TINC.CONF(5)                                         BSD File Formats Manual                                        TINC.CONF(5)

NAME
     tinc.conf — tinc daemon configuration

DESCRIPTION
     The files in the /usr/local/etc/tinc/ directory contain runtime and security information for the tinc daemon.

NETWORKS
     To distinguish multiple instances of tinc running on one computer, you can use the -n option to assign a network name to
     each tinc daemon.

     The effect of this option is that the daemon will set its configuration root to /usr/local/etc/tinc/NETNAME/, where NETNAME
     is your argument to the -n option.  You'll notice that messages appear in syslog as coming from tincd.NETNAME, and on
     Linux, unless specified otherwise, the name of the virtual network interface will be the same as the network name.

     It is recommended that you use network names even if you run only one instance of tinc.  However, you can choose not to use
     the -n option.  In this case, the network name would just be empty, and tinc now looks for files in /usr/local/etc/tinc/,
     instead of /usr/local/etc/tinc/NETNAME/; the configuration file should be /usr/local/etc/tinc/tinc.conf, and the host con‐
     figuration files are now expected to be in /usr/local/etc/tinc/hosts/.

NAMES
     Each tinc daemon must have a name that is unique in the network which it will be part of.  The name will be used by other
     tinc daemons for identification.  The name has to be declared in the /usr/local/etc/tinc/NETNAME/tinc.conf file.

     To make things easy, choose something that will give unique and easy to remember names to your tinc daemon(s).  You could
     try things like hostnames, owner surnames or location names.  However, you are only allowed to use alphanumerical charac‐
     ters (a-z, A-Z, and 0-9) and underscores (_) in the name.
     If you have not configured tinc yet, you can easily create a basic configuration using the following command:

           tinc -n NETNAME init NAME

     You can further change the configuration as needed either by manually editing the configuration files, or by using tinc(8).
     The tinc init command will have generated both RSA and Ed25519 public/private key pairs.  The private keys should be stored
     in files named rsa_key.priv and ed25519_key.priv in the directory /usr/local/etc/tinc/NETNAME/ The public keys should be
     stored in the host configuration file /usr/local/etc/tinc/NETNAME/hosts/NAME.  The RSA keys are used for backwards compati‐
     bility with tinc version 1.0.  If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files, but
     you will need to create Ed25519 keys using the following command:

           tinc -n NETNAME generate-ed25519-keys
     The server configuration of the daemon is done in the file /usr/local/etc/tinc/NETNAME/tinc.conf.  This file consists of
     comments (lines started with a #) or assignments in the form of:

     Variable = Value.

     The variable names are case insensitive, and any spaces, tabs, newlines and carriage returns are ignored.  Note: it is not
     required that you put in the = sign, but doing so improves readability.  If you leave it out, remember to replace it with
     at least one space character.

     The server configuration is complemented with host specific configuration (see the next section).  Although all configura‐
     tion options for the local host listed in this document can also be put in /usr/local/etc/tinc/NETNAME/tinc.conf, it is
     recommended to put host specific configuration options in the host configuration file, as this makes it easy to exchange
     with other nodes.

     You can edit the config file manually, but it is recommended that you use tinc(8) to change configuration variables for
     you.

     Here are all valid variables, listed in alphabetical order.  The default value is given between parentheses.

     AddressFamily = ipv4 | ipv6 | any (any)
             This option affects the address family of listening and outgoing sockets.  If "any" is selected, then depending on
             the operating system both IPv4 and IPv6 or just IPv6 listening sockets will be created.

     AutoConnect = yes | no (yes)
             If set to yes, tinc will automatically set up meta connections to other nodes, without requiring ConnectTo vari‐
             ables.

             Note: it is not possible to connect to nodes using zero (system-assigned) ports in this way.

     BindToAddress = address [port]
             This is the same as ListenAddress, however the address given with the BindToAddress option will also be used for
             outgoing connections. This is useful if your computer has more than one IPv4 or IPv6 address, and you want tinc to
             only use a specific one for outgoing packets.

     BindToInterface = interface [experimental]
             If your computer has more than one network interface, tinc will by default listen on all of them for incoming con‐
             nections.  It is possible to bind only to a single interface with this variable.

             This option may not work on all platforms.  Also, on some platforms it will not actually bind to an interface, but
             rather to the address that the interface has at the moment a socket is created.

     Broadcast = no | mst | direct (mst) [experimental]
             This option selects the way broadcast packets are sent to other daemons.  NOTE: all nodes in a VPN must use the
             same Broadcast mode, otherwise routing loops can form.

             no      Broadcast packets are never sent to other nodes.

             mst     Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.  This ensures broadcast pack‐
                     ets reach all nodes.

             direct  Broadcast packets are sent directly to all nodes that can be reached directly.  Broadcast packets received
                     from other nodes are never forwarded.  If the IndirectData option is also set, broadcast packets will only
                     be sent to nodes which we have a meta connection to.

     BroadcastSubnet = address[/prefixlength]
             Declares a broadcast subnet. Any packet with a destination address falling into such a subnet will be routed as a
             broadcast (provided all nodes have it declared).  This is most useful to declare subnet broadcast addresses (e.g.
             10.42.255.255), otherwise tinc won't know what to do with them.

             Note that global broadcast addresses (MAC ff:ff:ff:ff:ff:ff, IPv4 255.255.255.255), as well as multicast space
             (IPv4 224.0.0.0/4, IPv6 ff00::/8) are always considered broadcast addresses and don't need to be declared.

     ConnectTo = name
             Specifies which other tinc daemon to connect to on startup.  Multiple ConnectTo variables may be specified, in
             which case outgoing connections to each specified tinc daemon are made.  The names should be known to this tinc
             daemon (i.e., there should be a host configuration file for the name on the ConnectTo line).

             If you don't specify a host with ConnectTo and have disabled AutoConnect, tinc won't try to connect to other dae‐
             mons at all, and will instead just listen for incoming connections.

     DecrementTTL = yes | no (no) [experimental]
             When enabled, tinc will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets,
             before forwarding a received packet to the virtual network device or to another node, and will drop packets that
             have a TTL value of zero, in which case it will send an ICMP Time Exceeded packet back.

             Do not use this option if you use switch mode and want to use IPv6.

     Device = device (/dev/tap0, /dev/net/tun or other depending on platform)
             The virtual network device to use.  tinc will automatically detect what kind of device it is.  Note that you can
             only use one device per daemon.  Under Windows, use Interface instead of Device.  The info pages of the tinc pack‐
             age contain more information about configuring the virtual network device.

     DeviceStandby = yes | no (no)
             When disabled, tinc calls tinc-up on startup, and tinc-down on shutdown. When enabled, tinc will only call tinc-up
             when at least one node is reachable, and will call tinc-down as soon as no nodes are reachable.  On Windows, this
             also determines when the virtual network interface "cable" is "plugged".

     DeviceType = type (platform dependent)
             The type of the virtual network device.  Tinc will normally automatically select the right type of tun/tap inter‐
             face, and this option should not be used.  However, this option can be used to select one of the special interface
             types, if support for them is compiled in.

             dummy   Use a dummy interface.  No packets are ever read or written to a virtual network device.  Useful for test‐
                     ing, or when setting up a node that only forwards packets for other nodes.

             raw_socket
                     Open a raw socket, and bind it to a pre-existing Interface (eth0 by default).  All packets are read from
                     this interface.  Packets received for the local node are written to the raw socket.  However, at least on
                     Linux, the operating system does not process IP packets destined for the local host.

             multicast
                     Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL
                     value specified using Device.  Packets are read from and written to this multicast socket.  This can be
                     used to connect to UML, QEMU or KVM instances listening on the same multicast address.  Do NOT connect mul‐
                     tiple tinc daemons to the same multicast address, this will very likely cause routing loops.  Also note
                     that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.

             fd      Use a file descriptor, given directly as an integer or passed through a unix domain socket.  On Linux, an
                     abstract socket address can be specified by using "@" as a prefix.  All packets are read from this inter‐
                     face.  Packets received for the local node are written to it.

             uml (not compiled in by default)
                     Create a UNIX socket with the filename specified by Device, or /usr/local/var/run/NETNAME.umlsocket if not
                     specified.  tinc will wait for a User Mode Linux instance to connect to this socket.

             vde (not compiled in by default)
                     Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch, using the UNIX socket
                     specified by Device, or /usr/local/var/run/vde.ctl if not specified.
             Also, in case tinc does not seem to correctly interpret packets received from the virtual network device, it can be
             used to change the way packets are interpreted:

             tun (BSD and Linux)
                     Set type to tun.  Depending on the platform, this can either be with or without an address family header
                     (see below).

             tunnohead (BSD)
                     Set type to tun without an address family header.  Tinc will expect packets read from the virtual network
                     device to start with an IP header.  On some platforms IPv6 packets cannot be read from or written to the
                     device in this mode.

             tunifhead (BSD)
                     Set type to tun with an address family header.  Tinc will expect packets read from the virtual network de‐
                     vice to start with a four byte header containing the address family, followed by an IP header.  This mode
                     should support both IPv4 and IPv6 packets.

             utun (OS X)
                     Set type to utun.  This is only supported on OS X version 10.6.8 and higher, but doesn't require the tunta‐
                     posx module.  This mode should support both IPv4 and IPv6 packets.

             tap (BSD and Linux)
                     Set type to tap.  Tinc will expect packets read from the virtual network device to start with an Ethernet
                     header.

     DirectOnly = yes | no (no) [experimental]
             When this option is enabled, packets that cannot be sent directly to the destination node, but which would have to
             be forwarded by an intermediate node, are dropped instead.  When combined with the IndirectData option, packets for
             nodes for which we do not have a meta connection with are also dropped.

     Ed25519PrivateKeyFile = filename (/usr/local/etc/tinc/NETNAME/ed25519_key.priv)
             The file in which the private Ed25519 key of this tinc daemon resides.  This is only used if ExperimentalProtocol
             is enabled.

     ExperimentalProtocol = yes | no (yes)
             When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
             Ephemeral ECDH will be used for key exchanges, and Ed25519 will be used instead of RSA for authentication.  When
             enabled, an Ed25519 key must have been generated before with tinc generate-ed25519-keys.

     Forwarding = off | internal | kernel (internal) [experimental]
             This option selects the way indirect packets are forwarded.

             off     Incoming packets that are not meant for the local node, but which should be forwarded to another node, are
                     dropped.

             internal
                     Incoming packets that are meant for another node are forwarded by tinc internally.

                     This is the default mode, and unless you really know you need another forwarding mode, don't change it.

             kernel  Incoming packets using the legacy protocol are always sent to the TUN/TAP device, even if the packets are
                     not for the local node.  This is less efficient, but allows the kernel to apply its routing and firewall
                     rules on them, and can also help debugging.  Incoming packets using the SPTPS protocol are dropped, since
                     they are end-to-end encrypted.

     FWMark = value (0) [experimental]
             When set to a non-zero value, all TCP and UDP sockets created by tinc will use the given value as the firewall
             mark.  This can be used for mark-based routing or for packet filtering.  This option is currently only supported on
             Linux.

     Hostnames = yes | no (no)
             This option selects whether IP addresses (both real and on the VPN) should be resolved. Since DNS lookups are
             blocking, it might affect tinc's efficiency, even stopping the daemon for a few seconds every time it does a lookup
             if your DNS server is not responding.

             This does not affect resolving hostnames to IP addresses from the host configuration files, but whether hostnames
             should be resolved while logging.

     IffOneQueue = yes | no (no) [experimental]
             (Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.

     Interface = interface
             Defines the name of the interface corresponding to the virtual network device.  Depending on the operating system
             and the type of device this may or may not actually set the name of the interface.  Under Windows, this variable is
             used to select which network interface will be used.  If you specified a Device, this variable is almost always al‐
             ready correctly set.

     InvitationExpire = seconds (604800)
             This option controls the period invitations are valid.

     KeyExpire = seconds (3600)
             This option controls the period the encryption keys used to encrypt the data are valid.  It is common practice to
             change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impos‐
             sible to crack a single key.

     ListenAddress = address [port]
             If your computer has more than one IPv4 or IPv6 address, tinc will by default listen on all of them for incoming
             connections.  This option can be used to restrict which addresses tinc listens on.  Multiple ListenAddress vari‐
             ables may be specified, in which case listening sockets for each specified address are made.

             If no port is specified, the socket will listen on the port specified by the Port option, or to port 655 if neither
             is given.  To only listen on a specific port but not on a specific address, use * for the address.

             If port is set to zero, it will be randomly assigned by the system. This is useful to randomize source ports of UDP
             packets, which can improve UDP hole punching reliability. In this case it is recommended to set AddressFamily as
             well, otherwise tinc will assign different ports to different address families but other nodes can only know of
             one.

     LocalDiscovery = yes | no (yes)
             When enabled, tinc will try to detect peers that are on the same local network.  This will allow direct communica‐
             tion using LAN addresses, even if both peers are behind a NAT and they only ConnectTo a third node outside the NAT,
             which normally would prevent the peers from learning each other's LAN address.

             Currently, local discovery is implemented by sending some packets to the local address of the node during UDP dis‐
             covery. This will not work with old nodes that don't transmit their local address.

     LogLevel = level (0)
             This option controls the verbosity of the logging. The higher the debug level, the more messages it will log.

     MACExpire = seconds (600)
             This option controls the amount of time MAC addresses are kept before they are removed.  This only has effect when
             Mode is set to "switch".

     MaxConnectionBurst = count (100)
             This option controls how many connections tinc accepts in quick succession.  If there are more connections than the
             given number in a short time interval, tinc will reduce the number of accepted connections to only one per second,
             until the burst has passed.

     MaxTimeout = seconds (900)
             This is the maximum delay before trying to reconnect to other tinc daemons.

     Mode = router | switch | hub (router)
             This option selects the way packets are routed to other daemons.

             router  In this mode Subnet variables in the host configuration files will be used to form a routing table.  Only
                     packets of routable protocols (IPv4 and IPv6) are supported in this mode.

                     This is the default mode, and unless you really know you need another mode, don't change it.

             switch  In this mode the MAC addresses of the packets on the VPN will be used to dynamically create a routing table
                     just like an Ethernet switch does.  Unicast, multicast and broadcast packets of every protocol that runs
                     over Ethernet are supported in this mode at the cost of frequent broadcast ARP requests and routing table
                     updates.

                     This mode is primarily useful if you want to bridge Ethernet segments.

             hub     This mode is almost the same as the switch mode, but instead every packet will be broadcast to the other
                     daemons while no routing table is managed.

     Name = name [required]
             This is the name which identifies this tinc daemon.  It must be unique for the virtual private network this daemon
             will connect to.  Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is
             case sensitive.  If Name starts with a $, then the contents of the environment variable that follows will be used.
             In that case, invalid characters will be converted to underscores.  If Name is $HOST, but no such environment vari‐
             able exist, the hostname will be read using the gethostname() system call.

     PingInterval = seconds (60)
             The number of seconds of inactivity that tinc will wait before sending a probe to the other end.

     PingTimeout = seconds (5)
             The number of seconds to wait for a response to pings or to allow meta connections to block. If the other end
             doesn't respond within this time, the connection is terminated, and the others will be notified of this.

     PriorityInheritance = yes | no (no) [experimental]
             When this option is enabled the value of the TOS field of tunneled IPv4 packets will be inherited by the UDP pack‐
             ets that are sent out.

     PrivateKey = key [obsolete]
             The private RSA key of this tinc daemon.  It will allow this tinc daemon to authenticate itself to other daemons.

     PrivateKeyFile = filename (/usr/local/etc/tinc/NETNAME/rsa_key.priv)
             The file in which the private RSA key of this tinc daemon resides.

     ProcessPriority = low | normal | high
             When this option is used the priority of the tincd process will be adjusted.  Increasing the priority may help to
             reduce latency and packet loss on the VPN.

     Proxy = socks4 | socks5 | http | exec ... [experimental]
             Use a proxy when making outgoing connections.  The following proxy types are currently supported:

             socks4 address port [username]
                     Connects to the proxy using the SOCKS version 4 protocol.  Optionally, a username can be supplied which
                     will be passed on to the proxy server.  Only IPv4 connections can be proxied using SOCKS 4.

             socks5 address port [username password]
                     Connect to the proxy using the SOCKS version 5 protocol.  If a username and password are given, basic user‐
                     name/password authentication will be used, otherwise no authentication will be used.

             http address port
                     Connects to the proxy and sends a HTTP CONNECT request.

             exec command
                     Executes the given command which should set up the outgoing connection.  The environment variables NAME,
                     NODE, REMOTEADDRES and REMOTEPORT are available.

     ReplayWindow = bytes (32)
             This is the size of the replay tracking window for each remote node, in bytes.  The window is a bitfield which
             tracks 1 packet per bit, so for example the default setting of 32 will track up to 256 packets in the window. In
             high bandwidth scenarios, setting this to a higher value can reduce packet loss from the interaction of replay
             tracking with underlying real packet loss and/or reordering. Setting this to zero will disable replay tracking com‐
             pletely and pass all traffic, but leaves tinc vulnerable to replay-based attacks on your traffic.

     StrictSubnets = yes | no (no) [experimental]
             When this option is enabled tinc will only use Subnet statements which are present in the host config files in the
             local /usr/local/etc/tinc/NETNAME/hosts/ directory. Subnets learned via connections to other nodes and which are
             not present in the local host config files are ignored.

     TunnelServer = yes | no (no) [experimental]
             When this option is enabled tinc will no longer forward information between other tinc daemons, and will only allow
             connections with nodes for which host config files are present in the local /usr/local/etc/tinc/NETNAME/hosts/ di‐
             rectory.  Setting this options also implicitly sets StrictSubnets.

     UDPDiscovery = yes | no (yes)
             When this option is enabled tinc will try to establish UDP connectivity to nodes, using TCP while it determines if
             a node is reachable over UDP. If it is disabled, tinc always assumes a node is reachable over UDP.  Note that tinc
             will never use UDP with nodes that have TCPOnly enabled.

     UDPDiscoveryKeepaliveInterval = seconds (9)
             The minimum amount of time between sending UDP ping datagrams to check UDP connectivity once it has been estab‐
             lished.  Note that these pings are large, since they are used to verify link MTU as well.

     UDPDiscoveryInterval = seconds (2)
             The minimum amount of time between sending UDP ping datagrams to try to establish UDP connectivity.

     UDPDiscoveryTimeout = seconds (30)
             If tinc doesn't receive any UDP ping replies over the specified interval, it will assume UDP communication is bro‐
             ken and will fall back to TCP.

     UDPInfoInterval = seconds (5)
             The minimum amount of time between sending periodic updates about UDP addresses, which are mostly useful for UDP
             hole punching.

     UDPRcvBuf = bytes (1048576)
             Sets the socket receive buffer size for the UDP socket, in bytes.  If set to zero, the default buffer size will be
             used by the operating system.  Note: this setting can have a significant impact on performance, especially raw
             throughput.

     UDPSndBuf = bytes (1048576)
             Sets the socket send buffer size for the UDP socket, in bytes.  If set to zero, the default buffer size will be
             used by the operating system.  Note: this setting can have a significant impact on performance, especially raw
             throughput.

     UPnP = yes | udponly | no (no)
             If this option is enabled then tinc will search for UPnP-IGD devices on the local network.  It will then create and
             maintain port mappings for tinc's listening TCP and UDP ports.  If set to "udponly", tinc will only create a map‐
             ping for its UDP (data) port, not for its TCP (metaconnection) port.  Note that tinc must have been built with
             miniupnpc support for this feature to be available.  Furthermore, be advised that enabling this can have security
             implications, because the miniupnpc library that tinc uses might not be well-hardened with regard to malicious UPnP
             replies.

     UPnPDiscoverWait = seconds (5)
             The amount of time to wait for replies when probing the local network for UPnP devices.

     UPnPRefreshPeriod = seconds (60)
             How often tinc will re-add the port mapping, in case it gets reset on the UPnP device. This also controls the dura‐
             tion of the port mapping itself, which will be set to twice that duration.
     The host configuration files contain all information needed to establish a connection to those hosts.  A host configuration
     file is also required for the local tinc daemon, it will use it to read in it's listen port, public key and subnets.

     The idea is that these files are portable.  You can safely mail your own host configuration file to someone else.  That
     other person can then copy it to his own hosts directory, and now his tinc daemon will be able to connect to your tinc dae‐
     mon.  Since host configuration files only contain public keys, no secrets are revealed by sending out this information.

     Address = address [port] [recommended]
             The IP address or hostname of this tinc daemon on the real network.  This will only be used when trying to make an
             outgoing connection to this tinc daemon.  Optionally, a port can be specified to use for this address.  Multiple
             Address variables can be specified, in which case each address will be tried until a working connection has been
             established.

     Cipher = cipher (blowfish)
             The symmetric cipher algorithm used to encrypt UDP packets.  Any cipher supported by LibreSSL or OpenSSL is recog‐
             nised.  Furthermore, specifying "none" will turn off packet encryption.  It is best to use only those ciphers which
             support CBC mode.  This option has no effect for connections between nodes using ExperimentalProtocol.

     ClampMSS = yes | no (yes)
             This option specifies whether tinc should clamp the maximum segment size (MSS) of TCP packets to the path MTU. This
             helps in situations where ICMP Fragmentation Needed or Packet too Big messages are dropped by firewalls.

     Compression = level (0)
             This option sets the level of compression used for UDP packets.  Possible values are 0 (off), 1 (fast zlib) and any
             integer up to 9 (best zlib), 10 (fast lzo) and 11 (best lzo).

     Digest = digest (sha1)
             The digest algorithm used to authenticate UDP packets.  Any digest supported by LibreSSL or OpenSSL is recognised.
             Furthermore, specifying "none" will turn off packet authentication.  This option has no effect for connections be‐
             tween nodes using ExperimentalProtocol.

     IndirectData = yes | no (no)
             When set to yes, only nodes which already have a meta connection to you will try to establish direct communication
             with you.  It is best to leave this option out or set it to no.

     MACLength = length (4)
             The length of the message authentication code used to authenticate UDP packets.  Can be anything from "0" up to the
             length of the digest produced by the digest algorithm.  This option has no effect for connections between nodes us‐
             ing ExperimentalProtocol.

     PMTU = mtu (1514)
             This option controls the initial path MTU to this node.

     PMTUDiscovery = yes | no (yes)
             When this option is enabled, tinc will try to discover the path MTU to this node.  After the path MTU has been dis‐
             covered, it will be enforced on the VPN.

     MTUInfoInterval = seconds (5)
             The minimum amount of time between sending periodic updates about relay path MTU. Useful for quickly determining
             MTU to indirect nodes.

     Port = port (655)
             The port number on which this tinc daemon is listening for incoming connections, which is used if no port number is
             specified in an Address statement.

             If this is set to zero, the port will be randomly assigned by the system. This is useful to randomize source ports
             of UDP packets, which can improve UDP hole punching reliability. When setting Port to zero it is recommended to set
             AddressFamily as well, otherwise tinc will assign different ports to different address families but other nodes can
             only know of one.

     PublicKey = key [obsolete]
             The public RSA key of this tinc daemon.  It will be used to cryptographically verify it's identity and to set up a
             secure connection.

     PublicKeyFile = filename [obsolete]
             The file in which the public RSA key of this tinc daemon resides.

             From version 1.0pre4 on tinc will store the public key directly into the host configuration file in PEM format, the
             above two options then are not necessary.  Either the PEM format is used, or exactly one of the above two options
             must be specified in each host configuration file, if you want to be able to establish a connection with that host.

     Subnet = address[/prefixlength[#weight]]
             The subnet which this tinc daemon will serve.  tinc tries to look up which other daemon it should send a packet to
             by searching the appropriate subnet.  If the packet matches a subnet, it will be sent to the daemon who has this
             subnet in his host configuration file.  Multiple Subnet variables can be specified.

             Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single ad‐
             dress is assumed, or they can be a IPv4 or IPv6 network address with a prefixlength.  For example, IPv4 subnets
             must be in a form like 192.168.1.0/24, where 192.168.1.0 is the network address and 24 is the number of bits set in
             the netmask.  Note that subnets like 192.168.1.1/24 are invalid!  Read a networking HOWTO/FAQ/guide if you don't
             understand this.  IPv6 subnets are notated like fec0:0:0:1::/64.  MAC addresses are notated like 0:1a:2b:3c:4d:5e.

             A Subnet can be given a weight to indicate its priority over identical Subnets owned by different nodes. The de‐
             fault weight is 10. Lower values indicate higher priority. Packets will be sent to the node with the highest prior‐
             ity, unless that node is not reachable, in which case the node with the next highest priority will be tried, and so
             on.

     TCPOnly = yes | no (no [obsolete])
             If this variable is set to yes, then the packets are tunnelled over the TCP connection instead of a UDP connection.
             This is especially useful for those who want to run a tinc daemon from behind a masquerading firewall, or if UDP
             packet routing is disabled somehow.  Setting this options also implicitly sets IndirectData.

             Since version 1.0.10, tinc will automatically detect whether communication via UDP is possible or not.

     Weight = weight
             If this variable is set, it overrides the weight given to connections made with another host. A higher weight means
             a lower priority is given to this connection when broadcasting or forwarding packets.

SCRIPTS
     Apart from reading the server and host configuration files, tinc can also run scripts at certain moments.  Below is a list
     of filenames of scripts and a description of when they are run.  A script is only run if it exists and if it is executable.

     Scripts are run synchronously; this means that tinc will temporarily stop processing packets until the called script fin‐
     ishes executing.  This guarantees that scripts will execute in the exact same order as the events that trigger them.  If
     you need to run commands asynchronously, you have to ensure yourself that they are being run in the background.

     Under Windows, the scripts must have the extension .bat or .cmd.

     /usr/local/etc/tinc/NETNAME/tinc-up
             This is the most important script.  If it is present it will be executed right after the tinc daemon has been
             started and has connected to the virtual network device (or when the first node becomes reachable if DeviceStandby
             is used).  It should be used to set up the corresponding network interface, but can also be used to start other
             things.

             Under Windows you can use the Network Connections control panel instead of creating this script.

     /usr/local/etc/tinc/NETNAME/tinc-down
             This script is started right before the tinc daemon quits (or when the last node becomes unreachable if
             DeviceStandby is used).

     /usr/local/etc/tinc/NETNAME/hosts/HOST-up
             This script is started when the tinc daemon with name HOST becomes reachable.

     /usr/local/etc/tinc/NETNAME/hosts/HOST-down
             This script is started when the tinc daemon with name HOST becomes unreachable.

     /usr/local/etc/tinc/NETNAME/host-up
             This script is started when any host becomes reachable.

     /usr/local/etc/tinc/NETNAME/host-down
             This script is started when any host becomes unreachable.

     /usr/local/etc/tinc/NETNAME/subnet-up
             This script is started when a Subnet becomes reachable.  The Subnet and the node it belongs to are passed in envi‐
             ronment variables.

     /usr/local/etc/tinc/NETNAME/subnet-down
             This script is started when a Subnet becomes unreachable.

     /usr/local/etc/tinc/NETNAME/invitation-created
             This script is started when a new invitation has been created.

     /usr/local/etc/tinc/NETNAME/invitation-accepted
             This script is started when an invitation has been used.

     The scripts are started without command line arguments, but can make use of certain environment variables.  Under UNIX like
     operating systems the names of environment variables must be preceded by a $ in scripts.  Under Windows, in .bat or .cmd
     files, they have to be put between % signs.

     NETNAME
             If a netname was specified, this environment variable contains it.

     NAME    Contains the name of this tinc daemon.

     DEVICE  Contains the name of the virtual network device that tinc uses.

     INTERFACE
             Contains the name of the virtual network interface that tinc uses.  This should be used for commands like ifconfig.

     NODE    When a host becomes (un)reachable, this is set to its name.  If a subnet becomes (un)reachable, this is set to the
             owner of that subnet.

     REMOTEADDRESS
             When a host becomes (un)reachable, this is set to its real address.

     REMOTEPORT
             When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc dae‐
             mons.

     SUBNET  When a subnet becomes (un)reachable, this is set to the subnet.

     WEIGHT  When a subnet becomes (un)reachable, this is set to the subnet weight.

     INVITATION_FILE
             When the invitation-created script is called, this is set to the file where the invitation details will be stored.

     INVITATION_URL
             When the invitation-created script is called, this is set to the invitation URL that has been created.

     Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command chmod a+x
     script.

FILES
     The most important files are:

     /usr/local/etc/tinc/
             The top directory for configuration files.

     /usr/local/etc/tinc/NETNAME/tinc.conf
             The default name of the server configuration file for net NETNAME.

     /usr/local/etc/tinc/NETNAME/conf.d/
             Optional directory from which any .conf file will be loaded

     /usr/local/etc/tinc/NETNAME/hosts/
             Host configuration files are kept in this directory.

     /usr/local/etc/tinc/NETNAME/tinc-up
             If an executable file with this name exists, it will be executed right after the tinc daemon has connected to the
             virtual network device.  It can be used to set up the corresponding network interface.

     /usr/local/etc/tinc/NETNAME/tinc-down
             If an executable file with this name exists, it will be executed right before the tinc daemon is going to close its
             connection to the virtual network device.

     /usr/local/etc/tinc/NETNAME/invitations/
             This directory contains outstanding invitations.

     /usr/local/etc/tinc/NETNAME/invitation-data
             After a successful join, this file contains a copy of the invitation data received.
     tincd(8), tinc(8), https://www.tinc-vpn.org/, http://www.tldp.org/LDP/nag2/.

     The full documentation for tinc is maintained as a Texinfo manual.  If the info and tinc programs are properly installed at
     your site, the command info tinc should give you access to the complete manual.

     tinc comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are welcome to redistribute it under certain condi‐
     tions; see the file COPYING for details.

                                                          June 27, 2021