1 \input texinfo @c -*-texinfo-*-
2 @c $Id: tinc.texi,v 1.8.4.15 2001/05/19 15:50:51 guus Exp $
11 * tinc: (tinc). The tinc Manual.
14 This is the info manual for tinc, a Virtual Private Network daemon.
16 Copyright @copyright{} 1998-2001 Ivo Timmermans
17 <itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
18 Wessel Dankers <wsl@@nl.linux.org>.
20 $Id: tinc.texi,v 1.8.4.15 2001/05/19 15:50:51 guus Exp $
22 Permission is granted to make and distribute verbatim copies of this
23 manual provided the copyright notice and this permission notice are
24 preserved on all copies.
26 Permission is granted to copy and distribute modified versions of this
27 manual under the conditions for verbatim copying, provided that the
28 entire resulting derived work is distributed under the terms of a
29 permission notice identical to this one.
35 @subtitle Setting up a Virtual Private Network with tinc
36 @author Ivo Timmermans and Guus Sliepen
39 @vskip 0pt plus 1filll
41 Copyright @copyright{} 1998-2001 Ivo Timmermans
42 <itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
43 Wessel Dankers <wsl@@nl.linux.org>.
45 $Id: tinc.texi,v 1.8.4.15 2001/05/19 15:50:51 guus Exp $
47 Permission is granted to make and distribute verbatim copies of this
48 manual provided the copyright notice and this permission notice are
49 preserved on all copies.
51 Permission is granted to copy and distribute modified versions of this
52 manual under the conditions for verbatim copying, provided that the
53 entire resulting derived work is distributed under the terms of a
54 permission notice identical to this one.
58 @c ==================================================================
59 @node Top, Introduction, (dir), (dir)
62 * Introduction:: Introduction
63 * Installing tinc - preparations::
64 * Installing tinc - installation::
67 * Technical information::
69 * Concept Index:: All used terms explained
75 @c ==================================================================
76 @node Introduction, Installing tinc - preparations, Top, Top
80 tinc is a Virtual Private Network (VPN) daemon that uses tunneling and
81 encryption to create a secure private network between hosts on the
84 Because the tunnel appears to the IP level network code as a normal
85 network device, there is no need to adapt any existing software.
87 This tunneling allows VPN sites to share information with each other
88 over the Internet without exposing any information to others.
90 This document is the manual for tinc. Included are chapters on how to
91 configure your computer to use tinc, as well as the configuration
92 process of tinc itself.
95 * VPNs:: Virtual Private Networks in general
97 * Supported platforms::
100 @c ==================================================================
101 @node VPNs, tinc, Introduction, Introduction
102 @section Virtual Private Networks
105 A Virtual Private Network or VPN is a network that can only be accessed
106 by a few elected computers that participate. This goal is achievable in
107 more than just one way.
110 Private networks can consist of a single stand-alone ethernet LAN. Or
111 even two computers hooked up using a null-modem cable. In these cases,
113 obvious that the network is @emph{private}, no one can access it from the
114 outside. But if your computers are linked to the internet, the network
115 is not private anymore, unless one uses firewalls to block all private
116 traffic. But then, there is no way to send private data to trusted
117 computers on the other end of the internet.
120 This problem can be solved by using @emph{virtual} networks. Virtual
121 networks can live on top of other networks, but they use encapsulation to
122 keep using their private address space so they do not interfere with
123 each other. Mostly, virtual networks appear like a singe LAN, even though
124 they can span the entire world. But virtual networks can't be secured
125 by using firewalls, because the traffic that flows through it has to go
126 through the internet, where other people can look at it.
128 When one introduces encryption, we can form a true VPN. Other people may
129 see encrypted traffic, but if they don't know how to decipher it (they
130 need to know the key for that), they cannot read the information that flows
131 through the VPN. This is what tinc was made for.
134 tinc uses normal IP datagrams to encapsulate data that goes over the VPN
135 network link. In this case it's also clear that the network is
136 @emph{virtual}, because no direct network link has to exist between to
139 As is the case with either type of VPN, anybody could eavesdrop. Or
140 worse, alter data. Hence it's probably advisable to encrypt the data
141 that flows over the network.
144 @c ==================================================================
145 @node tinc, Supported platforms, VPNs, Introduction
150 I really don't quite remember what got us started, but it must have been
151 Guus' idea. He wrote a simple implementation (about 50 lines of C) that
152 used the @emph{ethertap} device that Linux knows of since somewhere
153 about kernel 2.1.60. It didn't work immediately and he improved it a
154 bit. At this stage, the project was still simply called @samp{vpnd}.
156 Since then, a lot has changed---to say the least.
159 tinc now supports encryption, it consists of a single daemon (tincd) for
160 both the receiving and sending end, it has become largely
161 runtime-configurable---in short, it has become a full-fledged
162 professional package.
164 A lot can---and will be---changed. We have a number of things that we would like to
165 see in the future releases of tinc. Not everything will be available in
166 the near future. Our first objective is to make tinc work perfectly as
167 it stands, and then add more advanced features.
169 Meanwhile, we're always open-minded towards new ideas. And we're
173 @c ==================================================================
174 @node Supported platforms, , tinc, Introduction
175 @section Supported platforms
177 tinc has been verified to work under Linux, FreeBSD and Solaris, with
178 various hardware architectures. These are the three platforms
179 that are supported by the universial TUN/TAP device driver, so if
180 support for other operating systems is added to this driver, perhaps
181 tinc will run on them as well. Without this driver, tinc will most
182 likely compile and run, but it will not be able to send or receive data
185 The official release only truly supports Linux.
186 For an up to date list of supported platforms, please check the list on
188 @uref{http://tinc.nl.linux.org/platforms.html}.
191 @c ==================================================================
194 tinc was first written for Linux running on an intel x86 processor, so
195 this is the best supported platform. The protocol however, and actually
196 anything about tinc, has been rewritten to support random byte ordering
197 and arbitrary word length. So in theory it should run on other
198 processors that Linux runs on. It has already been verified to run on
199 alpha and sparc processors as well.
201 tinc uses the ethertap device or the universal TUN/TAP driver. The former is provided in the standard kernel
202 from version 2.1.60 up to 2.3.x, but has been replaced in favour of the TUN/TAP driver in kernel versions 2.4.0 and later.
205 @c ==================================================================
208 tinc on FreeBSD relies on the universial TUN/TAP driver for its data
209 acquisition from the kernel. Therefore, tinc works on the same platforms
210 as this driver. These are: FreeBSD 3.x, 4.x, 5.x.
213 @c ==================================================================
216 tinc on Solaris relies on the universial TUN/TAP driver for its data
217 acquisition from the kernel. Therefore, tinc works on the same platforms
218 as this driver. These are: Solaris, 2.1.x.
227 @c Preparing your system
234 @c ==================================================================
235 @node Installing tinc - preparations, Installing tinc - installation, Introduction, Top
236 @chapter Installing tinc: preparations
238 This chapter contains information on how to prepare your system to
242 * Configuring the kernel::
247 @c ==================================================================
248 @node Configuring the kernel, Libraries, Installing tinc - preparations, Installing tinc - preparations
249 @section Configuring the kernel
251 If you are running Linux, chances are good that your kernel already supports
252 all the devices that tinc needs for proper operation. For example, the
253 standard kernel from Redhat Linux already has support for ethertap and netlink
254 compiled in. Debian users can use the modconf utility to select the modules.
255 If your Linux distribution supports this method of selecting devices, look out
256 for something called `ethertap', and `netlink_dev' if it is using a kernel
257 version prior to 2.4.0. In that case you will need both these devices. If you
258 are using kernel 2.4.0 or later, you need to select `tun'.
260 If you can install these devices in a similar manner, you may skip this
264 * Configuration of the Linux kernel::
265 * Configuration of the FreeBSD kernel::
266 * Configuration of the Solaris kernel::
270 @c ==================================================================
271 @node Configuration of the Linux kernel, Configuration of the FreeBSD kernel, Configuring the kernel, Configuring the kernel
272 @subsection Configuring the Linux kernel
274 First of all, a kernel version of 2.1.60 or higher is @emph{required}.
276 If you are unfamiliar with the process of configuring and compiling a
277 new kernel, you should read the
278 @uref{http://howto.linuxberg.com/LDP/HOWTO/Kernel-HOWTO.html, Kernel
279 HOWTO} first. Do that now!
281 Here are the options you have to turn on when configuring a new kernel.
283 For kernels 2.1.60 up to 2.4.0:
286 Code maturity level options
287 [*] Prompt for development and/or incomplete code/drivers
289 [*] Kernel/User netlink socket
290 <M> Netlink device emulation
291 Network device support
292 <M> Ethertap network tap
295 If you want to run more than one instance of tinc or other programs that use
296 the ethertap, you have to compile the ethertap driver as a module, otherwise
297 you can also choose to compile it directly into the kernel.
299 If you decide to build any of these as dynamic kernel modules, it's a good idea
300 to add these lines to @file{/etc/modules.conf}:
303 alias char-major-36 netlink_dev
305 options tap0 -o tap0 unit=0
307 options tap1 -o tap1 unit=1
310 Add more alias/options lines if necessary.
312 For kernels 2.4.0 and higher:
315 Code maturity level options
316 [*] Prompt for development and/or incomplete code/drivers
317 Network device support
318 <M> Universal TUN/TAP device driver support
321 It's not necessary to compile this driver as a module, even if you are going to
322 run more than one instance of tinc.
324 If you have an early 2.4 kernel, you can choose both the TUN/TAP driver and the
325 `Ethertap network tap' device. This latter is marked obsolete, and chances are
326 that it won't even function correctly anymore. Make sure you select the
327 universal TUN/TAP driver.
329 If you decide to build the TUN/TAP driver as a kernel module, add these lines
330 to @file{/etc/modules.conf}:
333 alias char-major-10-200 tun
337 @c ==================================================================
338 @node Configuration of the FreeBSD kernel, Configuration of the Solaris kernel, Configuration of the Linux kernel, Configuring the kernel
339 @subsection Configuring the FreeBSD kernel
341 This section will contain information on how to configure your FreeBSD
342 kernel to support the universal TUN/TAP device. For 5.0 and 4.1
343 systems, this is included in the kernel configuration, for earlier
344 systems (4.0 and 3.x), you need to install the universal TUN/TAP driver
347 Unfortunately somebody still has to write the text.
350 @c ==================================================================
351 @node Configuration of the Solaris kernel, , Configuration of the FreeBSD kernel, Configuring the kernel
352 @subsection Configuring the Solaris kernel
354 This section will contain information on how to configure your Solaris
355 kernel to support the universal TUN/TAP device. You need to install
356 this driver yourself.
358 Unfortunately somebody still has to write the text.
361 @c ==================================================================
362 @node Libraries, , Configuring the kernel, Installing tinc - preparations
366 Before you can configure or build tinc, you need to have the OpenSSL
367 library installed on your system. If you try to configure tinc without
368 having installed it, configure will give you an error message, and stop.
375 @c ==================================================================
376 @node OpenSSL, , Libraries, Libraries
380 For all cryptography-related functions, tinc uses the functions provided
381 by the OpenSSL library.
383 If this library is not installed, you wil get an error when configuring
384 tinc for build. Support for running tinc without having OpenSSL
385 installed @emph{may} be added in the future.
387 You can use your operating system's package manager to install this if
388 available. Make sure you install the development AND runtime versions
391 If you have to install OpenSSL manually, you can get the source code
392 from @url{http://www.openssl.org/}. Instructions on how to configure,
393 build and install this package are included within the package. Please
394 make sure you build development and runtime libraries (which is the
397 If you installed the OpenSSL libraries from source, it may be necessary
398 to let configure know where they are, by passing configure one of the
399 --with-openssl-* parameters.
402 --with-openssl=DIR OpenSSL library and headers prefix
403 --with-openssl-include=DIR OpenSSL headers directory
404 (Default is OPENSSL_DIR/include)
405 --with-openssl-lib=DIR OpenSSL library directory
406 (Default is OPENSSL_DIR/lib)
410 @subsubheading License
412 Since the license under which OpenSSL is distributed is not directly
413 compatible with the terms of the GNU GPL
414 @uref{http://www.openssl.org/support/faq.html#LEGAL2}, therefore we
415 include an addition to the GPL (see also the file COPYING.README):
418 This program is released under the GPL with the additional exemption
419 that compiling, linking, and/or using OpenSSL is allowed. You may
420 provide binary packages linked to the OpenSSL libraries, provided that
421 all other requirements of the GPL are met.
434 @c ==================================================================
435 @node Installing tinc - installation, Configuring tinc, Installing tinc - preparations, Top
436 @chapter Installing tinc: installation
438 If you use Redhat or Debian, you may want to install one of the
439 precompiled packages for your system. These packages are equipped with
440 system startup scripts and sample configurations.
442 If you don't run either of these systems, or you want to compile tinc
443 for yourself, you can use the source. The source is distributed under
444 the GNU General Public License (GPL). Download the source from the
445 @uref{http://tinc.nl.linux.org/download.html, download page}, which has
446 the checksums of these files listed; you may wish to check these with
447 md5sum before continuing.
449 tinc comes in a convenient autoconf/automake package, which you can just
450 treat the same as any other package. Which is just untar it, type
451 `configure' and then `make'.
453 More detailed instructions are in the file @file{INSTALL}, which is
454 included in the source distribution.
463 @c ==================================================================
464 @node Building tinc, System files, Installing tinc - installation, Installing tinc - installation
465 @section Building tinc
467 Detailed instructions on configuring the source and building tinc can be
468 found in the file called @file{INSTALL}.
471 @c ==================================================================
472 @node System files, Interfaces, Building tinc, Installing tinc - installation
473 @section System files
475 Before you can run tinc, you must make sure you have all the needed
476 files on your system.
484 @c ==================================================================
485 @node Device files, Other files, System files, System files
486 @subsection Device files
488 First, you'll need the special device file(s) that form the interface
489 between the kernel and the daemon.
491 The permissions for these files have to be such that only the super user
492 may read/write to this file. You'd want this, because otherwise
493 eavesdropping would become a bit too easy. This does, however, imply
494 that you'd have to run tincd as root.
496 If you use Linux and have a kernel version prior to 2.4.0, you have to make the
500 mknod -m 600 /dev/tap0 c 36 16
504 Any further ethertap devices have minor device number 16 through 31.
506 If you use the universal TUN/TAP driver, you have to create the
507 following device files (unless they already exist):
510 mknod -m 600 /dev/tun c 10 200
514 If you use Linux, and you run the new 2.4 kernel using the devfs filesystem,
515 then the TUN/TAP device will probably be automatically generated as
519 @c ==================================================================
520 @node Other files, , Device files, System files
521 @subsection Other files
523 @subsubheading @file{/etc/networks}
525 You may add a line to @file{/etc/networks} so that your VPN will get a
526 symbolic name. For example:
532 @subsubheading @file{/etc/services}
534 You may add this line to @file{/etc/services}. The effect is that you
535 may supply a @samp{tinc} as a valid port number to some programs. The
536 number 655 is registered with the IANA.
541 # Ivo Timmermans <itimmermans@@bigfoot.com>
545 @c ==================================================================
546 @node Interfaces, , System files, Installing tinc - installation
549 Before you can start transmitting data over the tinc tunnel, tinc must
550 set up the ethertap network devices.
552 First, decide which IP addresses you want to have associated with these
553 devices, and what network mask they must have. You also need these
554 numbers when you are going to configure tinc itself. @xref{Configuring
557 tinc will open an ethertap device or TUN/TAP device, which will also
558 create a network interface called `tap0', `tap1' etc. if you are using
559 the ethertap driver, or a network interface with the same name as NETNAME
560 if you are using the universal TUN/TAP driver.
562 You can configure that device by putting ordinary ifconfig, route, and other commands
563 to a script named @file{/etc/tinc/NETNAME/tinc-up}. When tinc starts, this script
564 will be executed. When tinc exits, it will execute the script named
565 @file{/etc/tinc/NETNAME/tinc-down}, but normally you don't need to create that script.
567 An example @file{tinc-up} script when using the TUN/TAP driver:
570 ifconfig $NETNAME hw ether fe:fd:00:00:00:00
571 ifconfig $NETNAME @emph{xx}.@emph{xx}.@emph{xx}.@emph{xx} netmask @emph{mask}
572 ifconfig $NETNAME -arp
576 @cindex hardware address
577 The first line sets up the MAC address of the network interface.
578 Due to the nature of how ethernet and tinc work, it has to be set to fe:fd:00:00:00:00.
579 (tinc versions prior to 1.0pre3 required that the MAC address matched the IP address.)
580 You can use the environment variable $NETNAME to get the name of the interface.
581 If you are using the ethertap driver however, you need to replace it with tap@emph{n},
582 corresponding to the device file name.
585 The next line gives the interface an IP address and a netmask.
586 The kernel will also automatically add a route to this interface, so normally you don't need
587 to add route commands to the @file{tinc-up} script.
588 The kernel will also bring the interface up after this command.
590 The netmask is the mask of the @emph{entire} VPN network, not just your
594 The last line tells the kernel not to use ARP on that interface.
595 Again this has to do with how ethernet and tinc work. Don't forget to add this line.
609 @c ==================================================================
610 @node Configuring tinc, Running tinc, Installing tinc - installation, Top
611 @chapter Configuring tinc
614 * Multiple networks::
615 * How connections work::
616 * Configuration file::
620 @c ==================================================================
621 @node Multiple networks, How connections work, Configuring tinc, Configuring tinc
622 @section Multiple networks
626 It is perfectly OK for you to run more than one tinc daemon.
627 However, in its default form, you will soon notice that you can't use
628 two different configuration files without the -c option.
630 We have thought of another way of dealing with this: network names. This
631 means that you call tincd with the -n argument, which will assign a name
634 The effect of this is that the daemon will set its configuration
635 ``root'' to /etc/tinc/nn/, where nn is your argument to the -n
636 option. You'll notice that it appears in syslog as ``tinc.nn''.
638 However, it is not strictly necessary that you call tinc with the -n
639 option. In this case, the network name would just be empty, and it will
640 be used as such. tinc now looks for files in /etc/tinc/, instead of
641 /etc/tinc/nn/; the configuration file should be /etc/tinc/tinc.conf,
642 and the passphrases are now expected to be in /etc/tinc/passphrases/.
644 But it is highly recommended that you use this feature of tinc, because
645 it will be so much clearer whom your daemon talks to. Hence, we will
646 assume that you use it.
649 @c ==================================================================
650 @node How connections work, Configuration file, Multiple networks, Configuring tinc
651 @section How connections work
653 Before going on, first a bit on how tinc sees connections.
655 When tinc starts up, it reads in the configuration file and parses the
656 command-line options. If it sees a `ConnectTo' value in the file, it
657 will try to connect to it, on the given port. If this fails, tinc exits.
660 @c ==================================================================
661 @node Configuration file, Example, How connections work, Configuring tinc
662 @section Configuration file
664 The actual configuration of the daemon is done in the file
665 @file{/etc/tinc/nn/tinc.conf}.
667 This file consists of comments (lines started with a #) or assignments
674 The variable names are case insensitive, and any spaces, tabs, newlines
675 and carriage returns are ignored. Note: it is not required that you put
676 in the `=' sign, but doing so improves readability. If you leave it
677 out, remember to replace it with at least one space character.
679 In this section all valid variables are listed in alphabetical order.
680 The default value is given between parentheses; required directives are
681 given in @strong{bold}.
684 * Main configuration variables::
685 * Host configuration variables::
690 @c ==================================================================
691 @node Main configuration variables, Host configuration variables, Configuration file, Configuration file
692 @subsection Main configuration variables
695 @item @strong{ConnectTo = <name>}
696 Specifies which host to connect to on startup. Multiple ConnectTo
697 variables may be specified, if connecting to the first one fails then
698 tinc will try the next one, and so on. It is possible to specify
699 hostnames for dynamic IP addresses (like those given on dyndns.org),
700 tinc will not cache the resolved IP address.
702 If you don't specify a host with ConnectTo, regardless of whether a
703 value for ConnectPort is given, tinc won't connect at all, and will
704 instead just listen for incoming connections.
706 @item Hostnames = <yes|no> (no)
707 This option selects whether IP addresses (both real and on the VPN)
708 should be resolved. Since DNS lookups are blocking, it might affect
709 tinc's efficiency, even stopping the daemon for a few seconds everytime
710 it does a lookup if your DNS server is not responding.
712 This does not affect resolving hostnames to IP addresses from the
715 @item Interface = <device>
716 If you have more than one network interface in your computer, tinc will
717 by default listen on all of them for incoming connections. It is
718 possible to bind tinc to a single interface like eth0 or ppp0 with this
721 @item InterfaceIP = <local address>
722 If your computer has more than one IP address on a single interface (for
723 example if you are running virtual hosts), tinc will by default listen
724 on all of them for incoming connections. It is possible to bind tinc to
725 a single IP address with this variable. It is still possible to listen
726 on several interfaces at the same time though, if they share the same IP
729 @item KeyExpire = <seconds> (3600)
730 This option controls the time the encryption keys used to encrypt the data
731 are valid. It is common practice to change keys at regular intervals to
732 make it even harder for crackers, even though it is thought to be nearly
733 impossible to crack a single key.
735 @item ListenPort = <port> (655)
736 Listen on local port port. The computer connecting to this daemon should
737 use this number as the argument for his ConnectPort.
739 @item @strong{Name = <name>}
740 This is a symbolic name for this connection. It can be anything
742 @item PingTimeout = <seconds> (5)
743 The number of seconds of inactivity that tinc will wait before sending a
744 probe to the other end. If that other end doesn't answer within that
745 same amount of seconds, the connection is terminated, and the others
746 will be notified of this.
748 @item PrivateKey = <key> (obsolete)
749 This is the RSA private key for tinc. However, for safety reasons it is
750 advised to store private keys of any kind in separate files. This prevents
751 accidental eavesdropping if you are editting the configuration file.
753 @item @strong{PrivateKeyFile = <path>} (recommended)
754 This is the full path name of the RSA private key file that was
755 generated by ``tincd --generate-keys''. It must be a full path, not a
758 @item @strong{TapDevice = <device>} (/dev/tap0)
759 The ethertap device to use. Note that you can only use one device per
760 daemon. The info pages of the tinc package contain more information
761 about configuring an ethertap device for Linux.
763 @item TCPonly = <yes|no> (no, experimental)
764 If this variable is set to yes, then the packets are tunnelled over a TCP
765 connection instead of a UDP connection. This is especially useful for those
766 who want to run a tinc daemon from behind a masquerading firewall, or if
767 UDP packet routing is disabled somehow. This is experimental code,
768 try this at your own risk.
772 @c ==================================================================
773 @node Host configuration variables, How to configure, Main configuration variables, Configuration file
774 @subsection Host configuration variables
777 @item @strong{Address = <IP address|hostname>}
778 This variable is only required if you want to connect to this host. It
779 must resolve to the external IP address where the host can be reached,
780 not the one that is internal to the VPN.
782 @item IndirectData = <yes|no> (no, experimental)
783 This option specifies whether other tinc daemons besides the one you
784 specified with ConnectTo can make a direct connection to you. This is
785 especially useful if you are behind a firewall and it is impossible to
786 make a connection from the outside to your tinc daemon. Otherwise, it
787 is best to leave this option out or set it to no.
789 @item Port = <port> (655)
790 Connect to the upstream host (given with the ConnectTo directive) on
791 port port. port may be given in decimal (default), octal (when preceded
792 by a single zero) o hexadecimal (prefixed with 0x). port is the port
793 number for both the UDP and the TCP (meta) connections.
795 @item PublicKey = <key> (obsolete)
796 This is the RSA public key for this host.
798 @item PublicKeyFile = <path> (obsolete)
799 This is the full path name of the RSA public key file that was generated
800 by ``tincd --generate-keys''. It must be a full path, not a relative
803 From version 1.0pre4 on tinc will store the public key directly into the
804 host configuration file in PEM format, the above two options then are not
805 necessary. Either the PEM format is used, or exactly
806 @strong{one of the above two options} must be specified
807 in each host configuration file, if you want to be able to establish a
808 connection with that host.
810 @item Subnet = <IP address/maskbits>
811 This is the subnet range of all IP addresses that will be accepted by
812 the host that defines it.
814 The range must be contained in the IP address range of the tap device,
815 not the real IP address of the host running tincd.
817 maskbits is the number of bits set to 1 in the netmask part; for
818 example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
819 /22. This conforms to standard CIDR notation as described in
820 @uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519}
822 @item TCPonly = <yes|no> (no, experimental)
823 If this variable is set to yes, then the packets are tunnelled over a
824 TCP connection instead of a UDP connection. This is especially useful
825 for those who want to run a tinc daemon from behind a masquerading
826 firewall, or if UDP packet routing is disabled somehow. This is
827 experimental code, try this at your own risk. It may not work at all.
831 @c ==================================================================
832 @node How to configure, , Host configuration variables, Configuration file
833 @subsection How to configure
835 @subsubheading Step 1. Creating the key files
837 For each host, you have to create a pair of RSA keys. One key is your
838 private key, which is only known to you. The other one is the public
839 key, which you should copy to all hosts wanting to authenticate to you.
842 @subsubheading Step 2. Configuring each host
844 For every host in the VPN, you have to create two files. First there is
845 the main configuration file, @file{/etc/tinc/vpn-name/tinc.conf}. In
846 this file there should at least be three directives:
850 You should fill in the name of this host (or rather, the name of this
851 leaf of the VPN). It can be called after the hostname, the physical
852 location, the department, or the name of one of your boss' pets. It can
853 be anything, as long as all these names are unique across the entire
857 Fill in the full pathname to the file that contains the private RSA key.
860 This is the name of the host that you want to connect to (not a DNS
861 name, rather the name that is given with the Name parameter in that
862 hosts tinc.conf). This is the upstream connection. If your computer is
863 a central node, you might want to leave this out to make it stay idle
864 until someone connects to it.
867 @cindex host configuration file
868 Then you should create a file with the name you gave yourself in
869 tinc.conf (the `Name' parameter), located in
870 @file{/etc/tinc/vpn-name/hosts/}. In this file, which we call the
871 `@emph{host configuration file}', the public key must be present
872 and one variable is required:
876 The IP range that this host accepts as being `local'. All packets with
877 a destination address that is within this subnet will be sent to us.
878 Actually it is not stricly required, but you need it to send packets to
883 @subsubheading Step 3. Bringing it all together
885 Now for all hosts that you want to create a direct connection to, -- you
886 connect to them or they connect to you -- you get a copy of their host
889 If it is not already present, make sure you add this variable:
893 Enter the IP address or DNS hostname for this host. This is only needed
894 if you connect to this host.
897 When you did this, you should be ready to create your first connection.
898 Pay attention to the system log, most errors will only be visible
899 there. If you get an error, you can check @ref{Error messages}.
902 @c ==================================================================
903 @node Example, , Configuration file, Configuring tinc
908 Imagine the following situation. Branch A of our example `company' wants to connect
909 three branch offices in B, C and D using the internet. All four offices
910 have a 24/7 connection to the internet.
912 A is going to serve as the center of the network. B and C will connect
913 to A, and D will connect to C. Each office will be assigned their own IP
917 A: net 10.1.0.0 mask 255.255.0.0 gateway 10.1.54.1 internet IP 1.2.3.4
918 B: net 10.2.0.0 mask 255.255.0.0 gateway 10.2.1.12 internet IP 2.3.4.5
919 C: net 10.3.0.0 mask 255.255.0.0 gateway 10.3.69.254 internet IP 3.4.5.6
920 D: net 10.4.0.0 mask 255.255.0.0 gateway 10.4.3.32 internet IP 4.5.6.7
923 ``gateway'' is the VPN IP address of the machine that is running the
924 tincd. ``internet IP'' is the IP address of the firewall, which does not
925 need to run tincd, but it must do a port forwarding of TCP&UDP on port
926 655 (unless otherwise configured).
928 In this example, it is assumed that eth0 is the interface that points to
929 the inner (physical) LAN of the office, although this could also be the
930 same as the interface that leads to the internet. The configuration of
931 the real interface is also shown as a comment, to give you an idea of
932 how these example host is set up. All branches use the netname `company'
933 for this particular VPN.
935 @subsubheading For Branch A
937 @emph{BranchA} would be configured like this:
939 In @file{/etc/tinc/company/tinc-up}:
942 # Real interface of internal network:
943 # ifconfig eth0 10.1.54.1 netmask 255.255.0.0 broadcast 10.1.255.255
945 ifconfig tap0 hw ether fe:fd:00:00:00:00
946 ifconfig tap0 10.1.54.1 netmask 255.0.0.0
950 and in @file{/etc/tinc/company/tinc.conf}:
954 PrivateKey = /etc/tinc/company/rsa_key.priv
955 TapDevice = /dev/tap0
958 On all hosts, /etc/tinc/company/hosts/BranchA contains:
964 -----BEGIN RSA PUBLIC KEY-----
966 -----END RSA PUBLIC KEY-----
970 @subsubheading For Branch B
972 In @file{/etc/tinc/company/tinc-up}:
975 # Real interface of internal network:
976 # ifconfig eth0 10.2.43.8 netmask 255.255.0.0 broadcast 10.2.255.255
978 ifconfig tap0 hw ether fe:fd:00:00:00:00
979 ifconfig tap0 10.2.1.12 netmask 255.0.0.0
983 and in @file{/etc/tinc/company/tinc.conf}:
988 PrivateKey = /etc/tinc/company/rsa_key.priv
991 Note here that the internal address (on eth0) doesn't have to be the
992 same as on the tap0 device. Also, ConnectTo is given so that no-one can
993 connect to this node.
995 On all hosts, in @file{/etc/tinc/company/hosts/BranchB}:
1001 -----BEGIN RSA PUBLIC KEY-----
1003 -----END RSA PUBLIC KEY-----
1007 @subsubheading For Branch C
1009 In @file{/etc/tinc/company/tinc-up}:
1012 # Real interface of internal network:
1013 # ifconfig eth0 10.3.69.254 netmask 255.255.0.0 broadcast 10.3.255.255
1015 ifconfig tap1 hw ether fe:fd:00:00:00:00
1016 ifconfig tap1 10.3.69.254 netmask 255.0.0.0
1020 and in @file{/etc/tinc/company/tinc.conf}:
1025 TapDevice = /dev/tap1
1028 C already has another daemon that runs on port 655, so they have to
1029 reserve another port for tinc. It knows the portnumber it has to listen on
1030 from it's own host configuration file.
1032 On all hosts, in @file{/etc/tinc/company/hosts/BranchC}:
1036 Subnet = 10.3.0.0/16
1039 -----BEGIN RSA PUBLIC KEY-----
1041 -----END RSA PUBLIC KEY-----
1045 @subsubheading For Branch D
1047 In @file{/etc/tinc/company/tinc-up}:
1050 # Real interface of internal network:
1051 # ifconfig tap0 10.4.3.32 netmask 255.255.0.0 broadcast 10.4.255.255
1053 ifconfig tap0 hw ether fe:fd:0a:04:03:20
1054 ifconfig tap0 10.4.3.32 netmask 255.0.0.0
1058 and in @file{/etc/tinc/company/tinc.conf}:
1063 PrivateKeyFile = /etc/tinc/company/rsa_key.priv
1066 D will be connecting to C, which has a tincd running for this network on
1067 port 2000. It knows the port number from the host configuration file.
1069 On all hosts, in @file{/etc/tinc/company/hosts/BranchD}:
1072 Subnet = 10.4.0.0/16
1075 -----BEGIN RSA PUBLIC KEY-----
1077 -----END RSA PUBLIC KEY-----
1080 @subsubheading Key files
1082 A, B, C and D all have generated a public/private keypair with the following command:
1088 The private key is stored in @file{/etc/tinc/company/rsa_key.priv},
1089 the public key is put into the host configuration file in the @file{/etc/tinc/company/hosts/} directory.
1090 During key generation, tinc automatically guesses the right filenames based on the -n option and
1091 the Name directive in the @file{tinc.conf} file (if it is available).
1093 @subsubheading Starting
1095 After each branch has finished configuration and they have distributed
1096 the host configuration files amongst them, they can start their tinc daemons.
1097 They don't necessarily have to wait for the other branches to have started
1098 their daemons, tinc will try connecting until they are available.
1101 @c ==================================================================
1102 @node Running tinc, Technical information, Configuring tinc, Top
1103 @chapter Running tinc
1105 Running tinc isn't just as easy as typing `tincd' and hoping everything
1106 will just work out the way you wanted. Instead, the use of tinc is a
1107 project that involves trust relations and more than one computer.
1116 @c ==================================================================
1117 @node Managing keys, Runtime options, Running tinc, Running tinc
1118 @section Managing keys
1120 Before attempting to start tinc, you have to create public/private keypairs.
1121 When tinc tries to make a connection, it exchanges some sensitive
1122 data. Before doing so, it likes to know if the other end is
1125 To do this, both ends must have some knowledge about the other. In the
1126 case of tinc this is the public keys.
1128 To generate a public/private keypair, run `tincd -n vpn-name -K<bits>'.
1129 <bits> is optional, you can use it to specify the length of the keys.
1130 The length of the public/private keypairs
1131 should be at least 1024 for reasonable security (reasonable being good enough
1132 to keep the NSA busy for a few weeks).
1134 Every computer that wants to participate in the VPN should do this. The
1135 public keyfile should get the name of each tinc daemon and an extension .pub,
1136 and it should be stored in the hosts directory.
1138 When every computer has his own keys and configuration files, the files in the
1139 hosts directory should be exchanged with each other computer that it wants to
1140 talk to directly. Since only public keys are involved, you can safely do this
1141 via email, telnet or ftp, or even putting the contents on a public billboard.
1144 @c ==================================================================
1145 @node Runtime options, Error messages, Managing keys, Running tinc
1146 @section Runtime options
1148 Besides the settings in the configuration file, tinc also accepts some
1149 command line options.
1151 This list is a longer version of that in the manpage. The latter is
1152 generated automatically, so may be more up-to-date.
1154 @cindex command line
1155 @cindex runtime options
1159 @item -c, --config=PATH
1160 Read configuration options from the directory PATH. The default is
1161 @file{/etc/tinc/nn/}.
1164 Increase debug level. The higher it gets, the more gets
1165 logged. Everything goes via syslog.
1167 0 is the default, only some basic information connection attempts get
1168 logged. Setting it to 1 will log a bit more, still not very
1169 disturbing. With two -d's tincd will log protocol information, which can
1170 get pretty noisy. Three or more -d's will output every single packet
1171 that goes out or comes in, which probably generates more data than the
1175 Attempt to kill a running tincd and exit. A TERM signal (15) gets sent
1176 to the daemon that his its PID in /var/run/tinc.pid.
1178 Because it kills only one tinc daemon, you should use -n here if you
1179 started it that way. It will then read the PID from
1180 @file{/var/run/tinc.NETNAME.pid}.
1182 @item -n, --net=NETNAME
1183 Connect to net NETNAME. @xref{Multiple networks}.
1185 @item -K, --generate-keys[=BITS]
1186 Generate public/private keypair of BITS length. If BITS is not specified,
1187 1024 is the default. tinc will ask where you want to store the files,
1188 but will default to the configuration directory (you can use the -c or -n option
1189 in combination with -K). After that, tinc will quit.
1192 Display a short reminder of these runtime options and terminate.
1195 Output version information and exit.
1200 @c ==================================================================
1201 @node Error messages, , Runtime options, Running tinc
1202 @section Error messages
1204 What follows is a list of the most common error messages you can see
1205 when configuring tinc. Most of these messages are visible in the syslog
1206 only, so keep an eye on it!
1209 @item Could not open /dev/tap0: No such device
1211 @item You forgot to insmod netlink_dev.o or ethertap.o
1212 @item You forgot to compile `Netlink device emulation' in the kernel
1215 @item Can't write to /dev/net/tun: No such device
1217 @item You forgot to insmod tun.o
1218 @item You forgot to compile `Universal TUN/TAP driver' in the kernel
1221 @item Packet with destination 1.2.3.4 is looping back to us!
1223 @item Something is not configured right. Packets are being sent out to the
1224 tap device, but according to the Subnet directives in your host configuration
1225 file, those packets should go to your own host. Most common mistake is that
1226 you have a Subnet line in your host configuration file with a netmask which is
1227 just as large as the netmask of the tap device. The latter should in almost all
1228 cases be larger. Rethink your configuration.
1229 Note that you will only see this message if you specified a debug
1230 level of 5 or higher!
1233 @item Network address and subnet mask do not match!
1235 @item The Subnet field must contain a network address
1236 If you only want to use one IP address, set the netmask to /32.
1239 @item This is a bug: net.c:253: 24: Some error
1241 @item This is something that should not have happened
1242 Please report this, and tell us exactly what went wrong before you got
1243 this message. In normal operation, these errors should not occur.
1246 @item Error reading RSA key file `rsa_key.priv': No such file or directory
1248 @item You must specify the complete pathname
1249 Specifying a relative path does not make sense here. tinc changes its
1250 directory to / when starting (to avoid keeping a mount point busy); and
1251 even if we built in a default directory to look for these files, the key
1252 files are bound to be in a different directory.
1257 @c ==================================================================
1258 @node Technical information, About us, Running tinc, Top
1259 @chapter Technical information
1268 @c ==================================================================
1269 @node The Connection, Security, Technical information, Technical information
1270 @section The basic philosophy of the way tinc works
1273 tinc is a daemon that takes VPN data and transmit that to another host
1274 computer over the existing Internet infrastructure.
1277 * Protocol Preview::
1278 * The Meta-connection::
1282 @c ==================================================================
1283 @node Protocol Preview, The Meta-connection, The Connection, The Connection
1284 @subsection A preview of the way the tinc works
1288 The data itself is read from a character device file, the so-called
1289 @emph{ethertap} device. This device is associated with a network
1290 interface. Any data sent to this interface can be read from the device,
1291 and any data written to the device gets sent from the interface. Data to
1292 and from the device is formatted as if it were a normal ethernet card,
1293 so a frame is preceded by two MAC addresses and a @emph{frame type}
1296 So when tinc reads an ethernet frame from the device, it determines its
1297 type. Right now, tinc can only handle Internet Protocol version 4 (IPv4)
1298 frames, because it needs IP headers for routing.
1299 Plans to support other protocols and switching instead of routing are being made.
1301 which type of frame it has read, it can also read the source and
1302 destination address from it.
1304 Now it is time that the frame gets encrypted. Currently the only
1305 encryption algorithm available is blowfish.
1307 @cindex encapsulating
1308 When the encryption is ready, time has come to actually transport the
1309 packet to the destination computer. We do this by sending the packet
1310 over an UDP connection to the destination host. This is called
1311 @emph{encapsulating}, the VPN packet (though now encrypted) is
1312 encapsulated in another IP datagram.
1314 When the destination receives this packet, the same thing happens, only
1315 in reverse. So it does a decrypt on the contents of the UDP datagram,
1316 and it writes the decrypted information to its own ethertap device.
1318 To let the kernel on the receiving end accept the packet, the destination MAC
1319 address must match that of the tap interface. Because of the routing nature
1320 of tinc, ARP is not possible. tinc solves this by always overwriting the
1321 destination MAC address with fe:fd:0:0:0:0. That is also the reason why you must
1322 set the MAC address of your tap interface to that address.
1325 @c ==================================================================
1326 @node The Meta-connection, , Protocol Preview, The Connection
1327 @subsection The meta-connection
1329 Having only an UDP connection available is not enough. Though suitable
1330 for transmitting data, we want to be able to reliably send other
1331 information, such as routing and encryption information to somebody.
1333 TCP is a better alternative, because it already contains protection
1334 against information being lost, unlike UDP.
1336 So we establish two connections. One for the encrypted VPN data, and one
1337 for other information, the meta-data. Hence, we call the second
1338 connection the meta-connection. We can now be sure that the
1339 meta-information doesn't get lost on the way to another computer.
1341 @cindex data-protocol
1342 @cindex meta-protocol
1343 Like with any communication, we must have a protocol, so that everybody
1344 knows what everything stands for, and how she should react. Because we
1345 have two connections, we also have two protocols. The protocol used for
1346 the UDP data is the ``data-protocol,'' the other one is the
1349 The reason we don't use TCP for both protocols is that UDP is much
1350 better for encapsulation, even while it is less reliable. The real
1351 problem is that when TCP would be used to encapsulate a TCP stream
1352 that's on the private network, for every packet sent there would be
1353 three ACK's sent instead of just one. Furthermore, if there would be
1354 a timeout, both TCP streams would sense the timeout, and both would
1355 start resending packets.
1357 @c ==================================================================
1358 @node Security, , The Connection, Technical information
1359 @section About tinc's encryption and other security-related issues.
1363 tinc got its name from ``TINC,'' short for @emph{There Is No Cabal}; the
1364 alleged Cabal was/is an organization that was said to keep an eye on the
1365 entire Internet. As this is exactly what you @emph{don't} want, we named
1366 the tinc project after TINC.
1369 But in order to be ``immune'' to eavesdropping, you'll have to encrypt
1370 your data. Because tinc is a @emph{Secure} VPN (SVPN) daemon, it does
1371 exactly that: encrypt.
1373 This chapter is a mixture of ideas, reasoning and explanation, please
1374 don't take it too serious.
1380 @c ==================================================================
1381 @node Key Types, , Security, Security
1382 @subsection Key Types
1383 @c FIXME: check if I'm not talking nonsense
1385 There are several types of encryption keys. Tinc uses two of them,
1386 symmetric private keypairs and public/private keypairs.
1388 Public/private keypairs are used in public key cryptography. It enables
1389 someone to send out a public key with which other people can encrypt their
1390 data. The encrypted data now can only be decrypted by the person who has
1391 the private key that matches the public key. So, a public key only allows
1392 @emph{other} people to send encrypted messages to you. This is very useful
1393 in setting up private communications channels. Just send out your public key
1394 and other people can talk to you in a secure way. But how can you know
1395 the other person is who she says she is? This is done by sending out an
1396 encrypted challenge that only the person with the right private key can decode
1399 However, encryption with public/private keys is very slow. Symmetric key cryptography
1400 is orders of magnitudes faster, but it is very hard to safely exchange the symmetric
1401 keys, since they should be kept private.
1403 The idea is to use public/private cryptography for authentication, and for
1404 exchanging symmetric keys in a safe way. After that, all communications are encrypted
1405 with the symmetric cipher.
1408 @c ==================================================================
1409 @node About us, Concept Index, Technical information, Top
1414 * Contact Information::
1419 @c ==================================================================
1420 @node Contact Information, Authors, About us, About us
1421 @section Contact information
1423 tinc's main page is at @url{http://tinc.nl.linux.org/},
1424 this server is located in the Netherlands.
1426 We have an IRC channel on the Open Projects IRC network. Connect to
1427 @uref{http://openprojects.nu/services/irc.html, irc.openprojects.net},
1428 and join channel #tinc.
1431 @c ==================================================================
1432 @node Authors, , Contact Information, About us
1436 @item Ivo Timmermans (zarq) (@email{itimmermans@@bigfoot.com})
1437 Main coder/hacker and maintainer of the package.
1439 @item Guus Sliepen (guus) (@email{guus@@sliepen.warande.net})
1440 Originator of it all, co-author.
1442 @item Wessel Dankers (Ubiq) (@email{wsl@@nl.linux.org})
1443 For the name `tinc' and various suggestions.
1447 We have received a lot of valuable input from users. With their help,
1448 tinc has become the flexible and robust tool that it is today. We have
1449 composed a list of contributions, in the file called @file{THANKS} in
1450 the source distribution.
1453 @c ==================================================================
1454 @node Concept Index, , About us, Top
1455 @c node-name, next, previous, up
1456 @unnumbered Concept Index
1458 @c ==================================================================
1462 @c ==================================================================