-.Dd 2002-02-06
+.Dd 2002-04-09
.Dt TINC.CONF 5
.\" Manual page created by:
-.\" Ivo Timmermans <itimmermans@bigfoot.com>
-.\" Guus Sliepen <guus@sliepen.warande.net>
+.\" Ivo Timmermans <ivo@o2w.nl>
+.\" Guus Sliepen <guus@sliepen.eu.org>
.Sh NAME
.Nm tinc.conf
.Nd tinc daemon configuration
Here are all valid variables, listed in alphabetical order.
The default value is given between parentheses.
.Bl -tag -width indent
-.It Va AddressFamily Li = ipv4 | ipv6 | any Po ipv4 Pc Bq experimental
+.It Va AddressFamily Li = ipv4 | ipv6 | any Pq any
This option affects the address family of listening and outgoing sockets.
If
.Qq any
is selected, then depending on the operating system both IPv4 and IPv6 or just
IPv6 listening sockets will be created.
-.Pp
-Mixing IPv4 and IPv6 may not work as desired.
-It's best to choose one address family and use that for all tinc daemons on the VPN.
-.It Va BindToInterface Li = Ar interface Bq experimental
-If your computer has more than one network interface,
+.It Va BindToAddress Li = Ar address Bq experimental
+If your computer has more than one IPv4 or IPv6 address,
.Nm tinc
will by default listen on all of them for incoming connections.
-It is possible to bind only to a single interface with this variable.
+It is possible to bind only to a single address with this variable.
.Pp
This option may not work on all platforms.
-.It Va BindToIP Li = Ar address Bq experimental
-If your computer has more than one IP address on a single interface
-(for example if you are running virtual hosts),
+.It Va BindToInterface Li = Ar interface Bq experimental
+If your computer has more than one network interface,
.Nm tinc
will by default listen on all of them for incoming connections.
-It is possible to bind only to a single IP address with this variable.
-It is still possible to listen on several interfaces at the same time though,
-if they share the same IP address.
+It is possible to bind only to a single interface with this variable.
.Pp
This option may not work on all platforms.
.It Va ConnectTo Li = Ar name
.Nm tinc
won't try to connect to other daemons at all,
and will instead just listen for incoming connections.
-.It Va Device Li = Ar device Po /dev/tap0 or /dev/misc/net/tun Pc
+.It Va Device Li = Ar device Po /dev/tap0 or /dev/net/tun Pc
The virtual network device to use.
.Nm tinc
will automatically detect what kind of device it is.
host configuration files.
.It Va Interface Li = Ar interface
Defines the name of the interface corresponding to the virtual network device.
-Depending on the operating system and the type of device this may or may not actually set the name.
-Currently this option only affects the Linux tun/tap device.
+Depending on the operating system and the type of device this may or may not actually set the name of the interface
+or choose the device corresponding to this interface.
.It Va KeyExpire Li = Ar period Pq 3600
This option controls the period the encryption keys used to encrypt the data are valid.
It is common practice to change keys at regular intervals to make it even harder for crackers,
even though it is thought to be nearly impossible to crack a single key.
+.It Va MACExpire Li = Ar period Pq 600
+This option controls the amount of time MAC addresses are kept before they are removed.
+This only has effect when
+.Va Mode
+is set to
+.Qq switch .
.It Va MaxTimeout Li = Ar period Pq 900
This is the maximum delay before trying to reconnect to other tinc daemons.
.It Va Mode Li = router | switch | hub Pq router
.Va Subnet
variables in the host configuration files will be used to form a routing table.
Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.
+.Pp
+This is the default mode, and unless you really know you need another mode, don't change it.
.It switch
In this mode the MAC addresses of the packets on the VPN will be used to
dynamically create a routing table just like an Ethernet switch does.
Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
at the cost of frequent broadcast ARP requests and routing table updates.
+.Pp
+This mode is primarily useful if you want to bridge Ethernet segments.
.It hub
This mode is almost the same as the switch mode, but instead
every packet will be broadcast to the other daemons
-while no routing table is created.
+while no routing table is managed.
.El
.It Va Name Li = Ar name Bq required
This is the name which identifies this tinc daemon.
will turn off packet encryption.
.It Va Compression Li = Ar level Pq 0
This option sets the level of compression used for UDP packets.
-Possible values are 0 (off), 1 (fast) and any integer up to 9 (best).
+Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
+10 (fast lzo) and 11 (best lzo).
.It Va Digest Li = Ar digest Pq sha1
The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognised.
Furthermore, specifying
.Qq none
will turn off packet authentication.
-.It Va IndirectData Li = yes | no Po no Pc Bq experimental
+.It Va IndirectData Li = yes | no Pq no
This option specifies whether other tinc daemons besides the one you specified with
.Va ConnectTo
can make a direct connection to you.
Either the PEM format is used, or exactly one of the above two options must be specified
in each host configuration file,
if you want to be able to establish a connection with that host.
-.It Va Subnet Li = Ar address Ns Op Li / Ns Ar masklength
+.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength
The subnet which this tinc daemon will serve.
.Nm tinc
tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
.Pp
Subnets can either be single MAC, IPv4 or IPv6 addresses,
in which case a subnet consisting of only that single address is assumed,
-or they can be a IPv4 or IPv6 network address with a masklength.
+or they can be a IPv4 or IPv6 network address with a prefixlength.
Shorthand notations are not supported.
For example, IPv4 subnets must be in a form like 192.168.1.0/24,
where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask.
Read a networking HOWTO/FAQ/guide if you don't understand this.
IPv6 subnets are notated like fec0:0:0:1:0:0:0:0/64.
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
-.It Va TCPOnly Li = yes | no Po no Pc Bq experimental
+.It Va TCPOnly Li = yes | no Pq no
If this variable is set to yes,
then the packets are tunnelled over the TCP connection instead of a UDP connection.
This is especially useful for those who want to run a tinc daemon
from behind a masquerading firewall,
or if UDP packet routing is disabled somehow.
-This is experimental code, try this at your own risk.
-It may not work at all.
Setting this options also implicitly sets IndirectData.
.El
.Sh FILES
projects / tinc / blobdiff