December 27th 2014

Version 1.1pre11 released.

  • Added a “network” command to list or switch networks.
  • Switched to Ed25519 keys and the ChaCha-Poly1305 cipher for the new protocol.
  • AutoConnect is now a boolean option, when enabled tinc always tries to keep at least three meta-connections open.
  • The new protocol now uses UDP much more often.
  • Tinc “del” and “get” commands now return a non-zero exit code when they don’t find the requested variable.
  • Updated documentation.
  • Added a “DeviceStandby” option to defer running tinc-up until a working connection is made, and which on Windows will also change the network interface link status accordingly.
  • Tinc now tells the resolver to reload /etc/resolv.conf when it receives SIGALRM.
  • Improved error messages and event loop handling on Windows.
  • LocalDiscovery now uses local address learned from other nodes, and is enabled by default.
  • Added a “BroadcastSubnet” option to change the behavior of broadcast packets in router mode.
  • Added support for dotted quad notation in IPv6 (e.g. ::
  • Improved format of printed Subnets, MAC and IPv6 addresses.
  • Added a “—batch” option to force the tinc CLI to run in non-interactive mode.
  • Improve default Device selection on *BSD and Mac OS X.
  • Allow running tinc without RSA keys.

Thanks to Etienne Dechamps, Sven-Haegar Koch, William A. Kennington III, Baptiste Jonglez, Alexis Hildebrandt, Armin Fisslthaler, Franz Pletz, Alexander Ried and Saverio Proto for their contributions to this version of tinc.

December 22nd 2014

Version 1.0.25 released.

  • Documentation updates.
  • Support linking against -lresolv on Mac OS X.
  • Fix scripts on Windows when using the ScriptsInterpreter option.
  • Allow a minimum reconnect timeout to be specified.
  • Support PriorityInheritance on IPv6 sockets.

Thanks to David Pflug, Baptiste Jonglez, Alexis Hildebrandt, Borg, Jochen Voss, Tomislav Čohar and Vittorio Gambaletta for their contributions to this version of tinc.

May 11th 2014

Version 1.0.24 released.

  • Various compiler hardening flags are enabled by default.
  • Updated support for Solaris, allowing switch mode on Solaris 11.
  • Configuration will now also be read from a conf.d directory.
  • Various updates to the documentation.
  • Tinc now forces glibc to reload /etc/resolv.conf after it receives SIGALRM.
  • Fixed a potential routing loop when IndirectData or TCPOnly is used and broadcast packets are being sent.
  • Improved security with constant time memcmp and stricter use of OpenSSL’s RNG functions.
  • Fixed all issues found by Coverity.

Thanks to Florent Clairambault, Vilbrekin, luckyhacky, Armin Fisslthaler, Loïc Dachary and Steffan Karger for their contributions to this version of tinc.

April 10th 2014

Tinc is not vulnerable to the Heartbleed bug.

The Heartbleed bug (CVE-2014-0160) is a bug in the OpenSSL library that affects any application that is linked to it and is making or accepting TLS connections. Although tinc links to the OpenSSL library, it does not use the TLS protocol, and is therefore not vulnerable.

February 7th 2014

Version 1.1pre10 released.

  • Added a benchmark tool (sptps_speed) for the new protocol.
  • Fixed a crash when using Name = $HOST while $HOST is not set.
  • Use AES-256-GCM for the new protocol.
  • Updated support for Solaris.
  • Allow running tincd without a private ECDSA key present when ExperimentalProtocol is not explicitly set.
  • Enable various compiler hardening flags by default.
  • Added support for a “conf.d” configuration directory.
  • Fix tinc-gui on Windows, also allowing it to connect to a 32-bits tincd when tinc-gui is run in a 64-bits Python environment.
  • Added a “ListenAddress” option, which like BindToAddress adds more listening address/ports, but doesn’t bind to them for outgoing sockets.
  • Make invitations work better when the “invite” and “join” commands are not run interactively.
  • When creating meta-connections to a node for which no Address statement is specified, try to use addresses learned from other nodes.

Thanks to Dennis Joachimsthaler and Florent Clairambault for their contribution to this version of tinc.

October 19th 2013

Version 1.0.23 released.

  • Start authentication immediately on outgoing connections (useful for sslh).
  • Fixed segfault when Name = $HOST but $HOST is not set.
  • Updated the build system and the documentation.
  • Clean up child processes left over from Proxy = exec.

September 8th 2013

Version 1.1pre9 released.

  • The UNIX socket is now created before tinc-up is called.
  • Windows users can now use any extension that is in %PATHEXT% for scripts, not only .bat.
  • Outgoing sockets are bound to the address of the listening sockets again, when there is no ambiguity.
  • Added invitation-created and invitation-accepted scripts.
  • Invited nodes now learn of the Mode and Broadcast settings of the VPN.
  • Joining a VPN with an invitation now also works on Windows.
  • The port number tincd is listening on is now always included in the invitation URL.
  • A running tincd is now correctly informed when a new invitation has been generated.
  • Several bug fixes for the new protocol.
  • Added a test suite.

Thanks to Etienne Dechamps for his contribution to this version of tinc.

August 13th 2013

Version 1.0.22 released.

  • Fixed the combination of Mode = router and DeviceType = tap.
  • The $NAME variable is now set in subnet-up/down scripts.
  • Tinc now gives an error when unknown options are given on the command line.
  • Tinc now correctly handles a space between a short command line option and an optional argument.

Thanks to Etienne Dechamps for his contribution to this version of tinc.

August 13th 2013

Version 1.1pre8 released.

  • ExperimentalProtocol is now enabled by default.
  • Added an invitation protocol that makes it easy to invite new nodes.
  • Added the LocalDiscoveryAddress option to change the broadcast address used to find local nodes.
  • Limit the rate of incoming meta-connections.
  • Many small bug fixes and code cleanups.

Thanks to Etienne Dechamps and Sven-Haegar Koch for their contributions to this version of tinc.

August 4th 2013

Today is exactly 10 years ago that tinc 1.0 was released.

Show full text.

We would have hoped to celebrate this by releasing 1.0.22 and 1.1pre8 today, but this will instead happen in one week.

Tinc 1.1 is close to becoming stable, and I hope to release 1.1.0 before the end of the year. The main features of tinc 1.1 are the improved security over tinc 1.0, and a much nicer interface that makes it very easy to set up new VPNs, and allows you to easily get live information from a running VPN. Tinc 1.1 will also feature an invitation protocol which allows you to easily invite others to join a VPN, by simply giving them an invitation URL that you can create with a simple command. No central servers are involved, invitees will directly connect to your own tinc node to redeem invitations. The invitation protocol will be available in the 1.1pre8 release.

Tinc is the work of many people. For those of you who haven’t read the THANKS file in the source code distribution, here is a list of all the contributors:

Alexander Reil and Gemeinde Berg, Allesandro Gatti, Andreas van Cranenburgh, Anthony G. Basile, Armijn Hemel, Brandon Black, Cheng LI, Cris van Pelt, Darius Jahandarie, Delf Eldkraft, dnk, Enrique Zanardi, Erik Tews, Etienne Dechamps, Flynn Marquardt, Grzegorz Dymarek, Hans Bayle, Ivo Timmermans, Ivo van Dong, James MacLean, Jamie Briggs, Jason Harper, Jeroen Ubbink, Jerome Etienne, Julien Muchembled, Loïc Grenié, Lubomír Bulej, Mads Kiilerich, Marc A. Lehmann, Mark Glines, Markus Goetz, Martin Kihlgren, Martin Schobert, Martin Schürrer, Matias Carrasco, Max Rijevski, Menno Smits, Mesar Hameed, Michael Tokarev, Miles Nordin, Nick Hibma, Nick Patavalis, Paul Littlefield, Philipp Babel, Robert van der Meulen, Rumko, Scott Lamb, Sven-Haegar Koch, Teemu Kiviniemi, Timothy Redaelli, Tonnerre Lombard, Vil Brekin, Wessel Dankers and Wouter van Heyst.

And finally, thank you for using tinc!

You can find older news in the archive.