-This is the README file for tinc version 1.0.8. Installation
+This is the README file for tinc version 1.0.33. Installation
instructions may be found in the INSTALL file.
-tinc is Copyright (C) 1998-2007 by:
+tinc is Copyright (C) 1998-2017 by:
Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>,
that tinc lacks perfect forward security, the connection authentication could
be done more properly, that the sequence number we use as an IV is not the best
practice and that the default length of the HMAC for packets is too short in
-his opinion. We do not know of a way to exploit these weaknesses, but we will
-address these issues in tinc 2.0.
+his opinion. We do not know of a way to exploit these weaknesses, but these
+issues are being addressed in the tinc 1.1 branch.
+
+The Sweet32 attack affects versions of tinc prior to 1.0.30.
Cryptography is a hard thing to get right. We cannot make any
guarantees. Time, review and feedback are the only things that can
prove the security of any cryptographic product. If you wish to review
-tinc or give us feedback, you are stronly encouraged to do so.
+tinc or give us feedback, you are strongly encouraged to do so.
Changes to configuration file format since 1.0pre5
should be changed into "Device", and "Device" should be changed into
"BindToDevice".
+
Compatibility
-------------
-Version 1.0.8 is compatible with 1.0pre8, 1.0 and later, but not with older
-versions of tinc.
+Version 1.0.31 is compatible with 1.0pre8, 1.0 and later, but not with older
+versions of tinc. Note that since version 1.0.30, tinc requires all nodes in
+the VPN to be compiled with a version of LibreSSL or OpenSSL that supports the
+AES256 and SHA256 algorithms.
Requirements
------------
-Since 1.0pre3, we use OpenSSL for all cryptographic functions. So you
-need to install this library first; grab it from
-http://www.openssl.org/. You will need version 0.9.7 or later. If
-this library is not installed on you system, configure will fail. The
-manual in doc/tinc.texi contains more detailed information on how to
-install this library.
+Since 1.0pre3, we use OpenSSL for all cryptographic functions. So you need to
+install this library first; grab it from http://www.openssl.org/. You will
+need version 1.0.1 or later with support for AES256 and SHA256 enabled. If
+this library is not installed on you system, configure will fail. The manual
+in doc/tinc.texi contains more detailed information on how to install this
+library. Alternatively, you may also use LibreSSL.
-Since 1.0pre6, the zlib library is used for optional compression. You need this
-library whether or not you plan to enable the compression. You can find it at
-http://www.gzip.org/zlib/. Because of a possible exploit in earlier versions we
-recommand that you download version 1.1.4 or later.
+Since 1.0pre6, the zlib library is used for optional compression. You can
+find it at http://www.gzip.org/zlib/. Because of a possible exploit in
+earlier versions we recommend that you download version 1.1.4 or later.
-Since 1.0, the lzo library is also used for optional compression. You need this
-library whether or not you plan to enable compression. You can find it at
-http://www.oberhumer.com/opensource/lzo/.
+Since 1.0, the lzo library is also used for optional compression. You can
+find it at http://www.oberhumer.com/opensource/lzo/.
In order to compile tinc, you will need a GNU C compiler environment.
The algorithms used for encryption and generating message authentication codes
can now be changed in the configuration files. All cipher and digest algorithms
supported by OpenSSL can be used. Useful ciphers are "blowfish" (default),
-"bf-ofb", "des", "des3", etcetera. Useful digests are "sha1" (default), "md5",
-etcetera.
+"bf-ofb", "des", "des3", et cetera. Useful digests are "sha1" (default), "md5",
+et cetera.
Support for routing IPv6 packets has been added. Just add Subnet lines with
IPv6 addresses (without using :: abbreviations) and use ifconfig or ip (from
the iproute package) to give the virtual network interface corresponding IPv6
-addresses. tinc does not provide autoconfiguration for IPv6 hosts, if you need
-it use radvd or zebra. Tunneling IPv6 packets only works on Linux, FreeBSD,
-Windows and possibly OpenBSD.
+addresses. tinc does not provide autoconfiguration for IPv6 hosts. Consider
+using radvd or zebra if you need it.
It is also possible to make tunnels to other tinc daemons over IPv6 networks,
if the operating system supports IPv6. tinc will automatically use both IPv6
"AddressFamily = ipv4" or "AddressFamily = ipv6" to the tinc.conf file.
Normally, when started tinc will detach and run in the background. In a native
-Windows environment this means tinc will intall itself as a service, which will
+Windows environment this means tinc will install itself as a service, which will
restart after reboots. To prevent tinc from detaching or running as a service,
use the -D option.
projects / tinc / blobdiff