Import Upstream version 1.0.18

Guus Sliepen 2019-08-26 13:44:42 +02:00
parent b9a1c8df12
commit e5d35e092f
19 changed files with 581 additions and 123 deletions

View file

@ -129,7 +129,7 @@ If
is selected, then depending on the operating system both IPv4 and IPv6 or just
IPv6 listening sockets will be created.
.It Va BindToAddress Li = Ar address Bq experimental
.It Va BindToAddress Li = Ar address Oo Ar port Oc Bq experimental
If your computer has more than one IPv4 or IPv6 address,
.Nm tinc
will by default listen on all of them for incoming connections.
@ -137,7 +137,16 @@ Multiple
.Va BindToAddress
variables may be specified,
in which case listening sockets for each specified address are made.
.Pp
If no
.Ar port
is specified, the socket will be bound to the port specified by the
.Va Port
option, or to port 655 if neither is given.
To only bind to a specific port but not to a specific address, use
.Li *
for the
.Ar address .
.Pp
This option may not work on all platforms.
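Review bot: the new port argument is explained for the listening side only; nothing in this paragraph says that the port bound here must also be the port peers are told about. The host configuration Address variable (touched further down in this file) carries its own optional port and is what other nodes use for outgoing connections, so a node that binds with `BindToAddress = * 656` while its host file still says only `Address = host.example.org` (illustrative names) accepts connections on 656 that no peer will attempt. Suggest one sentence after "or to port 655 if neither is given." such as "The port given here should match the port in the Address variable of this node's host configuration file." It is also worth stating what `*` expands to when AddressFamily is any, since the preceding paragraph says that creates both IPv4 and IPv6 sockets or only IPv6 depending on the operating system.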
@ -171,13 +180,15 @@ If you don't specify a host with
won't try to connect to other daemons at all,
and will instead just listen for incoming connections.
.It Va DecrementTTL Li = yes | no Po yes Pc
.It Va DecrementTTL Li = yes | no Po no Pc Bq experimental
When enabled,
.Nm tinc
will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets,
before forwarding a received packet to the virtual network device or to another node,
and will drop packets that have a TTL value of zero,
in which case it will send an ICMP Time Exceeded packet back.
.Pp
Do not use this option if you use switch mode and want to use IPv6.
.It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc
The virtual network device to use.
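Review bot: the default flips from yes to no (and the option is now marked experimental), but the text never tells an upgrading user that behaviour changes silently: a node that never set DecrementTTL will, from this version on, forward packets without touching the TTL or Hop Limit field and without dropping zero-TTL packets, so traffic that loops between nodes is no longer aged out and no ICMP Time Exceeded is sent back. Suggest adding one sentence stating that earlier versions defaulted to yes and that the option must now be set explicitly to keep that behaviour, plus a NEWS or changelog entry in the package so the flip is visible outside the manual.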
@ -210,6 +221,16 @@ All packets are read from this interface.
Packets received for the local node are written to the raw socket.
However, at least on Linux, the operating system does not process IP packets destined for the local host.
.It multicast
Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using
.Va Device .
Packets are read from and written to this multicast socket.
This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address.
Do NOT connect multiple
.Nm tinc
daemons to the same multicast address, this will very likely cause routing loops.
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
.It uml Pq not compiled in by default
Create a UNIX socket with the filename specified by
.Va Device ,
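Review bot: the value format is given only in prose ("address and port (separated by spaces) and optionally a TTL value"); write it out as `Device = <address> <port> [<ttl>]` so the reader does not have to guess the order, and say what TTL is used when it is omitted. The last sentence should also be concrete about what "misconfigured" means, because this socket carries the decrypted VPN packets: every host that joins the group on any network the multicast reaches receives plaintext, so the TTL should normally stay at 1 (link-local) and the group address should be one that is not routed off the hypervisor host.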
@ -452,7 +473,7 @@ Since host configuration files only contain public keys,
no secrets are revealed by sending out this information.
.Bl -tag -width indent
.It Va Address Li = Ar address Oo port Oc Bq recommended
.It Va Address Li = Ar address Oo Ar port Oc Bq recommended
The IP address or hostname of this tinc daemon on the real network.
This will only be used when trying to make an outgoing connection to this tinc daemon.
Optionally, a port can be specified to use for this address.

View file

@ -684,12 +684,17 @@ AddressFamily = <ipv4|ipv6|any> (any)
system both IPv4 and IPv6 or just IPv6 listening sockets will be
created.
BindToAddress = <ADDRESS> [experimental]
BindToAddress = <ADDRESS> [<PORT>] [experimental]
If your computer has more than one IPv4 or IPv6 address, tinc will
by default listen on all of them for incoming connections.
Multiple BindToAddress variables may be specified, in which case
listening sockets for each specified address are made.
If no PORT is specified, the socket will be bound to the port
specified by the Port option, or to port 655 if neither is given.
To only bind to a specific port but not to a specific address, use
"*" for the ADDRESS.
This option may not work on all platforms.
BindToInterface = <INTERFACE> [experimental]
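Review bot: tinc.info is generated from tinc.texi, so the hunks in this file duplicate the texi changes below, and the Concept Index "(line N)" and Tag Table byte-offset churn further down is mechanical renumbering. Fine for an upstream tarball import, but review the wording in the texi hunks rather than here, and make sure the package build regenerates the info file instead of shipping this copy, otherwise the two drift on the next local change.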
@ -715,13 +720,15 @@ ConnectTo = <NAME>
connect to other daemons at all, and will instead just listen for
incoming connections.
DecrementTTL = <yes | no> (yes)
DecrementTTL = <yes | no> (no) [experimental]
When enabled, tinc will decrement the Time To Live field in IPv4
packets, or the Hop Limit field in IPv6 packets, before forwarding
a received packet to the virtual network device or to another node,
and will drop packets that have a TTL value of zero, in which case
it will send an ICMP Time Exceeded packet back.
Do not use this option if you use switch mode and want to use IPv6.
Device = <DEVICE> (`/dev/tap0', `/dev/net/tun' or other depending on platform)
The virtual network device to use. Tinc will automatically detect
what kind of device it is. Note that you can only use one device
@ -748,6 +755,17 @@ DeviceType = <TYPE> (platform dependent)
socket. However, at least on Linux, the operating system
does not process IP packets destined for the local host.
multicast
Open a multicast UDP socket and bind it to the address and
port (separated by spaces) and optionally a TTL value
specified using DEVICE. Packets are read from and written to
this multicast socket. This can be used to connect to UML,
QEMU or KVM instances listening on the same multicast address.
Do NOT connect multiple tinc daemons to the same multicast
address, this will very likely cause routing loops. Also
note that this can cause decrypted VPN packets to be sent out
on a real network if misconfigured.
uml (not compiled in by default)
Create a UNIX socket with the filename specified by DEVICE,
or `/var/run/NETNAME.umlsocket' if not specified. Tinc will
@ -2246,6 +2264,19 @@ Solaris `ifconfig' INTERFACE `inet6 plumb up'
Darwin (MacOS/X) `ifconfig' INTERFACE `inet6' ADDRESS `prefixlen' PREFIXLENGTH
Windows `netsh interface ipv6 add address' INTERFACE `static' ADDRESS/PREFIXLENGTH
On some platforms, when running tinc in switch mode, the VPN
interface must be set to tap mode with an ifconfig command:
OpenBSD `ifconfig' INTERFACE `link0'
On Linux, it is possible to create a persistent tun/tap interface
which will continue to exist even if tinc quit, although this is
normally not required. It can be useful to set up a tun/tap interface
owned by a non-root user, so tinc can be started without needing any
root privileges at all.
Linux `ip tuntap add dev' INTERFACE `mode' TUN|TAP `user' USERNAME

File: tinc.info, Node: Routes, Prev: Interface configuration, Up: Platform specific information
@ -2346,9 +2377,9 @@ Concept Index
* BindToAddress: Main configuration variables.
(line 12)
* BindToInterface: Main configuration variables.
(line 20)
(line 25)
* Broadcast: Main configuration variables.
(line 28)
(line 33)
* Cabal: Security. (line 6)
* CHAL_REPLY: Authentication protocol.
(line 10)
@ -2367,27 +2398,27 @@ Concept Index
(line 24)
* connection: The connection. (line 6)
* ConnectTo: Main configuration variables.
(line 32)
(line 37)
* daemon: Running tinc. (line 11)
* data-protocol: The meta-connection. (line 18)
* debug level: Runtime options. (line 17)
* debug levels: Debug levels. (line 6)
* DecrementTTL: Main configuration variables.
(line 43)
(line 48)
* DEL_EDGE: The meta-protocol. (line 47)
* DEL_SUBNET: The meta-protocol. (line 47)
* DEVICE: Scripts. (line 55)
* Device: Main configuration variables.
(line 50)
(line 57)
* device files: Device files. (line 6)
* DeviceType: Main configuration variables.
(line 57)
(line 64)
* Digest: Host configuration variables.
(line 29)
* DirectOnly: Main configuration variables.
(line 111)
(line 129)
* dummy: Main configuration variables.
(line 64)
(line 71)
* encapsulating: The UDP tunnel. (line 30)
* encryption: Encryption of network packets.
(line 6)
@ -2395,44 +2426,46 @@ Concept Index
* example: Example configuration.
(line 6)
* Forwarding: Main configuration variables.
(line 118)
(line 136)
* frame type: The UDP tunnel. (line 6)
* GraphDumpFile: Main configuration variables.
(line 138)
(line 156)
* Hostnames: Main configuration variables.
(line 146)
(line 164)
* hub: Main configuration variables.
(line 198)
(line 216)
* ID: Authentication protocol.
(line 10)
* IndirectData: Host configuration variables.
(line 34)
* INTERFACE: Scripts. (line 58)
* Interface: Main configuration variables.
(line 156)
(line 174)
* IRC: Contact information. (line 9)
* key generation: Generating keypairs. (line 6)
* KEY_CHANGED: The meta-protocol. (line 64)
* KeyExpire: Main configuration variables.
(line 203)
(line 221)
* libraries: Libraries. (line 6)
* license: OpenSSL. (line 36)
* LocalDiscovery: Main configuration variables.
(line 164)
(line 182)
* lzo: lzo. (line 6)
* MACExpire: Main configuration variables.
(line 209)
(line 227)
* MACLength: Host configuration variables.
(line 42)
* meta-protocol: The meta-connection. (line 18)
* META_KEY: Authentication protocol.
(line 10)
* Mode: Main configuration variables.
(line 175)
(line 193)
* multicast: Main configuration variables.
(line 83)
* multiple networks: Multiple networks. (line 6)
* NAME: Scripts. (line 52)
* Name: Main configuration variables.
(line 214)
(line 232)
* netmask: Network interfaces. (line 34)
* NETNAME: Scripts. (line 49)
* netname: Multiple networks. (line 6)
@ -2445,9 +2478,9 @@ Concept Index
(line 67)
* PING: The meta-protocol. (line 89)
* PingInterval: Main configuration variables.
(line 219)
(line 237)
* PingTimeout: Main configuration variables.
(line 223)
(line 241)
* platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables.
(line 47)
@ -2458,30 +2491,30 @@ Concept Index
(line 55)
* port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables.
(line 229)
(line 247)
* private: Virtual Private Networks.
(line 10)
* PrivateKey: Main configuration variables.
(line 234)
(line 252)
* PrivateKeyFile: Main configuration variables.
(line 240)
(line 258)
* ProcessPriority: Main configuration variables.
(line 248)
(line 266)
* PublicKey: Host configuration variables.
(line 59)
* PublicKeyFile: Host configuration variables.
(line 62)
* raw_socket: Main configuration variables.
(line 69)
(line 76)
* release: Supported platforms. (line 14)
* REMOTEADDRESS: Scripts. (line 67)
* REMOTEPORT: Scripts. (line 70)
* ReplayWindow: Main configuration variables.
(line 253)
(line 271)
* REQ_KEY: The meta-protocol. (line 64)
* requirements: Libraries. (line 6)
* router: Main configuration variables.
(line 178)
(line 196)
* runtime options: Runtime options. (line 9)
* scalability: tinc. (line 19)
* scripts: Scripts. (line 6)
@ -2489,7 +2522,7 @@ Concept Index
(line 18)
* signals: Signals. (line 6)
* StrictSubnets: Main configuration variables.
(line 264)
(line 282)
* SUBNET: Scripts. (line 74)
* Subnet: Host configuration variables.
(line 74)
@ -2497,7 +2530,7 @@ Concept Index
(line 97)
* SVPN: Security. (line 11)
* switch: Main configuration variables.
(line 187)
(line 205)
* TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables.
(line 104)
@ -2509,24 +2542,24 @@ Concept Index
* tincd: tinc. (line 14)
* traditional VPNs: tinc. (line 19)
* tunifhead: Main configuration variables.
(line 100)
(line 118)
* TunnelServer: Main configuration variables.
(line 269)
(line 287)
* tunnohead: Main configuration variables.
(line 94)
(line 112)
* UDP <1>: Encryption of network packets.
(line 12)
* UDP: The UDP tunnel. (line 30)
* UDPRcvBuf: Main configuration variables.
(line 276)
(line 294)
* UDPSndBuf: Main configuration variables.
(line 281)
(line 299)
* UML: Main configuration variables.
(line 76)
(line 94)
* Universal tun/tap: Configuration of Linux kernels.
(line 6)
* VDE: Main configuration variables.
(line 81)
(line 99)
* virtual: Virtual Private Networks.
(line 18)
* virtual network device: The UDP tunnel. (line 6)
@ -2572,34 +2605,34 @@ Node: Multiple networks21169
Node: How connections work22595
Node: Configuration files23817
Node: Main configuration variables25204
Node: Host configuration variables38105
Node: Scripts43516
Node: How to configure46286
Node: Generating keypairs47549
Node: Network interfaces48048
Node: Example configuration49896
Node: Running tinc55219
Node: Runtime options55809
Node: Signals59109
Node: Debug levels60301
Node: Solving problems61237
Node: Error messages62789
Node: Sending bug reports66802
Node: Technical information67754
Node: The connection67985
Node: The UDP tunnel68297
Node: The meta-connection71358
Node: The meta-protocol72827
Node: Security77836
Node: Authentication protocol78966
Node: Encryption of network packets83970
Node: Security issues85343
Node: Platform specific information86960
Node: Interface configuration87188
Node: Routes89087
Node: About us91003
Node: Contact information91178
Node: Authors91582
Node: Concept Index91987
Node: Host configuration variables39057
Node: Scripts44468
Node: How to configure47238
Node: Generating keypairs48501
Node: Network interfaces49000
Node: Example configuration50848
Node: Running tinc56171
Node: Runtime options56761
Node: Signals60061
Node: Debug levels61253
Node: Solving problems62189
Node: Error messages63741
Node: Sending bug reports67754
Node: Technical information68706
Node: The connection68937
Node: The UDP tunnel69249
Node: The meta-connection72310
Node: The meta-protocol73779
Node: Security78788
Node: Authentication protocol79918
Node: Encryption of network packets84922
Node: Security issues86295
Node: Platform specific information87912
Node: Interface configuration88140
Node: Routes90593
Node: About us92509
Node: Contact information92684
Node: Authors93088
Node: Concept Index93493

End Tag Table

View file

@ -756,12 +756,16 @@ If any is selected, then depending on the operating system
both IPv4 and IPv6 or just IPv6 listening sockets will be created.
@cindex BindToAddress
@item BindToAddress = <@var{address}> [experimental]
@item BindToAddress = <@var{address}> [<@var{port}>] [experimental]
If your computer has more than one IPv4 or IPv6 address, tinc
will by default listen on all of them for incoming connections.
Multiple BindToAddress variables may be specified,
in which case listening sockets for each specified address are made.
If no @var{port} is specified, the socket will be bound to the port specified by the Port option,
or to port 655 if neither is given.
To only bind to a specific port but not to a specific address, use "*" for the @var{address}.
This option may not work on all platforms.
@cindex BindToInterface
@ -790,12 +794,14 @@ tinc won't try to connect to other daemons at all,
and will instead just listen for incoming connections.
@cindex DecrementTTL
@item DecrementTTL = <yes | no> (yes)
@item DecrementTTL = <yes | no> (no) [experimental]
When enabled, tinc will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets,
before forwarding a received packet to the virtual network device or to another node,
and will drop packets that have a TTL value of zero,
in which case it will send an ICMP Time Exceeded packet back.
Do not use this option if you use switch mode and want to use IPv6.
@cindex Device
@item Device = <@var{device}> (@file{/dev/tap0}, @file{/dev/net/tun} or other depending on platform)
The virtual network device to use.
@ -826,6 +832,14 @@ All packets are read from this interface.
Packets received for the local node are written to the raw socket.
However, at least on Linux, the operating system does not process IP packets destined for the local host.
@cindex multicast
@item multicast
Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using @var{Device}.
Packets are read from and written to this multicast socket.
This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address.
Do NOT connect multiple tinc daemons to the same multicast address, this will very likely cause routing loops.
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
@cindex UML
@item uml (not compiled in by default)
Create a UNIX socket with the filename specified by
@ -2390,7 +2404,6 @@ For IPv4 addresses:
@tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask}
@end multitable
For IPv6 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@ -2412,6 +2425,22 @@ For IPv6 addresses:
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
@end multitable
On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item OpenBSD
@tab @code{ifconfig} @var{interface} @code{link0}
@end multitable
On Linux, it is possible to create a persistent tun/tap interface which will
continue to exist even if tinc quit, although this is normally not required.
It can be useful to set up a tun/tap interface owned by a non-root user, so
tinc can be started without needing any root privileges at all.
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username}
@end multitable
@c ==================================================================
@node Routes
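Review bot: "tinc can be started without needing any root privileges at all" overstates what `ip tuntap add dev ... user USERNAME` buys. Owning the persistent interface lets the unprivileged user attach to it, but that user still needs read/write access to /dev/net/tun, and the interface must still be brought up and given its address and routes, which the tinc-up script cannot do without CAP_NET_ADMIN once tinc runs as that user. Suggest adding that root has to configure the address and routes on the persistent interface beforehand (so tinc-up needs to do nothing), otherwise tinc starts but the VPN carries no traffic. Minor: the @multitable column template reuses the `ifconfig route add -bla ...` placeholder from the earlier tables; harmless as a width template, but a shorter one would be clearer.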