-This is the README file for tinc version 1.1pre5. Installation
+This is the README file for tinc version 1.1pre17. Installation
instructions may be found in the INSTALL file.
-tinc is Copyright (C) 1998-2013 by:
-
-Ivo Timmermans,
-Guus Sliepen <guus@tinc-vpn.org>,
-and others.
+tinc is Copyright © 1998-2018 Ivo Timmermans, Guus Sliepen <guus@tinc-vpn.org>, and others.
For a complete list of authors see the AUTHORS file.
please use one of the 1.0.x versions if you need a stable version of tinc.
Although tinc 1.1 will be protocol compatible with tinc 1.0.x, the
-functionality of the tincctl program may still change, and the control socket
+functionality of the tinc program may still change, and the control socket
protocol is not fixed yet.
This version uses an experimental and unfinished cryptographic protocol. Use it
at your own risk.
+When connecting to nodes that use the legacy protocol used in tinc 1.0, be
+aware that any security issues in tinc 1.0 will apply to tinc 1.1 as well. On
+September 6th, 2018, Michael Yonly contacted us and provided proof-of-concept
+code that allowed a remote attacker to create an authenticated, one-way
+connection with a node using the legacy protocol, and also that there was a
+possibility for a man-in-the-middle to force UDP packets from a node to be sent
+in plaintext. The first issue was trivial to exploit on tinc versions prior to
+1.0.30, but the changes in 1.0.30 to mitigate the Sweet32 attack made this
+weakness much harder to exploit. These issues have been fixed in tinc 1.0.35
+and tinc 1.1pre17. The new protocol in the tinc 1.1 branch is not susceptible
+to these issues. However, be aware that SPTPS is only used between nodes
+running tinc 1.1pre* or later, and in a VPN with nodes running different
+versions, the security might only be as good as that of the oldest version.
+
Compatibility
-------------
-Version 1.1pre5 is compatible with 1.0pre8, 1.0 and later, but not with older
+Version 1.1pre17 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.
When the ExperimentalProtocol option is used, tinc is still compatible with
-1.0.X and 1.1pre5 itself, but not with any other 1.1preX version.
+1.0.X, 1.1pre11 and later, but not with any version between 1.1pre1 and
+1.1pre10.
Requirements
In order to compile tinc, you will need a GNU C compiler environment. Please
ensure you have the latest stable versions of all the required libraries:
-- OpenSSL (http://www.openssl.org/) version 1.0.0 or later.
+- LibreSSL (http://www.libressl.org/) or OpenSSL (https://openssl.org/) version 1.0.0 or later.
The following libraries are used by default, but can be disabled if necessary:
-- zlib (http://www.gzip.org/zlib/)
-- lzo (http://www.oberhumer.com/opensource/lzo/)
-- ncurses (http://invisible-island.net/ncurses/)
-- readline (ftp://ftp.gnu.org/pub/gnu/readline/)
+- zlib (https://zlib.net/)
+- LZO (https://www.oberhumer.com/opensource/lzo/)
+- ncurses (https://invisible-island.net/ncurses/)
+- readline (https://cnswww.cns.cwru.edu/php/chet/readline/rltop.html)
Features
connections automatically. When direct connections are not possible, data will
be forwarded by intermediate nodes.
-By default, nodes authenticate each other using 2048 bit RSA (or 521 bit
-ECDSA*) keys. Traffic is encrypted using Blowfish in CBC mode (or AES-256 in
-CTR mode*), authenticated using HMAC-SHA1 (or HMAC-SHA-256*), and is protected
-against replay attacks.
-
-*) When using the ExperimentalProtocol option.
+Tinc 1.1 support two protocols. The first is a legacy protocol that provides
+backwards compatibility with tinc 1.0 nodes, and which by default uses 2048 bit
+RSA keys for authentication, and encrypts traffic using AES256 in CBC mode
+and HMAC-SHA256. The second is a new protocol which uses Curve25519 keys for
+authentication, and encrypts traffic using Chacha20-Poly1305, and provides
+forward secrecy.
Tinc fully supports IPv6.
Ethernet network switch or hub.
Normally, when started tinc will detach and run in the background. In a native
-Windows environment this means tinc will intall itself as a service, which will
-restart after reboots. To prevent tinc from detaching or running as a service,
+Windows environment this means tinc will install itself as a service, which will
+restart after reboots. To prevent tinc from detaching or running as a service,
use the -D option.
-The status of the VPN can be queried using the "tincctl" tool, which connects
+The status of the VPN can be queried using the "tinc" command, which connects
to a running tinc daemon via a control connection. The same tool also makes it
easy to start and stop tinc, and to change its configuration.