-.Dd 2014-01-29
+.Dd 2017-09-02
.Dt TINC.CONF 5
.\" Manual page created by:
.\" Ivo Timmermans
.Pp
The effect of this option is that the daemon will set its configuration root to
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ,
-where
+where
.Ar NETNAME
is your argument to the
.Fl n
.Nm tinc
now looks for files in
.Pa @sysconfdir@/tinc/ ,
-instead of
+instead of
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ;
the configuration file should be
.Pa @sysconfdir@/tinc/tinc.conf ,
and the host configuration files are now expected to be in
.Pa @sysconfdir@/tinc/hosts/ .
.Sh NAMES
-Each tinc daemon should have a name that is unique in the network which it will be part of.
+Each tinc daemon must have a name that is unique in the network which it will be part of.
The name will be used by other tinc daemons for identification.
The name has to be declared in the
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
.Sh PUBLIC/PRIVATE KEYS
The
.Nm tinc Li init
-command will have generated both RSA and Ed25519 public/private keypairs.
+command will have generated both RSA and Ed25519 public/private key pairs.
The private keys should be stored in files named
.Pa rsa_key.priv
and
.Pp
The variable names are case insensitive, and any spaces, tabs,
newlines and carriage returns are ignored.
-Note: it is not required that you put in the
+Note: it is not required that you put in the
.Li =
sign, but doing so improves readability.
If you leave it out, remember to replace it with at least one space character.
.Qq any
is selected, then depending on the operating system both IPv4 and IPv6 or just
IPv6 listening sockets will be created.
-.It Va AutoConnect Li = yes | no Po no Pc Bq experimental
+.It Va AutoConnect Li = yes | no Pq yes
If set to yes,
.Nm tinc
will automatically set up meta connections to other nodes,
however the address given with the
.Va BindToAddress
option will also be used for outgoing connections. This is useful if your
-computer has more than one IPv4 or IPv6 address, and you want
+computer has more than one IPv4 or IPv6 address, and you want
.Nm tinc
to only use a specific one for outgoing packets.
.It Va BindToInterface Li = Ar interface Bq experimental
.Pp
If you don't specify a host with
.Va ConnectTo
-and don't enable
+and have disabled
.Va AutoConnect ,
.Nm tinc
won't try to connect to other daemons at all,
Packets are read from and written to this multicast socket.
This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address.
Do NOT connect multiple
-.Nm tinc
+.Nm tinc
daemons to the same multicast address, this will very likely cause routing loops.
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
+.It fd
+Use a file descriptor, given directly as an integer or passed through a unix domain socket.
+On Linux, an abstract socket address can be specified by using "@" as a prefix.
+All packets are read from this interface.
+Packets received for the local node are written to it.
.It uml Pq not compiled in by default
Create a UNIX socket with the filename specified by
.Va Device ,
or
-.Pa @localstatedir@/run/ Ns Ar NETNAME Ns Pa .umlsocket
+.Pa @runstatedir@/ Ns Ar NETNAME Ns Pa .umlsocket
if not specified.
.Nm tinc
will wait for a User Mode Linux instance to connect to this socket.
using the UNIX socket specified by
.Va Device ,
or
-.Pa @localstatedir@/run/vde.ctl
+.Pa @runstatedir@/vde.ctl
if not specified.
.El
Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
to start with a four byte header containing the address family,
followed by an IP header.
This mode should support both IPv4 and IPv6 packets.
+.It utun Pq OS X
+Set type to utun.
+This is only supported on OS X version 10.6.8 and higher, but doesn't require the tuntaposx module.
+This mode should support both IPv4 and IPv6 packets.
.It tap Pq BSD and Linux
Set type to tap.
Tinc will expect packets read from the virtual network device
.Pp
This is the default mode, and unless you really know you need another forwarding mode, don't change it.
.It kernel
-Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
+Incoming packets using the legacy protocol are always sent to the TUN/TAP device,
+even if the packets are not for the local node.
This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
and can also help debugging.
+Incoming packets using the SPTPS protocol are dropped, since they are end-to-end encrypted.
.El
+.It Va FWMark Li = Ar value Po 0 Pc Bq experimental
+When set to a non-zero value, all TCP and UDP sockets created by tinc will use the given value as the firewall mark.
+This can be used for mark-based routing or for packet filtering.
+This option is currently only supported on Linux.
.It Va Hostnames Li = yes | no Pq no
This option selects whether IP addresses (both real and on the VPN) should
be resolved. Since DNS lookups are blocking, it might affect tinc's
If you specified a
.Va Device ,
this variable is almost always already correctly set.
+.It Va InvitationExpire Li = Ar seconds Pq 604800
+This option controls the period invitations are valid.
.It Va KeyExpire Li = Ar seconds Pq 3600
This option controls the period the encryption keys used to encrypt the data are valid.
It is common practice to change keys at regular intervals to make it even harder for crackers,
which normally would prevent the peers from learning each other's LAN address.
.Pp
Currently, local discovery is implemented by sending some packets to the local address of the node during UDP discovery. This will not work with old nodes that don't transmit their local address.
+.It Va LogLevel Li = level Pq 0
+This option controls the verbosity of the logging. The higher the debug level, the more messages it will log.
.It Va MACExpire Li = Ar seconds Pq 600
This option controls the amount of time MAC addresses are kept before they are removed.
This only has effect when
.Va Mode
is set to
.Qq switch .
-.It Va MaxConnectionBurst Li = Ar count Pq 100
+.It Va MaxConnectionBurst Li = Ar count Pq 10
This option controls how many connections tinc accepts in quick succession.
If there are more connections than the given number in a short time interval,
tinc will reduce the number of accepted connections to only one per second,
It must be unique for the virtual private network this daemon will connect to.
.Va Name
may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.
-If
+If
.Va Name
starts with a
.Li $ ,
.It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc
The file in which the private RSA key of this tinc daemon resides.
.It Va ProcessPriority Li = low | normal | high
-When this option is used the priority of the
+When this option is used the priority of the
.Nm tincd
process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN.
reordering. Setting this to zero will disable replay tracking completely and
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic.
+.It Va Sandbox Li = off | normal | high Po normal Pc
+Use process sandbox on some operating systems where it is supported (currently that's OpenBSD).
+Using this directive on other operating systems with levels higher than
+.Ar off
+will cause
+.Nm tincd
+to exit with an error.
+The goal is to limit the impact of possible remote attacks against the
+.Nm tincd
+daemon by running it with lowest privileges necessary for the required features to work.
+The following levels are provided:
+.Bl -tag -width indent
+.It off
+Disable sandbox.
+No restrictions are put on
+.Nm tincd ,
+all functionality works as if this feature did not exist.
+.It normal
+The default level which aims to be safe for most users.
+Adds some level of protection with only minor reductions in functionality.
+For example, executables located in non-standard paths may not be available as
+.Nm tincd
+scripts or
+.Ar exec
+proxies, and configuration reloading may not work for some variables, forcing you to restart
+.Nm tincd
+to apply new settings.
+.It high
+Fully disables
+.Ar exec
+proxies and
+.Nm tincd
+scripts, with the exception of initial
+.Nm tinc-up
+and
+.Nm subnet-up .
+This allows
+.Nm tincd
+to block large parts of operating system interface that may be useful to attackers.
+Strongly consider using this level if you need neither of these features.
+.El
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
.It Va UDPDiscoveryTimeout Li = Ar seconds Pq 30
If tinc doesn't receive any UDP ping replies over the specified interval,
it will assume UDP communication is broken and will fall back to TCP.
+.It Va UDPInfoInterval Li = Ar seconds Pq 5
+The minimum amount of time between sending periodic updates about UDP addresses, which are mostly useful for UDP hole punching.
.It Va UDPRcvBuf Li = Ar bytes Pq 1048576
Sets the socket receive buffer size for the UDP socket, in bytes.
If set to zero, the default buffer size will be used by the operating system.
Sets the socket send buffer size for the UDP socket, in bytes.
If set to zero, the default buffer size will be used by the operating system.
Note: this setting can have a significant impact on performance, especially raw throughput.
+.It Va UPnP Li = yes | udponly | no Po no Pc
+If this option is enabled then tinc will search for UPnP-IGD devices on the local network.
+It will then create and maintain port mappings for tinc's listening TCP and UDP ports.
+If set to "udponly", tinc will only create a mapping for its UDP (data) port, not for its TCP (metaconnection) port.
+Note that tinc must have been built with miniupnpc support for this feature to be available.
+Furthermore, be advised that enabling this can have security implications, because the miniupnpc library that
+tinc uses might not be well-hardened with regard to malicious UPnP replies.
+.It Va UPnPDiscoverWait Li = Ar seconds Pq 5
+The amount of time to wait for replies when probing the local network for UPnP devices.
+.It Va UPnPRefreshPeriod Li = Ar seconds Pq 60
+How often tinc will re-add the port mapping, in case it gets reset on the UPnP device. This also controls the duration of the port mapping itself, which will be set to twice that duration.
.El
.Sh HOST CONFIGURATION FILES
The host configuration files contain all information needed
connection has been established.
.It Va Cipher Li = Ar cipher Pq blowfish
The symmetric cipher algorithm used to encrypt UDP packets.
-Any cipher supported by OpenSSL is recognised.
+Any cipher supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying
.Qq none
will turn off packet encryption.
.It Va Compression Li = Ar level Pq 0
This option sets the level of compression used for UDP packets.
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
-10 (fast lzo) and 11 (best lzo).
+10 (fast lzo), 11 (best lzo), and 12 (lz4).
.It Va Digest Li = Ar digest Pq sha1
The digest algorithm used to authenticate UDP packets.
-Any digest supported by OpenSSL is recognised.
+Any digest supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying
.Qq none
will turn off packet authentication.
.It Va PMTUDiscovery Li = yes | no Po yes Pc
When this option is enabled, tinc will try to discover the path MTU to this node.
After the path MTU has been discovered, it will be enforced on the VPN.
+.It Va MTUInfoInterval Li = Ar seconds Pq 5
+The minimum amount of time between sending periodic updates about relay path MTU. Useful for quickly determining MTU to indirect nodes.
.It Va Port Li = Ar port Pq 655
The port number on which this tinc daemon is listening for incoming connections,
which is used if no port number is specified in an
.Sh SCRIPTS
Apart from reading the server and host configuration files,
tinc can also run scripts at certain moments.
-Under Windows (not Cygwin), the scripts should have the extension
+Below is a list of filenames of scripts and a description of when they are run.
+A script is only run if it exists and if it is executable.
+.Pp
+Scripts are run synchronously;
+this means that tinc will temporarily stop processing packets until the called script finishes executing.
+This guarantees that scripts will execute in the exact same order as the events that trigger them.
+If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background.
+.Pp
+Under Windows, the scripts must have the extension
.Pa .bat
or
-.Pa cmd .
+.Pa .cmd .
.Bl -tag -width indent
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
This is the most important script.
is used).
It should be used to set up the corresponding network interface,
but can also be used to start other things.
+.Pp
Under Windows you can use the Network Connections control panel instead of creating this script.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
This script is started right before the tinc daemon quits (or when the last node becomes unreachable if
.Pp
The scripts are started without command line arguments, but can make use of certain environment variables.
Under UNIX like operating systems the names of environment variables must be preceded by a
-.Li $
+.Li $
in scripts.
Under Windows, in
.Pa .bat
.Pp
Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command
.Nm chmod Li a+x Pa script .
+.Pp
+Here's the list of script configuration variables in alphabetical order.
+.Bl -tag -width indent
+.It Va ScriptsExtension Li = Ar .extension Pq empty
+File extension to use for
+.Nm tincd
+scripts. For example,
+.Ar .py ,
+.Ar .pl ,
+or
+.Ar .rb .
+Please note than it is simply concatenated with the script name and the dot is not added automatically.
+.It Va ScriptsInterpreter Li = Pa /path/to/interpreter Pq empty
+Used as an interpreter for scripts started by
+.Nm tincd
+by prepending it to the start of the command line.
+If the variable is empty (which is the default), scripts are executed directly.
.Sh FILES
The most important files are:
.Bl -tag -width indent
If an executable file with this name exists,
it will be executed right before the tinc daemon is going to close
its connection to the virtual network device.
+.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitations/
+This directory contains outstanding invitations.
+.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitation-data
+After a successful join, this file contains a copy of the invitation data received.
.El
.Sh SEE ALSO
.Xr tincd 8 ,
.Xr tinc 8 ,
-.Pa http://www.tinc-vpn.org/ ,
+.Pa https://www.tinc-vpn.org/ ,
.Pa http://www.tldp.org/LDP/nag2/ .
.Pp
The full documentation for
projects / tinc / blobdiff