-.Dd 2008-12-22
+.Dd 2010-01-16
.Dt TINC.CONF 5
.\" Manual page created by:
.\" Ivo Timmermans
to start with an Ethernet header.
.El
+.It Va DirectOnly Li = yes | no Pq no
+When this option is enabled, packets that cannot be sent directly to the destination node,
+but which would have to be forwarded by an intermediate node, are dropped instead.
+When combined with the IndirectData option,
+packets for nodes for which we do not have a meta connection with are also dropped.
+
+.It Va Forwarding Li = off | internal | kernel Pq internal
+This option selects the way indirect packets are forwarded.
+.Bl -tag -width indent
+
+.It off
+Incoming packets that are not meant for the local node,
+but which should be forwarded to another node, are dropped.
+
+.It internal
+Incoming packets that are meant for another node are forwarded by tinc internally.
+
+.Pp
+This is the default mode, and unless you really know you need another forwarding mode, don't change it.
+
+.It kernel
+Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
+This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
+and can also help debugging.
+.El
+
.It Va GraphDumpFile Li = Ar filename Bq experimental
If this option is present,
.Nm tinc
.Va PrivateKeyFile
specified in the configuration file.
+.It Va ProcessPriority Li = low | normal | high
+When this option is used the priority of the tincd process will be adjusted.
+Increasing the priority may help to reduce latency and packet loss on the VPN.
+
+.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
+When this option is enabled tinc will only use Subnet statements which are
+present in the host config files in the local
+.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
+directory.
+
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
-and will only allow nodes and subnets on the VPN which are present in the
+and will only allow connections with nodes for which host config files are present in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
+Setting this options also implicitly sets StrictSubnets.
.El
.Sh HOST CONFIGURATION FILES
no secrets are revealed by sending out this information.
.Bl -tag -width indent
-.It Va Address Li = Ar address Bq recommended
+.It Va Address Li = Ar address Oo port Oc Bq recommended
The IP address or hostname of this tinc daemon on the real network.
This will only be used when trying to make an outgoing connection to this tinc daemon.
+Optionally, a port can be specified to use for this address.
Multiple
.Va Address
variables can be specified, in which case each address will be tried until a working
will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
+.It Va ClampMSS Li = yes | no Pq yes
+This option specifies whether tinc should clamp the maximum segment size (MSS)
+of TCP packets to the path MTU. This helps in situations where ICMP
+Fragmentation Needed or Packet too Big messages are dropped by firewalls.
+
.It Va Compression Li = Ar level Pq 0
This option sets the level of compression used for UDP packets.
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
After the path MTU has been discovered, it will be enforced on the VPN.
.It Va Port Li = Ar port Pq 655
-The port number on which this tinc daemon is listening for incoming connections.
+The port number on which this tinc daemon is listening for incoming connections,
+which is used if no port number is specified in an
+.Va Address
+statement.
.It Va PublicKey Li = Ar key Bq obsolete
The public RSA key of this tinc daemon.
in each host configuration file,
if you want to be able to establish a connection with that host.
-.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength
+.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight
The subnet which this tinc daemon will serve.
.Nm tinc
tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
IPv6 subnets are notated like fec0:0:0:1:0:0:0:0/64.
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
-.It Va TCPOnly Li = yes | no Pq no
+.Pp
+A Subnet can be given a weight to indicate its priority over identical Subnets
+owned by different nodes. The default weight is 10. Lower values indicate
+higher priority. Packets will be sent to the node with the highest priority,
+unless that node is not reachable, in which case the node with the next highest
+priority will be tried, and so on.
+
+.It Va TCPOnly Li = yes | no Pq no Bq obsolete
If this variable is set to yes,
then the packets are tunnelled over the TCP connection instead of a UDP connection.
This is especially useful for those who want to run a tinc daemon
from behind a masquerading firewall,
or if UDP packet routing is disabled somehow.
Setting this options also implicitly sets IndirectData.
+
+.Pp
+Since version 1.0.10, tinc will automatically detect whether communication via
+UDP is possible or not.
.El
.Sh SCRIPTS
.It Ev SUBNET
When a subnet becomes (un)reachable, this is set to the subnet.
+
+.It Ev WEIGHT
+When a subnet becomes (un)reachable, this is set to the subnet weight.
.El
.Sh FILES
projects / tinc / blobdiff