tinc

The network is virtual, your privacy is not...




News

May 16th 2007

Version 1.0.8 released.
  • Fixed some memory and resource leaks.
  • Made network sockets non-blocking under Windows.

Jan 5th 2007

Version 1.0.7 released.
  • Fixed a bug that caused slow network speeds on Windows.
  • Fixed a bug that made tinc unable to write packets to the tun device on OpenBSD.

Dec 18th 2006

Version 1.0.6 released.
  • More flexible detection of the LZO libraries when compiling.
  • Fixed a bug where broadcasts in switch and hub modes sometimes would not work anymore when part of the VPN had become disconnected from the rest.

Nov 14th 2006

Version 1.0.5 released.
  • Lots of small fixes.
  • Broadcast packets no longer grow in size with each hop. This should fix switch mode (again).
  • Generic host-up and host-down scripts.
  • Optionally dump graph in graphviz format to a file or a script.
  • Support LZO 2.0 and later.

May 4th 2005

Version 1.0.4 released.
  • Fix switch and hub modes.
  • Optionally start scripts when a Subnet becomes (un)reachable.

Nov 11th 2004

Version 1.0.3 released.
  • Show error message when failing to write a PID file.
  • Ignore spaces at end of lines in config files.
  • Fix handling of late packets.
  • Unify BSD tun/tap device handling. This allows IPv6 on tun devices and anything on tap devices as long as the underlying OS supports it.
  • Handle IPv6 on Solaris tun devices.
  • Allow tinc to work properly under Windows XP SP2.
  • Allow VLAN tagged Ethernet frames in switch and hub mode.
  • Experimental PMTUDiscovery, TunnelServer and BlockingTCP options.

Apr 3rd 2004

The website has moved from nl.linux.org to non-gnu.uvt.nl. From now on we will use our own domain name, tinc-vpn.org, for our website and our email addresses.

Nov 8th 2003

Version 1.0.2 released.
  • Fix address and hostname resolving under Windows.
  • Remove warnings about non-existing scripts and unsupported address families.
  • Use the event logger under Windows.
  • Fix quoting of filenames and command line arguments under Windows.
  • Strict checks for the length of incoming network packets and the return values of cryptographic functions.
  • Fix a bug in metadata handling that made the tinc daemon abort.

Nov 1st 2003

On Saturday, November the 8th, there will be an online tutorial held on IRC. Installation, configuration and practical issues will be discussed.

Sep 26th 2003

Peter Gutmann, a well-known security expert, has done a security analysis of tinc. You can find our response in a new section about security issues.

Aug 14th 2003

Version 1.0.1 released.
  • Allow empty lines in config files.
  • Fix handling of spaces and backslashes in filenames under native Windows.
  • Allow scripts to be executed under native Windows.
  • Fix compiling under OpenBSD.
  • Update documentation, make it less Linux specific.

Aug 4th 2003

Version 1.0 released.
  • Lots of small bugfixes and code cleanups.
  • Throughput doubled and latency reduced.
  • Added LZO compression support.
  • No need to set MAC address or disable ARP anymore.
  • Added support for Windows 2000 and XP, both natively and in a Cygwin environment.

Sep 29th 2002

Package for Debian woody (stable) added to the download page.

Sep 16th 2002

Version 1.0pre8 released.
  • More fixes for subnets with a prefix length not divisible by 8.
  • Added support for NetBSD and MacOS/X.
  • Switched from undirected graphs to directed graphs to avoid certain race conditions and improve scalability.
  • Generalized broadcasting and forwarding of protocol messages.
  • Cleanup of source code.
Again, due to changes in the protocols this version does not work together with older versions.

Apr 25th 2002

RedHat package for tinc 1.0pre7 added to the download page, thanks to Nick Patavalis.

Apr 9th 2002

Version 1.0pre7 released.
  • Don't do blocking read()s when getting a signal.
  • Remove RSA key checking code, since it sometimes thinks perfectly good RSA keys are bad.
  • Fix handling of subnets when the prefix length isn't divisible by 8.
This version features only small bugfixes. It is fully compatible with 1.0pre6.

Mar 27th 2002

Version 1.0pre6 released.
  • Improvement of redundant links:
    • Non-blocking connects.
    • Protocol broadcast messages can no longer go into an infinite loop.
    • Graph algorithm updated to look harder for direct connections.
  • Good support for routing IPv6 packets over the VPN. Works on Linux, FreeBSD, possibly OpenBSD but not on Solaris.
  • Support for tunnels over IPv6 networks. Works on all supported operating systems.
  • Optional compression of UDP connections using zlib.
  • Optionally let UDP connections inherit TOS field of tunneled packets.
  • Optionally start scripts when certain hosts become (un)reachable.
As always, due to changes in the protocols this version does not work together with older versions. Configuration is case insensitive again.

Feb 10th 2002

Version 1.0pre5 released.
  • Security enhancements:
    • Added sequence number and optional message authentication code to the packets.
    • Configurable encryption cipher and digest algorithms.
  • More robust handling of dis- and reconnects.
  • Added a "switch" and a "hub" mode to allow bridging setups.
  • Preliminary support for routing of IPv6 packets.
  • Supports Linux, FreeBSD, OpenBSD and Solaris.
Again, due to large changes in the protocols this version does not work together with older versions. Also, some configuration variables have changed names, most notably you will have to replace TapDevice by Device.

Dec 31st 2001

Jerome Etienne, author of Yavipin, has done a security analysis of tinc. You can read his findings in our mailing list archive or on his homepage. His points are valid, although the higher protocols will protect you against most of the weaknesses. We will further increase tinc's security in the upcoming release.

Jul 21st 2001

Got tinc to work under Solaris 7. For more information see supported platforms.

May 25th 2001

Version 1.0pre4 released.
  • New authentication protocol (better security, and faster too).
  • TCPonly and IndirectData are back (but not fully tested).
  • Documentation revised, it's really up to date with the released package now.
  • tincd -K now stores public/private keys in PEM format, but keys of 1.0pre3 can still be used.
  • Faster and more secure encryption of tunneled packets.
  • Stress-tested to see if it handles large VPNs with more than 100 sites (it does).
Again, due to the large changes in the protocols this version does not work together with older versions. However, you don't have to change the configuration files this time.

Jan 26th 2001

Whee, we have a search page!

Jan 6th 2001

Updated tinc manual to current version. See documentation section.

Nov 25th 2000

Got tinc to work under FreeBSD. For more information see supported platforms.

Nov 12th 2000

New web pages.

Nov 9th 2000

Version 1.0pre3. It's been a while, but it's finally here.
  • The protocol has been redesigned, and although some details are still under discussion, this is secure. Care has been taken to resist most, if not all, attacks.
  • Unfortunately this protocol is not compatible with earlier versions, nor are earlier versions compatible with this version. Because the older protocol has huge security flaws, we feel that not implementing backwards compatibility is justified.
  • Some data about the protocol:
    • It uses public/private RSA keys for authentication (this is the actual fix for the security hole).
    • All cryptographic functions have been taken out of tinc, instead it uses the OpenSSL library functions.
    • Offers support for multiple subnets per tinc daemon.
  • New is also the support for the universal tun/tap device. This means better portability to FreeBSD and Solaris.
  • tinc is tested to compile on Solaris, Linux x86, Linux alpha.
  • tinc now uses the OpenSSL library for cryptographic operations. More information on getting and installing OpenSSL is in the manual. This also means that the GMP library is no longer required.
  • Further, thanks to Enrique Zanardi, we have Spanish messages; Matias Carrasco provided us with a Spanish translation of the manual.

September 10th 2000

Although we (the authors of tinc) have done our best to make tinc as secure as possible, an unfortunate combination of encryption and key exchange techniques has created a hole in at least all versions of tinc >= 0.3, including the current CVS version.

Exploit:

If somebody can intercept the meta protocol to a host that is running a tinc daemon, it is possible to decrypt the passphrase, which can then be used to gain unauthorised access to the VPN, and become a part of it.

Workaround:

Add firewall rules so that only trusted hosts can connect to the tinc daemon.

Fix:

We are currently working on the implementation of a new protocol, with a different authentication scheme. We expect to have a working version in CVS around next weekend; we will release a new version (1.0pre3) when this becomes stable.

Guus Sliepen
Ivo Timmermans

June 3rd 2000

I changed the colours on the web site, hope you'll like them.

May 31st 2000

Version 1.0pre2.
  • This version has been internationalised and a Dutch translation has been included.
  • Two configuration variables have been added:
    • VpnMask - the IP network mask for the entire VPN, not just our subnet (as given by MyVirtualIP). The Redhat and Debian packages use this variable in their system startup scripts, but it is ignored by tinc.
    • Hostnames - if set to `yes', look up the names of IP addresses trying to connect to us. Default set to `no', to prevent lockups during lookups.
  • The system startup scripts for Debian and Redhat use /etc/tinc/nets.boot to find out which networks need to be started during system boot.
  • Fixes to prevent denial of service attacks by sending random data after connecting (and even when the connection has been established), either random garbage or just nonsensical protocol fields.
  • tinc will retry connecting upon startup and does not quit if it doesn't work the first time.
  • Hosts that are disconnected implicitly if we lose a connection get deleted from the internal list, to prevent hogging each other with add and delete requests when the connection is restored.

May 15th 2000

I uploaded a Debian package of version 1.0pre1.

May 11th 2000

Version 1.0pre1. It has a new protocol (this protocol is not compatible with 0.3 versions). An rpm for Redhat Linux is also available, thanks to work from Lubomír Bulej and Mads Kiilerich. The Debian package is delayed. Please test this version, so that the final 1.0 will be rock stable.

May 4th 2000

It's time for some news again. Well, version 1.0pre1 is coming. It has a new protocol (this protocol is not compatible with 0.3 versions). There will be an rpm and deb. Maybe it will even work with FreeBSD, and other architectures. In short: tinc 1.0 will be packed with good stuff.

February 9th 2000

Version 0.3.3. There was a problem when using kernel 2.2.14 or the newer 2.3 kernels, packets would no longer be accepted when using the wrong MAC address. The documentation was also updated.

January 16th 2000

I uploaded my development tree for 0.5 into a Subversion repository; you can read more about how to get it on the Subversion page.


$Id: news.html 292 2007-07-24 17:03:55Z guus $