X-Git-Url: http://git.meshlink.io/?p=meshlink;a=blobdiff_plain;f=doc%2Ftinc.conf.5.in;fp=doc%2Ftinc.conf.5.in;h=0000000000000000000000000000000000000000;hp=28296fb4ca9dd6ca8a54558c51f982318d4e6542;hb=b3b89e46b1b84fa6cf1726fabe9e9c7bb0d3d831;hpb=4c819a6e3a59da17142bc7bafd0455ca4bf049ac diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in deleted file mode 100644 index 28296fb4..00000000 --- a/doc/tinc.conf.5.in +++ /dev/null 
@@ -1,717 +0,0 @@ -.Dd 2014-01-29 -.Dt TINC.CONF 5 -.\" Manual page created by: -.\" Ivo Timmermans -.\" Guus Sliepen -.Sh NAME -.Nm tinc.conf -.Nd tinc daemon configuration -.Sh DESCRIPTION -The files in the -.Pa @sysconfdir@/tinc/ -directory contain runtime and security information for the tinc daemon. -.Sh NETWORKS -To distinguish multiple instances of tinc running on one computer, -you can use the -.Fl n -option to assign a network name to each tinc daemon. -.Pp -The effect of this option is that the daemon will set its configuration root to -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / , -where -.Ar NETNAME -is your argument to the -.Fl n -option. -You'll notice that messages appear in syslog as coming from -.Nm tincd. Ns Ar NETNAME , -and on Linux, unless specified otherwise, the name of the virtual network interface will be the same as the network name. -.Pp -It is recommended that you use network names even if you run only one instance of tinc. -However, you can choose not to use the -.Fl n -option. -In this case, the network name would just be empty, and -.Nm tinc -now looks for files in -.Pa @sysconfdir@/tinc/ , -instead of -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ; -the configuration file should be -.Pa @sysconfdir@/tinc/tinc.conf , -and the host configuration files are now expected to be in -.Pa @sysconfdir@/tinc/hosts/ . -.Sh NAMES -Each tinc daemon should have a name that is unique in the network which it will be part of. -The name will be used by other tinc daemons for identification. -The name has to be declared in the -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf -file. -.Pp -To make things easy, -choose something that will give unique and easy to remember names to your tinc daemon(s). -You could try things like hostnames, owner surnames or location names. -However, you are only allowed to use alphanumerical characters (a-z, A-Z, and 0-9) and underscores (_) in the name. 
-.Sh INITIAL CONFIGURATION -If you have not configured tinc yet, you can easily create a basic configuration using the following command: -.Bd -literal -offset indent -.Nm tinc Fl n Ar NETNAME Li init Ar NAME -.Ed -.Pp -You can further change the configuration as needed either by manually editing the configuration files, -or by using -.Xr tinc 8 . -.Sh PUBLIC/PRIVATE KEYS -The -.Nm tinc Li init -command will have generated both RSA and ECDSA public/private keypairs. -The private keys should be stored in files named -.Pa rsa_key.priv -and -.Pa ecdsa_key.priv -in the directory -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / -The public keys should be stored in the host configuration file -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Va NAME . -The RSA keys are used for backwards compatibility with tinc version 1.0. -If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files, -but you will need to create ECDSA keys using the following command: -.Bd -literal -offset indent -.Nm tinc Fl n Ar NETNAME Li generate-ecdsa-keys -.Ed -.Sh SERVER CONFIGURATION -The server configuration of the daemon is done in the file -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf . -This file consists of comments (lines started with a -.Li # ) -or assignments in the form of: -.Pp -.Va Variable Li = Ar Value . -.Pp -The variable names are case insensitive, and any spaces, tabs, -newlines and carriage returns are ignored. -Note: it is not required that you put in the -.Li = -sign, but doing so improves readability. -If you leave it out, remember to replace it with at least one space character. -.Pp -The server configuration is complemented with host specific configuration (see the next section). 
-Although all configuration options for the local host listed in this document can also be put in -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf , -it is recommended to put host specific configuration options in the host configuration file, -as this makes it easy to exchange with other nodes. -.Pp -You can edit the config file manually, but it is recommended that you use -.Xr tinc 8 -to change configuration variables for you. -.Pp -Here are all valid variables, listed in alphabetical order. -The default value is given between parentheses. -.Bl -tag -width indent -.It Va AddressFamily Li = ipv4 | ipv6 | any Pq any -This option affects the address family of listening and outgoing sockets. -If -.Qq any -is selected, then depending on the operating system both IPv4 and IPv6 or just -IPv6 listening sockets will be created. -.It Va AutoConnect Li = Ar count Po 0 Pc Bq experimental -If set to a non-zero value, -.Nm -will try to only have -.Ar count -meta connections to other nodes, -by automatically making or breaking connections to known nodes. -Higher values increase redundancy but also increase meta data overhead. -When using this option, a good value is 3. -.It Va BindToAddress Li = Ar address Op Ar port -This is the same as -.Va ListenAddress , -however the address given with the -.Va BindToAddress -option will also be used for outgoing connections. This is useful if your -computer has more than one IPv4 or IPv6 address, and you want -.Nm tinc -to only use a specific one for outgoing packets. -.It Va BindToInterface Li = Ar interface Bq experimental -If your computer has more than one network interface, -.Nm tinc -will by default listen on all of them for incoming connections. -It is possible to bind only to a single interface with this variable. -.Pp -This option may not work on all platforms. -Also, on some platforms it will not actually bind to an interface, -but rather to the address that the interface has at the moment a socket is created. 
-.It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental -This option selects the way broadcast packets are sent to other daemons. -NOTE: all nodes in a VPN must use the same -.Va Broadcast -mode, otherwise routing loops can form. -.Bl -tag -width indent -.It no -Broadcast packets are never sent to other nodes. -.It mst -Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree. -This ensures broadcast packets reach all nodes. -.It direct -Broadcast packets are sent directly to all nodes that can be reached directly. -Broadcast packets received from other nodes are never forwarded. -If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to. -.El -.It Va ConnectTo Li = Ar name -Specifies which other tinc daemon to connect to on startup. -Multiple -.Va ConnectTo -variables may be specified, -in which case outgoing connections to each specified tinc daemon are made. -The names should be known to this tinc daemon -(i.e., there should be a host configuration file for the name on the -.Va ConnectTo -line). -.Pp -If you don't specify a host with -.Va ConnectTo , -.Nm tinc -won't try to connect to other daemons at all, -and will instead just listen for incoming connections. -.It Va DecrementTTL Li = yes | no Po no Pc Bq experimental -When enabled, -.Nm tinc -will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets, -before forwarding a received packet to the virtual network device or to another node, -and will drop packets that have a TTL value of zero, -in which case it will send an ICMP Time Exceeded packet back. -.Pp -Do not use this option if you use switch mode and want to use IPv6. -.It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc -The virtual network device to use. -.Nm tinc -will automatically detect what kind of device it is. -Note that you can only use one device per daemon. 
-Under Windows, use -.Va Interface -instead of -.Va Device . -The info pages of the tinc package contain more information -about configuring the virtual network device. -.It Va DeviceType Li = Ar type Pq platform dependent -The type of the virtual network device. -Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used. -However, this option can be used to select one of the special interface types, if support for them is compiled in. -.Bl -tag -width indent -.It dummy -Use a dummy interface. -No packets are ever read or written to a virtual network device. -Useful for testing, or when setting up a node that only forwards packets for other nodes. -.It raw_socket -Open a raw socket, and bind it to a pre-existing -.Va Interface -(eth0 by default). -All packets are read from this interface. -Packets received for the local node are written to the raw socket. -However, at least on Linux, the operating system does not process IP packets destined for the local host. -.It multicast -Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using -.Va Device . -Packets are read from and written to this multicast socket. -This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address. -Do NOT connect multiple -.Nm tinc -daemons to the same multicast address, this will very likely cause routing loops. -Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured. -.It uml Pq not compiled in by default -Create a UNIX socket with the filename specified by -.Va Device , -or -.Pa @localstatedir@/run/ Ns Ar NETNAME Ns Pa .umlsocket -if not specified. -.Nm tinc -will wait for a User Mode Linux instance to connect to this socket. 
-.It vde Pq not compiled in by default -Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch, -using the UNIX socket specified by -.Va Device , -or -.Pa @localstatedir@/run/vde.ctl -if not specified. -.El -Also, in case tinc does not seem to correctly interpret packets received from the virtual network device, -it can be used to change the way packets are interpreted: -.Bl -tag -width indent -.It tun Pq BSD and Linux -Set type to tun. -Depending on the platform, this can either be with or without an address family header (see below). -.It tunnohead Pq BSD -Set type to tun without an address family header. -Tinc will expect packets read from the virtual network device to start with an IP header. -On some platforms IPv6 packets cannot be read from or written to the device in this mode. -.It tunifhead Pq BSD -Set type to tun with an address family header. -Tinc will expect packets read from the virtual network device -to start with a four byte header containing the address family, -followed by an IP header. -This mode should support both IPv4 and IPv6 packets. -.It tap Pq BSD and Linux -Set type to tap. -Tinc will expect packets read from the virtual network device -to start with an Ethernet header. -.El -.It Va DirectOnly Li = yes | no Po no Pc Bq experimental -When this option is enabled, packets that cannot be sent directly to the destination node, -but which would have to be forwarded by an intermediate node, are dropped instead. -When combined with the IndirectData option, -packets for nodes for which we do not have a meta connection with are also dropped. -.It Va ECDSAPrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /ecdsa_key.priv Pc -The file in which the private ECDSA key of this tinc daemon resides. -This is only used if -.Va ExperimentalProtocol -is enabled. 
-.It Va ExperimentalProtocol Li = yes | no Pq yes -When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it. -Ephemeral ECDH will be used for key exchanges, -and ECDSA will be used instead of RSA for authentication. -When enabled, an ECDSA key must have been generated before with -.Nm tinc generate-ecdsa-keys . -.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental -This option selects the way indirect packets are forwarded. -.Bl -tag -width indent -.It off -Incoming packets that are not meant for the local node, -but which should be forwarded to another node, are dropped. -.It internal -Incoming packets that are meant for another node are forwarded by tinc internally. -.Pp -This is the default mode, and unless you really know you need another forwarding mode, don't change it. -.It kernel -Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node. -This is less efficient, but allows the kernel to apply its routing and firewall rules on them, -and can also help debugging. -.El -.It Va Hostnames Li = yes | no Pq no -This option selects whether IP addresses (both real and on the VPN) should -be resolved. Since DNS lookups are blocking, it might affect tinc's -efficiency, even stopping the daemon for a few seconds every time it does -a lookup if your DNS server is not responding. -.Pp -This does not affect resolving hostnames to IP addresses from the -host configuration files, but whether hostnames should be resolved while logging. -.It Va IffOneQueue Li = yes | no Po no Pc Bq experimental -(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices. -.It Va Interface Li = Ar interface -Defines the name of the interface corresponding to the virtual network device. -Depending on the operating system and the type of device this may or may not actually set the name of the interface. 
-Under Windows, this variable is used to select which network interface will be used. -If you specified a -.Va Device , -this variable is almost always already correctly set. -.It Va KeyExpire Li = Ar seconds Pq 3600 -This option controls the period the encryption keys used to encrypt the data are valid. -It is common practice to change keys at regular intervals to make it even harder for crackers, -even though it is thought to be nearly impossible to crack a single key. -.It Va ListenAddress Li = Ar address Op Ar port -If your computer has more than one IPv4 or IPv6 address, -.Nm tinc -will by default listen on all of them for incoming connections. -This option can be used to restrict which addresses tinc listens on. -Multiple -.Va ListenAddress -variables may be specified, -in which case listening sockets for each specified address are made. -.Pp -If no -.Ar port -is specified, the socket will listen on the port specified by the -.Va Port -option, or to port 655 if neither is given. -To only listen on a specific port but not on a specific address, use -.Li * -for the -.Ar address . -.It Va LocalDiscovery Li = yes | no Pq no -When enabled, -.Nm tinc -will try to detect peers that are on the same local network. -This will allow direct communication using LAN addresses, even if both peers are behind a NAT -and they only ConnectTo a third node outside the NAT, -which normally would prevent the peers from learning each other's LAN address. -.Pp -Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery. -This feature may not work in all possible situations. -.It Va LocalDiscoveryAddress Li = Ar address -If this variable is specified, local discovery packets are sent to the given -.Ar address . -.It Va MACExpire Li = Ar seconds Pq 600 -This option controls the amount of time MAC addresses are kept before they are removed. -This only has effect when -.Va Mode -is set to -.Qq switch . 
-.It Va MaxConnectionBurst Li = Ar count Pq 100 -This option controls how many connections tinc accepts in quick succession. -If there are more connections than the given number in a short time interval, -tinc will reduce the number of accepted connections to only one per second, -until the burst has passed. -.It Va MaxTimeout Li = Ar seconds Pq 900 -This is the maximum delay before trying to reconnect to other tinc daemons. -.It Va Mode Li = router | switch | hub Pq router -This option selects the way packets are routed to other daemons. -.Bl -tag -width indent -.It router -In this mode -.Va Subnet -variables in the host configuration files will be used to form a routing table. -Only packets of routable protocols (IPv4 and IPv6) are supported in this mode. -.Pp -This is the default mode, and unless you really know you need another mode, don't change it. -.It switch -In this mode the MAC addresses of the packets on the VPN will be used to -dynamically create a routing table just like an Ethernet switch does. -Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode -at the cost of frequent broadcast ARP requests and routing table updates. -.Pp -This mode is primarily useful if you want to bridge Ethernet segments. -.It hub -This mode is almost the same as the switch mode, but instead -every packet will be broadcast to the other daemons -while no routing table is managed. -.El -.It Va Name Li = Ar name Bq required -This is the name which identifies this tinc daemon. -It must be unique for the virtual private network this daemon will connect to. -The Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive. -If -.Va Name -starts with a -.Li $ , -then the contents of the environment variable that follows will be used. -In that case, invalid characters will be converted to underscores. 
-If -.Va Name -is -.Li $HOST , -but no such environment variable exist, the hostname will be read using the gethostname() system call. -.It Va PingInterval Li = Ar seconds Pq 60 -The number of seconds of inactivity that -.Nm tinc -will wait before sending a probe to the other end. -.It Va PingTimeout Li = Ar seconds Pq 5 -The number of seconds to wait for a response to pings or to allow meta -connections to block. If the other end doesn't respond within this time, -the connection is terminated, -and the others will be notified of this. -.It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental -When this option is enabled the value of the TOS field of tunneled IPv4 packets -will be inherited by the UDP packets that are sent out. -.It Va PrivateKey Li = Ar key Bq obsolete -The private RSA key of this tinc daemon. -It will allow this tinc daemon to authenticate itself to other daemons. -.It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc -The file in which the private RSA key of this tinc daemon resides. -.It Va ProcessPriority Li = low | normal | high -When this option is used the priority of the -.Nm tincd -process will be adjusted. -Increasing the priority may help to reduce latency and packet loss on the VPN. -.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental -Use a proxy when making outgoing connections. -The following proxy types are currently supported: -.Bl -tag -width indent -.It socks4 Ar address Ar port Op Ar username -Connects to the proxy using the SOCKS version 4 protocol. -Optionally, a -.Ar username -can be supplied which will be passed on to the proxy server. -Only IPv4 connections can be proxied using SOCKS 4. -.It socks5 Ar address Ar port Op Ar username Ar password -Connect to the proxy using the SOCKS version 5 protocol. -If a -.Ar username -and -.Ar password -are given, basic username/password authentication will be used, -otherwise no authentication will be used. 
-.It http Ar address Ar port -Connects to the proxy and sends a HTTP CONNECT request. -.It exec Ar command -Executes the given -.Ar command -which should set up the outgoing connection. -The environment variables -.Ev NAME , -.Ev NODE , -.Ev REMOTEADDRES -and -.Ev REMOTEPORT -are available. -.El -.It Va ReplayWindow Li = Ar bytes Pq 16 -This is the size of the replay tracking window for each remote node, in bytes. -The window is a bitfield which tracks 1 packet per bit, so for example -the default setting of 16 will track up to 128 packets in the window. In high -bandwidth scenarios, setting this to a higher value can reduce packet loss from -the interaction of replay tracking with underlying real packet loss and/or -reordering. Setting this to zero will disable replay tracking completely and -pass all traffic, but leaves tinc vulnerable to replay-based attacks on your -traffic. -.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental -When this option is enabled tinc will only use Subnet statements which are -present in the host config files in the local -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ -directory. Subnets learned via connections to other nodes and which are not -present in the local host config files are ignored. -.It Va TunnelServer Li = yes | no Po no Pc Bq experimental -When this option is enabled tinc will no longer forward information between other tinc daemons, -and will only allow connections with nodes for which host config files are present in the local -.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ -directory. -Setting this options also implicitly sets StrictSubnets. -.It Va UDPRcvBuf Li = Ar bytes Pq OS default -Sets the socket receive buffer size for the UDP socket, in bytes. -If unset, the default buffer size will be used by the operating system. -.It Va UDPSndBuf Li = Ar bytes Pq OS default -Sets the socket send buffer size for the UDP socket, in bytes. 
-If unset, the default buffer size will be used by the operating system. -.El -.Sh HOST CONFIGURATION FILES -The host configuration files contain all information needed -to establish a connection to those hosts. -A host configuration file is also required for the local tinc daemon, -it will use it to read in it's listen port, public key and subnets. -.Pp -The idea is that these files are portable. -You can safely mail your own host configuration file to someone else. -That other person can then copy it to his own hosts directory, -and now his tinc daemon will be able to connect to your tinc daemon. -Since host configuration files only contain public keys, -no secrets are revealed by sending out this information. -.Bl -tag -width indent -.It Va Address Li = Ar address Oo Ar port Oc Bq recommended -The IP address or hostname of this tinc daemon on the real network. -This will only be used when trying to make an outgoing connection to this tinc daemon. -Optionally, a port can be specified to use for this address. -Multiple -.Va Address -variables can be specified, in which case each address will be tried until a working -connection has been established. -.It Va Cipher Li = Ar cipher Pq blowfish -The symmetric cipher algorithm used to encrypt UDP packets. -Any cipher supported by OpenSSL is recognised. -Furthermore, specifying -.Qq none -will turn off packet encryption. -It is best to use only those ciphers which support CBC mode. -This option has no effect for connections between nodes using -.Va ExperimentalProtocol . -.It Va ClampMSS Li = yes | no Pq yes -This option specifies whether tinc should clamp the maximum segment size (MSS) -of TCP packets to the path MTU. This helps in situations where ICMP -Fragmentation Needed or Packet too Big messages are dropped by firewalls. -.It Va Compression Li = Ar level Pq 0 -This option sets the level of compression used for UDP packets. 
-Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), -10 (fast lzo) and 11 (best lzo). -.It Va Digest Li = Ar digest Pq sha1 -The digest algorithm used to authenticate UDP packets. -Any digest supported by OpenSSL is recognised. -Furthermore, specifying -.Qq none -will turn off packet authentication. -This option has no effect for connections between nodes using -.Va ExperimentalProtocol . -.It Va IndirectData Li = yes | no Pq no -When set to yes, other nodes which do not already have a meta connection to you -will not try to establish direct communication with you. -It is best to leave this option out or set it to no. -.It Va MACLength Li = Ar length Pq 4 -The length of the message authentication code used to authenticate UDP packets. -Can be anything from -.Qq 0 -up to the length of the digest produced by the digest algorithm. -This option has no effect for connections between nodes using -.Va ExperimentalProtocol . -.It Va PMTU Li = Ar mtu Po 1514 Pc -This option controls the initial path MTU to this node. -.It Va PMTUDiscovery Li = yes | no Po yes Pc -When this option is enabled, tinc will try to discover the path MTU to this node. -After the path MTU has been discovered, it will be enforced on the VPN. -.It Va Port Li = Ar port Pq 655 -The port number on which this tinc daemon is listening for incoming connections, -which is used if no port number is specified in an -.Va Address -statement. -.It Va PublicKey Li = Ar key Bq obsolete -The public RSA key of this tinc daemon. -It will be used to cryptographically verify it's identity and to set up a secure connection. -.It Va PublicKeyFile Li = Ar filename Bq obsolete -The file in which the public RSA key of this tinc daemon resides. -.Pp -From version 1.0pre4 on -.Nm tinc -will store the public key directly into the host configuration file in PEM format, -the above two options then are not necessary. 
-Either the PEM format is used, or exactly one of the above two options must be specified -in each host configuration file, -if you want to be able to establish a connection with that host. -.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight -The subnet which this tinc daemon will serve. -.Nm tinc -tries to look up which other daemon it should send a packet to by searching the appropriate subnet. -If the packet matches a subnet, -it will be sent to the daemon who has this subnet in his host configuration file. -Multiple -.Va Subnet -variables can be specified. -.Pp -Subnets can either be single MAC, IPv4 or IPv6 addresses, -in which case a subnet consisting of only that single address is assumed, -or they can be a IPv4 or IPv6 network address with a prefixlength. -For example, IPv4 subnets must be in a form like 192.168.1.0/24, -where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask. -Note that subnets like 192.168.1.1/24 are invalid! -Read a networking HOWTO/FAQ/guide if you don't understand this. -IPv6 subnets are notated like fec0:0:0:1::/64. -MAC addresses are notated like 0:1a:2b:3c:4d:5e. -.Pp -A Subnet can be given a weight to indicate its priority over identical Subnets -owned by different nodes. The default weight is 10. Lower values indicate -higher priority. Packets will be sent to the node with the highest priority, -unless that node is not reachable, in which case the node with the next highest -priority will be tried, and so on. -.It Va TCPOnly Li = yes | no Pq no Bq obsolete -If this variable is set to yes, -then the packets are tunnelled over the TCP connection instead of a UDP connection. -This is especially useful for those who want to run a tinc daemon -from behind a masquerading firewall, -or if UDP packet routing is disabled somehow. -Setting this options also implicitly sets IndirectData. 
-.Pp -Since version 1.0.10, tinc will automatically detect whether communication via -UDP is possible or not. -.It Va Weight Li = Ar weight -If this variable is set, it overrides the weight given to connections made with -another host. A higher -.Ar weight -means a lower priority is given to this connection when broadcasting or -forwarding packets. -.El -.Sh SCRIPTS -Apart from reading the server and host configuration files, -tinc can also run scripts at certain moments. -Under Windows (not Cygwin), the scripts should have the extension -.Pa .bat -or -.Pa cmd . -.Bl -tag -width indent -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up -This is the most important script. -If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device. -It should be used to set up the corresponding network interface, -but can also be used to start other things. -Under Windows you can use the Network Connections control panel instead of creating this script. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down -This script is started right before the tinc daemon quits. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up -This script is started when the tinc daemon with name -.Ar HOST -becomes reachable. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -down -This script is started when the tinc daemon with name -.Ar HOST -becomes unreachable. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-up -This script is started when any host becomes reachable. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-down -This script is started when any host becomes unreachable. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-up -This script is started when a Subnet becomes reachable. -The Subnet and the node it belongs to are passed in environment variables. 
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down -This script is started when a Subnet becomes unreachable. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitation-created -This script is started when a new invitation has been created. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitation-accepted -This script is started when an invitation has been used. -.El -.Pp -The scripts are started without command line arguments, but can make use of certain environment variables. -Under UNIX like operating systems the names of environment variables must be preceded by a -.Li $ -in scripts. -Under Windows, in -.Pa .bat -or -.Pa .cmd -files, they have to be put between -.Li % -signs. -.Bl -tag -width indent -.It Ev NETNAME -If a netname was specified, this environment variable contains it. -.It Ev NAME -Contains the name of this tinc daemon. -.It Ev DEVICE -Contains the name of the virtual network device that tinc uses. -.It Ev INTERFACE -Contains the name of the virtual network interface that tinc uses. -This should be used for commands like -.Pa ifconfig . -.It Ev NODE -When a host becomes (un)reachable, this is set to its name. -If a subnet becomes (un)reachable, this is set to the owner of that subnet. -.It Ev REMOTEADDRESS -When a host becomes (un)reachable, this is set to its real address. -.It Ev REMOTEPORT -When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons. -.It Ev SUBNET -When a subnet becomes (un)reachable, this is set to the subnet. -.It Ev WEIGHT -When a subnet becomes (un)reachable, this is set to the subnet weight. -.It Ev INVITATION_FILE -When the -.Pa invitation-created -script is called, this is set to the file where the invitation details will be stored. -.It Ev INVITATION_URL -When the -.Pa invitation-created -script is called, this is set to the invitation URL that has been created. 
-.El -.Pp -Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command -.Nm chmod Li a+x Pa script . -.Sh FILES -The most important files are: -.Bl -tag -width indent -.It Pa @sysconfdir@/tinc/ -The top directory for configuration files. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf -The default name of the server configuration file for net -.Ar NETNAME . -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/ -Optional directory from which any .conf file will be loaded -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ -Host configuration files are kept in this directory. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up -If an executable file with this name exists, -it will be executed right after the tinc daemon has connected to the virtual network device. -It can be used to set up the corresponding network interface. -.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down -If an executable file with this name exists, -it will be executed right before the tinc daemon is going to close -its connection to the virtual network device. -.El -.Sh SEE ALSO -.Xr tincd 8 , -.Xr tinc 8 , -.Pa http://www.tinc-vpn.org/ , -.Pa http://www.tldp.org/LDP/nag2/ . -.Pp -The full documentation for -.Nm tinc -is maintained as a Texinfo manual. -If the info and tinc programs are properly installed at your site, the command -.Ic info tinc -should give you access to the complete manual. -.Pp -.Nm tinc -comes with ABSOLUTELY NO WARRANTY. -This is free software, and you are welcome to redistribute it under certain conditions; -see the file COPYING for details.
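Review bot: deleting the whole file removes, in the ReplayWindow, Cipher, Digest and MACLength entries, the warnings about which settings weaken packet protection (ReplayWindow set to zero disables replay tracking; Cipher or Digest set to "none" turns off packet encryption or authentication), and nothing visible in this diff says where that guidance now lives. If these options still exist after this change, carry those warnings into whatever documentation replaces this page; if the options are gone, say so in the commit message. The same applies to the PUBLIC/PRIVATE KEYS section, which names rsa_key.priv and ecdsa_key.priv as the private key files, and to the StrictSubnets and TunnelServer entries, which describe restricting Subnets and connections to the local hosts/ directory. Since the file is a .in template with @sysconfdir@ and @localstatedir@ substitutions and the visible diff touches only doc/tinc.conf.5.in, also check that no build rule still expects to generate tinc.conf.5 from it.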