@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
+An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
+any .conf file will be read.
+
These file consists of comments (lines started with a #) or assignments
in the form of
This is only used if ExperimentalProtocol is enabled.
@cindex ExperimentalProtocol
-@item ExperimentalProtocol = <yes|no> (no) [experimental]
-When this option is enabled, experimental protocol enhancements will be used.
+@item ExperimentalProtocol = <yes|no> (yes)
+When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
Ephemeral ECDH will be used for key exchanges,
and ECDSA will be used instead of RSA for authentication.
When enabled, an ECDSA key must have been generated before with
@samp{tinc generate-ecdsa-keys}.
-The experimental protocol may change at any time,
-and there is no guarantee that tinc will run stable when it is used.
@cindex Forwarding
@item Forwarding = <off|internal|kernel> (internal) [experimental]
Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
This feature may not work in all possible situations.
+@cindex LocalDiscoveryAddress
+@item LocalDiscoveryAddress <@var{address}>
+If this variable is specified, local discovery packets are sent to the given @var{address}.
+
@cindex Mode
@item Mode = <router|switch|hub> (router)
This option selects the way packets are routed to other daemons.
This option controls the amount of time MAC addresses are kept before they are removed.
This only has effect when Mode is set to "switch".
+@cindex MaxConnectionBurst
+@item MaxConnectionBurst = <@var{count}> (100)
+This option controls how many connections tinc accepts in quick succession.
+If there are more connections than the given number in a short time interval,
+tinc will reduce the number of accepted connections to only one per second,
+until the burst has passed.
+
@cindex Name
@item Name = <@var{name}> [required]
This is a symbolic name for this connection.
Increasing the priority may help to reduce latency and packet loss on the VPN.
@cindex Proxy
-@item Proxy = socks4 | socks4 | http | exec @var{...} [experimental]
+@item Proxy = socks4 | socks5 | http | exec @var{...} [experimental]
Use a proxy when making outgoing connections.
The following proxy types are currently supported:
Optionally, a @var{username} can be supplied which will be passed on to the proxy server.
@cindex socks5
-@item socks4 <@var{address}> <@var{port}> [<@var{username}> <@var{password}>]
+@item socks5 <@var{address}> <@var{port}> [<@var{username}> <@var{password}>]
Connect to the proxy using the SOCKS version 5 protocol.
If a @var{username} and @var{password} are given, basic username/password authentication will be used,
otherwise no authentication will be used.
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic.
-
@cindex StrictSubnets
-@item StrictSubnets <yes|no> (no) [experimental]
+@item StrictSubnets = <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
+Subnets learned via connections to other nodes and which are not
+present in the local host config files are ignored.
@cindex TunnelServer
@item TunnelServer = <yes|no> (no) [experimental]
must resolve to the external IP address where the host can be reached,
not the one that is internal to the VPN.
If no port is specified, the default Port is used.
+Multiple Address variables can be specified, in which case each address will be
+tried until a working connection has been established.
@cindex Cipher
@item Cipher = <@var{cipher}> (blowfish)
@cindex scripts
Apart from reading the server and host configuration files,
tinc can also run scripts at certain moments.
-Under Windows (not Cygwin), the scripts should have the extension .bat.
+Under Windows (not Cygwin), the scripts should have the extension @file{.bat} or @file{.cmd}.
@table @file
@cindex tinc-up
@item @value{sysconfdir}/tinc/@var{netname}/subnet-down
This script is started when a Subnet becomes unreachable.
+
+@item @value{sysconfdir}/tinc/@var{netname}/invitation-created
+This script is started when a new invitation has been created.
+
+@item @value{sysconfdir}/tinc/@var{netname}/invitation-accepted
+This script is started when an invitation has been used.
+
@end table
@cindex environment variables
The scripts are started without command line arguments,
but can make use of certain environment variables.
Under UNIX like operating systems the names of environment variables must be preceded by a $ in scripts.
-Under Windows, in @file{.bat} files, they have to be put between % signs.
+Under Windows, in @file{.bat} or @file{.cmd} files, they have to be put between % signs.
@table @env
@cindex NETNAME
@item SUBNET
When a subnet becomes (un)reachable, this is set to the subnet.
+@cindex WEIGHT
+@item WEIGHT
+When a subnet becomes (un)reachable, this is set to the subnet weight.
+
+@cindex INVITATION_FILE
+@item INVITATION_FILE
+When the @file{invitation-created} script is called,
+this is set to the file where the invitation details will be stored.
+
+@cindex INVITATION_URL
+@item INVITATION_URL
+When the @file{invitation-created} script is called,
+this is set to the invitation URL that has been created.
@end table
+Do not forget that under UNIX operating systems,
+you have to make the scripts executable, using the command @samp{chmod a+x script}.
+
@c ==================================================================
@node How to configure
@item exchange-all [--force]
The same as export-all followed by import.
+@item invite @var{name}
+Prepares an invitation for a new node with the given @var{name},
+and prints a short invitation URL that can be used with the join command.
+
+@item join [@var{URL}]
+Join an existing VPN using an invitation URL created using the invite command.
+If no @var{URL} is given, it will be read from standard input.
+
@item start [tincd options]
Start @samp{tincd}, optionally with the given extra options.
@item stop
Stop @samp{tincd}.
-@item restart
-Restart @samp{tincd}.
+@item restart [tincd options]
+Restart @samp{tincd}, optionally with the given extra options.
@item reload
Partially rereads configuration files. Connections to hosts whose host
Shows the PID of the currently running @samp{tincd}.
@item generate-keys [@var{bits}]
-Generate public/private keypair of @var{bits} length. If @var{bits} is not specified,
-1024 is the default. tinc will ask where you want to store the files,
-but will default to the configuration directory (you can use the -c or -n
-option).
+Generate both RSA and ECDSA keypairs (see below) and exit.
+tinc will ask where you want to store the files, but will default to the
+configuration directory (you can use the -c or -n option).
+
+@item generate-ecdsa-keys
+Generate public/private ECDSA keypair and exit.
+
+@item generate-rsa-keys [@var{bits}]
+Generate public/private RSA keypair and exit. If @var{bits} is omitted, the
+default length will be 2048 bits. When saving keys to existing files, tinc
+will not delete the old keys; you have to remove them manually.
@item dump [reachable] nodes
Dump a list of all known nodes in the VPN.
projects / tinc / blobdiff