TINC.CONF(5) BSD File Formats Manual TINC.CONF(5) NAME tinc.conf — tinc daemon configuration DESCRIPTION The files in the /usr/local/etc/tinc/ directory contain runtime and security information for the tinc daemon. NETWORKS To distinguish multiple instances of tinc running on one computer, you can use the -n option to assign a network name to each tinc daemon. The effect of this option is that the daemon will set its configuration root to /usr/local/etc/tinc/NETNAME/, where NETNAME is your argument to the -n option. You'll notice that messages appear in syslog as coming from tincd.NETNAME, and on Linux, unless specified otherwise, the name of the virtual network interface will be the same as the network name. It is recommended that you use network names even if you run only one instance of tinc. However, you can choose not to use the -n option. In this case, the network name would just be empty, and tinc now looks for files in /usr/local/etc/tinc/, instead of /usr/local/etc/tinc/NETNAME/; the configuration file should be /usr/local/etc/tinc/tinc.conf, and the host con‐ figuration files are now expected to be in /usr/local/etc/tinc/hosts/. NAMES Each tinc daemon must have a name that is unique in the network which it will be part of. The name will be used by other tinc daemons for identification. The name has to be declared in the /usr/local/etc/tinc/NETNAME/tinc.conf file. To make things easy, choose something that will give unique and easy to remember names to your tinc daemon(s). You could try things like hostnames, owner surnames or location names. However, you are only allowed to use alphanumerical charac‐ ters (a-z, A-Z, and 0-9) and underscores (_) in the name. If you have not configured tinc yet, you can easily create a basic configuration using the following command: tinc -n NETNAME init NAME You can further change the configuration as needed either by manually editing the configuration files, or by using tinc(8). The tinc init command will have generated both RSA and Ed25519 public/private key pairs. The private keys should be stored in files named rsa_key.priv and ed25519_key.priv in the directory /usr/local/etc/tinc/NETNAME/ The public keys should be stored in the host configuration file /usr/local/etc/tinc/NETNAME/hosts/NAME. The RSA keys are used for backwards compati‐ bility with tinc version 1.0. If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files, but you will need to create Ed25519 keys using the following command: tinc -n NETNAME generate-ed25519-keys The server configuration of the daemon is done in the file /usr/local/etc/tinc/NETNAME/tinc.conf. This file consists of comments (lines started with a #) or assignments in the form of: Variable = Value. The variable names are case insensitive, and any spaces, tabs, newlines and carriage returns are ignored. Note: it is not required that you put in the = sign, but doing so improves readability. If you leave it out, remember to replace it with at least one space character. The server configuration is complemented with host specific configuration (see the next section). Although all configura‐ tion options for the local host listed in this document can also be put in /usr/local/etc/tinc/NETNAME/tinc.conf, it is recommended to put host specific configuration options in the host configuration file, as this makes it easy to exchange with other nodes. You can edit the config file manually, but it is recommended that you use tinc(8) to change configuration variables for you. Here are all valid variables, listed in alphabetical order. The default value is given between parentheses. AddressFamily = ipv4 | ipv6 | any (any) This option affects the address family of listening and outgoing sockets. If "any" is selected, then depending on the operating system both IPv4 and IPv6 or just IPv6 listening sockets will be created. AutoConnect = yes | no (yes) If set to yes, tinc will automatically set up meta connections to other nodes, without requiring ConnectTo vari‐ ables. Note: it is not possible to connect to nodes using zero (system-assigned) ports in this way. BindToAddress = address [port] This is the same as ListenAddress, however the address given with the BindToAddress option will also be used for outgoing connections. This is useful if your computer has more than one IPv4 or IPv6 address, and you want tinc to only use a specific one for outgoing packets. BindToInterface = interface [experimental] If your computer has more than one network interface, tinc will by default listen on all of them for incoming con‐ nections. It is possible to bind only to a single interface with this variable. This option may not work on all platforms. Also, on some platforms it will not actually bind to an interface, but rather to the address that the interface has at the moment a socket is created. Broadcast = no | mst | direct (mst) [experimental] This option selects the way broadcast packets are sent to other daemons. NOTE: all nodes in a VPN must use the same Broadcast mode, otherwise routing loops can form. no Broadcast packets are never sent to other nodes. mst Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree. This ensures broadcast pack‐ ets reach all nodes. direct Broadcast packets are sent directly to all nodes that can be reached directly. Broadcast packets received from other nodes are never forwarded. If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to. BroadcastSubnet = address[/prefixlength] Declares a broadcast subnet. Any packet with a destination address falling into such a subnet will be routed as a broadcast (provided all nodes have it declared). This is most useful to declare subnet broadcast addresses (e.g. 10.42.255.255), otherwise tinc won't know what to do with them. Note that global broadcast addresses (MAC ff:ff:ff:ff:ff:ff, IPv4 255.255.255.255), as well as multicast space (IPv4 224.0.0.0/4, IPv6 ff00::/8) are always considered broadcast addresses and don't need to be declared. ConnectTo = name Specifies which other tinc daemon to connect to on startup. Multiple ConnectTo variables may be specified, in which case outgoing connections to each specified tinc daemon are made. The names should be known to this tinc daemon (i.e., there should be a host configuration file for the name on the ConnectTo line). If you don't specify a host with ConnectTo and have disabled AutoConnect, tinc won't try to connect to other dae‐ mons at all, and will instead just listen for incoming connections. DecrementTTL = yes | no (no) [experimental] When enabled, tinc will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets, before forwarding a received packet to the virtual network device or to another node, and will drop packets that have a TTL value of zero, in which case it will send an ICMP Time Exceeded packet back. Do not use this option if you use switch mode and want to use IPv6. Device = device (/dev/tap0, /dev/net/tun or other depending on platform) The virtual network device to use. tinc will automatically detect what kind of device it is. Note that you can only use one device per daemon. Under Windows, use Interface instead of Device. The info pages of the tinc pack‐ age contain more information about configuring the virtual network device. DeviceStandby = yes | no (no) When disabled, tinc calls tinc-up on startup, and tinc-down on shutdown. When enabled, tinc will only call tinc-up when at least one node is reachable, and will call tinc-down as soon as no nodes are reachable. On Windows, this also determines when the virtual network interface "cable" is "plugged". DeviceType = type (platform dependent) The type of the virtual network device. Tinc will normally automatically select the right type of tun/tap inter‐ face, and this option should not be used. However, this option can be used to select one of the special interface types, if support for them is compiled in. dummy Use a dummy interface. No packets are ever read or written to a virtual network device. Useful for test‐ ing, or when setting up a node that only forwards packets for other nodes. raw_socket Open a raw socket, and bind it to a pre-existing Interface (eth0 by default). All packets are read from this interface. Packets received for the local node are written to the raw socket. However, at least on Linux, the operating system does not process IP packets destined for the local host. multicast Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using Device. Packets are read from and written to this multicast socket. This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address. Do NOT connect mul‐ tiple tinc daemons to the same multicast address, this will very likely cause routing loops. Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured. fd Use a file descriptor, given directly as an integer or passed through a unix domain socket. On Linux, an abstract socket address can be specified by using "@" as a prefix. All packets are read from this inter‐ face. Packets received for the local node are written to it. uml (not compiled in by default) Create a UNIX socket with the filename specified by Device, or /usr/local/var/run/NETNAME.umlsocket if not specified. tinc will wait for a User Mode Linux instance to connect to this socket. vde (not compiled in by default) Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch, using the UNIX socket specified by Device, or /usr/local/var/run/vde.ctl if not specified. Also, in case tinc does not seem to correctly interpret packets received from the virtual network device, it can be used to change the way packets are interpreted: tun (BSD and Linux) Set type to tun. Depending on the platform, this can either be with or without an address family header (see below). tunnohead (BSD) Set type to tun without an address family header. Tinc will expect packets read from the virtual network device to start with an IP header. On some platforms IPv6 packets cannot be read from or written to the device in this mode. tunifhead (BSD) Set type to tun with an address family header. Tinc will expect packets read from the virtual network de‐ vice to start with a four byte header containing the address family, followed by an IP header. This mode should support both IPv4 and IPv6 packets. utun (OS X) Set type to utun. This is only supported on OS X version 10.6.8 and higher, but doesn't require the tunta‐ posx module. This mode should support both IPv4 and IPv6 packets. tap (BSD and Linux) Set type to tap. Tinc will expect packets read from the virtual network device to start with an Ethernet header. DirectOnly = yes | no (no) [experimental] When this option is enabled, packets that cannot be sent directly to the destination node, but which would have to be forwarded by an intermediate node, are dropped instead. When combined with the IndirectData option, packets for nodes for which we do not have a meta connection with are also dropped. Ed25519PrivateKeyFile = filename (/usr/local/etc/tinc/NETNAME/ed25519_key.priv) The file in which the private Ed25519 key of this tinc daemon resides. This is only used if ExperimentalProtocol is enabled. ExperimentalProtocol = yes | no (yes) When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it. Ephemeral ECDH will be used for key exchanges, and Ed25519 will be used instead of RSA for authentication. When enabled, an Ed25519 key must have been generated before with tinc generate-ed25519-keys. Forwarding = off | internal | kernel (internal) [experimental] This option selects the way indirect packets are forwarded. off Incoming packets that are not meant for the local node, but which should be forwarded to another node, are dropped. internal Incoming packets that are meant for another node are forwarded by tinc internally. This is the default mode, and unless you really know you need another forwarding mode, don't change it. kernel Incoming packets using the legacy protocol are always sent to the TUN/TAP device, even if the packets are not for the local node. This is less efficient, but allows the kernel to apply its routing and firewall rules on them, and can also help debugging. Incoming packets using the SPTPS protocol are dropped, since they are end-to-end encrypted. FWMark = value (0) [experimental] When set to a non-zero value, all TCP and UDP sockets created by tinc will use the given value as the firewall mark. This can be used for mark-based routing or for packet filtering. This option is currently only supported on Linux. Hostnames = yes | no (no) This option selects whether IP addresses (both real and on the VPN) should be resolved. Since DNS lookups are blocking, it might affect tinc's efficiency, even stopping the daemon for a few seconds every time it does a lookup if your DNS server is not responding. This does not affect resolving hostnames to IP addresses from the host configuration files, but whether hostnames should be resolved while logging. IffOneQueue = yes | no (no) [experimental] (Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices. Interface = interface Defines the name of the interface corresponding to the virtual network device. Depending on the operating system and the type of device this may or may not actually set the name of the interface. Under Windows, this variable is used to select which network interface will be used. If you specified a Device, this variable is almost always al‐ ready correctly set. InvitationExpire = seconds (604800) This option controls the period invitations are valid. KeyExpire = seconds (3600) This option controls the period the encryption keys used to encrypt the data are valid. It is common practice to change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impos‐ sible to crack a single key. ListenAddress = address [port] If your computer has more than one IPv4 or IPv6 address, tinc will by default listen on all of them for incoming connections. This option can be used to restrict which addresses tinc listens on. Multiple ListenAddress vari‐ ables may be specified, in which case listening sockets for each specified address are made. If no port is specified, the socket will listen on the port specified by the Port option, or to port 655 if neither is given. To only listen on a specific port but not on a specific address, use * for the address. If port is set to zero, it will be randomly assigned by the system. This is useful to randomize source ports of UDP packets, which can improve UDP hole punching reliability. In this case it is recommended to set AddressFamily as well, otherwise tinc will assign different ports to different address families but other nodes can only know of one. LocalDiscovery = yes | no (yes) When enabled, tinc will try to detect peers that are on the same local network. This will allow direct communica‐ tion using LAN addresses, even if both peers are behind a NAT and they only ConnectTo a third node outside the NAT, which normally would prevent the peers from learning each other's LAN address. Currently, local discovery is implemented by sending some packets to the local address of the node during UDP dis‐ covery. This will not work with old nodes that don't transmit their local address. LogLevel = level (0) This option controls the verbosity of the logging. The higher the debug level, the more messages it will log. MACExpire = seconds (600) This option controls the amount of time MAC addresses are kept before they are removed. This only has effect when Mode is set to "switch". MaxConnectionBurst = count (100) This option controls how many connections tinc accepts in quick succession. If there are more connections than the given number in a short time interval, tinc will reduce the number of accepted connections to only one per second, until the burst has passed. MaxTimeout = seconds (900) This is the maximum delay before trying to reconnect to other tinc daemons. Mode = router | switch | hub (router) This option selects the way packets are routed to other daemons. router In this mode Subnet variables in the host configuration files will be used to form a routing table. Only packets of routable protocols (IPv4 and IPv6) are supported in this mode. This is the default mode, and unless you really know you need another mode, don't change it. switch In this mode the MAC addresses of the packets on the VPN will be used to dynamically create a routing table just like an Ethernet switch does. Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode at the cost of frequent broadcast ARP requests and routing table updates. This mode is primarily useful if you want to bridge Ethernet segments. hub This mode is almost the same as the switch mode, but instead every packet will be broadcast to the other daemons while no routing table is managed. Name = name [required] This is the name which identifies this tinc daemon. It must be unique for the virtual private network this daemon will connect to. Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive. If Name starts with a $, then the contents of the environment variable that follows will be used. In that case, invalid characters will be converted to underscores. If Name is $HOST, but no such environment vari‐ able exist, the hostname will be read using the gethostname() system call. PingInterval = seconds (60) The number of seconds of inactivity that tinc will wait before sending a probe to the other end. PingTimeout = seconds (5) The number of seconds to wait for a response to pings or to allow meta connections to block. If the other end doesn't respond within this time, the connection is terminated, and the others will be notified of this. PriorityInheritance = yes | no (no) [experimental] When this option is enabled the value of the TOS field of tunneled IPv4 packets will be inherited by the UDP pack‐ ets that are sent out. PrivateKey = key [obsolete] The private RSA key of this tinc daemon. It will allow this tinc daemon to authenticate itself to other daemons. PrivateKeyFile = filename (/usr/local/etc/tinc/NETNAME/rsa_key.priv) The file in which the private RSA key of this tinc daemon resides. ProcessPriority = low | normal | high When this option is used the priority of the tincd process will be adjusted. Increasing the priority may help to reduce latency and packet loss on the VPN. Proxy = socks4 | socks5 | http | exec ... [experimental] Use a proxy when making outgoing connections. The following proxy types are currently supported: socks4 address port [username] Connects to the proxy using the SOCKS version 4 protocol. Optionally, a username can be supplied which will be passed on to the proxy server. Only IPv4 connections can be proxied using SOCKS 4. socks5 address port [username password] Connect to the proxy using the SOCKS version 5 protocol. If a username and password are given, basic user‐ name/password authentication will be used, otherwise no authentication will be used. http address port Connects to the proxy and sends a HTTP CONNECT request. exec command Executes the given command which should set up the outgoing connection. The environment variables NAME, NODE, REMOTEADDRES and REMOTEPORT are available. ReplayWindow = bytes (32) This is the size of the replay tracking window for each remote node, in bytes. The window is a bitfield which tracks 1 packet per bit, so for example the default setting of 32 will track up to 256 packets in the window. In high bandwidth scenarios, setting this to a higher value can reduce packet loss from the interaction of replay tracking with underlying real packet loss and/or reordering. Setting this to zero will disable replay tracking com‐ pletely and pass all traffic, but leaves tinc vulnerable to replay-based attacks on your traffic. StrictSubnets = yes | no (no) [experimental] When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /usr/local/etc/tinc/NETNAME/hosts/ directory. Subnets learned via connections to other nodes and which are not present in the local host config files are ignored. TunnelServer = yes | no (no) [experimental] When this option is enabled tinc will no longer forward information between other tinc daemons, and will only allow connections with nodes for which host config files are present in the local /usr/local/etc/tinc/NETNAME/hosts/ di‐ rectory. Setting this options also implicitly sets StrictSubnets. UDPDiscovery = yes | no (yes) When this option is enabled tinc will try to establish UDP connectivity to nodes, using TCP while it determines if a node is reachable over UDP. If it is disabled, tinc always assumes a node is reachable over UDP. Note that tinc will never use UDP with nodes that have TCPOnly enabled. UDPDiscoveryKeepaliveInterval = seconds (9) The minimum amount of time between sending UDP ping datagrams to check UDP connectivity once it has been estab‐ lished. Note that these pings are large, since they are used to verify link MTU as well. UDPDiscoveryInterval = seconds (2) The minimum amount of time between sending UDP ping datagrams to try to establish UDP connectivity. UDPDiscoveryTimeout = seconds (30) If tinc doesn't receive any UDP ping replies over the specified interval, it will assume UDP communication is bro‐ ken and will fall back to TCP. UDPInfoInterval = seconds (5) The minimum amount of time between sending periodic updates about UDP addresses, which are mostly useful for UDP hole punching. UDPRcvBuf = bytes (1048576) Sets the socket receive buffer size for the UDP socket, in bytes. If set to zero, the default buffer size will be used by the operating system. Note: this setting can have a significant impact on performance, especially raw throughput. UDPSndBuf = bytes (1048576) Sets the socket send buffer size for the UDP socket, in bytes. If set to zero, the default buffer size will be used by the operating system. Note: this setting can have a significant impact on performance, especially raw throughput. UPnP = yes | udponly | no (no) If this option is enabled then tinc will search for UPnP-IGD devices on the local network. It will then create and maintain port mappings for tinc's listening TCP and UDP ports. If set to "udponly", tinc will only create a map‐ ping for its UDP (data) port, not for its TCP (metaconnection) port. Note that tinc must have been built with miniupnpc support for this feature to be available. Furthermore, be advised that enabling this can have security implications, because the miniupnpc library that tinc uses might not be well-hardened with regard to malicious UPnP replies. UPnPDiscoverWait = seconds (5) The amount of time to wait for replies when probing the local network for UPnP devices. UPnPRefreshPeriod = seconds (60) How often tinc will re-add the port mapping, in case it gets reset on the UPnP device. This also controls the dura‐ tion of the port mapping itself, which will be set to twice that duration. The host configuration files contain all information needed to establish a connection to those hosts. A host configuration file is also required for the local tinc daemon, it will use it to read in it's listen port, public key and subnets. The idea is that these files are portable. You can safely mail your own host configuration file to someone else. That other person can then copy it to his own hosts directory, and now his tinc daemon will be able to connect to your tinc dae‐ mon. Since host configuration files only contain public keys, no secrets are revealed by sending out this information. Address = address [port] [recommended] The IP address or hostname of this tinc daemon on the real network. This will only be used when trying to make an outgoing connection to this tinc daemon. Optionally, a port can be specified to use for this address. Multiple Address variables can be specified, in which case each address will be tried until a working connection has been established. Cipher = cipher (blowfish) The symmetric cipher algorithm used to encrypt UDP packets. Any cipher supported by LibreSSL or OpenSSL is recog‐ nised. Furthermore, specifying "none" will turn off packet encryption. It is best to use only those ciphers which support CBC mode. This option has no effect for connections between nodes using ExperimentalProtocol. ClampMSS = yes | no (yes) This option specifies whether tinc should clamp the maximum segment size (MSS) of TCP packets to the path MTU. This helps in situations where ICMP Fragmentation Needed or Packet too Big messages are dropped by firewalls. Compression = level (0) This option sets the level of compression used for UDP packets. Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), 10 (fast lzo) and 11 (best lzo). Digest = digest (sha1) The digest algorithm used to authenticate UDP packets. Any digest supported by LibreSSL or OpenSSL is recognised. Furthermore, specifying "none" will turn off packet authentication. This option has no effect for connections be‐ tween nodes using ExperimentalProtocol. IndirectData = yes | no (no) When set to yes, only nodes which already have a meta connection to you will try to establish direct communication with you. It is best to leave this option out or set it to no. MACLength = length (4) The length of the message authentication code used to authenticate UDP packets. Can be anything from "0" up to the length of the digest produced by the digest algorithm. This option has no effect for connections between nodes us‐ ing ExperimentalProtocol. PMTU = mtu (1514) This option controls the initial path MTU to this node. PMTUDiscovery = yes | no (yes) When this option is enabled, tinc will try to discover the path MTU to this node. After the path MTU has been dis‐ covered, it will be enforced on the VPN. MTUInfoInterval = seconds (5) The minimum amount of time between sending periodic updates about relay path MTU. Useful for quickly determining MTU to indirect nodes. Port = port (655) The port number on which this tinc daemon is listening for incoming connections, which is used if no port number is specified in an Address statement. If this is set to zero, the port will be randomly assigned by the system. This is useful to randomize source ports of UDP packets, which can improve UDP hole punching reliability. When setting Port to zero it is recommended to set AddressFamily as well, otherwise tinc will assign different ports to different address families but other nodes can only know of one. PublicKey = key [obsolete] The public RSA key of this tinc daemon. It will be used to cryptographically verify it's identity and to set up a secure connection. PublicKeyFile = filename [obsolete] The file in which the public RSA key of this tinc daemon resides. From version 1.0pre4 on tinc will store the public key directly into the host configuration file in PEM format, the above two options then are not necessary. Either the PEM format is used, or exactly one of the above two options must be specified in each host configuration file, if you want to be able to establish a connection with that host. Subnet = address[/prefixlength[#weight]] The subnet which this tinc daemon will serve. tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet. If the packet matches a subnet, it will be sent to the daemon who has this subnet in his host configuration file. Multiple Subnet variables can be specified. Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single ad‐ dress is assumed, or they can be a IPv4 or IPv6 network address with a prefixlength. For example, IPv4 subnets must be in a form like 192.168.1.0/24, where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask. Note that subnets like 192.168.1.1/24 are invalid! Read a networking HOWTO/FAQ/guide if you don't understand this. IPv6 subnets are notated like fec0:0:0:1::/64. MAC addresses are notated like 0:1a:2b:3c:4d:5e. A Subnet can be given a weight to indicate its priority over identical Subnets owned by different nodes. The de‐ fault weight is 10. Lower values indicate higher priority. Packets will be sent to the node with the highest prior‐ ity, unless that node is not reachable, in which case the node with the next highest priority will be tried, and so on. TCPOnly = yes | no (no [obsolete]) If this variable is set to yes, then the packets are tunnelled over the TCP connection instead of a UDP connection. This is especially useful for those who want to run a tinc daemon from behind a masquerading firewall, or if UDP packet routing is disabled somehow. Setting this options also implicitly sets IndirectData. Since version 1.0.10, tinc will automatically detect whether communication via UDP is possible or not. Weight = weight If this variable is set, it overrides the weight given to connections made with another host. A higher weight means a lower priority is given to this connection when broadcasting or forwarding packets. SCRIPTS Apart from reading the server and host configuration files, tinc can also run scripts at certain moments. Below is a list of filenames of scripts and a description of when they are run. A script is only run if it exists and if it is executable. Scripts are run synchronously; this means that tinc will temporarily stop processing packets until the called script fin‐ ishes executing. This guarantees that scripts will execute in the exact same order as the events that trigger them. If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background. Under Windows, the scripts must have the extension .bat or .cmd. /usr/local/etc/tinc/NETNAME/tinc-up This is the most important script. If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device (or when the first node becomes reachable if DeviceStandby is used). It should be used to set up the corresponding network interface, but can also be used to start other things. Under Windows you can use the Network Connections control panel instead of creating this script. /usr/local/etc/tinc/NETNAME/tinc-down This script is started right before the tinc daemon quits (or when the last node becomes unreachable if DeviceStandby is used). /usr/local/etc/tinc/NETNAME/hosts/HOST-up This script is started when the tinc daemon with name HOST becomes reachable. /usr/local/etc/tinc/NETNAME/hosts/HOST-down This script is started when the tinc daemon with name HOST becomes unreachable. /usr/local/etc/tinc/NETNAME/host-up This script is started when any host becomes reachable. /usr/local/etc/tinc/NETNAME/host-down This script is started when any host becomes unreachable. /usr/local/etc/tinc/NETNAME/subnet-up This script is started when a Subnet becomes reachable. The Subnet and the node it belongs to are passed in envi‐ ronment variables. /usr/local/etc/tinc/NETNAME/subnet-down This script is started when a Subnet becomes unreachable. /usr/local/etc/tinc/NETNAME/invitation-created This script is started when a new invitation has been created. /usr/local/etc/tinc/NETNAME/invitation-accepted This script is started when an invitation has been used. The scripts are started without command line arguments, but can make use of certain environment variables. Under UNIX like operating systems the names of environment variables must be preceded by a $ in scripts. Under Windows, in .bat or .cmd files, they have to be put between % signs. NETNAME If a netname was specified, this environment variable contains it. NAME Contains the name of this tinc daemon. DEVICE Contains the name of the virtual network device that tinc uses. INTERFACE Contains the name of the virtual network interface that tinc uses. This should be used for commands like ifconfig. NODE When a host becomes (un)reachable, this is set to its name. If a subnet becomes (un)reachable, this is set to the owner of that subnet. REMOTEADDRESS When a host becomes (un)reachable, this is set to its real address. REMOTEPORT When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc dae‐ mons. SUBNET When a subnet becomes (un)reachable, this is set to the subnet. WEIGHT When a subnet becomes (un)reachable, this is set to the subnet weight. INVITATION_FILE When the invitation-created script is called, this is set to the file where the invitation details will be stored. INVITATION_URL When the invitation-created script is called, this is set to the invitation URL that has been created. Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command chmod a+x script. FILES The most important files are: /usr/local/etc/tinc/ The top directory for configuration files. /usr/local/etc/tinc/NETNAME/tinc.conf The default name of the server configuration file for net NETNAME. /usr/local/etc/tinc/NETNAME/conf.d/ Optional directory from which any .conf file will be loaded /usr/local/etc/tinc/NETNAME/hosts/ Host configuration files are kept in this directory. /usr/local/etc/tinc/NETNAME/tinc-up If an executable file with this name exists, it will be executed right after the tinc daemon has connected to the virtual network device. It can be used to set up the corresponding network interface. /usr/local/etc/tinc/NETNAME/tinc-down If an executable file with this name exists, it will be executed right before the tinc daemon is going to close its connection to the virtual network device. /usr/local/etc/tinc/NETNAME/invitations/ This directory contains outstanding invitations. /usr/local/etc/tinc/NETNAME/invitation-data After a successful join, this file contains a copy of the invitation data received. tincd(8), tinc(8), https://www.tinc-vpn.org/, http://www.tldp.org/LDP/nag2/. The full documentation for tinc is maintained as a Texinfo manual. If the info and tinc programs are properly installed at your site, the command info tinc should give you access to the complete manual. tinc comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain condi‐ tions; see the file COPYING for details. June 27, 2021