/}. Instructions on how to
|
||||
configure, build and install this package are included within the package.
|
||||
Please make sure you build development and runtime libraries (which is the
|
||||
default).
|
||||
|
|
@ -419,7 +419,7 @@ Markus F.X.J. Oberhumer
|
|||
For the optional compression of UDP packets, tinc uses the functions provided
|
||||
by the zlib library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install the zlib library, or disable support
|
||||
for zlib compression by using the "--disable-zlib" option when running the
|
||||
configure script. Note that if you disable support for zlib, the resulting
|
||||
|
|
@ -430,20 +430,20 @@ available. Make sure you install the development AND runtime versions
|
|||
of this package.
|
||||
|
||||
If you have to install zlib manually, you can get the source code
|
||||
from @url{http://www.zlib.net/}. Instructions on how to configure,
|
||||
from @url{https://zlib.net/}. Instructions on how to configure,
|
||||
build and install this package are included within the package. Please
|
||||
make sure you build development and runtime libraries (which is the
|
||||
default).
|
||||
|
||||
|
||||
@c ==================================================================
|
||||
@node lzo
|
||||
@subsection lzo
|
||||
@node LZO
|
||||
@subsection LZO
|
||||
|
||||
@cindex lzo
|
||||
@cindex LZO
|
||||
Another form of compression is offered using the LZO library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install the LZO library, or disable support
|
||||
for LZO compression by using the "--disable-lzo" option when running the
|
||||
configure script. Note that if you disable support for LZO, the resulting
|
||||
|
|
@ -453,7 +453,7 @@ You can use your operating system's package manager to install this if
|
|||
available. Make sure you install the development AND runtime versions
|
||||
of this package.
|
||||
|
||||
If you have to install lzo manually, you can get the source code
|
||||
If you have to install LZO manually, you can get the source code
|
||||
from @url{https://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
|
||||
build and install this package are included within the package. Please
|
||||
make sure you build development and runtime libraries (which is the
|
||||
|
|
@ -467,15 +467,15 @@ default).
|
|||
@cindex libcurses
|
||||
For the "tinc top" command, tinc requires a curses library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install a suitable curses library, or disable
|
||||
all functionality that depends on a curses library by using the
|
||||
"--disable-curses" option when running the configure script.
|
||||
|
||||
There are several curses libraries. It is recommended that you install
|
||||
"ncurses" (@url{http://invisible-island.net/ncurses/}),
|
||||
"ncurses" (@url{https://invisible-island.net/ncurses/}),
|
||||
however other curses libraries should also work.
|
||||
In particular, "PDCurses" (@url{http://pdcurses.sourceforge.net/})
|
||||
In particular, "PDCurses" (@url{https://pdcurses.sourceforge.io/})
|
||||
is recommended if you want to compile tinc for Windows.
|
||||
|
||||
You can use your operating system's package manager to install this if
|
||||
|
|
@ -490,7 +490,7 @@ of this package.
|
|||
@cindex libreadline
|
||||
For the "tinc" command's shell functionality, tinc uses the readline library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install a suitable readline library, or
|
||||
disable all functionality that depends on a readline library by using the
|
||||
"--disable-readline" option when running the configure script.
|
||||
|
|
@ -500,7 +500,7 @@ available. Make sure you install the development AND runtime versions
|
|||
of this package.
|
||||
|
||||
If you have to install libreadline manually, you can get the source code from
|
||||
@url{http://www.gnu.org/software/readline/}. Instructions on how to configure,
|
||||
@url{https://www.gnu.org/software/readline/}. Instructions on how to configure,
|
||||
build and install this package are included within the package. Please make
|
||||
sure you build development and runtime libraries (which is the default).
|
||||
|
||||
|
|
@ -691,7 +691,7 @@ you will not find the answers in this documentation.
|
|||
Make sure you have an adequate understanding of networks in general.
|
||||
@cindex Network Administrators Guide
|
||||
A good resource on networking is the
|
||||
@uref{http://www.tldp.org/LDP/nag2/, Linux Network Administrators Guide}.
|
||||
@uref{https://www.tldp.org/LDP/nag2/, Linux Network Administrators Guide}.
|
||||
|
||||
If you have everything clearly pictured in your mind,
|
||||
proceed in the following order:
|
||||
|
|
@ -721,7 +721,7 @@ It is not required if you only run one tinc daemon,
|
|||
it doesn't even have to be the same on all the nodes of your VPN,
|
||||
but it is recommended that you choose one anyway.
|
||||
|
||||
We will asume you use a netname throughout this document.
|
||||
We will assume you use a netname throughout this document.
|
||||
This means that you call tinc with the -n argument,
|
||||
which will specify the netname.
|
||||
|
||||
|
|
@ -744,22 +744,15 @@ and the host configuration files are expected to be in @file{@value{sysconfdir}/
|
|||
|
||||
When tinc starts up, it parses the command-line options and then
|
||||
reads in the configuration file tinc.conf.
|
||||
If it sees one or more `ConnectTo' values pointing to other tinc daemons in that file,
|
||||
it will try to connect to those other daemons.
|
||||
Whether this succeeds or not and whether `ConnectTo' is specified or not,
|
||||
tinc will listen for incoming connection from other deamons.
|
||||
If you did specify a `ConnectTo' value and the other side is not responding,
|
||||
tinc will keep retrying.
|
||||
This means that once started, tinc will stay running until you tell it to stop,
|
||||
and failures to connect to other tinc daemons will not stop your tinc daemon
|
||||
for trying again later.
|
||||
This means you don't have to intervene if there are temporary network problems.
|
||||
It will then start listening for incoming connection from other daemons,
|
||||
and will by default also automatically try to connect to known peers.
|
||||
By default, tinc will try to keep at least 3 working meta-connections alive at all times.
|
||||
|
||||
@cindex client
|
||||
@cindex server
|
||||
There is no real distinction between a server and a client in tinc.
|
||||
If you wish, you can view a tinc daemon without a `ConnectTo' value as a server,
|
||||
and one which does specify such a value as a client.
|
||||
If you wish, you can view a tinc daemon without a `ConnectTo' statement in tinc.conf and `AutoConnect = no' as a server,
|
||||
and one which does have one or more `ConnectTo' statements or `Autoconnect = yes' (which is the default) as a client.
|
||||
It does not matter if two tinc daemons have a `ConnectTo' value pointing to each other however.
|
||||
|
||||
Connections specified using `ConnectTo' are so-called meta-connections.
|
||||
|
|
@ -778,7 +771,7 @@ It is not always possible to do this however, and firewalls might also prevent d
|
|||
In that case, VPN packets between A and C will be forwarded by B.
|
||||
|
||||
In effect, all nodes in the VPN will be able to talk to each other, as long as
|
||||
their is a path of meta-connections between them, and whenever possible, two
|
||||
there is a path of meta-connections between them, and whenever possible, two
|
||||
nodes will communicate with each other directly.
|
||||
|
||||
|
||||
|
|
@ -790,7 +783,7 @@ The actual configuration of the daemon is done in the file
|
|||
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
|
||||
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
|
||||
|
||||
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
|
||||
An optional directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
|
||||
any .conf file will be read.
|
||||
|
||||
These file consists of comments (lines started with a #) or assignments
|
||||
|
|
@ -839,7 +832,7 @@ If any is selected, then depending on the operating system
|
|||
both IPv4 and IPv6 or just IPv6 listening sockets will be created.
|
||||
|
||||
@cindex AutoConnect
|
||||
@item AutoConnect = <yes|no> (no) [experimental]
|
||||
@item AutoConnect = <yes|no> (yes)
|
||||
If set to yes, tinc will automatically set up meta connections to other nodes,
|
||||
without requiring @var{ConnectTo} variables.
|
||||
|
||||
|
|
@ -900,7 +893,7 @@ in which case outgoing connections to each specified tinc daemon are made.
|
|||
The names should be known to this tinc daemon
|
||||
(i.e., there should be a host configuration file for the name on the ConnectTo line).
|
||||
|
||||
If you don't specify a host with ConnectTo and don't enable AutoConnect,
|
||||
If you don't specify a host with ConnectTo and have disabled AutoConnect,
|
||||
tinc won't try to connect to other daemons at all,
|
||||
and will instead just listen for incoming connections.
|
||||
|
||||
|
|
@ -967,7 +960,7 @@ Packets received for the local node are written to it.
|
|||
@cindex UML
|
||||
@item uml (not compiled in by default)
|
||||
Create a UNIX socket with the filename specified by
|
||||
@var{Device}, or @file{@value{localstatedir}/run/@var{netname}.umlsocket}
|
||||
@var{Device}, or @file{@value{runstatedir}/@var{netname}.umlsocket}
|
||||
if not specified.
|
||||
Tinc will wait for a User Mode Linux instance to connect to this socket.
|
||||
|
||||
|
|
@ -975,7 +968,7 @@ Tinc will wait for a User Mode Linux instance to connect to this socket.
|
|||
@item vde (not compiled in by default)
|
||||
Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
|
||||
using the UNIX socket specified by
|
||||
@var{Device}, or @file{@value{localstatedir}/run/vde.ctl}
|
||||
@var{Device}, or @file{@value{runstatedir}/vde.ctl}
|
||||
if not specified.
|
||||
@end table
|
||||
|
||||
|
|
@ -1048,16 +1041,24 @@ Incoming packets that are meant for another node are forwarded by tinc internall
|
|||
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
|
||||
|
||||
@item kernel
|
||||
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
|
||||
Incoming packets using the legacy protocol are always sent to the TUN/TAP device,
|
||||
even if the packets are not for the local node.
|
||||
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
|
||||
and can also help debugging.
|
||||
Incoming packets using the SPTPS protocol are dropped, since they are end-to-end encrypted.
|
||||
@end table
|
||||
|
||||
@cindex FWMark
|
||||
@item FWMark = <@var{value}> (0) [experimental]
|
||||
When set to a non-zero value, all TCP and UDP sockets created by tinc will use the given value as the firewall mark.
|
||||
This can be used for mark-based routing or for packet filtering.
|
||||
This option is currently only supported on Linux.
|
||||
|
||||
@cindex Hostnames
|
||||
@item Hostnames = <yes|no> (no)
|
||||
This option selects whether IP addresses (both real and on the VPN)
|
||||
should be resolved. Since DNS lookups are blocking, it might affect
|
||||
tinc's efficiency, even stopping the daemon for a few seconds everytime
|
||||
tinc's efficiency, even stopping the daemon for a few seconds every time
|
||||
it does a lookup if your DNS server is not responding.
|
||||
|
||||
This does not affect resolving hostnames to IP addresses from the
|
||||
|
|
@ -1179,7 +1180,7 @@ will be inherited by the UDP packets that are sent out.
|
|||
@item PrivateKey = <@var{key}> [obsolete]
|
||||
This is the RSA private key for tinc. However, for safety reasons it is
|
||||
advised to store private keys of any kind in separate files. This prevents
|
||||
accidental eavesdropping if you are editting the configuration file.
|
||||
accidental eavesdropping if you are editing the configuration file.
|
||||
|
||||
@cindex PrivateKeyFile
|
||||
@item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv})
|
||||
|
|
@ -1335,7 +1336,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls.
|
|||
@item Compression = <@var{level}> (0)
|
||||
This option sets the level of compression used for UDP packets.
|
||||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
||||
10 (fast lzo) and 11 (best lzo).
|
||||
10 (fast LZO) and 11 (best LZO).
|
||||
|
||||
@cindex Digest
|
||||
@item Digest = <@var{digest}> (sha1)
|
||||
|
|
@ -1396,7 +1397,7 @@ connection with that host.
|
|||
@cindex Subnet
|
||||
@item Subnet = <@var{address}[/@var{prefixlength}[#@var{weight}]]>
|
||||
The subnet which this tinc daemon will serve.
|
||||
Tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet.
|
||||
Tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
|
||||
If the packet matches a subnet,
|
||||
it will be sent to the daemon who has this subnet in his host configuration file.
|
||||
Multiple subnet lines can be specified for each daemon.
|
||||
|
|
@ -1626,23 +1627,11 @@ For example, if your hostname is foo.example.org, run:
|
|||
tinc -n @var{netname} add address foo.example.org
|
||||
@end example
|
||||
|
||||
If you already know to which daemons your daemon should make meta-connections,
|
||||
you should configure that now as well.
|
||||
Suppose you want to connect to a daemon named "bar", run:
|
||||
|
||||
@example
|
||||
tinc -n @var{netname} add connectto bar
|
||||
@end example
|
||||
|
||||
Note that you specify the Name of the other daemon here, not an IP address or hostname!
|
||||
When you start tinc, and it tries to make a connection to "bar",
|
||||
it will look for a host configuration file named @file{hosts/bar},
|
||||
and will read Address statements and public keys from that file.
|
||||
|
||||
@subsubheading Step 2. Exchanging configuration files.
|
||||
|
||||
If your daemon has a ConnectTo = bar statement in its @file{tinc.conf} file,
|
||||
or if bar has a ConnectTo your daemon, then you both need each other's host configuration files.
|
||||
In order for two tinc daemons to be able to connect to each other,
|
||||
they each need the other's host configuration files.
|
||||
So if you want foo to be able to connect with bar,
|
||||
You should send @file{hosts/@var{name}} to bar, and bar should send you his file which you should move to @file{hosts/bar}.
|
||||
If you are on a UNIX platform, you can easily send an email containing the necessary information using the following command
|
||||
(assuming the owner of bar has the email address bar@@example.org):
|
||||
|
|
@ -1668,10 +1657,9 @@ tinc -n @var{netname} export \
|
|||
| tinc -n @var{netname} import
|
||||
@end example
|
||||
|
||||
You should repeat this for all nodes you ConnectTo, or which ConnectTo you.
|
||||
However, remember that you do not need to ConnectTo all nodes in the VPN;
|
||||
it is only necessary to create one or a few meta-connections,
|
||||
after the connections are made tinc will learn about all the other nodes in the VPN,
|
||||
You can repeat this for a few other nodes as well.
|
||||
It is not necessary to manually exchange host config files between all nodes;
|
||||
after the initial connections are made tinc will learn about all the other nodes in the VPN,
|
||||
and will automatically make other connections as necessary.
|
||||
|
||||
|
||||
|
|
@ -1817,12 +1805,10 @@ and in @file{@value{sysconfdir}/tinc/company/tinc.conf}:
|
|||
|
||||
@example
|
||||
Name = BranchB
|
||||
ConnectTo = BranchA
|
||||
@end example
|
||||
|
||||
Note here that the internal address (on eth0) doesn't have to be the
|
||||
same as on the VPN interface. Also, ConnectTo is given so that this node will
|
||||
always try to connect to BranchA.
|
||||
same as on the VPN interface.
|
||||
|
||||
On all hosts, in @file{@value{sysconfdir}/tinc/company/hosts/BranchB}:
|
||||
|
||||
|
|
@ -1853,7 +1839,6 @@ and in @file{@value{sysconfdir}/tinc/company/tinc.conf}:
|
|||
|
||||
@example
|
||||
Name = BranchC
|
||||
ConnectTo = BranchA
|
||||
@end example
|
||||
|
||||
C already has another daemon that runs on port 655, so they have to
|
||||
|
|
@ -1890,7 +1875,6 @@ and in @file{@value{sysconfdir}/tinc/company/tinc.conf}:
|
|||
|
||||
@example
|
||||
Name = BranchD
|
||||
ConnectTo = BranchC
|
||||
@end example
|
||||
|
||||
D will be connecting to C, which has a tincd running for this network on
|
||||
|
|
@ -1983,7 +1967,7 @@ Specifying . for @var{netname} is the same as not specifying any @var{netname}.
|
|||
@item --pidfile=@var(unknown)
|
||||
Store a cookie in @var(unknown) which allows tinc to authenticate.
|
||||
If unspecified, the default is
|
||||
@file{@value{localstatedir}/run/tinc.@var{netname}.pid}.
|
||||
@file{@value{runstatedir}/tinc.@var{netname}.pid}.
|
||||
|
||||
@item -o, --option=[@var{HOST}.]@var{KEY}=@var{VALUE}
|
||||
Without specifying a @var{HOST}, this will set server configuration variable @var{KEY} to @var{VALUE}.
|
||||
|
|
@ -2001,6 +1985,9 @@ This option is not supported on all platforms.
|
|||
Write log entries to a file instead of to the system logging facility.
|
||||
If @var{file} is omitted, the default is @file{@value{localstatedir}/log/tinc.@var{netname}.log}.
|
||||
|
||||
@item --pidfile=@var{file}
|
||||
Write PID to @var{file} instead of @file{@value{runstatedir}/tinc.@var{netname}.pid}.
|
||||
|
||||
@item --bypass-security
|
||||
Disables encryption and authentication.
|
||||
Only useful for debugging.
|
||||
|
|
@ -2012,10 +1999,14 @@ located (@file{@value{sysconfdir}/tinc/@var{netname}/} as determined by
|
|||
The chroot is performed after all the initialization is done, after
|
||||
writing pid files and opening network sockets.
|
||||
|
||||
Note that this option alone does not do any good without -U/--user, below.
|
||||
This option is best used in combination with the -U/--user option described below.
|
||||
|
||||
Note also that tinc can't run scripts anymore (such as tinc-down or host-up),
|
||||
unless it's setup to be runnable inside chroot environment.
|
||||
You will need to ensure the chroot environment contains all the files necessary
|
||||
for tinc to run correctly.
|
||||
Most importantly, for tinc to be able to resolve hostnames inside the chroot environment,
|
||||
you must copy @file{/etc/resolv.conf} into the chroot directory.
|
||||
If you want to be able to run scripts other than @file{tinc-up} in the chroot,
|
||||
you must ensure the appropriate shell is also installed in the chroot, along with all its dependencies.
|
||||
|
||||
This option is not supported on all platforms.
|
||||
@item -U, --user=@var{user}
|
||||
|
|
@ -2295,7 +2286,11 @@ Use configuration for net @var{netname}. @xref{Multiple networks}.
|
|||
@item --pidfile=@var(unknown)
|
||||
Use the cookie from @var(unknown) to authenticate with a running tinc daemon.
|
||||
If unspecified, the default is
|
||||
@file{@value{localstatedir}/run/tinc.@var{netname}.pid}.
|
||||
@file{@value{runstatedir}/tinc.@var{netname}.pid}.
|
||||
|
||||
@cindex batch
|
||||
@item -b, --batch
|
||||
Don't ask for anything (non-interactive mode).
|
||||
|
||||
@item --force
|
||||
Force some commands to work despite warnings.
|
||||
|
|
@ -2523,7 +2518,7 @@ The @var{name} of the node must be given,
|
|||
or can be "." to check against the local node's public key,
|
||||
or "*" to allow a signature from any node whose public key is known.
|
||||
If no @var(unknown) is given, the file is read from standard input.
|
||||
If the verification is succesful, a copy of the input with the signature removed is written to standard output, and the exit code will be zero.
|
||||
If the verification is successful, a copy of the input with the signature removed is written to standard output, and the exit code will be zero.
|
||||
If the verification failed, nothing will be written to standard output, and the exit code will be non-zero.
|
||||
|
||||
@end table
|
||||
|
|
@ -2546,7 +2541,7 @@ Examples of changing the configuration using tinc:
|
|||
tinc -n vpn init foo
|
||||
tinc -n vpn add Subnet 192.168.1.0/24
|
||||
tinc -n vpn add bar.Address bar.example.com
|
||||
tinc -n vpn add ConnectTo bar
|
||||
tinc -n vpn set Mode switch
|
||||
tinc -n vpn export | gpg --clearsign | mail -s "My config" vpnmaster@@example.com
|
||||
@end example
|
||||
|
||||
|
|
@ -2571,7 +2566,7 @@ Intervals lower than 0.1 seconds are not allowed.
|
|||
|
||||
@item c
|
||||
Toggle between displaying current traffic rates (in packets and bytes per second)
|
||||
and cummulative traffic (total packets and bytes since the tinc daemon started).
|
||||
and cumulative traffic (total packets and bytes since the tinc daemon started).
|
||||
|
||||
@item n
|
||||
Sort the list of nodes by name.
|
||||
|
|
@ -2696,6 +2691,8 @@ Address = server.example.com
|
|||
The file is basically a concatenation of several host config blocks. Each host
|
||||
config block starts with @code{Name = ...}. Lines that look like @code{#---#}
|
||||
are not important, it just makes it easier for humans to read the file.
|
||||
However, the first line of an invitation file @emph{must} always start with
|
||||
@code{Name = ...}.
|
||||
|
||||
The first host config block is always the one representing the invitee. So the
|
||||
first Name statement determines the name that the invitee will get. From the
|
||||
|
|
@ -2744,7 +2741,7 @@ When an invitation is generated, the "invitation-created" script is called (if
|
|||
it exists) right after the invitation file is written, but before the URL has
|
||||
been written to stdout. This allows one to change the invitation file
|
||||
automatically before the invitation URL is passed to the invitee. Here is an
|
||||
example shell script that aproximately recreates the default invitation file:
|
||||
example shell script that approximately recreates the default invitation file:
|
||||
|
||||
@example
|
||||
#!/bin/sh
|
||||
|
|
@ -2846,7 +2843,7 @@ In switch or hub modes ARP does work so the sender already knows the correct des
|
|||
In those modes every interface should have a unique MAC address, so make sure they are not the same.
|
||||
Because switch and hub modes rely on MAC addresses to function correctly,
|
||||
these modes cannot be used on the following operating systems which don't have a `tap' style virtual network device:
|
||||
OpenBSD, NetBSD, Darwin and Solaris.
|
||||
NetBSD, Darwin and Solaris.
|
||||
|
||||
|
||||
@c ==================================================================
|
||||
|
|
@ -3378,13 +3375,27 @@ that tinc's default length of 4 bytes for the MAC is too short, and he doesn't
|
|||
like tinc's use of RSA during authentication. We do not know of a security hole
|
||||
in the legacy protocol of tinc, but it is not as strong as TLS or IPsec.
|
||||
|
||||
This version of tinc comes with an improved protocol, called Simple Peer-to-Peer Security,
|
||||
which aims to be as strong as TLS with one of the strongest cipher suites.
|
||||
The Sweet32 attack affects versions of tinc prior to 1.0.30.
|
||||
|
||||
On September 6th, 2018, Michael Yonly contacted us and provided
|
||||
proof-of-concept code that allowed a remote attacker to create an
|
||||
authenticated, one-way connection with a node, and also that there was a
|
||||
possibility for a man-in-the-middle to force UDP packets from a node to be sent
|
||||
in plaintext. The first issue was trivial to exploit on tinc versions prior to
|
||||
1.0.30, but the changes in 1.0.30 to mitigate the Sweet32 attack made this
|
||||
weakness much harder to exploit. These issues have been fixed in tinc 1.0.35.
|
||||
|
||||
This version of tinc comes with an improved protocol, called Simple
|
||||
Peer-to-Peer Security (SPTPS), which aims to be as strong as TLS with one of
|
||||
the strongest cipher suites. None of the above security issues affected SPTPS.
|
||||
However, be aware that SPTPS is only used between nodes running tinc 1.1pre* or
|
||||
later, and in a VPN with nodes running different versions, the security might
|
||||
only be as good as that of the oldest version.
|
||||
|
||||
Cryptography is a hard thing to get right. We cannot make any
|
||||
guarantees. Time, review and feedback are the only things that can
|
||||
prove the security of any cryptographic product. If you wish to review
|
||||
tinc or give us feedback, you are stronly encouraged to do so.
|
||||
tinc or give us feedback, you are strongly encouraged to do so.
|
||||
|
||||
|
||||
@c ==================================================================
|
||||
|
|
@ -3394,6 +3405,7 @@ tinc or give us feedback, you are stronly encouraged to do so.
|
|||
@menu
|
||||
* Interface configuration::
|
||||
* Routes::
|
||||
* Automatically starting tinc::
|
||||
@end menu
|
||||
|
||||
@c ==================================================================
|
||||
|
|
@ -3450,13 +3462,6 @@ For IPv6 addresses:
|
|||
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
|
||||
@end multitable
|
||||
|
||||
On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
|
||||
|
||||
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@item OpenBSD
|
||||
@tab @code{ifconfig} @var{interface} @code{link0}
|
||||
@end multitable
|
||||
|
||||
On Linux, it is possible to create a persistent tun/tap interface which will
|
||||
continue to exist even if tinc quit, although this is normally not required.
|
||||
It can be useful to set up a tun/tap interface owned by a non-root user, so
|
||||
|
|
@ -3520,6 +3525,67 @@ Adding routes to IPv6 subnets:
|
|||
@tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
|
||||
@end multitable
|
||||
|
||||
@c ==================================================================
|
||||
@node Automatically starting tinc
|
||||
@section Automatically starting tinc
|
||||
|
||||
@menu
|
||||
* Linux::
|
||||
* Windows::
|
||||
* Other platforms::
|
||||
@end menu
|
||||
|
||||
@c ==================================================================
|
||||
@node Linux
|
||||
@subsection Linux
|
||||
|
||||
@cindex systemd
|
||||
There are many Linux distributions, and historically, many of them had their
|
||||
own way of starting programs at boot time. Today, a number of major Linux
|
||||
distributions have chosen to use systemd as their init system. Tinc ships with
|
||||
systemd service files that allow you to start and stop tinc using systemd.
|
||||
There are two service files: @code{tinc.service} is used to globally enable or
|
||||
disable all tinc daemons managed by systemd, and
|
||||
@code{tinc@@@var{netname}.service} is used to enable or disable specific tinc
|
||||
daemons. So if one has created a tinc network with netname @code{foo}, then
|
||||
you have to run the following two commands to ensure it is started at boot
|
||||
time:
|
||||
|
||||
@example
|
||||
systemctl enable tinc
|
||||
systemctl enable tinc@@foo
|
||||
@end example
|
||||
|
||||
To start the tinc daemon immediately if it wasn't already running, use the
|
||||
following command:
|
||||
|
||||
@example
|
||||
systemctl start tinc@@foo
|
||||
@end example
|
||||
|
||||
You can also use @samp{systemctl start tinc}, this will start all tinc daemons
|
||||
that are enabled. You can stop and disable tinc networks in the same way.
|
||||
|
||||
If your system is not using systemd, then you have to look up your
|
||||
distribution's way of starting tinc at boot time.
|
||||
|
||||
@c ==================================================================
|
||||
@node Windows
|
||||
@subsection Windows
|
||||
|
||||
On Windows, if tinc is started with the @code{tinc start} command without using
|
||||
the @code{-D} or @code{--no-detach} option, it will automatically register
|
||||
itself as a service that is started at boot time. When tinc is stopped using
|
||||
the @code{tinc stop} command, it will also automatically unregister itself.
|
||||
Once tinc is registered as a service, it is also possible to stop and start
|
||||
tinc using the Windows Services Manager.
|
||||
|
||||
@c ==================================================================
|
||||
@node Other platforms
|
||||
@subsection Other platforms
|
||||
|
||||
On platforms other than the ones mentioned in the earlier sections, you have to
|
||||
look up your platform's way of starting programs at boot time.
|
||||
|
||||
@c ==================================================================
|
||||
@node About us
|
||||
|
|
|
|||
|
|
@ -100,7 +100,7 @@ to authenticate.
|
|||
If
|
||||
.Ar FILE
|
||||
is omitted, the default is
|
||||
.Pa @localstatedir@/run/tinc. Ns Ar NETNAME Ns Pa .pid.
|
||||
.Pa @runstatedir@/tinc. Ns Ar NETNAME Ns Pa .pid.
|
||||
.It Fl -bypass-security
|
||||
Disables encryption and authentication of the meta protocol.
|
||||
Only useful for debugging.
|
||||
|
|
@ -173,7 +173,7 @@ This will log all network traffic over the virtual private network.
|
|||
Directory containing the configuration files tinc uses.
|
||||
For more information, see
|
||||
.Xr tinc.conf 5 .
|
||||
.It Pa @localstatedir@/run/tinc. Ns Ar NETNAME Ns Pa .pid
|
||||
.It Pa @runstatedir@/tinc. Ns Ar NETNAME Ns Pa .pid
|
||||
The PID of the currently running
|
||||
.Nm
|
||||
is stored in this file.
|
||||
|
|
|
|||
5
doc/tincinclude.texi
Normal file
5
doc/tincinclude.texi
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
@set VERSION 1.1pre17
|
||||
@set PACKAGE tinc
|
||||
@set sysconfdir /etc
|
||||
@set localstatedir /var
|
||||
@set runstatedir /var/run
|
||||
|
|
@ -2,3 +2,4 @@
|
|||
@set PACKAGE @PACKAGE@
|
||||
@set sysconfdir @sysconfdir@
|
||||
@set localstatedir @localstatedir@
|
||||
@set runstatedir @runstatedir@
|
||||
|
|
|
|||