tinc
3 years agoReleasing 1.0.31. release-1.0.31
Guus Sliepen [Sun, 15 Jan 2017 14:50:49 +0000 (15:50 +0100)]
Releasing 1.0.31.

3 years agoRemove ExecStop in tinc@.service
Élie Bouttier [Mon, 31 Oct 2016 20:06:32 +0000 (21:06 +0100)]
Remove ExecStop in tinc@.service

This avoid tinc to receive SIGTERM twice (through ExecStop and through systemd
directly) which prevented tinc-down script to be executed.

3 years agoReleasing 1.0.30. release-1.0.30
Guus Sliepen [Sun, 30 Oct 2016 13:18:39 +0000 (14:18 +0100)]
Releasing 1.0.30.

3 years agoUse CFB mode for meta-connections to improve security.
Guus Sliepen [Sun, 30 Oct 2016 12:11:24 +0000 (13:11 +0100)]
Use CFB mode for meta-connections to improve security.

4 years agoUse AES in CTR mode instead of OFB mode for meta-connections.
Guus Sliepen [Sat, 29 Oct 2016 20:14:45 +0000 (22:14 +0200)]
Use AES in CTR mode instead of OFB mode for meta-connections.

This gives a very nice speedup while preserving the stream characteristics.

4 years agoReally fix byte budget calculation.
Guus Sliepen [Sat, 29 Oct 2016 20:10:32 +0000 (22:10 +0200)]
Really fix byte budget calculation.

We want to use the underlying cipher's block length, but if it's a stream
mode this will be 1. In that case, use the IV length. Ensure we never get
a budget that cannot be stored in a 64 bits integer.

Thanks to Wessel Dankers for helping getting this right.

4 years agoFix bit shifting arithmetic so the code actually does what the last commit message...
Guus Sliepen [Sat, 29 Oct 2016 18:56:43 +0000 (20:56 +0200)]
Fix bit shifting arithmetic so the code actually does what the last commit message says.

4 years agoEnforce maximum amount of bytes sent/received on meta-connections.
Guus Sliepen [Sat, 29 Oct 2016 17:51:35 +0000 (19:51 +0200)]
Enforce maximum amount of bytes sent/received on meta-connections.

This is sqrt(2^{block_length_in_bits}).

4 years agoUse AES256 and SHA256 by default, also for the meta-connections.
Guus Sliepen [Sat, 29 Oct 2016 13:24:34 +0000 (15:24 +0200)]
Use AES256 and SHA256 by default, also for the meta-connections.

At the start of the decade, there were still distributions that shipped
with versions of OpenSSL that did not support these algorithms. By now
everyone should support them. The old defaults were Blowfish and SHA1,
both of which are not considered secure anymore.

The meta-protocol now always uses AES in OFB mode, but the key length
will adapt to the one specified by the Cipher option. The digest for the
meta-protocol is hardcoded to SHA256.

4 years agoDelay sending the real ID request until after a proxy request is granted.
Guus Sliepen [Fri, 14 Oct 2016 12:44:06 +0000 (14:44 +0200)]
Delay sending the real ID request until after a proxy request is granted.

4 years agoLog only the first line of a proxy request rejection message.
Guus Sliepen [Fri, 14 Oct 2016 12:27:49 +0000 (14:27 +0200)]
Log only the first line of a proxy request rejection message.

4 years agoFix proxy reply parsing broken by the previous commit.
Guus Sliepen [Fri, 14 Oct 2016 12:27:19 +0000 (14:27 +0200)]
Fix proxy reply parsing broken by the previous commit.

4 years agoAllow non-empty lines after status code from a HTTP proxy.
Guus Sliepen [Thu, 13 Oct 2016 14:45:37 +0000 (16:45 +0200)]
Allow non-empty lines after status code from a HTTP proxy.

4 years agoReleasing 1.0.29. release-1.0.29
Guus Sliepen [Sun, 9 Oct 2016 13:42:14 +0000 (15:42 +0200)]
Releasing 1.0.29.

4 years agoFix compiler warnings about format string errors on BSD.
Guus Sliepen [Sun, 9 Oct 2016 13:16:42 +0000 (15:16 +0200)]
Fix compiler warnings about format string errors on BSD.

4 years agoFix possibly unitialized variable.
Guus Sliepen [Sun, 9 Oct 2016 13:09:52 +0000 (15:09 +0200)]
Fix possibly unitialized variable.

4 years agoAdd ax_require_defined.m4.
Guus Sliepen [Sun, 9 Oct 2016 12:38:35 +0000 (14:38 +0200)]
Add ax_require_defined.m4.

4 years agoAdd a copy of ax_append_flag.m4.
Guus Sliepen [Tue, 27 Sep 2016 12:18:20 +0000 (14:18 +0200)]
Add a copy of ax_append_flag.m4.

This is a dependency of ax_cflags_warn_all.m4.

4 years agoLog warnings about dropped packets only with debug level 5 or higher.
Guus Sliepen [Tue, 26 Jul 2016 14:47:02 +0000 (16:47 +0200)]
Log warnings about dropped packets only with debug level 5 or higher.

4 years agoForce nul-termination of strings after vsnprintf().
Guus Sliepen [Thu, 23 Jun 2016 13:32:47 +0000 (15:32 +0200)]
Force nul-termination of strings after vsnprintf().

Apparently, on Windows this function might not always be properly
terminated.

4 years agoCheck return value of RSA_generate_key_ex().
Guus Sliepen [Wed, 22 Jun 2016 15:42:13 +0000 (17:42 +0200)]
Check return value of RSA_generate_key_ex().

4 years agoAdd -Wall to CFLAGS.
Guus Sliepen [Wed, 22 Jun 2016 15:38:06 +0000 (17:38 +0200)]
Add -Wall to CFLAGS.

4 years agoEnsure compatibility with OpenSSL 1.1.0.
Guus Sliepen [Wed, 15 Jun 2016 09:12:09 +0000 (11:12 +0200)]
Ensure compatibility with OpenSSL 1.1.0.

4 years agoPreserve IPv6 scope_id in edges.
Guus Sliepen [Sun, 5 Jun 2016 13:23:07 +0000 (15:23 +0200)]
Preserve IPv6 scope_id in edges.

When creating an edge after authenticating a peer, we copy the address
used for the TCP connection, but change the port to that used for UDP.
But the way we did it discarded the scope_id for IPv6 addresses. This
prevented UDP communication from working correctly when connecting to a
peer on the same LAN using an IPv6 link-local address.

Thanks to Rafał Leśniak for pointing out this issue.

4 years agoReleasing 1.0.28. release-1.0.28
Guus Sliepen [Sun, 10 Apr 2016 13:08:01 +0000 (15:08 +0200)]
Releasing 1.0.28.

4 years agoUpdate links in the documentation.
Guus Sliepen [Sun, 10 Apr 2016 13:04:59 +0000 (15:04 +0200)]
Update links in the documentation.

4 years agoExplicitly mention that LibreSSL can be used as well.
Guus Sliepen [Sun, 10 Apr 2016 12:47:21 +0000 (14:47 +0200)]
Explicitly mention that LibreSSL can be used as well.

4 years agoEnsure the service files are in the tarball.
Guus Sliepen [Sun, 10 Apr 2016 12:30:20 +0000 (14:30 +0200)]
Ensure the service files are in the tarball.

4 years agoUpdate .gitignore.
Guus Sliepen [Sun, 10 Apr 2016 12:13:53 +0000 (14:13 +0200)]
Update .gitignore.

4 years agoAdd systemd service files.
Guus Sliepen [Sun, 10 Apr 2016 12:13:44 +0000 (14:13 +0200)]
Add systemd service files.

4 years agoReally remove use of __DATE__ and __TIME__ to facilitate reproducible builds.
Guus Sliepen [Sun, 10 Apr 2016 11:41:54 +0000 (13:41 +0200)]
Really remove use of __DATE__ and __TIME__ to facilitate reproducible builds.

4 years agoFix compiling bsd/device.c on systems without utun.
Guus Sliepen [Sun, 10 Apr 2016 11:40:42 +0000 (13:40 +0200)]
Fix compiling bsd/device.c on systems without utun.

4 years agoReleasing 1.0.27. release-1.0.27
Guus Sliepen [Sat, 9 Apr 2016 22:50:15 +0000 (00:50 +0200)]
Releasing 1.0.27.

4 years agoAdd support for OS X utun interfaces.
Guus Sliepen [Sat, 9 Apr 2016 22:05:13 +0000 (00:05 +0200)]
Add support for OS X utun interfaces.

4 years agoEnable silent builds by default.
Guus Sliepen [Sat, 9 Apr 2016 20:17:47 +0000 (22:17 +0200)]
Enable silent builds by default.

Cleaner build messages make it easier to spot compiler warnings and errors.
Use make V=1 to get the verbose output back.

4 years agoUse SIOCGIFADDR on BSDs that support it.
Guus Sliepen [Sat, 9 Apr 2016 16:40:09 +0000 (18:40 +0200)]
Use SIOCGIFADDR on BSDs that support it.

4 years agoUse devname() if available to support devfs cloning on BSD.
Guus Sliepen [Sat, 9 Apr 2016 16:39:40 +0000 (18:39 +0200)]
Use devname() if available to support devfs cloning on BSD.

Some BSD flavors allow opening /dev/tun and/or /dev/tap, which automatically
create a new tun or tap interface with an unused number. To find out which
number the interface got, you have to call devname() on the device file
that was opened.

The semantics are different from the way Linux's /dev/tun works though.
In particular, after closing the device, the interface will continue to exist.
Restarting tincd would cause the old interface to stay around, and a new
one to be created. One could add a tinc-down script with the following line:

ifconfig $INTERFACE destroy

But that is still no guarantee that restarting tinc will give you the same
interface. So the default tun and tap device will stay /dev/tun0 and /dev/tap0
for all BSD flavors to avoid surprises for existing users.

4 years agoEvery BSD flavor has a tap device nowadays.
Guus Sliepen [Sat, 9 Apr 2016 16:30:48 +0000 (18:30 +0200)]
Every BSD flavor has a tap device nowadays.

4 years agoGet rid of a warning when compiling tinc using MinGW.
Guus Sliepen [Sat, 9 Apr 2016 14:11:00 +0000 (16:11 +0200)]
Get rid of a warning when compiling tinc using MinGW.

Because Windows has the wrong declaration of setsockopt().

4 years agoCast 0xff to char before comparing it to another char.
Guus Sliepen [Sat, 9 Apr 2016 14:00:08 +0000 (16:00 +0200)]
Cast 0xff to char before comparing it to another char.

Clang warned about this.

4 years agoRemove use of __DATE__ and __TIME__ to facilitate reproducible builds.
Guus Sliepen [Sat, 9 Apr 2016 13:42:12 +0000 (15:42 +0200)]
Remove use of __DATE__ and __TIME__ to facilitate reproducible builds.

4 years agoUpdate copyright notices.
Guus Sliepen [Sat, 9 Apr 2016 13:21:26 +0000 (15:21 +0200)]
Update copyright notices.

4 years agoUse iface instead of interface.
Guus Sliepen [Fri, 8 Apr 2016 16:09:30 +0000 (18:09 +0200)]
Use iface instead of interface.

This was accidentally added in commit 2f03a5d.

4 years agoUpdate THANKS.
Guus Sliepen [Fri, 8 Apr 2016 16:05:24 +0000 (18:05 +0200)]
Update THANKS.

4 years agoUpdate .gitignore.
Guus Sliepen [Fri, 8 Apr 2016 16:03:35 +0000 (18:03 +0200)]
Update .gitignore.

4 years agoDon't compile getopt*.c if the system provides getopt_long().
Guus Sliepen [Fri, 8 Apr 2016 15:49:49 +0000 (17:49 +0200)]
Don't compile getopt*.c if the system provides getopt_long().

4 years agoProofing README.
LunarShaddow [Tue, 8 Mar 2016 07:28:11 +0000 (15:28 +0800)]
Proofing README.

4 years agore-arrange include sequence to avoid a mingw introduced bug.
LunarShaddow [Mon, 7 Mar 2016 07:43:04 +0000 (15:43 +0800)]
re-arrange include sequence to avoid a mingw introduced bug.
refers: https://www.cygwin.com/ml/cygwin/2012-12/msg00194.html

4 years agofix typo
LunarShaddow [Mon, 7 Mar 2016 07:42:34 +0000 (15:42 +0800)]
fix typo

4 years agoFix forwarding of edge updates.
Guus Sliepen [Sun, 28 Feb 2016 15:28:28 +0000 (16:28 +0100)]
Fix forwarding of edge updates.

Commit e4670fc accidentily prevented ADD_EDGE messages from propagating
in some cases.

4 years agoAdd warnings for bad combinations of Device and Interface.
Guus Sliepen [Sat, 27 Feb 2016 13:46:01 +0000 (14:46 +0100)]
Add warnings for bad combinations of Device and Interface.

On Linux, the name of the tun/tap interface can be set freely. However,
on most other operating systems, tinc cannot change the name of the
interface. In those situations, it is possible to specify a Device and
an Interface that conflict with each other. On BSD, this can cause
$INTERFACE to be set incorrectly, on Windows, this results in a
potentially unreliable way in which a TAP-Win32 interface is selected.

4 years agoSmall fixes for the documentation.
Guus Sliepen [Sat, 27 Feb 2016 13:22:36 +0000 (14:22 +0100)]
Small fixes for the documentation.

4 years agoClarify that scripts are called synchronously.
Guus Sliepen [Sat, 27 Feb 2016 13:21:53 +0000 (14:21 +0100)]
Clarify that scripts are called synchronously.

4 years agoImprove performance of edge updates.
Guus Sliepen [Sat, 27 Feb 2016 13:18:20 +0000 (14:18 +0100)]
Improve performance of edge updates.

4 years agoFix warnings from the Clang Static Analyzer.
Guus Sliepen [Mon, 16 Nov 2015 13:33:39 +0000 (14:33 +0100)]
Fix warnings from the Clang Static Analyzer.

These were all harmless.

4 years agoFix compatibility with TAP-Win32 9.0.0.21 and later.
Guus Sliepen [Mon, 18 Jan 2016 12:58:46 +0000 (13:58 +0100)]
Fix compatibility with TAP-Win32 9.0.0.21 and later.

Tinc was a bit sloppy writing packets to the TAP-Win32 device using
overlapped I/O. It worked with older versions of the driver, but it
caused lots of dropped packets with newer versions of the driver (that
use the NDIS 6 API).

4 years agoOnly add a reflexive address when we're sure it's working.
Guus Sliepen [Thu, 14 Jan 2016 14:07:22 +0000 (15:07 +0100)]
Only add a reflexive address when we're sure it's working.

4 years agoAdd ability to use proxies to connect to hostnames when there is no nameserver.
Guus Sliepen [Fri, 6 Nov 2015 07:48:35 +0000 (08:48 +0100)]
Add ability to use proxies to connect to hostnames when there is no nameserver.

This adds support for SOCKS4a, and enhances the support for SOCKS5 and
HTTP.

4 years agoUpdate "now" after connect() when making outgoing connections.
Guus Sliepen [Sun, 1 Nov 2015 20:07:56 +0000 (21:07 +0100)]
Update "now" after connect() when making outgoing connections.

It could be that address resolution takes a long time, don't let that
count against a connection. This is especially important when using a
nameserver from the VPN.

5 years agoAttribution for various contributors.
Guus Sliepen [Fri, 30 Oct 2015 14:46:54 +0000 (15:46 +0100)]
Attribution for various contributors.

5 years agoRemove forward declaration for do_decrement_ttl.
Vittorio Gambaletta (VittGam) [Fri, 25 Sep 2015 14:51:51 +0000 (16:51 +0200)]
Remove forward declaration for do_decrement_ttl.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
5 years agos/broadcast_packet_helper/route_broadcast/
Vittorio Gambaletta (VittGam) [Fri, 25 Sep 2015 13:35:28 +0000 (15:35 +0200)]
s/broadcast_packet_helper/route_broadcast/

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
5 years agoFix DecrementTTL option for packets destined to the local node.
Vittorio Gambaletta (VittGam) [Fri, 25 Sep 2015 02:52:25 +0000 (04:52 +0200)]
Fix DecrementTTL option for packets destined to the local node.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
5 years agoAdd missing AM_PROG_CC_C_O to configure.ac.
Guus Sliepen [Thu, 24 Sep 2015 15:08:29 +0000 (17:08 +0200)]
Add missing AM_PROG_CC_C_O to configure.ac.

5 years agoFix invalid checksum generation.
Nathan Stratton Treadway [Sat, 12 Sep 2015 14:33:52 +0000 (16:33 +0200)]
Fix invalid checksum generation.

Use equation 3 given in RFC 1624 and the UpdateTTL() example function given
RFC 1141.

5 years agoTry to reply with node address only when decrementing the TTL.
Vittorio Gambaletta (VittGam) [Fri, 4 Sep 2015 15:04:03 +0000 (17:04 +0200)]
Try to reply with node address only when decrementing the TTL.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
5 years agoFix source IP address for ICMP unreachable packets generated by tinc.
Vittorio Gambaletta (VittGam) [Fri, 4 Sep 2015 02:00:57 +0000 (04:00 +0200)]
Fix source IP address for ICMP unreachable packets generated by tinc.

Try to send ICMP unreachable replies from an address assigned to the
local machine, instead of the destination address of the original
packet.

The address is found by looking up the route towards the sender of
the packet that generated the error; in usual configurations, this
is the tinc interface.

This also fixes the traceroute display in mtr when using the
DecrementTTL option.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
5 years agoFix DecrementTTL option.
Vittorio Gambaletta (VittGam) [Thu, 3 Sep 2015 14:02:50 +0000 (16:02 +0200)]
Fix DecrementTTL option.

The option was not actually working, as it could be seen on traceroute or mtr.

The problem is that it was checking if the TTL was < 1 (so equal to 0) before decrementing it.

This meant that a packet with a TTL of 1 was being sent with a TTL of 0 on the VPN, instead of being discarded with the ICMP error message.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
5 years agoFix NAME variable in subnet-* scripts for local subnets.
Florian Weik [Fri, 28 Aug 2015 12:52:21 +0000 (14:52 +0200)]
Fix NAME variable in subnet-* scripts for local subnets.

5 years agoReleasing 1.0.26. release-1.0.26
Guus Sliepen [Sun, 5 Jul 2015 14:12:07 +0000 (16:12 +0200)]
Releasing 1.0.26.

5 years agoDon't try to call res_init() if ./configure told us it doesn't exist.
Guus Sliepen [Sun, 5 Jul 2015 14:04:11 +0000 (16:04 +0200)]
Don't try to call res_init() if ./configure told us it doesn't exist.

5 years agoFix unputenv() on Windows.
Guus Sliepen [Sun, 5 Jul 2015 14:03:22 +0000 (16:03 +0200)]
Fix unputenv() on Windows.

5 years agoOnly check for -fno-strict-overflow if -fwrapv does not work.
Guus Sliepen [Sun, 5 Jul 2015 14:03:03 +0000 (16:03 +0200)]
Only check for -fno-strict-overflow if -fwrapv does not work.

5 years agoAttribution for various contributors.
Guus Sliepen [Sun, 5 Jul 2015 13:31:24 +0000 (15:31 +0200)]
Attribution for various contributors.

5 years agoUpdate copyright notices.
Guus Sliepen [Sun, 5 Jul 2015 13:26:57 +0000 (15:26 +0200)]
Update copyright notices.

5 years agoFix spelling of FORTIFY_SOURCE.
Guus Sliepen [Sun, 5 Jul 2015 13:26:03 +0000 (15:26 +0200)]
Fix spelling of FORTIFY_SOURCE.

5 years agoFix autoconf check for function attributes.
Guus Sliepen [Sun, 7 Jun 2015 20:25:22 +0000 (22:25 +0200)]
Fix autoconf check for function attributes.

GCC warns when a function attribute has no effect. The autoconf check
turns warnings about attributes into errors, therefore thinking that
they did not work. The reason was that the test function returned void,
which is not suitable for checking both __malloc__ and
__warn_unused_result__.

5 years agoReturn non-zero exit code when encountering configuration errors during startup.
Guus Sliepen [Sun, 5 Jul 2015 12:42:18 +0000 (14:42 +0200)]
Return non-zero exit code when encountering configuration errors during startup.

5 years agofix musl compatibility
Jo-Philipp Wich [Thu, 18 Jun 2015 21:58:31 +0000 (23:58 +0200)]
fix musl compatibility

Let configure include sys/if_tun.h when testing for netinet/if_ether.h
to detect the Kernel/libc header conflict on musl.

After this patch, configure will correctly detect netinet/if_ether.h as
unusable and the subsequent compilation will not attempt to use it.

5 years agoNever call putenv() with data on the stack.
Guus Sliepen [Sun, 3 May 2015 18:06:12 +0000 (20:06 +0200)]
Never call putenv() with data on the stack.

Even though we are using putenv() here to remove items from the
environment, there is no guarantee that putenv() doesn't add the
argument to the environment anyway. In that case, we have to make sure
that it doesn't go away. We also don't want a memory leak, so keep a
list of things we unputenv()ed around, so we can reuse things.

Thanks to Poul-Henning Kamp for pointing out this problem.

5 years agoFix --logfile without a filename on Windows.
Guus Sliepen [Tue, 14 Apr 2015 09:20:24 +0000 (11:20 +0200)]
Fix --logfile without a filename on Windows.

On Windows, the log filename now defaults to "tinc.log" in the same
directory as tinc.conf.

5 years agoAlways call res_init() before getaddrinfo().
Guus Sliepen [Mon, 9 Feb 2015 14:06:12 +0000 (15:06 +0100)]
Always call res_init() before getaddrinfo().

Unfortunately, glibc assumes that /etc/resolv.conf is a static file that
never changes. Even on servers, /etc/resolv.conf might be a dynamically
generated file, and we never know when it changes. So just call
res_init() every time, so glibc uses up-to-date nameserver information.

5 years agoAttribution for Saverio Proto.
Guus Sliepen [Mon, 9 Feb 2015 14:05:57 +0000 (15:05 +0100)]
Attribution for Saverio Proto.

5 years agoUse VittGam's real name.
Guus Sliepen [Mon, 22 Dec 2014 19:57:38 +0000 (20:57 +0100)]
Use VittGam's real name.

5 years agoReleasing 1.0.25. release-1.0.25
Guus Sliepen [Mon, 22 Dec 2014 17:20:25 +0000 (18:20 +0100)]
Releasing 1.0.25.

5 years agoCheck whether res_init() really lives in libresolv.
Guus Sliepen [Mon, 22 Dec 2014 17:17:11 +0000 (18:17 +0100)]
Check whether res_init() really lives in libresolv.

On some platforms (Mac OS X for example), the res_init() function requires
linking with libresolv. On others (Linux, OpenBSD for example), res_init()
lives in libc.

5 years agoUpdate documentation for Mac OS X.
Guus Sliepen [Mon, 22 Dec 2014 15:29:23 +0000 (16:29 +0100)]
Update documentation for Mac OS X.

5 years agoAutomatically choose a tap device on Mac OS X when using switch Mode.
Guus Sliepen [Mon, 22 Dec 2014 15:28:41 +0000 (16:28 +0100)]
Automatically choose a tap device on Mac OS X when using switch Mode.

5 years agoAttribution for various contributors.
Guus Sliepen [Mon, 22 Dec 2014 14:33:35 +0000 (15:33 +0100)]
Attribution for various contributors.

5 years agoRemember ToS/Diffserv priority for each socket individually.
Guus Sliepen [Mon, 22 Dec 2014 14:18:17 +0000 (15:18 +0100)]
Remember ToS/Diffserv priority for each socket individually.

5 years agoSupport ToS/DiffServ priority handling for IPv6 meta and UDP connections.
VittGam [Sun, 21 Dec 2014 13:29:40 +0000 (14:29 +0100)]
Support ToS/DiffServ priority handling for IPv6 meta and UDP connections.

6 years agoConfigure minimum reconnect timeouts.
Tomislav Čohar [Tue, 26 Aug 2014 22:25:12 +0000 (00:25 +0200)]
Configure minimum reconnect timeouts.

Enable the configuration of minimum reconnect timeout via a
configuration directive "MinTimeout". This functionality is missing in
the default tinc stable distribution. The minimum timeout is, in code,
set to 0 seconds. This patch makes it configurable.

You might ask yourself why is that needed at all ?

Well, we've been using tinc with success for quite some time in a cross DC
setup. Tinc is used to create a virtual network switch and to connect our
distributed database nodes into a virtual local network. Our database nodes
exchange information, synchronize and do failover over the created
tinc-backed network.

Every now and then, when a node has a physical networking issue and is
unreachable by some or all neighboring nodes, tinc will relay traffic over
reachable neighboring nodes and thus save our cluster. But, sometimes,
especially when BGP route changes take place, minor outages of physical
connectivity towards some nodes may cause tinc to become as reliable as
packet-loss is :).

Tinc is fast, it can and does re-establish a lost connection in a jiffy,
but it cannot detect the reason for the loss of the connection. A
re-established connection might last for a few seconds (ping timeout) to
get lost again just because the packet loss is huge at that time. Then it
reconnects again and the story repeats itself.

This process keeps repeating until the physical network stabilizes. Packet
loss on a physical link means disaster in a database replication scenario.
In such cases it is better for tinc to remain disconnected from the
unreachable/destabilized nodes for some time and relay traffic over the
reachable (unaffected) nodes then to use an unreliable route.

This patch enables us to slow down the re-connection process and eliminate
application level issues we had.

6 years agoFixed tinc-up script calling on Win32.
Borg [Sat, 28 Jun 2014 12:58:09 +0000 (14:58 +0200)]
Fixed tinc-up script calling on Win32.

It was called too early. Simple sleep fixes the issue.

6 years agoGet MAC of TAP device.
Borg [Sat, 28 Jun 2014 12:33:07 +0000 (14:33 +0200)]
Get MAC of TAP device.

This fixes initial communication problems since
mymac is NOT properly initialized.

6 years agoFix some typos in the manual.
Jochen Voss [Thu, 26 Jun 2014 11:10:46 +0000 (12:10 +0100)]
Fix some typos in the manual.

6 years agoFixed scripts calling under Win32.
Borg [Mon, 23 Jun 2014 21:13:03 +0000 (23:13 +0200)]
Fixed scripts calling under Win32.

When using 'ScriptsInterpreter' variable, we incorrectly
checked for '.bat' ending scripts while later building
scriptname without extension.

6 years agoAdd support to link against libresolv Mac OS X
Alexis Hildebrandt [Sun, 22 Jun 2014 14:43:15 +0000 (16:43 +0200)]
Add support to link against libresolv Mac OS X

6 years agoUse the description from the 1.1 man page for the IndirectData option
Baptiste Jonglez [Fri, 20 Jun 2014 06:56:30 +0000 (15:56 +0900)]
Use the description from the 1.1 man page for the IndirectData option

6 years agoFix date of last NEWS entry.
Guus Sliepen [Sun, 15 Jun 2014 10:06:20 +0000 (12:06 +0200)]
Fix date of last NEWS entry.

6 years agoUpdate README.android
David Pflug [Wed, 11 Jun 2014 12:00:02 +0000 (08:00 -0400)]
Update README.android

- More openssl security fixes.
- The tinc repo doesn't need to be cloned into openssl's directory.