.PP
.SH "VARIABLES"
.PP
-Here are all valid variables, listed in alphabetical order:
-.TP
-\fBAllowConnect = \fB(\fIyes\fB|\fIno\fB)\fR
-If set to \fIyes\fR, anyone may try to connect to you. If you set this
-to no, no incoming connections will be accepted. This does not affect
-the outgoing connections.
-.TP
-\fBConnectPort = \fIport\fR
-Connect to the upstream host (given with the \fBConnectTo\fR
-directive) on port \fIport\fR. \fIport\fR may be given in decimal
-(default), octal (when preceded by a single zero) or hexadecimal
-(prefixed with \fB0x\fR). \fIport\fR is the port number for both the
-UDP and the TCP (meta) connections.
-.TP
-\fBConnectTo = \fB(\fIIP address\fB|\fIhostname\fB)\fR
-Specifies which host to connect to on startup. If the
-\fBConnectPort\fR variable is omitted, then tinc will try to connect
-to port 655.
+Here are all valid variables, listed in alphabetical order. The default
+value, required or optional is given between parentheses.
+.TP
+\fBConnectPort\fR = <\fIport\fR> (655)
+Connect to the upstream host (given with the \fBConnectTo\fR directive) on
+port \fIport\fR. port may be given in decimal (default), octal (when preceded
+by a single zero) or hexadecimal (prefixed with 0x). \fIport\fR is the port
+number for both the UDP and the TCP (meta) connections.
+.TP
+\fBConnectTo\fR = <\fIIP address|hostname\fR> (optional)
+Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables
+may be specified, if connecting to the first one fails then tinc will try
+the next one, and so on. It is possible to specify hostnames for dynamic IP
+addresses (like those given on dyndns.org), tinc will not cache the resolved
+IP address.
-If you don't specify a host with \fBConnectTo\fR, tinc won't connect
-at all, and will instead just listen for incoming connections. Only
-the initiator of a tinc VPN should need this.
+If you don't specify a host with \fBConnectTo\fR, regardless of whether a
+value for \fBConnectPort\fR is given, tinc won't connect at all, and will
+instead just listen for incoming connections.
.TP
-\fBKeyExpire = \fIs\fR
-The secret (and public) key expires after \fIs\fR seconds. The default
-is 3600 seconds, or one hour.
+\fBHostnames\fR = <\fIyes|no\fR> (no)
+This option selects whether IP addresses (both real and on the VPN) should
+be resolved. Since DNS lookups are blocking, it might affect tinc's
+efficiency, even stopping the daemon for a few seconds everytime it does
+a lookup if your DNS server is not responding.
-If you make it shorter, a lot of time and bandwidth is spent
-negotiating over the new keys. If you make it longer, you make
-yourself more vulnerable to crackers, because they have more data to
-work with. The best value depends on the speed of the link, and the
-amount of data that goes over it.
-.TP
-\fBListenPort = \fIport\fR
-Listen on local port \fIport\fR. The computer connecting to this
-daemon should use this number as the argument for his
-\fBConnectPort\fR. Again, the default is 655.
-.TP
-\fBMyOwnVPNIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
-The \fInetwork address\fR is the number that the daemon will propagate
-to other daemons on the network when it is identifying itself. Hence
-this will be the file name of the passphrase file that the other end
-expects to find the passphrase in.
+This does not affect resolving hostnames to IP addresses from the configuration
+file.
+.TP
+\fBIndirectData\fR = <\fIyes|no\fR> (no)
+This option specifies whether other tinc daemons besides the one you
+specified with \fBConnectTo\fR can make a direct connection to you. This is
+especially useful if you are behind a firewall and it is impossible
+to make a connection from the outside to your tinc daemon. Otherwise,
+it is best to leave this option out or set it to no.
+.TP
+\fBInterface\fR = <\fIdevice\fR> (optional)
+If you have more than one network interface in your computer, tinc will by
+default listen on all of them for incoming connections. It is possible to
+bind tinc to a single interface like eth0 or ppp0 with this variable.
+.TP
+\fBInterfaceIP\fR = <\fIlocal address\fR> (optional)
+If your computer has more than one IP address on a single interface (for example
+if you are running virtual hosts), tinc will by default listen on all of them for
+incoming connections. It is possible to bind tinc to a single IP address with
+this variable. It is still possible to listen on several interfaces at the same
+time though, if they share the same IP address.
+.TP
+\fBKeyExpire\fR = <\fIseconds\fR> (3600)
+This option controls the time the encryption keys used to encrypt the data
+are valid. It is common practice to change keys at regular intervals to
+make it even harder for crackers, even though it is thought to be nearly
+impossible to crack a single key.
+.TP
+\fBListenPort\fR = <\fIport\fR> (655)
+Listen on local port \fIport\fR. The computer connecting to this daemon should
+use this number as the argument for his \fBConnectPort\fR.
+.TP
+\fBMyOwnVPNIP\fR = <\fIlocal address[/maskbits]\fR> (required)
+The \fIlocal address\fR is the number that the daemon will propagate to
+other daemons on the network when it is identifying itself. Hence this
+will be the file name of the passphrase file that the other end expects
+to find the passphrase in.
+
+The local address is the IP address of the tap device, not the real IP
+address of the host running tincd. Due to changes in recent kernels, it
+is also necessary that you make the ethernet (also known as MAC) address
+equal to the IP address (see the example).
\fImaskbits\fR is the number of bits set to 1 in the netmask part.
.TP
-\fBMyVirtualIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
+\fBMyVirtualIP\fR = <\fIlocal address[/maskbits]>
This is an alias for \fBMyOwnVPNIP\fR.
.TP
-\fBPassphrases = \fIdirectory\fR
-The directory where tinc will look for passphrases when someone tries
-to cennect. Please see the manpage for \fBgenauth\fR(8) for more
-information about passphrases as used by tinc.
+\fBPassphrases\fR = <\fIdirectory\fR> (/etc/tinc/NETNAME/passphrases)
+The directory where tinc will look for passphrases when someone tries to
+connect. Please see the manpage for genauth(8) for more information
+about passphrases as used by tinc.
.TP
-\fBPingTimeout = \fInumber\fR
-The number of seconds of inactivity that tinc will wait before sending
-a probe to the other end. If that other end doesn't answer within that
+\fBPingTimeout\fR = <\fIseconds\fR> (5)
+The number of seconds of inactivity that tinc will wait before sending a
+probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
.TP
-\fBTapDevice = \fIdevice\fR
+\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
The ethertap device to use. Note that you can only use one device per
daemon. The info pages of the tinc package contain more information
-about configuring an ethertap device for linux.
+about configuring an ethertap device for Linux.
+.TP
+\fBTCPonly\fR = <\fIyes|no\fR> (no, experimental)
+If this variable is set to yes, then the packets are tunnelled over a TCP
+connection instead of a UDP connection. This is especially useful for those
+who want to run a tinc daemon from behind a masquerading firewall, or if
+UDP packet routing is disabled somehow. This is experimental code,
+try this at your own risk.
+.TP
+\fBVpnMask\fR = <\fImask\fR> (optional)
+The mask that defines the scope of the entire VPN. This option is not used
+by the tinc daemon itself, but can be used by startup scripts to configure
+the ethertap devices correctly.
.PP
.SH "FILES"
.TP
projects / tinc / blobdiff