-.TH TINC 5 "March 1999" "tinc version 0.2.16" "FSF"
+.TH TINC 5 "May 2000" "tinc version 1.0" "FSF"
.SH NAME
tincd.conf \- tinc daemon configuration
.SH "DESCRIPTION"
because it will be so much clearer whom your daemon talks to. Hence,
we will assume that you use it.
.PP
-.SH "PASSPHRASES"
-You should use the \fBgenauth\fR(8) program to generate passphrases.
-with, it accepts a single parameter, which is the number of bits the
-passphrase should be. Its output should be stored in
-\fI/etc/tinc/\fBnn\fI/passphrases/local\fR \-\- where \fBnn\fR stands
-for the network (See under \fBNETWORKS\fR) above.
+.SH "NAMES"
+Each tinc daemon should have a name that is unique in the network which
+it will be part of. The name will be used by other tinc daemons for
+identification. The name has to be declared in the
+\fI/etc/tinc/\fBnn\fI/tinc.conf\fR file.
-Please see the manpage for \fBgenauth\fR to learn more about setting
-up an authentication scheme.
+To make things easy, choose something that will give unique names to
+your tinc daemon(s): hostnames, owner surnames, location.
.PP
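Review bot: The NAMES section should state which characters a name may contain, since the name is used verbatim as a file name under /etc/tinc/nn/hosts/ (see PUBLIC/PRIVATE KEYS below) and is sent to other daemons for identification; without that, readers may pick names with spaces, slashes or dots that will not work as a path component or will be rejected by peers. Suggest adding one sentence giving the accepted character set (whatever the parser actually allows) and noting that the name must match the host configuration file name exactly, including case.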
-.SH "CONFIGURATION"
-The actual configuration of the daemon is done in the file
+.SH "PUBLIC/PRIVATE KEYS"
+You should use \fBtincd --generate-keys\fR to generate public/private
+keypairs. It will generate two keys. The line containing the private
+key should be completely copied to \fI/etc/tinc/\fBnn\fI/tinc.conf\fR
+\-\- where \fBnn\fR stands for the network (See under \fBNETWORKS\fR)
+above. The line containing the public key should be completely copied
+to \fI/etc/tinc/\fBnn\fI/hosts/\fBname\fR \-\- where \fBname\fR stands
+for the name of the tinc daemon (See \fBNAMES\fR).
+.PP
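Review bot: Escape the dashes in the option name: `\fBtincd --generate-keys\fR` should be `\fBtincd \-\-generate\-keys\fR`. In troff an unescaped `-` is rendered as a typographic hyphen on some output devices rather than an ASCII minus, so the option name may not copy and paste into a shell correctly; the very next line of this section already uses `\-\-` for that reason. It would also help to say that the generated keypair is written to the terminal (or to which file), since "It will generate two keys" does not tell the reader where to find the lines to copy.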
+.SH "SERVER CONFIGURATION"
+The server configuration of the daemon is done in the file
\fI/etc/tinc/\fBnn\fI/tincd.conf\fR.
This file consists of comments (lines started with a \fB#\fR) or
readability. If you leave it out, remember to replace it with at least
one space character.
.PP
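Review bot: File name inconsistency: this section still says the server configuration lives in `/etc/tinc/\fBnn\fI/tincd.conf` (unchanged line), while NAMES and PUBLIC/PRIVATE KEYS above say `tinc.conf`, and the FILES entry is changed to `tinc.conf` in this same patch; the NAME line at the top of the page also still reads `tincd.conf`. Pick one (the FILES change suggests `tinc.conf`) and update the remaining occurrences, otherwise a user following this section puts the PrivateKey line into a file the daemon never reads.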
-.SH "VARIABLES"
-.PP
-Here are all valid variables, listed in alphabetical order:
-.TP
-\fBAllowConnect = \fB(\fIyes\fB|\fIno\fB)\fR
-If set to \fIyes\fR, anyone may try to connect to you. If you set this
-to no, no incoming connections will be accepted. This does not affect
-the outgoing connections.
-.TP
-\fBConnectPort = \fIport\fR
-Connect to the upstream host (given with the \fBConnectTo\fR
-directive) on port \fIport\fR. \fIport\fR may be given in decimal
-(default), octal (when preceded by a single zero) or hexadecimal
-(prefixed with \fB0x\fR). \fIport\fR is the port number for both the
-UDP and the TCP (meta) connections.
-.TP
-\fBConnectTo = \fB(\fIIP address\fB|\fIhostname\fB)\fR
-Specifies which host to connect to on startup. If the
-\fBConnectPort\fR variable is omitted, then tinc will try to connect
-to port 655.
-
-If you don't specify a host with \fBConnectTo\fR, tinc won't connect
-at all, and will instead just listen for incoming connections. Only
-the initiator of a tinc VPN should need this.
+Here are all valid variables, listed in alphabetical order. The default
+value, required or optional is given between parentheses.
.TP
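Review bot: Removing AllowConnect leaves no documented way to refuse incoming connections; the deleted text explained that `AllowConnect = no` rejected incoming connections without affecting outgoing ones. If the option is gone, say so explicitly and name the replacement if there is one; if it still exists, keep its entry. Also, "The default value, required or optional is given between parentheses" reads awkwardly; suggest "The default value, or whether the variable is required or optional, is given between parentheses."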
-\fBKeyExpire = \fIs\fR
-The secret (and public) key expires after \fIs\fR seconds. The default
-is 3600 seconds, or one hour.
+\fBConnectTo\fR = <\fIname\fR> (optional)
+Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables
+may be specified, if connecting to the first one fails then tinc will try
+the next one, and so on. The names should be known to this tinc daemon
+(i.e., there should be a host configuration file for the name on the ConnectTo
+line).
-If you make it shorter, a lot of time and bandwidth is spent
-negotiating over the new keys. If you make it longer, you make
-yourself more vulnerable to crackers, because they have more data to
-work with. The best value depends on the speed of the link, and the
-amount of data that goes over it.
-.TP
-\fBListenPort = \fIport\fR
-Listen on local port \fIport\fR. The computer connecting to this
-daemon should use this number as the argument for his
-\fBConnectPort\fR. Again, the default is 655.
-.TP
-\fBMyOwnVPNIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
-The \fInetwork address\fR is the number that the daemon will propagate
-to other daemons on the network when it is identifying itself. Hence
-this will be the file name of the passphrase file that the other end
-expects to find the passphrase in.
+If you don't specify a host with \fBConnectTo\fR, tinc won't connect at all,
+and will instead just listen for incoming connections.
+.TP
+\fBHostnames\fR = <\fIyes|no\fR> (no)
+This option selects whether IP addresses (both real and on the VPN) should
+be resolved. Since DNS lookups are blocking, it might affect tinc's
+efficiency, even stopping the daemon for a few seconds everytime it does
+a lookup if your DNS server is not responding.
-\fImaskbits\fR is the number of bits set to 1 in the netmask part.
+This does not affect resolving hostnames to IP addresses from the
+host configuration files.
+.TP
+\fBInterface\fR = <\fIdevice\fR> (optional)
+If you have more than one network interface in your computer, tinc will by
+default listen on all of them for incoming connections. It is possible to
+bind tinc to a single interface like eth0 or ppp0 with this variable.
.TP
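Review bot: Typo in the Hostnames entry: "everytime" should be "every time". More usefully, the entry warns that blocking DNS lookups can stall the daemon for seconds when the resolver does not respond, but does not say what the resolved names are used for; adding that lets the reader judge whether enabling the option is worth that cost, and makes clear that the default of `no` loses no functionality beyond whatever the names are used for.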
-\fBMyVirtualIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
-This is an alias for \fBMyOwnVPNIP\fR.
+\fBInterfaceIP\fR = <\fIlocal address\fR> (optional)
+If your computer has more than one IP address on a single interface (for example
+if you are running virtual hosts), tinc will by default listen on all of them for
+incoming connections. It is possible to bind tinc to a single IP address with
+this variable. It is still possible to listen on several interfaces at the same
+time though, if they share the same IP address.
.TP
-\fBPassphrases = \fIdirectory\fR
-The directory where tinc will look for passphrases when someone tries
-to cennect. Please see the manpage for \fBgenauth\fR(8) for more
-information about passphrases as used by tinc.
+\fBKeyExpire\fR = <\fIseconds\fR> (3600)
+This option controls the time the encryption keys used to encrypt the data
+are valid. It is common practice to change keys at regular intervals to
+make it even harder for crackers, even though it is thought to be nearly
+impossible to crack a single key.
.TP
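Review bot: The new KeyExpire text drops the guidance the deleted entry gave: a shorter interval costs time and bandwidth renegotiating keys, a longer one means more traffic is protected by a single key, and the right value depends on link speed and traffic volume. Suggest keeping one sentence on that trade-off so the reader knows what changing the value from 3600 actually buys. The clause "even though it is thought to be nearly impossible to crack a single key" can go; the reason to rotate keys is to bound how much traffic is exposed if one key is compromised, not a belief about key cracking.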
-\fBPingTimeout = \fInumber\fR
-The number of seconds of inactivity that tinc will wait before sending
-a probe to the other end. If that other end doesn't answer within that
+\fBName\fR = <\fIname\fR> (required)
+This is the name which identifies this tinc daemon. It must be unique for
+the virtual private network this daemon will connect to.
+.TP
+\fBPingTimeout\fR = <\fIseconds\fR> (5)
+The number of seconds of inactivity that tinc will wait before sending a
+probe to the other end. If that other end doesn't answer within that
same amount of seconds, the connection is terminated, and the others
will be notified of this.
.TP
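Review bot: PingTimeout: as described, the same value is both the idle time before a probe is sent and the time the peer has to answer it, so with the default of 5 a single delayed reply on a slow or congested link terminates the connection and notifies the other daemons. Either warn that 5 seconds is aggressive for high-latency links, or say whether the probe interval and the answer timeout can be set independently.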
-\fBTapDevice = \fIdevice\fR
-The ethertap device to use. Note that you can only use one device per
+\fBPrivateKey\fR = <\fIkey\fR> (required)
+The private RSA key of this tinc daemon. It will allow this tinc daemon to
+authenticate itself to other daemons.
+.TP
+\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
+The ethertap or tun/tap device to use. tinc will automatically detect what
+kind of tapdevice it is.
+Note that you can only use one device per
daemon. The info pages of the tinc package contain more information
-about configuring an ethertap device for linux.
+about configuring an ethertap device for Linux.
.PP
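Review bot: PrivateKey is stored in tinc.conf in the clear, so this entry (or the FILES section) should state that the file must be readable only by the user tincd runs as (for example mode 0600): anyone who can read it can authenticate as this daemon to every peer holding its PublicKey, which is exactly what the entry says the key is for. For TapDevice, "tinc will automatically detect what kind of tapdevice it is" should say how the detection is made, since the tinc-up entry later makes the presence of $IFNAME depend on that outcome.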
+.SH "HOST CONFIGURATION FILES"
+The host configuration files contain all information needed to establish a
+connection to those hosts. A host configuration file is also required for the
+local tinc daemon, it will use it to read in it's listen port, public key and
+subnets.
+
+The idea is that these files are ``portable''. You can safely mail your own host
+configuration file to someone else. That other person can then copy it to his
+own hosts directory, and now his tinc daemon will be able to connect to your
+tinc daemon. Since host configuration files only contain public keys, no secrets
+are revealed by sending out this information.
+.PP
+.TP
+\fBAddress\fR = <\fIIP address\fR> (required)
+The real address or hostname of this tinc daemon.
+.TP
+\fBPort\fR = <\fIport number\fR> (655)
+The port on which this tinc daemon is listening for incoming connections.
+.TP
+\fBPublicKey\fR = <\fIkey\fR> (required)
+The public RSA key of this tinc daemon. It will be used to cryptographically
+verify it's identity and to set up a secure connection.
+.TP
+\fBSubnet\fR = <\fIaddress/masklength\fR> (optional)
+The subnet which this tinc daemon will serve. tinc tries to look up which other
+daemon it should send a packet to by searching the appropiate subnet. If the
+packet matches a subnet, it will be sent to the daemon who has this subnet in his
+host configuration file. Multiple subnet lines can be specified.
+
+At the moment, this directive is only used in the host configuration file of
+the local tinc daemon itself. In upcoming versions of tinc, it will be possible to
+restrict other hosts in which subnets they server.
+
+The subnets must be in a form like \fI192.168.1.0/24\fR, where 192.168.1.0 is the
+network address and 24 is the number of bits set in the netmask. Note that subnets
+like \fI192.168.1.1/24\fR are invalid! Read a networking howto/FAQ/guide if you
+don't understand this.
.SH "FILES"
.TP
\fI/etc/tinc/\fR
The top directory for configuration files.
.TP
-\fI/etc/tinc/\fBnn\fI/tincd.conf\fR
-The default name of the configuration file for net
+\fI/etc/tinc/\fBnn\fI/tinc.conf\fR
+The default name of the server configuration file for net
\fBnn\fR.
.TP
-\fI/etc/tinc/\fBnn\fI/passphrases/\fR
-Passphrases are kept in this directory. (See the section
-\fBPASSPHRASES\fR above).
+\fI/etc/tinc/\fBnn\fI/hosts/\fR
+Host configuration files are kept in this directory.
+.TP
+\fI/etc/tinc/\fBnn\fI/tinc-up\fR
+If an executable file with this name exists, it will be executed
+right after the tinc daemon has connected to the tap device. It can
+be used to ifconfig the network interface.
+
+If the tapdevice is a tun/tap device, the evironment variable
+\fB$IFNAME\fR will be set to the name of the network interface.
+.TP
+\fI/etc/tinc/\fBnn\fI/tinc-down\fR
+If an executable file with this name exists, it will be executed
+right before the tinc daemon is going to close it's connection to the
+tap device.
.PP
.SH "SEE ALSO"
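Review bot: tinc-up and tinc-down are run whenever an executable file of that name exists, so the entries should say with which privileges they run and that /etc/tinc/nn/ must therefore not be writable by untrusted users: whoever can create tinc-up there gets code execution with the daemon's privileges at its next start. Typos: "evironment" should be "environment", "it's connection" should be "its connection". It would also help to state what $IFNAME contains when the device is an ethertap rather than tun/tap (unset, or the TapDevice path?), since a script has to handle both cases.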
-\fBtincd\fR(8), \fBgenauth\fR(8)
+\fBtincd\fR(8)
.TP
\fBhttp://tinc.nl.linux.org/\fR
+.TP
+\fBhttp://www.kernelnotes.org/guides/NAG/\fR
.PP
The full documentation for
.B tinc