-.TH TINC 5 "March 1999" "tinc version 0.2.16" "FSF"
+.TH TINC 5 "May 2000" "tinc version 1.0" "FSF"
.SH NAME
-tincd.conf \- tinc daemon configuration
+tinc.conf \- tinc daemon configuration
.SH "DESCRIPTION"
The files in the \fI/etc/tinc\fR directory contain runtime and
security information for the \fBtinc\fR(8) daemon.
option. In this case, the network name would just be empty, and it
will be used as such. tinc now looks for files in \fI/etc/tinc/\fR,
instead of \fI/etc/tinc/\fBnn\fI/\fR; the configuration file should be
-\fI/etc/tinc/tincd.conf\fR, and the passphrases are now expected to be
+\fI/etc/tinc/tinc.conf\fR, and the passphrases are now expected to be
in \fI/etc/tinc/passphrases/\fR.
But it is highly recommended that you use this feature of tinc,
because it will be so much clearer whom your daemon talks to. Hence,
we will assume that you use it.
.PP
-.SH "PASSPHRASES"
-You should use the \fBgenauth\fR(8) program to generate passphrases.
-with, it accepts a single parameter, which is the number of bits the
-passphrase should be. Its output should be stored in
-\fI/etc/tinc/\fBnn\fI/passphrases/local\fR \-\- where \fBnn\fR stands
-for the network (See under \fBNETWORKS\fR) above.
+.SH "NAMES"
+Each tinc daemon should have a name that is unique in the network which
+it will be part of. The name will be used by other tinc daemons for
+identification. The name has to be declared in the
+\fI/etc/tinc/\fBnn\fI/tinc.conf\fR file.
-Please see the manpage for \fBgenauth\fR to learn more about setting
-up an authentication scheme.
+To make things easy, choose something that will give unique and easy
+to rememebr names to your tinc daemon(s).
+You could try things like hostnames, owner surnames or location names.
.PP
-.SH "CONFIGURATION"
-The actual configuration of the daemon is done in the file
-\fI/etc/tinc/\fBnn\fI/tincd.conf\fR.
+.SH "PUBLIC/PRIVATE KEYS"
+You should use \fBtincd --generate-keys\fR to generate public/private
+keypairs. It will generate two keys. The line containing the private
+key should be completely copied to \fI/etc/tinc/\fBnn\fI/tinc.conf\fR
+\-\- where \fBnn\fR stands for the network (See under \fBNETWORKS\fR)
+above. The line containing the public key should be completely copied
+to \fI/etc/tinc/\fBnn\fI/hosts/\fBname\fR \-\- where \fBname\fR stands
+for the name of the tinc daemon (See \fBNAMES\fR).
+.PP
+.SH "SERVER CONFIGURATION"
+The server configuration of the daemon is done in the file
+\fI/etc/tinc/\fBnn\fI/tinc.conf\fR.
This file consists of comments (lines started with a \fB#\fR) or
assignments in the form of
readability. If you leave it out, remember to replace it with at least
one space character.
.PP
-.SH "VARIABLES"
-.PP
-Here are all valid variables, listed in alphabetical order:
-.TP
-\fBAllowConnect = \fB(\fIyes\fB|\fIno\fB)\fR
-If set to \fIyes\fR, anyone may try to connect to you. If you set this
-to no, no incoming connections will be accepted. This does not affect
-the outgoing connections.
-.TP
-\fBConnectPort = \fIport\fR
-Connect to the upstream host (given with the \fBConnectTo\fR
-directive) on port \fIport\fR. \fIport\fR may be given in decimal
-(default), octal (when preceded by a single zero) or hexadecimal
-(prefixed with \fB0x\fR). \fIport\fR is the port number for both the
-UDP and the TCP (meta) connections.
-.TP
-\fBConnectTo = \fB(\fIIP address\fB|\fIhostname\fB)\fR
-Specifies which host to connect to on startup. If the
-\fBConnectPort\fR variable is omitted, then tinc will try to connect
-to port 655.
-
-If you don't specify a host with \fBConnectTo\fR, tinc won't connect
-at all, and will instead just listen for incoming connections. Only
-the initiator of a tinc VPN should need this.
+Here are all valid variables, listed in alphabetical order. The default
+value, required or optional is given between parentheses.
.TP
-\fBKeyExpire = \fIs\fR
-The secret (and public) key expires after \fIs\fR seconds. The default
-is 3600 seconds, or one hour.
+\fBConnectTo\fR = <\fIname\fR> (optional)
+Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables
+may be specified, if connecting to the first one fails then tinc will try
+the next one, and so on. The names should be known to this tinc daemon
+(i.e., there should be a host configuration file for the name on the ConnectTo
+line).
-If you make it shorter, a lot of time and bandwidth is spent
-negotiating over the new keys. If you make it longer, you make
-yourself more vulnerable to crackers, because they have more data to
-work with. The best value depends on the speed of the link, and the
-amount of data that goes over it.
-.TP
-\fBListenPort = \fIport\fR
-Listen on local port \fIport\fR. The computer connecting to this
-daemon should use this number as the argument for his
-\fBConnectPort\fR. Again, the default is 655.
-.TP
-\fBMyOwnVPNIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
-The \fInetwork address\fR is the number that the daemon will propagate
-to other daemons on the network when it is identifying itself. Hence
-this will be the file name of the passphrase file that the other end
-expects to find the passphrase in.
+If you don't specify a host with \fBConnectTo\fR, tinc won't connect at all,
+and will instead just listen for incoming connections.
+.TP
+\fBHostnames\fR = <\fIyes|no\fR> (no)
+This option selects whether IP addresses (both real and on the VPN) should
+be resolved. Since DNS lookups are blocking, it might affect tinc's
+efficiency, even stopping the daemon for a few seconds everytime it does
+a lookup if your DNS server is not responding.
-\fImaskbits\fR is the number of bits set to 1 in the netmask part.
+This does not affect resolving hostnames to IP addresses from the
+host configuration files.
.TP
-\fBMyVirtualIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
-This is an alias for \fBMyOwnVPNIP\fR.
+\fBKeyExpire\fR = <\fIseconds\fR> (3600)
+This option controls the time the encryption keys used to encrypt the data
+are valid. It is common practice to change keys at regular intervals to
+make it even harder for crackers, even though it is thought to be nearly
+impossible to crack a single key.
.TP
-\fBPassphrases = \fIdirectory\fR
-The directory where tinc will look for passphrases when someone tries
-to cennect. Please see the manpage for \fBgenauth\fR(8) for more
-information about passphrases as used by tinc.
+\fBName\fR = <\fIname\fR> (required)
+This is the name which identifies this tinc daemon. It must be unique for
+the virtual private network this daemon will connect to.
.TP
-\fBPingTimeout = \fInumber\fR
-The number of seconds of inactivity that tinc will wait before sending
-a probe to the other end. If that other end doesn't answer within that
+\fBPingTimeout\fR = <\fIseconds\fR> (5)
+The number of seconds of inactivity that tinc will wait before sending a
+probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
.TP
-\fBTapDevice = \fIdevice\fR
-The ethertap device to use. Note that you can only use one device per
+\fBPrivateKey\fR = <\fIkey\fR> (required)
+The private RSA key of this tinc daemon. It will allow this tinc daemon to
+authenticate itself to other daemons.
+.TP
+\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
+The ethertap or tun/tap device to use. tinc will automatically detect what
+kind of tapdevice it is.
+Note that you can only use one device per
daemon. The info pages of the tinc package contain more information
-about configuring an ethertap device for linux.
+about configuring an ethertap device for Linux.
.PP
+.SH "HOST CONFIGURATION FILES"
+The host configuration files contain all information needed to establish a
+connection to those hosts. A host configuration file is also required for the
+local tinc daemon, it will use it to read in it's listen port, public key and
+subnets.
+
+The idea is that these files are ``portable''. You can safely mail your own host
+configuration file to someone else. That other person can then copy it to his
+own hosts directory, and now his tinc daemon will be able to connect to your
+tinc daemon. Since host configuration files only contain public keys, no secrets
+are revealed by sending out this information.
+.PP
+.TP
+\fBAddress\fR = <\fIIP address\fR> (required)
+The real address or hostname of this tinc daemon.
+.TP
+\fBPort\fR = <\fIport number\fR> (655)
+The port on which this tinc daemon is listening for incoming connections.
+.TP
+\fBPublicKey\fR = <\fIkey\fR> (required)
+The public RSA key of this tinc daemon. It will be used to cryptographically
+verify it's identity and to set up a secure connection.
+.TP
+\fBSubnet\fR = <\fIaddress/masklength\fR> (optional)
+The subnet which this tinc daemon will serve. tinc tries to look up which other
+daemon it should send a packet to by searching the appropiate subnet. If the
+packet matches a subnet, it will be sent to the daemon who has this subnet in his
+host configuration file. Multiple subnet lines can be specified.
+
+At the moment, this directive is only used in the host configuration file of
+the local tinc daemon itself. In upcoming versions of tinc, it will be possible to
+restrict other hosts in which subnets they server.
+
+The subnets must be in a form like \fI192.168.1.0/24\fR, where 192.168.1.0 is the
+network address and 24 is the number of bits set in the netmask. Note that subnets
+like \fI192.168.1.1/24\fR are invalid! Read a networking howto/FAQ/guide if you
+don't understand this.
.SH "FILES"
.TP
\fI/etc/tinc/\fR
The top directory for configuration files.
.TP
-\fI/etc/tinc/\fBnn\fI/tincd.conf\fR
-The default name of the configuration file for net
+\fI/etc/tinc/\fBnn\fI/tinc.conf\fR
+The default name of the server configuration file for net
\fBnn\fR.
.TP
-\fI/etc/tinc/\fBnn\fI/passphrases/\fR
-Passphrases are kept in this directory. (See the section
-\fBPASSPHRASES\fR above).
+\fI/etc/tinc/\fBnn\fI/hosts/\fR
+Host configuration files are kept in this directory.
+.TP
+\fI/etc/tinc/\fBnn\fI/tinc-up\fR
+If an executable file with this name exists, it will be executed
+right after the tinc daemon has connected to the tap device. It can
+be used to ifconfig the network interface.
+
+If the tapdevice is a tun/tap device, the evironment variable
+\fB$IFNAME\fR will be set to the name of the network interface.
+.TP
+\fI/etc/tinc/\fBnn\fI/tinc-down\fR
+If an executable file with this name exists, it will be executed
+right before the tinc daemon is going to close it's connection to the
+tap device.
.PP
.SH "SEE ALSO"
-\fBtincd\fR(8), \fBgenauth\fR(8)
+\fBtincd\fR(8)
.TP
\fBhttp://tinc.nl.linux.org/\fR
+.TP
+\fBhttp://www.kernelnotes.org/guides/NAG/\fR
.PP
The full documentation for
.B tinc
projects / tinc / blobdiff