- Updated PROTOCOL (a bit)

[tinc] / doc / tinc.conf.5

.TH TINC 5 "May 2000" "tinc version 1.0" "FSF"
.SH NAME
tincd.conf \- tinc daemon configuration
.SH "DESCRIPTION"
The files in the \fI/etc/tinc\fR directory contain runtime and
security information for the \fBtinc\fR(8) daemon.
.PP
.SH "NETWORKS"
It is perfectly ok for you to run more than one tinc daemon. However,
in its default form, you will soon notice that you can't use two
different configuration files without the \fI-c\fR option.

We have thought of another way of dealing with this: network
names. This means that you call \fBtincd\fR with the \fI-n\fR argument,
which will assign a name to this daemon.

The effect of this is that the daemon will set its configuration
``root'' to \fI/etc/tinc/\fBnn\fI/\fR, where \fBnn\fR is your argument
to the \fI-n\fR option. You'll notice that it appears in syslog as
``tincd.\fBnn\fR''.

However, it is not strictly necessary that you call tinc with the -n
option. In this case, the network name would just be empty, and it
will be used as such. tinc now looks for files in \fI/etc/tinc/\fR,
instead of \fI/etc/tinc/\fBnn\fI/\fR; the configuration file should be
\fI/etc/tinc/tincd.conf\fR, and the passphrases are now expected to be
in \fI/etc/tinc/passphrases/\fR.

But it is highly recommended that you use this feature of tinc,
because it will be so much clearer whom your daemon talks to. Hence,
we will assume that you use it.
.PP
.SH "PASSPHRASES"
You should use the \fBgenauth\fR(8) program to generate passphrases.
with, it accepts a single parameter, which is the number of bits the
passphrase should be. Its output should be stored in
\fI/etc/tinc/\fBnn\fI/passphrases/local\fR \-\- where \fBnn\fR stands
for the network (See under \fBNETWORKS\fR) above.

Please see the manpage for \fBgenauth\fR to learn more about setting
up an authentication scheme.
.PP
.SH "CONFIGURATION"
The actual configuration of the daemon is done in the file
\fI/etc/tinc/\fBnn\fI/tincd.conf\fR.

This file consists of comments (lines started with a \fB#\fR) or
assignments in the form of
.PP
.Vb 1
\&    \fIVariable \fB= \fIValue\fR.
.Ve
.PP
The variable names are case insensitive, and any spaces, tabs,
newlines and carriage returns are ignored. \fINote\fR: it is not
required that you put in the \fB=\fR sign, but doing so improves
readability. If you leave it out, remember to replace it with at least
one space character.
.PP
.SH "VARIABLES"
.PP
Here are all valid variables, listed in alphabetical order:
.TP
\fBConnectPort = \fIport\fR
Connect to the upstream host (given with the \fBConnectTo\fR
directive) on port \fIport\fR. \fIport\fR may be given in decimal
(default), octal (when preceded by a single zero) or hexadecimal
(prefixed with \fB0x\fR). \fIport\fR is the port number for both the
UDP and the TCP (meta) connections.
.TP
\fBConnectTo = \fB(\fIIP address\fB|\fIhostname\fB)\fR
Specifies which host to connect to on startup. If the
\fBConnectPort\fR variable is omitted, then tinc will try to connect
to port 655.

If you don't specify a host with \fBConnectTo\fR, tinc won't connect
at all, and will instead just listen for incoming connections. Only
the initiator of a tinc VPN should need this.
.TP
\fBKeyExpire = \fIs\fR
The secret (and public) key expires after \fIs\fR seconds. The default
is 3600 seconds, or one hour.

If you make it shorter, a lot of time and bandwidth is spent
negotiating over the new keys. If you make it longer, you make
yourself more vulnerable to crackers, because they have more data to
work with. The best value depends on the speed of the link, and the
amount of data that goes over it.
.TP
\fBListenPort = \fIport\fR
Listen on local port \fIport\fR. The computer connecting to this
daemon should use this number as the argument for his
\fBConnectPort\fR. Again, the default is 655.
.TP
\fBMyOwnVPNIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
The \fInetwork address\fR is the number that the daemon will propagate
to other daemons on the network when it is identifying itself. Hence
this will be the file name of the passphrase file that the other end
expects to find the passphrase in.

\fImaskbits\fR is the number of bits set to 1 in the netmask part.
.TP
\fBMyVirtualIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
This is an alias for \fBMyOwnVPNIP\fR.
.TP
\fBPassphrases = \fIdirectory\fR
The directory where tinc will look for passphrases when someone tries
to cennect. Please see the manpage for \fBgenauth\fR(8) for more
information about passphrases as used by tinc.
.TP
\fBPingTimeout = \fInumber\fR
The number of seconds of inactivity that tinc will wait before sending
a probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
.TP
\fBTapDevice = \fIdevice\fR
The ethertap device to use. Note that you can only use one device per
daemon. The info pages of the tinc package contain more information
about configuring an ethertap device for linux.
.TP
\fBNetMask = \fImask\fR
The mask that defines the scope of the entire VPN. This option is not used
by the tinc daemon itself, but can be used by startup scripts to configure
the ethertap devices correctly.
.PP
.SH "FILES"
.TP
\fI/etc/tinc/\fR
The top directory for configuration files.
.TP
\fI/etc/tinc/\fBnn\fI/tincd.conf\fR
The default name of the configuration file for net
\fBnn\fR.
.TP
\fI/etc/tinc/\fBnn\fI/passphrases/\fR
Passphrases are kept in this directory. (See the section
\fBPASSPHRASES\fR above).
.PP
.SH "SEE ALSO"
\fBtincd\fR(8), \fBgenauth\fR(8)
.TP
\fBhttp://tinc.nl.linux.org/\fR
.PP
The full documentation for
.B tinc
is maintained as a Texinfo manual.  If the
.B info
and
.B tinc
programs are properly installed at your site, the command
.IP
.B info tinc
.PP
should give you access to the complete manual.
.PP
tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,
and you are welcome to redistribute it under certain conditions;
see the file COPYING for details.