This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2013 Ivo Timmermans,
+Copyright @copyright{} 1998-2014 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2013 Ivo Timmermans,
+Copyright @copyright{} 1998-2014 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@cindex requirements
@cindex libraries
-Before you can configure or build tinc, you need to have the OpenSSL,
-zlib and lzo libraries installed on your system. If you try to configure tinc without
-having them installed, configure will give you an error message, and stop.
+Before you can configure or build tinc, you need to have the OpenSSL, zlib,
+lzo, curses and readline libraries installed on your system. If you try to
+configure tinc without having them installed, configure will give you an error
+message, and stop.
@menu
* OpenSSL::
both IPv4 and IPv6 or just IPv6 listening sockets will be created.
@cindex AutoConnect
-@item AutoConnect = <count> (0) [experimental]
-If set to a non-zero value,
-tinc will try to only have count meta connections to other nodes,
-by automatically making or breaking connections to known nodes.
-Higher values increase redundancy but also increase meta data overhead.
-When using this option, a good value is 3.
+@item AutoConnect = <yes|no> (no) [experimental]
+If set to yes, tinc will automatically set up meta connections to other nodes,
+without requiring @var{ConnectTo} variables.
@cindex BindToAddress
@item BindToAddress = <@var{address}> [<@var{port}>]
-If your computer has more than one IPv4 or IPv6 address, tinc
-will by default listen on all of them for incoming connections.
-Multiple BindToAddress variables may be specified,
-in which case listening sockets for each specified address are made.
-
-If no @var{port} is specified, the socket will be bound to the port specified by the Port option,
-or to port 655 if neither is given.
-To only bind to a specific port but not to a specific address, use "*" for the @var{address}.
+This is the same as ListenAddress, however the address given with the BindToAddress option
+will also be used for outgoing connections.
+This is useful if your computer has more than one IPv4 or IPv6 address,
+and you want tinc to only use a specific one for outgoing packets.
@cindex BindToInterface
@item BindToInterface = <@var{interface}> [experimental]
The names should be known to this tinc daemon
(i.e., there should be a host configuration file for the name on the ConnectTo line).
-If you don't specify a host with ConnectTo,
+If you don't specify a host with ConnectTo and don't enable AutoConnect,
tinc won't try to connect to other daemons at all,
and will instead just listen for incoming connections.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
-@cindex ECDSAPrivateKeyFile
-@item ECDSAPrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/ecdsa_key.priv})
-The file in which the private ECDSA key of this tinc daemon resides.
+@cindex Ed25519PrivateKeyFile
+@item Ed25519PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/ed25519_key.priv})
+The file in which the private Ed25519 key of this tinc daemon resides.
This is only used if ExperimentalProtocol is enabled.
@cindex ExperimentalProtocol
@item ExperimentalProtocol = <yes|no> (yes)
When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
Ephemeral ECDH will be used for key exchanges,
-and ECDSA will be used instead of RSA for authentication.
-When enabled, an ECDSA key must have been generated before with
-@samp{tinc generate-ecdsa-keys}.
+and Ed25519 will be used instead of RSA for authentication.
+When enabled, an Ed25519 key must have been generated before with
+@samp{tinc generate-ed25519-keys}.
@cindex Forwarding
@item Forwarding = <off|internal|kernel> (internal) [experimental]
Under Windows, this variable is used to select which network interface will be used.
If you specified a Device, this variable is almost always already correctly set.
+@cindex ListenAddress
+@item ListenAddress = <@var{address}> [<@var{port}>]
+If your computer has more than one IPv4 or IPv6 address, tinc
+will by default listen on all of them for incoming connections.
+This option can be used to restrict which addresses tinc listens on.
+Multiple ListenAddress variables may be specified,
+in which case listening sockets for each specified address are made.
+
+If no @var{port} is specified, the socket will listen on the port specified by the Port option,
+or to port 655 if neither is given.
+To only listen on a specific port but not to a specific address, use "*" for the @var{address}.
+
@cindex LocalDiscovery
@item LocalDiscovery = <yes | no> (no)
When enabled, tinc will try to detect peers that are on the same local network.
for those who want to run a tinc daemon from behind a masquerading
firewall, or if UDP packet routing is disabled somehow.
Setting this options also implicitly sets IndirectData.
+
+@cindex Weight
+@item Weight = <weight>
+If this variable is set, it overrides the weight given to connections made with
+another host. A higher weight means a lower priority is given to this
+connection when broadcasting or forwarding packets.
@end table
Name = @var{name}
@end example
-It will also create private RSA and ECDSA keys, which will be stored in the files @file{rsa_key.priv} and @file{ecdsa_key.priv}.
+It will also create private RSA and Ed25519 keys, which will be stored in the files @file{rsa_key.priv} and @file{ed25519_key.priv}.
It will also create a host configuration file @file{hosts/@var{name}},
-which will contain the corresponding public RSA and ECDSA keys.
+which will contain the corresponding public RSA and Ed25519 keys.
Finally, on UNIX operating systems, it will create an executable script @file{tinc-up},
which will initially not do anything except warning that you should edit it.
This will add a Subnet statement to your host configuration file.
Try opening the file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/@var{name}} in an editor.
-You should now see a file containing the public RSA and ECDSA keys (which looks like a bunch of random characters),
+You should now see a file containing the public RSA and Ed25519 keys (which looks like a bunch of random characters),
and the following line at the bottom:
@example
A, B, C and D all have their own public/private keypairs:
The private RSA key is stored in @file{@value{sysconfdir}/tinc/company/rsa_key.priv},
-the private ECDSA key is stored in @file{@value{sysconfdir}/tinc/company/ecdsa_key.priv},
-and the public RSA and ECDSA keys are put into the host configuration file in the @file{@value{sysconfdir}/tinc/company/hosts/} directory.
+the private Ed25519 key is stored in @file{@value{sysconfdir}/tinc/company/ed25519_key.priv},
+and the public RSA and Ed25519 keys are put into the host configuration file in the @file{@value{sysconfdir}/tinc/company/hosts/} directory.
@subsubheading Starting
@cindex init
@item init [@var{name}]
-Create initial configuration files and RSA and ECDSA keypairs with default length.
+Create initial configuration files and RSA and Ed25519 keypairs with default length.
If no @var{name} for this node is given, it will be asked for.
@cindex get
@cindex generate-keys
@item generate-keys [@var{bits}]
-Generate both RSA and ECDSA keypairs (see below) and exit.
+Generate both RSA and Ed25519 keypairs (see below) and exit.
tinc will ask where you want to store the files, but will default to the
configuration directory (you can use the -c or -n option).
-@cindex generate-ecdsa-keys
-@item generate-ecdsa-keys
-Generate public/private ECDSA keypair and exit.
+@cindex generate-ed25519-keys
+@item generate-ed25519-keys
+Generate public/private Ed25519 keypair and exit.
@cindex generate-rsa-keys
@item generate-rsa-keys [@var{bits}]
from where it can be redirected to a file or piped through a program that can parse it directly,
such as tcpdump.
+@cindex network [@var{netname}]
+@item network
+If @var{netname} is given, switch to that network.
+Otherwise, display a list of all networks for which configuration files exist.
+
@end table
@c ==================================================================
Where initiator_cipher_key is the key used by session initiator to encrypt
messages sent to the responder.
-When using 521 bits EC keys, the AES-256-CTR cipher and HMAC-SHA-256 digest algorithm,
+When using 256 bits Ed25519 keys, the AES-256-CTR cipher and HMAC-SHA-256 digest algorithm,
the sizes are as follows:
@example
-ECDH_SIZE: 67 (= ceil(521/8) + 1)
-ECDSA_SIZE: 141 (= 2 * ceil(521/8) + 9)
+ECDH_SIZE: 32 (= 256/8)
+ECDSA_SIZE: 64 (= 2 * 256/8)
CIPHER_KEYSIZE: 48 (= 256/8 + 128/8)
DIGEST_KEYSIZE: 32 (= 256/8)
@end example
projects / tinc / blobdiff