Import Debian changes 1.0.21-1
tinc (1.0.21-1) unstable; urgency=low * New upstream release. - Includes fix for CVE-2013-1428.
commit
e8daab5950
41 changed files with 2394 additions and 11278 deletions
@ -6,7 +6,7 @@ SUBDIRS = m4 lib src doc
ACLOCAL_AMFLAGS = -I m4
ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = have.h system.h COPYING.README
EXTRA_DIST = have.h system.h COPYING.README README.android
ChangeLog:
ChangeLog:
git log > ChangeLog
git log > ChangeLog
@ -1,4 +1,4 @@
|
||||||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||||
# @configure_input@
|
# @configure_input@
|
||||||
|
|
||||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||||
|
@ -231,7 +231,7 @@ top_srcdir = @top_srcdir@
|
||||||
AUTOMAKE_OPTIONS = gnu
|
AUTOMAKE_OPTIONS = gnu
|
||||||
SUBDIRS = m4 lib src doc
|
SUBDIRS = m4 lib src doc
|
||||||
ACLOCAL_AMFLAGS = -I m4
|
ACLOCAL_AMFLAGS = -I m4
|
||||||
EXTRA_DIST = have.h system.h COPYING.README
|
EXTRA_DIST = have.h system.h COPYING.README README.android
|
||||||
all: config.h
|
all: config.h
|
||||||
$(MAKE) $(AM_MAKEFLAGS) all-recursive
|
$(MAKE) $(AM_MAKEFLAGS) all-recursive
|
||||||
|
|
||||||
|
@ -544,7 +544,7 @@ distcheck: dist
|
||||||
*.zip*) \
|
*.zip*) \
|
||||||
unzip $(distdir).zip ;;\
|
unzip $(distdir).zip ;;\
|
||||||
esac
|
esac
|
||||||
chmod -R a-w $(distdir); chmod a+w $(distdir)
|
chmod -R a-w $(distdir); chmod u+w $(distdir)
|
||||||
mkdir $(distdir)/_build
|
mkdir $(distdir)/_build
|
||||||
mkdir $(distdir)/_inst
|
mkdir $(distdir)/_inst
|
||||||
chmod a-w $(distdir)
|
chmod a-w $(distdir)
|
||||||
|
|
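--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,30 @@
+Version 1.0.21 April 22 2013
+
+* Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
+
+Thanks to Martin Schobert for auditing tinc and reporting this vulnerability.
+
+Version 1.0.20 March 03 2013
+
+* Use /dev/tap0 by default on FreeBSD and NetBSD when using switch mode.
+
+* Minor improvements and clarifications in the documentation.
+
+* Allow tinc to be cross-compiled with Android's NDK.
+
+* The discovered PMTU is now also applied to VLAN tagged traffic.
+
+* The LocalDiscovery option now makes use of all addresses tinc is bound to.
+
+* Fixed support for tunemu on iOS devices.
+
+* The PriorityInheritance option now also works with switch mode.
+
+* Fixed tinc crashing when using a SOCKS5 proxy.
+
+Thanks to Mesar Hameed, Vilbrekin and Martin Schürrer for their contributions
+to this version of tinc.
+
 Version 1.0.19 June 25 2012
 
 * Allow :: notation in IPv6 Subnets.
@@ -9,6 +36,9 @@ Version 1.0.19 June 25 2012
 * Add basic support for SOCKS proxies, HTTP proxies, and proxying through an
 external command.
 
+Thanks to Anthony G. Basile and Michael Tokarev for their contributions to
+this version of tinc.
+
 Version 1.0.18 March 25 2012
 
 * Fixed IPv6 in switch mode by turning off DecrementTTL by default.
@@ -35,6 +65,8 @@ Version 1.0.17 March 10 2012
 * Disabling old RSA keys when generating new ones now also works properly on
 Windows.
 
+Thanks to Nick Hibma for his contribution to this version of tinc.
+
 Version 1.0.16 July 23 2011
 
 * Fixed a performance issue with TCP communication under Windows.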
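--- a/README
+++ b/README
@@ -1,7 +1,7 @@
-This is the README file for tinc version 1.0.19. Installation
+This is the README file for tinc version 1.0.21. Installation
 instructions may be found in the INSTALL file.
 
-tinc is Copyright (C) 1998-2012 by:
+tinc is Copyright (C) 1998-2013 by:
 
 Ivo Timmermans,
 Guus Sliepen <guus@tinc-vpn.org>,
@@ -36,8 +36,8 @@ writeup describing various security issues in several VPN daemons. He showed
 that tinc lacks perfect forward security, the connection authentication could
 be done more properly, that the sequence number we use as an IV is not the best
 practice and that the default length of the HMAC for packets is too short in
-his opinion. We do not know of a way to exploit these weaknesses, but we will
-address these issues in tinc 2.0.
+his opinion. We do not know of a way to exploit these weaknesses, but these
+issues are being addressed in the tinc 1.1 branch.
 
 Cryptography is a hard thing to get right. We cannot make any
 guarantees. Time, review and feedback are the only things that can
@@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
 Compatibility
 -------------
 
-Version 1.0.19 is compatible with 1.0pre8, 1.0 and later, but not with older
+Version 1.0.21 is compatible with 1.0pre8, 1.0 and later, but not with older
 versions of tinc.
 
 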
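--- /dev/null
+++ b/README.android
@@ -0,0 +1,20 @@
+Quick how-o cross compile tinc for android (done from $HOME/android/):
+
+- Download android NDK and setup local ARM toolchain:
+wget http://dl.google.com/android/ndk/android-ndk-r8b-linux-x86.tar.bz2
+tar xfj android-ndk-r8b-linux-x86.tar.bz2
+./android-ndk-r8b/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
+
+- Download and cross-compile openSSL for ARM:
+wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
+tar xfz openssl-1.0.1c.tar.gz
+cd openssl-1.0.1c
+./Configure dist
+make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
+
+- Clone and cross-compile tinc:
+git clone git://tinc-vpn.org/tinc
+cd tinc
+autoreconf -fsi
+CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1c --with-openssl-include=$HOME/android/openssl-1.0.1c/include/
+make -j5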
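--- a/THANKS
+++ b/THANKS
@@ -7,6 +7,7 @@ We would like to thank the following people for their contributions to tinc:
 * Armijn Hemel
 * Brandon Black
 * Cris van Pelt
+* Darius Jahandarie
 * Delf Eldkraft
 * dnk
 * Enrique Zanardi
@@ -17,6 +18,7 @@ We would like to thank the following people for their contributions to tinc:
 * James MacLean
 * Jamie Briggs
 * Jason Harper
+* Jelle de Jong
 * Jeroen Ubbink
 * Jerome Etienne
 * Julien Muchembled
@@ -27,14 +29,18 @@ We would like to thank the following people for their contributions to tinc:
 * Mark Glines
 * Markus Goetz
 * Martin Kihlgren
+* Martin Schobert
+* Martin Schürrer
 * Matias Carrasco
 * Max Rijevski
 * Menno Smits
+* Mesar Hameed
 * Michael Tokarev
 * Miles Nordin
 * Nick Hibma
 * Nick Patavalis
 * Paul Littlefield
+* Philipp Babel
 * Robert van der Meulen
 * Rumko
 * Scott Lamb
@@ -42,6 +48,7 @@ We would like to thank the following people for their contributions to tinc:
 * Teemu Kiviniemi
 * Timothy Redaelli
 * Tonnerre Lombard
+* Vil Brekin
 * Wessel Dankers
 * Wouter van Heyst
 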
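--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.11.5 -*- Autoconf -*-
+# generated automatically by aclocal 1.11.6 -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
 # 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
@@ -38,7 +38,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.11'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version. Point them to the right macro.
-m4_if([$1], [1.11.5], [],
+m4_if([$1], [1.11.6], [],
 [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -54,7 +54,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.11.5])dnl
+[AM_AUTOMAKE_VERSION([1.11.6])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
 [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])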
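--- a/configure
+++ b/configure
@@ -1376,9 +1376,9 @@ Optional Features:
 (and sometimes confusing) to the casual installer
 --disable-dependency-tracking speeds up one-time build
 --enable-dependency-tracking do not reject slow dependency extractors
---disable-uml enable support for User Mode Linux
---disable-vde enable support for Virtual Distributed Ethernet
---disable-tunemu enable support for the tunemu driver
+--enable-uml enable support for User Mode Linux
+--enable-vde enable support for Virtual Distributed Ethernet
+--enable-tunemu enable support for the tunemu driver
 --disable-zlib disable zlib compression support
 --disable-lzo disable lzo compression support
 --disable-jumbograms enable support for jumbograms (packets up to 9000
@@ -2758,7 +2758,7 @@ fi
 
 # Define the identity of the package.
 PACKAGE=tinc
-VERSION=1.0.19
+VERSION=1.0.21
 
 
 cat >>confdefs.h <<_ACEOF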
@ -3,7 +3,7 @@ dnl Process this file with autoconf to produce a configure script.
|
||||||
AC_PREREQ(2.61)
|
AC_PREREQ(2.61)
|
||||||
AC_INIT
|
AC_INIT
|
||||||
AC_CONFIG_SRCDIR([src/tincd.c])
|
AC_CONFIG_SRCDIR([src/tincd.c])
|
||||||
AM_INIT_AUTOMAKE(tinc, 1.0.19)
|
AM_INIT_AUTOMAKE(tinc, 1.0.21)
|
||||||
AC_CONFIG_HEADERS([config.h])
|
AC_CONFIG_HEADERS([config.h])
|
||||||
AM_MAINTAINER_MODE
|
AM_MAINTAINER_MODE
|
||||||
|
|
||||||
|
@ -73,7 +73,7 @@ case $host_os in
|
||||||
esac
|
esac
|
||||||
|
|
||||||
AC_ARG_ENABLE(uml,
|
AC_ARG_ENABLE(uml,
|
||||||
AS_HELP_STRING([--disable-uml], [enable support for User Mode Linux]),
|
AS_HELP_STRING([--enable-uml], [enable support for User Mode Linux]),
|
||||||
[ AS_IF([test "x$enable_uml" = "xyes"],
|
[ AS_IF([test "x$enable_uml" = "xyes"],
|
||||||
[ AC_DEFINE(ENABLE_UML, 1, [Support for UML])
|
[ AC_DEFINE(ENABLE_UML, 1, [Support for UML])
|
||||||
uml=true
|
uml=true
|
||||||
|
@ -84,7 +84,7 @@ AC_ARG_ENABLE(uml,
|
||||||
)
|
)
|
||||||
|
|
||||||
AC_ARG_ENABLE(vde,
|
AC_ARG_ENABLE(vde,
|
||||||
AS_HELP_STRING([--disable-vde], [enable support for Virtual Distributed Ethernet]),
|
AS_HELP_STRING([--enable-vde], [enable support for Virtual Distributed Ethernet]),
|
||||||
[ AS_IF([test "x$enable_vde" = "xyes"],
|
[ AS_IF([test "x$enable_vde" = "xyes"],
|
||||||
[ AC_CHECK_HEADERS(libvdeplug_dyn.h, [], [AC_MSG_ERROR([VDE plug header files not found.]); break])
|
[ AC_CHECK_HEADERS(libvdeplug_dyn.h, [], [AC_MSG_ERROR([VDE plug header files not found.]); break])
|
||||||
AC_DEFINE(ENABLE_VDE, 1, [Support for VDE])
|
AC_DEFINE(ENABLE_VDE, 1, [Support for VDE])
|
||||||
|
@ -96,7 +96,7 @@ AC_ARG_ENABLE(vde,
|
||||||
)
|
)
|
||||||
|
|
||||||
AC_ARG_ENABLE(tunemu,
|
AC_ARG_ENABLE(tunemu,
|
||||||
AS_HELP_STRING([--disable-tunemu], [enable support for the tunemu driver]),
|
AS_HELP_STRING([--enable-tunemu], [enable support for the tunemu driver]),
|
||||||
[ AS_IF([test "x$enable_tunemu" = "xyes"],
|
[ AS_IF([test "x$enable_tunemu" = "xyes"],
|
||||||
[ AC_DEFINE(ENABLE_TUNEMU, 1, [Support for tunemu])
|
[ AC_DEFINE(ENABLE_TUNEMU, 1, [Support for tunemu])
|
||||||
tunemu=true
|
tunemu=true
|
||||||
|
|
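--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+tinc (1.0.21-1) unstable; urgency=low
+
+* New upstream release.
+- Includes fix for CVE-2013-1428.
+
+-- Guus Sliepen <guus@debian.org> Sun, 05 May 2013 10:42:33 +0200
+
 tinc (1.0.19-3) unstable; urgency=high
 
 * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).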
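--- a/debian/patches/fix-CVE-2013-1428
+++ /dev/null
@@ -1,29 +0,0 @@
-From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
-From: Guus Sliepen <guus@tinc-vpn.org>
-Date: Fri, 12 Apr 2013 17:15:05 +0200
-Subject: [PATCH] Drop packets forwarded via TCP if they are too big
-(CVE-2013-1428).
-
-Normally all requests sent via the meta connections are checked so that they
-cannot be larger than the input buffer. However, when packets are forwarded via
-meta connections, they are copied into a packet buffer without checking whether
-it fits into it. Since the packet buffer is allocated on the stack, this in
-effect allows an authenticated remote node to cause a stack overflow.
-
-This issue was found by Martin Schobert.
----
-src/net_packet.c | 3 +++
-1 file changed, 3 insertions(+)
-
---- a/src/net_packet.c
-+++ b/src/net_packet.c
-@@ -378,6 +378,9 @@
-void receive_tcppacket(connection_t *c, const char *buffer, int len) {
-vpn_packet_t outpkt;
-
-+ if(len > sizeof outpkt.data)
-+ return;
-+
-outpkt.len = len;
-if(c->options & OPTION_TCPONLY)
-outpkt.priority = 0;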
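--- a/debian/patches/series
+++ /dev/null
@@ -1 +0,0 @@
-fix-CVE-2013-1428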
@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.11.5 from Makefile.am.
# Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@
# @configure_input@
|
||||||
|
|
||||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||||
|
|
|
@ -3,23 +3,19 @@
|
||||||
.\" Manual page created by:
|
.\" Manual page created by:
|
||||||
.\" Ivo Timmermans
|
.\" Ivo Timmermans
|
||||||
.\" Guus Sliepen <guus@tinc-vpn.org>
|
.\" Guus Sliepen <guus@tinc-vpn.org>
|
||||||
|
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
.Nm tinc.conf
|
.Nm tinc.conf
|
||||||
.Nd tinc daemon configuration
|
.Nd tinc daemon configuration
|
||||||
|
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
The files in the
|
The files in the
|
||||||
.Pa @sysconfdir@/tinc/
|
.Pa @sysconfdir@/tinc/
|
||||||
directory contain runtime and security information for the tinc daemon.
|
directory contain runtime and security information for the tinc daemon.
|
||||||
|
|
||||||
.Sh NETWORKS
|
.Sh NETWORKS
|
||||||
It is perfectly ok for you to run more than one tinc daemon.
|
It is perfectly ok for you to run more than one tinc daemon.
|
||||||
However, in its default form,
|
However, in its default form,
|
||||||
you will soon notice that you can't use two different configuration files without the
|
you will soon notice that you can't use two different configuration files without the
|
||||||
.Fl c
|
.Fl c
|
||||||
option.
|
option.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
We have thought of another way of dealing with this: network names.
|
We have thought of another way of dealing with this: network names.
|
||||||
This means that you call
|
This means that you call
|
||||||
|
@ -27,7 +23,6 @@ This means that you call
|
||||||
with the
|
with the
|
||||||
.Fl n
|
.Fl n
|
||||||
option, which will assign a name to this daemon.
|
option, which will assign a name to this daemon.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
The effect of this is that the daemon will set its configuration root to
|
The effect of this is that the daemon will set its configuration root to
|
||||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ,
|
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ,
|
||||||
|
@ -38,7 +33,6 @@ is your argument to the
|
||||||
option.
|
option.
|
||||||
You'll notice that messages appear in syslog as coming from
|
You'll notice that messages appear in syslog as coming from
|
||||||
.Nm tincd. Ns Ar NETNAME .
|
.Nm tincd. Ns Ar NETNAME .
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
However, it is not strictly necessary that you call tinc with the
|
However, it is not strictly necessary that you call tinc with the
|
||||||
.Fl n
|
.Fl n
|
||||||
|
@ -54,25 +48,21 @@ the configuration file should be
|
||||||
.Pa @sysconfdir@/tinc/tinc.conf ,
|
.Pa @sysconfdir@/tinc/tinc.conf ,
|
||||||
and the host configuration files are now expected to be in
|
and the host configuration files are now expected to be in
|
||||||
.Pa @sysconfdir@/tinc/hosts/ .
|
.Pa @sysconfdir@/tinc/hosts/ .
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
But it is highly recommended that you use this feature of
|
But it is highly recommended that you use this feature of
|
||||||
.Nm tinc ,
|
.Nm tinc ,
|
||||||
because it will be so much clearer whom your daemon talks to.
|
because it will be so much clearer whom your daemon talks to.
|
||||||
Hence, we will assume that you use it.
|
Hence, we will assume that you use it.
|
||||||
|
|
||||||
.Sh NAMES
|
.Sh NAMES
|
||||||
Each tinc daemon should have a name that is unique in the network which it will be part of.
|
Each tinc daemon should have a name that is unique in the network which it will be part of.
|
||||||
The name will be used by other tinc daemons for identification.
|
The name will be used by other tinc daemons for identification.
|
||||||
The name has to be declared in the
|
The name has to be declared in the
|
||||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
|
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
|
||||||
file.
|
file.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
To make things easy,
|
To make things easy,
|
||||||
choose something that will give unique and easy to remember names to your tinc daemon(s).
|
choose something that will give unique and easy to remember names to your tinc daemon(s).
|
||||||
You could try things like hostnames, owner surnames or location names.
|
You could try things like hostnames, owner surnames or location names.
|
||||||
|
|
||||||
.Sh PUBLIC/PRIVATE KEYS
|
.Sh PUBLIC/PRIVATE KEYS
|
||||||
You should use
|
You should use
|
||||||
.Ic tincd -K
|
.Ic tincd -K
|
||||||
|
@ -91,17 +81,14 @@ The public key should be stored in the host configuration file
|
||||||
.Va NAME
|
.Va NAME
|
||||||
stands for the name of the local tinc daemon (see
|
stands for the name of the local tinc daemon (see
|
||||||
.Sx NAMES ) .
|
.Sx NAMES ) .
|
||||||
|
|
||||||
.Sh SERVER CONFIGURATION
|
.Sh SERVER CONFIGURATION
|
||||||
The server configuration of the daemon is done in the file
|
The server configuration of the daemon is done in the file
|
||||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .
|
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .
|
||||||
This file consists of comments (lines started with a
|
This file consists of comments (lines started with a
|
||||||
.Li # )
|
.Li # )
|
||||||
or assignments in the form of:
|
or assignments in the form of:
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
.Va Variable Li = Ar Value .
|
.Va Variable Li = Ar Value .
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
The variable names are case insensitive, and any spaces, tabs,
|
The variable names are case insensitive, and any spaces, tabs,
|
||||||
newlines and carriage returns are ignored.
|
newlines and carriage returns are ignored.
|
||||||
|
@ -109,26 +96,22 @@ Note: it is not required that you put in the
|
||||||
.Li =
|
.Li =
|
||||||
sign, but doing so improves readability.
|
sign, but doing so improves readability.
|
||||||
If you leave it out, remember to replace it with at least one space character.
|
If you leave it out, remember to replace it with at least one space character.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
The server configuration is complemented with host specific configuration (see the next section).
|
The server configuration is complemented with host specific configuration (see the next section).
|
||||||
Although all configuration options for the local host listed in this document can also be put in
|
Although all configuration options for the local host listed in this document can also be put in
|
||||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf ,
|
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf ,
|
||||||
it is recommended to put host specific configuration options in the host configuration file,
|
it is recommended to put host specific configuration options in the host configuration file,
|
||||||
as this makes it easy to exchange with other nodes.
|
as this makes it easy to exchange with other nodes.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
Here are all valid variables, listed in alphabetical order.
|
Here are all valid variables, listed in alphabetical order.
|
||||||
The default value is given between parentheses.
|
The default value is given between parentheses.
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It Va AddressFamily Li = ipv4 | ipv6 | any Pq any
|
.It Va AddressFamily Li = ipv4 | ipv6 | any Pq any
|
||||||
This option affects the address family of listening and outgoing sockets.
|
This option affects the address family of listening and outgoing sockets.
|
||||||
If
|
If
|
||||||
.Qq any
|
.Qq any
|
||||||
is selected, then depending on the operating system both IPv4 and IPv6 or just
|
is selected, then depending on the operating system both IPv4 and IPv6 or just
|
||||||
IPv6 listening sockets will be created.
|
IPv6 listening sockets will be created.
|
||||||
|
|
||||||
.It Va BindToAddress Li = Ar address Oo Ar port Oc Bq experimental
|
.It Va BindToAddress Li = Ar address Oo Ar port Oc Bq experimental
|
||||||
If your computer has more than one IPv4 or IPv6 address,
|
If your computer has more than one IPv4 or IPv6 address,
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
@ -149,36 +132,31 @@ for the
|
||||||
.Ar address .
|
.Ar address .
|
||||||
.Pp
|
.Pp
|
||||||
This option may not work on all platforms.
|
This option may not work on all platforms.
|
||||||
|
|
||||||
.It Va BindToInterface Li = Ar interface Bq experimental
|
.It Va BindToInterface Li = Ar interface Bq experimental
|
||||||
If your computer has more than one network interface,
|
If your computer has more than one network interface,
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
will by default listen on all of them for incoming connections.
|
will by default listen on all of them for incoming connections.
|
||||||
It is possible to bind only to a single interface with this variable.
|
It is possible to bind only to a single interface with this variable.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
This option may not work on all platforms.
|
This option may not work on all platforms.
|
||||||
|
Also, on some platforms it will not actually bind to an interface,
|
||||||
|
but rather to the address that the interface has at the moment a socket is created.
|
||||||
.It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental
|
.It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental
|
||||||
This option selects the way broadcast packets are sent to other daemons.
|
This option selects the way broadcast packets are sent to other daemons.
|
||||||
NOTE: all nodes in a VPN must use the same
|
NOTE: all nodes in a VPN must use the same
|
||||||
.Va Broadcast
|
.Va Broadcast
|
||||||
mode, otherwise routing loops can form.
|
mode, otherwise routing loops can form.
|
||||||
|
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
.It no
|
.It no
|
||||||
Broadcast packets are never sent to other nodes.
|
Broadcast packets are never sent to other nodes.
|
||||||
|
|
||||||
.It mst
|
.It mst
|
||||||
Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.
|
Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.
|
||||||
This ensures broadcast packets reach all nodes.
|
This ensures broadcast packets reach all nodes.
|
||||||
|
|
||||||
.It direct
|
.It direct
|
||||||
Broadcast packets are sent directly to all nodes that can be reached directly.
|
Broadcast packets are sent directly to all nodes that can be reached directly.
|
||||||
Broadcast packets received from other nodes are never forwarded.
|
Broadcast packets received from other nodes are never forwarded.
|
||||||
If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
|
If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.It Va ConnectTo Li = Ar name
|
.It Va ConnectTo Li = Ar name
|
||||||
Specifies which other tinc daemon to connect to on startup.
|
Specifies which other tinc daemon to connect to on startup.
|
||||||
Multiple
|
Multiple
|
||||||
|
@ -189,14 +167,12 @@ The names should be known to this tinc daemon
|
||||||
(i.e., there should be a host configuration file for the name on the
|
(i.e., there should be a host configuration file for the name on the
|
||||||
.Va ConnectTo
|
.Va ConnectTo
|
||||||
line).
|
line).
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
If you don't specify a host with
|
If you don't specify a host with
|
||||||
.Va ConnectTo ,
|
.Va ConnectTo ,
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
won't try to connect to other daemons at all,
|
won't try to connect to other daemons at all,
|
||||||
and will instead just listen for incoming connections.
|
and will instead just listen for incoming connections.
|
||||||
|
|
||||||
.It Va DecrementTTL Li = yes | no Po no Pc Bq experimental
|
.It Va DecrementTTL Li = yes | no Po no Pc Bq experimental
|
||||||
When enabled,
|
When enabled,
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
@ -206,7 +182,6 @@ and will drop packets that have a TTL value of zero,
|
||||||
in which case it will send an ICMP Time Exceeded packet back.
|
in which case it will send an ICMP Time Exceeded packet back.
|
||||||
.Pp
|
.Pp
|
||||||
Do not use this option if you use switch mode and want to use IPv6.
|
Do not use this option if you use switch mode and want to use IPv6.
|
||||||
|
|
||||||
.It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc
|
.It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc
|
||||||
The virtual network device to use.
|
The virtual network device to use.
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
@ -218,18 +193,15 @@ instead of
|
||||||
.Va Device .
|
.Va Device .
|
||||||
The info pages of the tinc package contain more information
|
The info pages of the tinc package contain more information
|
||||||
about configuring the virtual network device.
|
about configuring the virtual network device.
|
||||||
|
|
||||||
.It Va DeviceType Li = Ar type Pq platform dependent
|
.It Va DeviceType Li = Ar type Pq platform dependent
|
||||||
The type of the virtual network device.
|
The type of the virtual network device.
|
||||||
Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used.
|
Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used.
|
||||||
However, this option can be used to select one of the special interface types, if support for them is compiled in.
|
However, this option can be used to select one of the special interface types, if support for them is compiled in.
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It dummy
|
.It dummy
|
||||||
Use a dummy interface.
|
Use a dummy interface.
|
||||||
No packets are ever read or written to a virtual network device.
|
No packets are ever read or written to a virtual network device.
|
||||||
Useful for testing, or when setting up a node that only forwards packets for other nodes.
|
Useful for testing, or when setting up a node that only forwards packets for other nodes.
|
||||||
|
|
||||||
.It raw_socket
|
.It raw_socket
|
||||||
Open a raw socket, and bind it to a pre-existing
|
Open a raw socket, and bind it to a pre-existing
|
||||||
.Va Interface
|
.Va Interface
|
||||||
|
@ -237,7 +209,6 @@ Open a raw socket, and bind it to a pre-existing
|
||||||
All packets are read from this interface.
|
All packets are read from this interface.
|
||||||
Packets received for the local node are written to the raw socket.
|
Packets received for the local node are written to the raw socket.
|
||||||
However, at least on Linux, the operating system does not process IP packets destined for the local host.
|
However, at least on Linux, the operating system does not process IP packets destined for the local host.
|
||||||
|
|
||||||
.It multicast
|
.It multicast
|
||||||
Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using
|
Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using
|
||||||
.Va Device .
|
.Va Device .
|
||||||
|
@ -247,7 +218,6 @@ Do NOT connect multiple
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
daemons to the same multicast address, this will very likely cause routing loops.
|
daemons to the same multicast address, this will very likely cause routing loops.
|
||||||
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
|
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
|
||||||
|
|
||||||
.It uml Pq not compiled in by default
|
.It uml Pq not compiled in by default
|
||||||
Create a UNIX socket with the filename specified by
|
Create a UNIX socket with the filename specified by
|
||||||
.Va Device ,
|
.Va Device ,
|
||||||
|
@ -256,7 +226,6 @@ or
|
||||||
if not specified.
|
if not specified.
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
will wait for a User Mode Linux instance to connect to this socket.
|
will wait for a User Mode Linux instance to connect to this socket.
|
||||||
|
|
||||||
.It vde Pq not compiled in by default
|
.It vde Pq not compiled in by default
|
||||||
Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
|
Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
|
||||||
using the UNIX socket specified by
|
using the UNIX socket specified by
|
||||||
|
@ -265,60 +234,47 @@ or
|
||||||
.Pa @localstatedir@/run/vde.ctl
|
.Pa @localstatedir@/run/vde.ctl
|
||||||
if not specified.
|
if not specified.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
|
Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
|
||||||
it can be used to change the way packets are interpreted:
|
it can be used to change the way packets are interpreted:
|
||||||
|
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It tun Pq BSD and Linux
|
.It tun Pq BSD and Linux
|
||||||
Set type to tun.
|
Set type to tun.
|
||||||
Depending on the platform, this can either be with or without an address family header (see below).
|
Depending on the platform, this can either be with or without an address family header (see below).
|
||||||
|
|
||||||
.It tunnohead Pq BSD
|
.It tunnohead Pq BSD
|
||||||
Set type to tun without an address family header.
|
Set type to tun without an address family header.
|
||||||
Tinc will expect packets read from the virtual network device to start with an IP header.
|
Tinc will expect packets read from the virtual network device to start with an IP header.
|
||||||
On some platforms IPv6 packets cannot be read from or written to the device in this mode.
|
On some platforms IPv6 packets cannot be read from or written to the device in this mode.
|
||||||
|
|
||||||
.It tunifhead Pq BSD
|
.It tunifhead Pq BSD
|
||||||
Set type to tun with an address family header.
|
Set type to tun with an address family header.
|
||||||
Tinc will expect packets read from the virtual network device
|
Tinc will expect packets read from the virtual network device
|
||||||
to start with a four byte header containing the address family,
|
to start with a four byte header containing the address family,
|
||||||
followed by an IP header.
|
followed by an IP header.
|
||||||
This mode should support both IPv4 and IPv6 packets.
|
This mode should support both IPv4 and IPv6 packets.
|
||||||
|
|
||||||
.It tap Pq BSD and Linux
|
.It tap Pq BSD and Linux
|
||||||
Set type to tap.
|
Set type to tap.
|
||||||
Tinc will expect packets read from the virtual network device
|
Tinc will expect packets read from the virtual network device
|
||||||
to start with an Ethernet header.
|
to start with an Ethernet header.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.It Va DirectOnly Li = yes | no Po no Pc Bq experimental
|
.It Va DirectOnly Li = yes | no Po no Pc Bq experimental
|
||||||
When this option is enabled, packets that cannot be sent directly to the destination node,
|
When this option is enabled, packets that cannot be sent directly to the destination node,
|
||||||
but which would have to be forwarded by an intermediate node, are dropped instead.
|
but which would have to be forwarded by an intermediate node, are dropped instead.
|
||||||
When combined with the IndirectData option,
|
When combined with the IndirectData option,
|
||||||
packets for nodes for which we do not have a meta connection with are also dropped.
|
packets for nodes for which we do not have a meta connection with are also dropped.
|
||||||
|
|
||||||
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
|
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
|
||||||
This option selects the way indirect packets are forwarded.
|
This option selects the way indirect packets are forwarded.
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It off
|
.It off
|
||||||
Incoming packets that are not meant for the local node,
|
Incoming packets that are not meant for the local node,
|
||||||
but which should be forwarded to another node, are dropped.
|
but which should be forwarded to another node, are dropped.
|
||||||
|
|
||||||
.It internal
|
.It internal
|
||||||
Incoming packets that are meant for another node are forwarded by tinc internally.
|
Incoming packets that are meant for another node are forwarded by tinc internally.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
|
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
|
||||||
|
|
||||||
.It kernel
|
.It kernel
|
||||||
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
|
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
|
||||||
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
|
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
|
||||||
and can also help debugging.
|
and can also help debugging.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.It Va GraphDumpFile Li = Ar filename Bq experimental
|
.It Va GraphDumpFile Li = Ar filename Bq experimental
|
||||||
If this option is present,
|
If this option is present,
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
@ -331,20 +287,16 @@ If
|
||||||
starts with a pipe symbol |,
|
starts with a pipe symbol |,
|
||||||
then the rest of the filename is interpreted as a shell command
|
then the rest of the filename is interpreted as a shell command
|
||||||
that is executed, the graph is then sent to stdin.
|
that is executed, the graph is then sent to stdin.
|
||||||
|
|
||||||
.It Va Hostnames Li = yes | no Pq no
|
.It Va Hostnames Li = yes | no Pq no
|
||||||
This option selects whether IP addresses (both real and on the VPN) should
|
This option selects whether IP addresses (both real and on the VPN) should
|
||||||
be resolved. Since DNS lookups are blocking, it might affect tinc's
|
be resolved. Since DNS lookups are blocking, it might affect tinc's
|
||||||
efficiency, even stopping the daemon for a few seconds every time it does
|
efficiency, even stopping the daemon for a few seconds every time it does
|
||||||
a lookup if your DNS server is not responding.
|
a lookup if your DNS server is not responding.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
This does not affect resolving hostnames to IP addresses from the
|
This does not affect resolving hostnames to IP addresses from the
|
||||||
host configuration files.
|
host configuration files, but whether hostnames should be resolved while logging.
|
||||||
|
|
||||||
.It Va IffOneQueue Li = yes | no Po no Pc Bq experimental
|
.It Va IffOneQueue Li = yes | no Po no Pc Bq experimental
|
||||||
(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
|
(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
|
||||||
|
|
||||||
.It Va Interface Li = Ar interface
|
.It Va Interface Li = Ar interface
|
||||||
Defines the name of the interface corresponding to the virtual network device.
|
Defines the name of the interface corresponding to the virtual network device.
|
||||||
Depending on the operating system and the type of device this may or may not actually set the name of the interface.
|
Depending on the operating system and the type of device this may or may not actually set the name of the interface.
|
||||||
|
@ -352,12 +304,10 @@ Under Windows, this variable is used to select which network interface will be u
|
||||||
If you specified a
|
If you specified a
|
||||||
.Va Device ,
|
.Va Device ,
|
||||||
this variable is almost always already correctly set.
|
this variable is almost always already correctly set.
|
||||||
|
|
||||||
.It Va KeyExpire Li = Ar seconds Pq 3600
|
.It Va KeyExpire Li = Ar seconds Pq 3600
|
||||||
This option controls the period the encryption keys used to encrypt the data are valid.
|
This option controls the period the encryption keys used to encrypt the data are valid.
|
||||||
It is common practice to change keys at regular intervals to make it even harder for crackers,
|
It is common practice to change keys at regular intervals to make it even harder for crackers,
|
||||||
even though it is thought to be nearly impossible to crack a single key.
|
even though it is thought to be nearly impossible to crack a single key.
|
||||||
|
|
||||||
.It Va LocalDiscovery Li = yes | no Po no Pc Bq experimental
|
.It Va LocalDiscovery Li = yes | no Po no Pc Bq experimental
|
||||||
When enabled,
|
When enabled,
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
@ -365,54 +315,43 @@ will try to detect peers that are on the same local network.
|
||||||
This will allow direct communication using LAN addresses, even if both peers are behind a NAT
|
This will allow direct communication using LAN addresses, even if both peers are behind a NAT
|
||||||
and they only ConnectTo a third node outside the NAT,
|
and they only ConnectTo a third node outside the NAT,
|
||||||
which normally would prevent the peers from learning each other's LAN address.
|
which normally would prevent the peers from learning each other's LAN address.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
|
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
|
||||||
This feature may not work in all possible situations.
|
This feature may not work in all possible situations.
|
||||||
|
|
||||||
.It Va MACExpire Li = Ar seconds Pq 600
|
.It Va MACExpire Li = Ar seconds Pq 600
|
||||||
This option controls the amount of time MAC addresses are kept before they are removed.
|
This option controls the amount of time MAC addresses are kept before they are removed.
|
||||||
This only has effect when
|
This only has effect when
|
||||||
.Va Mode
|
.Va Mode
|
||||||
is set to
|
is set to
|
||||||
.Qq switch .
|
.Qq switch .
|
||||||
|
|
||||||
.It Va MaxTimeout Li = Ar seconds Pq 900
|
.It Va MaxTimeout Li = Ar seconds Pq 900
|
||||||
This is the maximum delay before trying to reconnect to other tinc daemons.
|
This is the maximum delay before trying to reconnect to other tinc daemons.
|
||||||
|
|
||||||
.It Va Mode Li = router | switch | hub Pq router
|
.It Va Mode Li = router | switch | hub Pq router
|
||||||
This option selects the way packets are routed to other daemons.
|
This option selects the way packets are routed to other daemons.
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It router
|
.It router
|
||||||
In this mode
|
In this mode
|
||||||
.Va Subnet
|
.Va Subnet
|
||||||
variables in the host configuration files will be used to form a routing table.
|
variables in the host configuration files will be used to form a routing table.
|
||||||
Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.
|
Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
This is the default mode, and unless you really know you need another mode, don't change it.
|
This is the default mode, and unless you really know you need another mode, don't change it.
|
||||||
|
|
||||||
.It switch
|
.It switch
|
||||||
In this mode the MAC addresses of the packets on the VPN will be used to
|
In this mode the MAC addresses of the packets on the VPN will be used to
|
||||||
dynamically create a routing table just like an Ethernet switch does.
|
dynamically create a routing table just like an Ethernet switch does.
|
||||||
Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
|
Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
|
||||||
at the cost of frequent broadcast ARP requests and routing table updates.
|
at the cost of frequent broadcast ARP requests and routing table updates.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
This mode is primarily useful if you want to bridge Ethernet segments.
|
This mode is primarily useful if you want to bridge Ethernet segments.
|
||||||
|
|
||||||
.It hub
|
.It hub
|
||||||
This mode is almost the same as the switch mode, but instead
|
This mode is almost the same as the switch mode, but instead
|
||||||
every packet will be broadcast to the other daemons
|
every packet will be broadcast to the other daemons
|
||||||
while no routing table is managed.
|
while no routing table is managed.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.It Va Name Li = Ar name Bq required
|
.It Va Name Li = Ar name Bq required
|
||||||
This is the name which identifies this tinc daemon.
|
This is the name which identifies this tinc daemon.
|
||||||
It must be unique for the virtual private network this daemon will connect to.
|
It must be unique for the virtual private network this daemon will connect to.
|
||||||
The Name may only consist of alphanumeric and underscore characters.
|
The Name may only consist of alphanumeric and underscore characters.
|
||||||
|
|
||||||
If
|
If
|
||||||
.Va Name
|
.Va Name
|
||||||
starts with a
|
starts with a
|
||||||
|
@ -424,38 +363,26 @@ If
|
||||||
is
|
is
|
||||||
.Li $HOST ,
|
.Li $HOST ,
|
||||||
but no such environment variable exist, the hostname will be read using the gethostnname() system call.
|
but no such environment variable exist, the hostname will be read using the gethostnname() system call.
|
||||||
|
|
||||||
.It Va PingInterval Li = Ar seconds Pq 60
|
.It Va PingInterval Li = Ar seconds Pq 60
|
||||||
The number of seconds of inactivity that
|
The number of seconds of inactivity that
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
will wait before sending a probe to the other end.
|
will wait before sending a probe to the other end.
|
||||||
|
|
||||||
.It Va PingTimeout Li = Ar seconds Pq 5
|
.It Va PingTimeout Li = Ar seconds Pq 5
|
||||||
The number of seconds to wait for a response to pings or to allow meta
|
The number of seconds to wait for a response to pings or to allow meta
|
||||||
connections to block. If the other end doesn't respond within this time,
|
connections to block. If the other end doesn't respond within this time,
|
||||||
the connection is terminated,
|
the connection is terminated,
|
||||||
and the others will be notified of this.
|
and the others will be notified of this.
|
||||||
|
|
||||||
.It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental
|
.It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental
|
||||||
When this option is enabled the value of the TOS field of tunneled IPv4 packets
|
When this option is enabled the value of the TOS field of tunneled IPv4 packets
|
||||||
will be inherited by the UDP packets that are sent out.
|
will be inherited by the UDP packets that are sent out.
|
||||||
|
|
||||||
.It Va PrivateKey Li = Ar key Bq obsolete
|
.It Va PrivateKey Li = Ar key Bq obsolete
|
||||||
The private RSA key of this tinc daemon.
|
The private RSA key of this tinc daemon.
|
||||||
It will allow this tinc daemon to authenticate itself to other daemons.
|
It will allow this tinc daemon to authenticate itself to other daemons.
|
||||||
|
|
||||||
.It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc
|
.It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc
|
||||||
The file in which the private RSA key of this tinc daemon resides.
|
The file in which the private RSA key of this tinc daemon resides.
|
||||||
Note that there must be exactly one of
|
|
||||||
.Va PrivateKey
|
|
||||||
or
|
|
||||||
.Va PrivateKeyFile
|
|
||||||
specified in the configuration file.
|
|
||||||
|
|
||||||
.It Va ProcessPriority Li = low | normal | high
|
.It Va ProcessPriority Li = low | normal | high
|
||||||
When this option is used the priority of the tincd process will be adjusted.
|
When this option is used the priority of the tincd process will be adjusted.
|
||||||
Increasing the priority may help to reduce latency and packet loss on the VPN.
|
Increasing the priority may help to reduce latency and packet loss on the VPN.
|
||||||
|
|
||||||
.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
|
.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
|
||||||
Use a proxy when making outgoing connections.
|
Use a proxy when making outgoing connections.
|
||||||
The following proxy types are currently supported:
|
The following proxy types are currently supported:
|
||||||
|
@ -488,7 +415,6 @@ and
|
||||||
.Ev REMOTEPORT
|
.Ev REMOTEPORT
|
||||||
are available.
|
are available.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.It Va ReplayWindow Li = Ar bytes Pq 16
|
.It Va ReplayWindow Li = Ar bytes Pq 16
|
||||||
vhis is the size of the replay tracking window for each remote node, in bytes.
|
vhis is the size of the replay tracking window for each remote node, in bytes.
|
||||||
The window is a bitfield which tracks 1 packet per bit, so for example
|
The window is a bitfield which tracks 1 packet per bit, so for example
|
||||||
|
@ -498,35 +424,29 @@ the interaction of replay tracking with underlying real packet loss and/or
|
||||||
reordering. Setting this to zero will disable replay tracking completely and
|
reordering. Setting this to zero will disable replay tracking completely and
|
||||||
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
|
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
|
||||||
traffic.
|
traffic.
|
||||||
|
|
||||||
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
|
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
|
||||||
When this option is enabled tinc will only use Subnet statements which are
|
When this option is enabled tinc will only use Subnet statements which are
|
||||||
present in the host config files in the local
|
present in the host config files in the local
|
||||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
||||||
directory.
|
directory.
|
||||||
|
|
||||||
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
|
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
|
||||||
When this option is enabled tinc will no longer forward information between other tinc daemons,
|
When this option is enabled tinc will no longer forward information between other tinc daemons,
|
||||||
and will only allow connections with nodes for which host config files are present in the local
|
and will only allow connections with nodes for which host config files are present in the local
|
||||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
||||||
directory.
|
directory.
|
||||||
Setting this options also implicitly sets StrictSubnets.
|
Setting this options also implicitly sets StrictSubnets.
|
||||||
|
|
||||||
.It Va UDPRcvBuf Li = Ar bytes Pq OS default
|
.It Va UDPRcvBuf Li = Ar bytes Pq OS default
|
||||||
Sets the socket receive buffer size for the UDP socket, in bytes.
|
Sets the socket receive buffer size for the UDP socket, in bytes.
|
||||||
If unset, the default buffer size will be used by the operating system.
|
If unset, the default buffer size will be used by the operating system.
|
||||||
|
|
||||||
.It Va UDPSndBuf Li = Ar bytes Pq OS default
|
.It Va UDPSndBuf Li = Ar bytes Pq OS default
|
||||||
Sets the socket send buffer size for the UDP socket, in bytes.
|
Sets the socket send buffer size for the UDP socket, in bytes.
|
||||||
If unset, the default buffer size will be used by the operating system.
|
If unset, the default buffer size will be used by the operating system.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.Sh HOST CONFIGURATION FILES
|
.Sh HOST CONFIGURATION FILES
|
||||||
The host configuration files contain all information needed
|
The host configuration files contain all information needed
|
||||||
to establish a connection to those hosts.
|
to establish a connection to those hosts.
|
||||||
A host configuration file is also required for the local tinc daemon,
|
A host configuration file is also required for the local tinc daemon,
|
||||||
it will use it to read in it's listen port, public key and subnets.
|
it will use it to read in it's listen port, public key and subnets.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
The idea is that these files are portable.
|
The idea is that these files are portable.
|
||||||
You can safely mail your own host configuration file to someone else.
|
You can safely mail your own host configuration file to someone else.
|
||||||
|
@ -535,7 +455,6 @@ and now his tinc daemon will be able to connect to your tinc daemon.
|
||||||
Since host configuration files only contain public keys,
|
Since host configuration files only contain public keys,
|
||||||
no secrets are revealed by sending out this information.
|
no secrets are revealed by sending out this information.
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It Va Address Li = Ar address Oo Ar port Oc Bq recommended
|
.It Va Address Li = Ar address Oo Ar port Oc Bq recommended
|
||||||
The IP address or hostname of this tinc daemon on the real network.
|
The IP address or hostname of this tinc daemon on the real network.
|
||||||
This will only be used when trying to make an outgoing connection to this tinc daemon.
|
This will only be used when trying to make an outgoing connection to this tinc daemon.
|
||||||
|
@ -544,7 +463,6 @@ Multiple
|
||||||
.Va Address
|
.Va Address
|
||||||
variables can be specified, in which case each address will be tried until a working
|
variables can be specified, in which case each address will be tried until a working
|
||||||
connection has been established.
|
connection has been established.
|
||||||
|
|
||||||
.It Va Cipher Li = Ar cipher Pq blowfish
|
.It Va Cipher Li = Ar cipher Pq blowfish
|
||||||
The symmetric cipher algorithm used to encrypt UDP packets.
|
The symmetric cipher algorithm used to encrypt UDP packets.
|
||||||
Any cipher supported by OpenSSL is recognised.
|
Any cipher supported by OpenSSL is recognised.
|
||||||
|
@ -552,24 +470,20 @@ Furthermore, specifying
|
||||||
.Qq none
|
.Qq none
|
||||||
will turn off packet encryption.
|
will turn off packet encryption.
|
||||||
It is best to use only those ciphers which support CBC mode.
|
It is best to use only those ciphers which support CBC mode.
|
||||||
|
|
||||||
.It Va ClampMSS Li = yes | no Pq yes
|
.It Va ClampMSS Li = yes | no Pq yes
|
||||||
This option specifies whether tinc should clamp the maximum segment size (MSS)
|
This option specifies whether tinc should clamp the maximum segment size (MSS)
|
||||||
of TCP packets to the path MTU. This helps in situations where ICMP
|
of TCP packets to the path MTU. This helps in situations where ICMP
|
||||||
Fragmentation Needed or Packet too Big messages are dropped by firewalls.
|
Fragmentation Needed or Packet too Big messages are dropped by firewalls.
|
||||||
|
|
||||||
.It Va Compression Li = Ar level Pq 0
|
.It Va Compression Li = Ar level Pq 0
|
||||||
This option sets the level of compression used for UDP packets.
|
This option sets the level of compression used for UDP packets.
|
||||||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
||||||
10 (fast lzo) and 11 (best lzo).
|
10 (fast lzo) and 11 (best lzo).
|
||||||
|
|
||||||
.It Va Digest Li = Ar digest Pq sha1
|
.It Va Digest Li = Ar digest Pq sha1
|
||||||
The digest algorithm used to authenticate UDP packets.
|
The digest algorithm used to authenticate UDP packets.
|
||||||
Any digest supported by OpenSSL is recognised.
|
Any digest supported by OpenSSL is recognised.
|
||||||
Furthermore, specifying
|
Furthermore, specifying
|
||||||
.Qq none
|
.Qq none
|
||||||
will turn off packet authentication.
|
will turn off packet authentication.
|
||||||
|
|
||||||
.It Va IndirectData Li = yes | no Pq no
|
.It Va IndirectData Li = yes | no Pq no
|
||||||
This option specifies whether other tinc daemons besides the one you specified with
|
This option specifies whether other tinc daemons besides the one you specified with
|
||||||
.Va ConnectTo
|
.Va ConnectTo
|
||||||
|
@ -577,33 +491,26 @@ can make a direct connection to you.
|
||||||
This is especially useful if you are behind a firewall
|
This is especially useful if you are behind a firewall
|
||||||
and it is impossible to make a connection from the outside to your tinc daemon.
|
and it is impossible to make a connection from the outside to your tinc daemon.
|
||||||
Otherwise, it is best to leave this option out or set it to no.
|
Otherwise, it is best to leave this option out or set it to no.
|
||||||
|
|
||||||
.It Va MACLength Li = Ar length Pq 4
|
.It Va MACLength Li = Ar length Pq 4
|
||||||
The length of the message authentication code used to authenticate UDP packets.
|
The length of the message authentication code used to authenticate UDP packets.
|
||||||
Can be anything from
|
Can be anything from
|
||||||
.Qq 0
|
.Qq 0
|
||||||
up to the length of the digest produced by the digest algorithm.
|
up to the length of the digest produced by the digest algorithm.
|
||||||
|
|
||||||
.It Va PMTU Li = Ar mtu Po 1514 Pc
|
.It Va PMTU Li = Ar mtu Po 1514 Pc
|
||||||
This option controls the initial path MTU to this node.
|
This option controls the initial path MTU to this node.
|
||||||
|
|
||||||
.It Va PMTUDiscovery Li = yes | no Po yes Pc
|
.It Va PMTUDiscovery Li = yes | no Po yes Pc
|
||||||
When this option is enabled, tinc will try to discover the path MTU to this node.
|
When this option is enabled, tinc will try to discover the path MTU to this node.
|
||||||
After the path MTU has been discovered, it will be enforced on the VPN.
|
After the path MTU has been discovered, it will be enforced on the VPN.
|
||||||
|
|
||||||
.It Va Port Li = Ar port Pq 655
|
.It Va Port Li = Ar port Pq 655
|
||||||
The port number on which this tinc daemon is listening for incoming connections,
|
The port number on which this tinc daemon is listening for incoming connections,
|
||||||
which is used if no port number is specified in an
|
which is used if no port number is specified in an
|
||||||
.Va Address
|
.Va Address
|
||||||
statement.
|
statement.
|
||||||
|
|
||||||
.It Va PublicKey Li = Ar key Bq obsolete
|
.It Va PublicKey Li = Ar key Bq obsolete
|
||||||
The public RSA key of this tinc daemon.
|
The public RSA key of this tinc daemon.
|
||||||
It will be used to cryptographically verify it's identity and to set up a secure connection.
|
It will be used to cryptographically verify it's identity and to set up a secure connection.
|
||||||
|
|
||||||
.It Va PublicKeyFile Li = Ar filename Bq obsolete
|
.It Va PublicKeyFile Li = Ar filename Bq obsolete
|
||||||
The file in which the public RSA key of this tinc daemon resides.
|
The file in which the public RSA key of this tinc daemon resides.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
From version 1.0pre4 on
|
From version 1.0pre4 on
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
@ -612,7 +519,6 @@ the above two options then are not necessary.
|
||||||
Either the PEM format is used, or exactly one of the above two options must be specified
|
Either the PEM format is used, or exactly one of the above two options must be specified
|
||||||
in each host configuration file,
|
in each host configuration file,
|
||||||
if you want to be able to establish a connection with that host.
|
if you want to be able to establish a connection with that host.
|
||||||
|
|
||||||
.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight
|
.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight
|
||||||
The subnet which this tinc daemon will serve.
|
The subnet which this tinc daemon will serve.
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
@ -622,7 +528,6 @@ it will be sent to the daemon who has this subnet in his host configuration file
|
||||||
Multiple
|
Multiple
|
||||||
.Va Subnet
|
.Va Subnet
|
||||||
variables can be specified.
|
variables can be specified.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
Subnets can either be single MAC, IPv4 or IPv6 addresses,
|
Subnets can either be single MAC, IPv4 or IPv6 addresses,
|
||||||
in which case a subnet consisting of only that single address is assumed,
|
in which case a subnet consisting of only that single address is assumed,
|
||||||
|
@ -633,14 +538,12 @@ Note that subnets like 192.168.1.1/24 are invalid!
|
||||||
Read a networking HOWTO/FAQ/guide if you don't understand this.
|
Read a networking HOWTO/FAQ/guide if you don't understand this.
|
||||||
IPv6 subnets are notated like fec0:0:0:1::/64.
|
IPv6 subnets are notated like fec0:0:0:1::/64.
|
||||||
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
|
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
A Subnet can be given a weight to indicate its priority over identical Subnets
|
A Subnet can be given a weight to indicate its priority over identical Subnets
|
||||||
owned by different nodes. The default weight is 10. Lower values indicate
|
owned by different nodes. The default weight is 10. Lower values indicate
|
||||||
higher priority. Packets will be sent to the node with the highest priority,
|
higher priority. Packets will be sent to the node with the highest priority,
|
||||||
unless that node is not reachable, in which case the node with the next highest
|
unless that node is not reachable, in which case the node with the next highest
|
||||||
priority will be tried, and so on.
|
priority will be tried, and so on.
|
||||||
|
|
||||||
.It Va TCPOnly Li = yes | no Pq no Bq obsolete
|
.It Va TCPOnly Li = yes | no Pq no Bq obsolete
|
||||||
If this variable is set to yes,
|
If this variable is set to yes,
|
||||||
then the packets are tunnelled over the TCP connection instead of a UDP connection.
|
then the packets are tunnelled over the TCP connection instead of a UDP connection.
|
||||||
|
@ -648,53 +551,42 @@ This is especially useful for those who want to run a tinc daemon
|
||||||
from behind a masquerading firewall,
|
from behind a masquerading firewall,
|
||||||
or if UDP packet routing is disabled somehow.
|
or if UDP packet routing is disabled somehow.
|
||||||
Setting this options also implicitly sets IndirectData.
|
Setting this options also implicitly sets IndirectData.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
Since version 1.0.10, tinc will automatically detect whether communication via
|
Since version 1.0.10, tinc will automatically detect whether communication via
|
||||||
UDP is possible or not.
|
UDP is possible or not.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.Sh SCRIPTS
|
.Sh SCRIPTS
|
||||||
Apart from reading the server and host configuration files,
|
Apart from reading the server and host configuration files,
|
||||||
tinc can also run scripts at certain moments.
|
tinc can also run scripts at certain moments.
|
||||||
Under Windows (not Cygwin), the scripts should have the extension
|
Under Windows (not Cygwin), the scripts should have the extension
|
||||||
.Pa .bat .
|
.Pa .bat .
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
|
||||||
This is the most important script.
|
This is the most important script.
|
||||||
If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device.
|
If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device.
|
||||||
It should be used to set up the corresponding network interface,
|
It should be used to set up the corresponding network interface,
|
||||||
but can also be used to start other things.
|
but can also be used to start other things.
|
||||||
Under Windows you can use the Network Connections control panel instead of creating this script.
|
Under Windows you can use the Network Connections control panel instead of creating this script.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
|
||||||
This script is started right before the tinc daemon quits.
|
This script is started right before the tinc daemon quits.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up
|
||||||
This script is started when the tinc daemon with name
|
This script is started when the tinc daemon with name
|
||||||
.Ar HOST
|
.Ar HOST
|
||||||
becomes reachable.
|
becomes reachable.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -down
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -down
|
||||||
This script is started when the tinc daemon with name
|
This script is started when the tinc daemon with name
|
||||||
.Ar HOST
|
.Ar HOST
|
||||||
becomes unreachable.
|
becomes unreachable.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-up
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-up
|
||||||
This script is started when any host becomes reachable.
|
This script is started when any host becomes reachable.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-down
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-down
|
||||||
This script is started when any host becomes unreachable.
|
This script is started when any host becomes unreachable.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-up
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-up
|
||||||
This script is started when a Subnet becomes reachable.
|
This script is started when a Subnet becomes reachable.
|
||||||
The Subnet and the node it belongs to are passed in environment variables.
|
The Subnet and the node it belongs to are passed in environment variables.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down
|
||||||
This script is started when a Subnet becomes unreachable.
|
This script is started when a Subnet becomes unreachable.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
The scripts are started without command line arguments, but can make use of certain environment variables.
|
The scripts are started without command line arguments, but can make use of certain environment variables.
|
||||||
Under UNIX like operating systems the names of environment variables must be preceded by a
|
Under UNIX like operating systems the names of environment variables must be preceded by a
|
||||||
|
@ -706,68 +598,54 @@ files, they have to be put between
|
||||||
.Li %
|
.Li %
|
||||||
signs.
|
signs.
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It Ev NETNAME
|
.It Ev NETNAME
|
||||||
If a netname was specified, this environment variable contains it.
|
If a netname was specified, this environment variable contains it.
|
||||||
|
|
||||||
.It Ev NAME
|
.It Ev NAME
|
||||||
Contains the name of this tinc daemon.
|
Contains the name of this tinc daemon.
|
||||||
|
|
||||||
.It Ev DEVICE
|
.It Ev DEVICE
|
||||||
Contains the name of the virtual network device that tinc uses.
|
Contains the name of the virtual network device that tinc uses.
|
||||||
|
|
||||||
.It Ev INTERFACE
|
.It Ev INTERFACE
|
||||||
Contains the name of the virtual network interface that tinc uses.
|
Contains the name of the virtual network interface that tinc uses.
|
||||||
This should be used for commands like
|
This should be used for commands like
|
||||||
.Pa ifconfig .
|
.Pa ifconfig .
|
||||||
|
|
||||||
.It Ev NODE
|
.It Ev NODE
|
||||||
When a host becomes (un)reachable, this is set to its name.
|
When a host becomes (un)reachable, this is set to its name.
|
||||||
If a subnet becomes (un)reachable, this is set to the owner of that subnet.
|
If a subnet becomes (un)reachable, this is set to the owner of that subnet.
|
||||||
|
|
||||||
.It Ev REMOTEADDRESS
|
.It Ev REMOTEADDRESS
|
||||||
When a host becomes (un)reachable, this is set to its real address.
|
When a host becomes (un)reachable, this is set to its real address.
|
||||||
|
|
||||||
.It Ev REMOTEPORT
|
.It Ev REMOTEPORT
|
||||||
When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons.
|
When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons.
|
||||||
|
|
||||||
.It Ev SUBNET
|
.It Ev SUBNET
|
||||||
When a subnet becomes (un)reachable, this is set to the subnet.
|
When a subnet becomes (un)reachable, this is set to the subnet.
|
||||||
|
|
||||||
.It Ev WEIGHT
|
.It Ev WEIGHT
|
||||||
When a subnet becomes (un)reachable, this is set to the subnet weight.
|
When a subnet becomes (un)reachable, this is set to the subnet weight.
|
||||||
.El
|
.El
|
||||||
|
.Pp
|
||||||
|
Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command
|
||||||
|
.Nm chmod Li a+x Pa script .
|
||||||
.Sh FILES
|
.Sh FILES
|
||||||
The most important files are:
|
The most important files are:
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/
|
.It Pa @sysconfdir@/tinc/
|
||||||
The top directory for configuration files.
|
The top directory for configuration files.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
|
||||||
The default name of the server configuration file for net
|
The default name of the server configuration file for net
|
||||||
.Ar NETNAME .
|
.Ar NETNAME .
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
||||||
Host configuration files are kept in this directory.
|
Host configuration files are kept in this directory.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
|
||||||
If an executable file with this name exists,
|
If an executable file with this name exists,
|
||||||
it will be executed right after the tinc daemon has connected to the virtual network device.
|
it will be executed right after the tinc daemon has connected to the virtual network device.
|
||||||
It can be used to set up the corresponding network interface.
|
It can be used to set up the corresponding network interface.
|
||||||
|
|
||||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
|
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
|
||||||
If an executable file with this name exists,
|
If an executable file with this name exists,
|
||||||
it will be executed right before the tinc daemon is going to close
|
it will be executed right before the tinc daemon is going to close
|
||||||
its connection to the virtual network device.
|
its connection to the virtual network device.
|
||||||
.El
|
.El
|
||||||
|
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr tincd 8 ,
|
.Xr tincd 8 ,
|
||||||
.Pa http://www.tinc-vpn.org/ ,
|
.Pa http://www.tinc-vpn.org/ ,
|
||||||
.Pa http://www.linuxdoc.org/LDP/nag2/ .
|
.Pa http://www.tldp.org/LDP/nag2/ .
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
The full documentation for
|
The full documentation for
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
|
@ -775,7 +653,6 @@ is maintained as a Texinfo manual.
|
||||||
If the info and tinc programs are properly installed at your site, the command
|
If the info and tinc programs are properly installed at your site, the command
|
||||||
.Ic info tinc
|
.Ic info tinc
|
||||||
should give you access to the complete manual.
|
should give you access to the complete manual.
|
||||||
|
|
||||||
.Pp
|
.Pp
|
||||||
.Nm tinc
|
.Nm tinc
|
||||||
comes with ABSOLUTELY NO WARRANTY.
|
comes with ABSOLUTELY NO WARRANTY.
|
||||||
|
|
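--- a/doc/tinc.info
+++ b/doc/tinc.info
@@ -8,7 +8,7 @@ END-INFO-DIR-ENTRY
 This is the info manual for tinc version 1.0.19, a Virtual Private
 Network daemon.
 
-Copyright (C) 1998-2012 Ivo Timmermans, Guus Sliepen
+Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen
 <guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
 
 Permission is granted to make and distribute verbatim copies of this
@@ -147,7 +147,7 @@ will most likely compile and run, but it will not be able to send or
 receive data packets.
 
 For an up to date list of supported platforms, please check the list
-on our website: `http://www.tinc-vpn.org/platforms'.
+on our website: `http://www.tinc-vpn.org/platforms/'.
 
 
 File: tinc.info, Node: Preparations, Next: Installation, Prev: Introduction, Up: Top
@@ -209,7 +209,9 @@ File: tinc.info, Node: Configuration of FreeBSD kernels, Next: Configuration o
 --------------------------------------
 
 For FreeBSD version 4.1 and higher, tun and tap drivers are included in
-the default kernel configuration. Using tap devices is recommended.
+the default kernel configuration. The tap driver can be loaded with
+`kldload if_tap', or by adding `if_tap_load="YES"' to
+`/boot/loader.conf'.
 
 
 File: tinc.info, Node: Configuration of OpenBSD kernels, Next: Configuration of NetBSD kernels, Prev: Configuration of FreeBSD kernels, Up: Configuring the kernel
@@ -303,8 +305,8 @@ For all cryptography-related functions, tinc uses the functions provided
 by the OpenSSL library.
 
 If this library is not installed, you wil get an error when
-configuring tinc for build. Support for running tinc without having
-OpenSSL installed _may_ be added in the future.
+configuring tinc for build. Support for running tinc with other
+cryptographic libraries installed _may_ be added in the future.
 
 You can use your operating system's package manager to install this
 if available. Make sure you install the development AND runtime
@@ -359,9 +361,12 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries
 For the optional compression of UDP packets, tinc uses the functions
 provided by the zlib library.
 
-If this library is not installed, you wil get an error when
-configuring tinc for build. Support for running tinc without having
-zlib installed _may_ be added in the future.
+If this library is not installed, you wil get an error when running
+the configure script. You can either install the zlib library, or
+disable support for zlib compression by using the "-disable-zlib"
+option when running the configure script. Note that if you disable
+support for zlib, the resulting binary will not work correctly on VPNs
+where zlib compression is used.
 
 You can use your operating system's package manager to install this
 if available. Make sure you install the development AND runtime
@@ -379,11 +384,14 @@ File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
 2.2.3 lzo
 ---------
 
-Another form of compression is offered using the lzo library.
+Another form of compression is offered using the LZO library.
 
-If this library is not installed, you wil get an error when
-configuring tinc for build. Support for running tinc without having lzo
-installed _may_ be added in the future.
+If this library is not installed, you wil get an error when running
+the configure script. You can either install the LZO library, or
+disable support for LZO compression by using the "-disable-lzo" option
+when running the configure script. Note that if you disable support for
+LZO, the resulting binary will not work correctly on VPNs where LZO
+compression is used.
 
 You can use your operating system's package manager to install this
 if available. Make sure you install the development AND runtime
@@ -408,9 +416,9 @@ startup scripts and sample configurations.
 If you cannot use one of the precompiled packages, or you want to
 compile tinc for yourself, you can use the source. The source is
 distributed under the GNU General Public License (GPL). Download the
-source from the download page (http://www.tinc-vpn.org/download), which
-has the checksums of these files listed; you may wish to check these
-with md5sum before continuing.
+source from the download page (http://www.tinc-vpn.org/download/),
+which has the checksums of these files listed; you may wish to check
+these with md5sum before continuing.
 
 Tinc comes in a convenient autoconf/automake package, which you can
 just treat the same as any other package. Which is just untar it, type
@@ -451,7 +459,7 @@ File: tinc.info, Node: Darwin (MacOS/X) build environment, Next: Cygwin (Windo
 In order to build tinc on Darwin, you need to install the MacOS/X
 Developer Tools from
 `http://developer.apple.com/tools/macosxtools.html' and a recent
-version of Fink from `http://fink.sourceforge.net/'.
+version of Fink from `http://www.finkproject.org/'.
 
 After installation use fink to download and install the following
 packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
@@ -570,7 +578,7 @@ Do you want to run tinc in router mode or switch mode? These questions
 can only be answered by yourself, you will not find the answers in this
 documentation. Make sure you have an adequate understanding of
 networks in general. A good resource on networking is the Linux
-Network Administrators Guide (http://www.linuxdoc.org/LDP/nag2/).
+Network Administrators Guide (http://www.tldp.org/LDP/nag2/).
 
 If you have everything clearly pictured in your mind, proceed in the
 following order: First, generate the configuration files (`tinc.conf',
@@ -860,7 +868,8 @@ Hostnames = <yes|no> (no)
 responding.
 
 This does not affect resolving hostnames to IP addresses from the
-configuration file.
+configuration file, but whether hostnames should be resolved while
+logging.
 
 Interface = <INTERFACE>
 Defines the name of the interface corresponding to the virtual
@@ -957,9 +966,6 @@ PrivateKeyFile = <PATH> (`/etc/tinc/NETNAME/rsa_key.priv')
 generated by `tincd --generate-keys'. It must be a full path, not
 a relative directory.
 
-Note that there must be exactly one of PrivateKey or PrivateKeyFile
-specified in the configuration file.
-
 ProcessPriority = <low|normal|high>
 When this option is used the priority of the tincd process will be
 adjusted. Increasing the priority may help to reduce latency and
@@ -1116,7 +1122,7 @@ Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
 Prefixlength is the number of bits set to 1 in the netmask part;
 for example: netmask 255.255.255.0 would become /24, 255.255.252.0
 becomes /22. This conforms to standard CIDR notation as described
-in RFC1519 (ftp://ftp.isi.edu/in-notes/rfc1519.txt)
+in RFC1519 (http://www.ietf.org/rfc/rfc1519.txt)
 
 A Subnet can be given a weight to indicate its priority over
 identical Subnets owned by different nodes. The default weight is
@@ -2470,7 +2476,7 @@ Concept Index
 * example: Example configuration.
 (line 6)
 * exec: Main configuration variables.
-(line 311)
+(line 309)
 * Forwarding: Main configuration variables.
 (line 152)
 * frame type: The UDP tunnel. (line 6)
@@ -2479,41 +2485,41 @@ Concept Index
 * Hostnames: Main configuration variables.
 (line 180)
 * http: Main configuration variables.
-(line 308)
+(line 306)
 * hub: Main configuration variables.
-(line 232)
+(line 233)
 * ID: Authentication protocol.
 (line 10)
 * IndirectData: Host configuration variables.
 (line 34)
 * INTERFACE: Scripts. (line 58)
 * Interface: Main configuration variables.
-(line 190)
+(line 191)
 * IRC: Contact information. (line 9)
 * key generation: Generating keypairs. (line 6)
 * KEY_CHANGED: The meta-protocol. (line 64)
 * KeyExpire: Main configuration variables.
-(line 237)
+(line 238)
 * libraries: Libraries. (line 6)
 * license: OpenSSL. (line 36)
 * LocalDiscovery: Main configuration variables.
-(line 198)
+(line 199)
 * lzo: lzo. (line 6)
 * MACExpire: Main configuration variables.
-(line 243)
+(line 244)
 * MACLength: Host configuration variables.
 (line 42)
 * meta-protocol: The meta-connection. (line 18)
 * META_KEY: Authentication protocol.
 (line 10)
 * Mode: Main configuration variables.
-(line 209)
+(line 210)
 * multicast: Main configuration variables.
 (line 99)
 * multiple networks: Multiple networks. (line 6)
 * NAME: Scripts. (line 52)
 * Name: Main configuration variables.
-(line 248)
+(line 249)
 * netmask: Network interfaces. (line 34)
 * NETNAME: Scripts. (line 49)
 * netname: Multiple networks. (line 6)
@@ -2526,9 +2532,9 @@ Concept Index
 (line 67)
 * PING: The meta-protocol. (line 89)
 * PingInterval: Main configuration variables.
-(line 259)
+(line 260)
 * PingTimeout: Main configuration variables.
-(line 263)
+(line 264)
 * platforms: Supported platforms. (line 6)
 * PMTU: Host configuration variables.
 (line 47)
@@ -2539,17 +2545,17 @@ Concept Index
 (line 55)
 * port numbers: Other files. (line 17)
 * PriorityInheritance: Main configuration variables.
-(line 269)
+(line 270)
 * private: Virtual Private Networks.
 (line 10)
 * PrivateKey: Main configuration variables.
-(line 274)
+(line 275)
 * PrivateKeyFile: Main configuration variables.
-(line 280)
+(line 281)
 * ProcessPriority: Main configuration variables.
-(line 288)
+(line 286)
 * Proxy: Main configuration variables.
-(line 293)
+(line 291)
 * PublicKey: Host configuration variables.
 (line 59)
 * PublicKeyFile: Host configuration variables.
@@ -2560,11 +2566,11 @@ Concept Index
 * REMOTEADDRESS: Scripts. (line 67)
 * REMOTEPORT: Scripts. (line 70)
 * ReplayWindow: Main configuration variables.
-(line 316)
+(line 314)
 * REQ_KEY: The meta-protocol. (line 64)
 * requirements: Libraries. (line 6)
 * router: Main configuration variables.
-(line 212)
+(line 213)
 * runtime options: Runtime options. (line 9)
 * scalability: tinc. (line 19)
 * scripts: Scripts. (line 6)
@@ -2572,11 +2578,11 @@ Concept Index
 (line 18)
 * signals: Signals. (line 6)
 * socks4: Main configuration variables.
-(line 297)
+(line 295)
 * socks5: Main configuration variables.
-(line 302)
+(line 300)
 * StrictSubnets: Main configuration variables.
-(line 327)
+(line 325)
 * SUBNET: Scripts. (line 74)
 * Subnet: Host configuration variables.
 (line 74)
@@ -2584,7 +2590,7 @@ Concept Index
 (line 96)
 * SVPN: Security. (line 11)
 * switch: Main configuration variables.
-(line 221)
+(line 222)
 * TCP: The meta-connection. (line 10)
 * TCPonly: Host configuration variables.
 (line 103)
@@ -2598,16 +2604,16 @@ Concept Index
 * tunifhead: Main configuration variables.
 (line 134)
 * TunnelServer: Main configuration variables.
-(line 332)
+(line 330)
 * tunnohead: Main configuration variables.
 (line 128)
 * UDP <1>: Encryption of network packets.
 (line 12)
 * UDP: The UDP tunnel. (line 30)
 * UDPRcvBuf: Main configuration variables.
-(line 339)
+(line 337)
 * UDPSndBuf: Main configuration variables.
-(line 344)
+(line 342)
 * UML: Main configuration variables.
 (line 110)
 * Universal tun/tap: Configuration of Linux kernels.
@@ -2632,61 +2638,61 @@ Node: Introduction1109
 Node: Virtual Private Networks1919
 Node: tinc3645
 Node: Supported platforms5172
-Node: Preparations5870
-Node: Configuring the kernel6126
-Node: Configuration of Linux kernels6535
-Node: Configuration of FreeBSD kernels7390
-Node: Configuration of OpenBSD kernels7780
-Node: Configuration of NetBSD kernels8388
-Node: Configuration of Solaris kernels8793
-Node: Configuration of Darwin (MacOS/X) kernels9454
-Node: Configuration of Windows10143
-Node: Libraries10657
-Node: OpenSSL11045
-Node: zlib13321
-Node: lzo14150
-Node: Installation14937
-Node: Building and installing tinc15952
-Node: Darwin (MacOS/X) build environment16611
-Node: Cygwin (Windows) build environment17179
-Node: MinGW (Windows) build environment17767
-Node: System files18291
-Node: Device files18556
-Node: Other files18972
-Node: Configuration19585
-Node: Configuration introduction19896
-Node: Multiple networks21169
-Node: How connections work22595
-Node: Configuration files23817
-Node: Main configuration variables25204
-Node: Host configuration variables40987
-Node: Scripts46347
-Node: How to configure49117
-Node: Generating keypairs50380
-Node: Network interfaces50879
-Node: Example configuration52727
-Node: Running tinc58050
-Node: Runtime options58640
-Node: Signals61940
-Node: Debug levels63132
-Node: Solving problems64068
-Node: Error messages65620
-Node: Sending bug reports69633
-Node: Technical information70585
-Node: The connection70816
-Node: The UDP tunnel71128
-Node: The meta-connection74189
-Node: The meta-protocol75658
-Node: Security80667
-Node: Authentication protocol81797
-Node: Encryption of network packets86801
-Node: Security issues88174
-Node: Platform specific information89791
-Node: Interface configuration90019
-Node: Routes92472
-Node: About us94388
-Node: Contact information94563
-Node: Authors94967
-Node: Concept Index95372
+Node: Preparations5871
+Node: Configuring the kernel6127
+Node: Configuration of Linux kernels6536
+Node: Configuration of FreeBSD kernels7391
+Node: Configuration of OpenBSD kernels7856
+Node: Configuration of NetBSD kernels8464
+Node: Configuration of Solaris kernels8869
+Node: Configuration of Darwin (MacOS/X) kernels9530
+Node: Configuration of Windows10219
+Node: Libraries10733
+Node: OpenSSL11121
+Node: zlib13409
+Node: lzo14435
+Node: Installation15415
+Node: Building and installing tinc16431
+Node: Darwin (MacOS/X) build environment17090
+Node: Cygwin (Windows) build environment17657
+Node: MinGW (Windows) build environment18245
+Node: System files18769
+Node: Device files19034
+Node: Other files19450
+Node: Configuration20063
+Node: Configuration introduction20374
+Node: Multiple networks21643
+Node: How connections work23069
+Node: Configuration files24291
+Node: Main configuration variables25678
+Node: Host configuration variables41406
+Node: Scripts46763
+Node: How to configure49533
+Node: Generating keypairs50796
+Node: Network interfaces51295
+Node: Example configuration53143
+Node: Running tinc58466
+Node: Runtime options59056
+Node: Signals62356
+Node: Debug levels63548
+Node: Solving problems64484
+Node: Error messages66036
+Node: Sending bug reports70049
+Node: Technical information71001
+Node: The connection71232
+Node: The UDP tunnel71544
+Node: The meta-connection74605
+Node: The meta-protocol76074
+Node: Security81083
+Node: Authentication protocol82213
+Node: Encryption of network packets87217
+Node: Security issues88590
+Node: Platform specific information90207
+Node: Interface configuration90435
+Node: Routes92888
+Node: About us94804
+Node: Contact information94979
+Node: Authors95383
+Node: Concept Index95788
 
 End Tag Table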
|
@ -15,7 +15,7 @@
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
||||||
|
|
||||||
Copyright @copyright{} 1998-2012 Ivo Timmermans,
|
Copyright @copyright{} 1998-2013 Ivo Timmermans,
|
||||||
Guus Sliepen <guus@@tinc-vpn.org> and
|
Guus Sliepen <guus@@tinc-vpn.org> and
|
||||||
Wessel Dankers <wsl@@tinc-vpn.org>.
|
Wessel Dankers <wsl@@tinc-vpn.org>.
|
||||||
|
|
||||||
|
@ -39,7 +39,7 @@ permission notice identical to this one.
|
||||||
@vskip 0pt plus 1filll
|
@vskip 0pt plus 1filll
|
||||||
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
||||||
|
|
||||||
Copyright @copyright{} 1998-2012 Ivo Timmermans,
|
Copyright @copyright{} 1998-2013 Ivo Timmermans,
|
||||||
Guus Sliepen <guus@@tinc-vpn.org> and
|
Guus Sliepen <guus@@tinc-vpn.org> and
|
||||||
Wessel Dankers <wsl@@tinc-vpn.org>.
|
Wessel Dankers <wsl@@tinc-vpn.org>.
|
||||||
|
|
||||||
|
@ -186,7 +186,7 @@ packets.
|
||||||
@cindex release
|
@cindex release
|
||||||
For an up to date list of supported platforms, please check the list on
|
For an up to date list of supported platforms, please check the list on
|
||||||
our website:
|
our website:
|
||||||
@uref{http://www.tinc-vpn.org/platforms}.
|
@uref{http://www.tinc-vpn.org/platforms/}.
|
||||||
|
|
||||||
@c
|
@c
|
||||||
@c
|
@c
|
||||||
|
@ -261,7 +261,7 @@ alias char-major-10-200 tun
|
||||||
@subsection Configuration of FreeBSD kernels
|
@subsection Configuration of FreeBSD kernels
|
||||||
|
|
||||||
For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration.
|
For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration.
|
||||||
Using tap devices is recommended.
|
The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
|
||||||
|
|
||||||
|
|
||||||
@c ==================================================================
|
@c ==================================================================
|
||||||
|
@ -275,6 +275,7 @@ which adds a tap device to OpenBSD which should work with tinc,
|
||||||
but with recent versions of OpenBSD,
|
but with recent versions of OpenBSD,
|
||||||
a tun device can act as a tap device by setting the link0 option with ifconfig.
|
a tun device can act as a tap device by setting the link0 option with ifconfig.
|
||||||
|
|
||||||
|
|
||||||
@c ==================================================================
|
@c ==================================================================
|
||||||
@node Configuration of NetBSD kernels
|
@node Configuration of NetBSD kernels
|
||||||
@subsection Configuration of NetBSD kernels
|
@subsection Configuration of NetBSD kernels
|
||||||
|
@ -349,7 +350,7 @@ For all cryptography-related functions, tinc uses the functions provided
|
||||||
by the OpenSSL library.
|
by the OpenSSL library.
|
||||||
|
|
||||||
If this library is not installed, you wil get an error when configuring
|
If this library is not installed, you wil get an error when configuring
|
||||||
tinc for build. Support for running tinc without having OpenSSL
|
tinc for build. Support for running tinc with other cryptographic libraries
|
||||||
installed @emph{may} be added in the future.
|
installed @emph{may} be added in the future.
|
||||||
|
|
||||||
You can use your operating system's package manager to install this if
|
You can use your operating system's package manager to install this if
|
||||||
|
@ -412,9 +413,11 @@ Markus F.X.J. Oberhumer
|
||||||
For the optional compression of UDP packets, tinc uses the functions provided
|
For the optional compression of UDP packets, tinc uses the functions provided
|
||||||
by the zlib library.
|
by the zlib library.
|
||||||
|
|
||||||
If this library is not installed, you wil get an error when configuring
|
If this library is not installed, you wil get an error when running the
|
||||||
tinc for build. Support for running tinc without having zlib
|
configure script. You can either install the zlib library, or disable support
|
||||||
installed @emph{may} be added in the future.
|
for zlib compression by using the "--disable-zlib" option when running the
|
||||||
|
configure script. Note that if you disable support for zlib, the resulting
|
||||||
|
binary will not work correctly on VPNs where zlib compression is used.
|
||||||
|
|
||||||
You can use your operating system's package manager to install this if
|
You can use your operating system's package manager to install this if
|
||||||
available. Make sure you install the development AND runtime versions
|
available. Make sure you install the development AND runtime versions
|
||||||
|
@ -432,11 +435,13 @@ default).
|
||||||
@subsection lzo
|
@subsection lzo
|
||||||
|
|
||||||
@cindex lzo
|
@cindex lzo
|
||||||
Another form of compression is offered using the lzo library.
|
Another form of compression is offered using the LZO library.
|
||||||
|
|
||||||
If this library is not installed, you wil get an error when configuring
|
If this library is not installed, you wil get an error when running the
|
||||||
tinc for build. Support for running tinc without having lzo
|
configure script. You can either install the LZO library, or disable support
|
||||||
installed @emph{may} be added in the future.
|
for LZO compression by using the "--disable-lzo" option when running the
|
||||||
|
configure script. Note that if you disable support for LZO, the resulting
|
||||||
|
binary will not work correctly on VPNs where LZO compression is used.
|
||||||
|
|
||||||
You can use your operating system's package manager to install this if
|
You can use your operating system's package manager to install this if
|
||||||
available. Make sure you install the development AND runtime versions
|
available. Make sure you install the development AND runtime versions
|
||||||
|
@ -469,7 +474,7 @@ system startup scripts and sample configurations.
|
||||||
If you cannot use one of the precompiled packages, or you want to compile tinc
|
If you cannot use one of the precompiled packages, or you want to compile tinc
|
||||||
for yourself, you can use the source. The source is distributed under
|
for yourself, you can use the source. The source is distributed under
|
||||||
the GNU General Public License (GPL). Download the source from the
|
the GNU General Public License (GPL). Download the source from the
|
||||||
@uref{http://www.tinc-vpn.org/download, download page}, which has
|
@uref{http://www.tinc-vpn.org/download/, download page}, which has
|
||||||
the checksums of these files listed; you may wish to check these with
|
the checksums of these files listed; you may wish to check these with
|
||||||
md5sum before continuing.
|
md5sum before continuing.
|
||||||
|
|
||||||
|
@ -510,7 +515,7 @@ The documentation that comes along with your distribution will tell you how to d
|
||||||
|
|
||||||
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
|
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
|
||||||
from @uref{http://developer.apple.com/tools/macosxtools.html} and
|
from @uref{http://developer.apple.com/tools/macosxtools.html} and
|
||||||
a recent version of Fink from @uref{http://fink.sourceforge.net/}.
|
a recent version of Fink from @uref{http://www.finkproject.org/}.
|
||||||
|
|
||||||
After installation use fink to download and install the following packages:
|
After installation use fink to download and install the following packages:
|
||||||
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
|
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
|
||||||
|
@ -638,7 +643,7 @@ you will not find the answers in this documentation.
|
||||||
Make sure you have an adequate understanding of networks in general.
|
Make sure you have an adequate understanding of networks in general.
|
||||||
@cindex Network Administrators Guide
|
@cindex Network Administrators Guide
|
||||||
A good resource on networking is the
|
A good resource on networking is the
|
||||||
@uref{http://www.linuxdoc.org/LDP/nag2/, Linux Network Administrators Guide}.
|
@uref{http://www.tldp.org/LDP/nag2/, Linux Network Administrators Guide}.
|
||||||
|
|
||||||
If you have everything clearly pictured in your mind,
|
If you have everything clearly pictured in your mind,
|
||||||
proceed in the following order:
|
proceed in the following order:
|
||||||
|
@ -943,7 +948,7 @@ tinc's efficiency, even stopping the daemon for a few seconds everytime
|
||||||
it does a lookup if your DNS server is not responding.
|
it does a lookup if your DNS server is not responding.
|
||||||
|
|
||||||
This does not affect resolving hostnames to IP addresses from the
|
This does not affect resolving hostnames to IP addresses from the
|
||||||
configuration file.
|
configuration file, but whether hostnames should be resolved while logging.
|
||||||
|
|
||||||
@cindex Interface
|
@cindex Interface
|
||||||
@item Interface = <@var{interface}>
|
@item Interface = <@var{interface}>
|
||||||
|
@ -1041,10 +1046,6 @@ This is the full path name of the RSA private key file that was
|
||||||
generated by @samp{tincd --generate-keys}. It must be a full path, not a
|
generated by @samp{tincd --generate-keys}. It must be a full path, not a
|
||||||
relative directory.
|
relative directory.
|
||||||
|
|
||||||
Note that there must be exactly one of PrivateKey
|
|
||||||
or PrivateKeyFile
|
|
||||||
specified in the configuration file.
|
|
||||||
|
|
||||||
@cindex ProcessPriority
|
@cindex ProcessPriority
|
||||||
@item ProcessPriority = <low|normal|high>
|
@item ProcessPriority = <low|normal|high>
|
||||||
When this option is used the priority of the tincd process will be adjusted.
|
When this option is used the priority of the tincd process will be adjusted.
|
||||||
|
@ -1220,7 +1221,7 @@ MAC addresses are notated like 0:1a:2b:3c:4d:5e.
|
||||||
Prefixlength is the number of bits set to 1 in the netmask part; for
|
Prefixlength is the number of bits set to 1 in the netmask part; for
|
||||||
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
|
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
|
||||||
/22. This conforms to standard CIDR notation as described in
|
/22. This conforms to standard CIDR notation as described in
|
||||||
@uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519}
|
@uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519}
|
||||||
|
|
||||||
@cindex Subnet weight
|
@cindex Subnet weight
|
||||||
A Subnet can be given a weight to indicate its priority over identical Subnets
|
A Subnet can be given a weight to indicate its priority over identical Subnets
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||||
# @configure_input@
|
# @configure_input@
|
||||||
|
|
||||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||||
|
|
|
@ -41,6 +41,10 @@
|
||||||
#define ETH_P_IPV6 0x86DD
|
#define ETH_P_IPV6 0x86DD
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifndef ETH_P_8021Q
|
||||||
|
#define ETH_P_8021Q 0x8100
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifndef HAVE_STRUCT_ETHER_HEADER
|
#ifndef HAVE_STRUCT_ETHER_HEADER
|
||||||
struct ether_header {
|
struct ether_header {
|
||||||
uint8_t ether_dhost[ETH_ALEN];
|
uint8_t ether_dhost[ETH_ALEN];
|
||||||
10
lib/utils.c
10
lib/utils.c
|
@ -32,12 +32,14 @@ static int charhex2bin(char c) {
|
||||||
return toupper(c) - 'A' + 10;
|
return toupper(c) - 'A' + 10;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool hex2bin(char *src, char *dst, int length) {
|
||||||
void hex2bin(char *src, char *dst, int length) {
|
for(int i = 0; i < length; i++) {
|
||||||
int i;
|
if(!isxdigit(src[i * 2]) || !isxdigit(src[i * 2 + 1]))
|
||||||
for(i = 0; i < length; i++)
|
return false;
|
||||||
dst[i] = charhex2bin(src[i * 2]) * 16 + charhex2bin(src[i * 2 + 1]);
|
dst[i] = charhex2bin(src[i * 2]) * 16 + charhex2bin(src[i * 2 + 1]);
|
||||||
}
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
void bin2hex(char *src, char *dst, int length) {
|
void bin2hex(char *src, char *dst, int length) {
|
||||||
int i;
|
int i;
|
||||||
|
|
|
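Review bot: The new digit check in hex2bin passes plain `char` values to isxdigit(), which is undefined behaviour for negative values where char is signed, i.e. any input byte ≥ 0x80 in the string being parsed. Cast first: `if(!isxdigit((unsigned char)src[i * 2]) || !isxdigit((unsigned char)src[i * 2 + 1]))`. The `toupper(c)` in charhex2bin just above has the same issue but is unchanged context here. On a false return dst has already been partially written, which the new prototype in lib/utils.h does not say; a comment such as `/* Returns false on the first non-hex pair; dst is then only partially filled. */` above the function would make the new contract explicit.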
@ -21,7 +21,7 @@
|
||||||
#ifndef __TINC_UTILS_H__
|
#ifndef __TINC_UTILS_H__
|
||||||
#define __TINC_UTILS_H__
|
#define __TINC_UTILS_H__
|
||||||
|
|
||||||
extern void hex2bin(char *src, char *dst, int length);
|
extern bool hex2bin(char *src, char *dst, int length);
|
||||||
extern void bin2hex(char *src, char *dst, int length);
|
extern void bin2hex(char *src, char *dst, int length);
|
||||||
|
|
||||||
#ifdef HAVE_MINGW
|
#ifdef HAVE_MINGW
|
||||||
@ -1,4 +1,4 @@
|
||||||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||||
# @configure_input@
|
# @configure_input@
|
||||||
|
|
||||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||||
@ -1,4 +1,4 @@
|
||||||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||||
# @configure_input@
|
# @configure_input@
|
||||||
|
|
||||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||||
@ -29,17 +29,22 @@
|
||||||
#include "utils.h"
|
#include "utils.h"
|
||||||
#include "xalloc.h"
|
#include "xalloc.h"
|
||||||
|
|
||||||
#ifdef HAVE_TUNEMU
|
#ifdef ENABLE_TUNEMU
|
||||||
#include "bsd/tunemu.h"
|
#include "bsd/tunemu.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#define DEFAULT_DEVICE "/dev/tun0"
|
#define DEFAULT_TUN_DEVICE "/dev/tun0"
|
||||||
|
#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD)
|
||||||
|
#define DEFAULT_TAP_DEVICE "/dev/tap0"
|
||||||
|
#else
|
||||||
|
#define DEFAULT_TAP_DEVICE "/dev/tun0"
|
||||||
|
#endif
|
||||||
|
|
||||||
typedef enum device_type {
|
typedef enum device_type {
|
||||||
DEVICE_TYPE_TUN,
|
DEVICE_TYPE_TUN,
|
||||||
DEVICE_TYPE_TUNIFHEAD,
|
DEVICE_TYPE_TUNIFHEAD,
|
||||||
DEVICE_TYPE_TAP,
|
DEVICE_TYPE_TAP,
|
||||||
#ifdef HAVE_TUNEMU
|
#ifdef ENABLE_TUNEMU
|
||||||
DEVICE_TYPE_TUNEMU,
|
DEVICE_TYPE_TUNEMU,
|
||||||
#endif
|
#endif
|
||||||
} device_type_t;
|
} device_type_t;
|
||||||
|
@ -50,7 +55,7 @@ char *iface = NULL;
|
||||||
static char *device_info = NULL;
|
static char *device_info = NULL;
|
||||||
static uint64_t device_total_in = 0;
|
static uint64_t device_total_in = 0;
|
||||||
static uint64_t device_total_out = 0;
|
static uint64_t device_total_out = 0;
|
||||||
#if defined(TUNEMU)
|
#if defined(ENABLE_TUNEMU)
|
||||||
static device_type_t device_type = DEVICE_TYPE_TUNEMU;
|
static device_type_t device_type = DEVICE_TYPE_TUNEMU;
|
||||||
#elif defined(HAVE_OPENBSD) || defined(HAVE_FREEBSD) || defined(HAVE_DRAGONFLY)
|
#elif defined(HAVE_OPENBSD) || defined(HAVE_FREEBSD) || defined(HAVE_DRAGONFLY)
|
||||||
static device_type_t device_type = DEVICE_TYPE_TUNIFHEAD;
|
static device_type_t device_type = DEVICE_TYPE_TUNIFHEAD;
|
||||||
|
@ -61,8 +66,12 @@ static device_type_t device_type = DEVICE_TYPE_TUN;
|
||||||
static bool setup_device(void) {
|
static bool setup_device(void) {
|
||||||
char *type;
|
char *type;
|
||||||
|
|
||||||
if(!get_config_string(lookup_config(config_tree, "Device"), &device))
|
if(!get_config_string(lookup_config(config_tree, "Device"), &device)) {
|
||||||
device = xstrdup(DEFAULT_DEVICE);
|
if(routing_mode == RMODE_ROUTER)
|
||||||
|
device = xstrdup(DEFAULT_TUN_DEVICE);
|
||||||
|
else
|
||||||
|
device = xstrdup(DEFAULT_TAP_DEVICE);
|
||||||
|
}
|
||||||
|
|
||||||
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
|
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
|
||||||
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
|
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
|
||||||
|
@ -70,7 +79,7 @@ static bool setup_device(void) {
|
||||||
if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
|
if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
|
||||||
if(!strcasecmp(type, "tun"))
|
if(!strcasecmp(type, "tun"))
|
||||||
/* use default */;
|
/* use default */;
|
||||||
#ifdef HAVE_TUNEMU
|
#ifdef ENABLE_TUNEMU
|
||||||
else if(!strcasecmp(type, "tunemu"))
|
else if(!strcasecmp(type, "tunemu"))
|
||||||
device_type = DEVICE_TYPE_TUNEMU;
|
device_type = DEVICE_TYPE_TUNEMU;
|
||||||
#endif
|
#endif
|
||||||
|
@ -90,7 +99,7 @@ static bool setup_device(void) {
|
||||||
}
|
}
|
||||||
|
|
||||||
switch(device_type) {
|
switch(device_type) {
|
||||||
#ifdef HAVE_TUNEMU
|
#ifdef ENABLE_TUNEMU
|
||||||
case DEVICE_TYPE_TUNEMU: {
|
case DEVICE_TYPE_TUNEMU: {
|
||||||
char dynamic_name[256] = "";
|
char dynamic_name[256] = "";
|
||||||
device_fd = tunemu_open(dynamic_name);
|
device_fd = tunemu_open(dynamic_name);
|
||||||
|
@ -167,7 +176,7 @@ static bool setup_device(void) {
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
break;
|
break;
|
||||||
#ifdef HAVE_TUNEMU
|
#ifdef ENABLE_TUNEMU
|
||||||
case DEVICE_TYPE_TUNEMU:
|
case DEVICE_TYPE_TUNEMU:
|
||||||
device_info = "BSD tunemu device";
|
device_info = "BSD tunemu device";
|
||||||
break;
|
break;
|
||||||
|
@ -181,7 +190,7 @@ static bool setup_device(void) {
|
||||||
|
|
||||||
static void close_device(void) {
|
static void close_device(void) {
|
||||||
switch(device_type) {
|
switch(device_type) {
|
||||||
#ifdef HAVE_TUNEMU
|
#ifdef ENABLE_TUNEMU
|
||||||
case DEVICE_TYPE_TUNEMU:
|
case DEVICE_TYPE_TUNEMU:
|
||||||
tunemu_close(device_fd);
|
tunemu_close(device_fd);
|
||||||
break;
|
break;
|
||||||
|
@ -199,7 +208,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
||||||
|
|
||||||
switch(device_type) {
|
switch(device_type) {
|
||||||
case DEVICE_TYPE_TUN:
|
case DEVICE_TYPE_TUN:
|
||||||
#ifdef HAVE_TUNEMU
|
#ifdef ENABLE_TUNEMU
|
||||||
case DEVICE_TYPE_TUNEMU:
|
case DEVICE_TYPE_TUNEMU:
|
||||||
if(device_type == DEVICE_TYPE_TUNEMU)
|
if(device_type == DEVICE_TYPE_TUNEMU)
|
||||||
lenin = tunemu_read(device_fd, packet->data + 14, MTU - 14);
|
lenin = tunemu_read(device_fd, packet->data + 14, MTU - 14);
|
||||||
|
@ -229,6 +238,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
memset(packet->data, 0, 12);
|
||||||
packet->len = lenin + 14;
|
packet->len = lenin + 14;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
@ -260,6 +270,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
memset(packet->data, 0, 12);
|
||||||
packet->len = lenin + 10;
|
packet->len = lenin + 10;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -336,7 +347,7 @@ static bool write_packet(vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef HAVE_TUNEMU
|
#ifdef ENABLE_TUNEMU
|
||||||
case DEVICE_TYPE_TUNEMU:
|
case DEVICE_TYPE_TUNEMU:
|
||||||
if(tunemu_write(device_fd, packet->data + 14, packet->len - 14) < 0) {
|
if(tunemu_write(device_fd, packet->data + 14, packet->len - 14) < 0) {
|
||||||
logger(LOG_ERR, "Error while writing to %s %s: %s", device_info,
|
logger(LOG_ERR, "Error while writing to %s %s: %s", device_info,
|
||||||
|
|
|
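Review bot: The two `memset(packet->data, 0, 12);` lines added to read_packet need a comment saying why they are there: the tun paths read the payload at an offset (data + 14, data + 10) and apparently build a synthetic Ethernet header in front of it, and bytes 0–11 were previously left with whatever the buffer already held, so the point is presumably to stop stale buffer contents from being forwarded into the VPN. A line such as `/* Zero the synthetic src/dst MAC addresses so stale buffer bytes are never forwarded */` above each would do, and the same comment fits the identical line added to read_packet in the Linux device file further down this commit. Both read_packet functions start outside their hunks, so the code that fills bytes 12–13 is not visible here.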
@ -73,6 +73,15 @@ void free_connection_partially(connection_t *c) {
|
||||||
c->hischallenge = NULL;
|
c->hischallenge = NULL;
|
||||||
c->outbuf = NULL;
|
c->outbuf = NULL;
|
||||||
|
|
||||||
|
c->status.pinged = false;
|
||||||
|
c->status.active = false;
|
||||||
|
c->status.connecting = false;
|
||||||
|
c->status.timeout = false;
|
||||||
|
c->status.encryptout = false;
|
||||||
|
c->status.decryptin = false;
|
||||||
|
c->status.mst = false;
|
||||||
|
|
||||||
|
c->options = 0;
|
||||||
c->buflen = 0;
|
c->buflen = 0;
|
||||||
c->reqlen = 0;
|
c->reqlen = 0;
|
||||||
c->tcplen = 0;
|
c->tcplen = 0;
|
||||||
|
@ -80,6 +89,8 @@ void free_connection_partially(connection_t *c) {
|
||||||
c->outbuflen = 0;
|
c->outbuflen = 0;
|
||||||
c->outbufsize = 0;
|
c->outbufsize = 0;
|
||||||
c->outbufstart = 0;
|
c->outbufstart = 0;
|
||||||
|
c->last_ping_time = 0;
|
||||||
|
c->last_flushed_time = 0;
|
||||||
|
|
||||||
if(c->inctx) {
|
if(c->inctx) {
|
||||||
EVP_CIPHER_CTX_cleanup(c->inctx);
|
EVP_CIPHER_CTX_cleanup(c->inctx);
|
||||||
|
|
|
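Review bot: free_connection_partially now clears the status bits one by one, but `c->allow_request` — the field the new TCP-packet path in src/meta.c gates on (`c->allow_request == ALL`) — is not reset in the visible lines, so unless it is cleared elsewhere a reused connection_t could keep its previous authorization level. Either reset it here next to `c->options = 0;`, or, if the caller is responsible, say so in a comment above the block. Clearing the bits individually also means any flag added to connection_status_t later is silently skipped (`remove` and `unused_termreq` are already not touched); if only specific bits must survive, a single assignment such as `c->status = (connection_status_t){ .remove = c->status.remove };` states that intent and cannot drift. The function starts and ends outside the hunk.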
@ -35,7 +35,7 @@ typedef struct connection_status_t {
|
||||||
unsigned int pinged:1; /* sent ping */
|
unsigned int pinged:1; /* sent ping */
|
||||||
unsigned int active:1; /* 1 if active.. */
|
unsigned int active:1; /* 1 if active.. */
|
||||||
unsigned int connecting:1; /* 1 if we are waiting for a non-blocking connect() to finish */
|
unsigned int connecting:1; /* 1 if we are waiting for a non-blocking connect() to finish */
|
||||||
unsigned int termreq:1; /* the termination of this connection was requested */
|
unsigned int unused_termreq:1; /* the termination of this connection was requested */
|
||||||
unsigned int remove:1; /* Set to 1 if you want this connection removed */
|
unsigned int remove:1; /* Set to 1 if you want this connection removed */
|
||||||
unsigned int timeout:1; /* 1 if gotten timeout */
|
unsigned int timeout:1; /* 1 if gotten timeout */
|
||||||
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
|
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
|
||||||
17
src/graph.c
17
src/graph.c
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
graph.c -- graph algorithms
|
graph.c -- graph algorithms
|
||||||
Copyright (C) 2001-2012 Guus Sliepen <guus@tinc-vpn.org>,
|
Copyright (C) 2001-2013 Guus Sliepen <guus@tinc-vpn.org>,
|
||||||
2001-2005 Ivo Timmermans
|
2001-2005 Ivo Timmermans
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
|
@ -287,13 +287,16 @@ static void sssp_bfs(void) {
|
||||||
|
|
||||||
subnet_update(n, NULL, n->status.reachable);
|
subnet_update(n, NULL, n->status.reachable);
|
||||||
|
|
||||||
if(!n->status.reachable)
|
if(!n->status.reachable) {
|
||||||
update_node_udp(n, NULL);
|
update_node_udp(n, NULL);
|
||||||
else if(n->connection)
|
memset(&n->status, 0, sizeof n->status);
|
||||||
|
n->options = 0;
|
||||||
|
} else if(n->connection) {
|
||||||
send_ans_key(n);
|
send_ans_key(n);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
void graph(void) {
|
void graph(void) {
|
||||||
subnet_cache_flush();
|
subnet_cache_flush();
|
||||||
|
@ -315,7 +318,7 @@ void dump_graph(void) {
|
||||||
node_t *n;
|
node_t *n;
|
||||||
edge_t *e;
|
edge_t *e;
|
||||||
char *filename = NULL, *tmpname = NULL;
|
char *filename = NULL, *tmpname = NULL;
|
||||||
FILE *file;
|
FILE *file, *pipe = NULL;
|
||||||
|
|
||||||
if(!graph_changed || !get_config_string(lookup_config(config_tree, "GraphDumpFile"), &filename))
|
if(!graph_changed || !get_config_string(lookup_config(config_tree, "GraphDumpFile"), &filename))
|
||||||
return;
|
return;
|
||||||
|
@ -325,7 +328,7 @@ void dump_graph(void) {
|
||||||
ifdebug(PROTOCOL) logger(LOG_NOTICE, "Dumping graph");
|
ifdebug(PROTOCOL) logger(LOG_NOTICE, "Dumping graph");
|
||||||
|
|
||||||
if(filename[0] == '|') {
|
if(filename[0] == '|') {
|
||||||
file = popen(filename + 1, "w");
|
file = pipe = popen(filename + 1, "w");
|
||||||
} else {
|
} else {
|
||||||
xasprintf(&tmpname, "%s.new", filename);
|
xasprintf(&tmpname, "%s.new", filename);
|
||||||
file = fopen(tmpname, "w");
|
file = fopen(tmpname, "w");
|
||||||
|
@ -353,8 +356,8 @@ void dump_graph(void) {
|
||||||
|
|
||||||
fprintf(file, "}\n");
|
fprintf(file, "}\n");
|
||||||
|
|
||||||
if(filename[0] == '|') {
|
if(pipe) {
|
||||||
pclose(file);
|
pclose(pipe);
|
||||||
} else {
|
} else {
|
||||||
fclose(file);
|
fclose(file);
|
||||||
#ifdef HAVE_MINGW
|
#ifdef HAVE_MINGW
|
||||||
|
|
|
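Review bot: `FILE *file, *pipe = NULL;` in dump_graph shadows the POSIX pipe() function declared by unistd.h, which trips -Wshadow and misleads readers; a name like `pipefile` avoids it. In the close path `fclose(file)` on the write stream is still unchecked, so a full disk or I/O error leaves a truncated graph file that is presumably renamed into place below the hunk; `if(fclose(file)) logger(LOG_ERR, "Could not write %s: %s", tmpname, strerror(errno));` (and the same for `pclose(pipe)`) would catch it. A one-line comment above the popen() call noting that the command comes from the GraphDumpFile configuration value and is run through the shell would also help the next maintainer see why the config file's permissions matter there. dump_graph ends outside the hunk.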
@ -155,6 +155,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
memset(packet->data, 0, 12);
|
||||||
packet->len = lenin + 10;
|
packet->len = lenin + 10;
|
||||||
break;
|
break;
|
||||||
case DEVICE_TYPE_TAP:
|
case DEVICE_TYPE_TAP:
|
||||||
36
src/meta.c
36
src/meta.c
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
meta.c -- handle the meta communication
|
meta.c -- handle the meta communication
|
||||||
Copyright (C) 2000-2009 Guus Sliepen <guus@tinc-vpn.org>,
|
Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>,
|
||||||
2000-2005 Ivo Timmermans
|
2000-2005 Ivo Timmermans
|
||||||
2006 Scott Lamb <slamb@slamb.org>
|
2006 Scott Lamb <slamb@slamb.org>
|
||||||
|
|
||||||
|
@ -177,15 +177,45 @@ bool receive_meta(connection_t *c) {
|
||||||
|
|
||||||
if(c->tcplen) {
|
if(c->tcplen) {
|
||||||
if(c->tcplen <= c->buflen) {
|
if(c->tcplen <= c->buflen) {
|
||||||
if(proxytype == PROXY_SOCKS4 && c->allow_request == ID) {
|
if(!c->node) {
|
||||||
|
if(c->outgoing && proxytype == PROXY_SOCKS4 && c->allow_request == ID) {
|
||||||
if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) {
|
if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) {
|
||||||
logger(LOG_DEBUG, "Proxy request granted");
|
logger(LOG_DEBUG, "Proxy request granted");
|
||||||
} else {
|
} else {
|
||||||
logger(LOG_ERR, "Proxy request rejected");
|
logger(LOG_ERR, "Proxy request rejected");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
} else
|
} else if(c->outgoing && proxytype == PROXY_SOCKS5 && c->allow_request == ID) {
|
||||||
|
if(c->buffer[0] != 5) {
|
||||||
|
logger(LOG_ERR, "Invalid response from proxy server");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if(c->buffer[1] == (char)0xff) {
|
||||||
|
logger(LOG_ERR, "Proxy request rejected: unsuitable authentication method");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if(c->buffer[2] != 5) {
|
||||||
|
logger(LOG_ERR, "Invalid response from proxy server");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if(c->buffer[3] == 0) {
|
||||||
|
logger(LOG_DEBUG, "Proxy request granted");
|
||||||
|
} else {
|
||||||
|
logger(LOG_DEBUG, "Proxy request rejected");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
logger(LOG_ERR, "c->tcplen set but c->node is NULL!");
|
||||||
|
abort();
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if(c->allow_request == ALL) {
|
||||||
receive_tcppacket(c, c->buffer, c->tcplen);
|
receive_tcppacket(c, c->buffer, c->tcplen);
|
||||||
|
} else {
|
||||||
|
logger(LOG_ERR, "Got unauthorized TCP packet from %s (%s)", c->name, c->hostname);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
c->buflen -= c->tcplen;
|
c->buflen -= c->tcplen;
|
||||||
lenin -= c->tcplen - oldlen;
|
lenin -= c->tcplen - oldlen;
|
||||||
|
|
|
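Review bot: The new `abort()` in receive_meta turns a protocol-state inconsistency into a crash of the whole daemon; if a peer can get `c->tcplen` set before `c->node` is bound (the code that sets tcplen is outside this hunk, so I cannot confirm it is unreachable), that is a remote denial of service against every node the peer can connect to. Dropping only the offending connection is the safer failure mode and keeps the diagnostic: keep the `logger(LOG_ERR, "c->tcplen set but c->node is NULL!");` line and replace `abort();` with `return false;`. The new `c->allow_request == ALL` gate before receive_tcppacket() is the right check; a comment such as `/* TCP-tunnelled VPN packets are only accepted once the meta connection is fully authenticated */` would tell a later reader why it is there. receive_meta starts and ends outside the hunk.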
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
device.c -- Interaction with Windows tap driver in a MinGW environment
|
device.c -- Interaction with Windows tap driver in a MinGW environment
|
||||||
Copyright (C) 2002-2005 Ivo Timmermans,
|
Copyright (C) 2002-2005 Ivo Timmermans,
|
||||||
2002-2011 Guus Sliepen <guus@tinc-vpn.org>
|
2002-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -46,7 +46,7 @@ extern char *myport;
|
||||||
|
|
||||||
static DWORD WINAPI tapreader(void *bla) {
|
static DWORD WINAPI tapreader(void *bla) {
|
||||||
int status;
|
int status;
|
||||||
long len;
|
DWORD len;
|
||||||
OVERLAPPED overlapped;
|
OVERLAPPED overlapped;
|
||||||
vpn_packet_t packet;
|
vpn_packet_t packet;
|
||||||
|
|
||||||
|
@ -91,7 +91,7 @@ static bool setup_device(void) {
|
||||||
char adapterid[1024];
|
char adapterid[1024];
|
||||||
char adaptername[1024];
|
char adaptername[1024];
|
||||||
char tapname[1024];
|
char tapname[1024];
|
||||||
long len;
|
DWORD len;
|
||||||
unsigned long status;
|
unsigned long status;
|
||||||
|
|
||||||
bool found = false;
|
bool found = false;
|
||||||
|
@ -122,7 +122,7 @@ static bool setup_device(void) {
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
len = sizeof(adaptername);
|
len = sizeof(adaptername);
|
||||||
err = RegQueryValueEx(key2, "Name", 0, 0, adaptername, &len);
|
err = RegQueryValueEx(key2, "Name", 0, 0, (LPBYTE)adaptername, &len);
|
||||||
|
|
||||||
RegCloseKey(key2);
|
RegCloseKey(key2);
|
||||||
|
|
||||||
|
@ -222,7 +222,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool write_packet(vpn_packet_t *packet) {
|
static bool write_packet(vpn_packet_t *packet) {
|
||||||
long lenout;
|
DWORD lenout;
|
||||||
OVERLAPPED overlapped = {0};
|
OVERLAPPED overlapped = {0};
|
||||||
|
|
||||||
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
|
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
|
||||||
|
|
|
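Review bot: After `RegQueryValueEx(key2, "Name", 0, 0, (LPBYTE)adaptername, &len)` the buffer is presumably used as a C string below the hunk, but REG_SZ data returned by the registry is not guaranteed to be NUL-terminated, and on return `len` is a byte count rather than a string length. Once `err == ERROR_SUCCESS` is confirmed, terminate explicitly, e.g. `adaptername[len < sizeof adaptername ? len : sizeof adaptername - 1] = 0;`, before the value is compared or logged. The `long` → `DWORD` change for len (and in tapreader and write_packet) is correct, since the API writes through a DWORD pointer. setup_device starts and ends outside the hunk.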
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
device.c -- multicast socket
|
device.c -- multicast socket
|
||||||
Copyright (C) 2002-2005 Ivo Timmermans,
|
Copyright (C) 2002-2005 Ivo Timmermans,
|
||||||
2002-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2002-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -158,7 +158,7 @@ static void close_device(void) {
|
||||||
static bool read_packet(vpn_packet_t *packet) {
|
static bool read_packet(vpn_packet_t *packet) {
|
||||||
int lenin;
|
int lenin;
|
||||||
|
|
||||||
if((lenin = recv(device_fd, packet->data, MTU, 0)) <= 0) {
|
if((lenin = recv(device_fd, (void *)packet->data, MTU, 0)) <= 0) {
|
||||||
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
|
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
|
||||||
device, strerror(errno));
|
device, strerror(errno));
|
||||||
return false;
|
return false;
|
||||||
|
@ -184,7 +184,7 @@ static bool write_packet(vpn_packet_t *packet) {
|
||||||
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
|
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
|
||||||
packet->len, device_info);
|
packet->len, device_info);
|
||||||
|
|
||||||
if(sendto(device_fd, packet->data, packet->len, 0, ai->ai_addr, ai->ai_addrlen) < 0) {
|
if(sendto(device_fd, (void *)packet->data, packet->len, 0, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||||
logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device,
|
logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device,
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
return false;
|
return false;
|
||||||
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
net_packet.c -- Handles in- and outgoing VPN packets
|
net_packet.c -- Handles in- and outgoing VPN packets
|
||||||
Copyright (C) 1998-2005 Ivo Timmermans,
|
Copyright (C) 1998-2005 Ivo Timmermans,
|
||||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
2010 Timothy Redaelli <timothy@redaelli.eu>
|
2010 Timothy Redaelli <timothy@redaelli.eu>
|
||||||
2010 Brandon Black <blblack@gmail.com>
|
2010 Brandon Black <blblack@gmail.com>
|
||||||
|
|
||||||
|
@ -70,11 +70,15 @@ bool localdiscovery = false;
|
||||||
mtuprobes == 32: send 1 burst, sleep pingtimeout second
|
mtuprobes == 32: send 1 burst, sleep pingtimeout second
|
||||||
mtuprobes == 33: no response from other side, restart PMTU discovery process
|
mtuprobes == 33: no response from other side, restart PMTU discovery process
|
||||||
|
|
||||||
Probes are sent in batches of three, with random sizes between the lower and
|
Probes are sent in batches of at least three, with random sizes between the
|
||||||
upper boundaries for the MTU thus far discovered.
|
lower and upper boundaries for the MTU thus far discovered.
|
||||||
|
|
||||||
In case local discovery is enabled, a fourth packet is added to each batch,
|
After the initial discovery, a fourth packet is added to each batch with a
|
||||||
|
size larger than the currently known PMTU, to test if the PMTU has increased.
|
||||||
|
|
||||||
|
In case local discovery is enabled, another packet is added to each batch,
|
||||||
which will be broadcast to the local network.
|
which will be broadcast to the local network.
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
void send_mtu_probe(node_t *n) {
|
void send_mtu_probe(node_t *n) {
|
||||||
|
@ -126,11 +130,16 @@ void send_mtu_probe(node_t *n) {
|
||||||
timeout = pingtimeout;
|
timeout = pingtimeout;
|
||||||
}
|
}
|
||||||
|
|
||||||
for(i = 0; i < 3 + localdiscovery; i++) {
|
for(i = 0; i < 4 + localdiscovery; i++) {
|
||||||
if(n->maxmtu <= n->minmtu)
|
if(i == 0) {
|
||||||
|
if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
|
||||||
|
continue;
|
||||||
|
len = n->maxmtu + 8;
|
||||||
|
} else if(n->maxmtu <= n->minmtu) {
|
||||||
len = n->maxmtu;
|
len = n->maxmtu;
|
||||||
else
|
} else {
|
||||||
len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
|
len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
|
||||||
|
}
|
||||||
|
|
||||||
if(len < 64)
|
if(len < 64)
|
||||||
len = 64;
|
len = 64;
|
||||||
|
@ -138,7 +147,7 @@ void send_mtu_probe(node_t *n) {
|
||||||
memset(packet.data, 0, 14);
|
memset(packet.data, 0, 14);
|
||||||
RAND_pseudo_bytes(packet.data + 14, len - 14);
|
RAND_pseudo_bytes(packet.data + 14, len - 14);
|
||||||
packet.len = len;
|
packet.len = len;
|
||||||
if(i >= 3 && n->mtuprobes <= 10)
|
if(i >= 4 && n->mtuprobes <= 10)
|
||||||
packet.priority = -1;
|
packet.priority = -1;
|
||||||
else
|
else
|
||||||
packet.priority = 0;
|
packet.priority = 0;
|
||||||
|
@ -164,6 +173,13 @@ void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
|
||||||
send_udppacket(n, packet);
|
send_udppacket(n, packet);
|
||||||
} else {
|
} else {
|
||||||
if(n->mtuprobes > 30) {
|
if(n->mtuprobes > 30) {
|
||||||
|
if (len == n->maxmtu + 8) {
|
||||||
|
ifdebug(TRAFFIC) logger(LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
|
||||||
|
n->maxmtu = MTU;
|
||||||
|
n->mtuprobes = 10;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if(n->minmtu)
|
if(n->minmtu)
|
||||||
n->mtuprobes = 30;
|
n->mtuprobes = 30;
|
||||||
else
|
else
|
||||||
|
@ -378,6 +394,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
|
||||||
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
|
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
|
||||||
vpn_packet_t outpkt;
|
vpn_packet_t outpkt;
|
||||||
|
|
||||||
|
if(len > sizeof outpkt.data)
|
||||||
|
return;
|
||||||
|
|
||||||
outpkt.len = len;
|
outpkt.len = len;
|
||||||
if(c->options & OPTION_TCPONLY)
|
if(c->options & OPTION_TCPONLY)
|
||||||
outpkt.priority = 0;
|
outpkt.priority = 0;
|
||||||
|
@ -500,17 +519,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
|
||||||
struct sockaddr *sa;
|
struct sockaddr *sa;
|
||||||
socklen_t sl;
|
socklen_t sl;
|
||||||
int sock;
|
int sock;
|
||||||
|
sockaddr_t broadcast;
|
||||||
|
|
||||||
/* Overloaded use of priority field: -1 means local broadcast */
|
/* Overloaded use of priority field: -1 means local broadcast */
|
||||||
|
|
||||||
if(origpriority == -1 && n->prevedge) {
|
if(origpriority == -1 && n->prevedge) {
|
||||||
struct sockaddr_in in;
|
sock = rand() % listen_sockets;
|
||||||
in.sin_family = AF_INET;
|
memset(&broadcast, 0, sizeof broadcast);
|
||||||
in.sin_addr.s_addr = -1;
|
if(listen_socket[sock].sa.sa.sa_family == AF_INET6) {
|
||||||
in.sin_port = n->prevedge->address.in.sin_port;
|
broadcast.in6.sin6_family = AF_INET6;
|
||||||
sa = (struct sockaddr *)∈
|
broadcast.in6.sin6_addr.s6_addr[0x0] = 0xff;
|
||||||
sl = sizeof in;
|
broadcast.in6.sin6_addr.s6_addr[0x1] = 0x02;
|
||||||
sock = 0;
|
broadcast.in6.sin6_addr.s6_addr[0xf] = 0x01;
|
||||||
|
broadcast.in6.sin6_port = n->prevedge->address.in.sin_port;
|
||||||
|
broadcast.in6.sin6_scope_id = listen_socket[sock].sa.in6.sin6_scope_id;
|
||||||
|
} else {
|
||||||
|
broadcast.in.sin_family = AF_INET;
|
||||||
|
broadcast.in.sin_addr.s_addr = -1;
|
||||||
|
broadcast.in.sin_port = n->prevedge->address.in.sin_port;
|
||||||
|
}
|
||||||
|
sa = &broadcast.sa;
|
||||||
|
sl = SALEN(broadcast.sa);
|
||||||
} else {
|
} else {
|
||||||
if(origpriority == -1)
|
if(origpriority == -1)
|
||||||
origpriority = 0;
|
origpriority = 0;
|
||||||
|
|
|
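Review bot: The new `if(len > sizeof outpkt.data) return;` in receive_tcppacket drops an oversized forwarded packet without leaving any trace, yet a peer sending more than fits in a vpn_packet_t is a protocol violation (the CVE-2013-1428 case this release addresses) that operators will want to see; a log line before the return, e.g. `logger(LOG_WARNING, "Got too long packet from %s (%s)", c->name, c->hostname);`, makes the event visible. `len` is a signed int compared against a size_t, which rejects a negative value only because it converts to a huge unsigned number; `if(len < 0 || len > sizeof outpkt.data)` states the intent and avoids the sign-compare warning. The rest of receive_tcppacket continues outside the hunk.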
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
net_setup.c -- Setup.
|
net_setup.c -- Setup.
|
||||||
Copyright (C) 1998-2005 Ivo Timmermans,
|
Copyright (C) 1998-2005 Ivo Timmermans,
|
||||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
2006 Scott Lamb <slamb@slamb.org>
|
2006 Scott Lamb <slamb@slamb.org>
|
||||||
2010 Brandon Black <blblack@gmail.com>
|
2010 Brandon Black <blblack@gmail.com>
|
||||||
|
|
||||||
|
@ -55,7 +55,8 @@ proxytype_t proxytype;
|
||||||
|
|
||||||
bool read_rsa_public_key(connection_t *c) {
|
bool read_rsa_public_key(connection_t *c) {
|
||||||
FILE *fp;
|
FILE *fp;
|
||||||
char *fname;
|
char *pubname;
|
||||||
|
char *hcfname;
|
||||||
char *key;
|
char *key;
|
||||||
|
|
||||||
if(!c->rsa_key) {
|
if(!c->rsa_key) {
|
||||||
|
@ -66,7 +67,10 @@ bool read_rsa_public_key(connection_t *c) {
|
||||||
/* First, check for simple PublicKey statement */
|
/* First, check for simple PublicKey statement */
|
||||||
|
|
||||||
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
|
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
|
||||||
BN_hex2bn(&c->rsa_key->n, key);
|
if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
|
||||||
|
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
BN_hex2bn(&c->rsa_key->e, "FFFF");
|
BN_hex2bn(&c->rsa_key->e, "FFFF");
|
||||||
free(key);
|
free(key);
|
||||||
return true;
|
return true;
|
||||||
|
@ -74,80 +78,79 @@ bool read_rsa_public_key(connection_t *c) {
|
||||||
|
|
||||||
/* Else, check for PublicKeyFile statement and read it */
|
/* Else, check for PublicKeyFile statement and read it */
|
||||||
|
|
||||||
if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) {
|
if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &pubname)) {
|
||||||
fp = fopen(fname, "r");
|
fp = fopen(pubname, "r");
|
||||||
|
|
||||||
if(!fp) {
|
if(!fp) {
|
||||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
|
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
|
||||||
fname, strerror(errno));
|
free(pubname);
|
||||||
free(fname);
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
free(fname);
|
|
||||||
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
|
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
|
|
||||||
if(c->rsa_key)
|
if(c->rsa_key) {
|
||||||
|
free(pubname);
|
||||||
return true; /* Woohoo. */
|
return true; /* Woohoo. */
|
||||||
|
}
|
||||||
|
|
||||||
/* If it fails, try PEM_read_RSA_PUBKEY. */
|
/* If it fails, try PEM_read_RSA_PUBKEY. */
|
||||||
fp = fopen(fname, "r");
|
fp = fopen(pubname, "r");
|
||||||
|
|
||||||
if(!fp) {
|
if(!fp) {
|
||||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
|
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
|
||||||
fname, strerror(errno));
|
free(pubname);
|
||||||
free(fname);
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
free(fname);
|
|
||||||
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
|
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
|
|
||||||
if(c->rsa_key) {
|
if(c->rsa_key) {
|
||||||
// RSA_blinding_on(c->rsa_key, NULL);
|
// RSA_blinding_on(c->rsa_key, NULL);
|
||||||
|
free(pubname);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s",
|
logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", pubname, strerror(errno));
|
||||||
fname, strerror(errno));
|
free(pubname);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Else, check if a harnessed public key is in the config file */
|
/* Else, check if a harnessed public key is in the config file */
|
||||||
|
|
||||||
xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
|
xasprintf(&hcfname, "%s/hosts/%s", confbase, c->name);
|
||||||
fp = fopen(fname, "r");
|
fp = fopen(hcfname, "r");
|
||||||
|
|
||||||
if(!fp) {
|
if(!fp) {
|
||||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
|
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
|
||||||
free(fname);
|
free(hcfname);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
|
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
free(fname);
|
|
||||||
|
|
||||||
if(c->rsa_key)
|
if(c->rsa_key) {
|
||||||
|
free(hcfname);
|
||||||
return true;
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
/* Try again with PEM_read_RSA_PUBKEY. */
|
/* Try again with PEM_read_RSA_PUBKEY. */
|
||||||
|
|
||||||
xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
|
fp = fopen(hcfname, "r");
|
||||||
fp = fopen(fname, "r");
|
|
||||||
|
|
||||||
if(!fp) {
|
if(!fp) {
|
||||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
|
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
|
||||||
free(fname);
|
free(hcfname);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
free(hcfname);
|
||||||
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
|
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
|
||||||
// RSA_blinding_on(c->rsa_key, NULL);
|
// RSA_blinding_on(c->rsa_key, NULL);
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
free(fname);
|
|
||||||
|
|
||||||
if(c->rsa_key)
|
if(c->rsa_key)
|
||||||
return true;
|
return true;
|
||||||
|
@ -160,7 +163,6 @@ bool read_rsa_public_key(connection_t *c) {
|
||||||
static bool read_rsa_private_key(void) {
|
static bool read_rsa_private_key(void) {
|
||||||
FILE *fp;
|
FILE *fp;
|
||||||
char *fname, *key, *pubkey;
|
char *fname, *key, *pubkey;
|
||||||
struct stat s;
|
|
||||||
|
|
||||||
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
|
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
|
||||||
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
|
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
|
||||||
|
@ -169,8 +171,14 @@ static bool read_rsa_private_key(void) {
|
||||||
}
|
}
|
||||||
myself->connection->rsa_key = RSA_new();
|
myself->connection->rsa_key = RSA_new();
|
||||||
// RSA_blinding_on(myself->connection->rsa_key, NULL);
|
// RSA_blinding_on(myself->connection->rsa_key, NULL);
|
||||||
BN_hex2bn(&myself->connection->rsa_key->d, key);
|
if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
|
||||||
BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
|
logger(LOG_ERR, "Invalid PrivateKey for myself!");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
|
||||||
|
logger(LOG_ERR, "Invalid PublicKey for myself!");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
|
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
|
||||||
free(key);
|
free(key);
|
||||||
free(pubkey);
|
free(pubkey);
|
||||||
|
@ -190,6 +198,8 @@ static bool read_rsa_private_key(void) {
|
||||||
}
|
}
|
||||||
|
|
||||||
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
|
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
|
||||||
|
struct stat s;
|
||||||
|
|
||||||
if(fstat(fileno(fp), &s)) {
|
if(fstat(fileno(fp), &s)) {
|
||||||
logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
|
logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
|
||||||
fname, strerror(errno));
|
fname, strerror(errno));
|
||||||
|
@ -290,7 +300,7 @@ char *get_name(void) {
|
||||||
fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
|
fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
envname = alloca(32);
|
char envname[32];
|
||||||
if(gethostname(envname, 32)) {
|
if(gethostname(envname, 32)) {
|
||||||
fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
|
fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
|
||||||
return false;
|
return false;
|
||||||
|
|
|
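Review bot: The new BN_hex2bn validation in read_rsa_public_key returns false without freeing `key`, while the success path just below it does; the two new checks in read_rsa_private_key likewise leave `key`, `pubkey` and the freshly allocated rsa_key unreleased, and `key` there is the hex-encoded private exponent, so that failure path should at least free it, ideally after wiping it. The comparison against strlen(key) also passes for an empty string, since BN_hex2bn returns 0 for "" and strlen("") is 0, leaving `n` or `d` unset; if get_config_string can hand back an empty value, a `!*key` guard is needed. For the public-key case that would be `if(!*key || BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) { logger(LOG_ERR, "Invalid PublicKey for %s!", c->name); free(key); return false; }`. Both functions continue outside their hunks.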
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
net_socket.c -- Handle various kinds of sockets.
|
net_socket.c -- Handle various kinds of sockets.
|
||||||
Copyright (C) 1998-2005 Ivo Timmermans,
|
Copyright (C) 1998-2005 Ivo Timmermans,
|
||||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
2006 Scott Lamb <slamb@slamb.org>
|
2006 Scott Lamb <slamb@slamb.org>
|
||||||
2009 Florian Forster <octo@verplant.org>
|
2009 Florian Forster <octo@verplant.org>
|
||||||
|
|
||||||
|
@ -64,7 +64,7 @@ static void configure_tcp(connection_t *c) {
|
||||||
unsigned long arg = 1;
|
unsigned long arg = 1;
|
||||||
|
|
||||||
if(ioctlsocket(c->socket, FIONBIO, &arg) != 0) {
|
if(ioctlsocket(c->socket, FIONBIO, &arg) != 0) {
|
||||||
logger(LOG_ERR, "ioctlsocket for %s: %d", c->hostname, sockstrerror(sockerrno));
|
logger(LOG_ERR, "ioctlsocket for %s: %s", c->hostname, sockstrerror(sockerrno));
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -294,9 +294,6 @@ void retry_outgoing(outgoing_t *outgoing) {
|
||||||
void finish_connecting(connection_t *c) {
|
void finish_connecting(connection_t *c) {
|
||||||
ifdebug(CONNECTIONS) logger(LOG_INFO, "Connected to %s (%s)", c->name, c->hostname);
|
ifdebug(CONNECTIONS) logger(LOG_INFO, "Connected to %s (%s)", c->name, c->hostname);
|
||||||
|
|
||||||
if(proxytype != PROXY_EXEC)
|
|
||||||
configure_tcp(c);
|
|
||||||
|
|
||||||
c->last_ping_time = now;
|
c->last_ping_time = now;
|
||||||
|
|
||||||
send_id(c);
|
send_id(c);
|
||||||
|
@ -419,6 +416,7 @@ begin:
|
||||||
goto begin;
|
goto begin;
|
||||||
ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport);
|
ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport);
|
||||||
c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP);
|
c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP);
|
||||||
|
configure_tcp(c);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(c->socket == -1) {
|
if(c->socket == -1) {
|
||||||
|
|
|
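Review bot: In the proxy branch of the outgoing-connection hunk, the added `configure_tcp(c);` runs right after `socket()` and before the `if(c->socket == -1)` check that follows it, so on socket creation failure it operates on fd -1 and produces misleading error lines (the first hunk shows configure_tcp logging ioctlsocket failures) ahead of the real one. Guarding it, `if(c->socket != -1) configure_tcp(c);`, or moving the call below the failure check keeps the log attributable to the actual error. Dropping the call from finish_connecting is sound only if the non-proxy path in do_outgoing_connection configures the socket itself; that code is outside the hunk.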
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
process.c -- process management functions
|
process.c -- process management functions
|
||||||
Copyright (C) 1999-2005 Ivo Timmermans,
|
Copyright (C) 1999-2005 Ivo Timmermans,
|
||||||
2000-2011 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -47,8 +47,6 @@ extern bool use_logfile;
|
||||||
static sigset_t emptysigset;
|
static sigset_t emptysigset;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int saved_debug_level = -1;
|
|
||||||
|
|
||||||
static void memory_full(int size) {
|
static void memory_full(int size) {
|
||||||
logger(LOG_ERR, "Memory exhausted (couldn't allocate %d bytes), exitting.", size);
|
logger(LOG_ERR, "Memory exhausted (couldn't allocate %d bytes), exitting.", size);
|
||||||
exit(1);
|
exit(1);
|
||||||
|
@ -167,7 +165,7 @@ DWORD WINAPI controlhandler(DWORD request, DWORD type, LPVOID boe, LPVOID bah) {
|
||||||
logger(LOG_NOTICE, "Got %s request", "SERVICE_CONTROL_SHUTDOWN");
|
logger(LOG_NOTICE, "Got %s request", "SERVICE_CONTROL_SHUTDOWN");
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
logger(LOG_WARNING, "Got unexpected request %d", request);
|
logger(LOG_WARNING, "Got unexpected request %d", (int)request);
|
||||||
return ERROR_CALL_NOT_IMPLEMENTED;
|
return ERROR_CALL_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -187,10 +185,8 @@ DWORD WINAPI controlhandler(DWORD request, DWORD type, LPVOID boe, LPVOID bah) {
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
|
VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
|
||||||
int err = 1;
|
|
||||||
extern int main2(int argc, char **argv);
|
extern int main2(int argc, char **argv);
|
||||||
|
|
||||||
|
|
||||||
status.dwServiceType = SERVICE_WIN32;
|
status.dwServiceType = SERVICE_WIN32;
|
||||||
status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
|
status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
|
||||||
status.dwWin32ExitCode = 0;
|
status.dwWin32ExitCode = 0;
|
||||||
|
@ -201,7 +197,6 @@ VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
|
||||||
|
|
||||||
if (!statushandle) {
|
if (!statushandle) {
|
||||||
logger(LOG_ERR, "System call `%s' failed: %s", "RegisterServiceCtrlHandlerEx", winerror(GetLastError()));
|
logger(LOG_ERR, "System call `%s' failed: %s", "RegisterServiceCtrlHandlerEx", winerror(GetLastError()));
|
||||||
err = 1;
|
|
||||||
} else {
|
} else {
|
||||||
status.dwWaitHint = 30000;
|
status.dwWaitHint = 30000;
|
||||||
status.dwCurrentState = SERVICE_START_PENDING;
|
status.dwCurrentState = SERVICE_START_PENDING;
|
||||||
|
@ -211,11 +206,10 @@ VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
|
||||||
status.dwCurrentState = SERVICE_RUNNING;
|
status.dwCurrentState = SERVICE_RUNNING;
|
||||||
SetServiceStatus(statushandle, &status);
|
SetServiceStatus(statushandle, &status);
|
||||||
|
|
||||||
err = main2(argc, argv);
|
main2(argc, argv);
|
||||||
|
|
||||||
status.dwWaitHint = 0;
|
status.dwWaitHint = 0;
|
||||||
status.dwCurrentState = SERVICE_STOPPED;
|
status.dwCurrentState = SERVICE_STOPPED;
|
||||||
//status.dwWin32ExitCode = err;
|
|
||||||
SetServiceStatus(statushandle, &status);
|
SetServiceStatus(statushandle, &status);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -358,6 +352,7 @@ bool execute_script(const char *name, char **envp) {
|
||||||
int status, len;
|
int status, len;
|
||||||
char *scriptname;
|
char *scriptname;
|
||||||
int i;
|
int i;
|
||||||
|
char *interpreter = NULL;
|
||||||
|
|
||||||
#ifndef HAVE_MINGW
|
#ifndef HAVE_MINGW
|
||||||
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
|
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
|
||||||
|
@ -369,14 +364,22 @@ bool execute_script(const char *name, char **envp) {
|
||||||
|
|
||||||
scriptname[len - 1] = '\0';
|
scriptname[len - 1] = '\0';
|
||||||
|
|
||||||
#ifndef HAVE_TUNEMU
|
|
||||||
/* First check if there is a script */
|
/* First check if there is a script */
|
||||||
|
|
||||||
if(access(scriptname + 1, F_OK)) {
|
if(access(scriptname + 1, F_OK)) {
|
||||||
free(scriptname);
|
free(scriptname);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
// Custom scripts interpreter
|
||||||
|
if(get_config_string(lookup_config(config_tree, "ScriptsInterpreter"), &interpreter)) {
|
||||||
|
// Force custom scripts interpreter allowing execution of scripts on android without execution flag (such as on /sdcard)
|
||||||
|
free(scriptname);
|
||||||
|
len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name);
|
||||||
|
free(interpreter);
|
||||||
|
if(len < 0)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name);
|
ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name);
|
||||||
|
|
||||||
|
@ -404,8 +407,8 @@ bool execute_script(const char *name, char **envp) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WEXITSTATUS
|
|
||||||
if(status != -1) {
|
if(status != -1) {
|
||||||
|
#ifdef WEXITSTATUS
|
||||||
if(WIFEXITED(status)) { /* Child exited by itself */
|
if(WIFEXITED(status)) { /* Child exited by itself */
|
||||||
if(WEXITSTATUS(status)) {
|
if(WEXITSTATUS(status)) {
|
||||||
logger(LOG_ERR, "Script %s exited with non-zero status %d",
|
logger(LOG_ERR, "Script %s exited with non-zero status %d",
|
||||||
|
@ -420,11 +423,11 @@ bool execute_script(const char *name, char **envp) {
|
||||||
logger(LOG_ERR, "Script %s terminated abnormally", name);
|
logger(LOG_ERR, "Script %s terminated abnormally", name);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
} else {
|
} else {
|
||||||
logger(LOG_ERR, "System call `%s' failed: %s", "system", strerror(errno));
|
logger(LOG_ERR, "System call `%s' failed: %s", "system", strerror(errno));
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
#endif
|
#endif
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -485,6 +488,8 @@ static RETSIGTYPE sighup_handler(int a) {
|
||||||
}
|
}
|
||||||
|
|
||||||
static RETSIGTYPE sigint_handler(int a) {
|
static RETSIGTYPE sigint_handler(int a) {
|
||||||
|
static int saved_debug_level = -1;
|
||||||
|
|
||||||
logger(LOG_NOTICE, "Got %s signal", "INT");
|
logger(LOG_NOTICE, "Got %s signal", "INT");
|
||||||
|
|
||||||
if(saved_debug_level != -1) {
|
if(saved_debug_level != -1) {
|
||||||
|
|
|
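Review bot: The new ScriptsInterpreter branch in execute_script places the configured interpreter string unquoted in front of the quoted script path, and the result is later handed to system() (the "System call `system' failed" message further down shows the call), so the interpreter value is parsed by the shell; that is acceptable only because it comes from the local configuration, and a comment should record that trust assumption, e.g. `// ScriptsInterpreter comes from the trusted local config and is passed to the shell unquoted.` The `free(scriptname)` before the second xasprintf leaves `scriptname` dangling if xasprintf fails, which is harmless only because of the immediate `return false`; `scriptname = NULL` after the free would make that robust against later edits. execute_script continues outside the hunks.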
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
protocol.c -- handle the meta-protocol, basic functions
|
protocol.c -- handle the meta-protocol, basic functions
|
||||||
Copyright (C) 1999-2005 Ivo Timmermans,
|
Copyright (C) 1999-2005 Ivo Timmermans,
|
||||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -125,7 +125,7 @@ void forward_request(connection_t *from) {
|
||||||
bool receive_request(connection_t *c) {
|
bool receive_request(connection_t *c) {
|
||||||
int request;
|
int request;
|
||||||
|
|
||||||
if(proxytype == PROXY_HTTP && c->allow_request == ID) {
|
if(c->outgoing && proxytype == PROXY_HTTP && c->allow_request == ID) {
|
||||||
if(!c->buffer[0] || c->buffer[0] == '\r')
|
if(!c->buffer[0] || c->buffer[0] == '\r')
|
||||||
return true;
|
return true;
|
||||||
if(!strncasecmp(c->buffer, "HTTP/1.1 ", 9)) {
|
if(!strncasecmp(c->buffer, "HTTP/1.1 ", 9)) {
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
protocol_auth.c -- handle the meta-protocol, authentication
|
protocol_auth.c -- handle the meta-protocol, authentication
|
||||||
Copyright (C) 1999-2005 Ivo Timmermans,
|
Copyright (C) 1999-2005 Ivo Timmermans,
|
||||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -126,7 +126,7 @@ static bool send_proxyrequest(connection_t *c) {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool send_id(connection_t *c) {
|
bool send_id(connection_t *c) {
|
||||||
if(proxytype)
|
if(proxytype && c->outgoing)
|
||||||
if(!send_proxyrequest(c))
|
if(!send_proxyrequest(c))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -244,8 +244,8 @@ bool send_metakey(connection_t *c) {
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if(RSA_public_encrypt(len, (unsigned char *)c->outkey, (unsigned char *)buffer, c->rsa_key, RSA_NO_PADDING) != len) {
|
if(RSA_public_encrypt(len, (unsigned char *)c->outkey, (unsigned char *)buffer, c->rsa_key, RSA_NO_PADDING) != len) {
|
||||||
logger(LOG_ERR, "Error during encryption of meta key for %s (%s)",
|
logger(LOG_ERR, "Error during encryption of meta key for %s (%s): %s",
|
||||||
c->name, c->hostname);
|
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -308,13 +308,16 @@ bool metakey_h(connection_t *c) {
|
||||||
|
|
||||||
/* Convert the challenge from hexadecimal back to binary */
|
/* Convert the challenge from hexadecimal back to binary */
|
||||||
|
|
||||||
hex2bin(buffer, buffer, len);
|
if(!hex2bin(buffer, buffer, len)) {
|
||||||
|
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "METAKEY", c->name, c->hostname, "invalid key");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/* Decrypt the meta key */
|
/* Decrypt the meta key */
|
||||||
|
|
||||||
if(RSA_private_decrypt(len, (unsigned char *)buffer, (unsigned char *)c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */
|
if(RSA_private_decrypt(len, (unsigned char *)buffer, (unsigned char *)c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */
|
||||||
logger(LOG_ERR, "Error during decryption of meta key for %s (%s)",
|
logger(LOG_ERR, "Error during decryption of meta key for %s (%s): %s",
|
||||||
c->name, c->hostname);
|
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -426,7 +429,10 @@ bool challenge_h(connection_t *c) {
|
||||||
|
|
||||||
/* Convert the challenge from hexadecimal back to binary */
|
/* Convert the challenge from hexadecimal back to binary */
|
||||||
|
|
||||||
hex2bin(buffer, c->mychallenge, len);
|
if(!hex2bin(buffer, c->mychallenge, len)) {
|
||||||
|
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHALLENGE", c->name, c->hostname, "invalid challenge");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
c->allow_request = CHAL_REPLY;
|
c->allow_request = CHAL_REPLY;
|
||||||
|
|
||||||
|
@ -480,7 +486,10 @@ bool chal_reply_h(connection_t *c) {
|
||||||
|
|
||||||
/* Convert the hash to binary format */
|
/* Convert the hash to binary format */
|
||||||
|
|
||||||
hex2bin(hishash, hishash, c->outdigest->md_size);
|
if(!hex2bin(hishash, hishash, c->outdigest->md_size)) {
|
||||||
|
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/* Calculate the hash from the challenge we sent */
|
/* Calculate the hash from the challenge we sent */
|
||||||
|
|
||||||
|
|
|
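Review bot: The `ERR_error_string(ERR_get_error(), NULL)` added to the failure messages in send_metakey and metakey_h takes the oldest entry of OpenSSL's error queue without clearing it, so a stale error left by an earlier call can be reported against this RSA operation, and an empty queue yields an uninformative all-zero error string; calling `ERR_clear_error()` before the RSA_public_encrypt/RSA_private_decrypt call, or draining the queue with `ERR_print_errors_cb`, keeps the diagnostic accurate. The three new hex2bin checks in metakey_h, challenge_h and chal_reply_h correctly turn malformed hex into a failed handshake; they rely on the earlier validation of the received string's length against the destination buffer, which is outside these hunks. All of these functions continue outside the hunks.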
@ -240,10 +240,16 @@ bool ans_key_h(connection_t *c) {
|
||||||
return send_request(to->nexthop->connection, "%s", c->buffer);
|
return send_request(to->nexthop->connection, "%s", c->buffer);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Don't use key material until every check has passed. */
|
||||||
|
from->status.validkey = false;
|
||||||
|
|
||||||
/* Update our copy of the origin's packet key */
|
/* Update our copy of the origin's packet key */
|
||||||
from->outkey = xrealloc(from->outkey, strlen(key) / 2);
|
from->outkey = xrealloc(from->outkey, strlen(key) / 2);
|
||||||
from->outkeylength = strlen(key) / 2;
|
from->outkeylength = strlen(key) / 2;
|
||||||
hex2bin(key, from->outkey, from->outkeylength);
|
if(!hex2bin(key, from->outkey, from->outkeylength)) {
|
||||||
|
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "ANS_KEY", from->name, from->hostname, "invalid key");
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
/* Check and lookup cipher and digest algorithms */
|
/* Check and lookup cipher and digest algorithms */
|
||||||
|
|
||||||
|
|
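Review bot: The new hex2bin check in ans_key_h validates the decoded bytes, but the length is taken from `strlen(key) / 2` on the preceding lines with no check that the string has an even, non-zero length; an odd trailing hex digit is dropped silently, and an empty key yields `xrealloc(from->outkey, 0)` with `outkeylength` 0 (whether hex2bin itself rejects either case depends on its definition, which is outside the hunk). A guard before the realloc, `if(!*key || strlen(key) % 2) { logger(LOG_ERR, "Got bad %s from %s(%s): %s", "ANS_KEY", from->name, from->hostname, "invalid key"); return true; }`, closes that. Returning true on a bad key deliberately keeps the meta-connection open while `validkey` stays false, which is sound as long as every later path that sets `validkey = true` (outside the hunk) runs only after all checks have passed.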
112
src/route.c
112
src/route.c
|
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
route.c -- routing
|
route.c -- routing
|
||||||
Copyright (C) 2000-2005 Ivo Timmermans,
|
Copyright (C) 2000-2005 Ivo Timmermans,
|
||||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -110,15 +110,22 @@ static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *pac
|
||||||
mtu = via->mtu;
|
mtu = via->mtu;
|
||||||
|
|
||||||
/* Find TCP header */
|
/* Find TCP header */
|
||||||
int start = 0;
|
int start = ether_size;
|
||||||
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
||||||
|
|
||||||
if(type == ETH_P_IP && packet->data[23] == 6)
|
if(type == ETH_P_8021Q) {
|
||||||
start = 14 + (packet->data[14] & 0xf) * 4;
|
start += 4;
|
||||||
else if(type == ETH_P_IPV6 && packet->data[20] == 6)
|
type = packet->data[16] << 8 | packet->data[17];
|
||||||
start = 14 + 40;
|
}
|
||||||
|
|
||||||
if(!start || packet->len <= start + 20)
|
if(type == ETH_P_IP && packet->data[start + 9] == 6)
|
||||||
|
start += (packet->data[start] & 0xf) * 4;
|
||||||
|
else if(type == ETH_P_IPV6 && packet->data[start + 6] == 6)
|
||||||
|
start += 40;
|
||||||
|
else
|
||||||
|
return;
|
||||||
|
|
||||||
|
if(packet->len <= start + 20)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
/* Use data offset field to calculate length of options field */
|
/* Use data offset field to calculate length of options field */
|
||||||
|
@ -244,7 +251,7 @@ void age_subnets(void) {
|
||||||
|
|
||||||
/* RFC 792 */
|
/* RFC 792 */
|
||||||
|
|
||||||
static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, uint8_t type, uint8_t code) {
|
static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
|
||||||
struct ip ip = {0};
|
struct ip ip = {0};
|
||||||
struct icmp icmp = {0};
|
struct icmp icmp = {0};
|
||||||
|
|
||||||
|
@ -317,7 +324,7 @@ static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, uint8_t
|
||||||
|
|
||||||
/* RFC 791 */
|
/* RFC 791 */
|
||||||
|
|
||||||
static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet) {
|
static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t ether_size) {
|
||||||
struct ip ip;
|
struct ip ip;
|
||||||
vpn_packet_t fragment;
|
vpn_packet_t fragment;
|
||||||
int len, maxlen, todo;
|
int len, maxlen, todo;
|
||||||
|
@ -333,7 +340,7 @@ static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet) {
|
||||||
todo = ntohs(ip.ip_len) - ip_size;
|
todo = ntohs(ip.ip_len) - ip_size;
|
||||||
|
|
||||||
if(ether_size + ip_size + todo != packet->len) {
|
if(ether_size + ip_size + todo != packet->len) {
|
||||||
ifdebug(TRAFFIC) logger(LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%zd)", packet->len, ether_size + ip_size + todo);
|
ifdebug(TRAFFIC) logger(LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -381,7 +388,7 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
|
||||||
dest.x[2],
|
dest.x[2],
|
||||||
dest.x[3]);
|
dest.x[3]);
|
||||||
|
|
||||||
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
|
route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -391,10 +398,10 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!subnet->owner->status.reachable)
|
if(!subnet->owner->status.reachable)
|
||||||
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
|
return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
|
||||||
|
|
||||||
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||||
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
||||||
|
|
||||||
if(priorityinheritance)
|
if(priorityinheritance)
|
||||||
packet->priority = packet->data[15];
|
packet->priority = packet->data[15];
|
||||||
|
@ -407,15 +414,15 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if(directonly && subnet->owner != via)
|
if(directonly && subnet->owner != via)
|
||||||
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
||||||
|
|
||||||
if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
|
if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
|
||||||
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
||||||
if(packet->data[20] & 0x40) {
|
if(packet->data[20] & 0x40) {
|
||||||
packet->len = MAX(via->mtu, 590);
|
packet->len = MAX(via->mtu, 590);
|
||||||
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
|
route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
|
||||||
} else {
|
} else {
|
||||||
fragment_ipv4_packet(via, packet);
|
fragment_ipv4_packet(via, packet, ether_size);
|
||||||
}
|
}
|
||||||
|
|
||||||
return;
|
return;
|
||||||
|
@ -442,7 +449,7 @@ static void route_ipv4(node_t *source, vpn_packet_t *packet) {
|
||||||
|
|
||||||
/* RFC 2463 */
|
/* RFC 2463 */
|
||||||
|
|
||||||
static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, uint8_t type, uint8_t code) {
|
static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
|
||||||
struct ip6_hdr ip6;
|
struct ip6_hdr ip6;
|
||||||
struct icmp6_hdr icmp6 = {0};
|
struct icmp6_hdr icmp6 = {0};
|
||||||
uint16_t checksum;
|
uint16_t checksum;
|
||||||
|
@ -540,7 +547,7 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
|
||||||
ntohs(dest.x[6]),
|
ntohs(dest.x[6]),
|
||||||
ntohs(dest.x[7]));
|
ntohs(dest.x[7]));
|
||||||
|
|
||||||
route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
|
route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -550,10 +557,10 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!subnet->owner->status.reachable)
|
if(!subnet->owner->status.reachable)
|
||||||
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
|
return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
|
||||||
|
|
||||||
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||||
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
||||||
|
|
||||||
via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
||||||
|
|
||||||
|
@ -563,12 +570,12 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if(directonly && subnet->owner != via)
|
if(directonly && subnet->owner != via)
|
||||||
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
||||||
|
|
||||||
if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
|
if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
|
||||||
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
||||||
packet->len = MAX(via->mtu, 1294);
|
packet->len = MAX(via->mtu, 1294);
|
||||||
route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0);
|
route_ipv6_unreachable(source, packet, ether_size, ICMP6_PACKET_TOO_BIG, 0);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -829,6 +836,11 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
|
||||||
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
||||||
|
|
||||||
|
if(priorityinheritance && type == ETH_P_IP && packet->len >= ether_size + ip_size)
|
||||||
|
packet->priority = packet->data[15];
|
||||||
|
|
||||||
// Handle packets larger than PMTU
|
// Handle packets larger than PMTU
|
||||||
|
|
||||||
node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
||||||
|
@ -838,18 +850,24 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
|
||||||
|
|
||||||
if(via && packet->len > via->mtu && via != myself) {
|
if(via && packet->len > via->mtu && via != myself) {
|
||||||
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
||||||
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
length_t ethlen = 14;
|
||||||
if(type == ETH_P_IP && packet->len > 590) {
|
|
||||||
if(packet->data[20] & 0x40) {
|
if(type == ETH_P_8021Q) {
|
||||||
|
type = packet->data[16] << 8 | packet->data[17];
|
||||||
|
ethlen += 4;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(type == ETH_P_IP && packet->len > 576 + ethlen) {
|
||||||
|
if(packet->data[6 + ethlen] & 0x40) {
|
||||||
packet->len = via->mtu;
|
packet->len = via->mtu;
|
||||||
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
|
route_ipv4_unreachable(source, packet, ethlen, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
|
||||||
} else {
|
} else {
|
||||||
fragment_ipv4_packet(via, packet);
|
fragment_ipv4_packet(via, packet, ethlen);
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
} else if(type == ETH_P_IPV6 && packet->len > 1294) {
|
} else if(type == ETH_P_IPV6 && packet->len > 1280 + ethlen) {
|
||||||
packet->len = via->mtu;
|
packet->len = via->mtu;
|
||||||
route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0);
|
route_ipv6_unreachable(source, packet, ethlen, ICMP6_PACKET_TOO_BIG, 0);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -861,42 +879,48 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
|
||||||
|
|
||||||
static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
|
static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
|
||||||
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
||||||
|
length_t ethlen = ether_size;
|
||||||
|
|
||||||
|
if(type == ETH_P_8021Q) {
|
||||||
|
type = packet->data[16] << 8 | packet->data[17];
|
||||||
|
ethlen += 4;
|
||||||
|
}
|
||||||
|
|
||||||
switch (type) {
|
switch (type) {
|
||||||
case ETH_P_IP:
|
case ETH_P_IP:
|
||||||
if(!checklength(source, packet, 14 + 32))
|
if(!checklength(source, packet, ethlen + ip_size))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if(packet->data[22] < 1) {
|
if(packet->data[ethlen + 8] < 1) {
|
||||||
if(packet->data[25] != IPPROTO_ICMP || packet->data[46] != ICMP_TIME_EXCEEDED)
|
if(packet->data[ethlen + 11] != IPPROTO_ICMP || packet->data[ethlen + 32] != ICMP_TIME_EXCEEDED)
|
||||||
route_ipv4_unreachable(source, packet, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
|
route_ipv4_unreachable(source, packet, ethlen, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
uint16_t old = packet->data[22] << 8 | packet->data[23];
|
uint16_t old = packet->data[ethlen + 8] << 8 | packet->data[ethlen + 9];
|
||||||
packet->data[22]--;
|
packet->data[ethlen + 8]--;
|
||||||
uint16_t new = packet->data[22] << 8 | packet->data[23];
|
uint16_t new = packet->data[ethlen + 8] << 8 | packet->data[ethlen + 9];
|
||||||
|
|
||||||
uint32_t checksum = packet->data[24] << 8 | packet->data[25];
|
uint32_t checksum = packet->data[ethlen + 10] << 8 | packet->data[ethlen + 11];
|
||||||
checksum += old + (~new & 0xFFFF);
|
checksum += old + (~new & 0xFFFF);
|
||||||
while(checksum >> 16)
|
while(checksum >> 16)
|
||||||
checksum = (checksum & 0xFFFF) + (checksum >> 16);
|
checksum = (checksum & 0xFFFF) + (checksum >> 16);
|
||||||
packet->data[24] = checksum >> 8;
|
packet->data[ethlen + 10] = checksum >> 8;
|
||||||
packet->data[25] = checksum & 0xff;
|
packet->data[ethlen + 11] = checksum & 0xff;
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
case ETH_P_IPV6:
|
case ETH_P_IPV6:
|
||||||
if(!checklength(source, packet, 14 + 40))
|
if(!checklength(source, packet, ethlen + ip6_size))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if(packet->data[21] < 1) {
|
if(packet->data[ethlen + 7] < 1) {
|
||||||
if(packet->data[20] != IPPROTO_ICMPV6 || packet->data[54] != ICMP6_TIME_EXCEEDED)
|
if(packet->data[ethlen + 6] != IPPROTO_ICMPV6 || packet->data[ethlen + 40] != ICMP6_TIME_EXCEEDED)
|
||||||
route_ipv6_unreachable(source, packet, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
|
route_ipv6_unreachable(source, packet, ethlen, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
packet->data[21]--;
|
packet->data[ethlen + 7]--;
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
|
|
@ -151,6 +151,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
memset(packet->data, 0, 12);
|
||||||
packet->len = lenin + 14;
|
packet->len = lenin + 14;
|
||||||
|
|
||||||
device_total_in += packet->len;
|
device_total_in += packet->len;
|
||||||
|
|
27
src/tincd.c
27
src/tincd.c
|
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
tincd.c -- the main file for tincd
|
tincd.c -- the main file for tincd
|
||||||
Copyright (C) 1998-2005 Ivo Timmermans
|
Copyright (C) 1998-2005 Ivo Timmermans
|
||||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
2008 Max Rijevski <maksuf@gmail.com>
|
2008 Max Rijevski <maksuf@gmail.com>
|
||||||
2009 Michael Tokarev <mjt@tls.msk.ru>
|
2009 Michael Tokarev <mjt@tls.msk.ru>
|
||||||
2010 Julien Muchembled <jm@jmuchemb.eu>
|
2010 Julien Muchembled <jm@jmuchemb.eu>
|
||||||
|
@ -338,7 +338,7 @@ static bool keygen(int bits) {
|
||||||
RSA *rsa_key;
|
RSA *rsa_key;
|
||||||
FILE *f;
|
FILE *f;
|
||||||
char *name = get_name();
|
char *name = get_name();
|
||||||
char *filename;
|
char *pubname, *privname;
|
||||||
|
|
||||||
fprintf(stderr, "Generating %d bits keys:\n", bits);
|
fprintf(stderr, "Generating %d bits keys:\n", bits);
|
||||||
rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
|
rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
|
||||||
|
@ -349,8 +349,9 @@ static bool keygen(int bits) {
|
||||||
} else
|
} else
|
||||||
fprintf(stderr, "Done.\n");
|
fprintf(stderr, "Done.\n");
|
||||||
|
|
||||||
xasprintf(&filename, "%s/rsa_key.priv", confbase);
|
xasprintf(&privname, "%s/rsa_key.priv", confbase);
|
||||||
f = ask_and_open(filename, "private RSA key");
|
f = ask_and_open(privname, "private RSA key");
|
||||||
|
free(privname);
|
||||||
|
|
||||||
if(!f)
|
if(!f)
|
||||||
return false;
|
return false;
|
||||||
|
@ -363,14 +364,14 @@ static bool keygen(int bits) {
|
||||||
fputc('\n', f);
|
fputc('\n', f);
|
||||||
PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
|
PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
|
||||||
fclose(f);
|
fclose(f);
|
||||||
free(filename);
|
|
||||||
|
|
||||||
if(name)
|
if(name)
|
||||||
xasprintf(&filename, "%s/hosts/%s", confbase, name);
|
xasprintf(&pubname, "%s/hosts/%s", confbase, name);
|
||||||
else
|
else
|
||||||
xasprintf(&filename, "%s/rsa_key.pub", confbase);
|
xasprintf(&pubname, "%s/rsa_key.pub", confbase);
|
||||||
|
|
||||||
f = ask_and_open(filename, "public RSA key");
|
f = ask_and_open(pubname, "public RSA key");
|
||||||
|
free(pubname);
|
||||||
|
|
||||||
if(!f)
|
if(!f)
|
||||||
return false;
|
return false;
|
||||||
|
@ -378,7 +379,6 @@ static bool keygen(int bits) {
|
||||||
fputc('\n', f);
|
fputc('\n', f);
|
||||||
PEM_write_RSAPublicKey(f, rsa_key);
|
PEM_write_RSAPublicKey(f, rsa_key);
|
||||||
fclose(f);
|
fclose(f);
|
||||||
free(filename);
|
|
||||||
free(name);
|
free(name);
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
@ -391,7 +391,7 @@ static void make_names(void) {
|
||||||
#ifdef HAVE_MINGW
|
#ifdef HAVE_MINGW
|
||||||
HKEY key;
|
HKEY key;
|
||||||
char installdir[1024] = "";
|
char installdir[1024] = "";
|
||||||
long len = sizeof(installdir);
|
DWORD len = sizeof(installdir);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if(netname)
|
if(netname)
|
||||||
|
@ -401,7 +401,7 @@ static void make_names(void) {
|
||||||
|
|
||||||
#ifdef HAVE_MINGW
|
#ifdef HAVE_MINGW
|
||||||
if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
|
if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
|
||||||
if(!RegQueryValueEx(key, NULL, 0, 0, installdir, &len)) {
|
if(!RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)) {
|
||||||
if(!logfilename)
|
if(!logfilename)
|
||||||
xasprintf(&logfilename, "%s/log/%s.log", identname);
|
xasprintf(&logfilename, "%s/log/%s.log", identname);
|
||||||
if(!confbase) {
|
if(!confbase) {
|
||||||
|
@ -467,8 +467,11 @@ static bool drop_privs() {
|
||||||
"initgroups", strerror(errno));
|
"initgroups", strerror(errno));
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
#ifndef __ANDROID__
|
||||||
|
// Not supported in android NDK
|
||||||
endgrent();
|
endgrent();
|
||||||
endpwent();
|
endpwent();
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
if (do_chroot) {
|
if (do_chroot) {
|
||||||
tzset(); /* for proper timestamps in logs */
|
tzset(); /* for proper timestamps in logs */
|
||||||
|
@ -510,7 +513,7 @@ int main(int argc, char **argv) {
|
||||||
if(show_version) {
|
if(show_version) {
|
||||||
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
|
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
|
||||||
VERSION, __DATE__, __TIME__, PROT_CURRENT);
|
VERSION, __DATE__, __TIME__, PROT_CURRENT);
|
||||||
printf("Copyright (C) 1998-2012 Ivo Timmermans, Guus Sliepen and others.\n"
|
printf("Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.\n"
|
||||||
"See the AUTHORS file for a complete list.\n\n"
|
"See the AUTHORS file for a complete list.\n\n"
|
||||||
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
|
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
|
||||||
"and you are welcome to redistribute it under certain conditions;\n"
|
"and you are welcome to redistribute it under certain conditions;\n"
|
||||||
|
|
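Review bot: In make_names, the MinGW branch still calls `xasprintf(&logfilename, "%s/log/%s.log", identname);` with two `%s` conversions but only one argument (a context line of the @ -401 hunk that this commit leaves as is); the second conversion consumes a vararg that was never passed, which is undefined behaviour and can produce a garbage or crashing log path right after the registry lookup that this hunk is fixing the `DWORD len` type for. Since the surrounding code has just read `installdir` from the registry, the intended call is presumably `xasprintf(&logfilename, "%s/log/%s.log", installdir, identname);` — worth confirming against the `if(!confbase)` branch below it, which is outside the hunk. Separately, in keygen the two `return false` paths after `ask_and_open` now free `privname`/`pubname` but still drop `name` (freed only at the end of the function), and neither `PEM_write_RSAPrivateKey` nor the following `fclose` has its return value checked, so a short or failed write of the private key file goes unreported; something like `if(!PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL) || fclose(f)) return false;` would surface it. Both make_names and keygen extend beyond the hunks shown here.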