-.TH TINC 5 "May 2000" "tinc version 1.0" "FSF"
+.TH TINC 5 "Jan 2001" "tinc version 1.0pre4" "FSF"
.SH NAME
-tincd.conf \- tinc daemon configuration
+tinc.conf \- tinc daemon configuration
.SH "DESCRIPTION"
The files in the \fI/etc/tinc\fR directory contain runtime and
-security information for the \fBtinc\fR(8) daemon.
+security information for the \fBtincd\fR(8) daemon.
.PP
.SH "NETWORKS"
It is perfectly ok for you to run more than one tinc daemon. However,
which will assign a name to this daemon.
The effect of this is that the daemon will set its configuration
-``root'' to \fI/etc/tinc/\fBnn\fI/\fR, where \fBnn\fR is your argument
+``root'' to \fI/etc/tinc/\fBnetname\fI/\fR, where \fBnetname\fR is your argument
to the \fI-n\fR option. You'll notice that it appears in syslog as
-``tincd.\fBnn\fR''.
+``tincd.\fBnetname\fR''.
However, it is not strictly necessary that you call tinc with the -n
option. In this case, the network name would just be empty, and it
will be used as such. tinc now looks for files in \fI/etc/tinc/\fR,
-instead of \fI/etc/tinc/\fBnn\fI/\fR; the configuration file should be
-\fI/etc/tinc/tincd.conf\fR, and the passphrases are now expected to be
+instead of \fI/etc/tinc/\fBnetname\fI/\fR; the configuration file should be
+\fI/etc/tinc/tinc.conf\fR, and the passphrases are now expected to be
in \fI/etc/tinc/passphrases/\fR.
But it is highly recommended that you use this feature of tinc,
because it will be so much clearer whom your daemon talks to. Hence,
we will assume that you use it.
.PP
-.SH "PASSPHRASES"
-You should use the \fBgenauth\fR(8) program to generate passphrases.
-with, it accepts a single parameter, which is the number of bits the
-passphrase should be. Its output should be stored in
-\fI/etc/tinc/\fBnn\fI/passphrases/local\fR \-\- where \fBnn\fR stands
-for the network (See under \fBNETWORKS\fR) above.
+.SH "NAMES"
+Each tinc daemon should have a name that is unique in the network which
+it will be part of. The name will be used by other tinc daemons for
+identification. The name has to be declared in the
+\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR file.
-Please see the manpage for \fBgenauth\fR to learn more about setting
-up an authentication scheme.
+To make things easy, choose something that will give unique and easy
+to rememebr names to your tinc daemon(s).
+You could try things like hostnames, owner surnames or location names.
.PP
-.SH "CONFIGURATION"
-The actual configuration of the daemon is done in the file
-\fI/etc/tinc/\fBnn\fI/tincd.conf\fR.
+.SH "PUBLIC/PRIVATE KEYS"
+You should use \fBtincd --generate-keys\fR to generate public/private
+keypairs. It will generate two keys. The private
+key should be stored in a separate file \fI/etc/tinc/\fBnetname\fI/rsa_key.priv\fR
+\-\- where \fBnetname\fR stands for the network (See under \fBNETWORKS\fR)
+above. The public key should be stored in
+the host configuration file \fI/etc/tinc/\fBnetname\fI/hosts/\fBname\fR \-\- where \fBname\fR stands
+for the name of the local tinc daemon (See \fBNAMES\fR).
+.PP
+.SH "SERVER CONFIGURATION"
+The server configuration of the daemon is done in the file
+\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR.
This file consists of comments (lines started with a \fB#\fR) or
assignments in the form of
readability. If you leave it out, remember to replace it with at least
one space character.
.PP
-.SH "VARIABLES"
-.PP
-Here are all valid variables, listed in alphabetical order:
-.TP
-\fBConnectPort = \fIport\fR
-Connect to the upstream host (given with the \fBConnectTo\fR
-directive) on port \fIport\fR. \fIport\fR may be given in decimal
-(default), octal (when preceded by a single zero) or hexadecimal
-(prefixed with \fB0x\fR). \fIport\fR is the port number for both the
-UDP and the TCP (meta) connections.
-.TP
-\fBConnectTo = \fB(\fIIP address\fB|\fIhostname\fB)\fR
-Specifies which host to connect to on startup. If the
-\fBConnectPort\fR variable is omitted, then tinc will try to connect
-to port 655.
-
-If you don't specify a host with \fBConnectTo\fR, tinc won't connect
-at all, and will instead just listen for incoming connections. Only
-the initiator of a tinc VPN should need this.
+Here are all valid variables, listed in alphabetical order. The default
+value is given between parentheses.
.TP
-\fBKeyExpire = \fIs\fR
-The secret (and public) key expires after \fIs\fR seconds. The default
-is 3600 seconds, or one hour.
+\fBConnectTo\fR = <\fIname\fR>
+Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables
+may be specified, if connecting to the first one fails then tinc will try
+the next one, and so on. The names should be known to this tinc daemon
+(i.e., there should be a host configuration file for the name on the ConnectTo
+line).
-If you make it shorter, a lot of time and bandwidth is spent
-negotiating over the new keys. If you make it longer, you make
-yourself more vulnerable to crackers, because they have more data to
-work with. The best value depends on the speed of the link, and the
-amount of data that goes over it.
-.TP
-\fBListenPort = \fIport\fR
-Listen on local port \fIport\fR. The computer connecting to this
-daemon should use this number as the argument for his
-\fBConnectPort\fR. Again, the default is 655.
-.TP
-\fBMyOwnVPNIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
-The \fInetwork address\fR is the number that the daemon will propagate
-to other daemons on the network when it is identifying itself. Hence
-this will be the file name of the passphrase file that the other end
-expects to find the passphrase in.
+If you don't specify a host with \fBConnectTo\fR, tinc won't try to connect to other daemons at all,
+and will instead just listen for incoming connections.
+.TP
+\fBHostnames\fR = <\fIyes|no\fR> (no)
+This option selects whether IP addresses (both real and on the VPN) should
+be resolved. Since DNS lookups are blocking, it might affect tinc's
+efficiency, even stopping the daemon for a few seconds everytime it does
+a lookup if your DNS server is not responding.
-\fImaskbits\fR is the number of bits set to 1 in the netmask part.
+This does not affect resolving hostnames to IP addresses from the
+host configuration files.
.TP
-\fBMyVirtualIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
-This is an alias for \fBMyOwnVPNIP\fR.
+\fBInterface\fR = <\fIdevice\fR>
+If you have more than one network interface in your computer, tinc will
+by default listen on all of them for incoming connections. It is
+possible to bind tinc to a single interface like eth0 or ppp0 with this
+variable.
.TP
-\fBPassphrases = \fIdirectory\fR
-The directory where tinc will look for passphrases when someone tries
-to cennect. Please see the manpage for \fBgenauth\fR(8) for more
-information about passphrases as used by tinc.
+\fBInterfaceIP\fR = <\fIlocal address\fR>
+If your computer has more than one IP address on a single interface (for
+example if you are running virtual hosts), tinc will by default listen
+on all of them for incoming connections. It is possible to bind tinc to
+a single IP address with this variable. It is still possible to listen
+on several interfaces at the same time though, if they share the same IP
+address.
.TP
-\fBPingTimeout = \fInumber\fR
-The number of seconds of inactivity that tinc will wait before sending
-a probe to the other end. If that other end doesn't answer within that
+\fBKeyExpire\fR = <\fIseconds\fR> (3600)
+This option controls the time the encryption keys used to encrypt the data
+are valid. It is common practice to change keys at regular intervals to
+make it even harder for crackers, even though it is thought to be nearly
+impossible to crack a single key.
+.TP
+\fBName\fR = <\fIname\fR> [required]
+This is the name which identifies this tinc daemon. It must be unique for
+the virtual private network this daemon will connect to.
+.TP
+\fBPingTimeout\fR = <\fIseconds\fR> (60)
+The number of seconds of inactivity that tinc will wait before sending a
+probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
.TP
-\fBTapDevice = \fIdevice\fR
-The ethertap device to use. Note that you can only use one device per
-daemon. The info pages of the tinc package contain more information
-about configuring an ethertap device for linux.
+\fBPrivateKey\fR = <\fIkey\fR> [obsolete]
+The private RSA key of this tinc daemon. It will allow this tinc daemon to
+authenticate itself to other daemons.
.TP
-\fBNetMask = \fImask\fR
-The mask that defines the scope of the entire VPN. This option is not used
-by the tinc daemon itself, but can be used by startup scripts to configure
-the ethertap devices correctly.
+\fBPrivateKeyFile\fR = <\fIfilename\fR> [recommended]
+The file in which the private RSA key of this tinc daemon resides.
+
+Note that there must be exactly one of \fBPrivateKey\fR or \fBPrivateKeyFile\fR
+specified in the configuration file.
+.TP
+\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0 or /dev/net/tun)
+The ethertap or tun/tap device to use. tinc will automatically detect what
+kind of tapdevice it is.
+Note that you can only use one device per
+daemon. The info pages of the tinc package contain more information
+about configuring an ethertap device for Linux.
.PP
+.SH "HOST CONFIGURATION FILES"
+The host configuration files contain all information needed to establish a
+connection to those hosts. A host configuration file is also required for the
+local tinc daemon, it will use it to read in it's listen port, public key and
+subnets.
+
+The idea is that these files are ``portable''. You can safely mail your own host
+configuration file to someone else. That other person can then copy it to his
+own hosts directory, and now his tinc daemon will be able to connect to your
+tinc daemon. Since host configuration files only contain public keys, no secrets
+are revealed by sending out this information.
+.PP
+.TP
+\fBAddress\fR = <\fIIP address\fR> [recommended]
+The real address or hostname of this tinc daemon.
+.TP
+\fBIndirectData\fR = <\fIyes\fR|\fIno\fR> (no) [experimental]
+This option specifies whether other tinc daemons besides the one you
+specified with ConnectTo can make a direct connection to you. This is
+especially useful if you are behind a firewall and it is impossible to
+make a connection from the outside to your tinc daemon. Otherwise, it
+is best to leave this option out or set it to no.
+.TP
+\fBPort\fR = <\fIport number\fR> (655)
+The port on which this tinc daemon is listening for incoming connections.
+.TP
+\fBPublicKey\fR = <\fIkey\fR> [obsolete]
+The public RSA key of this tinc daemon. It will be used to cryptographically
+verify it's identity and to set up a secure connection.
+.TP
+\fBPublicKeyFile\fR = <\fIfilename\fR> [obsolete]
+The file in which the public RSA key of this tinc daemon resides.
+
+From version 1.0pre4 on tinc will store the public key directly into the
+host configuration file in PEM format, the above two options then are not
+necessary. Either the PEM format is used, or exactly
+one of the above two options must be specified
+in each host configuration file, if you want to be able to establish a
+connection with that host.
+.TP
+\fBSubnet\fR = <\fIaddress/masklength\fR>
+The subnet which this tinc daemon will serve. tinc tries to look up which other
+daemon it should send a packet to by searching the appropiate subnet. If the
+packet matches a subnet, it will be sent to the daemon who has this subnet in his
+host configuration file. Multiple subnet lines can be specified.
+
+At the moment, this directive is only used in the host configuration file of
+the local tinc daemon itself. In upcoming versions of tinc, it will be possible to
+restrict other hosts in which subnets they server.
+
+The subnets must be in a form like \fI192.168.1.0/24\fR, where 192.168.1.0 is the
+network address and 24 is the number of bits set in the netmask. Note that subnets
+like \fI192.168.1.1/24\fR are invalid! Read a networking howto/FAQ/guide if you
+don't understand this.
+.TP
+\fBTCPonly\fR = <\fIyes\fR|\fIno\fR> (no) [experimental]
+If this variable is set to yes, then the packets are tunnelled over a
+TCP connection instead of a UDP connection. This is especially useful
+for those who want to run a tinc daemon from behind a masquerading
+firewall, or if UDP packet routing is disabled somehow. This is
+experimental code, try this at your own risk. It may not work at all.
+Setting this options also implicitly sets IndirectData.
.SH "FILES"
.TP
\fI/etc/tinc/\fR
The top directory for configuration files.
.TP
-\fI/etc/tinc/\fBnn\fI/tincd.conf\fR
-The default name of the configuration file for net
-\fBnn\fR.
+\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR
+The default name of the server configuration file for net
+\fBnetname\fR.
+.TP
+\fI/etc/tinc/\fBnetname\fI/hosts/\fR
+Host configuration files are kept in this directory.
.TP
-\fI/etc/tinc/\fBnn\fI/passphrases/\fR
-Passphrases are kept in this directory. (See the section
-\fBPASSPHRASES\fR above).
+\fI/etc/tinc/\fBnetname\fI/tinc-up\fR
+If an executable file with this name exists, it will be executed
+right after the tinc daemon has connected to the tap device. It can
+be used to ifconfig the network interface.
+
+If the tapdevice is a tun/tap device, the evironment variable
+\fB$IFNAME\fR will be set to the name of the network interface.
+.TP
+\fI/etc/tinc/\fBnetname\fI/tinc-down\fR
+If an executable file with this name exists, it will be executed
+right before the tinc daemon is going to close it's connection to the
+tap device.
.PP
.SH "SEE ALSO"
-\fBtincd\fR(8), \fBgenauth\fR(8)
+\fBtincd\fR(8)
.TP
\fBhttp://tinc.nl.linux.org/\fR
+.TP
+\fBhttp://www.linuxdoc.org/LDP/nag2/\fR
.PP
The full documentation for
.B tinc
projects / tinc / blobdiff