- .Dd 2014-05-11
- .Dt TINC.CONF 5
- .\" Manual page created by:
- .\" Ivo Timmermans
- .\" Guus Sliepen <guus@tinc-vpn.org>
- .Sh NAME
- .Nm tinc.conf
- .Nd tinc daemon configuration
- .Sh DESCRIPTION
- The files in the
- .Pa @sysconfdir@/tinc/
- directory contain runtime and security information for the tinc daemon.
- .Sh NETWORKS
- It is perfectly ok for you to run more than one tinc daemon.
- However, in its default form,
- you will soon notice that you can't use two different configuration files without the
- .Fl c
- option.
- .Pp
- We have thought of another way of dealing with this: network names.
- This means that you call
- .Nm
- with the
- .Fl n
- option, which will assign a name to this daemon.
- .Pp
- The effect of this is that the daemon will set its configuration root to
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ,
- where
- .Ar NETNAME
- is your argument to the
- .Fl n
- option.
- You'll notice that messages appear in syslog as coming from
- .Nm tincd. Ns Ar NETNAME .
- .Pp
- However, it is not strictly necessary that you call tinc with the
- .Fl n
- option.
- In this case, the network name would just be empty,
- and it will be used as such.
- .Nm tinc
- now looks for files in
- .Pa @sysconfdir@/tinc/ ,
- instead of
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ;
- the configuration file should be
- .Pa @sysconfdir@/tinc/tinc.conf ,
- and the host configuration files are now expected to be in
- .Pa @sysconfdir@/tinc/hosts/ .
- .Pp
- But it is highly recommended that you use this feature of
- .Nm tinc ,
- because it will be so much clearer whom your daemon talks to.
- Hence, we will assume that you use it.
- .Sh NAMES
- Each tinc daemon should have a name that is unique in the network which it will be part of.
- The name will be used by other tinc daemons for identification.
- The name has to be declared in the
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
- file.
- .Pp
- To make things easy,
- choose something that will give unique and easy to remember names to your tinc daemon(s).
- You could try things like hostnames, owner surnames or location names.
- .Sh PUBLIC/PRIVATE KEYS
- You should use
- .Ic tincd -K
- to generate public/private keypairs.
- It will generate two keys.
- The private key should be stored in a separate file
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv
- \-\- where
- .Ar NETNAME
- stands for the network (see
- .Sx NETWORKS )
- above.
- The public key should be stored in the host configuration file
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Va NAME
- \-\- where
- .Va NAME
- stands for the name of the local tinc daemon (see
- .Sx NAMES ) .
- .Sh SERVER CONFIGURATION
- The server configuration of the daemon is done in the file
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .
- This file consists of comments (lines started with a
- .Li # )
- or assignments in the form of:
- .Pp
- .Va Variable Li = Ar Value .
- .Pp
- The variable names are case insensitive, and any spaces, tabs,
- newlines and carriage returns are ignored.
- Note: it is not required that you put in the
- .Li =
- sign, but doing so improves readability.
- If you leave it out, remember to replace it with at least one space character.
- .Pp
- The server configuration is complemented with host specific configuration (see the next section).
- Although all configuration options for the local host listed in this document can also be put in
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf ,
- it is recommended to put host specific configuration options in the host configuration file,
- as this makes it easy to exchange with other nodes.
- .Pp
- Here are all valid variables, listed in alphabetical order.
- The default value is given between parentheses.
- .Bl -tag -width indent
- .It Va AddressFamily Li = ipv4 | ipv6 | any Pq any
- This option affects the address family of listening and outgoing sockets.
- If
- .Qq any
- is selected, then depending on the operating system both IPv4 and IPv6 or just
- IPv6 listening sockets will be created.
- .It Va BindToAddress Li = Ar address Oo Ar port Oc Bq experimental
- If your computer has more than one IPv4 or IPv6 address,
- .Nm tinc
- will by default listen on all of them for incoming connections.
- Multiple
- .Va BindToAddress
- variables may be specified,
- in which case listening sockets for each specified address are made.
- .Pp
- If no
- .Ar port
- is specified, the socket will be bound to the port specified by the
- .Va Port
- option, or to port 655 if neither is given.
- To only bind to a specific port but not to a specific address, use
- .Li *
- for the
- .Ar address .
- .Pp
- This option may not work on all platforms.
- .It Va BindToInterface Li = Ar interface Bq experimental
- If your computer has more than one network interface,
- .Nm tinc
- will by default listen on all of them for incoming connections.
- It is possible to bind only to a single interface with this variable.
- .Pp
- This option may not work on all platforms.
- Also, on some platforms it will not actually bind to an interface,
- but rather to the address that the interface has at the moment a socket is created.
- .It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental
- This option selects the way broadcast packets are sent to other daemons.
- NOTE: all nodes in a VPN must use the same
- .Va Broadcast
- mode, otherwise routing loops can form.
- .Bl -tag -width indent
- .It no
- Broadcast packets are never sent to other nodes.
- .It mst
- Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.
- This ensures broadcast packets reach all nodes.
- .It direct
- Broadcast packets are sent directly to all nodes that can be reached directly.
- Broadcast packets received from other nodes are never forwarded.
- If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
- .El
- .It Va ConnectTo Li = Ar name
- Specifies which other tinc daemon to connect to on startup.
- Multiple
- .Va ConnectTo
- variables may be specified,
- in which case outgoing connections to each specified tinc daemon are made.
- The names should be known to this tinc daemon
- (i.e., there should be a host configuration file for the name on the
- .Va ConnectTo
- line).
- .Pp
- If you don't specify a host with
- .Va ConnectTo ,
- .Nm tinc
- won't try to connect to other daemons at all,
- and will instead just listen for incoming connections.
- .It Va DecrementTTL Li = yes | no Po no Pc Bq experimental
- When enabled,
- .Nm tinc
- will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets,
- before forwarding a received packet to the virtual network device or to another node,
- and will drop packets that have a TTL value of zero,
- in which case it will send an ICMP Time Exceeded packet back.
- .Pp
- Do not use this option if you use switch mode and want to use IPv6.
- .It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc
- The virtual network device to use.
- .Nm tinc
- will automatically detect what kind of device it is.
- Note that you can only use one device per daemon.
- Under Windows, use
- .Va Interface
- instead of
- .Va Device .
- The info pages of the tinc package contain more information
- about configuring the virtual network device.
- .It Va DeviceType Li = Ar type Pq platform dependent
- The type of the virtual network device.
- Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used.
- However, this option can be used to select one of the special interface types, if support for them is compiled in.
- .Bl -tag -width indent
- .It dummy
- Use a dummy interface.
- No packets are ever read or written to a virtual network device.
- Useful for testing, or when setting up a node that only forwards packets for other nodes.
- .It raw_socket
- Open a raw socket, and bind it to a pre-existing
- .Va Interface
- (eth0 by default).
- All packets are read from this interface.
- Packets received for the local node are written to the raw socket.
- However, at least on Linux, the operating system does not process IP packets destined for the local host.
- .It multicast
- Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using
- .Va Device .
- Packets are read from and written to this multicast socket.
- This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address.
- Do NOT connect multiple
- .Nm tinc
- daemons to the same multicast address, this will very likely cause routing loops.
- Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
- .It uml Pq not compiled in by default
- Create a UNIX socket with the filename specified by
- .Va Device ,
- or
- .Pa @localstatedir@/run/ Ns Ar NETNAME Ns Pa .umlsocket
- if not specified.
- .Nm tinc
- will wait for a User Mode Linux instance to connect to this socket.
- .It vde Pq not compiled in by default
- Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
- using the UNIX socket specified by
- .Va Device ,
- or
- .Pa @localstatedir@/run/vde.ctl
- if not specified.
- .El
- Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
- it can be used to change the way packets are interpreted:
- .Bl -tag -width indent
- .It tun Pq BSD and Linux
- Set type to tun.
- Depending on the platform, this can either be with or without an address family header (see below).
- .It tunnohead Pq BSD
- Set type to tun without an address family header.
- Tinc will expect packets read from the virtual network device to start with an IP header.
- On some platforms IPv6 packets cannot be read from or written to the device in this mode.
- .It tunifhead Pq BSD
- Set type to tun with an address family header.
- Tinc will expect packets read from the virtual network device
- to start with a four byte header containing the address family,
- followed by an IP header.
- This mode should support both IPv4 and IPv6 packets.
- .It tap Pq BSD and Linux
- Set type to tap.
- Tinc will expect packets read from the virtual network device
- to start with an Ethernet header.
- .El
- .It Va DirectOnly Li = yes | no Po no Pc Bq experimental
- When this option is enabled, packets that cannot be sent directly to the destination node,
- but which would have to be forwarded by an intermediate node, are dropped instead.
- When combined with the IndirectData option,
- packets for nodes for which we do not have a meta connection with are also dropped.
- .It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
- This option selects the way indirect packets are forwarded.
- .Bl -tag -width indent
- .It off
- Incoming packets that are not meant for the local node,
- but which should be forwarded to another node, are dropped.
- .It internal
- Incoming packets that are meant for another node are forwarded by tinc internally.
- .Pp
- This is the default mode, and unless you really know you need another forwarding mode, don't change it.
- .It kernel
- Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
- This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
- and can also help debugging.
- .El
- .It Va GraphDumpFile Li = Ar filename Bq experimental
- If this option is present,
- .Nm tinc
- will dump the current network graph to the file
- .Ar filename
- every minute, unless there were no changes to the graph.
- The file is in a format that can be read by graphviz tools.
- If
- .Ar filename
- starts with a pipe symbol |,
- then the rest of the filename is interpreted as a shell command
- that is executed, the graph is then sent to stdin.
- .It Va Hostnames Li = yes | no Pq no
- This option selects whether IP addresses (both real and on the VPN) should
- be resolved. Since DNS lookups are blocking, it might affect tinc's
- efficiency, even stopping the daemon for a few seconds every time it does
- a lookup if your DNS server is not responding.
- .Pp
- This does not affect resolving hostnames to IP addresses from the
- host configuration files, but whether hostnames should be resolved while logging.
- .It Va IffOneQueue Li = yes | no Po no Pc Bq experimental
- (Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
- .It Va Interface Li = Ar interface
- Defines the name of the interface corresponding to the virtual network device.
- Depending on the operating system and the type of device this may or may not actually set the name of the interface.
- Under Windows, this variable is used to select which network interface will be used.
- If you specified a
- .Va Device ,
- this variable is almost always already correctly set.
- .It Va KeyExpire Li = Ar seconds Pq 3600
- This option controls the period the encryption keys used to encrypt the data are valid.
- It is common practice to change keys at regular intervals to make it even harder for crackers,
- even though it is thought to be nearly impossible to crack a single key.
- .It Va LocalDiscovery Li = yes | no Po no Pc Bq experimental
- When enabled,
- .Nm tinc
- will try to detect peers that are on the same local network.
- This will allow direct communication using LAN addresses, even if both peers are behind a NAT
- and they only ConnectTo a third node outside the NAT,
- which normally would prevent the peers from learning each other's LAN address.
- .Pp
- Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
- This feature may not work in all possible situations.
- .It Va MACExpire Li = Ar seconds Pq 600
- This option controls the amount of time MAC addresses are kept before they are removed.
- This only has effect when
- .Va Mode
- is set to
- .Qq switch .
- .It Va MaxTimeout Li = Ar seconds Pq 900
- This is the maximum delay before trying to reconnect to other tinc daemons.
- .It Va Mode Li = router | switch | hub Pq router
- This option selects the way packets are routed to other daemons.
- .Bl -tag -width indent
- .It router
- In this mode
- .Va Subnet
- variables in the host configuration files will be used to form a routing table.
- Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.
- .Pp
- This is the default mode, and unless you really know you need another mode, don't change it.
- .It switch
- In this mode the MAC addresses of the packets on the VPN will be used to
- dynamically create a routing table just like an Ethernet switch does.
- Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
- at the cost of frequent broadcast ARP requests and routing table updates.
- .Pp
- This mode is primarily useful if you want to bridge Ethernet segments.
- .It hub
- This mode is almost the same as the switch mode, but instead
- every packet will be broadcast to the other daemons
- while no routing table is managed.
- .El
- .It Va Name Li = Ar name Bq required
- This is the name which identifies this tinc daemon.
- It must be unique for the virtual private network this daemon will connect to.
- The Name may only consist of alphanumeric and underscore characters.
- If
- .Va Name
- starts with a
- .Li $ ,
- then the contents of the environment variable that follows will be used.
- In that case, invalid characters will be converted to underscores.
- If
- .Va Name
- is
- .Li $HOST ,
- but no such environment variable exist, the hostname will be read using the gethostnname() system call.
- .It Va PingInterval Li = Ar seconds Pq 60
- The number of seconds of inactivity that
- .Nm tinc
- will wait before sending a probe to the other end.
- .It Va PingTimeout Li = Ar seconds Pq 5
- The number of seconds to wait for a response to pings or to allow meta
- connections to block. If the other end doesn't respond within this time,
- the connection is terminated,
- and the others will be notified of this.
- .It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental
- When this option is enabled the value of the TOS field of tunneled IPv4 packets
- will be inherited by the UDP packets that are sent out.
- .It Va PrivateKey Li = Ar key Bq obsolete
- The private RSA key of this tinc daemon.
- It will allow this tinc daemon to authenticate itself to other daemons.
- .It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc
- The file in which the private RSA key of this tinc daemon resides.
- .It Va ProcessPriority Li = low | normal | high
- When this option is used the priority of the tincd process will be adjusted.
- Increasing the priority may help to reduce latency and packet loss on the VPN.
- .It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
- Use a proxy when making outgoing connections.
- The following proxy types are currently supported:
- .Bl -tag -width indent
- .It socks4 Ar address Ar port Op Ar username
- Connects to the proxy using the SOCKS version 4 protocol.
- Optionally, a
- .Ar username
- can be supplied which will be passed on to the proxy server.
- Only IPv4 connections can be proxied using SOCKS 4.
- .It socks5 Ar address Ar port Op Ar username Ar password
- Connect to the proxy using the SOCKS version 5 protocol.
- If a
- .Ar username
- and
- .Ar password
- are given, basic username/password authentication will be used,
- otherwise no authentication will be used.
- .It http Ar address Ar port
- Connects to the proxy and sends a HTTP CONNECT request.
- .It exec Ar command
- Executes the given
- .Ar command
- which should set up the outgoing connection.
- The environment variables
- .Ev NAME ,
- .Ev NODE ,
- .Ev REMOTEADDRES
- and
- .Ev REMOTEPORT
- are available.
- .El
- .It Va ReplayWindow Li = Ar bytes Pq 16
- This is the size of the replay tracking window for each remote node, in bytes.
- The window is a bitfield which tracks 1 packet per bit, so for example
- the default setting of 16 will track up to 128 packets in the window. In high
- bandwidth scenarios, setting this to a higher value can reduce packet loss from
- the interaction of replay tracking with underlying real packet loss and/or
- reordering. Setting this to zero will disable replay tracking completely and
- pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
- traffic.
- .It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
- When this option is enabled tinc will only use Subnet statements which are
- present in the host config files in the local
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
- directory. Subnets learned via connections to other nodes and which are not
- present in the local host config files are ignored.
- .It Va TunnelServer Li = yes | no Po no Pc Bq experimental
- When this option is enabled tinc will no longer forward information between other tinc daemons,
- and will only allow connections with nodes for which host config files are present in the local
- .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
- directory.
- Setting this options also implicitly sets StrictSubnets.
- .It Va UDPRcvBuf Li = Ar bytes Pq OS default
- Sets the socket receive buffer size for the UDP socket, in bytes.
- If unset, the default buffer size will be used by the operating system.
- .It Va UDPSndBuf Li = Ar bytes Pq OS default
- Sets the socket send buffer size for the UDP socket, in bytes.
- If unset, the default buffer size will be used by the operating system.
- .El
- .Sh HOST CONFIGURATION FILES
- The host configuration files contain all information needed
- to establish a connection to those hosts.
- A host configuration file is also required for the local tinc daemon,
- it will use it to read in it's listen port, public key and subnets.
- .Pp
- The idea is that these files are portable.
- You can safely mail your own host configuration file to someone else.
- That other person can then copy it to his own hosts directory,
- and now his tinc daemon will be able to connect to your tinc daemon.
- Since host configuration files only contain public keys,
- no secrets are revealed by sending out this information.
- .Bl -tag -width indent
- .It Va Address Li = Ar address Oo Ar port Oc Bq recommended
- The IP address or hostname of this tinc daemon on the real network.
- This will only be used when trying to make an outgoing connection to this tinc daemon.
- Optionally, a port can be specified to use for this address.
- Multiple
- .Va Address
- variables can be specified, in which case each address will be tried until a working
- connection has been established.
- .It Va Cipher Li = Ar cipher Pq blowfish
- The symmetric cipher algorithm used to encrypt UDP packets.
- Any cipher supported by OpenSSL is recognised.
- Furthermore, specifying
- .Qq none
- will turn off packet encryption.
- It is best to use only those ciphers which support CBC mode.
- .It Va ClampMSS Li = yes | no Pq yes
- This option specifies whether tinc should clamp the maximum segment size (MSS)
- of TCP packets to the path MTU. This helps in situations where ICMP
- Fragmentation Needed or Packet too Big messages are dropped by firewalls.
- .It Va Compression Li = Ar level Pq 0
- This option sets the level of compression used for UDP packets.
- Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
- 10 (fast lzo) and 11 (best lzo).
- .It Va Digest Li = Ar digest Pq sha1
- The digest algorithm used to authenticate UDP packets.
- Any digest supported by OpenSSL is recognised.
- Furthermore, specifying
- .Qq none
- will turn off packet authentication.
- .It Va IndirectData Li = yes | no Pq no
- This option specifies whether other tinc daemons besides the one you specified with
- .Va ConnectTo
- can make a direct connection to you.
- This is especially useful if you are behind a firewall
- and it is impossible to make a connection from the outside to your tinc daemon.
- Otherwise, it is best to leave this option out or set it to no.
- .It Va MACLength Li = Ar length Pq 4
- The length of the message authentication code used to authenticate UDP packets.
- Can be anything from
- .Qq 0
- up to the length of the digest produced by the digest algorithm.
- .It Va PMTU Li = Ar mtu Po 1514 Pc
- This option controls the initial path MTU to this node.
- .It Va PMTUDiscovery Li = yes | no Po yes Pc
- When this option is enabled, tinc will try to discover the path MTU to this node.
- After the path MTU has been discovered, it will be enforced on the VPN.
- .It Va Port Li = Ar port Pq 655
- The port number on which this tinc daemon is listening for incoming connections,
- which is used if no port number is specified in an
- .Va Address
- statement.
- .It Va PublicKey Li = Ar key Bq obsolete
- The public RSA key of this tinc daemon.
- It will be used to cryptographically verify it's identity and to set up a secure connection.
- .It Va PublicKeyFile Li = Ar filename Bq obsolete
- The file in which the public RSA key of this tinc daemon resides.
- .Pp
- From version 1.0pre4 on
- .Nm tinc
- will store the public key directly into the host configuration file in PEM format,
- the above two options then are not necessary.
- Either the PEM format is used, or exactly one of the above two options must be specified
- in each host configuration file,
- if you want to be able to establish a connection with that host.
- .It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight
- The subnet which this tinc daemon will serve.
- .Nm tinc
- tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
- If the packet matches a subnet,
- it will be sent to the daemon who has this subnet in his host configuration file.
- Multiple
- .Va Subnet
- variables can be specified.
- .Pp
- Subnets can either be single MAC, IPv4 or IPv6 addresses,
- in which case a subnet consisting of only that single address is assumed,
- or they can be a IPv4 or IPv6 network address with a prefixlength.
- For example, IPv4 subnets must be in a form like 192.168.1.0/24,
- where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask.
- Note that subnets like 192.168.1.1/24 are invalid!
- Read a networking HOWTO/FAQ/guide if you don't understand this.
- IPv6 subnets are notated like fec0:0:0:1::/64.
- MAC addresses are notated like 0:1a:2b:3c:4d:5e.
- .Pp
- A Subnet can be given a weight to indicate its priority over identical Subnets
- owned by different nodes. The default weight is 10. Lower values indicate
- higher priority. Packets will be sent to the node with the highest priority,
- unless that node is not reachable, in which case the node with the next highest
- priority will be tried, and so on.
- .It Va TCPOnly Li = yes | no Pq no Bq obsolete
- If this variable is set to yes,
- then the packets are tunnelled over the TCP connection instead of a UDP connection.
- This is especially useful for those who want to run a tinc daemon
- from behind a masquerading firewall,
- or if UDP packet routing is disabled somehow.
- Setting this options also implicitly sets IndirectData.
- .Pp
- Since version 1.0.10, tinc will automatically detect whether communication via
- UDP is possible or not.
- .El
- .Sh SCRIPTS
- Apart from reading the server and host configuration files,
- tinc can also run scripts at certain moments.
- Under Windows (not Cygwin), the scripts should have the extension
- .Pa .bat .
- .Bl -tag -width indent
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
- This is the most important script.
- If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device.
- It should be used to set up the corresponding network interface,
- but can also be used to start other things.
- Under Windows you can use the Network Connections control panel instead of creating this script.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
- This script is started right before the tinc daemon quits.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up
- This script is started when the tinc daemon with name
- .Ar HOST
- becomes reachable.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -down
- This script is started when the tinc daemon with name
- .Ar HOST
- becomes unreachable.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-up
- This script is started when any host becomes reachable.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-down
- This script is started when any host becomes unreachable.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-up
- This script is started when a Subnet becomes reachable.
- The Subnet and the node it belongs to are passed in environment variables.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down
- This script is started when a Subnet becomes unreachable.
- .El
- .Pp
- The scripts are started without command line arguments, but can make use of certain environment variables.
- Under UNIX like operating systems the names of environment variables must be preceded by a
- .Li $
- in scripts.
- Under Windows, in
- .Pa .bat
- files, they have to be put between
- .Li %
- signs.
- .Bl -tag -width indent
- .It Ev NETNAME
- If a netname was specified, this environment variable contains it.
- .It Ev NAME
- Contains the name of this tinc daemon.
- .It Ev DEVICE
- Contains the name of the virtual network device that tinc uses.
- .It Ev INTERFACE
- Contains the name of the virtual network interface that tinc uses.
- This should be used for commands like
- .Pa ifconfig .
- .It Ev NODE
- When a host becomes (un)reachable, this is set to its name.
- If a subnet becomes (un)reachable, this is set to the owner of that subnet.
- .It Ev REMOTEADDRESS
- When a host becomes (un)reachable, this is set to its real address.
- .It Ev REMOTEPORT
- When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons.
- .It Ev SUBNET
- When a subnet becomes (un)reachable, this is set to the subnet.
- .It Ev WEIGHT
- When a subnet becomes (un)reachable, this is set to the subnet weight.
- .El
- .Pp
- Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command
- .Nm chmod Li a+x Pa script .
- .Sh FILES
- The most important files are:
- .Bl -tag -width indent
- .It Pa @sysconfdir@/tinc/
- The top directory for configuration files.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
- The default name of the server configuration file for net
- .Ar NETNAME .
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/
- Optional directory from which any *.conf file will be loaded
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
- Host configuration files are kept in this directory.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
- If an executable file with this name exists,
- it will be executed right after the tinc daemon has connected to the virtual network device.
- It can be used to set up the corresponding network interface.
- .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
- If an executable file with this name exists,
- it will be executed right before the tinc daemon is going to close
- its connection to the virtual network device.
- .El
- .Sh SEE ALSO
- .Xr tincd 8 ,
- .Pa http://www.tinc-vpn.org/ ,
- .Pa http://www.tldp.org/LDP/nag2/ .
- .Pp
- The full documentation for
- .Nm tinc
- is maintained as a Texinfo manual.
- If the info and tinc programs are properly installed at your site, the command
- .Ic info tinc
- should give you access to the complete manual.
- .Pp
- .Nm tinc
- comes with ABSOLUTELY NO WARRANTY.
- This is free software, and you are welcome to redistribute it under certain conditions;
- see the file COPYING for details.
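Review bot: this hunk removes the entire tinc.conf(5) manual page and nothing in the diff points at where its content moves, so the only documentation of several security-relevant settings disappears with it: the ReplayWindow entry is the place that warns that a value of 0 disables replay tracking and leaves traffic open to replay-based attacks, and the Cipher and Digest entries are where "none" is documented as turning off packet encryption and authentication entirely. The same goes for StrictSubnets and TunnelServer, whose descriptions explain which Subnet statements and which nodes are trusted. Please either keep the page or state the replacement location in the commit message; tincd(8) is cross-referenced from the SEE ALSO section, so that page's own SEE ALSO should be updated as well if this reference becomes dangling. If the file is retained instead, the visible inconsistencies are worth fixing in the same change: the Proxy "exec" entry lists the variable as REMOTEADDRES while the SCRIPTS section names it REMOTEADDRESS, the Name entry spells the call gethostnname(), and "it's" should be "its" in the HOST CONFIGURATION FILES introduction and the PublicKey entry.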