TINC.CONF(5)                                         BSD File Formats Manual                                        TINC.CONF(5)

NAME
     tinc.conf — tinc daemon configuration

DESCRIPTION
     The files in the /etc/tinc/ directory contain runtime and security information for the tinc daemon.

NETWORKS
     To distinguish multiple instances of tinc running on one computer, you can use the -n option to assign a network name to
     each tinc daemon.

     The effect of this option is that the daemon will set its configuration root to /etc/tinc/NETNAME/, where NETNAME is your
     argument to the -n option.  You'll notice that messages appear in syslog as coming from tincd.NETNAME, and on Linux, unless
     specified otherwise, the name of the virtual network interface will be the same as the network name.

     It is recommended that you use network names even if you run only one instance of tinc.  However, you can choose not to use
     the -n option.  In this case, the network name would just be empty, and tinc now looks for files in /etc/tinc/, instead of
     /etc/tinc/NETNAME/; the configuration file should be /etc/tinc/tinc.conf, and the host configuration files are now expected
     to be in /etc/tinc/hosts/.

NAMES
     Each tinc daemon should have a name that is unique in the network which it will be part of.  The name will be used by other
     tinc daemons for identification.  The name has to be declared in the /etc/tinc/NETNAME/tinc.conf file.

     To make things easy, choose something that will give unique and easy to remember names to your tinc daemon(s).  You could
     try things like hostnames, owner surnames or location names.  However, you are only allowed to use alphanumerical charac‐
     ters (a-z, A-Z, and 0-9) and underscores (_) in the name.
     If you have not configured tinc yet, you can easily create a basic configuration using the following command:

           tinc -n NETNAME init NAME

     You can further change the configuration as needed either by manually editing the configuration files, or by using tinc(8).
     The tinc init command will have generated both RSA and ECDSA public/private keypairs.  The private keys should be stored in
     files named rsa_key.priv and ecdsa_key.priv in the directory /etc/tinc/NETNAME/ The public keys should be stored in the
     host configuration file /etc/tinc/NETNAME/hosts/NAME.  The RSA keys are used for backwards compatibility with tinc version
     1.0.  If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files, but you will need to create
     ECDSA keys using the following command:

           tinc -n NETNAME generate-ecdsa-keys
     The server configuration of the daemon is done in the file /etc/tinc/NETNAME/tinc.conf.  This file consists of comments
     (lines started with a #) or assignments in the form of:

     Variable = Value.

     The variable names are case insensitive, and any spaces, tabs, newlines and carriage returns are ignored.  Note: it is not
     required that you put in the = sign, but doing so improves readability.  If you leave it out, remember to replace it with
     at least one space character.

     The server configuration is complemented with host specific configuration (see the next section).  Although all configura‐
     tion options for the local host listed in this document can also be put in /etc/tinc/NETNAME/tinc.conf, it is recommended
     to put host specific configuration options in the host configuration file, as this makes it easy to exchange with other
     nodes.

     You can edit the config file manually, but it is recommended that you use tinc(8) to change configuration variables for
     you.

     Here are all valid variables, listed in alphabetical order.  The default value is given between parentheses.

     AddressFamily = ipv4 | ipv6 | any (any)
             This option affects the address family of listening and outgoing sockets.  If "any" is selected, then depending on
             the operating system both IPv4 and IPv6 or just IPv6 listening sockets will be created.

     AutoConnect = count (0) [experimental]
             If set to a non-zero value, tinc.conf will try to only have count meta connections to other nodes, by automatically
             making or breaking connections to known nodes.  Higher values increase redundancy but also increase meta data over‐
             head.  When using this option, a good value is 3.

     BindToAddress = address [port]
             This is the same as ListenAddress, however the address given with the BindToAddress option will also be used for
             outgoing connections. This is useful if your computer has more than one IPv4 or IPv6 address, and you want tinc to
             only use a specific one for outgoing packets.

     BindToInterface = interface [experimental]
             If your computer has more than one network interface, tinc will by default listen on all of them for incoming con‐
             nections.  It is possible to bind only to a single interface with this variable.

             This option may not work on all platforms.  Also, on some platforms it will not actually bind to an interface, but
             rather to the address that the interface has at the moment a socket is created.

     Broadcast = no | mst | direct (mst) [experimental]
             This option selects the way broadcast packets are sent to other daemons.  NOTE: all nodes in a VPN must use the
             same Broadcast mode, otherwise routing loops can form.

             no      Broadcast packets are never sent to other nodes.

             mst     Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.  This ensures broadcast pack‐
                     ets reach all nodes.

             direct  Broadcast packets are sent directly to all nodes that can be reached directly.  Broadcast packets received
                     from other nodes are never forwarded.  If the IndirectData option is also set, broadcast packets will only
                     be sent to nodes which we have a meta connection to.

     ConnectTo = name
             Specifies which other tinc daemon to connect to on startup.  Multiple ConnectTo variables may be specified, in
             which case outgoing connections to each specified tinc daemon are made.  The names should be known to this tinc
             daemon (i.e., there should be a host configuration file for the name on the ConnectTo line).

             If you don't specify a host with ConnectTo, tinc won't try to connect to other daemons at all, and will instead
             just listen for incoming connections.

     DecrementTTL = yes | no (no) [experimental]
             When enabled, tinc will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets,
             before forwarding a received packet to the virtual network device or to another node, and will drop packets that
             have a TTL value of zero, in which case it will send an ICMP Time Exceeded packet back.

             Do not use this option if you use switch mode and want to use IPv6.

     Device = device (/dev/tap0, /dev/net/tun or other depending on platform)
             The virtual network device to use.  tinc will automatically detect what kind of device it is.  Note that you can
             only use one device per daemon.  Under Windows, use Interface instead of Device.  The info pages of the tinc pack‐
             age contain more information about configuring the virtual network device.

     DeviceType = type (platform dependent)
             The type of the virtual network device.  Tinc will normally automatically select the right type of tun/tap inter‐
             face, and this option should not be used.  However, this option can be used to select one of the special interface
             types, if support for them is compiled in.

             dummy   Use a dummy interface.  No packets are ever read or written to a virtual network device.  Useful for test‐
                     ing, or when setting up a node that only forwards packets for other nodes.

             raw_socket
                     Open a raw socket, and bind it to a pre-existing Interface (eth0 by default).  All packets are read from
                     this interface.  Packets received for the local node are written to the raw socket.  However, at least on
                     Linux, the operating system does not process IP packets destined for the local host.

             multicast
                     Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL
                     value specified using Device.  Packets are read from and written to this multicast socket.  This can be
                     used to connect to UML, QEMU or KVM instances listening on the same multicast address.  Do NOT connect mul‐
                     tiple tinc daemons to the same multicast address, this will very likely cause routing loops.  Also note
                     that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.

             uml (not compiled in by default)
                     Create a UNIX socket with the filename specified by Device, or /var/run/NETNAME.umlsocket if not specified.
                     tinc will wait for a User Mode Linux instance to connect to this socket.

             vde (not compiled in by default)
                     Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch, using the UNIX socket
                     specified by Device, or /var/run/vde.ctl if not specified.
             Also, in case tinc does not seem to correctly interpret packets received from the virtual network device, it can be
             used to change the way packets are interpreted:

             tun (BSD and Linux)
                     Set type to tun.  Depending on the platform, this can either be with or without an address family header
                     (see below).

             tunnohead (BSD)
                     Set type to tun without an address family header.  Tinc will expect packets read from the virtual network
                     device to start with an IP header.  On some platforms IPv6 packets cannot be read from or written to the
                     device in this mode.

             tunifhead (BSD)
                     Set type to tun with an address family header.  Tinc will expect packets read from the virtual network
                     device to start with a four byte header containing the address family, followed by an IP header.  This mode
                     should support both IPv4 and IPv6 packets.

             tap (BSD and Linux)
                     Set type to tap.  Tinc will expect packets read from the virtual network device to start with an Ethernet
                     header.

     DirectOnly = yes | no (no) [experimental]
             When this option is enabled, packets that cannot be sent directly to the destination node, but which would have to
             be forwarded by an intermediate node, are dropped instead.  When combined with the IndirectData option, packets for
             nodes for which we do not have a meta connection with are also dropped.

     ECDSAPrivateKeyFile = filename (/etc/tinc/NETNAME/ecdsa_key.priv)
             The file in which the private ECDSA key of this tinc daemon resides.  This is only used if ExperimentalProtocol is
             enabled.

     ExperimentalProtocol = yes | no (yes)
             When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
             Ephemeral ECDH will be used for key exchanges, and ECDSA will be used instead of RSA for authentication.  When
             enabled, an ECDSA key must have been generated before with tinc generate-ecdsa-keys.

     Forwarding = off | internal | kernel (internal) [experimental]
             This option selects the way indirect packets are forwarded.

             off     Incoming packets that are not meant for the local node, but which should be forwarded to another node, are
                     dropped.

             internal
                     Incoming packets that are meant for another node are forwarded by tinc internally.

                     This is the default mode, and unless you really know you need another forwarding mode, don't change it.

             kernel  Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
                     This is less efficient, but allows the kernel to apply its routing and firewall rules on them, and can also
                     help debugging.

     Hostnames = yes | no (no)
             This option selects whether IP addresses (both real and on the VPN) should be resolved. Since DNS lookups are
             blocking, it might affect tinc's efficiency, even stopping the daemon for a few seconds every time it does a lookup
             if your DNS server is not responding.

             This does not affect resolving hostnames to IP addresses from the host configuration files, but whether hostnames
             should be resolved while logging.

     IffOneQueue = yes | no (no) [experimental]
             (Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.

     Interface = interface
             Defines the name of the interface corresponding to the virtual network device.  Depending on the operating system
             and the type of device this may or may not actually set the name of the interface.  Under Windows, this variable is
             used to select which network interface will be used.  If you specified a Device, this variable is almost always
             already correctly set.

     KeyExpire = seconds (3600)
             This option controls the period the encryption keys used to encrypt the data are valid.  It is common practice to
             change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impos‐
             sible to crack a single key.

     ListenAddress = address [port]
             If your computer has more than one IPv4 or IPv6 address, tinc will by default listen on all of them for incoming
             connections.  This option can be used to restrict which addresses tinc listens on.  Multiple ListenAddress vari‐
             ables may be specified, in which case listening sockets for each specified address are made.

             If no port is specified, the socket will listen on the port specified by the Port option, or to port 655 if neither
             is given.  To only listen on a specific port but not on a specific address, use * for the address.

     LocalDiscovery = yes | no (no)
             When enabled, tinc will try to detect peers that are on the same local network.  This will allow direct communica‐
             tion using LAN addresses, even if both peers are behind a NAT and they only ConnectTo a third node outside the NAT,
             which normally would prevent the peers from learning each other's LAN address.

             Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.  This
             feature may not work in all possible situations.

     LocalDiscoveryAddress = address
             If this variable is specified, local discovery packets are sent to the given address.

     MACExpire = seconds (600)
             This option controls the amount of time MAC addresses are kept before they are removed.  This only has effect when
             Mode is set to "switch".

     MaxConnectionBurst = count (100)
             This option controls how many connections tinc accepts in quick succession.  If there are more connections than the
             given number in a short time interval, tinc will reduce the number of accepted connections to only one per second,
             until the burst has passed.

     MaxTimeout = seconds (900)
             This is the maximum delay before trying to reconnect to other tinc daemons.

     Mode = router | switch | hub (router)
             This option selects the way packets are routed to other daemons.

             router  In this mode Subnet variables in the host configuration files will be used to form a routing table.  Only
                     packets of routable protocols (IPv4 and IPv6) are supported in this mode.

                     This is the default mode, and unless you really know you need another mode, don't change it.

             switch  In this mode the MAC addresses of the packets on the VPN will be used to dynamically create a routing table
                     just like an Ethernet switch does.  Unicast, multicast and broadcast packets of every protocol that runs
                     over Ethernet are supported in this mode at the cost of frequent broadcast ARP requests and routing table
                     updates.

                     This mode is primarily useful if you want to bridge Ethernet segments.

             hub     This mode is almost the same as the switch mode, but instead every packet will be broadcast to the other
                     daemons while no routing table is managed.

     Name = name [required]
             This is the name which identifies this tinc daemon.  It must be unique for the virtual private network this daemon
             will connect to.  The Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is
             case sensitive.  If Name starts with a $, then the contents of the environment variable that follows will be used.
             In that case, invalid characters will be converted to underscores.  If Name is $HOST, but no such environment vari‐
             able exist, the hostname will be read using the gethostname() system call.

     PingInterval = seconds (60)
             The number of seconds of inactivity that tinc will wait before sending a probe to the other end.

     PingTimeout = seconds (5)
             The number of seconds to wait for a response to pings or to allow meta connections to block. If the other end
             doesn't respond within this time, the connection is terminated, and the others will be notified of this.

     PriorityInheritance = yes | no (no) [experimental]
             When this option is enabled the value of the TOS field of tunneled IPv4 packets will be inherited by the UDP pack‐
             ets that are sent out.

     PrivateKey = key [obsolete]
             The private RSA key of this tinc daemon.  It will allow this tinc daemon to authenticate itself to other daemons.

     PrivateKeyFile = filename (/etc/tinc/NETNAME/rsa_key.priv)
             The file in which the private RSA key of this tinc daemon resides.

     ProcessPriority = low | normal | high
             When this option is used the priority of the tincd process will be adjusted.  Increasing the priority may help to
             reduce latency and packet loss on the VPN.

     Proxy = socks4 | socks5 | http | exec ... [experimental]
             Use a proxy when making outgoing connections.  The following proxy types are currently supported:

             socks4 address port [username]
                     Connects to the proxy using the SOCKS version 4 protocol.  Optionally, a username can be supplied which
                     will be passed on to the proxy server.  Only IPv4 connections can be proxied using SOCKS 4.

             socks5 address port [username password]
                     Connect to the proxy using the SOCKS version 5 protocol.  If a username and password are given, basic user‐
                     name/password authentication will be used, otherwise no authentication will be used.

             http address port
                     Connects to the proxy and sends a HTTP CONNECT request.

             exec command
                     Executes the given command which should set up the outgoing connection.  The environment variables NAME,
                     NODE, REMOTEADDRES and REMOTEPORT are available.

     ReplayWindow = bytes (16)
             This is the size of the replay tracking window for each remote node, in bytes.  The window is a bitfield which
             tracks 1 packet per bit, so for example the default setting of 16 will track up to 128 packets in the window. In
             high bandwidth scenarios, setting this to a higher value can reduce packet loss from the interaction of replay
             tracking with underlying real packet loss and/or reordering. Setting this to zero will disable replay tracking com‐
             pletely and pass all traffic, but leaves tinc vulnerable to replay-based attacks on your traffic.

     StrictSubnets = yes | no (no) [experimental]
             When this option is enabled tinc will only use Subnet statements which are present in the host config files in the
             local /etc/tinc/NETNAME/hosts/ directory. Subnets learned via connections to other nodes and which are not present
             in the local host config files are ignored.

     TunnelServer = yes | no (no) [experimental]
             When this option is enabled tinc will no longer forward information between other tinc daemons, and will only allow
             connections with nodes for which host config files are present in the local /etc/tinc/NETNAME/hosts/ directory.
             Setting this options also implicitly sets StrictSubnets.

     UDPRcvBuf = bytes (OS default)
             Sets the socket receive buffer size for the UDP socket, in bytes.  If unset, the default buffer size will be used
             by the operating system.

     UDPSndBuf = bytes (OS default)
             Sets the socket send buffer size for the UDP socket, in bytes.  If unset, the default buffer size will be used by
             the operating system.
     The host configuration files contain all information needed to establish a connection to those hosts.  A host configuration
     file is also required for the local tinc daemon, it will use it to read in it's listen port, public key and subnets.

     The idea is that these files are portable.  You can safely mail your own host configuration file to someone else.  That
     other person can then copy it to his own hosts directory, and now his tinc daemon will be able to connect to your tinc dae‐
     mon.  Since host configuration files only contain public keys, no secrets are revealed by sending out this information.

     Address = address [port] [recommended]
             The IP address or hostname of this tinc daemon on the real network.  This will only be used when trying to make an
             outgoing connection to this tinc daemon.  Optionally, a port can be specified to use for this address.  Multiple
             Address variables can be specified, in which case each address will be tried until a working connection has been
             established.

     Cipher = cipher (blowfish)
             The symmetric cipher algorithm used to encrypt UDP packets.  Any cipher supported by OpenSSL is recognised.  Fur‐
             thermore, specifying "none" will turn off packet encryption.  It is best to use only those ciphers which support
             CBC mode.  This option has no effect for connections between nodes using ExperimentalProtocol.

     ClampMSS = yes | no (yes)
             This option specifies whether tinc should clamp the maximum segment size (MSS) of TCP packets to the path MTU. This
             helps in situations where ICMP Fragmentation Needed or Packet too Big messages are dropped by firewalls.

     Compression = level (0)
             This option sets the level of compression used for UDP packets.  Possible values are 0 (off), 1 (fast zlib) and any
             integer up to 9 (best zlib), 10 (fast lzo) and 11 (best lzo).

     Digest = digest (sha1)
             The digest algorithm used to authenticate UDP packets.  Any digest supported by OpenSSL is recognised.  Further‐
             more, specifying "none" will turn off packet authentication.  This option has no effect for connections between
             nodes using ExperimentalProtocol.

     IndirectData = yes | no (no)
             When set to yes, other nodes which do not already have a meta connection to you will not try to establish direct
             communication with you.  It is best to leave this option out or set it to no.

     MACLength = length (4)
             The length of the message authentication code used to authenticate UDP packets.  Can be anything from "0" up to the
             length of the digest produced by the digest algorithm.  This option has no effect for connections between nodes
             using ExperimentalProtocol.

     PMTU = mtu (1514)
             This option controls the initial path MTU to this node.

     PMTUDiscovery = yes | no (yes)
             When this option is enabled, tinc will try to discover the path MTU to this node.  After the path MTU has been dis‐
             covered, it will be enforced on the VPN.

     Port = port (655)
             The port number on which this tinc daemon is listening for incoming connections, which is used if no port number is
             specified in an Address statement.

     PublicKey = key [obsolete]
             The public RSA key of this tinc daemon.  It will be used to cryptographically verify it's identity and to set up a
             secure connection.

     PublicKeyFile = filename [obsolete]
             The file in which the public RSA key of this tinc daemon resides.

             From version 1.0pre4 on tinc will store the public key directly into the host configuration file in PEM format, the
             above two options then are not necessary.  Either the PEM format is used, or exactly one of the above two options
             must be specified in each host configuration file, if you want to be able to establish a connection with that host.

     Subnet = address[/prefixlength[#weight]]
             The subnet which this tinc daemon will serve.  tinc tries to look up which other daemon it should send a packet to
             by searching the appropriate subnet.  If the packet matches a subnet, it will be sent to the daemon who has this
             subnet in his host configuration file.  Multiple Subnet variables can be specified.

             Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single
             address is assumed, or they can be a IPv4 or IPv6 network address with a prefixlength.  For example, IPv4 subnets
             must be in a form like 192.168.1.0/24, where 192.168.1.0 is the network address and 24 is the number of bits set in
             the netmask.  Note that subnets like 192.168.1.1/24 are invalid!  Read a networking HOWTO/FAQ/guide if you don't
             understand this.  IPv6 subnets are notated like fec0:0:0:1::/64.  MAC addresses are notated like 0:1a:2b:3c:4d:5e.

             A Subnet can be given a weight to indicate its priority over identical Subnets owned by different nodes. The
             default weight is 10. Lower values indicate higher priority. Packets will be sent to the node with the highest pri‐
             ority, unless that node is not reachable, in which case the node with the next highest priority will be tried, and
             so on.

     TCPOnly = yes | no (no [obsolete])
             If this variable is set to yes, then the packets are tunnelled over the TCP connection instead of a UDP connection.
             This is especially useful for those who want to run a tinc daemon from behind a masquerading firewall, or if UDP
             packet routing is disabled somehow.  Setting this options also implicitly sets IndirectData.

             Since version 1.0.10, tinc will automatically detect whether communication via UDP is possible or not.

     Weight = weight
             If this variable is set, it overrides the weight given to connections made with another host. A higher weight means
             a lower priority is given to this connection when broadcasting or forwarding packets.

SCRIPTS
     Apart from reading the server and host configuration files, tinc can also run scripts at certain moments.  Under Windows
     (not Cygwin), the scripts should have the extension .bat or cmd.

     /etc/tinc/NETNAME/tinc-up
             This is the most important script.  If it is present it will be executed right after the tinc daemon has been
             started and has connected to the virtual network device.  It should be used to set up the corresponding network
             interface, but can also be used to start other things.  Under Windows you can use the Network Connections control
             panel instead of creating this script.

     /etc/tinc/NETNAME/tinc-down
             This script is started right before the tinc daemon quits.

     /etc/tinc/NETNAME/hosts/HOST-up
             This script is started when the tinc daemon with name HOST becomes reachable.

     /etc/tinc/NETNAME/hosts/HOST-down
             This script is started when the tinc daemon with name HOST becomes unreachable.

     /etc/tinc/NETNAME/host-up
             This script is started when any host becomes reachable.

     /etc/tinc/NETNAME/host-down
             This script is started when any host becomes unreachable.

     /etc/tinc/NETNAME/subnet-up
             This script is started when a Subnet becomes reachable.  The Subnet and the node it belongs to are passed in envi‐
             ronment variables.

     /etc/tinc/NETNAME/subnet-down
             This script is started when a Subnet becomes unreachable.

     /etc/tinc/NETNAME/invitation-created
             This script is started when a new invitation has been created.

     /etc/tinc/NETNAME/invitation-accepted
             This script is started when an invitation has been used.

     The scripts are started without command line arguments, but can make use of certain environment variables.  Under UNIX like
     operating systems the names of environment variables must be preceded by a $ in scripts.  Under Windows, in .bat or .cmd
     files, they have to be put between % signs.

     NETNAME
             If a netname was specified, this environment variable contains it.

     NAME    Contains the name of this tinc daemon.

     DEVICE  Contains the name of the virtual network device that tinc uses.

     INTERFACE
             Contains the name of the virtual network interface that tinc uses.  This should be used for commands like ifconfig.

     NODE    When a host becomes (un)reachable, this is set to its name.  If a subnet becomes (un)reachable, this is set to the
             owner of that subnet.

     REMOTEADDRESS
             When a host becomes (un)reachable, this is set to its real address.

     REMOTEPORT
             When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc dae‐
             mons.

     SUBNET  When a subnet becomes (un)reachable, this is set to the subnet.

     WEIGHT  When a subnet becomes (un)reachable, this is set to the subnet weight.

     INVITATION_FILE
             When the invitation-created script is called, this is set to the file where the invitation details will be stored.

     INVITATION_URL
             When the invitation-created script is called, this is set to the invitation URL that has been created.

     Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command chmod a+x
     script.

FILES
     The most important files are:

     /etc/tinc/
             The top directory for configuration files.

     /etc/tinc/NETNAME/tinc.conf
             The default name of the server configuration file for net NETNAME.

     /etc/tinc/NETNAME/conf.d/
             Optional directory from which any .conf file will be loaded

     /etc/tinc/NETNAME/hosts/
             Host configuration files are kept in this directory.

     /etc/tinc/NETNAME/tinc-up
             If an executable file with this name exists, it will be executed right after the tinc daemon has connected to the
             virtual network device.  It can be used to set up the corresponding network interface.

     /etc/tinc/NETNAME/tinc-down
             If an executable file with this name exists, it will be executed right before the tinc daemon is going to close its
             connection to the virtual network device.
     tincd(8), tinc(8), http://www.tinc-vpn.org/, http://www.tldp.org/LDP/nag2/.

     The full documentation for tinc is maintained as a Texinfo manual.  If the info and tinc programs are properly installed at
     your site, the command info tinc should give you access to the complete manual.

     tinc comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are welcome to redistribute it under certain condi‐
     tions; see the file COPYING for details.

                                                        February 7, 2014