X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=doc%2Ftinc.conf.5;fp=doc%2Ftinc.conf.5;h=d6d8f5047ebb5461da96ca8c8095cc713b1080db;hp=0000000000000000000000000000000000000000;hb=bd0325655867b1dff740d52d0505773bba0606a6;hpb=a9247e6f2c57bda9dc62ed050f41048847109e83 diff --git a/doc/tinc.conf.5 b/doc/tinc.conf.5 new file mode 100644 index 00000000..d6d8f504 --- /dev/null +++ b/doc/tinc.conf.5 
@@ -0,0 +1,159 @@ +.TH TINC 5 "March 1999" "tinc version 0.2.16" "FSF" +.SH NAME +tincd.conf \- tinc daemon configuration +.SH "DESCRIPTION" +The files in the \fI/etc/tinc\fR directory contain runtime and +security information for the \fBtinc\fR(8) daemon. +.PP +.SH "NETWORKS" +It is perfectly ok for you to run more than one tinc daemon. However, +in its default form, you will soon notice that you can't use two +different configuration files without the \fI-c\fR option. + +We have thought of another way of dealing with this: network +names. This means that you call \fBtincd\fR with the \fI-n\fR argument, +which will assign a name to this daemon. + +The effect of this is that the daemon will set its configuration +``root'' to \fI/etc/tinc/\fBnn\fI/\fR, where \fBnn\fR is your argument +to the \fI-n\fR option. You'll notice that it appears in syslog as +``tincd.\fBnn\fR''. + +However, it is not strictly necessary that you call tinc with the -n +option. In this case, the network name would just be empty, and it +will be used as such. tinc now looks for files in \fI/etc/tinc/\fR, +instead of \fI/etc/tinc/\fBnn\fI/\fR; the configuration file should be +\fI/etc/tinc/tincd.conf\fR, and the passphrases are now expected to be +in \fI/etc/tinc/passphrases/\fR. + +But it is highly recommended that you use this feature of tinc, +because it will be so much clearer whom your daemon talks to. Hence, +we will assume that you use it. +.PP +.SH "PASSPHRASES" +You should use the \fBgenauth\fR(8) program to generate passphrases. +with, it accepts a single parameter, which is the number of bits the +passphrase should be. Its output should be stored in +\fI/etc/tinc/\fBnn\fI/passphrases/local\fR \-\- where \fBnn\fR stands +for the network (See under \fBNETWORKS\fR) above. + +Please see the manpage for \fBgenauth\fR to learn more about setting +up an authentication scheme. 
+.PP +.SH "CONFIGURATION" +The actual configuration of the daemon is done in the file +\fI/etc/tinc/\fBnn\fI/tincd.conf\fR. + +This file consists of comments (lines started with a \fB#\fR) or +assignments in the form of +.PP +.Vb 1 +\& \fIVariable \fB= \fIValue\fR. +.Ve +.PP +The variable names are case insensitive, and any spaces, tabs, +newlines and carriage returns are ignored. \fINote\fR: it is not +required that you put in the \fB=\fR sign, but doing so improves +readability. If you leave it out, remember to replace it with at least +one space character. +.PP +.SH "VARIABLES" +.PP +Here are all valid variables, listed in alphabetical order: +.TP +\fBAllowConnect = \fB(\fIyes\fB|\fIno\fB)\fR +If set to \fIyes\fR, anyone may try to connect to you. If you set this +to no, no incoming connections will be accepted. This does not affect +the outgoing connections. +.TP +\fBConnectPort = \fIport\fR +Connect to the upstream host (given with the \fBConnectTo\fR +directive) on port \fIport\fR. \fIport\fR may be given in decimal +(default), octal (when preceded by a single zero) or hexadecimal +(prefixed with \fB0x\fR). \fIport\fR is the port number for both the +UDP and the TCP (meta) connections. +.TP +\fBConnectTo = \fB(\fIIP address\fB|\fIhostname\fB)\fR +Specifies which host to connect to on startup. If the +\fBConnectPort\fR variable is omitted, then tinc will try to connect +to port 655. + +If you don't specify a host with \fBConnectTo\fR, tinc won't connect +at all, and will instead just listen for incoming connections. Only +the initiator of a tinc VPN should need this. +.TP +\fBKeyExpire = \fIs\fR +The secret (and public) key expires after \fIs\fR seconds. The default +is 3600 seconds, or one hour. + +If you make it shorter, a lot of time and bandwidth is spent +negotiating over the new keys. If you make it longer, you make +yourself more vulnerable to crackers, because they have more data to +work with. 
The best value depends on the speed of the link, and the +amount of data that goes over it. +.TP +\fBListenPort = \fIport\fR +Listen on local port \fIport\fR. The computer connecting to this +daemon should use this number as the argument for his +\fBConnectPort\fR. Again, the default is 655. +.TP +\fBMyOwnVPNIP = \fInetwork address\fR[\fB/\fImaskbits\fR] +The \fInetwork address\fR is the number that the daemon will propagate +to other daemons on the network when it is identifying itself. Hence +this will be the file name of the passphrase file that the other end +expects to find the passphrase in. + +\fImaskbits\fR is the number of bits set to 1 in the netmask part. +.TP +\fBMyVirtualIP = \fInetwork address\fR[\fB/\fImaskbits\fR] +This is an alias for \fBMyOwnVPNIP\fR. +.TP +\fBPassphrases = \fIdirectory\fR +The directory where tinc will look for passphrases when someone tries +to cennect. Please see the manpage for \fBgenauth\fR(8) for more +information about passphrases as used by tinc. +.TP +\fBPingTimeout = \fInumber\fR +The number of seconds of inactivity that tinc will wait before sending +a probe to the other end. If that other end doesn't answer within that +same amount of seconds, the connection is terminated, and the others +will be notified of this. +.TP +\fBTapDevice = \fIdevice\fR +The ethertap device to use. Note that you can only use one device per +daemon. The info pages of the tinc package contain more information +about configuring an ethertap device for linux. +.PP +.SH "FILES" +.TP +\fI/etc/tinc/\fR +The top directory for configuration files. +.TP +\fI/etc/tinc/\fBnn\fI/tincd.conf\fR +The default name of the configuration file for net +\fBnn\fR. +.TP +\fI/etc/tinc/\fBnn\fI/passphrases/\fR +Passphrases are kept in this directory. (See the section +\fBPASSPHRASES\fR above). +.PP +.SH "SEE ALSO" +\fBtincd\fR(8), \fBgenauth\fR(8) +.TP +\fBhttp://tinc.nl.linux.org/\fR +.PP +The full documentation for +.B tinc +is maintained as a Texinfo manual. 
If the +.B info +and +.B tinc +programs are properly installed at your site, the command +.IP +.B info tinc +.PP +should give you access to the complete manual. +.PP +tinc comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions; +see the file COPYING for details.
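Review bot: the PASSPHRASES section has a broken sentence and the VARIABLES section leaves several defaults undocumented. "You should use the \fBgenauth\fR(8) program to generate passphrases. with, it accepts a single parameter," reads as two sentences fused together; suggest "...to generate passphrases. It accepts a single parameter, which is the number of bits the passphrase should be." Under \fBPassphrases\fR, "cennect" should be "connect", and because this variable changes where the daemon reads authentication material from, its default (\fI/etc/tinc/\fBnn\fI/passphrases/\fR, already named in the FILES section) should be stated here as well. \fBAllowConnect\fR and \fBPingTimeout\fR give no default either, while \fBConnectPort\fR, \fBListenPort\fR and \fBKeyExpire\fR do; an operator needs to know whether incoming connections are accepted when \fBAllowConnect\fR is omitted, and how long an unresponsive peer lingers when \fBPingTimeout\fR is omitted. Finally, the header is inconsistent with itself: the file is doc/tinc.conf.5 and .TH names it TINC, but the NAME line says "tincd.conf" and the body refers to \fI/etc/tinc/tincd.conf\fR; pick one spelling so the installed page name and the text agree.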