Higher values increase redundancy but also increase meta data overhead.
When using this option, a good value is 3.
.It Va BindToAddress Li = Ar address Op Ar port
-If your computer has more than one IPv4 or IPv6 address,
-.Nm tinc
-will by default listen on all of them for incoming connections.
-Multiple
+This is the same as
+.Va ListenAddress ,
+however the address given with the
.Va BindToAddress
-variables may be specified,
-in which case listening sockets for each specified address are made.
-.Pp
-If no
-.Ar port
-is specified, the socket will be bound to the port specified by the
-.Va Port
-option, or to port 655 if neither is given.
-To only bind to a specific port but not to a specific address, use
-.Li *
-for the
-.Ar address .
+option will also be used for outgoing connections. This is useful if your
+computer has more than one IPv4 or IPv6 address, and you want
+.Nm tinc
+to only use a specific one for outgoing packets.
.It Va BindToInterface Li = Ar interface Bq experimental
If your computer has more than one network interface,
.Nm tinc
This is only used if
.Va ExperimentalProtocol
is enabled.
-.It Va ExperimentalProtocol Li = yes | no Po no Pc Bq experimental
-When this option is enabled, experimental protocol enhancements will be used.
+.It Va ExperimentalProtocol Li = yes | no Pq yes
+When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
Ephemeral ECDH will be used for key exchanges,
and ECDSA will be used instead of RSA for authentication.
When enabled, an ECDSA key must have been generated before with
.Nm tinc generate-ecdsa-keys .
-The experimental protocol may change at any time,
-and there is no guarantee that tinc will run stable when it is used.
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded.
.Bl -tag -width indent
This option controls the period the encryption keys used to encrypt the data are valid.
It is common practice to change keys at regular intervals to make it even harder for crackers,
even though it is thought to be nearly impossible to crack a single key.
+.It Va ListenAddress Li = Ar address Op Ar port
+If your computer has more than one IPv4 or IPv6 address,
+.Nm tinc
+will by default listen on all of them for incoming connections.
+This option can be used to restrict which addresses tinc listens on.
+Multiple
+.Va ListenAddress
+variables may be specified,
+in which case listening sockets for each specified address are made.
+.Pp
+If no
+.Ar port
+is specified, the socket will listen on the port specified by the
+.Va Port
+option, or to port 655 if neither is given.
+To only listen on a specific port but not on a specific address, use
+.Li *
+for the
+.Ar address .
.It Va LocalDiscovery Li = yes | no Pq no
When enabled,
.Nm tinc
.Pp
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
This feature may not work in all possible situations.
+.It Va LocalDiscoveryAddress Li = Ar address
+If this variable is specified, local discovery packets are sent to the given
+.Ar address .
.It Va MACExpire Li = Ar seconds Pq 600
This option controls the amount of time MAC addresses are kept before they are removed.
This only has effect when
.Va Mode
is set to
.Qq switch .
+.It Va MaxConnectionBurst Li = Ar count Pq 100
+This option controls how many connections tinc accepts in quick succession.
+If there are more connections than the given number in a short time interval,
+tinc will reduce the number of accepted connections to only one per second,
+until the burst has passed.
.It Va MaxTimeout Li = Ar seconds Pq 900
This is the maximum delay before trying to reconnect to other tinc daemons.
.It Va Mode Li = router | switch | hub Pq router
.It Va ReplayWindow Li = Ar bytes Pq 16
This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
-the default setting of 16 will track up to 128 packets in the window. In high
+the default setting of 16 will track up to 128 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from
the interaction of replay tracking with underlying real packet loss and/or
-reordering. Setting this to zero will disable replay tracking completely and
+reordering. Setting this to zero will disable replay tracking completely and
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic.
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
-directory.
+directory. Subnets learned via connections to other nodes and which are not
+present in the local host config files are ignored.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow connections with nodes for which host config files are present in the local
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
.Pp
A Subnet can be given a weight to indicate its priority over identical Subnets
-owned by different nodes. The default weight is 10. Lower values indicate
+owned by different nodes. The default weight is 10. Lower values indicate
higher priority. Packets will be sent to the node with the highest priority,
unless that node is not reachable, in which case the node with the next highest
priority will be tried, and so on.
Apart from reading the server and host configuration files,
tinc can also run scripts at certain moments.
Under Windows (not Cygwin), the scripts should have the extension
-.Pa .bat .
+.Pa .bat
+or
+.Pa cmd .
.Bl -tag -width indent
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
This is the most important script.
The Subnet and the node it belongs to are passed in environment variables.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down
This script is started when a Subnet becomes unreachable.
+.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitation-created
+This script is started when a new invitation has been created.
+.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitation-accepted
+This script is started when an invitation has been used.
.El
.Pp
The scripts are started without command line arguments, but can make use of certain environment variables.
in scripts.
Under Windows, in
.Pa .bat
+or
+.Pa .cmd
files, they have to be put between
.Li %
signs.
When a subnet becomes (un)reachable, this is set to the subnet.
.It Ev WEIGHT
When a subnet becomes (un)reachable, this is set to the subnet weight.
+.It Ev INVITATION_FILE
+When the
+.Pa invitation-created
+script is called, this is set to the file where the invitation details will be stored.
+.It Ev INVITATION_URL
+When the
+.Pa invitation-created
+script is called, this is set to the invitation URL that has been created.
.El
.Pp
Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
The default name of the server configuration file for net
.Ar NETNAME .
+.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/
+Optional directory from which any .conf file will be loaded
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
Host configuration files are kept in this directory.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
projects / tinc / blobdiff