This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2014 Ivo Timmermans,
+Copyright @copyright{} 1998-2016 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2014 Ivo Timmermans,
+Copyright @copyright{} 1998-2016 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@section Supported platforms
@cindex platforms
-Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
+Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
with various hardware architectures. These are some of the platforms
that are supported by the universal tun/tap device driver or other virtual network device drivers.
Without such a driver, tinc will most
* Configuration of OpenBSD kernels::
* Configuration of NetBSD kernels::
* Configuration of Solaris kernels::
-* Configuration of Darwin (MacOS/X) kernels::
+* Configuration of Darwin (Mac OS X) kernels::
* Configuration of Windows::
@end menu
@c ==================================================================
-@node Configuration of Darwin (MacOS/X) kernels
-@subsection Configuration of Darwin (MacOS/X) kernels
+@node Configuration of Darwin (Mac OS X) kernels
+@subsection Configuration of Darwin (Mac OS X) kernels
Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel.
-Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/},
-which supports both tun and tap style devices,
-and also the driver from from @uref{http://chrisp.de/en/projects/tunnel.html}.
-The former driver is recommended.
-The tunnel driver must be loaded before starting tinc with the following command:
+OS X version 10.6.8 and later have a built-in tun driver called "utun".
+Tinc also supports the driver from @uref{http://tuntaposx.sourceforge.net/},
+which supports both tun and tap style devices.
-@example
-kmodload tunnel
-@end example
+By default, tinc expects the tuntaposx driver to be installed.
+To use the utun driver, set add @code{Device = utunX} to @file{tinc.conf},
+where X is the desired number for the utun interface.
+You can also omit the number, in which case the first free number will be chosen.
@c ==================================================================
@cindex requirements
@cindex libraries
-Before you can configure or build tinc, you need to have the OpenSSL,
+Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL,
zlib and lzo libraries installed on your system. If you try to configure tinc without
having them installed, configure will give you an error message, and stop.
@menu
-* OpenSSL::
+* LibreSSL/OpenSSL::
* zlib::
* lzo::
@end menu
@c ==================================================================
-@node OpenSSL
-@subsection OpenSSL
+@node LibreSSL/OpenSSL
+@subsection LibreSSL/OpenSSL
+@cindex LibreSSL
@cindex OpenSSL
For all cryptography-related functions, tinc uses the functions provided
-by the OpenSSL library.
+by the LibreSSL or the OpenSSL library.
If this library is not installed, you will get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries
available. Make sure you install the development AND runtime versions
of this package.
-If you have to install OpenSSL manually, you can get the source code
-from @url{http://www.openssl.org/}. Instructions on how to configure,
-build and install this package are included within the package. Please
-make sure you build development and runtime libraries (which is the
+If your operating system comes neither with LibreSSL or OpenSSL, you have to
+install one manually. It is recommended that you get the latest version of
+LibreSSL from @url{http://www.libressl.org/}. Instructions on how to
+configure, build and install this package are included within the package.
+Please make sure you build development and runtime libraries (which is the
default).
-If you installed the OpenSSL libraries from source, it may be necessary
+If you installed the LibreSSL or OpenSSL libraries from source, it may be necessary
to let configure know where they are, by passing configure one of the
---with-openssl-* parameters.
+--with-openssl-* parameters. Note that you even have to use --with-openssl-* if you
+are using LibreSSL.
@example
---with-openssl=DIR OpenSSL library and headers prefix
---with-openssl-include=DIR OpenSSL headers directory
+--with-openssl=DIR LibreSSL/OpenSSL library and headers prefix
+--with-openssl-include=DIR LibreSSL/OpenSSL headers directory
(Default is OPENSSL_DIR/include)
---with-openssl-lib=DIR OpenSSL library directory
+--with-openssl-lib=DIR LibreSSL/OpenSSL library directory
(Default is OPENSSL_DIR/lib)
@end example
The documentation that comes along with your distribution will tell you how to do that.
@menu
-* Darwin (MacOS/X) build environment::
+* Darwin (Mac OS X) build environment::
* Cygwin (Windows) build environment::
* MinGW (Windows) build environment::
@end menu
@c ==================================================================
-@node Darwin (MacOS/X) build environment
-@subsection Darwin (MacOS/X) build environment
+@node Darwin (Mac OS X) build environment
+@subsection Darwin (Mac OS X) build environment
-In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
+In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools
from @uref{http://developer.apple.com/tools/macosxtools.html} and
-a recent version of Fink from @uref{http://www.finkproject.org/}.
+preferably a recent version of Fink from @uref{http://www.finkproject.org/}.
After installation use fink to download and install the following packages:
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
followed by an IP header.
This mode should support both IPv4 and IPv6 packets.
+@cindex utun
+@item utun (OS X)
+Set type to utun.
+This is only supported on OS X version 10.6.8 and higher, but doesn't require the tuntaposx module.
+This mode should support both IPv4 and IPv6 packets.
+
@item tap (BSD and Linux)
Set type to tap.
Tinc will expect packets read from the virtual network device
@cindex Name
@item Name = <@var{name}> [required]
This is a symbolic name for this connection.
-The name should consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _).
+The name must consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _).
If Name starts with a $, then the contents of the environment variable that follows will be used.
In that case, invalid characters will be converted to underscores.
If Name is $HOST, but no such environment variable exist,
-the hostname will be read using the gethostnname() system call.
+the hostname will be read using the gethostname() system call.
@cindex PingInterval
@item PingInterval = <@var{seconds}> (60)
@cindex Cipher
@item Cipher = <@var{cipher}> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets.
-Any cipher supported by OpenSSL is recognized.
+Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
@cindex Digest
@item Digest = <@var{digest}> (sha1)
The digest algorithm used to authenticate UDP packets.
-Any digest supported by OpenSSL is recognized.
+Any digest supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication.
@cindex IndirectData
@cindex scripts
Apart from reading the server and host configuration files,
tinc can also run scripts at certain moments.
-Under Windows (not Cygwin), the scripts should have the extension .bat.
+Below is a list of filenames of scripts and a description of when they are run.
+A script is only run if it exists and if it is executable.
+
+Scripts are run synchronously;
+this means that tinc will temporarily stop processing packets until the called script finishes executing.
+This guarantees that scripts will execute in the exact same order as the events that trigger them.
+If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background.
+
+Under Windows (not Cygwin), the scripts must have the extension .bat.
@table @file
@cindex tinc-up
started and has connected to the virtual network device.
It should be used to set up the corresponding network interface,
but can also be used to start other things.
+
Under Windows you can use the Network Connections control panel instead of creating this script.
@cindex tinc-down
packets they can intercept. The encryption algorithm and message authentication
algorithm can be changed in the configuration. The length of the message
authentication codes is also adjustable. The length of the key for the
-encryption algorithm is always the default length used by OpenSSL.
+encryption algorithm is always the default length used by LibreSSL/OpenSSL.
@menu
* Authentication protocol::
In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make
-tinc as secure as possible. The current version uses the OpenSSL library and
+tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and
uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
For IPv4 addresses:
-@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
+@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Linux iproute2
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Solaris
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
-@item Darwin (MacOS/X)
+@item Darwin (Mac OS X)
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Windows
@tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask}
For IPv6 addresses:
-@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
+@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength}
@item FreeBSD
@tab @code{ifconfig} @var{interface} @code{inet6 plumb up}
@item
@tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address}
-@item Darwin (MacOS/X)
+@item Darwin (Mac OS X)
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
@item Windows
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
-@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
+@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item OpenBSD
@tab @code{ifconfig} @var{interface} @code{link0}
@end multitable
It can be useful to set up a tun/tap interface owned by a non-root user, so
tinc can be started without needing any root privileges at all.
-@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
+@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username}
@end multitable
Adding routes to IPv4 subnets:
-@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
+@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface}
@item Linux iproute2
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@item Solaris
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
-@item Darwin (MacOS/X)
-@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
+@item Darwin (Mac OS X)
+@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
@item Windows
@tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address}
@end multitable
Adding routes to IPv6 subnets:
-@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
+@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface}
@item Linux iproute2
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
@item Solaris
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
-@item Darwin (MacOS/X)
-@tab ?
+@item Darwin (Mac OS X)
+@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
@item Windows
@tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
@end multitable
projects / oweals / tinc.git / blobdiff