TINC.CONF(5) BSD File Formats Manual TINC.CONF(5)
NAME
tinc.conf — tinc daemon configuration
DESCRIPTION
The files in the /etc/tinc/ directory contain runtime and security information for the tinc daemon.
NETWORKS
To distinguish multiple instances of tinc running on one computer, you can use the -n option to assign a network name to
each tinc daemon.
The effect of this option is that the daemon will set its configuration root to /etc/tinc/NETNAME/, where NETNAME is your
argument to the -n option. You'll notice that messages appear in syslog as coming from tincd.NETNAME, and on Linux, unless
specified otherwise, the name of the virtual network interface will be the same as the network name.
It is recommended that you use network names even if you run only one instance of tinc. However, you can choose not to use
the -n option. In this case, the network name would just be empty, and tinc now looks for files in /etc/tinc/, instead of
/etc/tinc/NETNAME/; the configuration file should be /etc/tinc/tinc.conf, and the host configuration files are now expected
to be in /etc/tinc/hosts/.
NAMES
Each tinc daemon should have a name that is unique in the network which it will be part of. The name will be used by other
tinc daemons for identification. The name has to be declared in the /etc/tinc/NETNAME/tinc.conf file.
To make things easy, choose something that will give unique and easy to remember names to your tinc daemon(s). You could
try things like hostnames, owner surnames or location names. However, you are only allowed to use alphanumerical charac‐
ters (a-z, A-Z, and 0-9) and underscores (_) in the name.
If you have not configured tinc yet, you can easily create a basic configuration using the following command:
tinc -n NETNAME init NAME
You can further change the configuration as needed either by manually editing the configuration files, or by using tinc(8).
The tinc init command will have generated both RSA and ECDSA public/private keypairs. The private keys should be stored in
files named rsa_key.priv and ecdsa_key.priv in the directory /etc/tinc/NETNAME/ The public keys should be stored in the
host configuration file /etc/tinc/NETNAME/hosts/NAME. The RSA keys are used for backwards compatibility with tinc version
1.0. If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files, but you will need to create
ECDSA keys using the following command:
tinc -n NETNAME generate-ecdsa-keys
The server configuration of the daemon is done in the file /etc/tinc/NETNAME/tinc.conf. This file consists of comments
(lines started with a #) or assignments in the form of:
Variable = Value.
The variable names are case insensitive, and any spaces, tabs, newlines and carriage returns are ignored. Note: it is not
required that you put in the = sign, but doing so improves readability. If you leave it out, remember to replace it with
at least one space character.
The server configuration is complemented with host specific configuration (see the next section). Although all configura‐
tion options for the local host listed in this document can also be put in /etc/tinc/NETNAME/tinc.conf, it is recommended
to put host specific configuration options in the host configuration file, as this makes it easy to exchange with other
nodes.
You can edit the config file manually, but it is recommended that you use tinc(8) to change configuration variables for
you.
Here are all valid variables, listed in alphabetical order. The default value is given between parentheses.
AddressFamily = ipv4 | ipv6 | any (any)
This option affects the address family of listening and outgoing sockets. If "any" is selected, then depending on
the operating system both IPv4 and IPv6 or just IPv6 listening sockets will be created.
AutoConnect = count (0) [experimental]
If set to a non-zero value, tinc.conf will try to only have count meta connections to other nodes, by automatically
making or breaking connections to known nodes. Higher values increase redundancy but also increase meta data over‐
head. When using this option, a good value is 3.
BindToAddress = address [port]
If your computer has more than one IPv4 or IPv6 address, tinc will by default listen on all of them for incoming
connections. Multiple BindToAddress variables may be specified, in which case listening sockets for each specified
address are made.
If no port is specified, the socket will be bound to the port specified by the Port option, or to port 655 if nei‐
ther is given. To only bind to a specific port but not to a specific address, use * for the address.
BindToInterface = interface [experimental]
If your computer has more than one network interface, tinc will by default listen on all of them for incoming con‐
nections. It is possible to bind only to a single interface with this variable.
This option may not work on all platforms. Also, on some platforms it will not actually bind to an interface, but
rather to the address that the interface has at the moment a socket is created.
Broadcast = no | mst | direct (mst) [experimental]
This option selects the way broadcast packets are sent to other daemons. NOTE: all nodes in a VPN must use the
same Broadcast mode, otherwise routing loops can form.
no Broadcast packets are never sent to other nodes.
mst Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree. This ensures broadcast pack‐
ets reach all nodes.
direct Broadcast packets are sent directly to all nodes that can be reached directly. Broadcast packets received
from other nodes are never forwarded. If the IndirectData option is also set, broadcast packets will only
be sent to nodes which we have a meta connection to.
ConnectTo = name
Specifies which other tinc daemon to connect to on startup. Multiple ConnectTo variables may be specified, in
which case outgoing connections to each specified tinc daemon are made. The names should be known to this tinc
daemon (i.e., there should be a host configuration file for the name on the ConnectTo line).
If you don't specify a host with ConnectTo, tinc won't try to connect to other daemons at all, and will instead
just listen for incoming connections.
DecrementTTL = yes | no (no) [experimental]
When enabled, tinc will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets,
before forwarding a received packet to the virtual network device or to another node, and will drop packets that
have a TTL value of zero, in which case it will send an ICMP Time Exceeded packet back.
Do not use this option if you use switch mode and want to use IPv6.
Device = device (/dev/tap0, /dev/net/tun or other depending on platform)
The virtual network device to use. tinc will automatically detect what kind of device it is. Note that you can
only use one device per daemon. Under Windows, use Interface instead of Device. The info pages of the tinc pack‐
age contain more information about configuring the virtual network device.
DeviceType = type (platform dependent)
The type of the virtual network device. Tinc will normally automatically select the right type of tun/tap inter‐
face, and this option should not be used. However, this option can be used to select one of the special interface
types, if support for them is compiled in.
dummy Use a dummy interface. No packets are ever read or written to a virtual network device. Useful for test‐
ing, or when setting up a node that only forwards packets for other nodes.
raw_socket
Open a raw socket, and bind it to a pre-existing Interface (eth0 by default). All packets are read from
this interface. Packets received for the local node are written to the raw socket. However, at least on
Linux, the operating system does not process IP packets destined for the local host.
multicast
Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL
value specified using Device. Packets are read from and written to this multicast socket. This can be
used to connect to UML, QEMU or KVM instances listening on the same multicast address. Do NOT connect mul‐
tiple tinc daemons to the same multicast address, this will very likely cause routing loops. Also note
that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
uml (not compiled in by default)
Create a UNIX socket with the filename specified by Device, or /var/run/NETNAME.umlsocket if not specified.
tinc will wait for a User Mode Linux instance to connect to this socket.
vde (not compiled in by default)
Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch, using the UNIX socket
specified by Device, or /var/run/vde.ctl if not specified.
Also, in case tinc does not seem to correctly interpret packets received from the virtual network device, it can be
used to change the way packets are interpreted:
tun (BSD and Linux)
Set type to tun. Depending on the platform, this can either be with or without an address family header
(see below).
tunnohead (BSD)
Set type to tun without an address family header. Tinc will expect packets read from the virtual network
device to start with an IP header. On some platforms IPv6 packets cannot be read from or written to the
device in this mode.
tunifhead (BSD)
Set type to tun with an address family header. Tinc will expect packets read from the virtual network
device to start with a four byte header containing the address family, followed by an IP header. This mode
should support both IPv4 and IPv6 packets.
tap (BSD and Linux)
Set type to tap. Tinc will expect packets read from the virtual network device to start with an Ethernet
header.
DirectOnly = yes | no (no) [experimental]
When this option is enabled, packets that cannot be sent directly to the destination node, but which would have to
be forwarded by an intermediate node, are dropped instead. When combined with the IndirectData option, packets for
nodes for which we do not have a meta connection with are also dropped.
ECDSAPrivateKeyFile = filename (/etc/tinc/NETNAME/ecdsa_key.priv)
The file in which the private ECDSA key of this tinc daemon resides. This is only used if ExperimentalProtocol is
enabled.
ExperimentalProtocol = yes | no (no) [experimental]
When this option is enabled, experimental protocol enhancements will be used. Ephemeral ECDH will be used for key
exchanges, and ECDSA will be used instead of RSA for authentication. When enabled, an ECDSA key must have been
generated before with tinc generate-ecdsa-keys. The experimental protocol may change at any time, and there is no
guarantee that tinc will run stable when it is used.
Forwarding = off | internal | kernel (internal) [experimental]
This option selects the way indirect packets are forwarded.
off Incoming packets that are not meant for the local node, but which should be forwarded to another node, are
dropped.
internal
Incoming packets that are meant for another node are forwarded by tinc internally.
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
kernel Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
This is less efficient, but allows the kernel to apply its routing and firewall rules on them, and can also
help debugging.
Hostnames = yes | no (no)
This option selects whether IP addresses (both real and on the VPN) should be resolved. Since DNS lookups are
blocking, it might affect tinc's efficiency, even stopping the daemon for a few seconds every time it does a lookup
if your DNS server is not responding.
This does not affect resolving hostnames to IP addresses from the host configuration files, but whether hostnames
should be resolved while logging.
IffOneQueue = yes | no (no) [experimental]
(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
Interface = interface
Defines the name of the interface corresponding to the virtual network device. Depending on the operating system
and the type of device this may or may not actually set the name of the interface. Under Windows, this variable is
used to select which network interface will be used. If you specified a Device, this variable is almost always
already correctly set.
KeyExpire = seconds (3600)
This option controls the period the encryption keys used to encrypt the data are valid. It is common practice to
change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impos‐
sible to crack a single key.
LocalDiscovery = yes | no (no)
When enabled, tinc will try to detect peers that are on the same local network. This will allow direct communica‐
tion using LAN addresses, even if both peers are behind a NAT and they only ConnectTo a third node outside the NAT,
which normally would prevent the peers from learning each other's LAN address.
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery. This
feature may not work in all possible situations.
MACExpire = seconds (600)
This option controls the amount of time MAC addresses are kept before they are removed. This only has effect when
Mode is set to "switch".
MaxTimeout = seconds (900)
This is the maximum delay before trying to reconnect to other tinc daemons.
Mode = router | switch | hub (router)
This option selects the way packets are routed to other daemons.
router In this mode Subnet variables in the host configuration files will be used to form a routing table. Only
packets of routable protocols (IPv4 and IPv6) are supported in this mode.
This is the default mode, and unless you really know you need another mode, don't change it.
switch In this mode the MAC addresses of the packets on the VPN will be used to dynamically create a routing table
just like an Ethernet switch does. Unicast, multicast and broadcast packets of every protocol that runs
over Ethernet are supported in this mode at the cost of frequent broadcast ARP requests and routing table
updates.
This mode is primarily useful if you want to bridge Ethernet segments.
hub This mode is almost the same as the switch mode, but instead every packet will be broadcast to the other
daemons while no routing table is managed.
Name = name [required]
This is the name which identifies this tinc daemon. It must be unique for the virtual private network this daemon
will connect to. The Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is
case sensitive. If Name starts with a $, then the contents of the environment variable that follows will be used.
In that case, invalid characters will be converted to underscores. If Name is $HOST, but no such environment vari‐
able exist, the hostname will be read using the gethostname() system call.
PingInterval = seconds (60)
The number of seconds of inactivity that tinc will wait before sending a probe to the other end.
PingTimeout = seconds (5)
The number of seconds to wait for a response to pings or to allow meta connections to block. If the other end
doesn't respond within this time, the connection is terminated, and the others will be notified of this.
PriorityInheritance = yes | no (no) [experimental]
When this option is enabled the value of the TOS field of tunneled IPv4 packets will be inherited by the UDP pack‐
ets that are sent out.
PrivateKey = key [obsolete]
The private RSA key of this tinc daemon. It will allow this tinc daemon to authenticate itself to other daemons.
PrivateKeyFile = filename (/etc/tinc/NETNAME/rsa_key.priv)
The file in which the private RSA key of this tinc daemon resides.
ProcessPriority = low | normal | high
When this option is used the priority of the tincd process will be adjusted. Increasing the priority may help to
reduce latency and packet loss on the VPN.
Proxy = socks4 | socks5 | http | exec ... [experimental]
Use a proxy when making outgoing connections. The following proxy types are currently supported:
socks4 address port [username]
Connects to the proxy using the SOCKS version 4 protocol. Optionally, a username can be supplied which
will be passed on to the proxy server. Only IPv4 connections can be proxied using SOCKS 4.
socks5 address port [username password]
Connect to the proxy using the SOCKS version 5 protocol. If a username and password are given, basic user‐
name/password authentication will be used, otherwise no authentication will be used.
http address port
Connects to the proxy and sends a HTTP CONNECT request.
exec command
Executes the given command which should set up the outgoing connection. The environment variables NAME,
NODE, REMOTEADDRES and REMOTEPORT are available.
ReplayWindow = bytes (16)
This is the size of the replay tracking window for each remote node, in bytes. The window is a bitfield which
tracks 1 packet per bit, so for example the default setting of 16 will track up to 128 packets in the window. In
high bandwidth scenarios, setting this to a higher value can reduce packet loss from the interaction of replay
tracking with underlying real packet loss and/or reordering. Setting this to zero will disable replay tracking
completely and pass all traffic, but leaves tinc vulnerable to replay-based attacks on your traffic.
StrictSubnets = yes | no (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are present in the host config files in the
local /etc/tinc/NETNAME/hosts/ directory.
TunnelServer = yes | no (no) [experimental]
When this option is enabled tinc will no longer forward information between other tinc daemons, and will only allow
connections with nodes for which host config files are present in the local /etc/tinc/NETNAME/hosts/ directory.
Setting this options also implicitly sets StrictSubnets.
UDPRcvBuf = bytes (OS default)
Sets the socket receive buffer size for the UDP socket, in bytes. If unset, the default buffer size will be used
by the operating system.
UDPSndBuf = bytes (OS default)
Sets the socket send buffer size for the UDP socket, in bytes. If unset, the default buffer size will be used by
the operating system.
The host configuration files contain all information needed to establish a connection to those hosts. A host configuration
file is also required for the local tinc daemon, it will use it to read in it's listen port, public key and subnets.
The idea is that these files are portable. You can safely mail your own host configuration file to someone else. That
other person can then copy it to his own hosts directory, and now his tinc daemon will be able to connect to your tinc dae‐
mon. Since host configuration files only contain public keys, no secrets are revealed by sending out this information.
Address = address [port] [recommended]
The IP address or hostname of this tinc daemon on the real network. This will only be used when trying to make an
outgoing connection to this tinc daemon. Optionally, a port can be specified to use for this address. Multiple
Address variables can be specified, in which case each address will be tried until a working connection has been
established.
Cipher = cipher (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets. Any cipher supported by OpenSSL is recognised. Fur‐
thermore, specifying "none" will turn off packet encryption. It is best to use only those ciphers which support
CBC mode. This option has no effect for connections between nodes using ExperimentalProtocol.
ClampMSS = yes | no (yes)
This option specifies whether tinc should clamp the maximum segment size (MSS) of TCP packets to the path MTU. This
helps in situations where ICMP Fragmentation Needed or Packet too Big messages are dropped by firewalls.
Compression = level (0)
This option sets the level of compression used for UDP packets. Possible values are 0 (off), 1 (fast zlib) and any
integer up to 9 (best zlib), 10 (fast lzo) and 11 (best lzo).
Digest = digest (sha1)
The digest algorithm used to authenticate UDP packets. Any digest supported by OpenSSL is recognised. Further‐
more, specifying "none" will turn off packet authentication. This option has no effect for connections between
nodes using ExperimentalProtocol.
IndirectData = yes | no (no)
When set to yes, other nodes which do not already have a meta connection to you will not try to establish direct
communication with you. It is best to leave this option out or set it to no.
MACLength = length (4)
The length of the message authentication code used to authenticate UDP packets. Can be anything from "0" up to the
length of the digest produced by the digest algorithm. This option has no effect for connections between nodes
using ExperimentalProtocol.
PMTU = mtu (1514)
This option controls the initial path MTU to this node.
PMTUDiscovery = yes | no (yes)
When this option is enabled, tinc will try to discover the path MTU to this node. After the path MTU has been dis‐
covered, it will be enforced on the VPN.
Port = port (655)
The port number on which this tinc daemon is listening for incoming connections, which is used if no port number is
specified in an Address statement.
PublicKey = key [obsolete]
The public RSA key of this tinc daemon. It will be used to cryptographically verify it's identity and to set up a
secure connection.
PublicKeyFile = filename [obsolete]
The file in which the public RSA key of this tinc daemon resides.
From version 1.0pre4 on tinc will store the public key directly into the host configuration file in PEM format, the
above two options then are not necessary. Either the PEM format is used, or exactly one of the above two options
must be specified in each host configuration file, if you want to be able to establish a connection with that host.
Subnet = address[/prefixlength[#weight]]
The subnet which this tinc daemon will serve. tinc tries to look up which other daemon it should send a packet to
by searching the appropriate subnet. If the packet matches a subnet, it will be sent to the daemon who has this
subnet in his host configuration file. Multiple Subnet variables can be specified.
Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single
address is assumed, or they can be a IPv4 or IPv6 network address with a prefixlength. For example, IPv4 subnets
must be in a form like 192.168.1.0/24, where 192.168.1.0 is the network address and 24 is the number of bits set in
the netmask. Note that subnets like 192.168.1.1/24 are invalid! Read a networking HOWTO/FAQ/guide if you don't
understand this. IPv6 subnets are notated like fec0:0:0:1::/64. MAC addresses are notated like 0:1a:2b:3c:4d:5e.
A Subnet can be given a weight to indicate its priority over identical Subnets owned by different nodes. The
default weight is 10. Lower values indicate higher priority. Packets will be sent to the node with the highest pri‐
ority, unless that node is not reachable, in which case the node with the next highest priority will be tried, and
so on.
TCPOnly = yes | no (no [obsolete])
If this variable is set to yes, then the packets are tunnelled over the TCP connection instead of a UDP connection.
This is especially useful for those who want to run a tinc daemon from behind a masquerading firewall, or if UDP
packet routing is disabled somehow. Setting this options also implicitly sets IndirectData.
Since version 1.0.10, tinc will automatically detect whether communication via UDP is possible or not.
SCRIPTS
Apart from reading the server and host configuration files, tinc can also run scripts at certain moments. Under Windows
(not Cygwin), the scripts should have the extension .bat.
/etc/tinc/NETNAME/tinc-up
This is the most important script. If it is present it will be executed right after the tinc daemon has been
started and has connected to the virtual network device. It should be used to set up the corresponding network
interface, but can also be used to start other things. Under Windows you can use the Network Connections control
panel instead of creating this script.
/etc/tinc/NETNAME/tinc-down
This script is started right before the tinc daemon quits.
/etc/tinc/NETNAME/hosts/HOST-up
This script is started when the tinc daemon with name HOST becomes reachable.
/etc/tinc/NETNAME/hosts/HOST-down
This script is started when the tinc daemon with name HOST becomes unreachable.
/etc/tinc/NETNAME/host-up
This script is started when any host becomes reachable.
/etc/tinc/NETNAME/host-down
This script is started when any host becomes unreachable.
/etc/tinc/NETNAME/subnet-up
This script is started when a Subnet becomes reachable. The Subnet and the node it belongs to are passed in envi‐
ronment variables.
/etc/tinc/NETNAME/subnet-down
This script is started when a Subnet becomes unreachable.
The scripts are started without command line arguments, but can make use of certain environment variables. Under UNIX like
operating systems the names of environment variables must be preceded by a $ in scripts. Under Windows, in .bat files,
they have to be put between % signs.
NETNAME
If a netname was specified, this environment variable contains it.
NAME Contains the name of this tinc daemon.
DEVICE Contains the name of the virtual network device that tinc uses.
INTERFACE
Contains the name of the virtual network interface that tinc uses. This should be used for commands like ifconfig.
NODE When a host becomes (un)reachable, this is set to its name. If a subnet becomes (un)reachable, this is set to the
owner of that subnet.
REMOTEADDRESS
When a host becomes (un)reachable, this is set to its real address.
REMOTEPORT
When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc dae‐
mons.
SUBNET When a subnet becomes (un)reachable, this is set to the subnet.
WEIGHT When a subnet becomes (un)reachable, this is set to the subnet weight.
Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command chmod a+x
script.
FILES
The most important files are:
/etc/tinc/
The top directory for configuration files.
/etc/tinc/NETNAME/tinc.conf
The default name of the server configuration file for net NETNAME.
/etc/tinc/NETNAME/hosts/
Host configuration files are kept in this directory.
/etc/tinc/NETNAME/tinc-up
If an executable file with this name exists, it will be executed right after the tinc daemon has connected to the
virtual network device. It can be used to set up the corresponding network interface.
/etc/tinc/NETNAME/tinc-down
If an executable file with this name exists, it will be executed right before the tinc daemon is going to close its
connection to the virtual network device.
tincd(8), tinc(8), http://www.tinc-vpn.org/, http://www.tldp.org/LDP/nag2/.
The full documentation for tinc is maintained as a Texinfo manual. If the info and tinc programs are properly installed at
your site, the command info tinc should give you access to the complete manual.
tinc comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain condi‐
tions; see the file COPYING for details.
April 22, 2013