- Changed license of AVL tree library to GPL.

[tinc] / doc / tinc.conf.5

.TH TINC 5 "May 2000" "tinc version 1.0" "FSF"
.SH NAME
tinc.conf \- tinc daemon configuration
.SH "DESCRIPTION"
The files in the \fI/etc/tinc\fR directory contain runtime and
security information for the \fBtinc\fR(8) daemon.
.PP
.SH "NETWORKS"
It is perfectly ok for you to run more than one tinc daemon. However,
in its default form, you will soon notice that you can't use two
different configuration files without the \fI-c\fR option.

We have thought of another way of dealing with this: network
names. This means that you call \fBtincd\fR with the \fI-n\fR argument,
which will assign a name to this daemon.

The effect of this is that the daemon will set its configuration
``root'' to \fI/etc/tinc/\fBnn\fI/\fR, where \fBnn\fR is your argument
to the \fI-n\fR option. You'll notice that it appears in syslog as
``tincd.\fBnn\fR''.

However, it is not strictly necessary that you call tinc with the -n
option. In this case, the network name would just be empty, and it
will be used as such. tinc now looks for files in \fI/etc/tinc/\fR,
instead of \fI/etc/tinc/\fBnn\fI/\fR; the configuration file should be
\fI/etc/tinc/tinc.conf\fR, and the passphrases are now expected to be
in \fI/etc/tinc/passphrases/\fR.

But it is highly recommended that you use this feature of tinc,
because it will be so much clearer whom your daemon talks to. Hence,
we will assume that you use it.
.PP
.SH "NAMES"
Each tinc daemon should have a name that is unique in the network which
it will be part of. The name will be used by other tinc daemons for
identification. The name has to be declared in the
\fI/etc/tinc/\fBnn\fI/tinc.conf\fR file.

To make things easy, choose something that will give unique and easy
to rememebr names to your tinc daemon(s).
You could try things like hostnames, owner surnames or location names.
.PP
.SH "PUBLIC/PRIVATE KEYS"
You should use \fBtincd --generate-keys\fR to generate public/private
keypairs. It will generate two keys. The line containing the private
key should be completely copied to \fI/etc/tinc/\fBnn\fI/tinc.conf\fR
\-\- where \fBnn\fR stands for the network (See under \fBNETWORKS\fR)
above. The line containing the public key should be completely copied
to \fI/etc/tinc/\fBnn\fI/hosts/\fBname\fR \-\- where \fBname\fR stands
for the name of the tinc daemon (See \fBNAMES\fR).
.PP
.SH "SERVER CONFIGURATION"
The server configuration of the daemon is done in the file
\fI/etc/tinc/\fBnn\fI/tinc.conf\fR.

This file consists of comments (lines started with a \fB#\fR) or
assignments in the form of
.PP
.Vb 1
\&    \fIVariable \fB= \fIValue\fR.
.Ve
.PP
The variable names are case insensitive, and any spaces, tabs,
newlines and carriage returns are ignored. \fINote\fR: it is not
required that you put in the \fB=\fR sign, but doing so improves
readability. If you leave it out, remember to replace it with at least
one space character.
.PP
Here are all valid variables, listed in alphabetical order. The default
value, required or optional is given between parentheses.
.TP
\fBConnectTo\fR = <\fIname\fR> (optional)
Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables
may be specified, if connecting to the first one fails then tinc will try
the next one, and so on. The names should be known to this tinc daemon
(i.e., there should be a host configuration file for the name on the ConnectTo
line).

If you don't specify a host with \fBConnectTo\fR, tinc won't connect at all,
and will instead just listen for incoming connections.
.TP
\fBHostnames\fR = <\fIyes|no\fR> (no)
This option selects whether IP addresses (both real and on the VPN) should
be resolved. Since DNS lookups are blocking, it might affect tinc's
efficiency, even stopping the daemon for a few seconds everytime it does
a lookup if your DNS server is not responding.

This does not affect resolving hostnames to IP addresses from the
host configuration files.
.TP
\fBKeyExpire\fR = <\fIseconds\fR> (3600)
This option controls the time the encryption keys used to encrypt the data
are valid. It is common practice to change keys at regular intervals to
make it even harder for crackers, even though it is thought to be nearly
impossible to crack a single key.
.TP
\fBName\fR = <\fIname\fR> (required)
This is the name which identifies this tinc daemon. It must be unique for
the virtual private network this daemon will connect to.
.TP
\fBPingTimeout\fR = <\fIseconds\fR> (5)
The number of seconds of inactivity that tinc will wait before sending a
probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
.TP
\fBPrivateKey\fR = <\fIkey\fR> (required)
The private RSA key of this tinc daemon. It will allow this tinc daemon to
authenticate itself to other daemons.
.TP
\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
The ethertap or tun/tap device to use. tinc will automatically detect what
kind of tapdevice it is.
Note that you can only use one device per
daemon. The info pages of the tinc package contain more information
about configuring an ethertap device for Linux.
.PP
.SH "HOST CONFIGURATION FILES"
The host configuration files contain all information needed to establish a
connection to those hosts. A host configuration file is also required for the
local tinc daemon, it will use it to read in it's listen port, public key and
subnets.

The idea is that these files are ``portable''. You can safely mail your own host
configuration file to someone else. That other person can then copy it to his
own hosts directory, and now his tinc daemon will be able to connect to your
tinc daemon. Since host configuration files only contain public keys, no secrets
are revealed by sending out this information.
.PP
.TP
\fBAddress\fR = <\fIIP address\fR> (required)
The real address or hostname of this tinc daemon.
.TP
\fBPort\fR = <\fIport number\fR> (655)
The port on which this tinc daemon is listening for incoming connections.
.TP
\fBPublicKey\fR = <\fIkey\fR> (required)
The public RSA key of this tinc daemon. It will be used to cryptographically
verify it's identity and to set up a secure connection.
.TP
\fBSubnet\fR = <\fIaddress/masklength\fR> (optional)
The subnet which this tinc daemon will serve. tinc tries to look up which other
daemon it should send a packet to by searching the appropiate subnet. If the
packet matches a subnet, it will be sent to the daemon who has this subnet in his
host configuration file. Multiple subnet lines can be specified.

At the moment, this directive is only used in the host configuration file of
the local tinc daemon itself. In upcoming versions of tinc, it will be possible to
restrict other hosts in which subnets they server.

The subnets must be in a form like \fI192.168.1.0/24\fR, where 192.168.1.0 is the
network address and 24 is the number of bits set in the netmask. Note that subnets
like \fI192.168.1.1/24\fR are invalid! Read a networking howto/FAQ/guide if you
don't understand this.
.SH "FILES"
.TP
\fI/etc/tinc/\fR
The top directory for configuration files.
.TP
\fI/etc/tinc/\fBnn\fI/tinc.conf\fR
The default name of the server configuration file for net
\fBnn\fR.
.TP
\fI/etc/tinc/\fBnn\fI/hosts/\fR
Host configuration files are kept in this directory.
.TP
\fI/etc/tinc/\fBnn\fI/tinc-up\fR
If an executable file with this name exists, it will be executed
right after the tinc daemon has connected to the tap device. It can
be used to ifconfig the network interface.

If the tapdevice is a tun/tap device, the evironment variable
\fB$IFNAME\fR will be set to the name of the network interface.
.TP
\fI/etc/tinc/\fBnn\fI/tinc-down\fR
If an executable file with this name exists, it will be executed
right before the tinc daemon is going to close it's connection to the
tap device.
.PP
.SH "SEE ALSO"
\fBtincd\fR(8)
.TP
\fBhttp://tinc.nl.linux.org/\fR
.TP
\fBhttp://www.kernelnotes.org/guides/NAG/\fR
.PP
The full documentation for
.B tinc
is maintained as a Texinfo manual.  If the
.B info
and
.B tinc
programs are properly installed at your site, the command
.IP
.B info tinc
.PP
should give you access to the complete manual.
.PP
tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,
and you are welcome to redistribute it under certain conditions;
see the file COPYING for details.