TINCD(8)                                           BSD System Manager's Manual                                          TINCD(8)

     tincd — tinc VPN daemon

     tincd [-cdDKnsoLRU] [--config=DIR] [--no-detach] [--debug[=LEVEL]] [--net=NETNAME] [--option=[HOST.]KEY=VALUE] [--mlock]
           [--logfile[=FILE]] [--syslog] [--bypass-security] [--chroot] [--user=USER] [--help] [--version]

     This is the daemon of tinc, a secure virtual private network (VPN) project.  When started, tincd will read it's configura‐
     tion file to determine what virtual subnets it has to serve and to what other tinc daemons it should connect.  It will con‐
     nect to the ethertap or tun/tap device and set up a socket for incoming connections.  Optionally a script will be executed
     to further configure the virtual device.  If that succeeds, it will detach from the controlling terminal and continue in
     the background, accepting and setting up connections to other tinc daemons that are part of the virtual private network.
     Under Windows tinc will install itself as a service, which will be restarted automatically after reboots.

     -c, --config=DIR
             Read configuration files from DIR instead of /usr/local/etc/tinc/.

     -D, --no-detach
             Don't fork and detach.  This will also disable the automatic restart mechanism for fatal errors.  If not mentioned
             otherwise, this will show log messages on the standard error output.

     -d, --debug[=LEVEL]
             Increase debug level or set it to LEVEL (see below).

     -n, --net=NETNAME
             Connect to net NETNAME.  This will let tinc read all configuration files from /usr/local/etc/tinc/ NETNAME.  Speci‐
             fying .  for NETNAME is the same as not specifying any NETNAME.

     -o, --option=[HOST.]KEY=VALUE
             Without specifying a HOST, this will set server configuration variable KEY to VALUE.  If specified as
             HOST.KEY=VALUE, this will set the host configuration variable KEY of the host named HOST to VALUE.  This option can
             be used more than once to specify multiple configuration variables.

     -L, --mlock
             Lock tinc into main memory.  This will prevent sensitive data like shared private keys to be written to the system
             swap files/partitions.  This option is not supported on all platforms.

             Write log entries to a file instead of to the system logging facility.  If FILE is omitted, the default is

     -s, --syslog
             When this option is is set, tinc uses syslog instead of stderr in --no-detach mode.

             Store a cookie in FILENAME which allows tinc(8) to authenticate.  If FILE is omitted, the default is

             Disables encryption and authentication of the meta protocol.  Only useful for debugging.

     -R, --chroot
             With this option tinc chroots into the directory where network config is located (/usr/local/etc/tinc/NETNAME if -n
             option is used, or to the directory specified with -c option) after initialization.  This option is not supported
             on all platforms.

     -U, --user=USER
             setuid to the specified USER after initialization.  This option is not supported on all platforms.

     --help  Display short list of options.

             Output version information and exit.

     ALRM    Forces tincd to try to connect to all uplinks immediately.  Usually tincd attempts to do this itself, but increases
             the time it waits between the attempts each time it failed, and if tincd didn't succeed to connect to an uplink the
             first time after it started, it defaults to the maximum time of 15 minutes.

     HUP     Partially rereads configuration files.  Connections to hosts whose host config file are removed are closed.  New
             outgoing connections specified in tinc.conf will be made.  If the --logfile option is used, this will also close
             and reopen the log file, useful when log rotation is used.
     The tinc daemon can send a lot of messages to the syslog.  The higher the debug level, the more messages it will log.  Each
     level inherits all messages of the previous level:

     0       This will log a message indicating tincd has started along with a version number.  It will also log any serious er‐

     1       This will log all connections that are made with other tinc daemons.

     2       This will log status and error messages from scripts and other tinc daemons.

     3       This will log all requests that are exchanged with other tinc daemons. These include authentication, key exchange
             and connection list updates.

     4       This will log a copy of everything received on the meta socket.

     5       This will log all network traffic over the virtual private network.

             Directory containing the configuration files tinc uses.  For more information, see tinc.conf(5).

             The PID of the currently running tincd is stored in this file.

     The BindToInterface option may not work correctly.

     The cryptography in tinc is not well tested yet. Use it at your own risk!

     If you find any bugs, report them to tinc@tinc-vpn.org.

     A lot, especially security auditing.
     tinc(8), tinc.conf(5), https://www.tinc-vpn.org/, http://www.cabal.org/.

     The full documentation for tinc is maintained as a Texinfo manual.  If the info and tinc programs are properly installed at
     your site, the command info tinc should give you access to the complete manual.

     tinc comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are welcome to redistribute it under certain condi‐
     tions; see the file COPYING for details.

     Ivo Timmermans
     Guus Sliepen <guus@tinc-vpn.org>

     And thanks to many others for their contributions to tinc!

                                                          June 27, 2021