@section Supported platforms
@cindex platforms
-Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
+Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows,
with various hardware architectures. These are some of the platforms
that are supported by the universal tun/tap device driver or other virtual network device drivers.
Without such a driver, tinc will most
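Review bot: In the Supported platforms sentence, dropping the Cygwin parenthetical leaves plain "Windows" without saying which build is meant, while the only Windows build section this patch keeps is the MinGW one; suggest "Windows (native build, see the MinGW build environment section)" so readers do not go looking for the Cygwin build that this patch removes.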
@menu
* Darwin (MacOS/X) build environment::
-* Cygwin (Windows) build environment::
* MinGW (Windows) build environment::
@end menu
You need to download and install LibreSSL (or OpenSSL) and LZO,
either directly from their websites (see @ref{Libraries}) or using Fink.
-@c ==================================================================
-@node Cygwin (Windows) build environment
-@subsection Cygwin (Windows) build environment
-
-If Cygwin hasn't already been installed, install it directly from
-@uref{https://www.cygwin.com/}.
-
-When tinc is compiled in a Cygwin environment, it can only be run in this environment,
-but all programs, including those started outside the Cygwin environment, will be able to use the VPN.
-It will also support all features.
-
@c ==================================================================
@node MinGW (Windows) build environment
@subsection MinGW (Windows) build environment
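Review bot: Removing the Cygwin node (together with its menu entry in the hunk above) also removes the manual's only statement about Windows feature parity ("It will also support all features"), and nothing equivalent is added to the MinGW section that remains; please say in the MinGW section whether the native build supports all features or list what it lacks. Since the removal touches three separate places in this patch (the platforms list, the build menu, and the scripts paragraph), also grep the rest of the manual for remaining Cygwin mentions so no stray reference survives.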
If you have everything clearly pictured in your mind,
proceed in the following order:
-First, create the initial configuration files and public/private keypairs using the following command:
+First, create the initial configuration files and public/private key pairs using the following command:
@example
tinc -n @var{NETNAME} init @var{NAME}
@end example
@cindex fd
@item fd
-Use a file descriptor.
+Use a file descriptor, given directly as an integer or passed through a unix domain socket.
+On Linux, an abstract socket address can be specified by using "@" as a prefix.
All packets are read from this interface.
Packets received for the local node are written to it.
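Review bot: The literal @ in 'using "@" as a prefix' must be written @@ in Texinfo; as committed, @" is parsed as the umlaut accent command and the rendered text loses the character (write "@@" or @samp{@@}). The same sentence says the descriptor can be "given directly as an integer or passed through a unix domain socket" but not how the two forms are distinguished in the option value, nor how the descriptor is handed over on the socket, so a reader cannot configure either form from this text; one example value for each form would fix that, and "unix" should be "Unix".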
This guarantees that scripts will execute in the exact same order as the events that trigger them.
If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background.
-Under Windows (not Cygwin), the scripts should have the extension @file{.bat} or @file{.cmd}.
+Under Windows, the scripts should have the extension @file{.bat} or @file{.cmd}.
@table @file
@cindex tinc-up
@subsubheading Step 1. Creating initial configuration files.
-The initial directory structure, configuration files and public/private keypairs are created using the following command:
+The initial directory structure, configuration files and public/private key pairs are created using the following command:
@example
tinc -n @var{netname} init @var{name}
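Review bot: The @var names in this example are lowercase (@var{netname}, @var{name}) while the same command in the quick-start hunk above uses @var{NETNAME} and @var{NAME}; pick one case for metasyntactic variables throughout, since Info output renders @var in upper case anyway and the mixed forms read as two different commands.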
@subsubheading Key files
-A, B, C and D all have their own public/private keypairs:
+A, B, C and D all have their own public/private key pairs:
The private RSA key is stored in @file{@value{sysconfdir}/tinc/company/rsa_key.priv},
the private Ed25519 key is stored in @file{@value{sysconfdir}/tinc/company/ed25519_key.priv},
@item Error reading RSA key file `rsa_key.priv': No such file or directory
@itemize
-@item You forgot to create a public/private keypair.
+@item You forgot to create a public/private key pair.
@item Specify the complete pathname to the private key file with the @samp{PrivateKeyFile} option.
@end itemize
@item Got bad/bogus/unauthorized REQUEST from foo (1.2.3.4 port 12345)
@itemize
-@item Node foo does not have the right public/private keypair.
-Generate new keypairs and distribute them again.
+@item Node foo does not have the right public/private key pair.
+Generate new key pairs and distribute them again.
@item An attacker tries to gain access to your VPN.
@item A network error caused corruption of metadata sent from foo.
@end itemize
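Review bot: Under the first cause, "Generate new key pairs and distribute them again" is given without a check, even though the same list names an attacker probing the node as another possible cause; suggest telling the reader to first confirm that the public key this node holds for foo matches foo's own key file, so that keys are only regenerated for a genuine mismatch and not in reaction to a probe.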
@cindex init
@item init [@var{name}]
-Create initial configuration files and RSA and Ed25519 keypairs with default length.
+Create initial configuration files and RSA and Ed25519 key pairs with default length.
If no @var{name} for this node is given, it will be asked for.
@cindex get
@cindex generate-keys
@item generate-keys [@var{bits}]
-Generate both RSA and Ed25519 keypairs (see below) and exit.
+Generate both RSA and Ed25519 key pairs (see below) and exit.
tinc will ask where you want to store the files, but will default to the
configuration directory (you can use the -c or -n option).
@cindex generate-ed25519-keys
@item generate-ed25519-keys
-Generate public/private Ed25519 keypair and exit.
+Generate public/private Ed25519 key pair and exit.
@cindex generate-rsa-keys
@item generate-rsa-keys [@var{bits}]
-Generate public/private RSA keypair and exit. If @var{bits} is omitted, the
+Generate public/private RSA key pair and exit. If @var{bits} is omitted, the
default length will be 2048 bits. When saving keys to existing files, tinc
will not delete the old keys; you have to remove them manually.
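Review bot: "with default length" in the init description and the [@var{bits}] argument to generate-keys apply to the RSA key only: generate-ed25519-keys takes no size argument and generate-rsa-keys is the one that documents the 2048-bit default. Suggest "an RSA key pair with default length and an Ed25519 key pair" for init, and a sentence under generate-keys stating that @var{bits} sets only the RSA key size.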
In those modes every interface should have a unique MAC address, so make sure they are not the same.
Because switch and hub modes rely on MAC addresses to function correctly,
these modes cannot be used on the following operating systems which don't have a `tap' style virtual network device:
-OpenBSD, NetBSD, Darwin and Solaris.
+NetBSD, Darwin and Solaris.
@c ==================================================================
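Review bot: Dropping OpenBSD from the list of systems without a tap-style device is paired with removing the OpenBSD "ifconfig link0" instruction later in this patch, so the manual no longer has any OpenBSD-specific step for switch mode; if this relies on a minimum OpenBSD release that provides a tap device, state that release in the Supported platforms section, because users on an older OpenBSD would otherwise follow the text and get no tap interface.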
like tinc's use of RSA during authentication. We do not know of a security hole
in the legacy protocol of tinc, but it is not as strong as TLS or IPsec.
-This version of tinc comes with an improved protocol, called Simple Peer-to-Peer Security,
-which aims to be as strong as TLS with one of the strongest cipher suites.
+The Sweet32 attack affects versions of tinc prior to 1.0.30.
+
+On September 6th, 2018, Michael Yonly contacted us and provided
+proof-of-concept code that allowed a remote attacker to create an
+authenticated, one-way connection with a node, and also that there was a
+possibility for a man-in-the-middle to force UDP packets from a node to be sent
+in plaintext. The first issue was trivial to exploit on tinc versions prior to
+1.0.30, but the changes in 1.0.30 to mitigate the Sweet32 attack made this
+weakness much harder to exploit. These issues have been fixed in tinc 1.0.35.
+
+This version of tinc comes with an improved protocol, called Simple
+Peer-to-Peer Security (SPTPS), which aims to be as strong as TLS with one of
+the strongest cipher suites. None of the above security issues affected SPTPS.
+However, be aware that SPTPS is only used between nodes running tinc 1.1pre* or
+later, and in a VPN with nodes running different versions, the security might
+only be as good as that of the oldest version.
Cryptography is a hard thing to get right. We cannot make any
guarantees. Time, review and feedback are the only things that can
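Review bot: The added advisory paragraphs leave three things unstated that a reader of this section needs: what Sweet32 is (a birthday-bound attack on 64-bit block ciphers, which is what makes it relevant to the legacy protocol) and whether a 1.0.30 user had to change a setting or only upgrade; what "an authenticated, one-way connection" lets the attacker do in practice; and which release of the 1.1pre* series carries the fix, since this manual documents 1.1 ("nodes running tinc 1.1pre* or later") yet only 1.0.35 is named. If identifiers were assigned for the September 2018 report, reference them here so the advisory can be matched against scanners and distribution bulletins.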
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
@end multitable
-On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
-
-@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
-@item OpenBSD
-@tab @code{ifconfig} @var{interface} @code{link0}
-@end multitable
-
On Linux, it is possible to create a persistent tun/tap interface which will
continue to exist even if tinc quit, although this is normally not required.
It can be useful to set up a tun/tap interface owned by a non-root user, so