X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=doc%2Ftinc.texi;h=ca8d46e04ff6188a5747b0d9eaf2a1c1942be06c;hp=44891cd7501a4687f324cd405ea36e398689a668;hb=40f20184d8ce81f65075100983d235f17a1b28d1;hpb=48fb63f9c2bc0b838c1f3684cfc230c143bef11f diff --git a/doc/tinc.texi b/doc/tinc.texi index 44891cd7..ca8d46e0 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -15,7 +15,7 @@ This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. -Copyright @copyright{} 1998-2014 Ivo Timmermans, +Copyright @copyright{} 1998-2016 Ivo Timmermans, Guus Sliepen and Wessel Dankers . @@ -39,7 +39,7 @@ permission notice identical to this one. @vskip 0pt plus 1filll This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. -Copyright @copyright{} 1998-2014 Ivo Timmermans, +Copyright @copyright{} 1998-2016 Ivo Timmermans, Guus Sliepen and Wessel Dankers . @@ -302,9 +302,15 @@ If the @file{net/if_tun.h} header file is missing, install it from the source pa @subsection Configuration of Darwin (Mac OS X) kernels Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel. -Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/}, +OS X version 10.6.8 and later have a built-in tun driver called "utun". +Tinc also supports the driver from @uref{http://tuntaposx.sourceforge.net/}, which supports both tun and tap style devices. +By default, tinc expects the tuntaposx driver to be installed. +To use the utun driver, set add @code{Device = utunX} to @file{tinc.conf}, +where X is the desired number for the utun interface. +You can also omit the number, in which case the first free number will be chosen. + @c ================================================================== @node Configuration of Windows 
@@ -323,24 +329,25 @@ as explained in the rest of the documentation. @cindex requirements @cindex libraries -Before you can configure or build tinc, you need to have the OpenSSL, +Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL, zlib and lzo libraries installed on your system. If you try to configure tinc without having them installed, configure will give you an error message, and stop. @menu -* OpenSSL:: +* LibreSSL/OpenSSL:: * zlib:: * lzo:: @end menu @c ================================================================== -@node OpenSSL -@subsection OpenSSL +@node LibreSSL/OpenSSL +@subsection LibreSSL/OpenSSL +@cindex LibreSSL @cindex OpenSSL For all cryptography-related functions, tinc uses the functions provided -by the OpenSSL library. +by the LibreSSL or the OpenSSL library. If this library is not installed, you will get an error when configuring tinc for build. Support for running tinc with other cryptographic libraries 
@@ -350,21 +357,23 @@ You can use your operating system's package manager to install this if available. Make sure you install the development AND runtime versions of this package. -If you have to install OpenSSL manually, you can get the source code -from @url{http://www.openssl.org/}. Instructions on how to configure, -build and install this package are included within the package. Please -make sure you build development and runtime libraries (which is the +If your operating system comes neither with LibreSSL or OpenSSL, you have to +install one manually. It is recommended that you get the latest version of +LibreSSL from @url{http://www.libressl.org/}. Instructions on how to +configure, build and install this package are included within the package. +Please make sure you build development and runtime libraries (which is the default). -If you installed the OpenSSL libraries from source, it may be necessary +If you installed the LibreSSL or OpenSSL libraries from source, it may be necessary to let configure know where they are, by passing configure one of the ---with-openssl-* parameters. +--with-openssl-* parameters. Note that you even have to use --with-openssl-* if you +are using LibreSSL. @example ---with-openssl=DIR OpenSSL library and headers prefix ---with-openssl-include=DIR OpenSSL headers directory +--with-openssl=DIR LibreSSL/OpenSSL library and headers prefix +--with-openssl-include=DIR LibreSSL/OpenSSL headers directory (Default is OPENSSL_DIR/include) ---with-openssl-lib=DIR OpenSSL library directory +--with-openssl-lib=DIR LibreSSL/OpenSSL library directory (Default is OPENSSL_DIR/lib) @end example 
@@ -892,6 +901,12 @@ to start with a four byte header containing the address family, followed by an IP header. This mode should support both IPv4 and IPv6 packets. +@cindex utun +@item utun (OS X) +Set type to utun. +This is only supported on OS X version 10.6.8 and higher, but doesn't require the tuntaposx module. +This mode should support both IPv4 and IPv6 packets. + @item tap (BSD and Linux) Set type to tap. Tinc will expect packets read from the virtual network device @@ -1137,7 +1152,7 @@ tried until a working connection has been established. @cindex Cipher @item Cipher = <@var{cipher}> (blowfish) The symmetric cipher algorithm used to encrypt UDP packets. -Any cipher supported by OpenSSL is recognized. +Any cipher supported by LibreSSL or OpenSSL is recognized. Furthermore, specifying "none" will turn off packet encryption. It is best to use only those ciphers which support CBC mode. @@ -1156,7 +1171,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), @cindex Digest @item Digest = <@var{digest}> (sha1) The digest algorithm used to authenticate UDP packets. -Any digest supported by OpenSSL is recognized. +Any digest supported by LibreSSL or OpenSSL is recognized. Furthermore, specifying "none" will turn off packet authentication. @cindex IndirectData @@ -2242,7 +2257,7 @@ eavesdroppers cannot get and cannot change any information at all from the packets they can intercept. The encryption algorithm and message authentication algorithm can be changed in the configuration. The length of the message authentication codes is also adjustable. The length of the key for the -encryption algorithm is always the default length used by OpenSSL. +encryption algorithm is always the default length used by LibreSSL/OpenSSL. @menu * Authentication protocol:: 
@@ -2401,7 +2416,7 @@ the MACLength configuration variable. In August 2000, we discovered the existence of a security hole in all versions of tinc up to and including 1.0pre2. This had to do with the way we exchanged keys. Since then, we have been working on a new authentication scheme to make -tinc as secure as possible. The current version uses the OpenSSL library and +tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and uses strong authentication with RSA keys. On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
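Review bot: typo in the new Darwin paragraph (hunk @@ -302): "To use the utun driver, set add @code{Device = utunX}" should read "To use the utun driver, add @code{Device = utunX}". The same paragraph would also be clearer if it said outright that utun is a tun-style driver only; the contrast with tuntaposx, "which supports both tun and tap style devices", is left for the reader to infer, and it decides whether tuntaposx can be dropped on a given setup.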
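Review bot: wording in hunk @@ -323: "by the LibreSSL or the OpenSSL library" reads awkwardly; "by the LibreSSL or OpenSSL library" matches the phrasing used in the Cipher, Digest and security hunks of this same patch.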
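Review bot: grammar in hunk @@ -350: "If your operating system comes neither with LibreSSL or OpenSSL" should be "If your operating system comes with neither LibreSSL nor OpenSSL". The added note that --with-openssl-* is still the right option for LibreSSL is useful and should stay.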
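Review bot: inconsistency between hunk @@ -892 and hunk @@ -302: the Darwin section tells the user to add @code{Device = utunX}, while the new @item utun entry says "Set type to utun", which in this list means the DeviceType variable. The manual should say whether setting Device alone selects the utun driver, whether DeviceType = utun is required, or both; a reader following only one of the two sections will not know. The new item would also benefit from stating the packet format tinc expects on a utun device, as the preceding tun item does with its four byte address family header.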