which will assign a name to this daemon.
The effect of this is that the daemon will set its configuration
-``root'' to \fI/etc/tinc/\fBnn\fI/\fR, where \fBnn\fR is your argument
+``root'' to \fI/etc/tinc/\fBnetname\fI/\fR, where \fBnetname\fR is your argument
to the \fI-n\fR option. You'll notice that it appears in syslog as
-``tincd.\fBnn\fR''.
+``tincd.\fBnetname\fR''.
However, it is not strictly necessary that you call tinc with the -n
option. In this case, the network name would just be empty, and it
will be used as such. tinc now looks for files in \fI/etc/tinc/\fR,
-instead of \fI/etc/tinc/\fBnn\fI/\fR; the configuration file should be
+instead of \fI/etc/tinc/\fBnetname\fI/\fR; the configuration file should be
\fI/etc/tinc/tinc.conf\fR, and the passphrases are now expected to be
in \fI/etc/tinc/passphrases/\fR.
Each tinc daemon should have a name that is unique in the network which
it will be part of. The name will be used by other tinc daemons for
identification. The name has to be declared in the
-\fI/etc/tinc/\fBnn\fI/tinc.conf\fR file.
+\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR file.
To make things easy, choose something that will give unique and easy
to rememebr names to your tinc daemon(s).
.PP
.SH "PUBLIC/PRIVATE KEYS"
You should use \fBtincd --generate-keys\fR to generate public/private
-keypairs. It will generate two keys. The line containing the private
-key should be completely copied to \fI/etc/tinc/\fBnn\fI/tinc.conf\fR
-\-\- where \fBnn\fR stands for the network (See under \fBNETWORKS\fR)
-above. The line containing the public key should be completely copied
-to \fI/etc/tinc/\fBnn\fI/hosts/\fBname\fR \-\- where \fBname\fR stands
-for the name of the tinc daemon (See \fBNAMES\fR).
+keypairs. It will generate two keys. The private
+key should be stored in a separate file \fI/etc/tinc/\fBnetname\fI/rsa_key.priv\fR
+\-\- where \fBnetname\fR stands for the network (See under \fBNETWORKS\fR)
+above. The public key should be stored in
+the host configuration file \fI/etc/tinc/\fBnetname\fI/hosts/\fBname\fR \-\- where \fBname\fR stands
+for the name of the local tinc daemon (See \fBNAMES\fR).
.PP
.SH "SERVER CONFIGURATION"
The server configuration of the daemon is done in the file
-\fI/etc/tinc/\fBnn\fI/tinc.conf\fR.
+\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR.
This file consists of comments (lines started with a \fB#\fR) or
assignments in the form of
one space character.
.PP
Here are all valid variables, listed in alphabetical order. The default
-value, required or optional is given between parentheses.
+value is given between parentheses.
.TP
-\fBConnectTo\fR = <\fIname\fR> (optional)
+\fBConnectTo\fR = <\fIname\fR>
Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables
may be specified, if connecting to the first one fails then tinc will try
the next one, and so on. The names should be known to this tinc daemon
(i.e., there should be a host configuration file for the name on the ConnectTo
line).
-If you don't specify a host with \fBConnectTo\fR, tinc won't connect at all,
+If you don't specify a host with \fBConnectTo\fR, tinc won't try to connect to other daemons at all,
and will instead just listen for incoming connections.
.TP
\fBHostnames\fR = <\fIyes|no\fR> (no)
This does not affect resolving hostnames to IP addresses from the
host configuration files.
.TP
+\fBInterface\fR = <\fIdevice\fR>
+If you have more than one network interface in your computer, tinc will
+by default listen on all of them for incoming connections. It is
+possible to bind tinc to a single interface like eth0 or ppp0 with this
+variable.
+.TP
+\fBInterfaceIP\fR = <\fIlocal address\fR>
+If your computer has more than one IP address on a single interface (for
+example if you are running virtual hosts), tinc will by default listen
+on all of them for incoming connections. It is possible to bind tinc to
+a single IP address with this variable. It is still possible to listen
+on several interfaces at the same time though, if they share the same IP
+address.
+.TP
\fBKeyExpire\fR = <\fIseconds\fR> (3600)
This option controls the time the encryption keys used to encrypt the data
are valid. It is common practice to change keys at regular intervals to
make it even harder for crackers, even though it is thought to be nearly
impossible to crack a single key.
.TP
-\fBName\fR = <\fIname\fR> (required)
+\fBName\fR = <\fIname\fR> [required]
This is the name which identifies this tinc daemon. It must be unique for
the virtual private network this daemon will connect to.
.TP
-\fBPingTimeout\fR = <\fIseconds\fR> (5)
+\fBPingTimeout\fR = <\fIseconds\fR> (60)
The number of seconds of inactivity that tinc will wait before sending a
probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
.TP
-\fBPrivateKey\fR = <\fIkey\fR>
+\fBPrivateKey\fR = <\fIkey\fR> [obsolete]
The private RSA key of this tinc daemon. It will allow this tinc daemon to
authenticate itself to other daemons.
.TP
-\fBPrivateKeyFile\fR = <\fIfilename\fR>
+\fBPrivateKeyFile\fR = <\fIfilename\fR> [recommended]
The file in which the private RSA key of this tinc daemon resides.
Note that there must be exactly one of \fBPrivateKey\fR or \fBPrivateKeyFile\fR
specified in the configuration file.
.TP
-\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
+\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0 or /dev/net/tun)
The ethertap or tun/tap device to use. tinc will automatically detect what
kind of tapdevice it is.
Note that you can only use one device per
are revealed by sending out this information.
.PP
.TP
-\fBAddress\fR = <\fIIP address\fR> (required)
+\fBAddress\fR = <\fIIP address\fR> [recommended]
The real address or hostname of this tinc daemon.
.TP
+\fBIndirectData\fR = <\fIyes\fR|\fIno\fR> (no) [experimental]
+This option specifies whether other tinc daemons besides the one you
+specified with ConnectTo can make a direct connection to you. This is
+especially useful if you are behind a firewall and it is impossible to
+make a connection from the outside to your tinc daemon. Otherwise, it
+is best to leave this option out or set it to no.
+.TP
\fBPort\fR = <\fIport number\fR> (655)
The port on which this tinc daemon is listening for incoming connections.
.TP
-\fBPublicKey\fR = <\fIkey\fR>
+\fBPublicKey\fR = <\fIkey\fR> [obsolete]
The public RSA key of this tinc daemon. It will be used to cryptographically
verify it's identity and to set up a secure connection.
.TP
-\fBPublicKeyFile\fR = <\fIfilename\fR>
+\fBPublicKeyFile\fR = <\fIfilename\fR> [obsolete]
The file in which the public RSA key of this tinc daemon resides.
-Note that there must be exactly one of \fBPublicKey\fR or \fBPublicKeyFile\fR
-specified in each host configuration file, if you want to be able to establish
-a connection with that host.
-.TP
-\fBSubnet\fR = <\fIaddress/masklength\fR> (optional)
+From version 1.0pre4 on tinc will store the public key directly into the
+host configuration file in PEM format, the above two options then are not
+necessary. Either the PEM format is used, or exactly
+one of the above two options must be specified
+in each host configuration file, if you want to be able to establish a
+connection with that host.
+.TP
+\fBSubnet\fR = <\fIaddress/masklength\fR>
The subnet which this tinc daemon will serve. tinc tries to look up which other
daemon it should send a packet to by searching the appropiate subnet. If the
packet matches a subnet, it will be sent to the daemon who has this subnet in his
network address and 24 is the number of bits set in the netmask. Note that subnets
like \fI192.168.1.1/24\fR are invalid! Read a networking howto/FAQ/guide if you
don't understand this.
+.TP
+\fBTCPonly\fR = <\fIyes\fR|\fIno\fR> (no) [experimental]
+If this variable is set to yes, then the packets are tunnelled over a
+TCP connection instead of a UDP connection. This is especially useful
+for those who want to run a tinc daemon from behind a masquerading
+firewall, or if UDP packet routing is disabled somehow. This is
+experimental code, try this at your own risk. It may not work at all.
+Setting this options also implicitly sets IndirectData.
.SH "FILES"
.TP
\fI/etc/tinc/\fR
The top directory for configuration files.
.TP
-\fI/etc/tinc/\fBnn\fI/tinc.conf\fR
+\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR
The default name of the server configuration file for net
-\fBnn\fR.
+\fBnetname\fR.
.TP
-\fI/etc/tinc/\fBnn\fI/hosts/\fR
+\fI/etc/tinc/\fBnetname\fI/hosts/\fR
Host configuration files are kept in this directory.
.TP
-\fI/etc/tinc/\fBnn\fI/tinc-up\fR
+\fI/etc/tinc/\fBnetname\fI/tinc-up\fR
If an executable file with this name exists, it will be executed
right after the tinc daemon has connected to the tap device. It can
be used to ifconfig the network interface.
If the tapdevice is a tun/tap device, the evironment variable
\fB$IFNAME\fR will be set to the name of the network interface.
.TP
-\fI/etc/tinc/\fBnn\fI/tinc-down\fR
+\fI/etc/tinc/\fBnetname\fI/tinc-down\fR
If an executable file with this name exists, it will be executed
right before the tinc daemon is going to close it's connection to the
tap device.
\input texinfo @c -*-texinfo-*-
-@c $Id: tinc.texi,v 1.8.4.16 2001/05/24 20:24:12 guus Exp $
+@c $Id: tinc.texi,v 1.8.4.17 2001/05/25 10:06:13 guus Exp $
@c %**start of header
@setfilename tinc.info
@settitle tinc Manual
<itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
Wessel Dankers <wsl@@nl.linux.org>.
-$Id: tinc.texi,v 1.8.4.16 2001/05/24 20:24:12 guus Exp $
+$Id: tinc.texi,v 1.8.4.17 2001/05/25 10:06:13 guus Exp $
Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notice and this permission notice are
<itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
Wessel Dankers <wsl@@nl.linux.org>.
-$Id: tinc.texi,v 1.8.4.16 2001/05/24 20:24:12 guus Exp $
+$Id: tinc.texi,v 1.8.4.17 2001/05/25 10:06:13 guus Exp $
Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notice and this permission notice are
@example
mknod -m 600 /dev/tap0 c 36 16
chown 0.0 /dev/tap0
+mknod -m 600 /dev/tap1 c 36 17
+chown 0.0 /dev/tap0
+...
+mknod -m 600 /dev/tap@emph{N} c 36 @emph{N+16}
+chown 0.0 /dev/tap@emph{N}
@end example
-Any further ethertap devices have minor device number 16 through 31.
+There is a maximum of 16 ethertap devices.
If you use the universal TUN/TAP driver, you have to create the
-following device files (unless they already exist):
+following device file (unless it already exist):
@example
mknod -m 600 /dev/tun c 10 200
then the TUN/TAP device will probably be automatically generated as
@file{/dev/net/tun}.
+Unlike the ethertap device, you do not need multiple device files if
+you are planning to run multiple tinc daemons.
+
@c ==================================================================
@node Other files, , Device files, System files
out, remember to replace it with at least one space character.
In this section all valid variables are listed in alphabetical order.
-The default value is given between parentheses; required directives are
-given in @strong{bold}.
+The default value is given between parentheses,
+other comments are between square brackets and
+required directives are given in @strong{bold}.
@menu
* Main configuration variables::
make it even harder for crackers, even though it is thought to be nearly
impossible to crack a single key.
-@item ListenPort = <port> (655)
-@cindex ListenPort
-Listen on local port port. The computer connecting to this daemon should
-use this number as the argument for his ConnectPort.
-
@item @strong{Name = <name>}
@cindex Name
This is a symbolic name for this connection. It can be anything
-@item PingTimeout = <seconds> (5)
+@item PingTimeout = <seconds> (60)
@cindex PingTimeout
The number of seconds of inactivity that tinc will wait before sending a
probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
-@item PrivateKey = <key> (obsolete)
+@item PrivateKey = <key> [obsolete]
@cindex PrivateKey
This is the RSA private key for tinc. However, for safety reasons it is
advised to store private keys of any kind in separate files. This prevents
accidental eavesdropping if you are editting the configuration file.
-@item @strong{PrivateKeyFile = <path>} (recommended)
+@item @strong{PrivateKeyFile = <path>} [recommended]
@cindex PrivateKeyFile
This is the full path name of the RSA private key file that was
generated by ``tincd --generate-keys''. It must be a full path, not a
relative directory.
-@item @strong{TapDevice = <device>} (/dev/tap0)
+@item @strong{TapDevice = <device>} (/dev/tap0 or /dev/net/tun)
@cindex TapDevice
The ethertap device to use. Note that you can only use one device per
daemon. The info pages of the tinc package contain more information
about configuring an ethertap device for Linux.
-@item TCPonly = <yes|no> (no, experimental)
-@cindex TCPonly
-If this variable is set to yes, then the packets are tunnelled over a TCP
-connection instead of a UDP connection. This is especially useful for those
-who want to run a tinc daemon from behind a masquerading firewall, or if
-UDP packet routing is disabled somehow. This is experimental code,
-try this at your own risk.
@end table
@subsection Host configuration variables
@table @asis
-@item @strong{Address = <IP address|hostname>}
+@item @strong{Address = <IP address|hostname>} [recommended]
@cindex Address
This variable is only required if you want to connect to this host. It
must resolve to the external IP address where the host can be reached,
not the one that is internal to the VPN.
-@item IndirectData = <yes|no> (no, experimental)
+@item IndirectData = <yes|no> (no) [experimental]
@cindex IndirectData
This option specifies whether other tinc daemons besides the one you
specified with ConnectTo can make a direct connection to you. This is
by a single zero) o hexadecimal (prefixed with 0x). port is the port
number for both the UDP and the TCP (meta) connections.
-@item PublicKey = <key> (obsolete)
+@item PublicKey = <key> [obsolete]
@cindex PublicKey
This is the RSA public key for this host.
-@item PublicKeyFile = <path> (obsolete)
+@item PublicKeyFile = <path> [obsolete]
@cindex PublicKeyFile
This is the full path name of the RSA public key file that was generated
by ``tincd --generate-keys''. It must be a full path, not a relative
/22. This conforms to standard CIDR notation as described in
@uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519}
-@item TCPonly = <yes|no> (no, experimental)
+@item TCPonly = <yes|no> (no) [experimental]
@cindex TCPonly
If this variable is set to yes, then the packets are tunnelled over a
TCP connection instead of a UDP connection. This is especially useful
for those who want to run a tinc daemon from behind a masquerading
firewall, or if UDP packet routing is disabled somehow. This is
experimental code, try this at your own risk. It may not work at all.
+Setting this options also implicitly sets IndirectData.
@end table
projects / oweals / tinc.git / commitdiff