@cindex UML
@item uml (not compiled in by default)
Create a UNIX socket with the filename specified by
-@var{Device}, or @file{@value{localstatedir}/run/@var{netname}.umlsocket}
+@var{Device}, or @file{@value{runstatedir}/@var{netname}.umlsocket}
if not specified.
Tinc will wait for a User Mode Linux instance to connect to this socket.
@item vde (not compiled in by default)
Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
using the UNIX socket specified by
-@var{Device}, or @file{@value{localstatedir}/run/vde.ctl}
+@var{Device}, or @file{@value{runstatedir}/vde.ctl}
if not specified.
@end table
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
@item kernel
-Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
+Incoming packets using the legacy protocol are always sent to the TUN/TAP device,
+even if the packets are not for the local node.
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
and can also help debugging.
+Incoming packets using the SPTPS protocol are dropped, since they are end-to-end encrypted.
@end table
@cindex Hostnames
@item --pidfile=@var{filename}
Store a cookie in @var{filename} which allows tinc to authenticate.
If unspecified, the default is
-@file{@value{localstatedir}/run/tinc.@var{netname}.pid}.
+@file{@value{runstatedir}/tinc.@var{netname}.pid}.
@item -o, --option=[@var{HOST}.]@var{KEY}=@var{VALUE}
Without specifying a @var{HOST}, this will set server configuration variable @var{KEY} to @var{VALUE}.
Write log entries to a file instead of to the system logging facility.
If @var{file} is omitted, the default is @file{@value{localstatedir}/log/tinc.@var{netname}.log}.
+@item --pidfile=@var{file}
+Write PID to @var{file} instead of @file{@value{runstatedir}/tinc.@var{netname}.pid}.
+
@item --bypass-security
Disables encryption and authentication.
Only useful for debugging.
The chroot is performed after all the initialization is done, after
writing pid files and opening network sockets.
-Note that this option alone does not do any good without -U/--user, below.
+This option is best used in combination with the -U/--user option described below.
-Note also that tinc can't run scripts anymore (such as tinc-down or host-up),
-unless it's setup to be runnable inside chroot environment.
+You will need to ensure the chroot environment contains all the files necessary
+for tinc to run correctly.
+Most importantly, for tinc to be able to resolve hostnames inside the chroot environment,
+you must copy @file{/etc/resolv.conf} into the chroot directory.
+If you want to be able to run scripts other than @file{tinc-up} in the chroot,
+you must ensure the appropriate shell is also installed in the chroot, along with all its dependencies.
This option is not supported on all platforms.
@item -U, --user=@var{user}
@item --pidfile=@var{filename}
Use the cookie from @var{filename} to authenticate with a running tinc daemon.
If unspecified, the default is
-@file{@value{localstatedir}/run/tinc.@var{netname}.pid}.
+@file{@value{runstatedir}/tinc.@var{netname}.pid}.
@item --force
Force some commands to work despite warnings.
projects / tinc / blobdiff