This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2014 Ivo Timmermans,
+Copyright @copyright{} 1998-2016 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2014 Ivo Timmermans,
+Copyright @copyright{} 1998-2016 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@cindex release
For an up to date list of supported platforms, please check the list on
our website:
-@uref{http://www.tinc-vpn.org/platforms/}.
+@uref{https://www.tinc-vpn.org/platforms/}.
@c
@c
@node Configuration of OpenBSD kernels
@subsection Configuration of OpenBSD kernels
-For OpenBSD version 2.9 and higher,
-the tun driver is included in the default kernel configuration.
-There is also a kernel patch from @uref{http://diehard.n-r-g.com/stuff/openbsd/}
-which adds a tap device to OpenBSD which should work with tinc,
-but with recent versions of OpenBSD,
-a tun device can act as a tap device by setting the link0 option with ifconfig.
+Recent versions of OpenBSD come with both tun and tap devices enabled in the default kernel configuration.
@c ==================================================================
For Solaris 8 (SunOS 5.8) and higher,
the tun driver may or may not be included in the default kernel configuration.
If it isn't, the source can be downloaded from @uref{http://vtun.sourceforge.net/tun/}.
-For x86 and sparc64 architectures, precompiled versions can be found at @uref{http://www.monkey.org/~dugsong/fragroute/}.
+For x86 and sparc64 architectures, precompiled versions can be found at @uref{https://www.monkey.org/~dugsong/fragroute/}.
If the @file{net/if_tun.h} header file is missing, install it from the source package.
@subsection Configuration of Darwin (Mac OS X) kernels
Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel.
-Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/},
+OS X version 10.6.8 and later have a built-in tun driver called "utun".
+Tinc also supports the driver from @uref{http://tuntaposx.sourceforge.net/},
which supports both tun and tap style devices.
+By default, tinc expects the tuntaposx driver to be installed.
+To use the utun driver, set add @code{Device = utunX} to @file{tinc.conf},
+where X is the desired number for the utun interface.
+You can also omit the number, in which case the first free number will be chosen.
+
@c ==================================================================
@node Configuration of Windows
@subsection Configuration of Windows
You will need to install the latest TAP-Win32 driver from OpenVPN.
-You can download it from @uref{http://openvpn.sourceforge.net}.
+You can download it from @uref{https://openvpn.net/index.php/open-source/downloads.html}.
Using the Network Connections control panel,
configure the TAP-Win32 network interface in the same way as you would do from the tinc-up script,
as explained in the rest of the documentation.
@cindex requirements
@cindex libraries
-Before you can configure or build tinc, you need to have the OpenSSL,
+Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL,
zlib and lzo libraries installed on your system. If you try to configure tinc without
having them installed, configure will give you an error message, and stop.
@menu
-* OpenSSL::
+* LibreSSL/OpenSSL::
* zlib::
* lzo::
@end menu
@c ==================================================================
-@node OpenSSL
-@subsection OpenSSL
+@node LibreSSL/OpenSSL
+@subsection LibreSSL/OpenSSL
+@cindex LibreSSL
@cindex OpenSSL
For all cryptography-related functions, tinc uses the functions provided
-by the OpenSSL library.
+by the LibreSSL or the OpenSSL library.
If this library is not installed, you will get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries
available. Make sure you install the development AND runtime versions
of this package.
-If you have to install OpenSSL manually, you can get the source code
-from @url{http://www.openssl.org/}. Instructions on how to configure,
-build and install this package are included within the package. Please
-make sure you build development and runtime libraries (which is the
+If your operating system comes neither with LibreSSL or OpenSSL, you have to
+install one manually. It is recommended that you get the latest version of
+LibreSSL from @url{http://www.libressl.org/}. Instructions on how to
+configure, build and install this package are included within the package.
+Please make sure you build development and runtime libraries (which is the
default).
-If you installed the OpenSSL libraries from source, it may be necessary
+If you installed the LibreSSL or OpenSSL libraries from source, it may be necessary
to let configure know where they are, by passing configure one of the
---with-openssl-* parameters.
+--with-openssl-* parameters. Note that you even have to use --with-openssl-* if you
+are using LibreSSL.
@example
---with-openssl=DIR OpenSSL library and headers prefix
---with-openssl-include=DIR OpenSSL headers directory
+--with-openssl=DIR LibreSSL/OpenSSL library and headers prefix
+--with-openssl-include=DIR LibreSSL/OpenSSL headers directory
(Default is OPENSSL_DIR/include)
---with-openssl-lib=DIR OpenSSL library directory
+--with-openssl-lib=DIR LibreSSL/OpenSSL library directory
(Default is OPENSSL_DIR/lib)
@end example
The complete source code of tinc is covered by the GNU GPL version 2.
Since the license under which OpenSSL is distributed is not directly
compatible with the terms of the GNU GPL
-@uref{http://www.openssl.org/support/faq.html#LEGAL2}, we
+@uref{https://www.openssl.org/support/faq.html#LEGAL2}, we
include an exemption to the GPL (see also the file COPYING.README) to allow
everyone to create a statically or dynamically linked executable:
@quotation
Hereby I grant a special exception to the tinc VPN project
-(http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library
-(http://www.openssl.org).
+(https://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library
+(https://www.openssl.org).
Markus F.X.J. Oberhumer
@end quotation
of this package.
If you have to install zlib manually, you can get the source code
-from @url{http://www.gzip.org/zlib/}. Instructions on how to configure,
+from @url{http://www.zlib.net/}. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
default).
of this package.
If you have to install lzo manually, you can get the source code
-from @url{http://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
+from @url{https://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
default).
If you cannot use one of the precompiled packages, or you want to compile tinc
for yourself, you can use the source. The source is distributed under
the GNU General Public License (GPL). Download the source from the
-@uref{http://www.tinc-vpn.org/download/, download page}, which has
-the checksums of these files listed; you may wish to check these with
-md5sum before continuing.
+@uref{https://www.tinc-vpn.org/download/, download page}.
Tinc comes in a convenient autoconf/automake package, which you can just
treat the same as any other package. Which is just untar it, type
@node Darwin (Mac OS X) build environment
@subsection Darwin (Mac OS X) build environment
-In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools
-from @uref{http://developer.apple.com/tools/macosxtools.html} and
-preferably a recent version of Fink from @uref{http://www.finkproject.org/}.
+In order to build tinc on Darwin, you need to install Xcode from @uref{https://developer.apple.com/xcode/}.
+It might also help to install a recent version of Fink from @uref{http://www.finkproject.org/}.
-After installation use fink to download and install the following packages:
-autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
+You need to download and install LibreSSL (or OpenSSL) and LZO,
+either directly from their websites (see @ref{Libraries}) or using Fink.
@c ==================================================================
@node Cygwin (Windows) build environment
@subsection Cygwin (Windows) build environment
If Cygwin hasn't already been installed, install it directly from
-@uref{http://www.cygwin.com/}.
+@uref{https://www.cygwin.com/}.
When tinc is compiled in a Cygwin environment, it can only be run in this environment,
but all programs, including those started outside the Cygwin environment, will be able to use the VPN.
@subsection MinGW (Windows) build environment
You will need to install the MinGW environment from @uref{http://www.mingw.org}.
+You also need to download and install LibreSSL (or OpenSSL) and LZO.
When tinc is compiled using MinGW it runs natively under Windows,
it is not necessary to keep MinGW installed.
followed by an IP header.
This mode should support both IPv4 and IPv6 packets.
+@cindex utun
+@item utun (OS X)
+Set type to utun.
+This is only supported on OS X version 10.6.8 and higher, but doesn't require the tuntaposx module.
+This mode should support both IPv4 and IPv6 packets.
+
@item tap (BSD and Linux)
Set type to tap.
Tinc will expect packets read from the virtual network device
@cindex Name
@item Name = <@var{name}> [required]
This is a symbolic name for this connection.
-The name should consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _).
+The name must consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _).
If Name starts with a $, then the contents of the environment variable that follows will be used.
In that case, invalid characters will be converted to underscores.
If Name is $HOST, but no such environment variable exist,
-the hostname will be read using the gethostnname() system call.
+the hostname will be read using the gethostname() system call.
@cindex PingInterval
@item PingInterval = <@var{seconds}> (60)
tried until a working connection has been established.
@cindex Cipher
-@item Cipher = <@var{cipher}> (blowfish)
+@item Cipher = <@var{cipher}> (aes-256-cbc)
The symmetric cipher algorithm used to encrypt UDP packets.
-Any cipher supported by OpenSSL is recognized.
+Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
10 (fast lzo) and 11 (best lzo).
@cindex Digest
-@item Digest = <@var{digest}> (sha1)
+@item Digest = <@var{digest}> (sha256)
The digest algorithm used to authenticate UDP packets.
-Any digest supported by OpenSSL is recognized.
+Any digest supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication.
@cindex IndirectData
Prefixlength is the number of bits set to 1 in the netmask part; for
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
/22. This conforms to standard CIDR notation as described in
-@uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519}
+@uref{https://www.ietf.org/rfc/rfc1519.txt, RFC1519}
@cindex Subnet weight
A Subnet can be given a weight to indicate its priority over identical Subnets
packets they can intercept. The encryption algorithm and message authentication
algorithm can be changed in the configuration. The length of the message
authentication codes is also adjustable. The length of the key for the
-encryption algorithm is always the default length used by OpenSSL.
+encryption algorithm is always the default length used by LibreSSL/OpenSSL.
@menu
* Authentication protocol::
In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make
-tinc as secure as possible. The current version uses the OpenSSL library and
+tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and
uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
@section Contact information
@cindex website
-Tinc's website is at @url{http://www.tinc-vpn.org/},
+Tinc's website is at @url{https://www.tinc-vpn.org/},
this server is located in the Netherlands.
@cindex IRC
We have an IRC channel on the FreeNode and OFTC IRC networks. Connect to
-@uref{http://www.freenode.net/, irc.freenode.net}
+@uref{https://freenode.net/, irc.freenode.net}
or
-@uref{http://www.oftc.net/, irc.oftc.net}
+@uref{https://www.oftc.net/, irc.oftc.net}
and join channel #tinc.
projects / tinc / blobdiff