X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=doc%2Ftinc.texi;h=726655d337be8e6d6c105debfcbcb361a407542d;hp=ca399d5b2640be227d008d2dadadfeff045a5cae;hb=efd29fde85481e080a676f2ba780a528a90a9925;hpb=f0aa9641e82fb6e09c1e485366d14dddaa7f7c36 diff --git a/doc/tinc.texi b/doc/tinc.texi index ca399d5b..726655d3 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -1,5 +1,5 @@ \input texinfo @c -*-texinfo-*- -@c $Id: tinc.texi,v 1.8.4.19 2002/02/10 21:57:51 guus Exp $ +@c $Id: tinc.texi,v 1.8.4.27 2002/03/27 15:26:29 guus Exp $ @c %**start of header @setfilename tinc.info @settitle tinc Manual @@ -18,7 +18,7 @@ Copyright @copyright{} 1998-2002 Ivo Timmermans , Guus Sliepen and Wessel Dankers . -$Id: tinc.texi,v 1.8.4.19 2002/02/10 21:57:51 guus Exp $ +$Id: tinc.texi,v 1.8.4.27 2002/03/27 15:26:29 guus Exp $ Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are @@ -43,7 +43,7 @@ Copyright @copyright{} 1998-2002 Ivo Timmermans , Guus Sliepen and Wessel Dankers . -$Id: tinc.texi,v 1.8.4.19 2002/02/10 21:57:51 guus Exp $ +$Id: tinc.texi,v 1.8.4.27 2002/03/27 15:26:29 guus Exp $ Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are @@ -221,6 +221,8 @@ as this driver. These are: FreeBSD 3.x, 4.x, 5.x. tinc on OpenBSD relies on the tun driver for its data acquisition from the kernel. It has been verified to work under at least OpenBSD 2.9. +Tunneling IPv6 packets may not work on OpenBSD. + @c ================================================================== @subsection Solaris 
@@ -228,7 +230,9 @@ acquisition from the kernel. It has been verified to work under at least OpenBSD @cindex Solaris tinc on Solaris relies on the universal tun/tap driver for its data acquisition from the kernel. Therefore, tinc will work on the same platforms -as this driver. These are: Solaris, 2.1.x. +as this driver. These are: Solaris 8 (SunOS 5.8). + +IPv6 packets cannot be tunneled on Solaris. @c @@ -385,8 +389,8 @@ Unfortunately somebody still has to write the text. @subsection Configuration of Solaris kernels This section will contain information on how to configure your Solaris -kernel to support the universal tun/tap device. You need to install -this driver yourself. +kernel to support the universal tun/tap device. For Solaris 8 (SunOS 5.8), +this is included in the default kernel configuration. Unfortunately somebody still has to write the text. @@ -403,11 +407,12 @@ having installed it, configure will give you an error message, and stop. @menu * OpenSSL:: +* zlib:: @end menu @c ================================================================== -@node OpenSSL, , Libraries, Libraries +@node OpenSSL, zlib, Libraries, Libraries @subsection OpenSSL @cindex OpenSSL 
@@ -457,6 +462,29 @@ all other requirements of the GPL are met. @end quotation +@c ================================================================== +@node zlib, , OpenSSL, Libraries +@subsection zlib + +@cindex zlib +For the optional compression of UDP packets, tinc uses the functions provided +by the zlib library. + +If this library is not installed, you wil get an error when configuring +tinc for build. Support for running tinc without having zlib +installed @emph{may} be added in the future. + +You can use your operating system's package manager to install this if +available. Make sure you install the development AND runtime versions +of this package. + +If you have to install zlib manually, you can get the source code +from @url{http://www.gzip.org/zlib/}. Instructions on how to configure, +build and install this package are included within the package. Please +make sure you build development and runtime libraries (which is the +default). + + @c @c @c @@ -736,8 +764,14 @@ required directives are given in @strong{bold}. @subsection Main configuration variables @table @asis +@cindex AddressFamily +@item AddressFamily = (ipv4) [experimental] +This option affects the address family of listening and outgoing sockets. +If "any" is selected, then depending on the operating system +both IPv4 and IPv6 or just IPv6 listening sockets will be created. + @cindex BindToInterface -@item BindToInterface = +@item BindToInterface = [experimental] If you have more than one network interface in your computer, tinc will by default listen on all of them for incoming connections. It is possible to bind tinc to a single interface like eth0 or ppp0 with this @@ -745,17 +779,6 @@ variable. This option may not work on all platforms. -@cindex BindToIP -@item BindToIP =
-If your computer has more than one IP address on a single interface (for -example if you are running virtual hosts), tinc will by default listen -on all of them for incoming connections. It is possible to bind tinc to -a single IP address with this variable. It is still possible to listen -on several interfaces at the same time though, if they share the same IP -address. - -This option may not work on all platforms. - @cindex ConnectTo @item @strong{ConnectTo = } Specifies which host to connect to on startup. Multiple ConnectTo @@ -803,13 +826,15 @@ Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this @cindex switch @item switch In this mode the MAC addresses of the packets on the VPN will be used to -dynamically create a routing table just like a network switch does. -Unicast, multicast and broadcast packets of every ethernet protocol are supported in this mode +dynamically create a routing table just like an Ethernet switch does. +Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode at the cost of frequent broadcast ARP requests and routing table updates. @cindex hub @item hub -In this mode every packet will be broadcast to the other daemons. +This mode is almost the same as the switch mode, but instead +every packet will be broadcast to the other daemons +while no routing table is managed. @end table @cindex KeyExpire @@ -819,6 +844,11 @@ are valid. It is common practice to change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impossible to crack a single key. +@cindex MACExpire +@item MACExpire = (600) +This option controls the amount of time MAC addresses are kept before they are removed. +This only has effect when Mode is set to "switch". + @cindex Name @item @strong{Name = } This is a symbolic name for this connection. It can be anything 
@@ -830,6 +860,11 @@ probe to the other end. If that other end doesn't answer within that same amount of seconds, the connection is terminated, and the others will be notified of this. +@cindex PriorityInheritance +@item PriorityInheritance = (no) [experimental] +When this option is enabled the value of the TOS field of tunneled IPv4 packets +will be inherited by the UDP packets that are sent out. + @cindex PrivateKey @item PrivateKey = [obsolete] This is the RSA private key for tinc. However, for safety reasons it is @@ -865,6 +900,11 @@ not the one that is internal to the VPN. The symmetric cipher algorithm used to encrypt UDP packets. Any cipher supported by OpenSSL is recognized. +@cindex Compression +@item Compression = (0) +This option sets the level of compression used for UDP packets. +Possible values are 0 (off), 1 (fast) and any integer up to 9 (best). + @cindex Digest @item Digest = (sha1) The digest algorithm used to authenticate UDP packets. @@ -872,7 +912,7 @@ Any digest supported by OpenSSL is recognized. Furthermore, specifying "none" will turn off packet authentication. @cindex IndirectData -@item IndirectData = (no) [experimental] +@item IndirectData = (no) This option specifies whether other tinc daemons besides the one you specified with ConnectTo can make a direct connection to you. This is especially useful if you are behind a firewall and it is impossible to 
@@ -921,9 +961,13 @@ Multiple subnet lines can be specified for each daemon. Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single address is assumed, or they can be a IPv4 or IPv6 network address with a masklength. +Shorthand notations are not supported. For example, IPv4 subnets must be in a form like 192.168.1.0/24, where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask. Note that subnets like 192.168.1.1/24 are invalid! +Read a networking HOWTO/FAQ/guide if you don't understand this. +IPv6 subnets are notated like fec0:0:0:1:0:0:0:0/64. +MAC addresses are notated like 0:1a:2b:3c:4d:5e. @cindex CIDR notation masklength is the number of bits set to 1 in the netmask part; for @@ -936,8 +980,7 @@ example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes If this variable is set to yes, then the packets are tunnelled over a TCP connection instead of a UDP connection. This is especially useful for those who want to run a tinc daemon from behind a masquerading -firewall, or if UDP packet routing is disabled somehow. This is -experimental code, try this at your own risk. It may not work at all. +firewall, or if UDP packet routing is disabled somehow. Setting this options also implicitly sets IndirectData. @end table @@ -1031,8 +1074,7 @@ If you configured tinc to work in `switch' or `hub' mode, the hardware address s be set to a unique address instead of fe:fd:0:0:0:0. You can use the environment variable $INTERFACE to get the name of the interface. -If you are using the ethertap driver however, you need to replace it with tap@emph{N}, -corresponding to the device file name. +However, this might not be reliable. If in doubt, use the name of the interface explicitly. @cindex ifconfig The next line gives the interface an IP address and a netmask. 
@@ -1205,7 +1247,7 @@ In @file{/etc/tinc/company/tinc-up}: # Real interface of internal network: # ifconfig eth0 10.4.3.32 netmask 255.255.0.0 broadcast 10.4.255.255 -ifconfig company hw ether fe:fd:0a:04:03:20 +ifconfig company hw ether fe:fd:0:0:0:0 ifconfig company 10.4.3.32 netmask 255.0.0.0 ifconfig company -arp @end example @@ -1315,9 +1357,8 @@ in combination with -K). After that, tinc will quit. @item --help Display a short reminder of these runtime options and terminate. -@item -k, --kill -Attempt to kill a running tincd and exit. A TERM signal (15) gets sent -to the daemon that his its PID in @file{/var/run/tinc.NETNAME.pid}. +@item -k, --kill[=SIGNAL] +Attempt to kill a running tincd (optionally with the specified SIGNAL instead of SIGTERM) and exit. Use it in conjunction with the -n option to make sure you kill the right tinc daemon. @item -n, --net=NETNAME @@ -1632,8 +1673,13 @@ the tinc project after TINC. But in order to be ``immune'' to eavesdropping, you'll have to encrypt your data. Because tinc is a @emph{Secure} VPN (SVPN) daemon, it does exactly that: encrypt. -tinc uses blowfish encryption in CBC mode, sequence numbers and message authentication codes -to make sure eavesdroppers cannot get and cannot change any information at all from the packets they can intercept. +tinc by default uses blowfish encryption with 128 bit keys in CBC mode, 32 bit +sequence numbers and 4 byte long message authentication codes to make sure +eavesdroppers cannot get and cannot change any information at all from the +packets they can intercept. The encryption algorithm and message authentication +algorithm can be changed in the configuration. The length of the message +authentication codes is also adjustable. The length of the key for the +encryption algorithm is always the default length used by OpenSSL. @menu * Authentication protocol::
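Review bot: In hunk @@ -221,6 +221,8 @@ the added line "Tunneling IPv6 packets may not work on OpenBSD." is too vague for someone deciding whether to deploy; the Solaris hunk right below it gives a definite "IPv6 packets cannot be tunneled on Solaris.", so this one should say what is actually known: whether IPv6 tunneling was tested and failed, or simply has not been tested, and on which OpenBSD release, given that the surrounding text claims verification on OpenBSD 2.9.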
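Review bot: Typo in hunk @@ -457,6 +462,29 @@: "you wil get an error" should read "you will get an error", and "when configuring tinc for build" reads awkwardly; "when running configure" matches the wording used for OpenSSL earlier in this chapter. The sentence "Support for running tinc without having zlib installed @emph{may} be added in the future." is fine, but the section should also say that zlib is only exercised when Compression is set to a non-zero value, so readers know the dependency is a build-time requirement rather than a change in default behaviour.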
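Review bot: The new AddressFamily entry in hunk @@ -736,8 +764,14 @@ does not list its accepted values: the default "(ipv4)" and the value "any" are the only ones named, and the text about "both IPv4 and IPv6 or just IPv6 listening sockets" implies an IPv6-only setting exists. Add an explicit list of valid values before the explanation, and say which operating systems produce the "just IPv6" behaviour with "any", since an administrator who expects an IPv4 listener and gets none will otherwise not know why. The same hunk also marks BindToInterface "[experimental]" without saying what is experimental about it beyond the existing "This option may not work on all platforms."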
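Review bot: Hunk @@ -745,17 +779,6 @@ drops the BindToIP documentation entirely without telling existing users what happens to a configuration that still contains it. If the variable is still parsed, keep the entry and tag it "[obsolete]" the way PrivateKey is tagged in this chapter; if it is no longer recognised, say so and name the replacement, because the AddressFamily and BindToInterface entries added above do not cover binding to a single address on a multi-homed interface, which is the case this entry used to address.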
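Review bot: The MACExpire entry in hunk @@ -819,6 +844,11 @@ gives a default of "(600)" with no unit; PingTimeout in the same chapter is described in "seconds", so state the unit here as well ("the amount of time, in seconds, ..."). It would also help to say that the addresses are removed from the switch's learned address table rather than from the VPN, and whether a packet from a known address resets the timer.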
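Review bot: The PriorityInheritance entry in hunk @@ -830,6 +860,11 @@ should state the trade-off, not only the mechanism. Copying "the TOS field of tunneled IPv4 packets" onto the outer UDP packets puts one field of the otherwise encrypted payload in the clear for anyone who can observe the tunnel, which is a reasonable justification for the default of "(no)" and worth a sentence so administrators enable it knowingly. It should also say what happens for non-IPv4 payloads (IPv6, or Ethernet frames in switch and hub mode), since the text only covers IPv4.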
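Review bot: The Compression entry in hunk @@ -865,6 +900,11 @@ leaves two things an operator needs unstated. First, the valid range: "1 (fast) and any integer up to 9 (best)" should read as an explicit range from 0 to 9. Second, where compression sits relative to the encryption and authentication described in the security chapter, i.e. that a compressed packet is still encrypted with the configured Cipher and authenticated with the configured Digest, and whether the setting applies to packets this host sends, packets it receives, or both, because the sentence "This option sets the level of compression used for UDP packets." does not say which side must configure it.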
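Review bot: Style point in hunk @@ -921,9 +961,13 @@: "Read a networking HOWTO/FAQ/guide if you don't understand this." reads as dismissive in a reference manual; a neutral pointer such as "See the section on CIDR notation below." would serve the reader better, especially since the very next lines in the context already explain masklength. In the same hunk, "Shorthand notations are not supported." needs a precise definition: the IPv6 example "fec0:0:0:1:0:0:0:0/64" shows that "::" compression is not accepted, while the MAC example "0:1a:2b:3c:4d:5e" shows that single-digit groups are accepted, so say explicitly that leading zeros within a group may be omitted but groups may not be elided.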
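Review bot: Hunk @@ -936,8 +980,7 @@ removes the "try this at your own risk" warning from TCPOnly, which is fine if the code is now considered stable, but the trailing context line "Setting this options also implicitly sets IndirectData." still has a grammatical error ("this option") that could be fixed in the same change.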
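Review bot: In hunk @@ -1031,8 +1074,7 @@ the replacement sentence "However, this might not be reliable." does not say what "this" is or why. State that it is the $INTERFACE environment variable that may be unreliable and under which circumstances (which drivers or platforms fail to set it), otherwise the following advice "If in doubt, use the name of the interface explicitly." gives the reader no way to decide whether they are in doubt.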
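Review bot: Possible contradiction in hunk @@ -1205,7 +1247,7 @@: the example is changed to "ifconfig company hw ether fe:fd:0:0:0:0", but hunk @@ -1031 earlier in this patch says that in switch or hub mode the hardware address "should be set to a unique address instead of fe:fd:0:0:0:0". If this example is meant for router mode, a comment in the example saying so would prevent readers from copying it into a switch-mode setup; if it is a switch or hub example, the address needs to be a unique one as the earlier hunk prescribes.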
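Review bot: Hunk @@ -1315,9 +1357,8 @@ drops the only mention of the PID file, "@file{/var/run/tinc.NETNAME.pid}", when rewording the -k option. Administrators need that path to know which daemon -k will signal and to clean up stale files, so keep it in the new text. The new "--kill[=SIGNAL]" form should also say whether SIGNAL is accepted as a number, a name such as HUP, or both, and which signals the daemon handles meaningfully.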
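Review bot: The rewritten paragraph in hunk @@ -1632,8 +1673,13 @@ documents "4 byte long message authentication codes" as the default without noting that this is a truncated tag; the text says the length "is also adjustable" but does not name the variable that adjusts it or give any guidance on when to lengthen it. Add the variable name and a sentence that a longer MAC gives stronger protection against forged packets at the cost of a few bytes per packet, so the adjustable length is usable advice rather than a bare fact. Minor wording: "tinc by default uses blowfish encryption with 128 bit keys" and the closing "The length of the key for the encryption algorithm is always the default length used by OpenSSL." say the same thing twice in different ways; one sentence stating that the default key length comes from OpenSSL and is 128 bits for blowfish would be clearer.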