Import Debian changes 1.0.21-1

tinc (1.0.21-1) unstable; urgency=low

  * New upstream release.
    - Includes fix for CVE-2013-1428.
This commit is contained in:
Guus Sliepen 2013-05-05 10:42:33 +02:00
commit e8daab5950
41 changed files with 2394 additions and 11278 deletions

12465
ChangeLog

File diff suppressed because it is too large Load diff

View file

@ -6,7 +6,7 @@ SUBDIRS = m4 lib src doc
ACLOCAL_AMFLAGS = -I m4 ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = have.h system.h COPYING.README EXTRA_DIST = have.h system.h COPYING.README README.android
ChangeLog: ChangeLog:
git log > ChangeLog git log > ChangeLog

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.11.5 from Makefile.am. # Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@ -231,7 +231,7 @@ top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = gnu AUTOMAKE_OPTIONS = gnu
SUBDIRS = m4 lib src doc SUBDIRS = m4 lib src doc
ACLOCAL_AMFLAGS = -I m4 ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = have.h system.h COPYING.README EXTRA_DIST = have.h system.h COPYING.README README.android
all: config.h all: config.h
$(MAKE) $(AM_MAKEFLAGS) all-recursive $(MAKE) $(AM_MAKEFLAGS) all-recursive
@ -544,7 +544,7 @@ distcheck: dist
*.zip*) \ *.zip*) \
unzip $(distdir).zip ;;\ unzip $(distdir).zip ;;\
esac esac
chmod -R a-w $(distdir); chmod a+w $(distdir) chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build mkdir $(distdir)/_build
mkdir $(distdir)/_inst mkdir $(distdir)/_inst
chmod a-w $(distdir) chmod a-w $(distdir)

32
NEWS
View file

@ -1,3 +1,30 @@
Version 1.0.21 April 22 2013
* Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
Thanks to Martin Schobert for auditing tinc and reporting this vulnerability.
Version 1.0.20 March 03 2013
* Use /dev/tap0 by default on FreeBSD and NetBSD when using switch mode.
* Minor improvements and clarifications in the documentation.
* Allow tinc to be cross-compiled with Android's NDK.
* The discovered PMTU is now also applied to VLAN tagged traffic.
* The LocalDiscovery option now makes use of all addresses tinc is bound to.
* Fixed support for tunemu on iOS devices.
* The PriorityInheritance option now also works with switch mode.
* Fixed tinc crashing when using a SOCKS5 proxy.
Thanks to Mesar Hameed, Vilbrekin and Martin Schürrer for their contributions
to this version of tinc.
Version 1.0.19 June 25 2012 Version 1.0.19 June 25 2012
* Allow :: notation in IPv6 Subnets. * Allow :: notation in IPv6 Subnets.
@ -9,6 +36,9 @@ Version 1.0.19 June 25 2012
* Add basic support for SOCKS proxies, HTTP proxies, and proxying through an * Add basic support for SOCKS proxies, HTTP proxies, and proxying through an
external command. external command.
Thanks to Anthony G. Basile and Michael Tokarev for their contributions to
this version of tinc.
Version 1.0.18 March 25 2012 Version 1.0.18 March 25 2012
* Fixed IPv6 in switch mode by turning off DecrementTTL by default. * Fixed IPv6 in switch mode by turning off DecrementTTL by default.
@ -35,6 +65,8 @@ Version 1.0.17 March 10 2012
* Disabling old RSA keys when generating new ones now also works properly on * Disabling old RSA keys when generating new ones now also works properly on
Windows. Windows.
Thanks to Nick Hibma for his contribution to this version of tinc.
Version 1.0.16 July 23 2011 Version 1.0.16 July 23 2011
* Fixed a performance issue with TCP communication under Windows. * Fixed a performance issue with TCP communication under Windows.

10
README
View file

@ -1,7 +1,7 @@
This is the README file for tinc version 1.0.19. Installation This is the README file for tinc version 1.0.21. Installation
instructions may be found in the INSTALL file. instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2012 by: tinc is Copyright (C) 1998-2013 by:
Ivo Timmermans, Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>, Guus Sliepen <guus@tinc-vpn.org>,
@ -36,8 +36,8 @@ writeup describing various security issues in several VPN daemons. He showed
that tinc lacks perfect forward security, the connection authentication could that tinc lacks perfect forward security, the connection authentication could
be done more properly, that the sequence number we use as an IV is not the best be done more properly, that the sequence number we use as an IV is not the best
practice and that the default length of the HMAC for packets is too short in practice and that the default length of the HMAC for packets is too short in
his opinion. We do not know of a way to exploit these weaknesses, but we will his opinion. We do not know of a way to exploit these weaknesses, but these
address these issues in tinc 2.0. issues are being addressed in the tinc 1.1 branch.
Cryptography is a hard thing to get right. We cannot make any Cryptography is a hard thing to get right. We cannot make any
guarantees. Time, review and feedback are the only things that can guarantees. Time, review and feedback are the only things that can
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility Compatibility
------------- -------------
Version 1.0.19 is compatible with 1.0pre8, 1.0 and later, but not with older Version 1.0.21 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc. versions of tinc.

20
README.android Normal file
View file

@ -0,0 +1,20 @@
Quick how-o cross compile tinc for android (done from $HOME/android/):
- Download android NDK and setup local ARM toolchain:
wget http://dl.google.com/android/ndk/android-ndk-r8b-linux-x86.tar.bz2
tar xfj android-ndk-r8b-linux-x86.tar.bz2
./android-ndk-r8b/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
- Download and cross-compile openSSL for ARM:
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
tar xfz openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
./Configure dist
make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
- Clone and cross-compile tinc:
git clone git://tinc-vpn.org/tinc
cd tinc
autoreconf -fsi
CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1c --with-openssl-include=$HOME/android/openssl-1.0.1c/include/
make -j5

7
THANKS
View file

@ -7,6 +7,7 @@ We would like to thank the following people for their contributions to tinc:
* Armijn Hemel * Armijn Hemel
* Brandon Black * Brandon Black
* Cris van Pelt * Cris van Pelt
* Darius Jahandarie
* Delf Eldkraft * Delf Eldkraft
* dnk * dnk
* Enrique Zanardi * Enrique Zanardi
@ -17,6 +18,7 @@ We would like to thank the following people for their contributions to tinc:
* James MacLean * James MacLean
* Jamie Briggs * Jamie Briggs
* Jason Harper * Jason Harper
* Jelle de Jong
* Jeroen Ubbink * Jeroen Ubbink
* Jerome Etienne * Jerome Etienne
* Julien Muchembled * Julien Muchembled
@ -27,14 +29,18 @@ We would like to thank the following people for their contributions to tinc:
* Mark Glines * Mark Glines
* Markus Goetz * Markus Goetz
* Martin Kihlgren * Martin Kihlgren
* Martin Schobert
* Martin Schürrer
* Matias Carrasco * Matias Carrasco
* Max Rijevski * Max Rijevski
* Menno Smits * Menno Smits
* Mesar Hameed
* Michael Tokarev * Michael Tokarev
* Miles Nordin * Miles Nordin
* Nick Hibma * Nick Hibma
* Nick Patavalis * Nick Patavalis
* Paul Littlefield * Paul Littlefield
* Philipp Babel
* Robert van der Meulen * Robert van der Meulen
* Rumko * Rumko
* Scott Lamb * Scott Lamb
@ -42,6 +48,7 @@ We would like to thank the following people for their contributions to tinc:
* Teemu Kiviniemi * Teemu Kiviniemi
* Timothy Redaelli * Timothy Redaelli
* Tonnerre Lombard * Tonnerre Lombard
* Vil Brekin
* Wessel Dankers * Wessel Dankers
* Wouter van Heyst * Wouter van Heyst

6
aclocal.m4 vendored
View file

@ -1,4 +1,4 @@
# generated automatically by aclocal 1.11.5 -*- Autoconf -*- # generated automatically by aclocal 1.11.6 -*- Autoconf -*-
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
# 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, # 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
@ -38,7 +38,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.11' [am__api_version='1.11'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro. dnl require some minimum version. Point them to the right macro.
m4_if([$1], [1.11.5], [], m4_if([$1], [1.11.6], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
]) ])
@ -54,7 +54,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.11.5])dnl [AM_AUTOMAKE_VERSION([1.11.6])dnl
m4_ifndef([AC_AUTOCONF_VERSION], m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])

8
configure vendored
View file

@ -1376,9 +1376,9 @@ Optional Features:
(and sometimes confusing) to the casual installer (and sometimes confusing) to the casual installer
--disable-dependency-tracking speeds up one-time build --disable-dependency-tracking speeds up one-time build
--enable-dependency-tracking do not reject slow dependency extractors --enable-dependency-tracking do not reject slow dependency extractors
--disable-uml enable support for User Mode Linux --enable-uml enable support for User Mode Linux
--disable-vde enable support for Virtual Distributed Ethernet --enable-vde enable support for Virtual Distributed Ethernet
--disable-tunemu enable support for the tunemu driver --enable-tunemu enable support for the tunemu driver
--disable-zlib disable zlib compression support --disable-zlib disable zlib compression support
--disable-lzo disable lzo compression support --disable-lzo disable lzo compression support
--disable-jumbograms enable support for jumbograms (packets up to 9000 --disable-jumbograms enable support for jumbograms (packets up to 9000
@ -2758,7 +2758,7 @@ fi
# Define the identity of the package. # Define the identity of the package.
PACKAGE=tinc PACKAGE=tinc
VERSION=1.0.19 VERSION=1.0.21
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF

View file

@ -3,7 +3,7 @@ dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61) AC_PREREQ(2.61)
AC_INIT AC_INIT
AC_CONFIG_SRCDIR([src/tincd.c]) AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE(tinc, 1.0.19) AM_INIT_AUTOMAKE(tinc, 1.0.21)
AC_CONFIG_HEADERS([config.h]) AC_CONFIG_HEADERS([config.h])
AM_MAINTAINER_MODE AM_MAINTAINER_MODE
@ -73,7 +73,7 @@ case $host_os in
esac esac
AC_ARG_ENABLE(uml, AC_ARG_ENABLE(uml,
AS_HELP_STRING([--disable-uml], [enable support for User Mode Linux]), AS_HELP_STRING([--enable-uml], [enable support for User Mode Linux]),
[ AS_IF([test "x$enable_uml" = "xyes"], [ AS_IF([test "x$enable_uml" = "xyes"],
[ AC_DEFINE(ENABLE_UML, 1, [Support for UML]) [ AC_DEFINE(ENABLE_UML, 1, [Support for UML])
uml=true uml=true
@ -84,7 +84,7 @@ AC_ARG_ENABLE(uml,
) )
AC_ARG_ENABLE(vde, AC_ARG_ENABLE(vde,
AS_HELP_STRING([--disable-vde], [enable support for Virtual Distributed Ethernet]), AS_HELP_STRING([--enable-vde], [enable support for Virtual Distributed Ethernet]),
[ AS_IF([test "x$enable_vde" = "xyes"], [ AS_IF([test "x$enable_vde" = "xyes"],
[ AC_CHECK_HEADERS(libvdeplug_dyn.h, [], [AC_MSG_ERROR([VDE plug header files not found.]); break]) [ AC_CHECK_HEADERS(libvdeplug_dyn.h, [], [AC_MSG_ERROR([VDE plug header files not found.]); break])
AC_DEFINE(ENABLE_VDE, 1, [Support for VDE]) AC_DEFINE(ENABLE_VDE, 1, [Support for VDE])
@ -96,7 +96,7 @@ AC_ARG_ENABLE(vde,
) )
AC_ARG_ENABLE(tunemu, AC_ARG_ENABLE(tunemu,
AS_HELP_STRING([--disable-tunemu], [enable support for the tunemu driver]), AS_HELP_STRING([--enable-tunemu], [enable support for the tunemu driver]),
[ AS_IF([test "x$enable_tunemu" = "xyes"], [ AS_IF([test "x$enable_tunemu" = "xyes"],
[ AC_DEFINE(ENABLE_TUNEMU, 1, [Support for tunemu]) [ AC_DEFINE(ENABLE_TUNEMU, 1, [Support for tunemu])
tunemu=true tunemu=true

7
debian/changelog vendored
View file

@ -1,3 +1,10 @@
tinc (1.0.21-1) unstable; urgency=low
* New upstream release.
- Includes fix for CVE-2013-1428.
-- Guus Sliepen <guus@debian.org> Sun, 05 May 2013 10:42:33 +0200
tinc (1.0.19-3) unstable; urgency=high tinc (1.0.19-3) unstable; urgency=high
* Drop packets forwarded via TCP if they are too big (CVE-2013-1428). * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).

View file

@ -1,29 +0,0 @@
From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri, 12 Apr 2013 17:15:05 +0200
Subject: [PATCH] Drop packets forwarded via TCP if they are too big
(CVE-2013-1428).
Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.
This issue was found by Martin Schobert.
---
src/net_packet.c | 3 +++
1 file changed, 3 insertions(+)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -378,6 +378,9 @@
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
vpn_packet_t outpkt;
+ if(len > sizeof outpkt.data)
+ return;
+
outpkt.len = len;
if(c->options & OPTION_TCPONLY)
outpkt.priority = 0;

View file

@ -1 +0,0 @@
fix-CVE-2013-1428

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.11.5 from Makefile.am. # Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,

View file

@ -3,23 +3,19 @@
.\" Manual page created by: .\" Manual page created by:
.\" Ivo Timmermans .\" Ivo Timmermans
.\" Guus Sliepen <guus@tinc-vpn.org> .\" Guus Sliepen <guus@tinc-vpn.org>
.Sh NAME .Sh NAME
.Nm tinc.conf .Nm tinc.conf
.Nd tinc daemon configuration .Nd tinc daemon configuration
.Sh DESCRIPTION .Sh DESCRIPTION
The files in the The files in the
.Pa @sysconfdir@/tinc/ .Pa @sysconfdir@/tinc/
directory contain runtime and security information for the tinc daemon. directory contain runtime and security information for the tinc daemon.
.Sh NETWORKS .Sh NETWORKS
It is perfectly ok for you to run more than one tinc daemon. It is perfectly ok for you to run more than one tinc daemon.
However, in its default form, However, in its default form,
you will soon notice that you can't use two different configuration files without the you will soon notice that you can't use two different configuration files without the
.Fl c .Fl c
option. option.
.Pp .Pp
We have thought of another way of dealing with this: network names. We have thought of another way of dealing with this: network names.
This means that you call This means that you call
@ -27,7 +23,6 @@ This means that you call
with the with the
.Fl n .Fl n
option, which will assign a name to this daemon. option, which will assign a name to this daemon.
.Pp .Pp
The effect of this is that the daemon will set its configuration root to The effect of this is that the daemon will set its configuration root to
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / , .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ,
@ -38,7 +33,6 @@ is your argument to the
option. option.
You'll notice that messages appear in syslog as coming from You'll notice that messages appear in syslog as coming from
.Nm tincd. Ns Ar NETNAME . .Nm tincd. Ns Ar NETNAME .
.Pp .Pp
However, it is not strictly necessary that you call tinc with the However, it is not strictly necessary that you call tinc with the
.Fl n .Fl n
@ -54,25 +48,21 @@ the configuration file should be
.Pa @sysconfdir@/tinc/tinc.conf , .Pa @sysconfdir@/tinc/tinc.conf ,
and the host configuration files are now expected to be in and the host configuration files are now expected to be in
.Pa @sysconfdir@/tinc/hosts/ . .Pa @sysconfdir@/tinc/hosts/ .
.Pp .Pp
But it is highly recommended that you use this feature of But it is highly recommended that you use this feature of
.Nm tinc , .Nm tinc ,
because it will be so much clearer whom your daemon talks to. because it will be so much clearer whom your daemon talks to.
Hence, we will assume that you use it. Hence, we will assume that you use it.
.Sh NAMES .Sh NAMES
Each tinc daemon should have a name that is unique in the network which it will be part of. Each tinc daemon should have a name that is unique in the network which it will be part of.
The name will be used by other tinc daemons for identification. The name will be used by other tinc daemons for identification.
The name has to be declared in the The name has to be declared in the
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
file. file.
.Pp .Pp
To make things easy, To make things easy,
choose something that will give unique and easy to remember names to your tinc daemon(s). choose something that will give unique and easy to remember names to your tinc daemon(s).
You could try things like hostnames, owner surnames or location names. You could try things like hostnames, owner surnames or location names.
.Sh PUBLIC/PRIVATE KEYS .Sh PUBLIC/PRIVATE KEYS
You should use You should use
.Ic tincd -K .Ic tincd -K
@ -91,17 +81,14 @@ The public key should be stored in the host configuration file
.Va NAME .Va NAME
stands for the name of the local tinc daemon (see stands for the name of the local tinc daemon (see
.Sx NAMES ) . .Sx NAMES ) .
.Sh SERVER CONFIGURATION .Sh SERVER CONFIGURATION
The server configuration of the daemon is done in the file The server configuration of the daemon is done in the file
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf . .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .
This file consists of comments (lines started with a This file consists of comments (lines started with a
.Li # ) .Li # )
or assignments in the form of: or assignments in the form of:
.Pp .Pp
.Va Variable Li = Ar Value . .Va Variable Li = Ar Value .
.Pp .Pp
The variable names are case insensitive, and any spaces, tabs, The variable names are case insensitive, and any spaces, tabs,
newlines and carriage returns are ignored. newlines and carriage returns are ignored.
@ -109,26 +96,22 @@ Note: it is not required that you put in the
.Li = .Li =
sign, but doing so improves readability. sign, but doing so improves readability.
If you leave it out, remember to replace it with at least one space character. If you leave it out, remember to replace it with at least one space character.
.Pp .Pp
The server configuration is complemented with host specific configuration (see the next section). The server configuration is complemented with host specific configuration (see the next section).
Although all configuration options for the local host listed in this document can also be put in Although all configuration options for the local host listed in this document can also be put in
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf , .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf ,
it is recommended to put host specific configuration options in the host configuration file, it is recommended to put host specific configuration options in the host configuration file,
as this makes it easy to exchange with other nodes. as this makes it easy to exchange with other nodes.
.Pp .Pp
Here are all valid variables, listed in alphabetical order. Here are all valid variables, listed in alphabetical order.
The default value is given between parentheses. The default value is given between parentheses.
.Bl -tag -width indent .Bl -tag -width indent
.It Va AddressFamily Li = ipv4 | ipv6 | any Pq any .It Va AddressFamily Li = ipv4 | ipv6 | any Pq any
This option affects the address family of listening and outgoing sockets. This option affects the address family of listening and outgoing sockets.
If If
.Qq any .Qq any
is selected, then depending on the operating system both IPv4 and IPv6 or just is selected, then depending on the operating system both IPv4 and IPv6 or just
IPv6 listening sockets will be created. IPv6 listening sockets will be created.
.It Va BindToAddress Li = Ar address Oo Ar port Oc Bq experimental .It Va BindToAddress Li = Ar address Oo Ar port Oc Bq experimental
If your computer has more than one IPv4 or IPv6 address, If your computer has more than one IPv4 or IPv6 address,
.Nm tinc .Nm tinc
@ -149,36 +132,31 @@ for the
.Ar address . .Ar address .
.Pp .Pp
This option may not work on all platforms. This option may not work on all platforms.
.It Va BindToInterface Li = Ar interface Bq experimental .It Va BindToInterface Li = Ar interface Bq experimental
If your computer has more than one network interface, If your computer has more than one network interface,
.Nm tinc .Nm tinc
will by default listen on all of them for incoming connections. will by default listen on all of them for incoming connections.
It is possible to bind only to a single interface with this variable. It is possible to bind only to a single interface with this variable.
.Pp .Pp
This option may not work on all platforms. This option may not work on all platforms.
Also, on some platforms it will not actually bind to an interface,
but rather to the address that the interface has at the moment a socket is created.
.It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental .It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental
This option selects the way broadcast packets are sent to other daemons. This option selects the way broadcast packets are sent to other daemons.
NOTE: all nodes in a VPN must use the same NOTE: all nodes in a VPN must use the same
.Va Broadcast .Va Broadcast
mode, otherwise routing loops can form. mode, otherwise routing loops can form.
.Bl -tag -width indent .Bl -tag -width indent
.It no .It no
Broadcast packets are never sent to other nodes. Broadcast packets are never sent to other nodes.
.It mst .It mst
Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree. Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.
This ensures broadcast packets reach all nodes. This ensures broadcast packets reach all nodes.
.It direct .It direct
Broadcast packets are sent directly to all nodes that can be reached directly. Broadcast packets are sent directly to all nodes that can be reached directly.
Broadcast packets received from other nodes are never forwarded. Broadcast packets received from other nodes are never forwarded.
If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to. If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
.El .El
.It Va ConnectTo Li = Ar name .It Va ConnectTo Li = Ar name
Specifies which other tinc daemon to connect to on startup. Specifies which other tinc daemon to connect to on startup.
Multiple Multiple
@ -189,14 +167,12 @@ The names should be known to this tinc daemon
(i.e., there should be a host configuration file for the name on the (i.e., there should be a host configuration file for the name on the
.Va ConnectTo .Va ConnectTo
line). line).
.Pp .Pp
If you don't specify a host with If you don't specify a host with
.Va ConnectTo , .Va ConnectTo ,
.Nm tinc .Nm tinc
won't try to connect to other daemons at all, won't try to connect to other daemons at all,
and will instead just listen for incoming connections. and will instead just listen for incoming connections.
.It Va DecrementTTL Li = yes | no Po no Pc Bq experimental .It Va DecrementTTL Li = yes | no Po no Pc Bq experimental
When enabled, When enabled,
.Nm tinc .Nm tinc
@ -206,7 +182,6 @@ and will drop packets that have a TTL value of zero,
in which case it will send an ICMP Time Exceeded packet back. in which case it will send an ICMP Time Exceeded packet back.
.Pp .Pp
Do not use this option if you use switch mode and want to use IPv6. Do not use this option if you use switch mode and want to use IPv6.
.It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc .It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc
The virtual network device to use. The virtual network device to use.
.Nm tinc .Nm tinc
@ -218,18 +193,15 @@ instead of
.Va Device . .Va Device .
The info pages of the tinc package contain more information The info pages of the tinc package contain more information
about configuring the virtual network device. about configuring the virtual network device.
.It Va DeviceType Li = Ar type Pq platform dependent .It Va DeviceType Li = Ar type Pq platform dependent
The type of the virtual network device. The type of the virtual network device.
Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used. Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used.
However, this option can be used to select one of the special interface types, if support for them is compiled in. However, this option can be used to select one of the special interface types, if support for them is compiled in.
.Bl -tag -width indent .Bl -tag -width indent
.It dummy .It dummy
Use a dummy interface. Use a dummy interface.
No packets are ever read or written to a virtual network device. No packets are ever read or written to a virtual network device.
Useful for testing, or when setting up a node that only forwards packets for other nodes. Useful for testing, or when setting up a node that only forwards packets for other nodes.
.It raw_socket .It raw_socket
Open a raw socket, and bind it to a pre-existing Open a raw socket, and bind it to a pre-existing
.Va Interface .Va Interface
@ -237,7 +209,6 @@ Open a raw socket, and bind it to a pre-existing
All packets are read from this interface. All packets are read from this interface.
Packets received for the local node are written to the raw socket. Packets received for the local node are written to the raw socket.
However, at least on Linux, the operating system does not process IP packets destined for the local host. However, at least on Linux, the operating system does not process IP packets destined for the local host.
.It multicast .It multicast
Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using
.Va Device . .Va Device .
@ -247,7 +218,6 @@ Do NOT connect multiple
.Nm tinc .Nm tinc
daemons to the same multicast address, this will very likely cause routing loops. daemons to the same multicast address, this will very likely cause routing loops.
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured. Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
.It uml Pq not compiled in by default .It uml Pq not compiled in by default
Create a UNIX socket with the filename specified by Create a UNIX socket with the filename specified by
.Va Device , .Va Device ,
@ -256,7 +226,6 @@ or
if not specified. if not specified.
.Nm tinc .Nm tinc
will wait for a User Mode Linux instance to connect to this socket. will wait for a User Mode Linux instance to connect to this socket.
.It vde Pq not compiled in by default .It vde Pq not compiled in by default
Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch, Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
using the UNIX socket specified by using the UNIX socket specified by
@ -265,60 +234,47 @@ or
.Pa @localstatedir@/run/vde.ctl .Pa @localstatedir@/run/vde.ctl
if not specified. if not specified.
.El .El
Also, in case tinc does not seem to correctly interpret packets received from the virtual network device, Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
it can be used to change the way packets are interpreted: it can be used to change the way packets are interpreted:
.Bl -tag -width indent .Bl -tag -width indent
.It tun Pq BSD and Linux .It tun Pq BSD and Linux
Set type to tun. Set type to tun.
Depending on the platform, this can either be with or without an address family header (see below). Depending on the platform, this can either be with or without an address family header (see below).
.It tunnohead Pq BSD .It tunnohead Pq BSD
Set type to tun without an address family header. Set type to tun without an address family header.
Tinc will expect packets read from the virtual network device to start with an IP header. Tinc will expect packets read from the virtual network device to start with an IP header.
On some platforms IPv6 packets cannot be read from or written to the device in this mode. On some platforms IPv6 packets cannot be read from or written to the device in this mode.
.It tunifhead Pq BSD .It tunifhead Pq BSD
Set type to tun with an address family header. Set type to tun with an address family header.
Tinc will expect packets read from the virtual network device Tinc will expect packets read from the virtual network device
to start with a four byte header containing the address family, to start with a four byte header containing the address family,
followed by an IP header. followed by an IP header.
This mode should support both IPv4 and IPv6 packets. This mode should support both IPv4 and IPv6 packets.
.It tap Pq BSD and Linux .It tap Pq BSD and Linux
Set type to tap. Set type to tap.
Tinc will expect packets read from the virtual network device Tinc will expect packets read from the virtual network device
to start with an Ethernet header. to start with an Ethernet header.
.El .El
.It Va DirectOnly Li = yes | no Po no Pc Bq experimental .It Va DirectOnly Li = yes | no Po no Pc Bq experimental
When this option is enabled, packets that cannot be sent directly to the destination node, When this option is enabled, packets that cannot be sent directly to the destination node,
but which would have to be forwarded by an intermediate node, are dropped instead. but which would have to be forwarded by an intermediate node, are dropped instead.
When combined with the IndirectData option, When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped. packets for nodes for which we do not have a meta connection with are also dropped.
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental .It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded. This option selects the way indirect packets are forwarded.
.Bl -tag -width indent .Bl -tag -width indent
.It off .It off
Incoming packets that are not meant for the local node, Incoming packets that are not meant for the local node,
but which should be forwarded to another node, are dropped. but which should be forwarded to another node, are dropped.
.It internal .It internal
Incoming packets that are meant for another node are forwarded by tinc internally. Incoming packets that are meant for another node are forwarded by tinc internally.
.Pp .Pp
This is the default mode, and unless you really know you need another forwarding mode, don't change it. This is the default mode, and unless you really know you need another forwarding mode, don't change it.
.It kernel .It kernel
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node. Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
This is less efficient, but allows the kernel to apply its routing and firewall rules on them, This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
and can also help debugging. and can also help debugging.
.El .El
.It Va GraphDumpFile Li = Ar filename Bq experimental .It Va GraphDumpFile Li = Ar filename Bq experimental
If this option is present, If this option is present,
.Nm tinc .Nm tinc
@ -331,20 +287,16 @@ If
starts with a pipe symbol |, starts with a pipe symbol |,
then the rest of the filename is interpreted as a shell command then the rest of the filename is interpreted as a shell command
that is executed, the graph is then sent to stdin. that is executed, the graph is then sent to stdin.
.It Va Hostnames Li = yes | no Pq no .It Va Hostnames Li = yes | no Pq no
This option selects whether IP addresses (both real and on the VPN) should This option selects whether IP addresses (both real and on the VPN) should
be resolved. Since DNS lookups are blocking, it might affect tinc's be resolved. Since DNS lookups are blocking, it might affect tinc's
efficiency, even stopping the daemon for a few seconds every time it does efficiency, even stopping the daemon for a few seconds every time it does
a lookup if your DNS server is not responding. a lookup if your DNS server is not responding.
.Pp .Pp
This does not affect resolving hostnames to IP addresses from the This does not affect resolving hostnames to IP addresses from the
host configuration files. host configuration files, but whether hostnames should be resolved while logging.
.It Va IffOneQueue Li = yes | no Po no Pc Bq experimental .It Va IffOneQueue Li = yes | no Po no Pc Bq experimental
(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices. (Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
.It Va Interface Li = Ar interface .It Va Interface Li = Ar interface
Defines the name of the interface corresponding to the virtual network device. Defines the name of the interface corresponding to the virtual network device.
Depending on the operating system and the type of device this may or may not actually set the name of the interface. Depending on the operating system and the type of device this may or may not actually set the name of the interface.
@ -352,12 +304,10 @@ Under Windows, this variable is used to select which network interface will be u
If you specified a If you specified a
.Va Device , .Va Device ,
this variable is almost always already correctly set. this variable is almost always already correctly set.
.It Va KeyExpire Li = Ar seconds Pq 3600 .It Va KeyExpire Li = Ar seconds Pq 3600
This option controls the period the encryption keys used to encrypt the data are valid. This option controls the period the encryption keys used to encrypt the data are valid.
It is common practice to change keys at regular intervals to make it even harder for crackers, It is common practice to change keys at regular intervals to make it even harder for crackers,
even though it is thought to be nearly impossible to crack a single key. even though it is thought to be nearly impossible to crack a single key.
.It Va LocalDiscovery Li = yes | no Po no Pc Bq experimental .It Va LocalDiscovery Li = yes | no Po no Pc Bq experimental
When enabled, When enabled,
.Nm tinc .Nm tinc
@ -365,54 +315,43 @@ will try to detect peers that are on the same local network.
This will allow direct communication using LAN addresses, even if both peers are behind a NAT This will allow direct communication using LAN addresses, even if both peers are behind a NAT
and they only ConnectTo a third node outside the NAT, and they only ConnectTo a third node outside the NAT,
which normally would prevent the peers from learning each other's LAN address. which normally would prevent the peers from learning each other's LAN address.
.Pp .Pp
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery. Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
This feature may not work in all possible situations. This feature may not work in all possible situations.
.It Va MACExpire Li = Ar seconds Pq 600 .It Va MACExpire Li = Ar seconds Pq 600
This option controls the amount of time MAC addresses are kept before they are removed. This option controls the amount of time MAC addresses are kept before they are removed.
This only has effect when This only has effect when
.Va Mode .Va Mode
is set to is set to
.Qq switch . .Qq switch .
.It Va MaxTimeout Li = Ar seconds Pq 900 .It Va MaxTimeout Li = Ar seconds Pq 900
This is the maximum delay before trying to reconnect to other tinc daemons. This is the maximum delay before trying to reconnect to other tinc daemons.
.It Va Mode Li = router | switch | hub Pq router .It Va Mode Li = router | switch | hub Pq router
This option selects the way packets are routed to other daemons. This option selects the way packets are routed to other daemons.
.Bl -tag -width indent .Bl -tag -width indent
.It router .It router
In this mode In this mode
.Va Subnet .Va Subnet
variables in the host configuration files will be used to form a routing table. variables in the host configuration files will be used to form a routing table.
Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode. Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.
.Pp .Pp
This is the default mode, and unless you really know you need another mode, don't change it. This is the default mode, and unless you really know you need another mode, don't change it.
.It switch .It switch
In this mode the MAC addresses of the packets on the VPN will be used to In this mode the MAC addresses of the packets on the VPN will be used to
dynamically create a routing table just like an Ethernet switch does. dynamically create a routing table just like an Ethernet switch does.
Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
at the cost of frequent broadcast ARP requests and routing table updates. at the cost of frequent broadcast ARP requests and routing table updates.
.Pp .Pp
This mode is primarily useful if you want to bridge Ethernet segments. This mode is primarily useful if you want to bridge Ethernet segments.
.It hub .It hub
This mode is almost the same as the switch mode, but instead This mode is almost the same as the switch mode, but instead
every packet will be broadcast to the other daemons every packet will be broadcast to the other daemons
while no routing table is managed. while no routing table is managed.
.El .El
.It Va Name Li = Ar name Bq required .It Va Name Li = Ar name Bq required
This is the name which identifies this tinc daemon. This is the name which identifies this tinc daemon.
It must be unique for the virtual private network this daemon will connect to. It must be unique for the virtual private network this daemon will connect to.
The Name may only consist of alphanumeric and underscore characters. The Name may only consist of alphanumeric and underscore characters.
If If
.Va Name .Va Name
starts with a starts with a
@ -424,38 +363,26 @@ If
is is
.Li $HOST , .Li $HOST ,
but no such environment variable exist, the hostname will be read using the gethostnname() system call. but no such environment variable exist, the hostname will be read using the gethostnname() system call.
.It Va PingInterval Li = Ar seconds Pq 60 .It Va PingInterval Li = Ar seconds Pq 60
The number of seconds of inactivity that The number of seconds of inactivity that
.Nm tinc .Nm tinc
will wait before sending a probe to the other end. will wait before sending a probe to the other end.
.It Va PingTimeout Li = Ar seconds Pq 5 .It Va PingTimeout Li = Ar seconds Pq 5
The number of seconds to wait for a response to pings or to allow meta The number of seconds to wait for a response to pings or to allow meta
connections to block. If the other end doesn't respond within this time, connections to block. If the other end doesn't respond within this time,
the connection is terminated, the connection is terminated,
and the others will be notified of this. and the others will be notified of this.
.It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental .It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental
When this option is enabled the value of the TOS field of tunneled IPv4 packets When this option is enabled the value of the TOS field of tunneled IPv4 packets
will be inherited by the UDP packets that are sent out. will be inherited by the UDP packets that are sent out.
.It Va PrivateKey Li = Ar key Bq obsolete .It Va PrivateKey Li = Ar key Bq obsolete
The private RSA key of this tinc daemon. The private RSA key of this tinc daemon.
It will allow this tinc daemon to authenticate itself to other daemons. It will allow this tinc daemon to authenticate itself to other daemons.
.It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc .It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc
The file in which the private RSA key of this tinc daemon resides. The file in which the private RSA key of this tinc daemon resides.
Note that there must be exactly one of
.Va PrivateKey
or
.Va PrivateKeyFile
specified in the configuration file.
.It Va ProcessPriority Li = low | normal | high .It Va ProcessPriority Li = low | normal | high
When this option is used the priority of the tincd process will be adjusted. When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN. Increasing the priority may help to reduce latency and packet loss on the VPN.
.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental .It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
Use a proxy when making outgoing connections. Use a proxy when making outgoing connections.
The following proxy types are currently supported: The following proxy types are currently supported:
@ -488,7 +415,6 @@ and
.Ev REMOTEPORT .Ev REMOTEPORT
are available. are available.
.El .El
.It Va ReplayWindow Li = Ar bytes Pq 16 .It Va ReplayWindow Li = Ar bytes Pq 16
vhis is the size of the replay tracking window for each remote node, in bytes. vhis is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example The window is a bitfield which tracks 1 packet per bit, so for example
@ -498,35 +424,29 @@ the interaction of replay tracking with underlying real packet loss and/or
reordering. Setting this to zero will disable replay tracking completely and reordering. Setting this to zero will disable replay tracking completely and
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic. traffic.
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental .It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will only use Subnet statements which are When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local present in the host config files in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory. directory.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental .It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons, When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow connections with nodes for which host config files are present in the local and will only allow connections with nodes for which host config files are present in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory. directory.
Setting this options also implicitly sets StrictSubnets. Setting this options also implicitly sets StrictSubnets.
.It Va UDPRcvBuf Li = Ar bytes Pq OS default .It Va UDPRcvBuf Li = Ar bytes Pq OS default
Sets the socket receive buffer size for the UDP socket, in bytes. Sets the socket receive buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system. If unset, the default buffer size will be used by the operating system.
.It Va UDPSndBuf Li = Ar bytes Pq OS default .It Va UDPSndBuf Li = Ar bytes Pq OS default
Sets the socket send buffer size for the UDP socket, in bytes. Sets the socket send buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system. If unset, the default buffer size will be used by the operating system.
.El .El
.Sh HOST CONFIGURATION FILES .Sh HOST CONFIGURATION FILES
The host configuration files contain all information needed The host configuration files contain all information needed
to establish a connection to those hosts. to establish a connection to those hosts.
A host configuration file is also required for the local tinc daemon, A host configuration file is also required for the local tinc daemon,
it will use it to read in it's listen port, public key and subnets. it will use it to read in it's listen port, public key and subnets.
.Pp .Pp
The idea is that these files are portable. The idea is that these files are portable.
You can safely mail your own host configuration file to someone else. You can safely mail your own host configuration file to someone else.
@ -535,7 +455,6 @@ and now his tinc daemon will be able to connect to your tinc daemon.
Since host configuration files only contain public keys, Since host configuration files only contain public keys,
no secrets are revealed by sending out this information. no secrets are revealed by sending out this information.
.Bl -tag -width indent .Bl -tag -width indent
.It Va Address Li = Ar address Oo Ar port Oc Bq recommended .It Va Address Li = Ar address Oo Ar port Oc Bq recommended
The IP address or hostname of this tinc daemon on the real network. The IP address or hostname of this tinc daemon on the real network.
This will only be used when trying to make an outgoing connection to this tinc daemon. This will only be used when trying to make an outgoing connection to this tinc daemon.
@ -544,7 +463,6 @@ Multiple
.Va Address .Va Address
variables can be specified, in which case each address will be tried until a working variables can be specified, in which case each address will be tried until a working
connection has been established. connection has been established.
.It Va Cipher Li = Ar cipher Pq blowfish .It Va Cipher Li = Ar cipher Pq blowfish
The symmetric cipher algorithm used to encrypt UDP packets. The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognised. Any cipher supported by OpenSSL is recognised.
@ -552,24 +470,20 @@ Furthermore, specifying
.Qq none .Qq none
will turn off packet encryption. will turn off packet encryption.
It is best to use only those ciphers which support CBC mode. It is best to use only those ciphers which support CBC mode.
.It Va ClampMSS Li = yes | no Pq yes .It Va ClampMSS Li = yes | no Pq yes
This option specifies whether tinc should clamp the maximum segment size (MSS) This option specifies whether tinc should clamp the maximum segment size (MSS)
of TCP packets to the path MTU. This helps in situations where ICMP of TCP packets to the path MTU. This helps in situations where ICMP
Fragmentation Needed or Packet too Big messages are dropped by firewalls. Fragmentation Needed or Packet too Big messages are dropped by firewalls.
.It Va Compression Li = Ar level Pq 0 .It Va Compression Li = Ar level Pq 0
This option sets the level of compression used for UDP packets. This option sets the level of compression used for UDP packets.
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo). 10 (fast lzo) and 11 (best lzo).
.It Va Digest Li = Ar digest Pq sha1 .It Va Digest Li = Ar digest Pq sha1
The digest algorithm used to authenticate UDP packets. The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognised. Any digest supported by OpenSSL is recognised.
Furthermore, specifying Furthermore, specifying
.Qq none .Qq none
will turn off packet authentication. will turn off packet authentication.
.It Va IndirectData Li = yes | no Pq no .It Va IndirectData Li = yes | no Pq no
This option specifies whether other tinc daemons besides the one you specified with This option specifies whether other tinc daemons besides the one you specified with
.Va ConnectTo .Va ConnectTo
@ -577,33 +491,26 @@ can make a direct connection to you.
This is especially useful if you are behind a firewall This is especially useful if you are behind a firewall
and it is impossible to make a connection from the outside to your tinc daemon. and it is impossible to make a connection from the outside to your tinc daemon.
Otherwise, it is best to leave this option out or set it to no. Otherwise, it is best to leave this option out or set it to no.
.It Va MACLength Li = Ar length Pq 4 .It Va MACLength Li = Ar length Pq 4
The length of the message authentication code used to authenticate UDP packets. The length of the message authentication code used to authenticate UDP packets.
Can be anything from Can be anything from
.Qq 0 .Qq 0
up to the length of the digest produced by the digest algorithm. up to the length of the digest produced by the digest algorithm.
.It Va PMTU Li = Ar mtu Po 1514 Pc .It Va PMTU Li = Ar mtu Po 1514 Pc
This option controls the initial path MTU to this node. This option controls the initial path MTU to this node.
.It Va PMTUDiscovery Li = yes | no Po yes Pc .It Va PMTUDiscovery Li = yes | no Po yes Pc
When this option is enabled, tinc will try to discover the path MTU to this node. When this option is enabled, tinc will try to discover the path MTU to this node.
After the path MTU has been discovered, it will be enforced on the VPN. After the path MTU has been discovered, it will be enforced on the VPN.
.It Va Port Li = Ar port Pq 655 .It Va Port Li = Ar port Pq 655
The port number on which this tinc daemon is listening for incoming connections, The port number on which this tinc daemon is listening for incoming connections,
which is used if no port number is specified in an which is used if no port number is specified in an
.Va Address .Va Address
statement. statement.
.It Va PublicKey Li = Ar key Bq obsolete .It Va PublicKey Li = Ar key Bq obsolete
The public RSA key of this tinc daemon. The public RSA key of this tinc daemon.
It will be used to cryptographically verify it's identity and to set up a secure connection. It will be used to cryptographically verify it's identity and to set up a secure connection.
.It Va PublicKeyFile Li = Ar filename Bq obsolete .It Va PublicKeyFile Li = Ar filename Bq obsolete
The file in which the public RSA key of this tinc daemon resides. The file in which the public RSA key of this tinc daemon resides.
.Pp .Pp
From version 1.0pre4 on From version 1.0pre4 on
.Nm tinc .Nm tinc
@ -612,7 +519,6 @@ the above two options then are not necessary.
Either the PEM format is used, or exactly one of the above two options must be specified Either the PEM format is used, or exactly one of the above two options must be specified
in each host configuration file, in each host configuration file,
if you want to be able to establish a connection with that host. if you want to be able to establish a connection with that host.
.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight .It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight
The subnet which this tinc daemon will serve. The subnet which this tinc daemon will serve.
.Nm tinc .Nm tinc
@ -622,7 +528,6 @@ it will be sent to the daemon who has this subnet in his host configuration file
Multiple Multiple
.Va Subnet .Va Subnet
variables can be specified. variables can be specified.
.Pp .Pp
Subnets can either be single MAC, IPv4 or IPv6 addresses, Subnets can either be single MAC, IPv4 or IPv6 addresses,
in which case a subnet consisting of only that single address is assumed, in which case a subnet consisting of only that single address is assumed,
@ -633,14 +538,12 @@ Note that subnets like 192.168.1.1/24 are invalid!
Read a networking HOWTO/FAQ/guide if you don't understand this. Read a networking HOWTO/FAQ/guide if you don't understand this.
IPv6 subnets are notated like fec0:0:0:1::/64. IPv6 subnets are notated like fec0:0:0:1::/64.
MAC addresses are notated like 0:1a:2b:3c:4d:5e. MAC addresses are notated like 0:1a:2b:3c:4d:5e.
.Pp .Pp
A Subnet can be given a weight to indicate its priority over identical Subnets A Subnet can be given a weight to indicate its priority over identical Subnets
owned by different nodes. The default weight is 10. Lower values indicate owned by different nodes. The default weight is 10. Lower values indicate
higher priority. Packets will be sent to the node with the highest priority, higher priority. Packets will be sent to the node with the highest priority,
unless that node is not reachable, in which case the node with the next highest unless that node is not reachable, in which case the node with the next highest
priority will be tried, and so on. priority will be tried, and so on.
.It Va TCPOnly Li = yes | no Pq no Bq obsolete .It Va TCPOnly Li = yes | no Pq no Bq obsolete
If this variable is set to yes, If this variable is set to yes,
then the packets are tunnelled over the TCP connection instead of a UDP connection. then the packets are tunnelled over the TCP connection instead of a UDP connection.
@ -648,53 +551,42 @@ This is especially useful for those who want to run a tinc daemon
from behind a masquerading firewall, from behind a masquerading firewall,
or if UDP packet routing is disabled somehow. or if UDP packet routing is disabled somehow.
Setting this options also implicitly sets IndirectData. Setting this options also implicitly sets IndirectData.
.Pp .Pp
Since version 1.0.10, tinc will automatically detect whether communication via Since version 1.0.10, tinc will automatically detect whether communication via
UDP is possible or not. UDP is possible or not.
.El .El
.Sh SCRIPTS .Sh SCRIPTS
Apart from reading the server and host configuration files, Apart from reading the server and host configuration files,
tinc can also run scripts at certain moments. tinc can also run scripts at certain moments.
Under Windows (not Cygwin), the scripts should have the extension Under Windows (not Cygwin), the scripts should have the extension
.Pa .bat . .Pa .bat .
.Bl -tag -width indent .Bl -tag -width indent
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
This is the most important script. This is the most important script.
If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device. If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device.
It should be used to set up the corresponding network interface, It should be used to set up the corresponding network interface,
but can also be used to start other things. but can also be used to start other things.
Under Windows you can use the Network Connections control panel instead of creating this script. Under Windows you can use the Network Connections control panel instead of creating this script.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
This script is started right before the tinc daemon quits. This script is started right before the tinc daemon quits.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up
This script is started when the tinc daemon with name This script is started when the tinc daemon with name
.Ar HOST .Ar HOST
becomes reachable. becomes reachable.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -down .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -down
This script is started when the tinc daemon with name This script is started when the tinc daemon with name
.Ar HOST .Ar HOST
becomes unreachable. becomes unreachable.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-up .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-up
This script is started when any host becomes reachable. This script is started when any host becomes reachable.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-down .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-down
This script is started when any host becomes unreachable. This script is started when any host becomes unreachable.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-up .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-up
This script is started when a Subnet becomes reachable. This script is started when a Subnet becomes reachable.
The Subnet and the node it belongs to are passed in environment variables. The Subnet and the node it belongs to are passed in environment variables.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down
This script is started when a Subnet becomes unreachable. This script is started when a Subnet becomes unreachable.
.El .El
.Pp .Pp
The scripts are started without command line arguments, but can make use of certain environment variables. The scripts are started without command line arguments, but can make use of certain environment variables.
Under UNIX like operating systems the names of environment variables must be preceded by a Under UNIX like operating systems the names of environment variables must be preceded by a
@ -706,68 +598,54 @@ files, they have to be put between
.Li % .Li %
signs. signs.
.Bl -tag -width indent .Bl -tag -width indent
.It Ev NETNAME .It Ev NETNAME
If a netname was specified, this environment variable contains it. If a netname was specified, this environment variable contains it.
.It Ev NAME .It Ev NAME
Contains the name of this tinc daemon. Contains the name of this tinc daemon.
.It Ev DEVICE .It Ev DEVICE
Contains the name of the virtual network device that tinc uses. Contains the name of the virtual network device that tinc uses.
.It Ev INTERFACE .It Ev INTERFACE
Contains the name of the virtual network interface that tinc uses. Contains the name of the virtual network interface that tinc uses.
This should be used for commands like This should be used for commands like
.Pa ifconfig . .Pa ifconfig .
.It Ev NODE .It Ev NODE
When a host becomes (un)reachable, this is set to its name. When a host becomes (un)reachable, this is set to its name.
If a subnet becomes (un)reachable, this is set to the owner of that subnet. If a subnet becomes (un)reachable, this is set to the owner of that subnet.
.It Ev REMOTEADDRESS .It Ev REMOTEADDRESS
When a host becomes (un)reachable, this is set to its real address. When a host becomes (un)reachable, this is set to its real address.
.It Ev REMOTEPORT .It Ev REMOTEPORT
When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons. When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons.
.It Ev SUBNET .It Ev SUBNET
When a subnet becomes (un)reachable, this is set to the subnet. When a subnet becomes (un)reachable, this is set to the subnet.
.It Ev WEIGHT .It Ev WEIGHT
When a subnet becomes (un)reachable, this is set to the subnet weight. When a subnet becomes (un)reachable, this is set to the subnet weight.
.El .El
.Pp
Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command
.Nm chmod Li a+x Pa script .
.Sh FILES .Sh FILES
The most important files are: The most important files are:
.Bl -tag -width indent .Bl -tag -width indent
.It Pa @sysconfdir@/tinc/ .It Pa @sysconfdir@/tinc/
The top directory for configuration files. The top directory for configuration files.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
The default name of the server configuration file for net The default name of the server configuration file for net
.Ar NETNAME . .Ar NETNAME .
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
Host configuration files are kept in this directory. Host configuration files are kept in this directory.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
If an executable file with this name exists, If an executable file with this name exists,
it will be executed right after the tinc daemon has connected to the virtual network device. it will be executed right after the tinc daemon has connected to the virtual network device.
It can be used to set up the corresponding network interface. It can be used to set up the corresponding network interface.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
If an executable file with this name exists, If an executable file with this name exists,
it will be executed right before the tinc daemon is going to close it will be executed right before the tinc daemon is going to close
its connection to the virtual network device. its connection to the virtual network device.
.El .El
.Sh SEE ALSO .Sh SEE ALSO
.Xr tincd 8 , .Xr tincd 8 ,
.Pa http://www.tinc-vpn.org/ , .Pa http://www.tinc-vpn.org/ ,
.Pa http://www.linuxdoc.org/LDP/nag2/ . .Pa http://www.tldp.org/LDP/nag2/ .
.Pp .Pp
The full documentation for The full documentation for
.Nm tinc .Nm tinc
@ -775,7 +653,6 @@ is maintained as a Texinfo manual.
If the info and tinc programs are properly installed at your site, the command If the info and tinc programs are properly installed at your site, the command
.Ic info tinc .Ic info tinc
should give you access to the complete manual. should give you access to the complete manual.
.Pp .Pp
.Nm tinc .Nm tinc
comes with ABSOLUTELY NO WARRANTY. comes with ABSOLUTELY NO WARRANTY.

View file

@ -8,7 +8,7 @@ END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.19, a Virtual Private This is the info manual for tinc version 1.0.19, a Virtual Private
Network daemon. Network daemon.
Copyright (C) 1998-2012 Ivo Timmermans, Guus Sliepen Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>. <guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
Permission is granted to make and distribute verbatim copies of this Permission is granted to make and distribute verbatim copies of this
@ -147,7 +147,7 @@ will most likely compile and run, but it will not be able to send or
receive data packets. receive data packets.
For an up to date list of supported platforms, please check the list For an up to date list of supported platforms, please check the list
on our website: `http://www.tinc-vpn.org/platforms'. on our website: `http://www.tinc-vpn.org/platforms/'.
 
File: tinc.info, Node: Preparations, Next: Installation, Prev: Introduction, Up: Top File: tinc.info, Node: Preparations, Next: Installation, Prev: Introduction, Up: Top
@ -209,7 +209,9 @@ File: tinc.info, Node: Configuration of FreeBSD kernels, Next: Configuration o
-------------------------------------- --------------------------------------
For FreeBSD version 4.1 and higher, tun and tap drivers are included in For FreeBSD version 4.1 and higher, tun and tap drivers are included in
the default kernel configuration. Using tap devices is recommended. the default kernel configuration. The tap driver can be loaded with
`kldload if_tap', or by adding `if_tap_load="YES"' to
`/boot/loader.conf'.
 
File: tinc.info, Node: Configuration of OpenBSD kernels, Next: Configuration of NetBSD kernels, Prev: Configuration of FreeBSD kernels, Up: Configuring the kernel File: tinc.info, Node: Configuration of OpenBSD kernels, Next: Configuration of NetBSD kernels, Prev: Configuration of FreeBSD kernels, Up: Configuring the kernel
@ -303,8 +305,8 @@ For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library. by the OpenSSL library.
If this library is not installed, you wil get an error when If this library is not installed, you wil get an error when
configuring tinc for build. Support for running tinc without having configuring tinc for build. Support for running tinc with other
OpenSSL installed _may_ be added in the future. cryptographic libraries installed _may_ be added in the future.
You can use your operating system's package manager to install this You can use your operating system's package manager to install this
if available. Make sure you install the development AND runtime if available. Make sure you install the development AND runtime
@ -359,9 +361,12 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries
For the optional compression of UDP packets, tinc uses the functions For the optional compression of UDP packets, tinc uses the functions
provided by the zlib library. provided by the zlib library.
If this library is not installed, you wil get an error when If this library is not installed, you wil get an error when running
configuring tinc for build. Support for running tinc without having the configure script. You can either install the zlib library, or
zlib installed _may_ be added in the future. disable support for zlib compression by using the "-disable-zlib"
option when running the configure script. Note that if you disable
support for zlib, the resulting binary will not work correctly on VPNs
where zlib compression is used.
You can use your operating system's package manager to install this You can use your operating system's package manager to install this
if available. Make sure you install the development AND runtime if available. Make sure you install the development AND runtime
@ -379,11 +384,14 @@ File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
2.2.3 lzo 2.2.3 lzo
--------- ---------
Another form of compression is offered using the lzo library. Another form of compression is offered using the LZO library.
If this library is not installed, you wil get an error when If this library is not installed, you wil get an error when running
configuring tinc for build. Support for running tinc without having lzo the configure script. You can either install the LZO library, or
installed _may_ be added in the future. disable support for LZO compression by using the "-disable-lzo" option
when running the configure script. Note that if you disable support for
LZO, the resulting binary will not work correctly on VPNs where LZO
compression is used.
You can use your operating system's package manager to install this You can use your operating system's package manager to install this
if available. Make sure you install the development AND runtime if available. Make sure you install the development AND runtime
@ -408,9 +416,9 @@ startup scripts and sample configurations.
If you cannot use one of the precompiled packages, or you want to If you cannot use one of the precompiled packages, or you want to
compile tinc for yourself, you can use the source. The source is compile tinc for yourself, you can use the source. The source is
distributed under the GNU General Public License (GPL). Download the distributed under the GNU General Public License (GPL). Download the
source from the download page (http://www.tinc-vpn.org/download), which source from the download page (http://www.tinc-vpn.org/download/),
has the checksums of these files listed; you may wish to check these which has the checksums of these files listed; you may wish to check
with md5sum before continuing. these with md5sum before continuing.
Tinc comes in a convenient autoconf/automake package, which you can Tinc comes in a convenient autoconf/automake package, which you can
just treat the same as any other package. Which is just untar it, type just treat the same as any other package. Which is just untar it, type
@ -451,7 +459,7 @@ File: tinc.info, Node: Darwin (MacOS/X) build environment, Next: Cygwin (Windo
In order to build tinc on Darwin, you need to install the MacOS/X In order to build tinc on Darwin, you need to install the MacOS/X
Developer Tools from Developer Tools from
`http://developer.apple.com/tools/macosxtools.html' and a recent `http://developer.apple.com/tools/macosxtools.html' and a recent
version of Fink from `http://fink.sourceforge.net/'. version of Fink from `http://www.finkproject.org/'.
After installation use fink to download and install the following After installation use fink to download and install the following
packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
@ -570,7 +578,7 @@ Do you want to run tinc in router mode or switch mode? These questions
can only be answered by yourself, you will not find the answers in this can only be answered by yourself, you will not find the answers in this
documentation. Make sure you have an adequate understanding of documentation. Make sure you have an adequate understanding of
networks in general. A good resource on networking is the Linux networks in general. A good resource on networking is the Linux
Network Administrators Guide (http://www.linuxdoc.org/LDP/nag2/). Network Administrators Guide (http://www.tldp.org/LDP/nag2/).
If you have everything clearly pictured in your mind, proceed in the If you have everything clearly pictured in your mind, proceed in the
following order: First, generate the configuration files (`tinc.conf', following order: First, generate the configuration files (`tinc.conf',
@ -860,7 +868,8 @@ Hostnames = <yes|no> (no)
responding. responding.
This does not affect resolving hostnames to IP addresses from the This does not affect resolving hostnames to IP addresses from the
configuration file. configuration file, but whether hostnames should be resolved while
logging.
Interface = <INTERFACE> Interface = <INTERFACE>
Defines the name of the interface corresponding to the virtual Defines the name of the interface corresponding to the virtual
@ -957,9 +966,6 @@ PrivateKeyFile = <PATH> (`/etc/tinc/NETNAME/rsa_key.priv')
generated by `tincd --generate-keys'. It must be a full path, not generated by `tincd --generate-keys'. It must be a full path, not
a relative directory. a relative directory.
Note that there must be exactly one of PrivateKey or PrivateKeyFile
specified in the configuration file.
ProcessPriority = <low|normal|high> ProcessPriority = <low|normal|high>
When this option is used the priority of the tincd process will be When this option is used the priority of the tincd process will be
adjusted. Increasing the priority may help to reduce latency and adjusted. Increasing the priority may help to reduce latency and
@ -1116,7 +1122,7 @@ Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
Prefixlength is the number of bits set to 1 in the netmask part; Prefixlength is the number of bits set to 1 in the netmask part;
for example: netmask 255.255.255.0 would become /24, 255.255.252.0 for example: netmask 255.255.255.0 would become /24, 255.255.252.0
becomes /22. This conforms to standard CIDR notation as described becomes /22. This conforms to standard CIDR notation as described
in RFC1519 (ftp://ftp.isi.edu/in-notes/rfc1519.txt) in RFC1519 (http://www.ietf.org/rfc/rfc1519.txt)
A Subnet can be given a weight to indicate its priority over A Subnet can be given a weight to indicate its priority over
identical Subnets owned by different nodes. The default weight is identical Subnets owned by different nodes. The default weight is
@ -2470,7 +2476,7 @@ Concept Index
* example: Example configuration. * example: Example configuration.
(line 6) (line 6)
* exec: Main configuration variables. * exec: Main configuration variables.
(line 311) (line 309)
* Forwarding: Main configuration variables. * Forwarding: Main configuration variables.
(line 152) (line 152)
* frame type: The UDP tunnel. (line 6) * frame type: The UDP tunnel. (line 6)
@ -2479,41 +2485,41 @@ Concept Index
* Hostnames: Main configuration variables. * Hostnames: Main configuration variables.
(line 180) (line 180)
* http: Main configuration variables. * http: Main configuration variables.
(line 308) (line 306)
* hub: Main configuration variables. * hub: Main configuration variables.
(line 232) (line 233)
* ID: Authentication protocol. * ID: Authentication protocol.
(line 10) (line 10)
* IndirectData: Host configuration variables. * IndirectData: Host configuration variables.
(line 34) (line 34)
* INTERFACE: Scripts. (line 58) * INTERFACE: Scripts. (line 58)
* Interface: Main configuration variables. * Interface: Main configuration variables.
(line 190) (line 191)
* IRC: Contact information. (line 9) * IRC: Contact information. (line 9)
* key generation: Generating keypairs. (line 6) * key generation: Generating keypairs. (line 6)
* KEY_CHANGED: The meta-protocol. (line 64) * KEY_CHANGED: The meta-protocol. (line 64)
* KeyExpire: Main configuration variables. * KeyExpire: Main configuration variables.
(line 237) (line 238)
* libraries: Libraries. (line 6) * libraries: Libraries. (line 6)
* license: OpenSSL. (line 36) * license: OpenSSL. (line 36)
* LocalDiscovery: Main configuration variables. * LocalDiscovery: Main configuration variables.
(line 198) (line 199)
* lzo: lzo. (line 6) * lzo: lzo. (line 6)
* MACExpire: Main configuration variables. * MACExpire: Main configuration variables.
(line 243) (line 244)
* MACLength: Host configuration variables. * MACLength: Host configuration variables.
(line 42) (line 42)
* meta-protocol: The meta-connection. (line 18) * meta-protocol: The meta-connection. (line 18)
* META_KEY: Authentication protocol. * META_KEY: Authentication protocol.
(line 10) (line 10)
* Mode: Main configuration variables. * Mode: Main configuration variables.
(line 209) (line 210)
* multicast: Main configuration variables. * multicast: Main configuration variables.
(line 99) (line 99)
* multiple networks: Multiple networks. (line 6) * multiple networks: Multiple networks. (line 6)
* NAME: Scripts. (line 52) * NAME: Scripts. (line 52)
* Name: Main configuration variables. * Name: Main configuration variables.
(line 248) (line 249)
* netmask: Network interfaces. (line 34) * netmask: Network interfaces. (line 34)
* NETNAME: Scripts. (line 49) * NETNAME: Scripts. (line 49)
* netname: Multiple networks. (line 6) * netname: Multiple networks. (line 6)
@ -2526,9 +2532,9 @@ Concept Index
(line 67) (line 67)
* PING: The meta-protocol. (line 89) * PING: The meta-protocol. (line 89)
* PingInterval: Main configuration variables. * PingInterval: Main configuration variables.
(line 259) (line 260)
* PingTimeout: Main configuration variables. * PingTimeout: Main configuration variables.
(line 263) (line 264)
* platforms: Supported platforms. (line 6) * platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables. * PMTU: Host configuration variables.
(line 47) (line 47)
@ -2539,17 +2545,17 @@ Concept Index
(line 55) (line 55)
* port numbers: Other files. (line 17) * port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables. * PriorityInheritance: Main configuration variables.
(line 269) (line 270)
* private: Virtual Private Networks. * private: Virtual Private Networks.
(line 10) (line 10)
* PrivateKey: Main configuration variables. * PrivateKey: Main configuration variables.
(line 274) (line 275)
* PrivateKeyFile: Main configuration variables. * PrivateKeyFile: Main configuration variables.
(line 280) (line 281)
* ProcessPriority: Main configuration variables. * ProcessPriority: Main configuration variables.
(line 288) (line 286)
* Proxy: Main configuration variables. * Proxy: Main configuration variables.
(line 293) (line 291)
* PublicKey: Host configuration variables. * PublicKey: Host configuration variables.
(line 59) (line 59)
* PublicKeyFile: Host configuration variables. * PublicKeyFile: Host configuration variables.
@ -2560,11 +2566,11 @@ Concept Index
* REMOTEADDRESS: Scripts. (line 67) * REMOTEADDRESS: Scripts. (line 67)
* REMOTEPORT: Scripts. (line 70) * REMOTEPORT: Scripts. (line 70)
* ReplayWindow: Main configuration variables. * ReplayWindow: Main configuration variables.
(line 316) (line 314)
* REQ_KEY: The meta-protocol. (line 64) * REQ_KEY: The meta-protocol. (line 64)
* requirements: Libraries. (line 6) * requirements: Libraries. (line 6)
* router: Main configuration variables. * router: Main configuration variables.
(line 212) (line 213)
* runtime options: Runtime options. (line 9) * runtime options: Runtime options. (line 9)
* scalability: tinc. (line 19) * scalability: tinc. (line 19)
* scripts: Scripts. (line 6) * scripts: Scripts. (line 6)
@ -2572,11 +2578,11 @@ Concept Index
(line 18) (line 18)
* signals: Signals. (line 6) * signals: Signals. (line 6)
* socks4: Main configuration variables. * socks4: Main configuration variables.
(line 297) (line 295)
* socks5: Main configuration variables. * socks5: Main configuration variables.
(line 302) (line 300)
* StrictSubnets: Main configuration variables. * StrictSubnets: Main configuration variables.
(line 327) (line 325)
* SUBNET: Scripts. (line 74) * SUBNET: Scripts. (line 74)
* Subnet: Host configuration variables. * Subnet: Host configuration variables.
(line 74) (line 74)
@ -2584,7 +2590,7 @@ Concept Index
(line 96) (line 96)
* SVPN: Security. (line 11) * SVPN: Security. (line 11)
* switch: Main configuration variables. * switch: Main configuration variables.
(line 221) (line 222)
* TCP: The meta-connection. (line 10) * TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables. * TCPonly: Host configuration variables.
(line 103) (line 103)
@ -2598,16 +2604,16 @@ Concept Index
* tunifhead: Main configuration variables. * tunifhead: Main configuration variables.
(line 134) (line 134)
* TunnelServer: Main configuration variables. * TunnelServer: Main configuration variables.
(line 332) (line 330)
* tunnohead: Main configuration variables. * tunnohead: Main configuration variables.
(line 128) (line 128)
* UDP <1>: Encryption of network packets. * UDP <1>: Encryption of network packets.
(line 12) (line 12)
* UDP: The UDP tunnel. (line 30) * UDP: The UDP tunnel. (line 30)
* UDPRcvBuf: Main configuration variables. * UDPRcvBuf: Main configuration variables.
(line 339) (line 337)
* UDPSndBuf: Main configuration variables. * UDPSndBuf: Main configuration variables.
(line 344) (line 342)
* UML: Main configuration variables. * UML: Main configuration variables.
(line 110) (line 110)
* Universal tun/tap: Configuration of Linux kernels. * Universal tun/tap: Configuration of Linux kernels.
@ -2632,61 +2638,61 @@ Node: Introduction1109
Node: Virtual Private Networks1919 Node: Virtual Private Networks1919
Node: tinc3645 Node: tinc3645
Node: Supported platforms5172 Node: Supported platforms5172
Node: Preparations5870 Node: Preparations5871
Node: Configuring the kernel6126 Node: Configuring the kernel6127
Node: Configuration of Linux kernels6535 Node: Configuration of Linux kernels6536
Node: Configuration of FreeBSD kernels7390 Node: Configuration of FreeBSD kernels7391
Node: Configuration of OpenBSD kernels7780 Node: Configuration of OpenBSD kernels7856
Node: Configuration of NetBSD kernels8388 Node: Configuration of NetBSD kernels8464
Node: Configuration of Solaris kernels8793 Node: Configuration of Solaris kernels8869
Node: Configuration of Darwin (MacOS/X) kernels9454 Node: Configuration of Darwin (MacOS/X) kernels9530
Node: Configuration of Windows10143 Node: Configuration of Windows10219
Node: Libraries10657 Node: Libraries10733
Node: OpenSSL11045 Node: OpenSSL11121
Node: zlib13321 Node: zlib13409
Node: lzo14150 Node: lzo14435
Node: Installation14937 Node: Installation15415
Node: Building and installing tinc15952 Node: Building and installing tinc16431
Node: Darwin (MacOS/X) build environment16611 Node: Darwin (MacOS/X) build environment17090
Node: Cygwin (Windows) build environment17179 Node: Cygwin (Windows) build environment17657
Node: MinGW (Windows) build environment17767 Node: MinGW (Windows) build environment18245
Node: System files18291 Node: System files18769
Node: Device files18556 Node: Device files19034
Node: Other files18972 Node: Other files19450
Node: Configuration19585 Node: Configuration20063
Node: Configuration introduction19896 Node: Configuration introduction20374
Node: Multiple networks21169 Node: Multiple networks21643
Node: How connections work22595 Node: How connections work23069
Node: Configuration files23817 Node: Configuration files24291
Node: Main configuration variables25204 Node: Main configuration variables25678
Node: Host configuration variables40987 Node: Host configuration variables41406
Node: Scripts46347 Node: Scripts46763
Node: How to configure49117 Node: How to configure49533
Node: Generating keypairs50380 Node: Generating keypairs50796
Node: Network interfaces50879 Node: Network interfaces51295
Node: Example configuration52727 Node: Example configuration53143
Node: Running tinc58050 Node: Running tinc58466
Node: Runtime options58640 Node: Runtime options59056
Node: Signals61940 Node: Signals62356
Node: Debug levels63132 Node: Debug levels63548
Node: Solving problems64068 Node: Solving problems64484
Node: Error messages65620 Node: Error messages66036
Node: Sending bug reports69633 Node: Sending bug reports70049
Node: Technical information70585 Node: Technical information71001
Node: The connection70816 Node: The connection71232
Node: The UDP tunnel71128 Node: The UDP tunnel71544
Node: The meta-connection74189 Node: The meta-connection74605
Node: The meta-protocol75658 Node: The meta-protocol76074
Node: Security80667 Node: Security81083
Node: Authentication protocol81797 Node: Authentication protocol82213
Node: Encryption of network packets86801 Node: Encryption of network packets87217
Node: Security issues88174 Node: Security issues88590
Node: Platform specific information89791 Node: Platform specific information90207
Node: Interface configuration90019 Node: Interface configuration90435
Node: Routes92472 Node: Routes92888
Node: About us94388 Node: About us94804
Node: Contact information94563 Node: Contact information94979
Node: Authors94967 Node: Authors95383
Node: Concept Index95372 Node: Concept Index95788
 
End Tag Table End Tag Table

View file

@ -15,7 +15,7 @@
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2012 Ivo Timmermans, Copyright @copyright{} 1998-2013 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>. Wessel Dankers <wsl@@tinc-vpn.org>.
@ -39,7 +39,7 @@ permission notice identical to this one.
@vskip 0pt plus 1filll @vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2012 Ivo Timmermans, Copyright @copyright{} 1998-2013 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>. Wessel Dankers <wsl@@tinc-vpn.org>.
@ -186,7 +186,7 @@ packets.
@cindex release @cindex release
For an up to date list of supported platforms, please check the list on For an up to date list of supported platforms, please check the list on
our website: our website:
@uref{http://www.tinc-vpn.org/platforms}. @uref{http://www.tinc-vpn.org/platforms/}.
@c @c
@c @c
@ -261,7 +261,7 @@ alias char-major-10-200 tun
@subsection Configuration of FreeBSD kernels @subsection Configuration of FreeBSD kernels
For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration. For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration.
Using tap devices is recommended. The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
@c ================================================================== @c ==================================================================
@ -275,6 +275,7 @@ which adds a tap device to OpenBSD which should work with tinc,
but with recent versions of OpenBSD, but with recent versions of OpenBSD,
a tun device can act as a tap device by setting the link0 option with ifconfig. a tun device can act as a tap device by setting the link0 option with ifconfig.
@c ================================================================== @c ==================================================================
@node Configuration of NetBSD kernels @node Configuration of NetBSD kernels
@subsection Configuration of NetBSD kernels @subsection Configuration of NetBSD kernels
@ -349,7 +350,7 @@ For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library. by the OpenSSL library.
If this library is not installed, you wil get an error when configuring If this library is not installed, you wil get an error when configuring
tinc for build. Support for running tinc without having OpenSSL tinc for build. Support for running tinc with other cryptographic libraries
installed @emph{may} be added in the future. installed @emph{may} be added in the future.
You can use your operating system's package manager to install this if You can use your operating system's package manager to install this if
@ -412,9 +413,11 @@ Markus F.X.J. Oberhumer
For the optional compression of UDP packets, tinc uses the functions provided For the optional compression of UDP packets, tinc uses the functions provided
by the zlib library. by the zlib library.
If this library is not installed, you wil get an error when configuring If this library is not installed, you wil get an error when running the
tinc for build. Support for running tinc without having zlib configure script. You can either install the zlib library, or disable support
installed @emph{may} be added in the future. for zlib compression by using the "--disable-zlib" option when running the
configure script. Note that if you disable support for zlib, the resulting
binary will not work correctly on VPNs where zlib compression is used.
You can use your operating system's package manager to install this if You can use your operating system's package manager to install this if
available. Make sure you install the development AND runtime versions available. Make sure you install the development AND runtime versions
@ -432,11 +435,13 @@ default).
@subsection lzo @subsection lzo
@cindex lzo @cindex lzo
Another form of compression is offered using the lzo library. Another form of compression is offered using the LZO library.
If this library is not installed, you wil get an error when configuring If this library is not installed, you wil get an error when running the
tinc for build. Support for running tinc without having lzo configure script. You can either install the LZO library, or disable support
installed @emph{may} be added in the future. for LZO compression by using the "--disable-lzo" option when running the
configure script. Note that if you disable support for LZO, the resulting
binary will not work correctly on VPNs where LZO compression is used.
You can use your operating system's package manager to install this if You can use your operating system's package manager to install this if
available. Make sure you install the development AND runtime versions available. Make sure you install the development AND runtime versions
@ -469,7 +474,7 @@ system startup scripts and sample configurations.
If you cannot use one of the precompiled packages, or you want to compile tinc If you cannot use one of the precompiled packages, or you want to compile tinc
for yourself, you can use the source. The source is distributed under for yourself, you can use the source. The source is distributed under
the GNU General Public License (GPL). Download the source from the the GNU General Public License (GPL). Download the source from the
@uref{http://www.tinc-vpn.org/download, download page}, which has @uref{http://www.tinc-vpn.org/download/, download page}, which has
the checksums of these files listed; you may wish to check these with the checksums of these files listed; you may wish to check these with
md5sum before continuing. md5sum before continuing.
@ -510,7 +515,7 @@ The documentation that comes along with your distribution will tell you how to d
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
from @uref{http://developer.apple.com/tools/macosxtools.html} and from @uref{http://developer.apple.com/tools/macosxtools.html} and
a recent version of Fink from @uref{http://fink.sourceforge.net/}. a recent version of Fink from @uref{http://www.finkproject.org/}.
After installation use fink to download and install the following packages: After installation use fink to download and install the following packages:
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
@ -638,7 +643,7 @@ you will not find the answers in this documentation.
Make sure you have an adequate understanding of networks in general. Make sure you have an adequate understanding of networks in general.
@cindex Network Administrators Guide @cindex Network Administrators Guide
A good resource on networking is the A good resource on networking is the
@uref{http://www.linuxdoc.org/LDP/nag2/, Linux Network Administrators Guide}. @uref{http://www.tldp.org/LDP/nag2/, Linux Network Administrators Guide}.
If you have everything clearly pictured in your mind, If you have everything clearly pictured in your mind,
proceed in the following order: proceed in the following order:
@ -943,7 +948,7 @@ tinc's efficiency, even stopping the daemon for a few seconds everytime
it does a lookup if your DNS server is not responding. it does a lookup if your DNS server is not responding.
This does not affect resolving hostnames to IP addresses from the This does not affect resolving hostnames to IP addresses from the
configuration file. configuration file, but whether hostnames should be resolved while logging.
@cindex Interface @cindex Interface
@item Interface = <@var{interface}> @item Interface = <@var{interface}>
@ -1041,10 +1046,6 @@ This is the full path name of the RSA private key file that was
generated by @samp{tincd --generate-keys}. It must be a full path, not a generated by @samp{tincd --generate-keys}. It must be a full path, not a
relative directory. relative directory.
Note that there must be exactly one of PrivateKey
or PrivateKeyFile
specified in the configuration file.
@cindex ProcessPriority @cindex ProcessPriority
@item ProcessPriority = <low|normal|high> @item ProcessPriority = <low|normal|high>
When this option is used the priority of the tincd process will be adjusted. When this option is used the priority of the tincd process will be adjusted.
@ -1220,7 +1221,7 @@ MAC addresses are notated like 0:1a:2b:3c:4d:5e.
Prefixlength is the number of bits set to 1 in the netmask part; for Prefixlength is the number of bits set to 1 in the netmask part; for
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
/22. This conforms to standard CIDR notation as described in /22. This conforms to standard CIDR notation as described in
@uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519} @uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519}
@cindex Subnet weight @cindex Subnet weight
A Subnet can be given a weight to indicate its priority over identical Subnets A Subnet can be given a weight to indicate its priority over identical Subnets

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.11.5 from Makefile.am. # Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,

View file

@ -41,6 +41,10 @@
#define ETH_P_IPV6 0x86DD #define ETH_P_IPV6 0x86DD
#endif #endif
#ifndef ETH_P_8021Q
#define ETH_P_8021Q 0x8100
#endif
#ifndef HAVE_STRUCT_ETHER_HEADER #ifndef HAVE_STRUCT_ETHER_HEADER
struct ether_header { struct ether_header {
uint8_t ether_dhost[ETH_ALEN]; uint8_t ether_dhost[ETH_ALEN];

View file

@ -32,12 +32,14 @@ static int charhex2bin(char c) {
return toupper(c) - 'A' + 10; return toupper(c) - 'A' + 10;
} }
bool hex2bin(char *src, char *dst, int length) {
void hex2bin(char *src, char *dst, int length) { for(int i = 0; i < length; i++) {
int i; if(!isxdigit(src[i * 2]) || !isxdigit(src[i * 2 + 1]))
for(i = 0; i < length; i++) return false;
dst[i] = charhex2bin(src[i * 2]) * 16 + charhex2bin(src[i * 2 + 1]); dst[i] = charhex2bin(src[i * 2]) * 16 + charhex2bin(src[i * 2 + 1]);
} }
return true;
}
void bin2hex(char *src, char *dst, int length) { void bin2hex(char *src, char *dst, int length) {
int i; int i;

View file

@ -21,7 +21,7 @@
#ifndef __TINC_UTILS_H__ #ifndef __TINC_UTILS_H__
#define __TINC_UTILS_H__ #define __TINC_UTILS_H__
extern void hex2bin(char *src, char *dst, int length); extern bool hex2bin(char *src, char *dst, int length);
extern void bin2hex(char *src, char *dst, int length); extern void bin2hex(char *src, char *dst, int length);
#ifdef HAVE_MINGW #ifdef HAVE_MINGW

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.11.5 from Makefile.am. # Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.11.5 from Makefile.am. # Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,

View file

@ -29,17 +29,22 @@
#include "utils.h" #include "utils.h"
#include "xalloc.h" #include "xalloc.h"
#ifdef HAVE_TUNEMU #ifdef ENABLE_TUNEMU
#include "bsd/tunemu.h" #include "bsd/tunemu.h"
#endif #endif
#define DEFAULT_DEVICE "/dev/tun0" #define DEFAULT_TUN_DEVICE "/dev/tun0"
#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD)
#define DEFAULT_TAP_DEVICE "/dev/tap0"
#else
#define DEFAULT_TAP_DEVICE "/dev/tun0"
#endif
typedef enum device_type { typedef enum device_type {
DEVICE_TYPE_TUN, DEVICE_TYPE_TUN,
DEVICE_TYPE_TUNIFHEAD, DEVICE_TYPE_TUNIFHEAD,
DEVICE_TYPE_TAP, DEVICE_TYPE_TAP,
#ifdef HAVE_TUNEMU #ifdef ENABLE_TUNEMU
DEVICE_TYPE_TUNEMU, DEVICE_TYPE_TUNEMU,
#endif #endif
} device_type_t; } device_type_t;
@ -50,7 +55,7 @@ char *iface = NULL;
static char *device_info = NULL; static char *device_info = NULL;
static uint64_t device_total_in = 0; static uint64_t device_total_in = 0;
static uint64_t device_total_out = 0; static uint64_t device_total_out = 0;
#if defined(TUNEMU) #if defined(ENABLE_TUNEMU)
static device_type_t device_type = DEVICE_TYPE_TUNEMU; static device_type_t device_type = DEVICE_TYPE_TUNEMU;
#elif defined(HAVE_OPENBSD) || defined(HAVE_FREEBSD) || defined(HAVE_DRAGONFLY) #elif defined(HAVE_OPENBSD) || defined(HAVE_FREEBSD) || defined(HAVE_DRAGONFLY)
static device_type_t device_type = DEVICE_TYPE_TUNIFHEAD; static device_type_t device_type = DEVICE_TYPE_TUNIFHEAD;
@ -61,8 +66,12 @@ static device_type_t device_type = DEVICE_TYPE_TUN;
static bool setup_device(void) { static bool setup_device(void) {
char *type; char *type;
if(!get_config_string(lookup_config(config_tree, "Device"), &device)) if(!get_config_string(lookup_config(config_tree, "Device"), &device)) {
device = xstrdup(DEFAULT_DEVICE); if(routing_mode == RMODE_ROUTER)
device = xstrdup(DEFAULT_TUN_DEVICE);
else
device = xstrdup(DEFAULT_TAP_DEVICE);
}
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface)) if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device); iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
@ -70,7 +79,7 @@ static bool setup_device(void) {
if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) { if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
if(!strcasecmp(type, "tun")) if(!strcasecmp(type, "tun"))
/* use default */; /* use default */;
#ifdef HAVE_TUNEMU #ifdef ENABLE_TUNEMU
else if(!strcasecmp(type, "tunemu")) else if(!strcasecmp(type, "tunemu"))
device_type = DEVICE_TYPE_TUNEMU; device_type = DEVICE_TYPE_TUNEMU;
#endif #endif
@ -90,7 +99,7 @@ static bool setup_device(void) {
} }
switch(device_type) { switch(device_type) {
#ifdef HAVE_TUNEMU #ifdef ENABLE_TUNEMU
case DEVICE_TYPE_TUNEMU: { case DEVICE_TYPE_TUNEMU: {
char dynamic_name[256] = ""; char dynamic_name[256] = "";
device_fd = tunemu_open(dynamic_name); device_fd = tunemu_open(dynamic_name);
@ -167,7 +176,7 @@ static bool setup_device(void) {
#endif #endif
break; break;
#ifdef HAVE_TUNEMU #ifdef ENABLE_TUNEMU
case DEVICE_TYPE_TUNEMU: case DEVICE_TYPE_TUNEMU:
device_info = "BSD tunemu device"; device_info = "BSD tunemu device";
break; break;
@ -181,7 +190,7 @@ static bool setup_device(void) {
static void close_device(void) { static void close_device(void) {
switch(device_type) { switch(device_type) {
#ifdef HAVE_TUNEMU #ifdef ENABLE_TUNEMU
case DEVICE_TYPE_TUNEMU: case DEVICE_TYPE_TUNEMU:
tunemu_close(device_fd); tunemu_close(device_fd);
break; break;
@ -199,7 +208,7 @@ static bool read_packet(vpn_packet_t *packet) {
switch(device_type) { switch(device_type) {
case DEVICE_TYPE_TUN: case DEVICE_TYPE_TUN:
#ifdef HAVE_TUNEMU #ifdef ENABLE_TUNEMU
case DEVICE_TYPE_TUNEMU: case DEVICE_TYPE_TUNEMU:
if(device_type == DEVICE_TYPE_TUNEMU) if(device_type == DEVICE_TYPE_TUNEMU)
lenin = tunemu_read(device_fd, packet->data + 14, MTU - 14); lenin = tunemu_read(device_fd, packet->data + 14, MTU - 14);
@ -229,6 +238,7 @@ static bool read_packet(vpn_packet_t *packet) {
return false; return false;
} }
memset(packet->data, 0, 12);
packet->len = lenin + 14; packet->len = lenin + 14;
break; break;
@ -260,6 +270,7 @@ static bool read_packet(vpn_packet_t *packet) {
return false; return false;
} }
memset(packet->data, 0, 12);
packet->len = lenin + 10; packet->len = lenin + 10;
break; break;
} }
@ -336,7 +347,7 @@ static bool write_packet(vpn_packet_t *packet) {
} }
break; break;
#ifdef HAVE_TUNEMU #ifdef ENABLE_TUNEMU
case DEVICE_TYPE_TUNEMU: case DEVICE_TYPE_TUNEMU:
if(tunemu_write(device_fd, packet->data + 14, packet->len - 14) < 0) { if(tunemu_write(device_fd, packet->data + 14, packet->len - 14) < 0) {
logger(LOG_ERR, "Error while writing to %s %s: %s", device_info, logger(LOG_ERR, "Error while writing to %s %s: %s", device_info,

View file

@ -73,6 +73,15 @@ void free_connection_partially(connection_t *c) {
c->hischallenge = NULL; c->hischallenge = NULL;
c->outbuf = NULL; c->outbuf = NULL;
c->status.pinged = false;
c->status.active = false;
c->status.connecting = false;
c->status.timeout = false;
c->status.encryptout = false;
c->status.decryptin = false;
c->status.mst = false;
c->options = 0;
c->buflen = 0; c->buflen = 0;
c->reqlen = 0; c->reqlen = 0;
c->tcplen = 0; c->tcplen = 0;
@ -80,6 +89,8 @@ void free_connection_partially(connection_t *c) {
c->outbuflen = 0; c->outbuflen = 0;
c->outbufsize = 0; c->outbufsize = 0;
c->outbufstart = 0; c->outbufstart = 0;
c->last_ping_time = 0;
c->last_flushed_time = 0;
if(c->inctx) { if(c->inctx) {
EVP_CIPHER_CTX_cleanup(c->inctx); EVP_CIPHER_CTX_cleanup(c->inctx);

View file

@ -35,7 +35,7 @@ typedef struct connection_status_t {
unsigned int pinged:1; /* sent ping */ unsigned int pinged:1; /* sent ping */
unsigned int active:1; /* 1 if active.. */ unsigned int active:1; /* 1 if active.. */
unsigned int connecting:1; /* 1 if we are waiting for a non-blocking connect() to finish */ unsigned int connecting:1; /* 1 if we are waiting for a non-blocking connect() to finish */
unsigned int termreq:1; /* the termination of this connection was requested */ unsigned int unused_termreq:1; /* the termination of this connection was requested */
unsigned int remove:1; /* Set to 1 if you want this connection removed */ unsigned int remove:1; /* Set to 1 if you want this connection removed */
unsigned int timeout:1; /* 1 if gotten timeout */ unsigned int timeout:1; /* 1 if gotten timeout */
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */ unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */

View file

@ -1,6 +1,6 @@
/* /*
graph.c -- graph algorithms graph.c -- graph algorithms
Copyright (C) 2001-2012 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2001-2013 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans 2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -287,13 +287,16 @@ static void sssp_bfs(void) {
subnet_update(n, NULL, n->status.reachable); subnet_update(n, NULL, n->status.reachable);
if(!n->status.reachable) if(!n->status.reachable) {
update_node_udp(n, NULL); update_node_udp(n, NULL);
else if(n->connection) memset(&n->status, 0, sizeof n->status);
n->options = 0;
} else if(n->connection) {
send_ans_key(n); send_ans_key(n);
} }
} }
} }
}
void graph(void) { void graph(void) {
subnet_cache_flush(); subnet_cache_flush();
@ -315,7 +318,7 @@ void dump_graph(void) {
node_t *n; node_t *n;
edge_t *e; edge_t *e;
char *filename = NULL, *tmpname = NULL; char *filename = NULL, *tmpname = NULL;
FILE *file; FILE *file, *pipe = NULL;
if(!graph_changed || !get_config_string(lookup_config(config_tree, "GraphDumpFile"), &filename)) if(!graph_changed || !get_config_string(lookup_config(config_tree, "GraphDumpFile"), &filename))
return; return;
@ -325,7 +328,7 @@ void dump_graph(void) {
ifdebug(PROTOCOL) logger(LOG_NOTICE, "Dumping graph"); ifdebug(PROTOCOL) logger(LOG_NOTICE, "Dumping graph");
if(filename[0] == '|') { if(filename[0] == '|') {
file = popen(filename + 1, "w"); file = pipe = popen(filename + 1, "w");
} else { } else {
xasprintf(&tmpname, "%s.new", filename); xasprintf(&tmpname, "%s.new", filename);
file = fopen(tmpname, "w"); file = fopen(tmpname, "w");
@ -353,8 +356,8 @@ void dump_graph(void) {
fprintf(file, "}\n"); fprintf(file, "}\n");
if(filename[0] == '|') { if(pipe) {
pclose(file); pclose(pipe);
} else { } else {
fclose(file); fclose(file);
#ifdef HAVE_MINGW #ifdef HAVE_MINGW

View file

@ -155,6 +155,7 @@ static bool read_packet(vpn_packet_t *packet) {
return false; return false;
} }
memset(packet->data, 0, 12);
packet->len = lenin + 10; packet->len = lenin + 10;
break; break;
case DEVICE_TYPE_TAP: case DEVICE_TYPE_TAP:

View file

@ -1,6 +1,6 @@
/* /*
meta.c -- handle the meta communication meta.c -- handle the meta communication
Copyright (C) 2000-2009 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans 2000-2005 Ivo Timmermans
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
@ -177,15 +177,45 @@ bool receive_meta(connection_t *c) {
if(c->tcplen) { if(c->tcplen) {
if(c->tcplen <= c->buflen) { if(c->tcplen <= c->buflen) {
if(proxytype == PROXY_SOCKS4 && c->allow_request == ID) { if(!c->node) {
if(c->outgoing && proxytype == PROXY_SOCKS4 && c->allow_request == ID) {
if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) { if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) {
logger(LOG_DEBUG, "Proxy request granted"); logger(LOG_DEBUG, "Proxy request granted");
} else { } else {
logger(LOG_ERR, "Proxy request rejected"); logger(LOG_ERR, "Proxy request rejected");
return false; return false;
} }
} else } else if(c->outgoing && proxytype == PROXY_SOCKS5 && c->allow_request == ID) {
if(c->buffer[0] != 5) {
logger(LOG_ERR, "Invalid response from proxy server");
return false;
}
if(c->buffer[1] == (char)0xff) {
logger(LOG_ERR, "Proxy request rejected: unsuitable authentication method");
return false;
}
if(c->buffer[2] != 5) {
logger(LOG_ERR, "Invalid response from proxy server");
return false;
}
if(c->buffer[3] == 0) {
logger(LOG_DEBUG, "Proxy request granted");
} else {
logger(LOG_DEBUG, "Proxy request rejected");
return false;
}
} else {
logger(LOG_ERR, "c->tcplen set but c->node is NULL!");
abort();
}
} else {
if(c->allow_request == ALL) {
receive_tcppacket(c, c->buffer, c->tcplen); receive_tcppacket(c, c->buffer, c->tcplen);
} else {
logger(LOG_ERR, "Got unauthorized TCP packet from %s (%s)", c->name, c->hostname);
return false;
}
}
c->buflen -= c->tcplen; c->buflen -= c->tcplen;
lenin -= c->tcplen - oldlen; lenin -= c->tcplen - oldlen;

View file

@ -1,7 +1,7 @@
/* /*
device.c -- Interaction with Windows tap driver in a MinGW environment device.c -- Interaction with Windows tap driver in a MinGW environment
Copyright (C) 2002-2005 Ivo Timmermans, Copyright (C) 2002-2005 Ivo Timmermans,
2002-2011 Guus Sliepen <guus@tinc-vpn.org> 2002-2013 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -46,7 +46,7 @@ extern char *myport;
static DWORD WINAPI tapreader(void *bla) { static DWORD WINAPI tapreader(void *bla) {
int status; int status;
long len; DWORD len;
OVERLAPPED overlapped; OVERLAPPED overlapped;
vpn_packet_t packet; vpn_packet_t packet;
@ -91,7 +91,7 @@ static bool setup_device(void) {
char adapterid[1024]; char adapterid[1024];
char adaptername[1024]; char adaptername[1024];
char tapname[1024]; char tapname[1024];
long len; DWORD len;
unsigned long status; unsigned long status;
bool found = false; bool found = false;
@ -122,7 +122,7 @@ static bool setup_device(void) {
continue; continue;
len = sizeof(adaptername); len = sizeof(adaptername);
err = RegQueryValueEx(key2, "Name", 0, 0, adaptername, &len); err = RegQueryValueEx(key2, "Name", 0, 0, (LPBYTE)adaptername, &len);
RegCloseKey(key2); RegCloseKey(key2);
@ -222,7 +222,7 @@ static bool read_packet(vpn_packet_t *packet) {
} }
static bool write_packet(vpn_packet_t *packet) { static bool write_packet(vpn_packet_t *packet) {
long lenout; DWORD lenout;
OVERLAPPED overlapped = {0}; OVERLAPPED overlapped = {0};
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s", ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",

View file

@ -1,7 +1,7 @@
/* /*
device.c -- multicast socket device.c -- multicast socket
Copyright (C) 2002-2005 Ivo Timmermans, Copyright (C) 2002-2005 Ivo Timmermans,
2002-2012 Guus Sliepen <guus@tinc-vpn.org> 2002-2013 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -158,7 +158,7 @@ static void close_device(void) {
static bool read_packet(vpn_packet_t *packet) { static bool read_packet(vpn_packet_t *packet) {
int lenin; int lenin;
if((lenin = recv(device_fd, packet->data, MTU, 0)) <= 0) { if((lenin = recv(device_fd, (void *)packet->data, MTU, 0)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno)); device, strerror(errno));
return false; return false;
@ -184,7 +184,7 @@ static bool write_packet(vpn_packet_t *packet) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s", ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
packet->len, device_info); packet->len, device_info);
if(sendto(device_fd, packet->data, packet->len, 0, ai->ai_addr, ai->ai_addrlen) < 0) { if(sendto(device_fd, (void *)packet->data, packet->len, 0, ai->ai_addr, ai->ai_addrlen) < 0) {
logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device,
strerror(errno)); strerror(errno));
return false; return false;

View file

@ -1,7 +1,7 @@
/* /*
net_packet.c -- Handles in- and outgoing VPN packets net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu> 2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com> 2010 Brandon Black <blblack@gmail.com>
@ -70,11 +70,15 @@ bool localdiscovery = false;
mtuprobes == 32: send 1 burst, sleep pingtimeout second mtuprobes == 32: send 1 burst, sleep pingtimeout second
mtuprobes == 33: no response from other side, restart PMTU discovery process mtuprobes == 33: no response from other side, restart PMTU discovery process
Probes are sent in batches of three, with random sizes between the lower and Probes are sent in batches of at least three, with random sizes between the
upper boundaries for the MTU thus far discovered. lower and upper boundaries for the MTU thus far discovered.
In case local discovery is enabled, a fourth packet is added to each batch, After the initial discovery, a fourth packet is added to each batch with a
size larger than the currently known PMTU, to test if the PMTU has increased.
In case local discovery is enabled, another packet is added to each batch,
which will be broadcast to the local network. which will be broadcast to the local network.
*/ */
void send_mtu_probe(node_t *n) { void send_mtu_probe(node_t *n) {
@ -126,11 +130,16 @@ void send_mtu_probe(node_t *n) {
timeout = pingtimeout; timeout = pingtimeout;
} }
for(i = 0; i < 3 + localdiscovery; i++) { for(i = 0; i < 4 + localdiscovery; i++) {
if(n->maxmtu <= n->minmtu) if(i == 0) {
if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
continue;
len = n->maxmtu + 8;
} else if(n->maxmtu <= n->minmtu) {
len = n->maxmtu; len = n->maxmtu;
else } else {
len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu); len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
}
if(len < 64) if(len < 64)
len = 64; len = 64;
@ -138,7 +147,7 @@ void send_mtu_probe(node_t *n) {
memset(packet.data, 0, 14); memset(packet.data, 0, 14);
RAND_pseudo_bytes(packet.data + 14, len - 14); RAND_pseudo_bytes(packet.data + 14, len - 14);
packet.len = len; packet.len = len;
if(i >= 3 && n->mtuprobes <= 10) if(i >= 4 && n->mtuprobes <= 10)
packet.priority = -1; packet.priority = -1;
else else
packet.priority = 0; packet.priority = 0;
@ -164,6 +173,13 @@ void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
send_udppacket(n, packet); send_udppacket(n, packet);
} else { } else {
if(n->mtuprobes > 30) { if(n->mtuprobes > 30) {
if (len == n->maxmtu + 8) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
n->maxmtu = MTU;
n->mtuprobes = 10;
return;
}
if(n->minmtu) if(n->minmtu)
n->mtuprobes = 30; n->mtuprobes = 30;
else else
@ -378,6 +394,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
void receive_tcppacket(connection_t *c, const char *buffer, int len) { void receive_tcppacket(connection_t *c, const char *buffer, int len) {
vpn_packet_t outpkt; vpn_packet_t outpkt;
if(len > sizeof outpkt.data)
return;
outpkt.len = len; outpkt.len = len;
if(c->options & OPTION_TCPONLY) if(c->options & OPTION_TCPONLY)
outpkt.priority = 0; outpkt.priority = 0;
@ -500,17 +519,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
struct sockaddr *sa; struct sockaddr *sa;
socklen_t sl; socklen_t sl;
int sock; int sock;
sockaddr_t broadcast;
/* Overloaded use of priority field: -1 means local broadcast */ /* Overloaded use of priority field: -1 means local broadcast */
if(origpriority == -1 && n->prevedge) { if(origpriority == -1 && n->prevedge) {
struct sockaddr_in in; sock = rand() % listen_sockets;
in.sin_family = AF_INET; memset(&broadcast, 0, sizeof broadcast);
in.sin_addr.s_addr = -1; if(listen_socket[sock].sa.sa.sa_family == AF_INET6) {
in.sin_port = n->prevedge->address.in.sin_port; broadcast.in6.sin6_family = AF_INET6;
sa = (struct sockaddr *)&in; broadcast.in6.sin6_addr.s6_addr[0x0] = 0xff;
sl = sizeof in; broadcast.in6.sin6_addr.s6_addr[0x1] = 0x02;
sock = 0; broadcast.in6.sin6_addr.s6_addr[0xf] = 0x01;
broadcast.in6.sin6_port = n->prevedge->address.in.sin_port;
broadcast.in6.sin6_scope_id = listen_socket[sock].sa.in6.sin6_scope_id;
} else {
broadcast.in.sin_family = AF_INET;
broadcast.in.sin_addr.s_addr = -1;
broadcast.in.sin_port = n->prevedge->address.in.sin_port;
}
sa = &broadcast.sa;
sl = SALEN(broadcast.sa);
} else { } else {
if(origpriority == -1) if(origpriority == -1)
origpriority = 0; origpriority = 0;

View file

@ -1,7 +1,7 @@
/* /*
net_setup.c -- Setup. net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com> 2010 Brandon Black <blblack@gmail.com>
@ -55,7 +55,8 @@ proxytype_t proxytype;
bool read_rsa_public_key(connection_t *c) { bool read_rsa_public_key(connection_t *c) {
FILE *fp; FILE *fp;
char *fname; char *pubname;
char *hcfname;
char *key; char *key;
if(!c->rsa_key) { if(!c->rsa_key) {
@ -66,7 +67,10 @@ bool read_rsa_public_key(connection_t *c) {
/* First, check for simple PublicKey statement */ /* First, check for simple PublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) { if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
BN_hex2bn(&c->rsa_key->n, key); if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
return false;
}
BN_hex2bn(&c->rsa_key->e, "FFFF"); BN_hex2bn(&c->rsa_key->e, "FFFF");
free(key); free(key);
return true; return true;
@ -74,80 +78,79 @@ bool read_rsa_public_key(connection_t *c) {
/* Else, check for PublicKeyFile statement and read it */ /* Else, check for PublicKeyFile statement and read it */
if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) { if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &pubname)) {
fp = fopen(fname, "r"); fp = fopen(pubname, "r");
if(!fp) { if(!fp) {
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
fname, strerror(errno)); free(pubname);
free(fname);
return false; return false;
} }
free(fname);
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL); c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
fclose(fp); fclose(fp);
if(c->rsa_key) if(c->rsa_key) {
free(pubname);
return true; /* Woohoo. */ return true; /* Woohoo. */
}
/* If it fails, try PEM_read_RSA_PUBKEY. */ /* If it fails, try PEM_read_RSA_PUBKEY. */
fp = fopen(fname, "r"); fp = fopen(pubname, "r");
if(!fp) { if(!fp) {
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
fname, strerror(errno)); free(pubname);
free(fname);
return false; return false;
} }
free(fname);
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL); c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
fclose(fp); fclose(fp);
if(c->rsa_key) { if(c->rsa_key) {
// RSA_blinding_on(c->rsa_key, NULL); // RSA_blinding_on(c->rsa_key, NULL);
free(pubname);
return true; return true;
} }
logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", pubname, strerror(errno));
fname, strerror(errno)); free(pubname);
return false; return false;
} }
/* Else, check if a harnessed public key is in the config file */ /* Else, check if a harnessed public key is in the config file */
xasprintf(&fname, "%s/hosts/%s", confbase, c->name); xasprintf(&hcfname, "%s/hosts/%s", confbase, c->name);
fp = fopen(fname, "r"); fp = fopen(hcfname, "r");
if(!fp) { if(!fp) {
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno)); logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
free(fname); free(hcfname);
return false; return false;
} }
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL); c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
fclose(fp); fclose(fp);
free(fname);
if(c->rsa_key) if(c->rsa_key) {
free(hcfname);
return true; return true;
}
/* Try again with PEM_read_RSA_PUBKEY. */ /* Try again with PEM_read_RSA_PUBKEY. */
xasprintf(&fname, "%s/hosts/%s", confbase, c->name); fp = fopen(hcfname, "r");
fp = fopen(fname, "r");
if(!fp) { if(!fp) {
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno)); logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
free(fname); free(hcfname);
return false; return false;
} }
free(hcfname);
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL); c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
// RSA_blinding_on(c->rsa_key, NULL); // RSA_blinding_on(c->rsa_key, NULL);
fclose(fp); fclose(fp);
free(fname);
if(c->rsa_key) if(c->rsa_key)
return true; return true;
@ -160,7 +163,6 @@ bool read_rsa_public_key(connection_t *c) {
static bool read_rsa_private_key(void) { static bool read_rsa_private_key(void) {
FILE *fp; FILE *fp;
char *fname, *key, *pubkey; char *fname, *key, *pubkey;
struct stat s;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) { if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
@ -169,8 +171,14 @@ static bool read_rsa_private_key(void) {
} }
myself->connection->rsa_key = RSA_new(); myself->connection->rsa_key = RSA_new();
// RSA_blinding_on(myself->connection->rsa_key, NULL); // RSA_blinding_on(myself->connection->rsa_key, NULL);
BN_hex2bn(&myself->connection->rsa_key->d, key); if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
BN_hex2bn(&myself->connection->rsa_key->n, pubkey); logger(LOG_ERR, "Invalid PrivateKey for myself!");
return false;
}
if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
logger(LOG_ERR, "Invalid PublicKey for myself!");
return false;
}
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF"); BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
free(key); free(key);
free(pubkey); free(pubkey);
@ -190,6 +198,8 @@ static bool read_rsa_private_key(void) {
} }
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN) #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
struct stat s;
if(fstat(fileno(fp), &s)) { if(fstat(fileno(fp), &s)) {
logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'", logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
fname, strerror(errno)); fname, strerror(errno));
@ -290,7 +300,7 @@ char *get_name(void) {
fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1); fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
return false; return false;
} }
envname = alloca(32); char envname[32];
if(gethostname(envname, 32)) { if(gethostname(envname, 32)) {
fprintf(stderr, "Could not get hostname: %s\n", strerror(errno)); fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
return false; return false;

View file

@ -1,7 +1,7 @@
/* /*
net_socket.c -- Handle various kinds of sockets. net_socket.c -- Handle various kinds of sockets.
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2009 Florian Forster <octo@verplant.org> 2009 Florian Forster <octo@verplant.org>
@ -64,7 +64,7 @@ static void configure_tcp(connection_t *c) {
unsigned long arg = 1; unsigned long arg = 1;
if(ioctlsocket(c->socket, FIONBIO, &arg) != 0) { if(ioctlsocket(c->socket, FIONBIO, &arg) != 0) {
logger(LOG_ERR, "ioctlsocket for %s: %d", c->hostname, sockstrerror(sockerrno)); logger(LOG_ERR, "ioctlsocket for %s: %s", c->hostname, sockstrerror(sockerrno));
} }
#endif #endif
@ -294,9 +294,6 @@ void retry_outgoing(outgoing_t *outgoing) {
void finish_connecting(connection_t *c) { void finish_connecting(connection_t *c) {
ifdebug(CONNECTIONS) logger(LOG_INFO, "Connected to %s (%s)", c->name, c->hostname); ifdebug(CONNECTIONS) logger(LOG_INFO, "Connected to %s (%s)", c->name, c->hostname);
if(proxytype != PROXY_EXEC)
configure_tcp(c);
c->last_ping_time = now; c->last_ping_time = now;
send_id(c); send_id(c);
@ -419,6 +416,7 @@ begin:
goto begin; goto begin;
ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport); ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport);
c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP); c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP);
configure_tcp(c);
} }
if(c->socket == -1) { if(c->socket == -1) {

View file

@ -1,7 +1,7 @@
/* /*
process.c -- process management functions process.c -- process management functions
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2011 Guus Sliepen <guus@tinc-vpn.org> 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -47,8 +47,6 @@ extern bool use_logfile;
static sigset_t emptysigset; static sigset_t emptysigset;
#endif #endif
static int saved_debug_level = -1;
static void memory_full(int size) { static void memory_full(int size) {
logger(LOG_ERR, "Memory exhausted (couldn't allocate %d bytes), exitting.", size); logger(LOG_ERR, "Memory exhausted (couldn't allocate %d bytes), exitting.", size);
exit(1); exit(1);
@ -167,7 +165,7 @@ DWORD WINAPI controlhandler(DWORD request, DWORD type, LPVOID boe, LPVOID bah) {
logger(LOG_NOTICE, "Got %s request", "SERVICE_CONTROL_SHUTDOWN"); logger(LOG_NOTICE, "Got %s request", "SERVICE_CONTROL_SHUTDOWN");
break; break;
default: default:
logger(LOG_WARNING, "Got unexpected request %d", request); logger(LOG_WARNING, "Got unexpected request %d", (int)request);
return ERROR_CALL_NOT_IMPLEMENTED; return ERROR_CALL_NOT_IMPLEMENTED;
} }
@ -187,10 +185,8 @@ DWORD WINAPI controlhandler(DWORD request, DWORD type, LPVOID boe, LPVOID bah) {
} }
VOID WINAPI run_service(DWORD argc, LPTSTR* argv) { VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
int err = 1;
extern int main2(int argc, char **argv); extern int main2(int argc, char **argv);
status.dwServiceType = SERVICE_WIN32; status.dwServiceType = SERVICE_WIN32;
status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN; status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
status.dwWin32ExitCode = 0; status.dwWin32ExitCode = 0;
@ -201,7 +197,6 @@ VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
if (!statushandle) { if (!statushandle) {
logger(LOG_ERR, "System call `%s' failed: %s", "RegisterServiceCtrlHandlerEx", winerror(GetLastError())); logger(LOG_ERR, "System call `%s' failed: %s", "RegisterServiceCtrlHandlerEx", winerror(GetLastError()));
err = 1;
} else { } else {
status.dwWaitHint = 30000; status.dwWaitHint = 30000;
status.dwCurrentState = SERVICE_START_PENDING; status.dwCurrentState = SERVICE_START_PENDING;
@ -211,11 +206,10 @@ VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
status.dwCurrentState = SERVICE_RUNNING; status.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus(statushandle, &status); SetServiceStatus(statushandle, &status);
err = main2(argc, argv); main2(argc, argv);
status.dwWaitHint = 0; status.dwWaitHint = 0;
status.dwCurrentState = SERVICE_STOPPED; status.dwCurrentState = SERVICE_STOPPED;
//status.dwWin32ExitCode = err;
SetServiceStatus(statushandle, &status); SetServiceStatus(statushandle, &status);
} }
@ -358,6 +352,7 @@ bool execute_script(const char *name, char **envp) {
int status, len; int status, len;
char *scriptname; char *scriptname;
int i; int i;
char *interpreter = NULL;
#ifndef HAVE_MINGW #ifndef HAVE_MINGW
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name); len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
@ -369,14 +364,22 @@ bool execute_script(const char *name, char **envp) {
scriptname[len - 1] = '\0'; scriptname[len - 1] = '\0';
#ifndef HAVE_TUNEMU
/* First check if there is a script */ /* First check if there is a script */
if(access(scriptname + 1, F_OK)) { if(access(scriptname + 1, F_OK)) {
free(scriptname); free(scriptname);
return true; return true;
} }
#endif
// Custom scripts interpreter
if(get_config_string(lookup_config(config_tree, "ScriptsInterpreter"), &interpreter)) {
// Force custom scripts interpreter allowing execution of scripts on android without execution flag (such as on /sdcard)
free(scriptname);
len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name);
free(interpreter);
if(len < 0)
return false;
}
ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name); ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name);
@ -404,8 +407,8 @@ bool execute_script(const char *name, char **envp) {
} }
} }
#ifdef WEXITSTATUS
if(status != -1) { if(status != -1) {
#ifdef WEXITSTATUS
if(WIFEXITED(status)) { /* Child exited by itself */ if(WIFEXITED(status)) { /* Child exited by itself */
if(WEXITSTATUS(status)) { if(WEXITSTATUS(status)) {
logger(LOG_ERR, "Script %s exited with non-zero status %d", logger(LOG_ERR, "Script %s exited with non-zero status %d",
@ -420,11 +423,11 @@ bool execute_script(const char *name, char **envp) {
logger(LOG_ERR, "Script %s terminated abnormally", name); logger(LOG_ERR, "Script %s terminated abnormally", name);
return false; return false;
} }
#endif
} else { } else {
logger(LOG_ERR, "System call `%s' failed: %s", "system", strerror(errno)); logger(LOG_ERR, "System call `%s' failed: %s", "system", strerror(errno));
return false; return false;
} }
#endif
#endif #endif
return true; return true;
} }
@ -485,6 +488,8 @@ static RETSIGTYPE sighup_handler(int a) {
} }
static RETSIGTYPE sigint_handler(int a) { static RETSIGTYPE sigint_handler(int a) {
static int saved_debug_level = -1;
logger(LOG_NOTICE, "Got %s signal", "INT"); logger(LOG_NOTICE, "Got %s signal", "INT");
if(saved_debug_level != -1) { if(saved_debug_level != -1) {

View file

@ -1,7 +1,7 @@
/* /*
protocol.c -- handle the meta-protocol, basic functions protocol.c -- handle the meta-protocol, basic functions
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -125,7 +125,7 @@ void forward_request(connection_t *from) {
bool receive_request(connection_t *c) { bool receive_request(connection_t *c) {
int request; int request;
if(proxytype == PROXY_HTTP && c->allow_request == ID) { if(c->outgoing && proxytype == PROXY_HTTP && c->allow_request == ID) {
if(!c->buffer[0] || c->buffer[0] == '\r') if(!c->buffer[0] || c->buffer[0] == '\r')
return true; return true;
if(!strncasecmp(c->buffer, "HTTP/1.1 ", 9)) { if(!strncasecmp(c->buffer, "HTTP/1.1 ", 9)) {

View file

@ -1,7 +1,7 @@
/* /*
protocol_auth.c -- handle the meta-protocol, authentication protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -126,7 +126,7 @@ static bool send_proxyrequest(connection_t *c) {
} }
bool send_id(connection_t *c) { bool send_id(connection_t *c) {
if(proxytype) if(proxytype && c->outgoing)
if(!send_proxyrequest(c)) if(!send_proxyrequest(c))
return false; return false;
@ -244,8 +244,8 @@ bool send_metakey(connection_t *c) {
*/ */
if(RSA_public_encrypt(len, (unsigned char *)c->outkey, (unsigned char *)buffer, c->rsa_key, RSA_NO_PADDING) != len) { if(RSA_public_encrypt(len, (unsigned char *)c->outkey, (unsigned char *)buffer, c->rsa_key, RSA_NO_PADDING) != len) {
logger(LOG_ERR, "Error during encryption of meta key for %s (%s)", logger(LOG_ERR, "Error during encryption of meta key for %s (%s): %s",
c->name, c->hostname); c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false; return false;
} }
@ -308,13 +308,16 @@ bool metakey_h(connection_t *c) {
/* Convert the challenge from hexadecimal back to binary */ /* Convert the challenge from hexadecimal back to binary */
hex2bin(buffer, buffer, len); if(!hex2bin(buffer, buffer, len)) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "METAKEY", c->name, c->hostname, "invalid key");
return false;
}
/* Decrypt the meta key */ /* Decrypt the meta key */
if(RSA_private_decrypt(len, (unsigned char *)buffer, (unsigned char *)c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */ if(RSA_private_decrypt(len, (unsigned char *)buffer, (unsigned char *)c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */
logger(LOG_ERR, "Error during decryption of meta key for %s (%s)", logger(LOG_ERR, "Error during decryption of meta key for %s (%s): %s",
c->name, c->hostname); c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false; return false;
} }
@ -426,7 +429,10 @@ bool challenge_h(connection_t *c) {
/* Convert the challenge from hexadecimal back to binary */ /* Convert the challenge from hexadecimal back to binary */
hex2bin(buffer, c->mychallenge, len); if(!hex2bin(buffer, c->mychallenge, len)) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHALLENGE", c->name, c->hostname, "invalid challenge");
return false;
}
c->allow_request = CHAL_REPLY; c->allow_request = CHAL_REPLY;
@ -480,7 +486,10 @@ bool chal_reply_h(connection_t *c) {
/* Convert the hash to binary format */ /* Convert the hash to binary format */
hex2bin(hishash, hishash, c->outdigest->md_size); if(!hex2bin(hishash, hishash, c->outdigest->md_size)) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
return false;
}
/* Calculate the hash from the challenge we sent */ /* Calculate the hash from the challenge we sent */

View file

@ -240,10 +240,16 @@ bool ans_key_h(connection_t *c) {
return send_request(to->nexthop->connection, "%s", c->buffer); return send_request(to->nexthop->connection, "%s", c->buffer);
} }
/* Don't use key material until every check has passed. */
from->status.validkey = false;
/* Update our copy of the origin's packet key */ /* Update our copy of the origin's packet key */
from->outkey = xrealloc(from->outkey, strlen(key) / 2); from->outkey = xrealloc(from->outkey, strlen(key) / 2);
from->outkeylength = strlen(key) / 2; from->outkeylength = strlen(key) / 2;
hex2bin(key, from->outkey, from->outkeylength); if(!hex2bin(key, from->outkey, from->outkeylength)) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "ANS_KEY", from->name, from->hostname, "invalid key");
return true;
}
/* Check and lookup cipher and digest algorithms */ /* Check and lookup cipher and digest algorithms */

View file

@ -1,7 +1,7 @@
/* /*
route.c -- routing route.c -- routing
Copyright (C) 2000-2005 Ivo Timmermans, Copyright (C) 2000-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -110,15 +110,22 @@ static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *pac
mtu = via->mtu; mtu = via->mtu;
/* Find TCP header */ /* Find TCP header */
int start = 0; int start = ether_size;
uint16_t type = packet->data[12] << 8 | packet->data[13]; uint16_t type = packet->data[12] << 8 | packet->data[13];
if(type == ETH_P_IP && packet->data[23] == 6) if(type == ETH_P_8021Q) {
start = 14 + (packet->data[14] & 0xf) * 4; start += 4;
else if(type == ETH_P_IPV6 && packet->data[20] == 6) type = packet->data[16] << 8 | packet->data[17];
start = 14 + 40; }
if(!start || packet->len <= start + 20) if(type == ETH_P_IP && packet->data[start + 9] == 6)
start += (packet->data[start] & 0xf) * 4;
else if(type == ETH_P_IPV6 && packet->data[start + 6] == 6)
start += 40;
else
return;
if(packet->len <= start + 20)
return; return;
/* Use data offset field to calculate length of options field */ /* Use data offset field to calculate length of options field */
@ -244,7 +251,7 @@ void age_subnets(void) {
/* RFC 792 */ /* RFC 792 */
static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, uint8_t type, uint8_t code) { static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
struct ip ip = {0}; struct ip ip = {0};
struct icmp icmp = {0}; struct icmp icmp = {0};
@ -317,7 +324,7 @@ static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, uint8_t
/* RFC 791 */ /* RFC 791 */
static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet) { static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t ether_size) {
struct ip ip; struct ip ip;
vpn_packet_t fragment; vpn_packet_t fragment;
int len, maxlen, todo; int len, maxlen, todo;
@ -333,7 +340,7 @@ static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet) {
todo = ntohs(ip.ip_len) - ip_size; todo = ntohs(ip.ip_len) - ip_size;
if(ether_size + ip_size + todo != packet->len) { if(ether_size + ip_size + todo != packet->len) {
ifdebug(TRAFFIC) logger(LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%zd)", packet->len, ether_size + ip_size + todo); ifdebug(TRAFFIC) logger(LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
return; return;
} }
@ -381,7 +388,7 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
dest.x[2], dest.x[2],
dest.x[3]); dest.x[3]);
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN); route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
return; return;
} }
@ -391,10 +398,10 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
} }
if(!subnet->owner->status.reachable) if(!subnet->owner->status.reachable)
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNREACH); return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself) if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO); return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
if(priorityinheritance) if(priorityinheritance)
packet->priority = packet->data[15]; packet->priority = packet->data[15];
@ -407,15 +414,15 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
} }
if(directonly && subnet->owner != via) if(directonly && subnet->owner != via)
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO); return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
if(via && packet->len > MAX(via->mtu, 590) && via != myself) { if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu); ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
if(packet->data[20] & 0x40) { if(packet->data[20] & 0x40) {
packet->len = MAX(via->mtu, 590); packet->len = MAX(via->mtu, 590);
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED); route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
} else { } else {
fragment_ipv4_packet(via, packet); fragment_ipv4_packet(via, packet, ether_size);
} }
return; return;
@ -442,7 +449,7 @@ static void route_ipv4(node_t *source, vpn_packet_t *packet) {
/* RFC 2463 */ /* RFC 2463 */
static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, uint8_t type, uint8_t code) { static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
struct ip6_hdr ip6; struct ip6_hdr ip6;
struct icmp6_hdr icmp6 = {0}; struct icmp6_hdr icmp6 = {0};
uint16_t checksum; uint16_t checksum;
@ -540,7 +547,7 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
ntohs(dest.x[6]), ntohs(dest.x[6]),
ntohs(dest.x[7])); ntohs(dest.x[7]));
route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR); route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
return; return;
} }
@ -550,10 +557,10 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
} }
if(!subnet->owner->status.reachable) if(!subnet->owner->status.reachable)
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE); return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself) if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN); return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via; via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
@ -563,12 +570,12 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
} }
if(directonly && subnet->owner != via) if(directonly && subnet->owner != via)
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN); return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
if(via && packet->len > MAX(via->mtu, 1294) && via != myself) { if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu); ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
packet->len = MAX(via->mtu, 1294); packet->len = MAX(via->mtu, 1294);
route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0); route_ipv6_unreachable(source, packet, ether_size, ICMP6_PACKET_TOO_BIG, 0);
return; return;
} }
@ -829,6 +836,11 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself) if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
return; return;
uint16_t type = packet->data[12] << 8 | packet->data[13];
if(priorityinheritance && type == ETH_P_IP && packet->len >= ether_size + ip_size)
packet->priority = packet->data[15];
// Handle packets larger than PMTU // Handle packets larger than PMTU
node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via; node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
@ -838,18 +850,24 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
if(via && packet->len > via->mtu && via != myself) { if(via && packet->len > via->mtu && via != myself) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu); ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
uint16_t type = packet->data[12] << 8 | packet->data[13]; length_t ethlen = 14;
if(type == ETH_P_IP && packet->len > 590) {
if(packet->data[20] & 0x40) { if(type == ETH_P_8021Q) {
type = packet->data[16] << 8 | packet->data[17];
ethlen += 4;
}
if(type == ETH_P_IP && packet->len > 576 + ethlen) {
if(packet->data[6 + ethlen] & 0x40) {
packet->len = via->mtu; packet->len = via->mtu;
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED); route_ipv4_unreachable(source, packet, ethlen, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
} else { } else {
fragment_ipv4_packet(via, packet); fragment_ipv4_packet(via, packet, ethlen);
} }
return; return;
} else if(type == ETH_P_IPV6 && packet->len > 1294) { } else if(type == ETH_P_IPV6 && packet->len > 1280 + ethlen) {
packet->len = via->mtu; packet->len = via->mtu;
route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0); route_ipv6_unreachable(source, packet, ethlen, ICMP6_PACKET_TOO_BIG, 0);
return; return;
} }
} }
@ -861,42 +879,48 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) { static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
uint16_t type = packet->data[12] << 8 | packet->data[13]; uint16_t type = packet->data[12] << 8 | packet->data[13];
length_t ethlen = ether_size;
if(type == ETH_P_8021Q) {
type = packet->data[16] << 8 | packet->data[17];
ethlen += 4;
}
switch (type) { switch (type) {
case ETH_P_IP: case ETH_P_IP:
if(!checklength(source, packet, 14 + 32)) if(!checklength(source, packet, ethlen + ip_size))
return false; return false;
if(packet->data[22] < 1) { if(packet->data[ethlen + 8] < 1) {
if(packet->data[25] != IPPROTO_ICMP || packet->data[46] != ICMP_TIME_EXCEEDED) if(packet->data[ethlen + 11] != IPPROTO_ICMP || packet->data[ethlen + 32] != ICMP_TIME_EXCEEDED)
route_ipv4_unreachable(source, packet, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL); route_ipv4_unreachable(source, packet, ethlen, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
return false; return false;
} }
uint16_t old = packet->data[22] << 8 | packet->data[23]; uint16_t old = packet->data[ethlen + 8] << 8 | packet->data[ethlen + 9];
packet->data[22]--; packet->data[ethlen + 8]--;
uint16_t new = packet->data[22] << 8 | packet->data[23]; uint16_t new = packet->data[ethlen + 8] << 8 | packet->data[ethlen + 9];
uint32_t checksum = packet->data[24] << 8 | packet->data[25]; uint32_t checksum = packet->data[ethlen + 10] << 8 | packet->data[ethlen + 11];
checksum += old + (~new & 0xFFFF); checksum += old + (~new & 0xFFFF);
while(checksum >> 16) while(checksum >> 16)
checksum = (checksum & 0xFFFF) + (checksum >> 16); checksum = (checksum & 0xFFFF) + (checksum >> 16);
packet->data[24] = checksum >> 8; packet->data[ethlen + 10] = checksum >> 8;
packet->data[25] = checksum & 0xff; packet->data[ethlen + 11] = checksum & 0xff;
return true; return true;
case ETH_P_IPV6: case ETH_P_IPV6:
if(!checklength(source, packet, 14 + 40)) if(!checklength(source, packet, ethlen + ip6_size))
return false; return false;
if(packet->data[21] < 1) { if(packet->data[ethlen + 7] < 1) {
if(packet->data[20] != IPPROTO_ICMPV6 || packet->data[54] != ICMP6_TIME_EXCEEDED) if(packet->data[ethlen + 6] != IPPROTO_ICMPV6 || packet->data[ethlen + 40] != ICMP6_TIME_EXCEEDED)
route_ipv6_unreachable(source, packet, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT); route_ipv6_unreachable(source, packet, ethlen, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
return false; return false;
} }
packet->data[21]--; packet->data[ethlen + 7]--;
return true; return true;

View file

@ -151,6 +151,7 @@ static bool read_packet(vpn_packet_t *packet) {
return false; return false;
} }
memset(packet->data, 0, 12);
packet->len = lenin + 14; packet->len = lenin + 14;
device_total_in += packet->len; device_total_in += packet->len;

View file

@ -1,7 +1,7 @@
/* /*
tincd.c -- the main file for tincd tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2008 Max Rijevski <maksuf@gmail.com> 2008 Max Rijevski <maksuf@gmail.com>
2009 Michael Tokarev <mjt@tls.msk.ru> 2009 Michael Tokarev <mjt@tls.msk.ru>
2010 Julien Muchembled <jm@jmuchemb.eu> 2010 Julien Muchembled <jm@jmuchemb.eu>
@ -338,7 +338,7 @@ static bool keygen(int bits) {
RSA *rsa_key; RSA *rsa_key;
FILE *f; FILE *f;
char *name = get_name(); char *name = get_name();
char *filename; char *pubname, *privname;
fprintf(stderr, "Generating %d bits keys:\n", bits); fprintf(stderr, "Generating %d bits keys:\n", bits);
rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL); rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
@ -349,8 +349,9 @@ static bool keygen(int bits) {
} else } else
fprintf(stderr, "Done.\n"); fprintf(stderr, "Done.\n");
xasprintf(&filename, "%s/rsa_key.priv", confbase); xasprintf(&privname, "%s/rsa_key.priv", confbase);
f = ask_and_open(filename, "private RSA key"); f = ask_and_open(privname, "private RSA key");
free(privname);
if(!f) if(!f)
return false; return false;
@ -363,14 +364,14 @@ static bool keygen(int bits) {
fputc('\n', f); fputc('\n', f);
PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL); PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
fclose(f); fclose(f);
free(filename);
if(name) if(name)
xasprintf(&filename, "%s/hosts/%s", confbase, name); xasprintf(&pubname, "%s/hosts/%s", confbase, name);
else else
xasprintf(&filename, "%s/rsa_key.pub", confbase); xasprintf(&pubname, "%s/rsa_key.pub", confbase);
f = ask_and_open(filename, "public RSA key"); f = ask_and_open(pubname, "public RSA key");
free(pubname);
if(!f) if(!f)
return false; return false;
@ -378,7 +379,6 @@ static bool keygen(int bits) {
fputc('\n', f); fputc('\n', f);
PEM_write_RSAPublicKey(f, rsa_key); PEM_write_RSAPublicKey(f, rsa_key);
fclose(f); fclose(f);
free(filename);
free(name); free(name);
return true; return true;
@ -391,7 +391,7 @@ static void make_names(void) {
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
HKEY key; HKEY key;
char installdir[1024] = ""; char installdir[1024] = "";
long len = sizeof(installdir); DWORD len = sizeof(installdir);
#endif #endif
if(netname) if(netname)
@ -401,7 +401,7 @@ static void make_names(void) {
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) { if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
if(!RegQueryValueEx(key, NULL, 0, 0, installdir, &len)) { if(!RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)) {
if(!logfilename) if(!logfilename)
xasprintf(&logfilename, "%s/log/%s.log", identname); xasprintf(&logfilename, "%s/log/%s.log", identname);
if(!confbase) { if(!confbase) {
@ -467,8 +467,11 @@ static bool drop_privs() {
"initgroups", strerror(errno)); "initgroups", strerror(errno));
return false; return false;
} }
#ifndef __ANDROID__
// Not supported in android NDK
endgrent(); endgrent();
endpwent(); endpwent();
#endif
} }
if (do_chroot) { if (do_chroot) {
tzset(); /* for proper timestamps in logs */ tzset(); /* for proper timestamps in logs */
@ -510,7 +513,7 @@ int main(int argc, char **argv) {
if(show_version) { if(show_version) {
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE, printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
VERSION, __DATE__, __TIME__, PROT_CURRENT); VERSION, __DATE__, __TIME__, PROT_CURRENT);
printf("Copyright (C) 1998-2012 Ivo Timmermans, Guus Sliepen and others.\n" printf("Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n" "See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n" "and you are welcome to redistribute it under certain conditions;\n"