Import Debian changes 1.0.21-1
tinc (1.0.21-1) unstable; urgency=low * New upstream release. - Includes fix for CVE-2013-1428.
e8daab5950
41 changed files with 2394 additions and 11278 deletions
|
@ -6,7 +6,7 @@ SUBDIRS = m4 lib src doc
|
|||
|
||||
ACLOCAL_AMFLAGS = -I m4
|
||||
|
||||
EXTRA_DIST = have.h system.h COPYING.README
|
||||
EXTRA_DIST = have.h system.h COPYING.README README.android
|
||||
|
||||
ChangeLog:
|
||||
git log > ChangeLog
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||
|
@ -231,7 +231,7 @@ top_srcdir = @top_srcdir@
|
|||
AUTOMAKE_OPTIONS = gnu
|
||||
SUBDIRS = m4 lib src doc
|
||||
ACLOCAL_AMFLAGS = -I m4
|
||||
EXTRA_DIST = have.h system.h COPYING.README
|
||||
EXTRA_DIST = have.h system.h COPYING.README README.android
|
||||
all: config.h
|
||||
$(MAKE) $(AM_MAKEFLAGS) all-recursive
|
||||
|
||||
|
@ -544,7 +544,7 @@ distcheck: dist
|
|||
*.zip*) \
|
||||
unzip $(distdir).zip ;;\
|
||||
esac
|
||||
chmod -R a-w $(distdir); chmod a+w $(distdir)
|
||||
chmod -R a-w $(distdir); chmod u+w $(distdir)
|
||||
mkdir $(distdir)/_build
|
||||
mkdir $(distdir)/_inst
|
||||
chmod a-w $(distdir)
|
||||
|
|
32
NEWS
32
NEWS
|
@ -1,3 +1,30 @@
|
|||
Version 1.0.21 April 22 2013
|
||||
|
||||
* Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
|
||||
|
||||
Thanks to Martin Schobert for auditing tinc and reporting this vulnerability.
|
||||
|
||||
Version 1.0.20 March 03 2013
|
||||
|
||||
* Use /dev/tap0 by default on FreeBSD and NetBSD when using switch mode.
|
||||
|
||||
* Minor improvements and clarifications in the documentation.
|
||||
|
||||
* Allow tinc to be cross-compiled with Android's NDK.
|
||||
|
||||
* The discovered PMTU is now also applied to VLAN tagged traffic.
|
||||
|
||||
* The LocalDiscovery option now makes use of all addresses tinc is bound to.
|
||||
|
||||
* Fixed support for tunemu on iOS devices.
|
||||
|
||||
* The PriorityInheritance option now also works with switch mode.
|
||||
|
||||
* Fixed tinc crashing when using a SOCKS5 proxy.
|
||||
|
||||
Thanks to Mesar Hameed, Vilbrekin and Martin Schürrer for their contributions
|
||||
to this version of tinc.
|
||||
|
||||
Version 1.0.19 June 25 2012
|
||||
|
||||
* Allow :: notation in IPv6 Subnets.
|
||||
|
@ -9,6 +36,9 @@ Version 1.0.19 June 25 2012
|
|||
* Add basic support for SOCKS proxies, HTTP proxies, and proxying through an
|
||||
external command.
|
||||
|
||||
Thanks to Anthony G. Basile and Michael Tokarev for their contributions to
|
||||
this version of tinc.
|
||||
|
||||
Version 1.0.18 March 25 2012
|
||||
|
||||
* Fixed IPv6 in switch mode by turning off DecrementTTL by default.
|
||||
|
@ -35,6 +65,8 @@ Version 1.0.17 March 10 2012
|
|||
* Disabling old RSA keys when generating new ones now also works properly on
|
||||
Windows.
|
||||
|
||||
Thanks to Nick Hibma for his contribution to this version of tinc.
|
||||
|
||||
Version 1.0.16 July 23 2011
|
||||
|
||||
* Fixed a performance issue with TCP communication under Windows.
|
||||
|
|
10
README
10
README
|
@ -1,7 +1,7 @@
|
|||
This is the README file for tinc version 1.0.19. Installation
|
||||
This is the README file for tinc version 1.0.21. Installation
|
||||
instructions may be found in the INSTALL file.
|
||||
|
||||
tinc is Copyright (C) 1998-2012 by:
|
||||
tinc is Copyright (C) 1998-2013 by:
|
||||
|
||||
Ivo Timmermans,
|
||||
Guus Sliepen <guus@tinc-vpn.org>,
|
||||
|
@ -36,8 +36,8 @@ writeup describing various security issues in several VPN daemons. He showed
|
|||
that tinc lacks perfect forward security, the connection authentication could
|
||||
be done more properly, that the sequence number we use as an IV is not the best
|
||||
practice and that the default length of the HMAC for packets is too short in
|
||||
his opinion. We do not know of a way to exploit these weaknesses, but we will
|
||||
address these issues in tinc 2.0.
|
||||
his opinion. We do not know of a way to exploit these weaknesses, but these
|
||||
issues are being addressed in the tinc 1.1 branch.
|
||||
|
||||
Cryptography is a hard thing to get right. We cannot make any
|
||||
guarantees. Time, review and feedback are the only things that can
|
||||
|
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
|
|||
Compatibility
|
||||
-------------
|
||||
|
||||
Version 1.0.19 is compatible with 1.0pre8, 1.0 and later, but not with older
|
||||
Version 1.0.21 is compatible with 1.0pre8, 1.0 and later, but not with older
|
||||
versions of tinc.
|
||||
|
||||
|
||||
|
|
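--- a/README.android
+++ b/README.android
@@ -0,0 +1,20 @@
+Quick how-o cross compile tinc for android (done from $HOME/android/):
+
+- Download android NDK and setup local ARM toolchain:
+wget http://dl.google.com/android/ndk/android-ndk-r8b-linux-x86.tar.bz2
+tar xfj android-ndk-r8b-linux-x86.tar.bz2
+./android-ndk-r8b/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
+
+- Download and cross-compile openSSL for ARM:
+wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
+tar xfz openssl-1.0.1c.tar.gz
+cd openssl-1.0.1c
+./Configure dist
+make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
+
+- Clone and cross-compile tinc:
+git clone git://tinc-vpn.org/tinc
+cd tinc
+autoreconf -fsi
+CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1c --with-openssl-include=$HOME/android/openssl-1.0.1c/include/
+make -j5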
7
THANKS
7
THANKS
|
@ -7,6 +7,7 @@ We would like to thank the following people for their contributions to tinc:
|
|||
* Armijn Hemel
|
||||
* Brandon Black
|
||||
* Cris van Pelt
|
||||
* Darius Jahandarie
|
||||
* Delf Eldkraft
|
||||
* dnk
|
||||
* Enrique Zanardi
|
||||
|
@ -17,6 +18,7 @@ We would like to thank the following people for their contributions to tinc:
|
|||
* James MacLean
|
||||
* Jamie Briggs
|
||||
* Jason Harper
|
||||
* Jelle de Jong
|
||||
* Jeroen Ubbink
|
||||
* Jerome Etienne
|
||||
* Julien Muchembled
|
||||
|
@ -27,14 +29,18 @@ We would like to thank the following people for their contributions to tinc:
|
|||
* Mark Glines
|
||||
* Markus Goetz
|
||||
* Martin Kihlgren
|
||||
* Martin Schobert
|
||||
* Martin Schürrer
|
||||
* Matias Carrasco
|
||||
* Max Rijevski
|
||||
* Menno Smits
|
||||
* Mesar Hameed
|
||||
* Michael Tokarev
|
||||
* Miles Nordin
|
||||
* Nick Hibma
|
||||
* Nick Patavalis
|
||||
* Paul Littlefield
|
||||
* Philipp Babel
|
||||
* Robert van der Meulen
|
||||
* Rumko
|
||||
* Scott Lamb
|
||||
|
@ -42,6 +48,7 @@ We would like to thank the following people for their contributions to tinc:
|
|||
* Teemu Kiviniemi
|
||||
* Timothy Redaelli
|
||||
* Tonnerre Lombard
|
||||
* Vil Brekin
|
||||
* Wessel Dankers
|
||||
* Wouter van Heyst
|
||||
|
||||
|
|
6
aclocal.m4
vendored
6
aclocal.m4
vendored
|
@ -1,4 +1,4 @@
|
|||
# generated automatically by aclocal 1.11.5 -*- Autoconf -*-
|
||||
# generated automatically by aclocal 1.11.6 -*- Autoconf -*-
|
||||
|
||||
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
|
||||
# 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
|
||||
|
@ -38,7 +38,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
|
|||
[am__api_version='1.11'
|
||||
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
|
||||
dnl require some minimum version. Point them to the right macro.
|
||||
m4_if([$1], [1.11.5], [],
|
||||
m4_if([$1], [1.11.6], [],
|
||||
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
|
||||
])
|
||||
|
||||
|
@ -54,7 +54,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
|
|||
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
|
||||
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
|
||||
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
|
||||
[AM_AUTOMAKE_VERSION([1.11.5])dnl
|
||||
[AM_AUTOMAKE_VERSION([1.11.6])dnl
|
||||
m4_ifndef([AC_AUTOCONF_VERSION],
|
||||
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
|
||||
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
|
||||
|
|
8
configure
vendored
8
configure
vendored
|
@ -1376,9 +1376,9 @@ Optional Features:
|
|||
(and sometimes confusing) to the casual installer
|
||||
--disable-dependency-tracking speeds up one-time build
|
||||
--enable-dependency-tracking do not reject slow dependency extractors
|
||||
--disable-uml enable support for User Mode Linux
|
||||
--disable-vde enable support for Virtual Distributed Ethernet
|
||||
--disable-tunemu enable support for the tunemu driver
|
||||
--enable-uml enable support for User Mode Linux
|
||||
--enable-vde enable support for Virtual Distributed Ethernet
|
||||
--enable-tunemu enable support for the tunemu driver
|
||||
--disable-zlib disable zlib compression support
|
||||
--disable-lzo disable lzo compression support
|
||||
--disable-jumbograms enable support for jumbograms (packets up to 9000
|
||||
|
@ -2758,7 +2758,7 @@ fi
|
|||
|
||||
# Define the identity of the package.
|
||||
PACKAGE=tinc
|
||||
VERSION=1.0.19
|
||||
VERSION=1.0.21
|
||||
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
|
|
|
@ -3,7 +3,7 @@ dnl Process this file with autoconf to produce a configure script.
|
|||
AC_PREREQ(2.61)
|
||||
AC_INIT
|
||||
AC_CONFIG_SRCDIR([src/tincd.c])
|
||||
AM_INIT_AUTOMAKE(tinc, 1.0.19)
|
||||
AM_INIT_AUTOMAKE(tinc, 1.0.21)
|
||||
AC_CONFIG_HEADERS([config.h])
|
||||
AM_MAINTAINER_MODE
|
||||
|
||||
|
@ -73,7 +73,7 @@ case $host_os in
|
|||
esac
|
||||
|
||||
AC_ARG_ENABLE(uml,
|
||||
AS_HELP_STRING([--disable-uml], [enable support for User Mode Linux]),
|
||||
AS_HELP_STRING([--enable-uml], [enable support for User Mode Linux]),
|
||||
[ AS_IF([test "x$enable_uml" = "xyes"],
|
||||
[ AC_DEFINE(ENABLE_UML, 1, [Support for UML])
|
||||
uml=true
|
||||
|
@ -84,7 +84,7 @@ AC_ARG_ENABLE(uml,
|
|||
)
|
||||
|
||||
AC_ARG_ENABLE(vde,
|
||||
AS_HELP_STRING([--disable-vde], [enable support for Virtual Distributed Ethernet]),
|
||||
AS_HELP_STRING([--enable-vde], [enable support for Virtual Distributed Ethernet]),
|
||||
[ AS_IF([test "x$enable_vde" = "xyes"],
|
||||
[ AC_CHECK_HEADERS(libvdeplug_dyn.h, [], [AC_MSG_ERROR([VDE plug header files not found.]); break])
|
||||
AC_DEFINE(ENABLE_VDE, 1, [Support for VDE])
|
||||
|
@ -96,7 +96,7 @@ AC_ARG_ENABLE(vde,
|
|||
)
|
||||
|
||||
AC_ARG_ENABLE(tunemu,
|
||||
AS_HELP_STRING([--disable-tunemu], [enable support for the tunemu driver]),
|
||||
AS_HELP_STRING([--enable-tunemu], [enable support for the tunemu driver]),
|
||||
[ AS_IF([test "x$enable_tunemu" = "xyes"],
|
||||
[ AC_DEFINE(ENABLE_TUNEMU, 1, [Support for tunemu])
|
||||
tunemu=true
|
||||
|
|
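Review bot: The AS_HELP_STRING corrections for uml, vde and tunemu leave the same `--disable-X` / "enable support" mismatch in place for jumbograms: the generated configure elsewhere in this commit still prints `--disable-jumbograms enable support for jumbograms (packets up to 9000`, so the corresponding AS_HELP_STRING in configure.in presumably still reads `[--disable-jumbograms]` and should become `[--enable-jumbograms]` in the same pass (assuming it follows the same `"x$enable_..." = "xyes"` pattern; I cannot see that block from here). The new wording is consistent with the visible AC_ARG_ENABLE bodies, which only AC_DEFINE the feature when the test against `xyes` succeeds, i.e. the features are off unless explicitly enabled. Each AC_ARG_ENABLE block continues outside its hunk.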
7
debian/changelog
vendored
7
debian/changelog
vendored
|
@ -1,3 +1,10 @@
|
|||
tinc (1.0.21-1) unstable; urgency=low
|
||||
|
||||
* New upstream release.
|
||||
- Includes fix for CVE-2013-1428.
|
||||
|
||||
-- Guus Sliepen <guus@debian.org> Sun, 05 May 2013 10:42:33 +0200
|
||||
|
||||
tinc (1.0.19-3) unstable; urgency=high
|
||||
|
||||
* Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
|
||||
|
|
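--- a/debian/patches/fix-CVE-2013-1428
+++ b/debian/patches/fix-CVE-2013-1428
@@ -1,29 +0,0 @@
-From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
-From: Guus Sliepen <guus@tinc-vpn.org>
-Date: Fri, 12 Apr 2013 17:15:05 +0200
-Subject: [PATCH] Drop packets forwarded via TCP if they are too big
-(CVE-2013-1428).
-
-Normally all requests sent via the meta connections are checked so that they
-cannot be larger than the input buffer. However, when packets are forwarded via
-meta connections, they are copied into a packet buffer without checking whether
-it fits into it. Since the packet buffer is allocated on the stack, this in
-effect allows an authenticated remote node to cause a stack overflow.
-
-This issue was found by Martin Schobert.
----
-src/net_packet.c | 3 +++
-1 file changed, 3 insertions(+)
-
---- a/src/net_packet.c
-+++ b/src/net_packet.c
-@@ -378,6 +378,9 @@
-void receive_tcppacket(connection_t *c, const char *buffer, int len) {
-vpn_packet_t outpkt;
-
-+ if(len > sizeof outpkt.data)
-+ return;
-+
-outpkt.len = len;
-if(c->options & OPTION_TCPONLY)
-outpkt.priority = 0;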
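--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +0,0 @@
-fix-CVE-2013-1428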
|
@ -1,4 +1,4 @@
|
|||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||
|
|
|
@ -3,23 +3,19 @@
|
|||
.\" Manual page created by:
|
||||
.\" Ivo Timmermans
|
||||
.\" Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
.Sh NAME
|
||||
.Nm tinc.conf
|
||||
.Nd tinc daemon configuration
|
||||
|
||||
.Sh DESCRIPTION
|
||||
The files in the
|
||||
.Pa @sysconfdir@/tinc/
|
||||
directory contain runtime and security information for the tinc daemon.
|
||||
|
||||
.Sh NETWORKS
|
||||
It is perfectly ok for you to run more than one tinc daemon.
|
||||
However, in its default form,
|
||||
you will soon notice that you can't use two different configuration files without the
|
||||
.Fl c
|
||||
option.
|
||||
|
||||
.Pp
|
||||
We have thought of another way of dealing with this: network names.
|
||||
This means that you call
|
||||
|
@ -27,7 +23,6 @@ This means that you call
|
|||
with the
|
||||
.Fl n
|
||||
option, which will assign a name to this daemon.
|
||||
|
||||
.Pp
|
||||
The effect of this is that the daemon will set its configuration root to
|
||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ,
|
||||
|
@ -38,7 +33,6 @@ is your argument to the
|
|||
option.
|
||||
You'll notice that messages appear in syslog as coming from
|
||||
.Nm tincd. Ns Ar NETNAME .
|
||||
|
||||
.Pp
|
||||
However, it is not strictly necessary that you call tinc with the
|
||||
.Fl n
|
||||
|
@ -54,25 +48,21 @@ the configuration file should be
|
|||
.Pa @sysconfdir@/tinc/tinc.conf ,
|
||||
and the host configuration files are now expected to be in
|
||||
.Pa @sysconfdir@/tinc/hosts/ .
|
||||
|
||||
.Pp
|
||||
But it is highly recommended that you use this feature of
|
||||
.Nm tinc ,
|
||||
because it will be so much clearer whom your daemon talks to.
|
||||
Hence, we will assume that you use it.
|
||||
|
||||
.Sh NAMES
|
||||
Each tinc daemon should have a name that is unique in the network which it will be part of.
|
||||
The name will be used by other tinc daemons for identification.
|
||||
The name has to be declared in the
|
||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
|
||||
file.
|
||||
|
||||
.Pp
|
||||
To make things easy,
|
||||
choose something that will give unique and easy to remember names to your tinc daemon(s).
|
||||
You could try things like hostnames, owner surnames or location names.
|
||||
|
||||
.Sh PUBLIC/PRIVATE KEYS
|
||||
You should use
|
||||
.Ic tincd -K
|
||||
|
@ -91,17 +81,14 @@ The public key should be stored in the host configuration file
|
|||
.Va NAME
|
||||
stands for the name of the local tinc daemon (see
|
||||
.Sx NAMES ) .
|
||||
|
||||
.Sh SERVER CONFIGURATION
|
||||
The server configuration of the daemon is done in the file
|
||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .
|
||||
This file consists of comments (lines started with a
|
||||
.Li # )
|
||||
or assignments in the form of:
|
||||
|
||||
.Pp
|
||||
.Va Variable Li = Ar Value .
|
||||
|
||||
.Pp
|
||||
The variable names are case insensitive, and any spaces, tabs,
|
||||
newlines and carriage returns are ignored.
|
||||
|
@ -109,26 +96,22 @@ Note: it is not required that you put in the
|
|||
.Li =
|
||||
sign, but doing so improves readability.
|
||||
If you leave it out, remember to replace it with at least one space character.
|
||||
|
||||
.Pp
|
||||
The server configuration is complemented with host specific configuration (see the next section).
|
||||
Although all configuration options for the local host listed in this document can also be put in
|
||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf ,
|
||||
it is recommended to put host specific configuration options in the host configuration file,
|
||||
as this makes it easy to exchange with other nodes.
|
||||
|
||||
.Pp
|
||||
Here are all valid variables, listed in alphabetical order.
|
||||
The default value is given between parentheses.
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It Va AddressFamily Li = ipv4 | ipv6 | any Pq any
|
||||
This option affects the address family of listening and outgoing sockets.
|
||||
If
|
||||
.Qq any
|
||||
is selected, then depending on the operating system both IPv4 and IPv6 or just
|
||||
IPv6 listening sockets will be created.
|
||||
|
||||
.It Va BindToAddress Li = Ar address Oo Ar port Oc Bq experimental
|
||||
If your computer has more than one IPv4 or IPv6 address,
|
||||
.Nm tinc
|
||||
|
@ -149,36 +132,31 @@ for the
|
|||
.Ar address .
|
||||
.Pp
|
||||
This option may not work on all platforms.
|
||||
|
||||
.It Va BindToInterface Li = Ar interface Bq experimental
|
||||
If your computer has more than one network interface,
|
||||
.Nm tinc
|
||||
will by default listen on all of them for incoming connections.
|
||||
It is possible to bind only to a single interface with this variable.
|
||||
|
||||
.Pp
|
||||
This option may not work on all platforms.
|
||||
|
||||
Also, on some platforms it will not actually bind to an interface,
|
||||
but rather to the address that the interface has at the moment a socket is created.
|
||||
.It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental
|
||||
This option selects the way broadcast packets are sent to other daemons.
|
||||
NOTE: all nodes in a VPN must use the same
|
||||
.Va Broadcast
|
||||
mode, otherwise routing loops can form.
|
||||
|
||||
.Bl -tag -width indent
|
||||
.It no
|
||||
Broadcast packets are never sent to other nodes.
|
||||
|
||||
.It mst
|
||||
Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.
|
||||
This ensures broadcast packets reach all nodes.
|
||||
|
||||
.It direct
|
||||
Broadcast packets are sent directly to all nodes that can be reached directly.
|
||||
Broadcast packets received from other nodes are never forwarded.
|
||||
If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
|
||||
.El
|
||||
|
||||
.It Va ConnectTo Li = Ar name
|
||||
Specifies which other tinc daemon to connect to on startup.
|
||||
Multiple
|
||||
|
@ -189,14 +167,12 @@ The names should be known to this tinc daemon
|
|||
(i.e., there should be a host configuration file for the name on the
|
||||
.Va ConnectTo
|
||||
line).
|
||||
|
||||
.Pp
|
||||
If you don't specify a host with
|
||||
.Va ConnectTo ,
|
||||
.Nm tinc
|
||||
won't try to connect to other daemons at all,
|
||||
and will instead just listen for incoming connections.
|
||||
|
||||
.It Va DecrementTTL Li = yes | no Po no Pc Bq experimental
|
||||
When enabled,
|
||||
.Nm tinc
|
||||
|
@ -206,7 +182,6 @@ and will drop packets that have a TTL value of zero,
|
|||
in which case it will send an ICMP Time Exceeded packet back.
|
||||
.Pp
|
||||
Do not use this option if you use switch mode and want to use IPv6.
|
||||
|
||||
.It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc
|
||||
The virtual network device to use.
|
||||
.Nm tinc
|
||||
|
@ -218,18 +193,15 @@ instead of
|
|||
.Va Device .
|
||||
The info pages of the tinc package contain more information
|
||||
about configuring the virtual network device.
|
||||
|
||||
.It Va DeviceType Li = Ar type Pq platform dependent
|
||||
The type of the virtual network device.
|
||||
Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used.
|
||||
However, this option can be used to select one of the special interface types, if support for them is compiled in.
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It dummy
|
||||
Use a dummy interface.
|
||||
No packets are ever read or written to a virtual network device.
|
||||
Useful for testing, or when setting up a node that only forwards packets for other nodes.
|
||||
|
||||
.It raw_socket
|
||||
Open a raw socket, and bind it to a pre-existing
|
||||
.Va Interface
|
||||
|
@ -237,7 +209,6 @@ Open a raw socket, and bind it to a pre-existing
|
|||
All packets are read from this interface.
|
||||
Packets received for the local node are written to the raw socket.
|
||||
However, at least on Linux, the operating system does not process IP packets destined for the local host.
|
||||
|
||||
.It multicast
|
||||
Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using
|
||||
.Va Device .
|
||||
|
@ -247,7 +218,6 @@ Do NOT connect multiple
|
|||
.Nm tinc
|
||||
daemons to the same multicast address, this will very likely cause routing loops.
|
||||
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
|
||||
|
||||
.It uml Pq not compiled in by default
|
||||
Create a UNIX socket with the filename specified by
|
||||
.Va Device ,
|
||||
|
@ -256,7 +226,6 @@ or
|
|||
if not specified.
|
||||
.Nm tinc
|
||||
will wait for a User Mode Linux instance to connect to this socket.
|
||||
|
||||
.It vde Pq not compiled in by default
|
||||
Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
|
||||
using the UNIX socket specified by
|
||||
|
@ -265,60 +234,47 @@ or
|
|||
.Pa @localstatedir@/run/vde.ctl
|
||||
if not specified.
|
||||
.El
|
||||
|
||||
Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
|
||||
it can be used to change the way packets are interpreted:
|
||||
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It tun Pq BSD and Linux
|
||||
Set type to tun.
|
||||
Depending on the platform, this can either be with or without an address family header (see below).
|
||||
|
||||
.It tunnohead Pq BSD
|
||||
Set type to tun without an address family header.
|
||||
Tinc will expect packets read from the virtual network device to start with an IP header.
|
||||
On some platforms IPv6 packets cannot be read from or written to the device in this mode.
|
||||
|
||||
.It tunifhead Pq BSD
|
||||
Set type to tun with an address family header.
|
||||
Tinc will expect packets read from the virtual network device
|
||||
to start with a four byte header containing the address family,
|
||||
followed by an IP header.
|
||||
This mode should support both IPv4 and IPv6 packets.
|
||||
|
||||
.It tap Pq BSD and Linux
|
||||
Set type to tap.
|
||||
Tinc will expect packets read from the virtual network device
|
||||
to start with an Ethernet header.
|
||||
.El
|
||||
|
||||
.It Va DirectOnly Li = yes | no Po no Pc Bq experimental
|
||||
When this option is enabled, packets that cannot be sent directly to the destination node,
|
||||
but which would have to be forwarded by an intermediate node, are dropped instead.
|
||||
When combined with the IndirectData option,
|
||||
packets for nodes for which we do not have a meta connection with are also dropped.
|
||||
|
||||
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
|
||||
This option selects the way indirect packets are forwarded.
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It off
|
||||
Incoming packets that are not meant for the local node,
|
||||
but which should be forwarded to another node, are dropped.
|
||||
|
||||
.It internal
|
||||
Incoming packets that are meant for another node are forwarded by tinc internally.
|
||||
|
||||
.Pp
|
||||
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
|
||||
|
||||
.It kernel
|
||||
Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
|
||||
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
|
||||
and can also help debugging.
|
||||
.El
|
||||
|
||||
.It Va GraphDumpFile Li = Ar filename Bq experimental
|
||||
If this option is present,
|
||||
.Nm tinc
|
||||
|
@ -331,20 +287,16 @@ If
|
|||
starts with a pipe symbol |,
|
||||
then the rest of the filename is interpreted as a shell command
|
||||
that is executed, the graph is then sent to stdin.
|
||||
|
||||
.It Va Hostnames Li = yes | no Pq no
|
||||
This option selects whether IP addresses (both real and on the VPN) should
|
||||
be resolved. Since DNS lookups are blocking, it might affect tinc's
|
||||
efficiency, even stopping the daemon for a few seconds every time it does
|
||||
a lookup if your DNS server is not responding.
|
||||
|
||||
.Pp
|
||||
This does not affect resolving hostnames to IP addresses from the
|
||||
host configuration files.
|
||||
|
||||
host configuration files, but whether hostnames should be resolved while logging.
|
||||
.It Va IffOneQueue Li = yes | no Po no Pc Bq experimental
|
||||
(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
|
||||
|
||||
.It Va Interface Li = Ar interface
|
||||
Defines the name of the interface corresponding to the virtual network device.
|
||||
Depending on the operating system and the type of device this may or may not actually set the name of the interface.
|
||||
|
@ -352,12 +304,10 @@ Under Windows, this variable is used to select which network interface will be u
|
|||
If you specified a
|
||||
.Va Device ,
|
||||
this variable is almost always already correctly set.
|
||||
|
||||
.It Va KeyExpire Li = Ar seconds Pq 3600
|
||||
This option controls the period the encryption keys used to encrypt the data are valid.
|
||||
It is common practice to change keys at regular intervals to make it even harder for crackers,
|
||||
even though it is thought to be nearly impossible to crack a single key.
|
||||
|
||||
.It Va LocalDiscovery Li = yes | no Po no Pc Bq experimental
|
||||
When enabled,
|
||||
.Nm tinc
|
||||
|
@ -365,54 +315,43 @@ will try to detect peers that are on the same local network.
|
|||
This will allow direct communication using LAN addresses, even if both peers are behind a NAT
|
||||
and they only ConnectTo a third node outside the NAT,
|
||||
which normally would prevent the peers from learning each other's LAN address.
|
||||
|
||||
.Pp
|
||||
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
|
||||
This feature may not work in all possible situations.
|
||||
|
||||
.It Va MACExpire Li = Ar seconds Pq 600
|
||||
This option controls the amount of time MAC addresses are kept before they are removed.
|
||||
This only has effect when
|
||||
.Va Mode
|
||||
is set to
|
||||
.Qq switch .
|
||||
|
||||
.It Va MaxTimeout Li = Ar seconds Pq 900
|
||||
This is the maximum delay before trying to reconnect to other tinc daemons.
|
||||
|
||||
.It Va Mode Li = router | switch | hub Pq router
|
||||
This option selects the way packets are routed to other daemons.
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It router
|
||||
In this mode
|
||||
.Va Subnet
|
||||
variables in the host configuration files will be used to form a routing table.
|
||||
Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.
|
||||
|
||||
.Pp
|
||||
This is the default mode, and unless you really know you need another mode, don't change it.
|
||||
|
||||
.It switch
|
||||
In this mode the MAC addresses of the packets on the VPN will be used to
|
||||
dynamically create a routing table just like an Ethernet switch does.
|
||||
Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
|
||||
at the cost of frequent broadcast ARP requests and routing table updates.
|
||||
|
||||
.Pp
|
||||
This mode is primarily useful if you want to bridge Ethernet segments.
|
||||
|
||||
.It hub
|
||||
This mode is almost the same as the switch mode, but instead
|
||||
every packet will be broadcast to the other daemons
|
||||
while no routing table is managed.
|
||||
.El
|
||||
|
||||
.It Va Name Li = Ar name Bq required
|
||||
This is the name which identifies this tinc daemon.
|
||||
It must be unique for the virtual private network this daemon will connect to.
|
||||
The Name may only consist of alphanumeric and underscore characters.
|
||||
|
||||
If
|
||||
.Va Name
|
||||
starts with a
|
||||
|
@ -424,38 +363,26 @@ If
|
|||
is
|
||||
.Li $HOST ,
|
||||
but no such environment variable exist, the hostname will be read using the gethostnname() system call.
|
||||
|
||||
.It Va PingInterval Li = Ar seconds Pq 60
|
||||
The number of seconds of inactivity that
|
||||
.Nm tinc
|
||||
will wait before sending a probe to the other end.
|
||||
|
||||
.It Va PingTimeout Li = Ar seconds Pq 5
|
||||
The number of seconds to wait for a response to pings or to allow meta
|
||||
connections to block. If the other end doesn't respond within this time,
|
||||
the connection is terminated,
|
||||
and the others will be notified of this.
|
||||
|
||||
.It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental
|
||||
When this option is enabled the value of the TOS field of tunneled IPv4 packets
|
||||
will be inherited by the UDP packets that are sent out.
|
||||
|
||||
.It Va PrivateKey Li = Ar key Bq obsolete
|
||||
The private RSA key of this tinc daemon.
|
||||
It will allow this tinc daemon to authenticate itself to other daemons.
|
||||
|
||||
.It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc
|
||||
The file in which the private RSA key of this tinc daemon resides.
|
||||
Note that there must be exactly one of
|
||||
.Va PrivateKey
|
||||
or
|
||||
.Va PrivateKeyFile
|
||||
specified in the configuration file.
|
||||
|
||||
.It Va ProcessPriority Li = low | normal | high
|
||||
When this option is used the priority of the tincd process will be adjusted.
|
||||
Increasing the priority may help to reduce latency and packet loss on the VPN.
|
||||
|
||||
.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
|
||||
Use a proxy when making outgoing connections.
|
||||
The following proxy types are currently supported:
|
||||
|
@ -488,7 +415,6 @@ and
|
|||
.Ev REMOTEPORT
|
||||
are available.
|
||||
.El
|
||||
|
||||
.It Va ReplayWindow Li = Ar bytes Pq 16
|
||||
vhis is the size of the replay tracking window for each remote node, in bytes.
|
||||
The window is a bitfield which tracks 1 packet per bit, so for example
|
||||
|
@ -498,35 +424,29 @@ the interaction of replay tracking with underlying real packet loss and/or
|
|||
reordering. Setting this to zero will disable replay tracking completely and
|
||||
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
|
||||
traffic.
|
||||
|
||||
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
|
||||
When this option is enabled tinc will only use Subnet statements which are
|
||||
present in the host config files in the local
|
||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
||||
directory.
|
||||
|
||||
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
|
||||
When this option is enabled tinc will no longer forward information between other tinc daemons,
|
||||
and will only allow connections with nodes for which host config files are present in the local
|
||||
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
||||
directory.
|
||||
Setting this options also implicitly sets StrictSubnets.
|
||||
|
||||
.It Va UDPRcvBuf Li = Ar bytes Pq OS default
|
||||
Sets the socket receive buffer size for the UDP socket, in bytes.
|
||||
If unset, the default buffer size will be used by the operating system.
|
||||
|
||||
.It Va UDPSndBuf Li = Ar bytes Pq OS default
|
||||
Sets the socket send buffer size for the UDP socket, in bytes.
|
||||
If unset, the default buffer size will be used by the operating system.
|
||||
.El
|
||||
|
||||
.Sh HOST CONFIGURATION FILES
|
||||
The host configuration files contain all information needed
|
||||
to establish a connection to those hosts.
|
||||
A host configuration file is also required for the local tinc daemon,
|
||||
it will use it to read in it's listen port, public key and subnets.
|
||||
|
||||
.Pp
|
||||
The idea is that these files are portable.
|
||||
You can safely mail your own host configuration file to someone else.
|
||||
|
@ -535,7 +455,6 @@ and now his tinc daemon will be able to connect to your tinc daemon.
|
|||
Since host configuration files only contain public keys,
|
||||
no secrets are revealed by sending out this information.
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It Va Address Li = Ar address Oo Ar port Oc Bq recommended
|
||||
The IP address or hostname of this tinc daemon on the real network.
|
||||
This will only be used when trying to make an outgoing connection to this tinc daemon.
|
||||
|
@ -544,7 +463,6 @@ Multiple
|
|||
.Va Address
|
||||
variables can be specified, in which case each address will be tried until a working
|
||||
connection has been established.
|
||||
|
||||
.It Va Cipher Li = Ar cipher Pq blowfish
|
||||
The symmetric cipher algorithm used to encrypt UDP packets.
|
||||
Any cipher supported by OpenSSL is recognised.
|
||||
|
@ -552,24 +470,20 @@ Furthermore, specifying
|
|||
.Qq none
|
||||
will turn off packet encryption.
|
||||
It is best to use only those ciphers which support CBC mode.
|
||||
|
||||
.It Va ClampMSS Li = yes | no Pq yes
|
||||
This option specifies whether tinc should clamp the maximum segment size (MSS)
|
||||
of TCP packets to the path MTU. This helps in situations where ICMP
|
||||
Fragmentation Needed or Packet too Big messages are dropped by firewalls.
|
||||
|
||||
.It Va Compression Li = Ar level Pq 0
|
||||
This option sets the level of compression used for UDP packets.
|
||||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
||||
10 (fast lzo) and 11 (best lzo).
|
||||
|
||||
.It Va Digest Li = Ar digest Pq sha1
|
||||
The digest algorithm used to authenticate UDP packets.
|
||||
Any digest supported by OpenSSL is recognised.
|
||||
Furthermore, specifying
|
||||
.Qq none
|
||||
will turn off packet authentication.
|
||||
|
||||
.It Va IndirectData Li = yes | no Pq no
|
||||
This option specifies whether other tinc daemons besides the one you specified with
|
||||
.Va ConnectTo
|
||||
|
@ -577,33 +491,26 @@ can make a direct connection to you.
|
|||
This is especially useful if you are behind a firewall
|
||||
and it is impossible to make a connection from the outside to your tinc daemon.
|
||||
Otherwise, it is best to leave this option out or set it to no.
|
||||
|
||||
.It Va MACLength Li = Ar length Pq 4
|
||||
The length of the message authentication code used to authenticate UDP packets.
|
||||
Can be anything from
|
||||
.Qq 0
|
||||
up to the length of the digest produced by the digest algorithm.
|
||||
|
||||
.It Va PMTU Li = Ar mtu Po 1514 Pc
|
||||
This option controls the initial path MTU to this node.
|
||||
|
||||
.It Va PMTUDiscovery Li = yes | no Po yes Pc
|
||||
When this option is enabled, tinc will try to discover the path MTU to this node.
|
||||
After the path MTU has been discovered, it will be enforced on the VPN.
|
||||
|
||||
.It Va Port Li = Ar port Pq 655
|
||||
The port number on which this tinc daemon is listening for incoming connections,
|
||||
which is used if no port number is specified in an
|
||||
.Va Address
|
||||
statement.
|
||||
|
||||
.It Va PublicKey Li = Ar key Bq obsolete
|
||||
The public RSA key of this tinc daemon.
|
||||
It will be used to cryptographically verify it's identity and to set up a secure connection.
|
||||
|
||||
.It Va PublicKeyFile Li = Ar filename Bq obsolete
|
||||
The file in which the public RSA key of this tinc daemon resides.
|
||||
|
||||
.Pp
|
||||
From version 1.0pre4 on
|
||||
.Nm tinc
|
||||
|
@ -612,7 +519,6 @@ the above two options then are not necessary.
|
|||
Either the PEM format is used, or exactly one of the above two options must be specified
|
||||
in each host configuration file,
|
||||
if you want to be able to establish a connection with that host.
|
||||
|
||||
.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight
|
||||
The subnet which this tinc daemon will serve.
|
||||
.Nm tinc
|
||||
|
@ -622,7 +528,6 @@ it will be sent to the daemon who has this subnet in his host configuration file
|
|||
Multiple
|
||||
.Va Subnet
|
||||
variables can be specified.
|
||||
|
||||
.Pp
|
||||
Subnets can either be single MAC, IPv4 or IPv6 addresses,
|
||||
in which case a subnet consisting of only that single address is assumed,
|
||||
|
@ -633,14 +538,12 @@ Note that subnets like 192.168.1.1/24 are invalid!
|
|||
Read a networking HOWTO/FAQ/guide if you don't understand this.
|
||||
IPv6 subnets are notated like fec0:0:0:1::/64.
|
||||
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
|
||||
|
||||
.Pp
|
||||
A Subnet can be given a weight to indicate its priority over identical Subnets
|
||||
owned by different nodes. The default weight is 10. Lower values indicate
|
||||
higher priority. Packets will be sent to the node with the highest priority,
|
||||
unless that node is not reachable, in which case the node with the next highest
|
||||
priority will be tried, and so on.
|
||||
|
||||
.It Va TCPOnly Li = yes | no Pq no Bq obsolete
|
||||
If this variable is set to yes,
|
||||
then the packets are tunnelled over the TCP connection instead of a UDP connection.
|
||||
|
@ -648,53 +551,42 @@ This is especially useful for those who want to run a tinc daemon
|
|||
from behind a masquerading firewall,
|
||||
or if UDP packet routing is disabled somehow.
|
||||
Setting this options also implicitly sets IndirectData.
|
||||
|
||||
.Pp
|
||||
Since version 1.0.10, tinc will automatically detect whether communication via
|
||||
UDP is possible or not.
|
||||
.El
|
||||
|
||||
.Sh SCRIPTS
|
||||
Apart from reading the server and host configuration files,
|
||||
tinc can also run scripts at certain moments.
|
||||
Under Windows (not Cygwin), the scripts should have the extension
|
||||
.Pa .bat .
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
|
||||
This is the most important script.
|
||||
If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device.
|
||||
It should be used to set up the corresponding network interface,
|
||||
but can also be used to start other things.
|
||||
Under Windows you can use the Network Connections control panel instead of creating this script.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
|
||||
This script is started right before the tinc daemon quits.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up
|
||||
This script is started when the tinc daemon with name
|
||||
.Ar HOST
|
||||
becomes reachable.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -down
|
||||
This script is started when the tinc daemon with name
|
||||
.Ar HOST
|
||||
becomes unreachable.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-up
|
||||
This script is started when any host becomes reachable.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-down
|
||||
This script is started when any host becomes unreachable.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-up
|
||||
This script is started when a Subnet becomes reachable.
|
||||
The Subnet and the node it belongs to are passed in environment variables.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down
|
||||
This script is started when a Subnet becomes unreachable.
|
||||
.El
|
||||
|
||||
.Pp
|
||||
The scripts are started without command line arguments, but can make use of certain environment variables.
|
||||
Under UNIX like operating systems the names of environment variables must be preceded by a
|
||||
|
@ -706,68 +598,54 @@ files, they have to be put between
|
|||
.Li %
|
||||
signs.
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It Ev NETNAME
|
||||
If a netname was specified, this environment variable contains it.
|
||||
|
||||
.It Ev NAME
|
||||
Contains the name of this tinc daemon.
|
||||
|
||||
.It Ev DEVICE
|
||||
Contains the name of the virtual network device that tinc uses.
|
||||
|
||||
.It Ev INTERFACE
|
||||
Contains the name of the virtual network interface that tinc uses.
|
||||
This should be used for commands like
|
||||
.Pa ifconfig .
|
||||
|
||||
.It Ev NODE
|
||||
When a host becomes (un)reachable, this is set to its name.
|
||||
If a subnet becomes (un)reachable, this is set to the owner of that subnet.
|
||||
|
||||
.It Ev REMOTEADDRESS
|
||||
When a host becomes (un)reachable, this is set to its real address.
|
||||
|
||||
.It Ev REMOTEPORT
|
||||
When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons.
|
||||
|
||||
.It Ev SUBNET
|
||||
When a subnet becomes (un)reachable, this is set to the subnet.
|
||||
|
||||
.It Ev WEIGHT
|
||||
When a subnet becomes (un)reachable, this is set to the subnet weight.
|
||||
.El
|
||||
|
||||
.Pp
|
||||
Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command
|
||||
.Nm chmod Li a+x Pa script .
|
||||
.Sh FILES
|
||||
The most important files are:
|
||||
.Bl -tag -width indent
|
||||
|
||||
.It Pa @sysconfdir@/tinc/
|
||||
The top directory for configuration files.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
|
||||
The default name of the server configuration file for net
|
||||
.Ar NETNAME .
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
|
||||
Host configuration files are kept in this directory.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
|
||||
If an executable file with this name exists,
|
||||
it will be executed right after the tinc daemon has connected to the virtual network device.
|
||||
It can be used to set up the corresponding network interface.
|
||||
|
||||
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
|
||||
If an executable file with this name exists,
|
||||
it will be executed right before the tinc daemon is going to close
|
||||
its connection to the virtual network device.
|
||||
.El
|
||||
|
||||
.Sh SEE ALSO
|
||||
.Xr tincd 8 ,
|
||||
.Pa http://www.tinc-vpn.org/ ,
|
||||
.Pa http://www.linuxdoc.org/LDP/nag2/ .
|
||||
|
||||
.Pa http://www.tldp.org/LDP/nag2/ .
|
||||
.Pp
|
||||
The full documentation for
|
||||
.Nm tinc
|
||||
|
@ -775,7 +653,6 @@ is maintained as a Texinfo manual.
|
|||
If the info and tinc programs are properly installed at your site, the command
|
||||
.Ic info tinc
|
||||
should give you access to the complete manual.
|
||||
|
||||
.Pp
|
||||
.Nm tinc
|
||||
comes with ABSOLUTELY NO WARRANTY.
|
||||
212
doc/tinc.info
212
doc/tinc.info
@ -8,7 +8,7 @@ END-INFO-DIR-ENTRY
|
|||
This is the info manual for tinc version 1.0.19, a Virtual Private
|
||||
Network daemon.
|
||||
|
||||
Copyright (C) 1998-2012 Ivo Timmermans, Guus Sliepen
|
||||
Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen
|
||||
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
|
||||
|
||||
Permission is granted to make and distribute verbatim copies of this
|
||||
|
@ -147,7 +147,7 @@ will most likely compile and run, but it will not be able to send or
|
|||
receive data packets.
|
||||
|
||||
For an up to date list of supported platforms, please check the list
|
||||
on our website: `http://www.tinc-vpn.org/platforms'.
|
||||
on our website: `http://www.tinc-vpn.org/platforms/'.
|
||||
|
||||
|
||||
File: tinc.info, Node: Preparations, Next: Installation, Prev: Introduction, Up: Top
|
||||
|
@ -209,7 +209,9 @@ File: tinc.info, Node: Configuration of FreeBSD kernels, Next: Configuration o
|
|||
--------------------------------------
|
||||
|
||||
For FreeBSD version 4.1 and higher, tun and tap drivers are included in
|
||||
the default kernel configuration. Using tap devices is recommended.
|
||||
the default kernel configuration. The tap driver can be loaded with
|
||||
`kldload if_tap', or by adding `if_tap_load="YES"' to
|
||||
`/boot/loader.conf'.
|
||||
|
||||
|
||||
File: tinc.info, Node: Configuration of OpenBSD kernels, Next: Configuration of NetBSD kernels, Prev: Configuration of FreeBSD kernels, Up: Configuring the kernel
|
||||
|
@ -303,8 +305,8 @@ For all cryptography-related functions, tinc uses the functions provided
|
|||
by the OpenSSL library.
|
||||
|
||||
If this library is not installed, you wil get an error when
|
||||
configuring tinc for build. Support for running tinc without having
|
||||
OpenSSL installed _may_ be added in the future.
|
||||
configuring tinc for build. Support for running tinc with other
|
||||
cryptographic libraries installed _may_ be added in the future.
|
||||
|
||||
You can use your operating system's package manager to install this
|
||||
if available. Make sure you install the development AND runtime
|
||||
|
@ -359,9 +361,12 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries
|
|||
For the optional compression of UDP packets, tinc uses the functions
|
||||
provided by the zlib library.
|
||||
|
||||
If this library is not installed, you wil get an error when
|
||||
configuring tinc for build. Support for running tinc without having
|
||||
zlib installed _may_ be added in the future.
|
||||
If this library is not installed, you wil get an error when running
|
||||
the configure script. You can either install the zlib library, or
|
||||
disable support for zlib compression by using the "-disable-zlib"
|
||||
option when running the configure script. Note that if you disable
|
||||
support for zlib, the resulting binary will not work correctly on VPNs
|
||||
where zlib compression is used.
|
||||
|
||||
You can use your operating system's package manager to install this
|
||||
if available. Make sure you install the development AND runtime
|
||||
|
@ -379,11 +384,14 @@ File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
|
|||
2.2.3 lzo
|
||||
---------
|
||||
|
||||
Another form of compression is offered using the lzo library.
|
||||
Another form of compression is offered using the LZO library.
|
||||
|
||||
If this library is not installed, you wil get an error when
|
||||
configuring tinc for build. Support for running tinc without having lzo
|
||||
installed _may_ be added in the future.
|
||||
If this library is not installed, you wil get an error when running
|
||||
the configure script. You can either install the LZO library, or
|
||||
disable support for LZO compression by using the "-disable-lzo" option
|
||||
when running the configure script. Note that if you disable support for
|
||||
LZO, the resulting binary will not work correctly on VPNs where LZO
|
||||
compression is used.
|
||||
|
||||
You can use your operating system's package manager to install this
|
||||
if available. Make sure you install the development AND runtime
|
||||
|
@ -408,9 +416,9 @@ startup scripts and sample configurations.
|
|||
If you cannot use one of the precompiled packages, or you want to
|
||||
compile tinc for yourself, you can use the source. The source is
|
||||
distributed under the GNU General Public License (GPL). Download the
|
||||
source from the download page (http://www.tinc-vpn.org/download), which
|
||||
has the checksums of these files listed; you may wish to check these
|
||||
with md5sum before continuing.
|
||||
source from the download page (http://www.tinc-vpn.org/download/),
|
||||
which has the checksums of these files listed; you may wish to check
|
||||
these with md5sum before continuing.
|
||||
|
||||
Tinc comes in a convenient autoconf/automake package, which you can
|
||||
just treat the same as any other package. Which is just untar it, type
|
||||
|
@ -451,7 +459,7 @@ File: tinc.info, Node: Darwin (MacOS/X) build environment, Next: Cygwin (Windo
|
|||
In order to build tinc on Darwin, you need to install the MacOS/X
|
||||
Developer Tools from
|
||||
`http://developer.apple.com/tools/macosxtools.html' and a recent
|
||||
version of Fink from `http://fink.sourceforge.net/'.
|
||||
version of Fink from `http://www.finkproject.org/'.
|
||||
|
||||
After installation use fink to download and install the following
|
||||
packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
|
||||
|
@ -570,7 +578,7 @@ Do you want to run tinc in router mode or switch mode? These questions
|
|||
can only be answered by yourself, you will not find the answers in this
|
||||
documentation. Make sure you have an adequate understanding of
|
||||
networks in general. A good resource on networking is the Linux
|
||||
Network Administrators Guide (http://www.linuxdoc.org/LDP/nag2/).
|
||||
Network Administrators Guide (http://www.tldp.org/LDP/nag2/).
|
||||
|
||||
If you have everything clearly pictured in your mind, proceed in the
|
||||
following order: First, generate the configuration files (`tinc.conf',
|
||||
|
@ -860,7 +868,8 @@ Hostnames = <yes|no> (no)
|
|||
responding.
|
||||
|
||||
This does not affect resolving hostnames to IP addresses from the
|
||||
configuration file.
|
||||
configuration file, but whether hostnames should be resolved while
|
||||
logging.
|
||||
|
||||
Interface = <INTERFACE>
|
||||
Defines the name of the interface corresponding to the virtual
|
||||
|
@ -957,9 +966,6 @@ PrivateKeyFile = <PATH> (`/etc/tinc/NETNAME/rsa_key.priv')
|
|||
generated by `tincd --generate-keys'. It must be a full path, not
|
||||
a relative directory.
|
||||
|
||||
Note that there must be exactly one of PrivateKey or PrivateKeyFile
|
||||
specified in the configuration file.
|
||||
|
||||
ProcessPriority = <low|normal|high>
|
||||
When this option is used the priority of the tincd process will be
|
||||
adjusted. Increasing the priority may help to reduce latency and
|
||||
|
@ -1116,7 +1122,7 @@ Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
|
|||
Prefixlength is the number of bits set to 1 in the netmask part;
|
||||
for example: netmask 255.255.255.0 would become /24, 255.255.252.0
|
||||
becomes /22. This conforms to standard CIDR notation as described
|
||||
in RFC1519 (ftp://ftp.isi.edu/in-notes/rfc1519.txt)
|
||||
in RFC1519 (http://www.ietf.org/rfc/rfc1519.txt)
|
||||
|
||||
A Subnet can be given a weight to indicate its priority over
|
||||
identical Subnets owned by different nodes. The default weight is
|
||||
|
@ -2470,7 +2476,7 @@ Concept Index
|
|||
* example: Example configuration.
|
||||
(line 6)
|
||||
* exec: Main configuration variables.
|
||||
(line 311)
|
||||
(line 309)
|
||||
* Forwarding: Main configuration variables.
|
||||
(line 152)
|
||||
* frame type: The UDP tunnel. (line 6)
|
||||
|
@ -2479,41 +2485,41 @@ Concept Index
|
|||
* Hostnames: Main configuration variables.
|
||||
(line 180)
|
||||
* http: Main configuration variables.
|
||||
(line 308)
|
||||
(line 306)
|
||||
* hub: Main configuration variables.
|
||||
(line 232)
|
||||
(line 233)
|
||||
* ID: Authentication protocol.
|
||||
(line 10)
|
||||
* IndirectData: Host configuration variables.
|
||||
(line 34)
|
||||
* INTERFACE: Scripts. (line 58)
|
||||
* Interface: Main configuration variables.
|
||||
(line 190)
|
||||
(line 191)
|
||||
* IRC: Contact information. (line 9)
|
||||
* key generation: Generating keypairs. (line 6)
|
||||
* KEY_CHANGED: The meta-protocol. (line 64)
|
||||
* KeyExpire: Main configuration variables.
|
||||
(line 237)
|
||||
(line 238)
|
||||
* libraries: Libraries. (line 6)
|
||||
* license: OpenSSL. (line 36)
|
||||
* LocalDiscovery: Main configuration variables.
|
||||
(line 198)
|
||||
(line 199)
|
||||
* lzo: lzo. (line 6)
|
||||
* MACExpire: Main configuration variables.
|
||||
(line 243)
|
||||
(line 244)
|
||||
* MACLength: Host configuration variables.
|
||||
(line 42)
|
||||
* meta-protocol: The meta-connection. (line 18)
|
||||
* META_KEY: Authentication protocol.
|
||||
(line 10)
|
||||
* Mode: Main configuration variables.
|
||||
(line 209)
|
||||
(line 210)
|
||||
* multicast: Main configuration variables.
|
||||
(line 99)
|
||||
* multiple networks: Multiple networks. (line 6)
|
||||
* NAME: Scripts. (line 52)
|
||||
* Name: Main configuration variables.
|
||||
(line 248)
|
||||
(line 249)
|
||||
* netmask: Network interfaces. (line 34)
|
||||
* NETNAME: Scripts. (line 49)
|
||||
* netname: Multiple networks. (line 6)
|
||||
|
@ -2526,9 +2532,9 @@ Concept Index
|
|||
(line 67)
|
||||
* PING: The meta-protocol. (line 89)
|
||||
* PingInterval: Main configuration variables.
|
||||
(line 259)
|
||||
(line 260)
|
||||
* PingTimeout: Main configuration variables.
|
||||
(line 263)
|
||||
(line 264)
|
||||
* platforms: Supported platforms. (line 6)
|
||||
* PMTU: Host configuration variables.
|
||||
(line 47)
|
||||
|
@ -2539,17 +2545,17 @@ Concept Index
|
|||
(line 55)
|
||||
* port numbers: Other files. (line 17)
|
||||
* PriorityInheritance: Main configuration variables.
|
||||
(line 269)
|
||||
(line 270)
|
||||
* private: Virtual Private Networks.
|
||||
(line 10)
|
||||
* PrivateKey: Main configuration variables.
|
||||
(line 274)
|
||||
(line 275)
|
||||
* PrivateKeyFile: Main configuration variables.
|
||||
(line 280)
|
||||
(line 281)
|
||||
* ProcessPriority: Main configuration variables.
|
||||
(line 288)
|
||||
(line 286)
|
||||
* Proxy: Main configuration variables.
|
||||
(line 293)
|
||||
(line 291)
|
||||
* PublicKey: Host configuration variables.
|
||||
(line 59)
|
||||
* PublicKeyFile: Host configuration variables.
|
||||
|
@ -2560,11 +2566,11 @@ Concept Index
|
|||
* REMOTEADDRESS: Scripts. (line 67)
|
||||
* REMOTEPORT: Scripts. (line 70)
|
||||
* ReplayWindow: Main configuration variables.
|
||||
(line 316)
|
||||
(line 314)
|
||||
* REQ_KEY: The meta-protocol. (line 64)
|
||||
* requirements: Libraries. (line 6)
|
||||
* router: Main configuration variables.
|
||||
(line 212)
|
||||
(line 213)
|
||||
* runtime options: Runtime options. (line 9)
|
||||
* scalability: tinc. (line 19)
|
||||
* scripts: Scripts. (line 6)
|
||||
|
@ -2572,11 +2578,11 @@ Concept Index
|
|||
(line 18)
|
||||
* signals: Signals. (line 6)
|
||||
* socks4: Main configuration variables.
|
||||
(line 297)
|
||||
(line 295)
|
||||
* socks5: Main configuration variables.
|
||||
(line 302)
|
||||
(line 300)
|
||||
* StrictSubnets: Main configuration variables.
|
||||
(line 327)
|
||||
(line 325)
|
||||
* SUBNET: Scripts. (line 74)
|
||||
* Subnet: Host configuration variables.
|
||||
(line 74)
|
||||
|
@ -2584,7 +2590,7 @@ Concept Index
|
|||
(line 96)
|
||||
* SVPN: Security. (line 11)
|
||||
* switch: Main configuration variables.
|
||||
(line 221)
|
||||
(line 222)
|
||||
* TCP: The meta-connection. (line 10)
|
||||
* TCPonly: Host configuration variables.
|
||||
(line 103)
|
||||
|
@ -2598,16 +2604,16 @@ Concept Index
|
|||
* tunifhead: Main configuration variables.
|
||||
(line 134)
|
||||
* TunnelServer: Main configuration variables.
|
||||
(line 332)
|
||||
(line 330)
|
||||
* tunnohead: Main configuration variables.
|
||||
(line 128)
|
||||
* UDP <1>: Encryption of network packets.
|
||||
(line 12)
|
||||
* UDP: The UDP tunnel. (line 30)
|
||||
* UDPRcvBuf: Main configuration variables.
|
||||
(line 339)
|
||||
(line 337)
|
||||
* UDPSndBuf: Main configuration variables.
|
||||
(line 344)
|
||||
(line 342)
|
||||
* UML: Main configuration variables.
|
||||
(line 110)
|
||||
* Universal tun/tap: Configuration of Linux kernels.
|
||||
|
@ -2632,61 +2638,61 @@ Node: Introduction1109
|
|||
Node: Virtual Private Networks1919
|
||||
Node: tinc3645
|
||||
Node: Supported platforms5172
|
||||
Node: Preparations5870
|
||||
Node: Configuring the kernel6126
|
||||
Node: Configuration of Linux kernels6535
|
||||
Node: Configuration of FreeBSD kernels7390
|
||||
Node: Configuration of OpenBSD kernels7780
|
||||
Node: Configuration of NetBSD kernels8388
|
||||
Node: Configuration of Solaris kernels8793
|
||||
Node: Configuration of Darwin (MacOS/X) kernels9454
|
||||
Node: Configuration of Windows10143
|
||||
Node: Libraries10657
|
||||
Node: OpenSSL11045
|
||||
Node: zlib13321
|
||||
Node: lzo14150
|
||||
Node: Installation14937
|
||||
Node: Building and installing tinc15952
|
||||
Node: Darwin (MacOS/X) build environment16611
|
||||
Node: Cygwin (Windows) build environment17179
|
||||
Node: MinGW (Windows) build environment17767
|
||||
Node: System files18291
|
||||
Node: Device files18556
|
||||
Node: Other files18972
|
||||
Node: Configuration19585
|
||||
Node: Configuration introduction19896
|
||||
Node: Multiple networks21169
|
||||
Node: How connections work22595
|
||||
Node: Configuration files23817
|
||||
Node: Main configuration variables25204
|
||||
Node: Host configuration variables40987
|
||||
Node: Scripts46347
|
||||
Node: How to configure49117
|
||||
Node: Generating keypairs50380
|
||||
Node: Network interfaces50879
|
||||
Node: Example configuration52727
|
||||
Node: Running tinc58050
|
||||
Node: Runtime options58640
|
||||
Node: Signals61940
|
||||
Node: Debug levels63132
|
||||
Node: Solving problems64068
|
||||
Node: Error messages65620
|
||||
Node: Sending bug reports69633
|
||||
Node: Technical information70585
|
||||
Node: The connection70816
|
||||
Node: The UDP tunnel71128
|
||||
Node: The meta-connection74189
|
||||
Node: The meta-protocol75658
|
||||
Node: Security80667
|
||||
Node: Authentication protocol81797
|
||||
Node: Encryption of network packets86801
|
||||
Node: Security issues88174
|
||||
Node: Platform specific information89791
|
||||
Node: Interface configuration90019
|
||||
Node: Routes92472
|
||||
Node: About us94388
|
||||
Node: Contact information94563
|
||||
Node: Authors94967
|
||||
Node: Concept Index95372
|
||||
Node: Preparations5871
|
||||
Node: Configuring the kernel6127
|
||||
Node: Configuration of Linux kernels6536
|
||||
Node: Configuration of FreeBSD kernels7391
|
||||
Node: Configuration of OpenBSD kernels7856
|
||||
Node: Configuration of NetBSD kernels8464
|
||||
Node: Configuration of Solaris kernels8869
|
||||
Node: Configuration of Darwin (MacOS/X) kernels9530
|
||||
Node: Configuration of Windows10219
|
||||
Node: Libraries10733
|
||||
Node: OpenSSL11121
|
||||
Node: zlib13409
|
||||
Node: lzo14435
|
||||
Node: Installation15415
|
||||
Node: Building and installing tinc16431
|
||||
Node: Darwin (MacOS/X) build environment17090
|
||||
Node: Cygwin (Windows) build environment17657
|
||||
Node: MinGW (Windows) build environment18245
|
||||
Node: System files18769
|
||||
Node: Device files19034
|
||||
Node: Other files19450
|
||||
Node: Configuration20063
|
||||
Node: Configuration introduction20374
|
||||
Node: Multiple networks21643
|
||||
Node: How connections work23069
|
||||
Node: Configuration files24291
|
||||
Node: Main configuration variables25678
|
||||
Node: Host configuration variables41406
|
||||
Node: Scripts46763
|
||||
Node: How to configure49533
|
||||
Node: Generating keypairs50796
|
||||
Node: Network interfaces51295
|
||||
Node: Example configuration53143
|
||||
Node: Running tinc58466
|
||||
Node: Runtime options59056
|
||||
Node: Signals62356
|
||||
Node: Debug levels63548
|
||||
Node: Solving problems64484
|
||||
Node: Error messages66036
|
||||
Node: Sending bug reports70049
|
||||
Node: Technical information71001
|
||||
Node: The connection71232
|
||||
Node: The UDP tunnel71544
|
||||
Node: The meta-connection74605
|
||||
Node: The meta-protocol76074
|
||||
Node: Security81083
|
||||
Node: Authentication protocol82213
|
||||
Node: Encryption of network packets87217
|
||||
Node: Security issues88590
|
||||
Node: Platform specific information90207
|
||||
Node: Interface configuration90435
|
||||
Node: Routes92888
|
||||
Node: About us94804
|
||||
Node: Contact information94979
|
||||
Node: Authors95383
|
||||
Node: Concept Index95788
|
||||
|
||||
End Tag Table
|
||||
@ -15,7 +15,7 @@
|
|||
|
||||
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
||||
|
||||
Copyright @copyright{} 1998-2012 Ivo Timmermans,
|
||||
Copyright @copyright{} 1998-2013 Ivo Timmermans,
|
||||
Guus Sliepen <guus@@tinc-vpn.org> and
|
||||
Wessel Dankers <wsl@@tinc-vpn.org>.
|
||||
|
||||
|
@ -39,7 +39,7 @@ permission notice identical to this one.
|
|||
@vskip 0pt plus 1filll
|
||||
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
|
||||
|
||||
Copyright @copyright{} 1998-2012 Ivo Timmermans,
|
||||
Copyright @copyright{} 1998-2013 Ivo Timmermans,
|
||||
Guus Sliepen <guus@@tinc-vpn.org> and
|
||||
Wessel Dankers <wsl@@tinc-vpn.org>.
|
||||
|
||||
|
@ -186,7 +186,7 @@ packets.
|
|||
@cindex release
|
||||
For an up to date list of supported platforms, please check the list on
|
||||
our website:
|
||||
@uref{http://www.tinc-vpn.org/platforms}.
|
||||
@uref{http://www.tinc-vpn.org/platforms/}.
|
||||
|
||||
@c
|
||||
@c
|
||||
|
@ -261,7 +261,7 @@ alias char-major-10-200 tun
|
|||
@subsection Configuration of FreeBSD kernels
|
||||
|
||||
For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration.
|
||||
Using tap devices is recommended.
|
||||
The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
|
||||
|
||||
|
||||
@c ==================================================================
|
||||
|
@ -275,6 +275,7 @@ which adds a tap device to OpenBSD which should work with tinc,
|
|||
but with recent versions of OpenBSD,
|
||||
a tun device can act as a tap device by setting the link0 option with ifconfig.
|
||||
|
||||
|
||||
@c ==================================================================
|
||||
@node Configuration of NetBSD kernels
|
||||
@subsection Configuration of NetBSD kernels
|
||||
|
@ -349,7 +350,7 @@ For all cryptography-related functions, tinc uses the functions provided
|
|||
by the OpenSSL library.
|
||||
|
||||
If this library is not installed, you wil get an error when configuring
|
||||
tinc for build. Support for running tinc without having OpenSSL
|
||||
tinc for build. Support for running tinc with other cryptographic libraries
|
||||
installed @emph{may} be added in the future.
|
||||
|
||||
You can use your operating system's package manager to install this if
|
||||
|
@ -412,9 +413,11 @@ Markus F.X.J. Oberhumer
|
|||
For the optional compression of UDP packets, tinc uses the functions provided
|
||||
by the zlib library.
|
||||
|
||||
If this library is not installed, you wil get an error when configuring
|
||||
tinc for build. Support for running tinc without having zlib
|
||||
installed @emph{may} be added in the future.
|
||||
If this library is not installed, you wil get an error when running the
|
||||
configure script. You can either install the zlib library, or disable support
|
||||
for zlib compression by using the "--disable-zlib" option when running the
|
||||
configure script. Note that if you disable support for zlib, the resulting
|
||||
binary will not work correctly on VPNs where zlib compression is used.
|
||||
|
||||
You can use your operating system's package manager to install this if
|
||||
available. Make sure you install the development AND runtime versions
|
||||
|
@ -432,11 +435,13 @@ default).
|
|||
@subsection lzo
|
||||
|
||||
@cindex lzo
|
||||
Another form of compression is offered using the lzo library.
|
||||
Another form of compression is offered using the LZO library.
|
||||
|
||||
If this library is not installed, you wil get an error when configuring
|
||||
tinc for build. Support for running tinc without having lzo
|
||||
installed @emph{may} be added in the future.
|
||||
If this library is not installed, you wil get an error when running the
|
||||
configure script. You can either install the LZO library, or disable support
|
||||
for LZO compression by using the "--disable-lzo" option when running the
|
||||
configure script. Note that if you disable support for LZO, the resulting
|
||||
binary will not work correctly on VPNs where LZO compression is used.
|
||||
|
||||
You can use your operating system's package manager to install this if
|
||||
available. Make sure you install the development AND runtime versions
|
||||
|
@ -469,7 +474,7 @@ system startup scripts and sample configurations.
|
|||
If you cannot use one of the precompiled packages, or you want to compile tinc
|
||||
for yourself, you can use the source. The source is distributed under
|
||||
the GNU General Public License (GPL). Download the source from the
|
||||
@uref{http://www.tinc-vpn.org/download, download page}, which has
|
||||
@uref{http://www.tinc-vpn.org/download/, download page}, which has
|
||||
the checksums of these files listed; you may wish to check these with
|
||||
md5sum before continuing.
|
||||
|
||||
|
@ -510,7 +515,7 @@ The documentation that comes along with your distribution will tell you how to d
|
|||
|
||||
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
|
||||
from @uref{http://developer.apple.com/tools/macosxtools.html} and
|
||||
a recent version of Fink from @uref{http://fink.sourceforge.net/}.
|
||||
a recent version of Fink from @uref{http://www.finkproject.org/}.
|
||||
|
||||
After installation use fink to download and install the following packages:
|
||||
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
|
||||
|
@ -638,7 +643,7 @@ you will not find the answers in this documentation.
|
|||
Make sure you have an adequate understanding of networks in general.
|
||||
@cindex Network Administrators Guide
|
||||
A good resource on networking is the
|
||||
@uref{http://www.linuxdoc.org/LDP/nag2/, Linux Network Administrators Guide}.
|
||||
@uref{http://www.tldp.org/LDP/nag2/, Linux Network Administrators Guide}.
|
||||
|
||||
If you have everything clearly pictured in your mind,
|
||||
proceed in the following order:
|
||||
|
@ -943,7 +948,7 @@ tinc's efficiency, even stopping the daemon for a few seconds everytime
|
|||
it does a lookup if your DNS server is not responding.
|
||||
|
||||
This does not affect resolving hostnames to IP addresses from the
|
||||
configuration file.
|
||||
configuration file, but whether hostnames should be resolved while logging.
|
||||
|
||||
@cindex Interface
|
||||
@item Interface = <@var{interface}>
|
||||
|
@ -1041,10 +1046,6 @@ This is the full path name of the RSA private key file that was
|
|||
generated by @samp{tincd --generate-keys}. It must be a full path, not a
|
||||
relative directory.
|
||||
|
||||
Note that there must be exactly one of PrivateKey
|
||||
or PrivateKeyFile
|
||||
specified in the configuration file.
|
||||
|
||||
@cindex ProcessPriority
|
||||
@item ProcessPriority = <low|normal|high>
|
||||
When this option is used the priority of the tincd process will be adjusted.
|
||||
|
@ -1220,7 +1221,7 @@ MAC addresses are notated like 0:1a:2b:3c:4d:5e.
|
|||
Prefixlength is the number of bits set to 1 in the netmask part; for
|
||||
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
|
||||
/22. This conforms to standard CIDR notation as described in
|
||||
@uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519}
|
||||
@uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519}
|
||||
|
||||
@cindex Subnet weight
|
||||
A Subnet can be given a weight to indicate its priority over identical Subnets
@ -1,4 +1,4 @@
|
|||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@ -41,6 +41,10 @@
|
|||
#define ETH_P_IPV6 0x86DD
|
||||
#endif
|
||||
|
||||
#ifndef ETH_P_8021Q
|
||||
#define ETH_P_8021Q 0x8100
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_STRUCT_ETHER_HEADER
|
||||
struct ether_header {
|
||||
uint8_t ether_dhost[ETH_ALEN];
10
lib/utils.c
10
lib/utils.c
@ -32,12 +32,14 @@ static int charhex2bin(char c) {
|
|||
return toupper(c) - 'A' + 10;
|
||||
}
|
||||
|
||||
|
||||
void hex2bin(char *src, char *dst, int length) {
|
||||
int i;
|
||||
for(i = 0; i < length; i++)
|
||||
bool hex2bin(char *src, char *dst, int length) {
|
||||
for(int i = 0; i < length; i++) {
|
||||
if(!isxdigit(src[i * 2]) || !isxdigit(src[i * 2 + 1]))
|
||||
return false;
|
||||
dst[i] = charhex2bin(src[i * 2]) * 16 + charhex2bin(src[i * 2 + 1]);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
void bin2hex(char *src, char *dst, int length) {
|
||||
int i;
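Review bot: `isxdigit(src[i * 2])` in the new hex2bin() is handed a plain `char`; where `char` is signed, an input byte above 0x7F becomes a negative argument, which the `<ctype.h>` functions only define for `unsigned char` values and EOF. Cast before the call, e.g. `if(!isxdigit((unsigned char)src[i * 2]) || !isxdigit((unsigned char)src[i * 2 + 1]))`; the same applies to `toupper(c)` in charhex2bin(), whose body starts above the hunk. A side effect of the new check deserves a comment, because it is the real robustness gain here: a NUL terminator fails isxdigit(), so a `src` shorter than `2 * length` is no longer read past its end — `/* a short or non-hex src fails isxdigit() at its NUL, so we never read beyond it */`.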
@ -21,7 +21,7 @@
|
|||
#ifndef __TINC_UTILS_H__
|
||||
#define __TINC_UTILS_H__
|
||||
|
||||
extern void hex2bin(char *src, char *dst, int length);
|
||||
extern bool hex2bin(char *src, char *dst, int length);
|
||||
extern void bin2hex(char *src, char *dst, int length);
|
||||
|
||||
#ifdef HAVE_MINGW
@ -1,4 +1,4 @@
|
|||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@ -1,4 +1,4 @@
|
|||
# Makefile.in generated by automake 1.11.5 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.11.6 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@ -29,17 +29,22 @@
|
|||
#include "utils.h"
|
||||
#include "xalloc.h"
|
||||
|
||||
#ifdef HAVE_TUNEMU
|
||||
#ifdef ENABLE_TUNEMU
|
||||
#include "bsd/tunemu.h"
|
||||
#endif
|
||||
|
||||
#define DEFAULT_DEVICE "/dev/tun0"
|
||||
#define DEFAULT_TUN_DEVICE "/dev/tun0"
|
||||
#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD)
|
||||
#define DEFAULT_TAP_DEVICE "/dev/tap0"
|
||||
#else
|
||||
#define DEFAULT_TAP_DEVICE "/dev/tun0"
|
||||
#endif
|
||||
|
||||
typedef enum device_type {
|
||||
DEVICE_TYPE_TUN,
|
||||
DEVICE_TYPE_TUNIFHEAD,
|
||||
DEVICE_TYPE_TAP,
|
||||
#ifdef HAVE_TUNEMU
|
||||
#ifdef ENABLE_TUNEMU
|
||||
DEVICE_TYPE_TUNEMU,
|
||||
#endif
|
||||
} device_type_t;
|
||||
|
@ -50,7 +55,7 @@ char *iface = NULL;
|
|||
static char *device_info = NULL;
|
||||
static uint64_t device_total_in = 0;
|
||||
static uint64_t device_total_out = 0;
|
||||
#if defined(TUNEMU)
|
||||
#if defined(ENABLE_TUNEMU)
|
||||
static device_type_t device_type = DEVICE_TYPE_TUNEMU;
|
||||
#elif defined(HAVE_OPENBSD) || defined(HAVE_FREEBSD) || defined(HAVE_DRAGONFLY)
|
||||
static device_type_t device_type = DEVICE_TYPE_TUNIFHEAD;
|
||||
|
@ -61,8 +66,12 @@ static device_type_t device_type = DEVICE_TYPE_TUN;
|
|||
static bool setup_device(void) {
|
||||
char *type;
|
||||
|
||||
if(!get_config_string(lookup_config(config_tree, "Device"), &device))
|
||||
device = xstrdup(DEFAULT_DEVICE);
|
||||
if(!get_config_string(lookup_config(config_tree, "Device"), &device)) {
|
||||
if(routing_mode == RMODE_ROUTER)
|
||||
device = xstrdup(DEFAULT_TUN_DEVICE);
|
||||
else
|
||||
device = xstrdup(DEFAULT_TAP_DEVICE);
|
||||
}
|
||||
|
||||
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
|
||||
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
|
||||
|
@ -70,7 +79,7 @@ static bool setup_device(void) {
|
|||
if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
|
||||
if(!strcasecmp(type, "tun"))
|
||||
/* use default */;
|
||||
#ifdef HAVE_TUNEMU
|
||||
#ifdef ENABLE_TUNEMU
|
||||
else if(!strcasecmp(type, "tunemu"))
|
||||
device_type = DEVICE_TYPE_TUNEMU;
|
||||
#endif
|
||||
|
@ -90,7 +99,7 @@ static bool setup_device(void) {
|
|||
}
|
||||
|
||||
switch(device_type) {
|
||||
#ifdef HAVE_TUNEMU
|
||||
#ifdef ENABLE_TUNEMU
|
||||
case DEVICE_TYPE_TUNEMU: {
|
||||
char dynamic_name[256] = "";
|
||||
device_fd = tunemu_open(dynamic_name);
|
||||
|
@ -167,7 +176,7 @@ static bool setup_device(void) {
|
|||
|
||||
#endif
|
||||
break;
|
||||
#ifdef HAVE_TUNEMU
|
||||
#ifdef ENABLE_TUNEMU
|
||||
case DEVICE_TYPE_TUNEMU:
|
||||
device_info = "BSD tunemu device";
|
||||
break;
|
||||
|
@ -181,7 +190,7 @@ static bool setup_device(void) {
|
|||
|
||||
static void close_device(void) {
|
||||
switch(device_type) {
|
||||
#ifdef HAVE_TUNEMU
|
||||
#ifdef ENABLE_TUNEMU
|
||||
case DEVICE_TYPE_TUNEMU:
|
||||
tunemu_close(device_fd);
|
||||
break;
|
||||
|
@ -199,7 +208,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
|||
|
||||
switch(device_type) {
|
||||
case DEVICE_TYPE_TUN:
|
||||
#ifdef HAVE_TUNEMU
|
||||
#ifdef ENABLE_TUNEMU
|
||||
case DEVICE_TYPE_TUNEMU:
|
||||
if(device_type == DEVICE_TYPE_TUNEMU)
|
||||
lenin = tunemu_read(device_fd, packet->data + 14, MTU - 14);
|
||||
|
@ -229,6 +238,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
|||
return false;
|
||||
}
|
||||
|
||||
memset(packet->data, 0, 12);
|
||||
packet->len = lenin + 14;
|
||||
break;
|
||||
|
||||
|
@ -260,6 +270,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
|||
return false;
|
||||
}
|
||||
|
||||
memset(packet->data, 0, 12);
|
||||
packet->len = lenin + 10;
|
||||
break;
|
||||
}
|
||||
|
@ -336,7 +347,7 @@ static bool write_packet(vpn_packet_t *packet) {
|
|||
}
|
||||
break;
|
||||
|
||||
#ifdef HAVE_TUNEMU
|
||||
#ifdef ENABLE_TUNEMU
|
||||
case DEVICE_TYPE_TUNEMU:
|
||||
if(tunemu_write(device_fd, packet->data + 14, packet->len - 14) < 0) {
|
||||
logger(LOG_ERR, "Error while writing to %s %s: %s", device_info,
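Review bot: The new default-device selection in setup_device() reads `routing_mode` without saying where it comes from; the default is only right if the Mode option has been parsed before setup_device() runs, which is plausible but not visible in this hunk. A one-line comment above `if(routing_mode == RMODE_ROUTER)` would save the next reader the lookup: `/* routing_mode is parsed before setup_device(): router mode wants a tun device, switch/hub mode a tap device */`. Note also that the `#else` branch defines DEFAULT_TAP_DEVICE as "/dev/tun0", so on BSDs other than FreeBSD/NetBSD the new branch is a no-op; a comment there (`/* other BSDs: presumably the tun device doubles as a tap device, see DeviceType */`) would explain why that is intended rather than an oversight.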
@ -73,6 +73,15 @@ void free_connection_partially(connection_t *c) {
|
|||
c->hischallenge = NULL;
|
||||
c->outbuf = NULL;
|
||||
|
||||
c->status.pinged = false;
|
||||
c->status.active = false;
|
||||
c->status.connecting = false;
|
||||
c->status.timeout = false;
|
||||
c->status.encryptout = false;
|
||||
c->status.decryptin = false;
|
||||
c->status.mst = false;
|
||||
|
||||
c->options = 0;
|
||||
c->buflen = 0;
|
||||
c->reqlen = 0;
|
||||
c->tcplen = 0;
|
||||
|
@ -80,6 +89,8 @@ void free_connection_partially(connection_t *c) {
|
|||
c->outbuflen = 0;
|
||||
c->outbufsize = 0;
|
||||
c->outbufstart = 0;
|
||||
c->last_ping_time = 0;
|
||||
c->last_flushed_time = 0;
|
||||
|
||||
if(c->inctx) {
|
||||
EVP_CIPHER_CTX_cleanup(c->inctx);
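Review bot: free_connection_partially() now resets the status bits one by one and leaves `remove` and `unused_termreq` untouched, without saying so; since the same commit clears a node's status with a single memset in graph.c, a reader will wonder whether the omission is deliberate. If `remove` must survive because the caller is in the middle of tearing the connection down, pin that with a comment above the block: `/* Reset per-session state but keep status.remove: the caller may still be terminating this connection */`. Any bit added to connection_status_t later must also be added here, which is worth a matching comment on the struct in connection.h. The enclosing function starts above the hunk.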
@ -35,7 +35,7 @@ typedef struct connection_status_t {
|
|||
unsigned int pinged:1; /* sent ping */
|
||||
unsigned int active:1; /* 1 if active.. */
|
||||
unsigned int connecting:1; /* 1 if we are waiting for a non-blocking connect() to finish */
|
||||
unsigned int termreq:1; /* the termination of this connection was requested */
|
||||
unsigned int unused_termreq:1; /* the termination of this connection was requested */
|
||||
unsigned int remove:1; /* Set to 1 if you want this connection removed */
|
||||
unsigned int timeout:1; /* 1 if gotten timeout */
|
||||
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
17
src/graph.c
17
src/graph.c
@ -1,6 +1,6 @@
|
|||
/*
|
||||
graph.c -- graph algorithms
|
||||
Copyright (C) 2001-2012 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
Copyright (C) 2001-2013 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
2001-2005 Ivo Timmermans
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
|
@ -287,13 +287,16 @@ static void sssp_bfs(void) {
|
|||
|
||||
subnet_update(n, NULL, n->status.reachable);
|
||||
|
||||
if(!n->status.reachable)
|
||||
if(!n->status.reachable) {
|
||||
update_node_udp(n, NULL);
|
||||
else if(n->connection)
|
||||
memset(&n->status, 0, sizeof n->status);
|
||||
n->options = 0;
|
||||
} else if(n->connection) {
|
||||
send_ans_key(n);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void graph(void) {
|
||||
subnet_cache_flush();
|
||||
|
@ -315,7 +318,7 @@ void dump_graph(void) {
|
|||
node_t *n;
|
||||
edge_t *e;
|
||||
char *filename = NULL, *tmpname = NULL;
|
||||
FILE *file;
|
||||
FILE *file, *pipe = NULL;
|
||||
|
||||
if(!graph_changed || !get_config_string(lookup_config(config_tree, "GraphDumpFile"), &filename))
|
||||
return;
|
||||
|
@ -325,7 +328,7 @@ void dump_graph(void) {
|
|||
ifdebug(PROTOCOL) logger(LOG_NOTICE, "Dumping graph");
|
||||
|
||||
if(filename[0] == '|') {
|
||||
file = popen(filename + 1, "w");
|
||||
file = pipe = popen(filename + 1, "w");
|
||||
} else {
|
||||
xasprintf(&tmpname, "%s.new", filename);
|
||||
file = fopen(tmpname, "w");
|
||||
|
@ -353,8 +356,8 @@ void dump_graph(void) {
|
|||
|
||||
fprintf(file, "}\n");
|
||||
|
||||
if(filename[0] == '|') {
|
||||
pclose(file);
|
||||
if(pipe) {
|
||||
pclose(pipe);
|
||||
} else {
|
||||
fclose(file);
|
||||
#ifdef HAVE_MINGW
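Review bot: The `pclose(pipe)` and `fclose(file)` return values are discarded at the end of dump_graph(); in the file case the graph is written to `<filename>.new` and, judging by the `#ifdef HAVE_MINGW` block that follows, presumably moved over the previous dump afterwards, so a failed flush on fclose (ENOSPC, I/O error) would silently replace a good graph file with a truncated one. Check the result before the rename and back out on failure, e.g. `if(fclose(file)) { logger(LOG_ERR, "Error writing graph to %s: %s", tmpname, strerror(errno)); unlink(tmpname); }` and only rename in the else branch. For the pipe, a non-zero `pclose()` status deserves at least a debug log so a broken dump command is noticed. The rename and the frees that follow are outside this hunk.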
@ -155,6 +155,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
|||
return false;
|
||||
}
|
||||
|
||||
memset(packet->data, 0, 12);
|
||||
packet->len = lenin + 10;
|
||||
break;
|
||||
case DEVICE_TYPE_TAP:
36
src/meta.c
36
src/meta.c
@ -1,6 +1,6 @@
|
|||
/*
|
||||
meta.c -- handle the meta communication
|
||||
Copyright (C) 2000-2009 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
2000-2005 Ivo Timmermans
|
||||
2006 Scott Lamb <slamb@slamb.org>
|
||||
|
||||
|
@ -177,15 +177,45 @@ bool receive_meta(connection_t *c) {
|
|||
|
||||
if(c->tcplen) {
|
||||
if(c->tcplen <= c->buflen) {
|
||||
if(proxytype == PROXY_SOCKS4 && c->allow_request == ID) {
|
||||
if(!c->node) {
|
||||
if(c->outgoing && proxytype == PROXY_SOCKS4 && c->allow_request == ID) {
|
||||
if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) {
|
||||
logger(LOG_DEBUG, "Proxy request granted");
|
||||
} else {
|
||||
logger(LOG_ERR, "Proxy request rejected");
|
||||
return false;
|
||||
}
|
||||
} else
|
||||
} else if(c->outgoing && proxytype == PROXY_SOCKS5 && c->allow_request == ID) {
|
||||
if(c->buffer[0] != 5) {
|
||||
logger(LOG_ERR, "Invalid response from proxy server");
|
||||
return false;
|
||||
}
|
||||
if(c->buffer[1] == (char)0xff) {
|
||||
logger(LOG_ERR, "Proxy request rejected: unsuitable authentication method");
|
||||
return false;
|
||||
}
|
||||
if(c->buffer[2] != 5) {
|
||||
logger(LOG_ERR, "Invalid response from proxy server");
|
||||
return false;
|
||||
}
|
||||
if(c->buffer[3] == 0) {
|
||||
logger(LOG_DEBUG, "Proxy request granted");
|
||||
} else {
|
||||
logger(LOG_DEBUG, "Proxy request rejected");
|
||||
return false;
|
||||
}
|
||||
} else {
|
||||
logger(LOG_ERR, "c->tcplen set but c->node is NULL!");
|
||||
abort();
|
||||
}
|
||||
} else {
|
||||
if(c->allow_request == ALL) {
|
||||
receive_tcppacket(c, c->buffer, c->tcplen);
|
||||
} else {
|
||||
logger(LOG_ERR, "Got unauthorized TCP packet from %s (%s)", c->name, c->hostname);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
c->buflen -= c->tcplen;
|
||||
lenin -= c->tcplen - oldlen;
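Review bot: The new `abort()` in receive_meta() turns an internal-consistency slip into a crash of the whole daemon; `c->tcplen` set while `c->node` is NULL is presumably unreachable from the network, since TCP packets are only handed to receive_tcppacket() once `c->allow_request == ALL`, but should any later change make that state reachable it becomes a remotely triggerable crash of every node that accepts the connection. Dropping the connection is the safer reaction: `logger(LOG_ERR, "c->tcplen set but c->node is NULL!"); return false;`. The SOCKS5 branch also indexes `c->buffer[3]`, so it relies on the connect code having set `c->tcplen` to at least 4 before this point; a comment stating that assumption would help, as receive_meta() continues on both sides of the hunk.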
@ -1,7 +1,7 @@
|
|||
/*
|
||||
device.c -- Interaction with Windows tap driver in a MinGW environment
|
||||
Copyright (C) 2002-2005 Ivo Timmermans,
|
||||
2002-2011 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2002-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -46,7 +46,7 @@ extern char *myport;
|
|||
|
||||
static DWORD WINAPI tapreader(void *bla) {
|
||||
int status;
|
||||
long len;
|
||||
DWORD len;
|
||||
OVERLAPPED overlapped;
|
||||
vpn_packet_t packet;
|
||||
|
||||
|
@ -91,7 +91,7 @@ static bool setup_device(void) {
|
|||
char adapterid[1024];
|
||||
char adaptername[1024];
|
||||
char tapname[1024];
|
||||
long len;
|
||||
DWORD len;
|
||||
unsigned long status;
|
||||
|
||||
bool found = false;
|
||||
|
@ -122,7 +122,7 @@ static bool setup_device(void) {
|
|||
continue;
|
||||
|
||||
len = sizeof(adaptername);
|
||||
err = RegQueryValueEx(key2, "Name", 0, 0, adaptername, &len);
|
||||
err = RegQueryValueEx(key2, "Name", 0, 0, (LPBYTE)adaptername, &len);
|
||||
|
||||
RegCloseKey(key2);
|
||||
|
||||
|
@ -222,7 +222,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
|||
}
|
||||
|
||||
static bool write_packet(vpn_packet_t *packet) {
|
||||
long lenout;
|
||||
DWORD lenout;
|
||||
OVERLAPPED overlapped = {0};
|
||||
|
||||
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
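Review bot: The `RegQueryValueEx(key2, "Name", 0, 0, (LPBYTE)adaptername, &len)` call in setup_device() now compiles cleanly, but the Registry does not guarantee that a REG_SZ value is NUL-terminated, and a value of 1024 bytes fills `adaptername` without a terminator before it is presumably used as a C string further down, outside this hunk. Unless that is handled there, terminate defensively after a successful call: `if(len >= sizeof adaptername) len = sizeof adaptername - 1; adaptername[len] = '\0';`. The remaining changes in this file (long → DWORD for the OVERLAPPED lengths) are straightforward.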
@ -1,7 +1,7 @@
|
|||
/*
|
||||
device.c -- multicast socket
|
||||
Copyright (C) 2002-2005 Ivo Timmermans,
|
||||
2002-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2002-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -158,7 +158,7 @@ static void close_device(void) {
|
|||
static bool read_packet(vpn_packet_t *packet) {
|
||||
int lenin;
|
||||
|
||||
if((lenin = recv(device_fd, packet->data, MTU, 0)) <= 0) {
|
||||
if((lenin = recv(device_fd, (void *)packet->data, MTU, 0)) <= 0) {
|
||||
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
|
||||
device, strerror(errno));
|
||||
return false;
|
||||
|
@ -184,7 +184,7 @@ static bool write_packet(vpn_packet_t *packet) {
|
|||
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
|
||||
packet->len, device_info);
|
||||
|
||||
if(sendto(device_fd, packet->data, packet->len, 0, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||
if(sendto(device_fd, (void *)packet->data, packet->len, 0, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||
logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device,
|
||||
strerror(errno));
|
||||
return false;
@ -1,7 +1,7 @@
|
|||
/*
|
||||
net_packet.c -- Handles in- and outgoing VPN packets
|
||||
Copyright (C) 1998-2005 Ivo Timmermans,
|
||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2010 Timothy Redaelli <timothy@redaelli.eu>
|
||||
2010 Brandon Black <blblack@gmail.com>
|
||||
|
||||
|
@ -70,11 +70,15 @@ bool localdiscovery = false;
|
|||
mtuprobes == 32: send 1 burst, sleep pingtimeout second
|
||||
mtuprobes == 33: no response from other side, restart PMTU discovery process
|
||||
|
||||
Probes are sent in batches of three, with random sizes between the lower and
|
||||
upper boundaries for the MTU thus far discovered.
|
||||
Probes are sent in batches of at least three, with random sizes between the
|
||||
lower and upper boundaries for the MTU thus far discovered.
|
||||
|
||||
In case local discovery is enabled, a fourth packet is added to each batch,
|
||||
After the initial discovery, a fourth packet is added to each batch with a
|
||||
size larger than the currently known PMTU, to test if the PMTU has increased.
|
||||
|
||||
In case local discovery is enabled, another packet is added to each batch,
|
||||
which will be broadcast to the local network.
|
||||
|
||||
*/
|
||||
|
||||
void send_mtu_probe(node_t *n) {
|
||||
|
@ -126,11 +130,16 @@ void send_mtu_probe(node_t *n) {
|
|||
timeout = pingtimeout;
|
||||
}
|
||||
|
||||
for(i = 0; i < 3 + localdiscovery; i++) {
|
||||
if(n->maxmtu <= n->minmtu)
|
||||
for(i = 0; i < 4 + localdiscovery; i++) {
|
||||
if(i == 0) {
|
||||
if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
|
||||
continue;
|
||||
len = n->maxmtu + 8;
|
||||
} else if(n->maxmtu <= n->minmtu) {
|
||||
len = n->maxmtu;
|
||||
else
|
||||
} else {
|
||||
len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
|
||||
}
|
||||
|
||||
if(len < 64)
|
||||
len = 64;
|
||||
|
@ -138,7 +147,7 @@ void send_mtu_probe(node_t *n) {
|
|||
memset(packet.data, 0, 14);
|
||||
RAND_pseudo_bytes(packet.data + 14, len - 14);
|
||||
packet.len = len;
|
||||
if(i >= 3 && n->mtuprobes <= 10)
|
||||
if(i >= 4 && n->mtuprobes <= 10)
|
||||
packet.priority = -1;
|
||||
else
|
||||
packet.priority = 0;
|
||||
|
@ -164,6 +173,13 @@ void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
|
|||
send_udppacket(n, packet);
|
||||
} else {
|
||||
if(n->mtuprobes > 30) {
|
||||
if (len == n->maxmtu + 8) {
|
||||
ifdebug(TRAFFIC) logger(LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
|
||||
n->maxmtu = MTU;
|
||||
n->mtuprobes = 10;
|
||||
return;
|
||||
}
|
||||
|
||||
if(n->minmtu)
|
||||
n->mtuprobes = 30;
|
||||
else
|
||||
|
@ -378,6 +394,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
|
|||
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
|
||||
vpn_packet_t outpkt;
|
||||
|
||||
if(len > sizeof outpkt.data)
|
||||
return;
|
||||
|
||||
outpkt.len = len;
|
||||
if(c->options & OPTION_TCPONLY)
|
||||
outpkt.priority = 0;
|
||||
|
@ -500,17 +519,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
|
|||
struct sockaddr *sa;
|
||||
socklen_t sl;
|
||||
int sock;
|
||||
sockaddr_t broadcast;
|
||||
|
||||
/* Overloaded use of priority field: -1 means local broadcast */
|
||||
|
||||
if(origpriority == -1 && n->prevedge) {
|
||||
struct sockaddr_in in;
|
||||
in.sin_family = AF_INET;
|
||||
in.sin_addr.s_addr = -1;
|
||||
in.sin_port = n->prevedge->address.in.sin_port;
|
||||
sa = (struct sockaddr *)∈
|
||||
sl = sizeof in;
|
||||
sock = 0;
|
||||
sock = rand() % listen_sockets;
|
||||
memset(&broadcast, 0, sizeof broadcast);
|
||||
if(listen_socket[sock].sa.sa.sa_family == AF_INET6) {
|
||||
broadcast.in6.sin6_family = AF_INET6;
|
||||
broadcast.in6.sin6_addr.s6_addr[0x0] = 0xff;
|
||||
broadcast.in6.sin6_addr.s6_addr[0x1] = 0x02;
|
||||
broadcast.in6.sin6_addr.s6_addr[0xf] = 0x01;
|
||||
broadcast.in6.sin6_port = n->prevedge->address.in.sin_port;
|
||||
broadcast.in6.sin6_scope_id = listen_socket[sock].sa.in6.sin6_scope_id;
|
||||
} else {
|
||||
broadcast.in.sin_family = AF_INET;
|
||||
broadcast.in.sin_addr.s_addr = -1;
|
||||
broadcast.in.sin_port = n->prevedge->address.in.sin_port;
|
||||
}
|
||||
sa = &broadcast.sa;
|
||||
sl = SALEN(broadcast.sa);
|
||||
} else {
|
||||
if(origpriority == -1)
|
||||
origpriority = 0;
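Review bot: The new guard in receive_tcppacket() — the CVE-2013-1428 fix — drops an oversized packet silently; an oversized length here means a broken or hostile peer, so it should at least be logged, e.g. `ifdebug(TRAFFIC) logger(LOG_WARNING, "Dropping oversized TCP packet (%d bytes) from %s (%s)", len, c->name, c->hostname);` before the `return`. The comparison also mixes `int len` with a `size_t`, so a negative `len` is rejected only because it converts to a huge unsigned value; make that explicit with `if(len < 0 || (size_t)len > sizeof outpkt.data)`. The rest of receive_tcppacket() is outside the hunk. In the send_udppacket() hunk, `broadcast.in6.sin6_port` is copied from `n->prevedge->address.in.sin_port` whatever the edge's address family; it works because both sockaddr variants keep the port right after the family field, but a comment saying so would stop a reader from filing it as a bug.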
@ -1,7 +1,7 @@
|
|||
/*
|
||||
net_setup.c -- Setup.
|
||||
Copyright (C) 1998-2005 Ivo Timmermans,
|
||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2006 Scott Lamb <slamb@slamb.org>
|
||||
2010 Brandon Black <blblack@gmail.com>
|
||||
|
||||
|
@ -55,7 +55,8 @@ proxytype_t proxytype;
|
|||
|
||||
bool read_rsa_public_key(connection_t *c) {
|
||||
FILE *fp;
|
||||
char *fname;
|
||||
char *pubname;
|
||||
char *hcfname;
|
||||
char *key;
|
||||
|
||||
if(!c->rsa_key) {
|
||||
|
@ -66,7 +67,10 @@ bool read_rsa_public_key(connection_t *c) {
|
|||
/* First, check for simple PublicKey statement */
|
||||
|
||||
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
|
||||
BN_hex2bn(&c->rsa_key->n, key);
|
||||
if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
|
||||
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
|
||||
return false;
|
||||
}
|
||||
BN_hex2bn(&c->rsa_key->e, "FFFF");
|
||||
free(key);
|
||||
return true;
|
||||
|
@ -74,80 +78,79 @@ bool read_rsa_public_key(connection_t *c) {
|
|||
|
||||
/* Else, check for PublicKeyFile statement and read it */
|
||||
|
||||
if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) {
|
||||
fp = fopen(fname, "r");
|
||||
if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &pubname)) {
|
||||
fp = fopen(pubname, "r");
|
||||
|
||||
if(!fp) {
|
||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
|
||||
fname, strerror(errno));
|
||||
free(fname);
|
||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
|
||||
free(pubname);
|
||||
return false;
|
||||
}
|
||||
|
||||
free(fname);
|
||||
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
|
||||
fclose(fp);
|
||||
|
||||
if(c->rsa_key)
|
||||
if(c->rsa_key) {
|
||||
free(pubname);
|
||||
return true; /* Woohoo. */
|
||||
}
|
||||
|
||||
/* If it fails, try PEM_read_RSA_PUBKEY. */
|
||||
fp = fopen(fname, "r");
|
||||
fp = fopen(pubname, "r");
|
||||
|
||||
if(!fp) {
|
||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
|
||||
fname, strerror(errno));
|
||||
free(fname);
|
||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
|
||||
free(pubname);
|
||||
return false;
|
||||
}
|
||||
|
||||
free(fname);
|
||||
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
|
||||
fclose(fp);
|
||||
|
||||
if(c->rsa_key) {
|
||||
// RSA_blinding_on(c->rsa_key, NULL);
|
||||
free(pubname);
|
||||
return true;
|
||||
}
|
||||
|
||||
logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s",
|
||||
fname, strerror(errno));
|
||||
logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", pubname, strerror(errno));
|
||||
free(pubname);
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Else, check if a harnessed public key is in the config file */
|
||||
|
||||
xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
|
||||
fp = fopen(fname, "r");
|
||||
xasprintf(&hcfname, "%s/hosts/%s", confbase, c->name);
|
||||
fp = fopen(hcfname, "r");
|
||||
|
||||
if(!fp) {
|
||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
|
||||
free(fname);
|
||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
|
||||
free(hcfname);
|
||||
return false;
|
||||
}
|
||||
|
||||
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
|
||||
fclose(fp);
|
||||
free(fname);
|
||||
|
||||
if(c->rsa_key)
|
||||
if(c->rsa_key) {
|
||||
free(hcfname);
|
||||
return true;
|
||||
}
|
||||
|
||||
/* Try again with PEM_read_RSA_PUBKEY. */
|
||||
|
||||
xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
|
||||
fp = fopen(fname, "r");
|
||||
fp = fopen(hcfname, "r");
|
||||
|
||||
if(!fp) {
|
||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
|
||||
free(fname);
|
||||
logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
|
||||
free(hcfname);
|
||||
return false;
|
||||
}
|
||||
|
||||
free(hcfname);
|
||||
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
|
||||
// RSA_blinding_on(c->rsa_key, NULL);
|
||||
fclose(fp);
|
||||
free(fname);
|
||||
|
||||
if(c->rsa_key)
|
||||
return true;
|
||||
|
@ -160,7 +163,6 @@ bool read_rsa_public_key(connection_t *c) {
|
|||
static bool read_rsa_private_key(void) {
|
||||
FILE *fp;
|
||||
char *fname, *key, *pubkey;
|
||||
struct stat s;
|
||||
|
||||
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
|
||||
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
|
||||
|
@ -169,8 +171,14 @@ static bool read_rsa_private_key(void) {
|
|||
}
|
||||
myself->connection->rsa_key = RSA_new();
|
||||
// RSA_blinding_on(myself->connection->rsa_key, NULL);
|
||||
BN_hex2bn(&myself->connection->rsa_key->d, key);
|
||||
BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
|
||||
if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
|
||||
logger(LOG_ERR, "Invalid PrivateKey for myself!");
|
||||
return false;
|
||||
}
|
||||
if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
|
||||
logger(LOG_ERR, "Invalid PublicKey for myself!");
|
||||
return false;
|
||||
}
|
||||
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
|
||||
free(key);
|
||||
free(pubkey);
|
||||
|
@ -190,6 +198,8 @@ static bool read_rsa_private_key(void) {
|
|||
}
|
||||
|
||||
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
|
||||
struct stat s;
|
||||
|
||||
if(fstat(fileno(fp), &s)) {
|
||||
logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
|
||||
fname, strerror(errno));
|
||||
|
@ -290,7 +300,7 @@ char *get_name(void) {
|
|||
fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
|
||||
return false;
|
||||
}
|
||||
envname = alloca(32);
|
||||
char envname[32];
|
||||
if(gethostname(envname, 32)) {
|
||||
fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
|
||||
return false;
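Review bot: The validation added around `BN_hex2bn()` returns early without releasing the strings just obtained from `get_config_string()`: in read_rsa_public_key() the `Invalid PublicKey` branch leaks `key`, and in read_rsa_private_key() both new branches leak `key` and `pubkey`, which are freed only on the success path below. Since `key` in read_rsa_private_key() is the private exponent in hex, it should also be wiped before it is freed on every path, not just dropped; no explicit_bzero-style helper is in view, so a memset before free() is the minimum, with the caveat that an optimizer may elide a memset immediately followed by free(). As far as I recall, BN_hex2bn() also accepts an empty string and a leading '-' with a length that still matches strlen(), so a `BN_is_zero()`/`BN_is_negative()` check on the result would reject keys that otherwise only fail at first use. Both functions start outside the hunks.
```c
	if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
		logger(LOG_ERR, "Invalid PrivateKey for myself!");
		memset(key, 0, strlen(key)); /* hex private exponent: wipe before release */
		free(key);
		free(pubkey);
		return false;
	}
	if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
		logger(LOG_ERR, "Invalid PublicKey for myself!");
		memset(key, 0, strlen(key));
		free(key);
		free(pubkey);
		return false;
	}
	/* … unchanged: BN_hex2bn(e, "FFFF") and the success-path frees, which should wipe key too … */
```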
@ -1,7 +1,7 @@
|
|||
/*
|
||||
net_socket.c -- Handle various kinds of sockets.
|
||||
Copyright (C) 1998-2005 Ivo Timmermans,
|
||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2006 Scott Lamb <slamb@slamb.org>
|
||||
2009 Florian Forster <octo@verplant.org>
|
||||
|
||||
|
@ -64,7 +64,7 @@ static void configure_tcp(connection_t *c) {
|
|||
unsigned long arg = 1;
|
||||
|
||||
if(ioctlsocket(c->socket, FIONBIO, &arg) != 0) {
|
||||
logger(LOG_ERR, "ioctlsocket for %s: %d", c->hostname, sockstrerror(sockerrno));
|
||||
logger(LOG_ERR, "ioctlsocket for %s: %s", c->hostname, sockstrerror(sockerrno));
|
||||
}
|
||||
#endif
|
||||
|
||||
|
@ -294,9 +294,6 @@ void retry_outgoing(outgoing_t *outgoing) {
|
|||
void finish_connecting(connection_t *c) {
|
||||
ifdebug(CONNECTIONS) logger(LOG_INFO, "Connected to %s (%s)", c->name, c->hostname);
|
||||
|
||||
if(proxytype != PROXY_EXEC)
|
||||
configure_tcp(c);
|
||||
|
||||
c->last_ping_time = now;
|
||||
|
||||
send_id(c);
|
||||
|
@ -419,6 +416,7 @@ begin:
|
|||
goto begin;
|
||||
ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport);
|
||||
c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP);
|
||||
configure_tcp(c);
|
||||
}
|
||||
|
||||
if(c->socket == -1) {
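Review bot: `configure_tcp(c)` is now called right after `socket()` and before the `if(c->socket == -1)` check that follows, so when socket creation fails the ioctlsocket/fcntl and setsockopt calls inside configure_tcp() — whose ioctlsocket failure path logs an error, as the first hunk shows — run on descriptor -1 and emit spurious errors ahead of the real "creating socket failed" message. Either move the call below the check or guard it: `if(c->socket != -1) configure_tcp(c);`. The same ordering presumably applies to the non-proxy branch above the hunk, which is outside view; do_outgoing_connection() continues below the hunk.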
@ -1,7 +1,7 @@
|
|||
/*
|
||||
process.c -- process management functions
|
||||
Copyright (C) 1999-2005 Ivo Timmermans,
|
||||
2000-2011 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -47,8 +47,6 @@ extern bool use_logfile;
|
|||
static sigset_t emptysigset;
|
||||
#endif
|
||||
|
||||
static int saved_debug_level = -1;
|
||||
|
||||
static void memory_full(int size) {
|
||||
logger(LOG_ERR, "Memory exhausted (couldn't allocate %d bytes), exitting.", size);
|
||||
exit(1);
|
||||
|
@ -167,7 +165,7 @@ DWORD WINAPI controlhandler(DWORD request, DWORD type, LPVOID boe, LPVOID bah) {
|
|||
logger(LOG_NOTICE, "Got %s request", "SERVICE_CONTROL_SHUTDOWN");
|
||||
break;
|
||||
default:
|
||||
logger(LOG_WARNING, "Got unexpected request %d", request);
|
||||
logger(LOG_WARNING, "Got unexpected request %d", (int)request);
|
||||
return ERROR_CALL_NOT_IMPLEMENTED;
|
||||
}
|
||||
|
||||
|
@ -187,10 +185,8 @@ DWORD WINAPI controlhandler(DWORD request, DWORD type, LPVOID boe, LPVOID bah) {
|
|||
}
|
||||
|
||||
VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
|
||||
int err = 1;
|
||||
extern int main2(int argc, char **argv);
|
||||
|
||||
|
||||
status.dwServiceType = SERVICE_WIN32;
|
||||
status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
|
||||
status.dwWin32ExitCode = 0;
|
||||
|
@ -201,7 +197,6 @@ VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
|
|||
|
||||
if (!statushandle) {
|
||||
logger(LOG_ERR, "System call `%s' failed: %s", "RegisterServiceCtrlHandlerEx", winerror(GetLastError()));
|
||||
err = 1;
|
||||
} else {
|
||||
status.dwWaitHint = 30000;
|
||||
status.dwCurrentState = SERVICE_START_PENDING;
|
||||
|
@ -211,11 +206,10 @@ VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
|
|||
status.dwCurrentState = SERVICE_RUNNING;
|
||||
SetServiceStatus(statushandle, &status);
|
||||
|
||||
err = main2(argc, argv);
|
||||
main2(argc, argv);
|
||||
|
||||
status.dwWaitHint = 0;
|
||||
status.dwCurrentState = SERVICE_STOPPED;
|
||||
//status.dwWin32ExitCode = err;
|
||||
SetServiceStatus(statushandle, &status);
|
||||
}
|
||||
|
||||
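Review bot: The return value of `main2(argc, argv)` is now discarded, so the service always reports `dwWin32ExitCode = 0` to the service controller even when main2 fails, and the `//status.dwWin32ExitCode = err;` line kept two lines below now names a variable that no longer exists. If the intent is to stop propagating the code, the commented-out line should go as well; if not, keep the result and report it, e.g. `int err = main2(argc, argv);` followed by `status.dwWin32ExitCode = err ? ERROR_SERVICE_SPECIFIC_ERROR : 0;` and `status.dwServiceSpecificExitCode = err;` before the final SetServiceStatus. run_service's signature is in the hunk above and the remainder of its body is not shown.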
|
@ -358,6 +352,7 @@ bool execute_script(const char *name, char **envp) {
|
|||
int status, len;
|
||||
char *scriptname;
|
||||
int i;
|
||||
char *interpreter = NULL;
|
||||
|
||||
#ifndef HAVE_MINGW
|
||||
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
|
||||
|
@ -369,14 +364,22 @@ bool execute_script(const char *name, char **envp) {
|
|||
|
||||
scriptname[len - 1] = '\0';
|
||||
|
||||
#ifndef HAVE_TUNEMU
|
||||
/* First check if there is a script */
|
||||
|
||||
if(access(scriptname + 1, F_OK)) {
|
||||
free(scriptname);
|
||||
return true;
|
||||
}
|
||||
#endif
|
||||
|
||||
// Custom scripts interpreter
|
||||
if(get_config_string(lookup_config(config_tree, "ScriptsInterpreter"), &interpreter)) {
|
||||
// Force custom scripts interpreter allowing execution of scripts on android without execution flag (such as on /sdcard)
|
||||
free(scriptname);
|
||||
len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name);
|
||||
free(interpreter);
|
||||
if(len < 0)
|
||||
return false;
|
||||
}
|
||||
|
||||
ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name);
|
||||
|
||||
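Review bot: The `ScriptsInterpreter` value is inserted verbatim and unquoted into the command string at `len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name);`, and that string is later handed to `system()` (the `"system"` failure message in the hunk below shows the call), so the shell interprets whatever the configured value contains while only the script path is quoted. The configuration file is administrator-controlled, so this is a trust boundary to document rather than an injection bug; a comment such as `// ScriptsInterpreter is trusted configuration: it reaches the shell verbatim (so it may carry options); only the script path is quoted.` would make that explicit. The `if(len < 0) return false;` branch also returns without the `free(scriptname)` the other exit paths perform; whether that matters depends on whether xasprintf can return a negative value rather than aborting, which is outside this view. execute_script continues outside the hunk.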
|
@ -404,8 +407,8 @@ bool execute_script(const char *name, char **envp) {
|
|||
}
|
||||
}
|
||||
|
||||
#ifdef WEXITSTATUS
|
||||
if(status != -1) {
|
||||
#ifdef WEXITSTATUS
|
||||
if(WIFEXITED(status)) { /* Child exited by itself */
|
||||
if(WEXITSTATUS(status)) {
|
||||
logger(LOG_ERR, "Script %s exited with non-zero status %d",
|
||||
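Review bot: On builds without `WEXITSTATUS`, the new `if(status != -1)` branch contains nothing but the ifdef'd block, so a script that returns a non-zero exit status is treated as success and the function reaches `return true`; only a failed `system()` call is caught. This was already the case before the restructuring, but the new layout is the natural place to close the gap with an `#else` arm inside that block, `#else if(status) { logger(LOG_ERR, "Script %s exited with non-zero status %d", name, status); return false; }`, whose matching `#endif` is in the hunk below (L7089). execute_script's body starts outside this hunk.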
|
@ -420,11 +423,11 @@ bool execute_script(const char *name, char **envp) {
|
|||
logger(LOG_ERR, "Script %s terminated abnormally", name);
|
||||
return false;
|
||||
}
|
||||
#endif
|
||||
} else {
|
||||
logger(LOG_ERR, "System call `%s' failed: %s", "system", strerror(errno));
|
||||
return false;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
return true;
|
||||
}
|
||||
|
@ -485,6 +488,8 @@ static RETSIGTYPE sighup_handler(int a) {
|
|||
}
|
||||
|
||||
static RETSIGTYPE sigint_handler(int a) {
|
||||
static int saved_debug_level = -1;
|
||||
|
||||
logger(LOG_NOTICE, "Got %s signal", "INT");
|
||||
|
||||
if(saved_debug_level != -1) {
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
protocol.c -- handle the meta-protocol, basic functions
|
||||
Copyright (C) 1999-2005 Ivo Timmermans,
|
||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -125,7 +125,7 @@ void forward_request(connection_t *from) {
|
|||
bool receive_request(connection_t *c) {
|
||||
int request;
|
||||
|
||||
if(proxytype == PROXY_HTTP && c->allow_request == ID) {
|
||||
if(c->outgoing && proxytype == PROXY_HTTP && c->allow_request == ID) {
|
||||
if(!c->buffer[0] || c->buffer[0] == '\r')
|
||||
return true;
|
||||
if(!strncasecmp(c->buffer, "HTTP/1.1 ", 9)) {
|
||||
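Review bot: The new `c->outgoing` test in `if(c->outgoing && proxytype == PROXY_HTTP && c->allow_request == ID)` carries no comment, and the reason is not obvious from the line itself: as far as this hunk shows, only connections tinc initiated go through the proxy, so only those receive a proxy status line before the first request, and without the test an incoming peer's first line would be parsed as a proxy reply. A one-line comment above it, `/* Only outgoing connections go through the proxy; incoming ones carry no proxy reply to parse. */`, would capture that. The same `c->outgoing` condition is added to send_id in protocol_auth.c (hunk at L7239) and deserves the same comment. receive_request continues outside the hunk.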
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
protocol_auth.c -- handle the meta-protocol, authentication
|
||||
Copyright (C) 1999-2005 Ivo Timmermans,
|
||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -126,7 +126,7 @@ static bool send_proxyrequest(connection_t *c) {
|
|||
}
|
||||
|
||||
bool send_id(connection_t *c) {
|
||||
if(proxytype)
|
||||
if(proxytype && c->outgoing)
|
||||
if(!send_proxyrequest(c))
|
||||
return false;
|
||||
|
||||
|
@ -244,8 +244,8 @@ bool send_metakey(connection_t *c) {
|
|||
*/
|
||||
|
||||
if(RSA_public_encrypt(len, (unsigned char *)c->outkey, (unsigned char *)buffer, c->rsa_key, RSA_NO_PADDING) != len) {
|
||||
logger(LOG_ERR, "Error during encryption of meta key for %s (%s)",
|
||||
c->name, c->hostname);
|
||||
logger(LOG_ERR, "Error during encryption of meta key for %s (%s): %s",
|
||||
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -308,13 +308,16 @@ bool metakey_h(connection_t *c) {
|
|||
|
||||
/* Convert the challenge from hexadecimal back to binary */
|
||||
|
||||
hex2bin(buffer, buffer, len);
|
||||
if(!hex2bin(buffer, buffer, len)) {
|
||||
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "METAKEY", c->name, c->hostname, "invalid key");
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Decrypt the meta key */
|
||||
|
||||
if(RSA_private_decrypt(len, (unsigned char *)buffer, (unsigned char *)c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */
|
||||
logger(LOG_ERR, "Error during decryption of meta key for %s (%s)",
|
||||
c->name, c->hostname);
|
||||
logger(LOG_ERR, "Error during decryption of meta key for %s (%s): %s",
|
||||
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -426,7 +429,10 @@ bool challenge_h(connection_t *c) {
|
|||
|
||||
/* Convert the challenge from hexadecimal back to binary */
|
||||
|
||||
hex2bin(buffer, c->mychallenge, len);
|
||||
if(!hex2bin(buffer, c->mychallenge, len)) {
|
||||
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHALLENGE", c->name, c->hostname, "invalid challenge");
|
||||
return false;
|
||||
}
|
||||
|
||||
c->allow_request = CHAL_REPLY;
|
||||
|
||||
|
@ -480,7 +486,10 @@ bool chal_reply_h(connection_t *c) {
|
|||
|
||||
/* Convert the hash to binary format */
|
||||
|
||||
hex2bin(hishash, hishash, c->outdigest->md_size);
|
||||
if(!hex2bin(hishash, hishash, c->outdigest->md_size)) {
|
||||
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Calculate the hash from the challenge we sent */
|
||||
|
||||
|
|
|
@ -240,10 +240,16 @@ bool ans_key_h(connection_t *c) {
|
|||
return send_request(to->nexthop->connection, "%s", c->buffer);
|
||||
}
|
||||
|
||||
/* Don't use key material until every check has passed. */
|
||||
from->status.validkey = false;
|
||||
|
||||
/* Update our copy of the origin's packet key */
|
||||
from->outkey = xrealloc(from->outkey, strlen(key) / 2);
|
||||
from->outkeylength = strlen(key) / 2;
|
||||
hex2bin(key, from->outkey, from->outkeylength);
|
||||
if(!hex2bin(key, from->outkey, from->outkeylength)) {
|
||||
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "ANS_KEY", from->name, from->hostname, "invalid key");
|
||||
return true;
|
||||
}
|
||||
|
||||
/* Check and lookup cipher and digest algorithms */
|
||||
|
||||
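Review bot: On a malformed key `ans_key_h` returns `true` after logging, whereas the `hex2bin` failures added to metakey_h, challenge_h and chal_reply_h in the hunks above return `false`; the difference is presumably deliberate, since `from` is the originating node rather than the connection `c` the request arrived on (the `send_request(to->nexthop->connection, "%s", c->buffer)` forwarding just above shows requests are relayed), so dropping `c` would punish a relay, but that deserves a comment, e.g. `/* Keep the connection: the bad key came from 'from', which need not be the direct peer. */`. Note that `from->outkey` and `from->outkeylength` have already been overwritten at that point; the preceding `from->status.validkey = false;` is what prevents the partially converted buffer from being used, and the comment should say so. ans_key_h continues outside the hunk.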
|
|
112
src/route.c
112
src/route.c
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
route.c -- routing
|
||||
Copyright (C) 2000-2005 Ivo Timmermans,
|
||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -110,15 +110,22 @@ static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *pac
|
|||
mtu = via->mtu;
|
||||
|
||||
/* Find TCP header */
|
||||
int start = 0;
|
||||
int start = ether_size;
|
||||
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
||||
|
||||
if(type == ETH_P_IP && packet->data[23] == 6)
|
||||
start = 14 + (packet->data[14] & 0xf) * 4;
|
||||
else if(type == ETH_P_IPV6 && packet->data[20] == 6)
|
||||
start = 14 + 40;
|
||||
if(type == ETH_P_8021Q) {
|
||||
start += 4;
|
||||
type = packet->data[16] << 8 | packet->data[17];
|
||||
}
|
||||
|
||||
if(!start || packet->len <= start + 20)
|
||||
if(type == ETH_P_IP && packet->data[start + 9] == 6)
|
||||
start += (packet->data[start] & 0xf) * 4;
|
||||
else if(type == ETH_P_IPV6 && packet->data[start + 6] == 6)
|
||||
start += 40;
|
||||
else
|
||||
return;
|
||||
|
||||
if(packet->len <= start + 20)
|
||||
return;
|
||||
|
||||
/* Use data offset field to calculate length of options field */
|
||||
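Review bot: The header bytes at `packet->data[16]`/`[17]`, `packet->data[start + 9]`, `packet->data[start]` and `packet->data[start + 6]` are all read before the `if(packet->len <= start + 20)` guard, so for a short frame they inspect bytes beyond `len`. If every caller has already run `checklength` for the Ethernet plus IP header this is only stale-data inspection inside the packet buffer; if not, the length check should precede the reads, e.g. `if(packet->len < start + 4) return;` after the 802.1Q adjustment and a matching check before the IP-header reads. Either way a comment stating which precondition the caller guarantees would make the ordering reviewable. clamp_mss starts and ends outside the hunk.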
|
@ -244,7 +251,7 @@ void age_subnets(void) {
|
|||
|
||||
/* RFC 792 */
|
||||
|
||||
static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, uint8_t type, uint8_t code) {
|
||||
static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
|
||||
struct ip ip = {0};
|
||||
struct icmp icmp = {0};
|
||||
|
||||
|
@ -317,7 +324,7 @@ static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, uint8_t
|
|||
|
||||
/* RFC 791 */
|
||||
|
||||
static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet) {
|
||||
static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t ether_size) {
|
||||
struct ip ip;
|
||||
vpn_packet_t fragment;
|
||||
int len, maxlen, todo;
|
||||
|
@ -333,7 +340,7 @@ static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet) {
|
|||
todo = ntohs(ip.ip_len) - ip_size;
|
||||
|
||||
if(ether_size + ip_size + todo != packet->len) {
|
||||
ifdebug(TRAFFIC) logger(LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%zd)", packet->len, ether_size + ip_size + todo);
|
||||
ifdebug(TRAFFIC) logger(LOG_WARNING, "Length of packet (%d) doesn't match length in IPv4 header (%d)", packet->len, (int)(ether_size + ip_size + todo));
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -381,7 +388,7 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
|
|||
dest.x[2],
|
||||
dest.x[3]);
|
||||
|
||||
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
|
||||
route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNKNOWN);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -391,10 +398,10 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
|
|||
}
|
||||
|
||||
if(!subnet->owner->status.reachable)
|
||||
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
|
||||
return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_UNREACH);
|
||||
|
||||
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
||||
return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
||||
|
||||
if(priorityinheritance)
|
||||
packet->priority = packet->data[15];
|
||||
|
@ -407,15 +414,15 @@ static void route_ipv4_unicast(node_t *source, vpn_packet_t *packet) {
|
|||
}
|
||||
|
||||
if(directonly && subnet->owner != via)
|
||||
return route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
||||
return route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_NET_ANO);
|
||||
|
||||
if(via && packet->len > MAX(via->mtu, 590) && via != myself) {
|
||||
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
||||
if(packet->data[20] & 0x40) {
|
||||
packet->len = MAX(via->mtu, 590);
|
||||
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
|
||||
route_ipv4_unreachable(source, packet, ether_size, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
|
||||
} else {
|
||||
fragment_ipv4_packet(via, packet);
|
||||
fragment_ipv4_packet(via, packet, ether_size);
|
||||
}
|
||||
|
||||
return;
|
||||
|
@ -442,7 +449,7 @@ static void route_ipv4(node_t *source, vpn_packet_t *packet) {
|
|||
|
||||
/* RFC 2463 */
|
||||
|
||||
static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, uint8_t type, uint8_t code) {
|
||||
static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
|
||||
struct ip6_hdr ip6;
|
||||
struct icmp6_hdr icmp6 = {0};
|
||||
uint16_t checksum;
|
||||
|
@ -540,7 +547,7 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
|
|||
ntohs(dest.x[6]),
|
||||
ntohs(dest.x[7]));
|
||||
|
||||
route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
|
||||
route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -550,10 +557,10 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
|
|||
}
|
||||
|
||||
if(!subnet->owner->status.reachable)
|
||||
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
|
||||
return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE);
|
||||
|
||||
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
||||
return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
||||
|
||||
via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
||||
|
||||
|
@ -563,12 +570,12 @@ static void route_ipv6_unicast(node_t *source, vpn_packet_t *packet) {
|
|||
}
|
||||
|
||||
if(directonly && subnet->owner != via)
|
||||
return route_ipv6_unreachable(source, packet, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
||||
return route_ipv6_unreachable(source, packet, ether_size, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN);
|
||||
|
||||
if(via && packet->len > MAX(via->mtu, 1294) && via != myself) {
|
||||
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
||||
packet->len = MAX(via->mtu, 1294);
|
||||
route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0);
|
||||
route_ipv6_unreachable(source, packet, ether_size, ICMP6_PACKET_TOO_BIG, 0);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -829,6 +836,11 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
|
|||
if(forwarding_mode == FMODE_OFF && source != myself && subnet->owner != myself)
|
||||
return;
|
||||
|
||||
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
||||
|
||||
if(priorityinheritance && type == ETH_P_IP && packet->len >= ether_size + ip_size)
|
||||
packet->priority = packet->data[15];
|
||||
|
||||
// Handle packets larger than PMTU
|
||||
|
||||
node_t *via = (subnet->owner->via == myself) ? subnet->owner->nexthop : subnet->owner->via;
|
||||
|
@ -838,18 +850,24 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
|
|||
|
||||
if(via && packet->len > via->mtu && via != myself) {
|
||||
ifdebug(TRAFFIC) logger(LOG_INFO, "Packet for %s (%s) length %d larger than MTU %d", subnet->owner->name, subnet->owner->hostname, packet->len, via->mtu);
|
||||
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
||||
if(type == ETH_P_IP && packet->len > 590) {
|
||||
if(packet->data[20] & 0x40) {
|
||||
length_t ethlen = 14;
|
||||
|
||||
if(type == ETH_P_8021Q) {
|
||||
type = packet->data[16] << 8 | packet->data[17];
|
||||
ethlen += 4;
|
||||
}
|
||||
|
||||
if(type == ETH_P_IP && packet->len > 576 + ethlen) {
|
||||
if(packet->data[6 + ethlen] & 0x40) {
|
||||
packet->len = via->mtu;
|
||||
route_ipv4_unreachable(source, packet, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
|
||||
route_ipv4_unreachable(source, packet, ethlen, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED);
|
||||
} else {
|
||||
fragment_ipv4_packet(via, packet);
|
||||
fragment_ipv4_packet(via, packet, ethlen);
|
||||
}
|
||||
return;
|
||||
} else if(type == ETH_P_IPV6 && packet->len > 1294) {
|
||||
} else if(type == ETH_P_IPV6 && packet->len > 1280 + ethlen) {
|
||||
packet->len = via->mtu;
|
||||
route_ipv6_unreachable(source, packet, ICMP6_PACKET_TOO_BIG, 0);
|
||||
route_ipv6_unreachable(source, packet, ethlen, ICMP6_PACKET_TOO_BIG, 0);
|
||||
return;
|
||||
}
|
||||
}
|
||||
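Review bot: `length_t ethlen = 14;` hard-codes the Ethernet header length, while the identical VLAN-handling block in do_decrement_ttl in the hunk below is written `length_t ethlen = ether_size;`, and `ether_size` is also what route_mac itself uses in the `packet->len >= ether_size + ip_size` test added in the hunk above. Using `length_t ethlen = ether_size;` here keeps the two blocks identical and removes one more bare `14` from route.c, the rest of which this commit replaces with `ether_size`. route_mac continues outside the hunk.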
|
@ -861,42 +879,48 @@ static void route_mac(node_t *source, vpn_packet_t *packet) {
|
|||
|
||||
static bool do_decrement_ttl(node_t *source, vpn_packet_t *packet) {
|
||||
uint16_t type = packet->data[12] << 8 | packet->data[13];
|
||||
length_t ethlen = ether_size;
|
||||
|
||||
if(type == ETH_P_8021Q) {
|
||||
type = packet->data[16] << 8 | packet->data[17];
|
||||
ethlen += 4;
|
||||
}
|
||||
|
||||
switch (type) {
|
||||
case ETH_P_IP:
|
||||
if(!checklength(source, packet, 14 + 32))
|
||||
if(!checklength(source, packet, ethlen + ip_size))
|
||||
return false;
|
||||
|
||||
if(packet->data[22] < 1) {
|
||||
if(packet->data[25] != IPPROTO_ICMP || packet->data[46] != ICMP_TIME_EXCEEDED)
|
||||
route_ipv4_unreachable(source, packet, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
|
||||
if(packet->data[ethlen + 8] < 1) {
|
||||
if(packet->data[ethlen + 11] != IPPROTO_ICMP || packet->data[ethlen + 32] != ICMP_TIME_EXCEEDED)
|
||||
route_ipv4_unreachable(source, packet, ethlen, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL);
|
||||
return false;
|
||||
}
|
||||
|
||||
uint16_t old = packet->data[22] << 8 | packet->data[23];
|
||||
packet->data[22]--;
|
||||
uint16_t new = packet->data[22] << 8 | packet->data[23];
|
||||
uint16_t old = packet->data[ethlen + 8] << 8 | packet->data[ethlen + 9];
|
||||
packet->data[ethlen + 8]--;
|
||||
uint16_t new = packet->data[ethlen + 8] << 8 | packet->data[ethlen + 9];
|
||||
|
||||
uint32_t checksum = packet->data[24] << 8 | packet->data[25];
|
||||
uint32_t checksum = packet->data[ethlen + 10] << 8 | packet->data[ethlen + 11];
|
||||
checksum += old + (~new & 0xFFFF);
|
||||
while(checksum >> 16)
|
||||
checksum = (checksum & 0xFFFF) + (checksum >> 16);
|
||||
packet->data[24] = checksum >> 8;
|
||||
packet->data[25] = checksum & 0xff;
|
||||
packet->data[ethlen + 10] = checksum >> 8;
|
||||
packet->data[ethlen + 11] = checksum & 0xff;
|
||||
|
||||
return true;
|
||||
|
||||
case ETH_P_IPV6:
|
||||
if(!checklength(source, packet, 14 + 40))
|
||||
if(!checklength(source, packet, ethlen + ip6_size))
|
||||
return false;
|
||||
|
||||
if(packet->data[21] < 1) {
|
||||
if(packet->data[20] != IPPROTO_ICMPV6 || packet->data[54] != ICMP6_TIME_EXCEEDED)
|
||||
route_ipv6_unreachable(source, packet, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
|
||||
if(packet->data[ethlen + 7] < 1) {
|
||||
if(packet->data[ethlen + 6] != IPPROTO_ICMPV6 || packet->data[ethlen + 40] != ICMP6_TIME_EXCEEDED)
|
||||
route_ipv6_unreachable(source, packet, ethlen, ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT);
|
||||
return false;
|
||||
}
|
||||
|
||||
packet->data[21]--;
|
||||
packet->data[ethlen + 7]--;
|
||||
|
||||
return true;
|
||||
|
||||
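Review bot: The IPv4 length check now guarantees only `ethlen + ip_size` bytes, but the ICMP type is still read at `packet->data[ethlen + 32]`, well past that bound (the old code required `14 + 32` before reading index 46). For a minimal IPv4 header the ICMP type sits immediately after the 20-byte header, at `packet->data[ethlen + ip_size]`, matching the IPv6 arm's `packet->data[ethlen + 40]`, so the 32 looks like a wrong offset rather than a deliberate choice; please confirm, and in any case make the check cover whatever is read, e.g. `if(!checklength(source, packet, ethlen + ip_size + 8))` for the 8-byte ICMP header. As long as `data` is a fixed-size buffer the consequence is wrong behaviour (a time-exceeded reply generated or suppressed based on payload bytes) rather than memory corruption, assuming `ip_size` is the 20-byte IPv4 header size as its use in fragment_ipv4_packet suggests. do_decrement_ttl's switch continues outside the hunk.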
|
|
|
@ -151,6 +151,7 @@ static bool read_packet(vpn_packet_t *packet) {
|
|||
return false;
|
||||
}
|
||||
|
||||
memset(packet->data, 0, 12);
|
||||
packet->len = lenin + 14;
|
||||
|
||||
device_total_in += packet->len;
|
||||
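Review bot: The new `memset(packet->data, 0, 12);` uses a bare 12 with no comment, and the next line's `packet->len = lenin + 14;` is the only hint that a 14-byte Ethernet header is being synthesized in front of the data read from the device; presumably the 12 bytes are the destination and source MAC fields, with the ethertype set elsewhere in read_packet. A comment such as `/* Zero the 12 address bytes of the synthesized 14-byte Ethernet header -- confirm the ethertype is set elsewhere */` and expressing both constants in terms of the header size would make the intent clear. read_packet starts and ends outside the hunk.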
|
|
27
src/tincd.c
27
src/tincd.c
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
tincd.c -- the main file for tincd
|
||||
Copyright (C) 1998-2005 Ivo Timmermans
|
||||
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2008 Max Rijevski <maksuf@gmail.com>
|
||||
2009 Michael Tokarev <mjt@tls.msk.ru>
|
||||
2010 Julien Muchembled <jm@jmuchemb.eu>
|
||||
|
@ -338,7 +338,7 @@ static bool keygen(int bits) {
|
|||
RSA *rsa_key;
|
||||
FILE *f;
|
||||
char *name = get_name();
|
||||
char *filename;
|
||||
char *pubname, *privname;
|
||||
|
||||
fprintf(stderr, "Generating %d bits keys:\n", bits);
|
||||
rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
|
||||
|
@ -349,8 +349,9 @@ static bool keygen(int bits) {
|
|||
} else
|
||||
fprintf(stderr, "Done.\n");
|
||||
|
||||
xasprintf(&filename, "%s/rsa_key.priv", confbase);
|
||||
f = ask_and_open(filename, "private RSA key");
|
||||
xasprintf(&privname, "%s/rsa_key.priv", confbase);
|
||||
f = ask_and_open(privname, "private RSA key");
|
||||
free(privname);
|
||||
|
||||
if(!f)
|
||||
return false;
|
||||
|
@ -363,14 +364,14 @@ static bool keygen(int bits) {
|
|||
fputc('\n', f);
|
||||
PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
|
||||
fclose(f);
|
||||
free(filename);
|
||||
|
||||
if(name)
|
||||
xasprintf(&filename, "%s/hosts/%s", confbase, name);
|
||||
xasprintf(&pubname, "%s/hosts/%s", confbase, name);
|
||||
else
|
||||
xasprintf(&filename, "%s/rsa_key.pub", confbase);
|
||||
xasprintf(&pubname, "%s/rsa_key.pub", confbase);
|
||||
|
||||
f = ask_and_open(filename, "public RSA key");
|
||||
f = ask_and_open(pubname, "public RSA key");
|
||||
free(pubname);
|
||||
|
||||
if(!f)
|
||||
return false;
|
||||
|
@ -378,7 +379,6 @@ static bool keygen(int bits) {
|
|||
fputc('\n', f);
|
||||
PEM_write_RSAPublicKey(f, rsa_key);
|
||||
fclose(f);
|
||||
free(filename);
|
||||
free(name);
|
||||
|
||||
return true;
|
||||
|
@ -391,7 +391,7 @@ static void make_names(void) {
|
|||
#ifdef HAVE_MINGW
|
||||
HKEY key;
|
||||
char installdir[1024] = "";
|
||||
long len = sizeof(installdir);
|
||||
DWORD len = sizeof(installdir);
|
||||
#endif
|
||||
|
||||
if(netname)
|
||||
|
@ -401,7 +401,7 @@ static void make_names(void) {
|
|||
|
||||
#ifdef HAVE_MINGW
|
||||
if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
|
||||
if(!RegQueryValueEx(key, NULL, 0, 0, installdir, &len)) {
|
||||
if(!RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)) {
|
||||
if(!logfilename)
|
||||
xasprintf(&logfilename, "%s/log/%s.log", identname);
|
||||
if(!confbase) {
|
||||
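Review bot: `xasprintf(&logfilename, "%s/log/%s.log", identname);` has two `%s` conversions but a single argument, so the second conversion reads an arbitrary pointer from the argument area — undefined behaviour that `-Wformat` would flag; the intended call is presumably `xasprintf(&logfilename, "%s/log/%s.log", installdir, identname);`. The line is unchanged context, but it sits directly under the `RegQueryValueEx` call this commit touches. Separately, `RegQueryValueEx` does not guarantee that a REG_SZ value is NUL-terminated, and with `DWORD len = sizeof(installdir);` from the hunk above a value of exactly 1024 bytes fills the buffer completely, so reserve a byte with `DWORD len = sizeof(installdir) - 1;` and terminate explicitly with `installdir[len] = '\0';` after a successful query. make_names starts and ends outside the hunk.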
|
@ -467,8 +467,11 @@ static bool drop_privs() {
|
|||
"initgroups", strerror(errno));
|
||||
return false;
|
||||
}
|
||||
#ifndef __ANDROID__
|
||||
// Not supported in android NDK
|
||||
endgrent();
|
||||
endpwent();
|
||||
#endif
|
||||
}
|
||||
if (do_chroot) {
|
||||
tzset(); /* for proper timestamps in logs */
|
||||
|
@ -510,7 +513,7 @@ int main(int argc, char **argv) {
|
|||
if(show_version) {
|
||||
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
|
||||
VERSION, __DATE__, __TIME__, PROT_CURRENT);
|
||||
printf("Copyright (C) 1998-2012 Ivo Timmermans, Guus Sliepen and others.\n"
|
||||
printf("Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.\n"
|
||||
"See the AUTHORS file for a complete list.\n\n"
|
||||
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
|
||||
"and you are welcome to redistribute it under certain conditions;\n"
|
||||
|
|