No description
Find a file
Guus Sliepen 6f5ff440c9 Import Debian changes 1.0.3-4
tinc (1.0.3-4) unstable; urgency=low

  * Call debconf early in postinst so it won't get confused by output
    from other commands in the postinst script. Closes: #292920
  * If MAKEDEV doesn't know about net/tun, fall back to tun.

tinc (1.0.3-3) unstable; urgency=low

  * Fix clean rule in debian/rules.

tinc (1.0.3-2) unstable; urgency=low

  * Don't check for /dev/tap* in postinst if we don't create them anyway.
  * MAKEDEV expects net/tun instead of tun.
  * Don't ask if /dev/net/tun should be created, just do it.
    Closes: #259489, #292450
  * Move $EXTRA from init.d/tinc to /etc/default/tinc. Closes: #281366

tinc (1.0.3-1) unstable; urgency=low

  * New upstream release.
  * Adopting the package from Ivo.
  * Use invoke-rc.d, and tell user to do so as well. Closes: #223276
  * Let force-reload do the same thing as reload. Closes: #230180

tinc (1.0.2-2) unstable; urgency=low

  * debian/control: Oops, really make that automake1.7.

tinc (1.0.2-1) unstable; urgency=low

  * New upstream release:
      * Fix broken replies to CHAL_RESP.  (Closes: #217646)
  * debian/control: Updated automake build dependency to automake1.7.
    (Closes: #219360)

tinc (1.0.1-2) unstable; urgency=low

  * debian/dirs: Removed, moved contents to tinc.dirs.
    (Closes: #208591)
  * debian/docs: Renamed to tinc.docs.
  * debian/rules: Install the contents of doc/sample-config.tar.gz in
    /usr/share/doc/tinc/examples instead of /etc/tinc.
  * debian/Makefile*: Removed.

tinc (1.0.1-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/001_openbsd_device.c.patch: Removed.

tinc (1.0release-1) unstable; urgency=low

  * New upstream version.  (Closes: #204639)
      * Fixes switching back to normal logging mode when killing with
        SIGINT twice.  (Closes: #175633)
      * Uses one SSL context struct for each connection, speeding up
        encrypting/decrypting data; don't throw away out of sequence
        packets.  (Closes: #188874)
      * Fixes handling of broadcast messages.  (Closes: #175632)
  * debian/rules: Use cdbs.
  * debian/control: Build-Depend on cdbs, liblzo-dev.
  * debian/patches/001_openbsd_device.c.patch: Sync openbsd/device.c to
    latest CVS version.

tinc (1.0pre8-6) unstable; urgency=low

  * debian/po/fr.po: Added French debconf translation.  (Closes: #201803)

tinc (1.0pre8-5) unstable; urgency=low

  * debian/*: Change to po-debconf, thanks to From: Michel Grentzinger
    <mic.grentz@online.fr> for the patch:
      - change debhelper dependency to 4.1.16 (according to man
        po-debconf),
      - manually add nl translation in old tinc.templates (master),
      - run debconf-gettextize debian/tinc.templates,
      - move old templates files (debian/tinc.templates.*),
      - change construction "If you say no" to "If you refuse",
  * debian/rules: Call po2debconf.
  * debian/rules: Don't copy COPYING.README to the package.
  * debian/control: Update Standards-Version.
  * debian/conffiles: Removed.
  * debian/postinst: No longer use mknod directly, use MAKEDEV.

tinc (1.0pre8-4) unstable; urgency=low

  * src/net.h, src/net_packet.c, src/net_setup.c: Apply fix from CVS
    for OpenSSL-related memory leaks.  (Closes: #189432)

tinc (1.0pre8-3) unstable; urgency=low

  * m4/openssl.m4: Updated to CVS version.  (Closes: #184400)

tinc (1.0pre8-2) unstable; urgency=low

  * debian/postinst: Create /dev/net/tun if it doesn't exist.
  * debian/tinc.modules: Add alias for /dev/net/tun.
  * debian/rules: Install tinc.modules.
  * These things together: (Closes: #151967, #153156)

tinc (1.0pre8-1) unstable; urgency=low

  * New upstream version.
  * debian/rules:
      - DEB_BUILD_OPTIONS support.
      - Enable --enable-tracing by default.

tinc (1.0pre7-3) unstable; urgency=low

  * Properly install _all_ info pages. (Closes: #144718)
2019-08-26 13:44:36 +02:00
debian Import Debian changes 1.0.3-4 2019-08-26 13:44:36 +02:00
doc Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
lib Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
m4 Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
po Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
src Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
ABOUT-NLS Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
aclocal.m4 Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
AUTHORS Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
ChangeLog Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
config.guess Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
config.h.in Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
config.rpath Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
config.sub Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
configure Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
configure.in Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
COPYING Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
COPYING.README Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
depcomp Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
have.h Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
INSTALL Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
install-sh Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
Makefile.am Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
Makefile.in Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
missing Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
mkinstalldirs Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
NEWS Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
README Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
system.h Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
THANKS Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00
TODO Import Upstream version 1.0.3 2019-08-26 13:44:36 +02:00

This is the README file for tinc version 1.0.3. Installation
instructions may be found in the INSTALL file.

tinc is Copyright (C) 1998-2004 by:

Ivo Timmermans <ivo@tinc-vpn.org>,
Guus Sliepen <guus@tinc-vpn.org>,
and others.

For a complete list of authors see the AUTHORS file.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version. See the file COPYING for more details.


Security statement
------------------

In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make
tinc as secure as possible. The current version uses the OpenSSL library and
uses strong authentication with RSA keys.

On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
1.0pre4. Due to a lack of sequence numbers and a message authentication code
for each packet, an attacker could possibly disrupt certain network services or
launch a denial of service attack by replaying intercepted packets. The current
version adds sequence numbers and message authentication codes to prevent such
attacks.

On September the 15th of 2003, Peter Gutmann contacted us and showed us a
writeup describing various security issues in several VPN daemons. He showed
that tinc lacks perfect forward security, the connection authentication could
be done more properly, that the sequence number we use as an IV is not the best
practice and that the default length of the HMAC for packets is too short in
his opinion. We do not know of a way to exploit these weaknesses, but we will
address these issues in tinc 2.0.

Cryptography is a hard thing to get right. We cannot make any
guarantees. Time, review and feedback are the only things that can
prove the security of any cryptographic product. If you wish to review
tinc or give us feedback, you are stronly encouraged to do so.


Changes to configuration file format since 1.0pre5
--------------------------------------------------

Some configuration variables have different names now. Most notably "TapDevice"
should be changed into "Device", and "Device" should be changed into
"BindToDevice".

Compatibility
-------------

Version 1.0.3 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.


Requirements
------------

Since 1.0pre3, we use OpenSSL for all cryptographic functions.  So you
need to install this library first; grab it from
http://www.openssl.org/.  You will need version 0.9.7 or later.  If
this library is not installed on you system, configure will fail.  The
manual in doc/tinc.texi contains more detailed information on how to
install this library.

Since 1.0pre6, the zlib library is used for optional compression. You need this
library whether or not you plan to enable the compression. You can find it at
http://www.gzip.org/zlib/. Because of a possible exploit in earlier versions we
recommand that you download version 1.1.4 or later.

Since 1.0, the lzo library is also used for optional compression. You need this
library whether or not you plan to enable compression. You can find it at
http://www.oberhumer.com/opensource/lzo/.

In order to compile tinc, you will need a GNU C compiler environment.


Features
--------

This version of tinc supports multiple virtual networks at once. To
use this feature, you may supply a netname via the -n or --net
options. The standard locations for the config files will then be
/etc/tinc/<net>/.

tincd regenerates its encryption key pairs. It does this on the first
activity after the keys have expired. This period is adjustable in the
configuration file, and the default time is 3600 seconds (one hour).

This version supports multiple subnets at once. They are also sorted
on subnet mask size. This means that it is possible to have
overlapping subnets on the VPN, as long as their subnet mask sizes
differ.

Since pre5, tinc can operate in several routing modes. The default mode,
"router", works exactly like the older version, and uses Subnet lines to
determine the destination of packets. The other two modes, "switch" and "hub",
allow the tinc daemons to work together like a single network switch or hub.
This is useful for bridging networks. The latter modes only work properly on
Linux, FreeBSD and Windows.

The algorithms used for encryption and generating message authentication codes
can now be changed in the configuration files. All cipher and digest algorithms
supported by OpenSSL can be used. Useful ciphers are "blowfish" (default),
"bf-ofb", "des", "des3", etcetera. Useful digests are "sha1" (default), "md5",
etcetera.

Support for routing IPv6 packets has been added. Just add Subnet lines with
IPv6 addresses (without using :: abbreviations) and use ifconfig or ip (from
the iproute package) to give the virtual network interface corresponding IPv6
addresses. tinc does not provide autoconfiguration for IPv6 hosts, if you need
it use radvd or zebra. Tunneling IPv6 packets only works on Linux, FreeBSD,
Windows and possibly OpenBSD.

It is also possible to make tunnels to other tinc daemons over IPv6 networks,
if the operating system supports IPv6.  tinc will automatically use both IPv6
and IPv4 when available, but this can be changed by adding the option
"AddressFamily = ipv4" or "AddressFamily = ipv6" to the tinc.conf file.

Normally, when started tinc will detach and run in the background. In a native
Windows environment this means tinc will intall itself as a service, which will
restart after reboots.  To prevent tinc from detaching or running as a service,
use the -D option.