-.Dd 2012-09-27
+.Dd 2013-01-14
.Dt TINC.CONF 5
.\" Manual page created by:
.\" Ivo Timmermans
.Sh INITIAL CONFIGURATION
If you have not configured tinc yet, you can easily create a basic configuration using the following command:
.Bd -literal -offset indent
-.Nm tincctl Fl n Ar NETNAME Li init Ar NAME
+.Nm tinc Fl n Ar NETNAME Li init Ar NAME
.Ed
.Pp
You can further change the configuration as needed either by manually editing the configuration files,
or by using
-.Xr tincctl 8 .
+.Xr tinc 8 .
.Sh PUBLIC/PRIVATE KEYS
The
-.Nm tincctl Li init
+.Nm tinc Li init
command will have generated both RSA and ECDSA public/private keypairs.
The private keys should be stored in files named
.Pa rsa_key.priv
If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files,
but you will need to create ECDSA keys using the following command:
.Bd -literal -offset indent
-.Nm tincctl Fl n Ar NETNAME Li generate-ecdsa-keys
+.Nm tinc Fl n Ar NETNAME Li generate-ecdsa-keys
.Ed
.Sh SERVER CONFIGURATION
The server configuration of the daemon is done in the file
as this makes it easy to exchange with other nodes.
.Pp
You can edit the config file manually, but it is recommended that you use
-.Xr tincctl 8
+.Xr tinc 8
to change configuration variables for you.
.Pp
Here are all valid variables, listed in alphabetical order.
.Qq any
is selected, then depending on the operating system both IPv4 and IPv6 or just
IPv6 listening sockets will be created.
+.It Va AutoConnect Li = Ar count Po 0 Pc Bq experimental
+If set to a non-zero value,
+.Nm
+will try to only have
+.Ar count
+meta connections to other nodes,
+by automatically making or breaking connections to known nodes.
+Higher values increase redundancy but also increase meta data overhead.
+When using this option, a good value is 3.
.It Va BindToAddress Li = Ar address Op Ar port
If your computer has more than one IPv4 or IPv6 address,
.Nm tinc
This is only used if
.Va ExperimentalProtocol
is enabled.
-.It Va ExperimentalProtocol Li = yes | no Po no Pc Bq experimental
-When this option is enabled, experimental protocol enhancements will be used.
+.It Va ExperimentalProtocol Li = yes | no Pq yes
+When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
Ephemeral ECDH will be used for key exchanges,
and ECDSA will be used instead of RSA for authentication.
When enabled, an ECDSA key must have been generated before with
-.Nm tincctl generate-ecdsa-keys .
-The experimental protocol may change at any time,
-and there is no guarantee that tinc will run stable when it is used.
+.Nm tinc generate-ecdsa-keys .
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded.
.Bl -tag -width indent
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
and can also help debugging.
.El
-.It Va GraphDumpFile Li = Ar filename
-If this option is present,
-.Nm tinc
-will dump the current network graph to the file
-.Ar filename
-every minute, unless there were no changes to the graph.
-The file is in a format that can be read by graphviz tools.
-If
-.Ar filename
-starts with a pipe symbol |,
-then the rest of the filename is interpreted as a shell command
-that is executed, the graph is then sent to stdin.
.It Va Hostnames Li = yes | no Pq no
This option selects whether IP addresses (both real and on the VPN) should
be resolved. Since DNS lookups are blocking, it might affect tinc's
In this mode
.Va Subnet
variables in the host configuration files will be used to form a routing table.
-Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.
+Only packets of routable protocols (IPv4 and IPv6) are supported in this mode.
.Pp
This is the default mode, and unless you really know you need another mode, don't change it.
.It switch
.It Va Name Li = Ar name Bq required
This is the name which identifies this tinc daemon.
It must be unique for the virtual private network this daemon will connect to.
-The Name may only consist of alphanumeric and underscore characters.
+The Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.
If
.Va Name
starts with a
.Va Name
is
.Li $HOST ,
-but no such environment variable exist, the hostname will be read using the gethostnname() system call.
+but no such environment variable exist, the hostname will be read using the gethostname() system call.
.It Va PingInterval Li = Ar seconds Pq 60
The number of seconds of inactivity that
.Nm tinc
It will allow this tinc daemon to authenticate itself to other daemons.
.It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc
The file in which the private RSA key of this tinc daemon resides.
-Note that there must be exactly one of
-.Va PrivateKey
-or
-.Va PrivateKeyFile
-specified in the configuration file.
.It Va ProcessPriority Li = low | normal | high
When this option is used the priority of the
.Nm tincd
are available.
.El
.It Va ReplayWindow Li = Ar bytes Pq 16
-vhis is the size of the replay tracking window for each remote node, in bytes.
+This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from
.Qq none
will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
+This option has no effect for connections between nodes using
+.Va ExperimentalProtocol .
.It Va ClampMSS Li = yes | no Pq yes
This option specifies whether tinc should clamp the maximum segment size (MSS)
of TCP packets to the path MTU. This helps in situations where ICMP
Furthermore, specifying
.Qq none
will turn off packet authentication.
+This option has no effect for connections between nodes using
+.Va ExperimentalProtocol .
.It Va IndirectData Li = yes | no Pq no
-This option specifies whether other tinc daemons besides the one you specified with
-.Va ConnectTo
-can make a direct connection to you.
-This is especially useful if you are behind a firewall
-and it is impossible to make a connection from the outside to your tinc daemon.
-Otherwise, it is best to leave this option out or set it to no.
+When set to yes, other nodes which do not already have a meta connection to you
+will not try to establish direct communication with you.
+It is best to leave this option out or set it to no.
.It Va MACLength Li = Ar length Pq 4
The length of the message authentication code used to authenticate UDP packets.
Can be anything from
.Qq 0
up to the length of the digest produced by the digest algorithm.
+This option has no effect for connections between nodes using
+.Va ExperimentalProtocol .
.It Va PMTU Li = Ar mtu Po 1514 Pc
This option controls the initial path MTU to this node.
.It Va PMTUDiscovery Li = yes | no Po yes Pc
.El
.Sh SEE ALSO
.Xr tincd 8 ,
-.Xr tincctl 8 ,
+.Xr tinc 8 ,
.Pa http://www.tinc-vpn.org/ ,
.Pa http://www.tldp.org/LDP/nag2/ .
.Pp
projects / tinc / blobdiff