2.0. Only gradual changes to the source code are allowed, ensuring
that the code is always in a mostly usable state. The protocol will
stay compatible with that of the 1.0 branch. The following features
-are planned in this branch:
+are planned or are already implemented in this branch:
**Replaceble cryptography backend**
creation of control connections as well, so that the administrator
does not have to do this manually anymore.
-**Deal with NAT**
+**Automate setting up nodes**
-The 1.0 branch by default tries to exchange packets via UDP.
-However, if one or more peers are behind a NAT, and source ports
-might be changed or packets may not arrive at all, the
-administrator had to manually enable the TCPOnly option or use
-another workaround to get tinc to work. Tinc should be able to cope
-with altered source ports, and should detect whether or not packet
-exchange via UDP works at all, and if not fall back to TCP.
+The tincctl utility should have a wizard-like interface that asks a few
+necessary questions and then creates all the configuration files. Another
+useful feature would be to allow it to export a GPG signed email to selected
+recipients, which would be able to import them with a simple command. Another
+option would be to allow a user to connect via SSH to a remote node (if he has
+an account there), and do a two-way exchange of configuration files.
## Plans for tinc 2.0
signatures, they can allow communication. Trust management should
be simple, for example using a command like
- tinc trust *foo*
+ tinc trust foo
which should let the local tinc
daemon trust information from the peer named *foo*. To authorise
the use of addresses on the VPN, a command like the following could
be used:
- tinc allow *bar* 192.168.3.0/24
+ tinc allow bar 192.168.3.0/24
This should generate a small certificate that proves that the node that
issued this command trusts node *bar* with the 192.168.3.0/24 range
the other peers in the VPN. It is also important to allow trust and
authorisation to be revoked in the same way:
- tinc distrust *foo*
+ tinc distrust foo
This should make the local tinc daemon stop trusting any information from *foo*.
- tinc deny *bar*
+ tinc deny bar
This should generate a certificate (with a newer timestamp than the previous one) denying
*bar* any access, and spread this amongst the other peers as well.