-.Dd 2014-01-29
-.Dt TINC.CONF 5
-.\" Manual page created by:
-.\" Ivo Timmermans
-.\" Guus Sliepen <guus@tinc-vpn.org>
-.Sh NAME
-.Nm tinc.conf
-.Nd tinc daemon configuration
-.Sh DESCRIPTION
-The files in the
-.Pa @sysconfdir@/tinc/
-directory contain runtime and security information for the tinc daemon.
-.Sh NETWORKS
-To distinguish multiple instances of tinc running on one computer,
-you can use the
-.Fl n
-option to assign a network name to each tinc daemon.
-.Pp
-The effect of this option is that the daemon will set its configuration root to
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ,
-where
-.Ar NETNAME
-is your argument to the
-.Fl n
-option.
-You'll notice that messages appear in syslog as coming from
-.Nm tincd. Ns Ar NETNAME ,
-and on Linux, unless specified otherwise, the name of the virtual network interface will be the same as the network name.
-.Pp
-It is recommended that you use network names even if you run only one instance of tinc.
-However, you can choose not to use the
-.Fl n
-option.
-In this case, the network name would just be empty, and
-.Nm tinc
-now looks for files in
-.Pa @sysconfdir@/tinc/ ,
-instead of
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / ;
-the configuration file should be
-.Pa @sysconfdir@/tinc/tinc.conf ,
-and the host configuration files are now expected to be in
-.Pa @sysconfdir@/tinc/hosts/ .
-.Sh NAMES
-Each tinc daemon should have a name that is unique in the network which it will be part of.
-The name will be used by other tinc daemons for identification.
-The name has to be declared in the
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
-file.
-.Pp
-To make things easy,
-choose something that will give unique and easy to remember names to your tinc daemon(s).
-You could try things like hostnames, owner surnames or location names.
-However, you are only allowed to use alphanumerical characters (a-z, A-Z, and 0-9) and underscores (_) in the name.
-.Sh INITIAL CONFIGURATION
-If you have not configured tinc yet, you can easily create a basic configuration using the following command:
-.Bd -literal -offset indent
-.Nm tinc Fl n Ar NETNAME Li init Ar NAME
-.Ed
-.Pp
-You can further change the configuration as needed either by manually editing the configuration files,
-or by using
-.Xr tinc 8 .
-.Sh PUBLIC/PRIVATE KEYS
-The
-.Nm tinc Li init
-command will have generated both RSA and ECDSA public/private keypairs.
-The private keys should be stored in files named
-.Pa rsa_key.priv
-and
-.Pa ecdsa_key.priv
-in the directory
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /
-The public keys should be stored in the host configuration file
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Va NAME .
-The RSA keys are used for backwards compatibility with tinc version 1.0.
-If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files,
-but you will need to create ECDSA keys using the following command:
-.Bd -literal -offset indent
-.Nm tinc Fl n Ar NETNAME Li generate-ecdsa-keys
-.Ed
-.Sh SERVER CONFIGURATION
-The server configuration of the daemon is done in the file
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .
-This file consists of comments (lines started with a
-.Li # )
-or assignments in the form of:
-.Pp
-.Va Variable Li = Ar Value .
-.Pp
-The variable names are case insensitive, and any spaces, tabs,
-newlines and carriage returns are ignored.
-Note: it is not required that you put in the
-.Li =
-sign, but doing so improves readability.
-If you leave it out, remember to replace it with at least one space character.
-.Pp
-The server configuration is complemented with host specific configuration (see the next section).
-Although all configuration options for the local host listed in this document can also be put in
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf ,
-it is recommended to put host specific configuration options in the host configuration file,
-as this makes it easy to exchange with other nodes.
-.Pp
-You can edit the config file manually, but it is recommended that you use
-.Xr tinc 8
-to change configuration variables for you.
-.Pp
-Here are all valid variables, listed in alphabetical order.
-The default value is given between parentheses.
-.Bl -tag -width indent
-.It Va AddressFamily Li = ipv4 | ipv6 | any Pq any
-This option affects the address family of listening and outgoing sockets.
-If
-.Qq any
-is selected, then depending on the operating system both IPv4 and IPv6 or just
-IPv6 listening sockets will be created.
-.It Va AutoConnect Li = Ar count Po 0 Pc Bq experimental
-If set to a non-zero value,
-.Nm
-will try to only have
-.Ar count
-meta connections to other nodes,
-by automatically making or breaking connections to known nodes.
-Higher values increase redundancy but also increase meta data overhead.
-When using this option, a good value is 3.
-.It Va BindToAddress Li = Ar address Op Ar port
-This is the same as
-.Va ListenAddress ,
-however the address given with the
-.Va BindToAddress
-option will also be used for outgoing connections. This is useful if your
-computer has more than one IPv4 or IPv6 address, and you want
-.Nm tinc
-to only use a specific one for outgoing packets.
-.It Va BindToInterface Li = Ar interface Bq experimental
-If your computer has more than one network interface,
-.Nm tinc
-will by default listen on all of them for incoming connections.
-It is possible to bind only to a single interface with this variable.
-.Pp
-This option may not work on all platforms.
-Also, on some platforms it will not actually bind to an interface,
-but rather to the address that the interface has at the moment a socket is created.
-.It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental
-This option selects the way broadcast packets are sent to other daemons.
-NOTE: all nodes in a VPN must use the same
-.Va Broadcast
-mode, otherwise routing loops can form.
-.Bl -tag -width indent
-.It no
-Broadcast packets are never sent to other nodes.
-.It mst
-Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.
-This ensures broadcast packets reach all nodes.
-.It direct
-Broadcast packets are sent directly to all nodes that can be reached directly.
-Broadcast packets received from other nodes are never forwarded.
-If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
-.El
-.It Va ConnectTo Li = Ar name
-Specifies which other tinc daemon to connect to on startup.
-Multiple
-.Va ConnectTo
-variables may be specified,
-in which case outgoing connections to each specified tinc daemon are made.
-The names should be known to this tinc daemon
-(i.e., there should be a host configuration file for the name on the
-.Va ConnectTo
-line).
-.Pp
-If you don't specify a host with
-.Va ConnectTo ,
-.Nm tinc
-won't try to connect to other daemons at all,
-and will instead just listen for incoming connections.
-.It Va DecrementTTL Li = yes | no Po no Pc Bq experimental
-When enabled,
-.Nm tinc
-will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets,
-before forwarding a received packet to the virtual network device or to another node,
-and will drop packets that have a TTL value of zero,
-in which case it will send an ICMP Time Exceeded packet back.
-.Pp
-Do not use this option if you use switch mode and want to use IPv6.
-.It Va Device Li = Ar device Po Pa /dev/tap0 , Pa /dev/net/tun No or other depending on platform Pc
-The virtual network device to use.
-.Nm tinc
-will automatically detect what kind of device it is.
-Note that you can only use one device per daemon.
-Under Windows, use
-.Va Interface
-instead of
-.Va Device .
-The info pages of the tinc package contain more information
-about configuring the virtual network device.
-.It Va DeviceType Li = Ar type Pq platform dependent
-The type of the virtual network device.
-Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used.
-However, this option can be used to select one of the special interface types, if support for them is compiled in.
-.Bl -tag -width indent
-.It dummy
-Use a dummy interface.
-No packets are ever read or written to a virtual network device.
-Useful for testing, or when setting up a node that only forwards packets for other nodes.
-.It raw_socket
-Open a raw socket, and bind it to a pre-existing
-.Va Interface
-(eth0 by default).
-All packets are read from this interface.
-Packets received for the local node are written to the raw socket.
-However, at least on Linux, the operating system does not process IP packets destined for the local host.
-.It multicast
-Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using
-.Va Device .
-Packets are read from and written to this multicast socket.
-This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address.
-Do NOT connect multiple
-.Nm tinc
-daemons to the same multicast address, this will very likely cause routing loops.
-Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
-.It uml Pq not compiled in by default
-Create a UNIX socket with the filename specified by
-.Va Device ,
-or
-.Pa @localstatedir@/run/ Ns Ar NETNAME Ns Pa .umlsocket
-if not specified.
-.Nm tinc
-will wait for a User Mode Linux instance to connect to this socket.
-.It vde Pq not compiled in by default
-Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch,
-using the UNIX socket specified by
-.Va Device ,
-or
-.Pa @localstatedir@/run/vde.ctl
-if not specified.
-.El
-Also, in case tinc does not seem to correctly interpret packets received from the virtual network device,
-it can be used to change the way packets are interpreted:
-.Bl -tag -width indent
-.It tun Pq BSD and Linux
-Set type to tun.
-Depending on the platform, this can either be with or without an address family header (see below).
-.It tunnohead Pq BSD
-Set type to tun without an address family header.
-Tinc will expect packets read from the virtual network device to start with an IP header.
-On some platforms IPv6 packets cannot be read from or written to the device in this mode.
-.It tunifhead Pq BSD
-Set type to tun with an address family header.
-Tinc will expect packets read from the virtual network device
-to start with a four byte header containing the address family,
-followed by an IP header.
-This mode should support both IPv4 and IPv6 packets.
-.It tap Pq BSD and Linux
-Set type to tap.
-Tinc will expect packets read from the virtual network device
-to start with an Ethernet header.
-.El
-.It Va DirectOnly Li = yes | no Po no Pc Bq experimental
-When this option is enabled, packets that cannot be sent directly to the destination node,
-but which would have to be forwarded by an intermediate node, are dropped instead.
-When combined with the IndirectData option,
-packets for nodes for which we do not have a meta connection with are also dropped.
-.It Va ECDSAPrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /ecdsa_key.priv Pc
-The file in which the private ECDSA key of this tinc daemon resides.
-This is only used if
-.Va ExperimentalProtocol
-is enabled.
-.It Va ExperimentalProtocol Li = yes | no Pq yes
-When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
-Ephemeral ECDH will be used for key exchanges,
-and ECDSA will be used instead of RSA for authentication.
-When enabled, an ECDSA key must have been generated before with
-.Nm tinc generate-ecdsa-keys .
-.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
-This option selects the way indirect packets are forwarded.
-.Bl -tag -width indent
-.It off
-Incoming packets that are not meant for the local node,
-but which should be forwarded to another node, are dropped.
-.It internal
-Incoming packets that are meant for another node are forwarded by tinc internally.
-.Pp
-This is the default mode, and unless you really know you need another forwarding mode, don't change it.
-.It kernel
-Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node.
-This is less efficient, but allows the kernel to apply its routing and firewall rules on them,
-and can also help debugging.
-.El
-.It Va Hostnames Li = yes | no Pq no
-This option selects whether IP addresses (both real and on the VPN) should
-be resolved. Since DNS lookups are blocking, it might affect tinc's
-efficiency, even stopping the daemon for a few seconds every time it does
-a lookup if your DNS server is not responding.
-.Pp
-This does not affect resolving hostnames to IP addresses from the
-host configuration files, but whether hostnames should be resolved while logging.
-.It Va IffOneQueue Li = yes | no Po no Pc Bq experimental
-(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
-.It Va Interface Li = Ar interface
-Defines the name of the interface corresponding to the virtual network device.
-Depending on the operating system and the type of device this may or may not actually set the name of the interface.
-Under Windows, this variable is used to select which network interface will be used.
-If you specified a
-.Va Device ,
-this variable is almost always already correctly set.
-.It Va KeyExpire Li = Ar seconds Pq 3600
-This option controls the period the encryption keys used to encrypt the data are valid.
-It is common practice to change keys at regular intervals to make it even harder for crackers,
-even though it is thought to be nearly impossible to crack a single key.
-.It Va ListenAddress Li = Ar address Op Ar port
-If your computer has more than one IPv4 or IPv6 address,
-.Nm tinc
-will by default listen on all of them for incoming connections.
-This option can be used to restrict which addresses tinc listens on.
-Multiple
-.Va ListenAddress
-variables may be specified,
-in which case listening sockets for each specified address are made.
-.Pp
-If no
-.Ar port
-is specified, the socket will listen on the port specified by the
-.Va Port
-option, or to port 655 if neither is given.
-To only listen on a specific port but not on a specific address, use
-.Li *
-for the
-.Ar address .
-.It Va LocalDiscovery Li = yes | no Pq no
-When enabled,
-.Nm tinc
-will try to detect peers that are on the same local network.
-This will allow direct communication using LAN addresses, even if both peers are behind a NAT
-and they only ConnectTo a third node outside the NAT,
-which normally would prevent the peers from learning each other's LAN address.
-.Pp
-Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery.
-This feature may not work in all possible situations.
-.It Va LocalDiscoveryAddress Li = Ar address
-If this variable is specified, local discovery packets are sent to the given
-.Ar address .
-.It Va MACExpire Li = Ar seconds Pq 600
-This option controls the amount of time MAC addresses are kept before they are removed.
-This only has effect when
-.Va Mode
-is set to
-.Qq switch .
-.It Va MaxConnectionBurst Li = Ar count Pq 100
-This option controls how many connections tinc accepts in quick succession.
-If there are more connections than the given number in a short time interval,
-tinc will reduce the number of accepted connections to only one per second,
-until the burst has passed.
-.It Va MaxTimeout Li = Ar seconds Pq 900
-This is the maximum delay before trying to reconnect to other tinc daemons.
-.It Va Mode Li = router | switch | hub Pq router
-This option selects the way packets are routed to other daemons.
-.Bl -tag -width indent
-.It router
-In this mode
-.Va Subnet
-variables in the host configuration files will be used to form a routing table.
-Only packets of routable protocols (IPv4 and IPv6) are supported in this mode.
-.Pp
-This is the default mode, and unless you really know you need another mode, don't change it.
-.It switch
-In this mode the MAC addresses of the packets on the VPN will be used to
-dynamically create a routing table just like an Ethernet switch does.
-Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
-at the cost of frequent broadcast ARP requests and routing table updates.
-.Pp
-This mode is primarily useful if you want to bridge Ethernet segments.
-.It hub
-This mode is almost the same as the switch mode, but instead
-every packet will be broadcast to the other daemons
-while no routing table is managed.
-.El
-.It Va Name Li = Ar name Bq required
-This is the name which identifies this tinc daemon.
-It must be unique for the virtual private network this daemon will connect to.
-The Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.
-If
-.Va Name
-starts with a
-.Li $ ,
-then the contents of the environment variable that follows will be used.
-In that case, invalid characters will be converted to underscores.
-If
-.Va Name
-is
-.Li $HOST ,
-but no such environment variable exist, the hostname will be read using the gethostname() system call.
-.It Va PingInterval Li = Ar seconds Pq 60
-The number of seconds of inactivity that
-.Nm tinc
-will wait before sending a probe to the other end.
-.It Va PingTimeout Li = Ar seconds Pq 5
-The number of seconds to wait for a response to pings or to allow meta
-connections to block. If the other end doesn't respond within this time,
-the connection is terminated,
-and the others will be notified of this.
-.It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental
-When this option is enabled the value of the TOS field of tunneled IPv4 packets
-will be inherited by the UDP packets that are sent out.
-.It Va PrivateKey Li = Ar key Bq obsolete
-The private RSA key of this tinc daemon.
-It will allow this tinc daemon to authenticate itself to other daemons.
-.It Va PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv Pc
-The file in which the private RSA key of this tinc daemon resides.
-.It Va ProcessPriority Li = low | normal | high
-When this option is used the priority of the
-.Nm tincd
-process will be adjusted.
-Increasing the priority may help to reduce latency and packet loss on the VPN.
-.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
-Use a proxy when making outgoing connections.
-The following proxy types are currently supported:
-.Bl -tag -width indent
-.It socks4 Ar address Ar port Op Ar username
-Connects to the proxy using the SOCKS version 4 protocol.
-Optionally, a
-.Ar username
-can be supplied which will be passed on to the proxy server.
-Only IPv4 connections can be proxied using SOCKS 4.
-.It socks5 Ar address Ar port Op Ar username Ar password
-Connect to the proxy using the SOCKS version 5 protocol.
-If a
-.Ar username
-and
-.Ar password
-are given, basic username/password authentication will be used,
-otherwise no authentication will be used.
-.It http Ar address Ar port
-Connects to the proxy and sends a HTTP CONNECT request.
-.It exec Ar command
-Executes the given
-.Ar command
-which should set up the outgoing connection.
-The environment variables
-.Ev NAME ,
-.Ev NODE ,
-.Ev REMOTEADDRES
-and
-.Ev REMOTEPORT
-are available.
-.El
-.It Va ReplayWindow Li = Ar bytes Pq 16
-This is the size of the replay tracking window for each remote node, in bytes.
-The window is a bitfield which tracks 1 packet per bit, so for example
-the default setting of 16 will track up to 128 packets in the window. In high
-bandwidth scenarios, setting this to a higher value can reduce packet loss from
-the interaction of replay tracking with underlying real packet loss and/or
-reordering. Setting this to zero will disable replay tracking completely and
-pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
-traffic.
-.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
-When this option is enabled tinc will only use Subnet statements which are
-present in the host config files in the local
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
-directory. Subnets learned via connections to other nodes and which are not
-present in the local host config files are ignored.
-.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
-When this option is enabled tinc will no longer forward information between other tinc daemons,
-and will only allow connections with nodes for which host config files are present in the local
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
-directory.
-Setting this options also implicitly sets StrictSubnets.
-.It Va UDPRcvBuf Li = Ar bytes Pq OS default
-Sets the socket receive buffer size for the UDP socket, in bytes.
-If unset, the default buffer size will be used by the operating system.
-.It Va UDPSndBuf Li = Ar bytes Pq OS default
-Sets the socket send buffer size for the UDP socket, in bytes.
-If unset, the default buffer size will be used by the operating system.
-.El
-.Sh HOST CONFIGURATION FILES
-The host configuration files contain all information needed
-to establish a connection to those hosts.
-A host configuration file is also required for the local tinc daemon,
-it will use it to read in it's listen port, public key and subnets.
-.Pp
-The idea is that these files are portable.
-You can safely mail your own host configuration file to someone else.
-That other person can then copy it to his own hosts directory,
-and now his tinc daemon will be able to connect to your tinc daemon.
-Since host configuration files only contain public keys,
-no secrets are revealed by sending out this information.
-.Bl -tag -width indent
-.It Va Address Li = Ar address Oo Ar port Oc Bq recommended
-The IP address or hostname of this tinc daemon on the real network.
-This will only be used when trying to make an outgoing connection to this tinc daemon.
-Optionally, a port can be specified to use for this address.
-Multiple
-.Va Address
-variables can be specified, in which case each address will be tried until a working
-connection has been established.
-.It Va Cipher Li = Ar cipher Pq blowfish
-The symmetric cipher algorithm used to encrypt UDP packets.
-Any cipher supported by OpenSSL is recognised.
-Furthermore, specifying
-.Qq none
-will turn off packet encryption.
-It is best to use only those ciphers which support CBC mode.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
-.It Va ClampMSS Li = yes | no Pq yes
-This option specifies whether tinc should clamp the maximum segment size (MSS)
-of TCP packets to the path MTU. This helps in situations where ICMP
-Fragmentation Needed or Packet too Big messages are dropped by firewalls.
-.It Va Compression Li = Ar level Pq 0
-This option sets the level of compression used for UDP packets.
-Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
-10 (fast lzo) and 11 (best lzo).
-.It Va Digest Li = Ar digest Pq sha1
-The digest algorithm used to authenticate UDP packets.
-Any digest supported by OpenSSL is recognised.
-Furthermore, specifying
-.Qq none
-will turn off packet authentication.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
-.It Va IndirectData Li = yes | no Pq no
-When set to yes, other nodes which do not already have a meta connection to you
-will not try to establish direct communication with you.
-It is best to leave this option out or set it to no.
-.It Va MACLength Li = Ar length Pq 4
-The length of the message authentication code used to authenticate UDP packets.
-Can be anything from
-.Qq 0
-up to the length of the digest produced by the digest algorithm.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
-.It Va PMTU Li = Ar mtu Po 1514 Pc
-This option controls the initial path MTU to this node.
-.It Va PMTUDiscovery Li = yes | no Po yes Pc
-When this option is enabled, tinc will try to discover the path MTU to this node.
-After the path MTU has been discovered, it will be enforced on the VPN.
-.It Va Port Li = Ar port Pq 655
-The port number on which this tinc daemon is listening for incoming connections,
-which is used if no port number is specified in an
-.Va Address
-statement.
-.It Va PublicKey Li = Ar key Bq obsolete
-The public RSA key of this tinc daemon.
-It will be used to cryptographically verify it's identity and to set up a secure connection.
-.It Va PublicKeyFile Li = Ar filename Bq obsolete
-The file in which the public RSA key of this tinc daemon resides.
-.Pp
-From version 1.0pre4 on
-.Nm tinc
-will store the public key directly into the host configuration file in PEM format,
-the above two options then are not necessary.
-Either the PEM format is used, or exactly one of the above two options must be specified
-in each host configuration file,
-if you want to be able to establish a connection with that host.
-.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength Ns Op Li # Ns Ar weight
-The subnet which this tinc daemon will serve.
-.Nm tinc
-tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
-If the packet matches a subnet,
-it will be sent to the daemon who has this subnet in his host configuration file.
-Multiple
-.Va Subnet
-variables can be specified.
-.Pp
-Subnets can either be single MAC, IPv4 or IPv6 addresses,
-in which case a subnet consisting of only that single address is assumed,
-or they can be a IPv4 or IPv6 network address with a prefixlength.
-For example, IPv4 subnets must be in a form like 192.168.1.0/24,
-where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask.
-Note that subnets like 192.168.1.1/24 are invalid!
-Read a networking HOWTO/FAQ/guide if you don't understand this.
-IPv6 subnets are notated like fec0:0:0:1::/64.
-MAC addresses are notated like 0:1a:2b:3c:4d:5e.
-.Pp
-A Subnet can be given a weight to indicate its priority over identical Subnets
-owned by different nodes. The default weight is 10. Lower values indicate
-higher priority. Packets will be sent to the node with the highest priority,
-unless that node is not reachable, in which case the node with the next highest
-priority will be tried, and so on.
-.It Va TCPOnly Li = yes | no Pq no Bq obsolete
-If this variable is set to yes,
-then the packets are tunnelled over the TCP connection instead of a UDP connection.
-This is especially useful for those who want to run a tinc daemon
-from behind a masquerading firewall,
-or if UDP packet routing is disabled somehow.
-Setting this options also implicitly sets IndirectData.
-.Pp
-Since version 1.0.10, tinc will automatically detect whether communication via
-UDP is possible or not.
-.It Va Weight Li = Ar weight
-If this variable is set, it overrides the weight given to connections made with
-another host. A higher
-.Ar weight
-means a lower priority is given to this connection when broadcasting or
-forwarding packets.
-.El
-.Sh SCRIPTS
-Apart from reading the server and host configuration files,
-tinc can also run scripts at certain moments.
-Under Windows (not Cygwin), the scripts should have the extension
-.Pa .bat
-or
-.Pa cmd .
-.Bl -tag -width indent
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
-This is the most important script.
-If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device.
-It should be used to set up the corresponding network interface,
-but can also be used to start other things.
-Under Windows you can use the Network Connections control panel instead of creating this script.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
-This script is started right before the tinc daemon quits.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -up
-This script is started when the tinc daemon with name
-.Ar HOST
-becomes reachable.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Ar HOST Ns Pa -down
-This script is started when the tinc daemon with name
-.Ar HOST
-becomes unreachable.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-up
-This script is started when any host becomes reachable.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /host-down
-This script is started when any host becomes unreachable.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-up
-This script is started when a Subnet becomes reachable.
-The Subnet and the node it belongs to are passed in environment variables.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /subnet-down
-This script is started when a Subnet becomes unreachable.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitation-created
-This script is started when a new invitation has been created.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /invitation-accepted
-This script is started when an invitation has been used.
-.El
-.Pp
-The scripts are started without command line arguments, but can make use of certain environment variables.
-Under UNIX like operating systems the names of environment variables must be preceded by a
-.Li $
-in scripts.
-Under Windows, in
-.Pa .bat
-or
-.Pa .cmd
-files, they have to be put between
-.Li %
-signs.
-.Bl -tag -width indent
-.It Ev NETNAME
-If a netname was specified, this environment variable contains it.
-.It Ev NAME
-Contains the name of this tinc daemon.
-.It Ev DEVICE
-Contains the name of the virtual network device that tinc uses.
-.It Ev INTERFACE
-Contains the name of the virtual network interface that tinc uses.
-This should be used for commands like
-.Pa ifconfig .
-.It Ev NODE
-When a host becomes (un)reachable, this is set to its name.
-If a subnet becomes (un)reachable, this is set to the owner of that subnet.
-.It Ev REMOTEADDRESS
-When a host becomes (un)reachable, this is set to its real address.
-.It Ev REMOTEPORT
-When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons.
-.It Ev SUBNET
-When a subnet becomes (un)reachable, this is set to the subnet.
-.It Ev WEIGHT
-When a subnet becomes (un)reachable, this is set to the subnet weight.
-.It Ev INVITATION_FILE
-When the
-.Pa invitation-created
-script is called, this is set to the file where the invitation details will be stored.
-.It Ev INVITATION_URL
-When the
-.Pa invitation-created
-script is called, this is set to the invitation URL that has been created.
-.El
-.Pp
-Do not forget that under UNIX operating systems, you have to make the scripts executable, using the command
-.Nm chmod Li a+x Pa script .
-.Sh FILES
-The most important files are:
-.Bl -tag -width indent
-.It Pa @sysconfdir@/tinc/
-The top directory for configuration files.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
-The default name of the server configuration file for net
-.Ar NETNAME .
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/
-Optional directory from which any .conf file will be loaded
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
-Host configuration files are kept in this directory.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
-If an executable file with this name exists,
-it will be executed right after the tinc daemon has connected to the virtual network device.
-It can be used to set up the corresponding network interface.
-.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-down
-If an executable file with this name exists,
-it will be executed right before the tinc daemon is going to close
-its connection to the virtual network device.
-.El
-.Sh SEE ALSO
-.Xr tincd 8 ,
-.Xr tinc 8 ,
-.Pa http://www.tinc-vpn.org/ ,
-.Pa http://www.tldp.org/LDP/nag2/ .
-.Pp
-The full documentation for
-.Nm tinc
-is maintained as a Texinfo manual.
-If the info and tinc programs are properly installed at your site, the command
-.Ic info tinc
-should give you access to the complete manual.
-.Pp
-.Nm tinc
-comes with ABSOLUTELY NO WARRANTY.
-This is free software, and you are welcome to redistribute it under certain conditions;
-see the file COPYING for details.
projects / meshlink / commitdiff