TINC.CONF(5)

File Formats Manual

TINC.CONF(5)

NAME¶

tinc.conf — tinc daemon configuration

DESCRIPTION¶

The files in the /etc/tinc/ directory contain runtime and security information for the tinc daemon.

NETWORKS¶

It is perfectly ok for you to run more than one tinc daemon. However, in its default form, you will soon notice that you can't use two different configuration files without the -c option.

We have thought of another way of dealing with this: network names. This means that you call tinc.conf with the -n option, which will assign a name to this daemon.

The effect of this is that the daemon will set its configuration root to /etc/tinc/NETNAME/, where NETNAME is your argument to the -n option. You'll notice that messages appear in syslog as coming from tincd.NETNAME.

However, it is not strictly necessary that you call tinc with the -n option. In this case, the network name would just be empty, and it will be used as such. tinc now looks for files in /etc/tinc/, instead of /etc/tinc/NETNAME/; the configuration file should be /etc/tinc/tinc.conf, and the host configuration files are now expected to be in /etc/tinc/hosts/.

But it is highly recommended that you use this feature of tinc, because it will be so much clearer whom your daemon talks to. Hence, we will assume that you use it.

NAMES¶

Each tinc daemon should have a name that is unique in the network which it will be part of. The name will be used by other tinc daemons for identification. The name has to be declared in the /etc/tinc/NETNAME/tinc.conf file.

To make things easy, choose something that will give unique and easy to remember names to your tinc daemon(s). You could try things like hostnames, owner surnames or location names.

PUBLIC/PRIVATE KEYS¶

You should use tincd -K to generate public/private keypairs. It will generate two keys. The private key should be stored in a separate file /etc/tinc/NETNAME/rsa_key.priv -- where NETNAME stands for the network (see NETWORKS) above. The public key should be stored in the host configuration file /etc/tinc/NETNAME/hosts/NAME -- where NAME stands for the name of the local tinc daemon (see NAMES).

SERVER CONFIGURATION¶

The server configuration of the daemon is done in the file /etc/tinc/NETNAME/tinc.conf. This file consists of comments (lines started with a #) or assignments in the form of:

Variable = Value.

The variable names are case insensitive, and any spaces, tabs, newlines and carriage returns are ignored. Note: it is not required that you put in the = sign, but doing so improves readability. If you leave it out, remember to replace it with at least one space character.

The server configuration is complemented with host specific configuration (see the next section). Although all configuration options for the local host listed in this document can also be put in /etc/tinc/NETNAME/tinc.conf, it is recommended to put host specific configuration options in the host configuration file, as this makes it easy to exchange with other nodes.

Here are all valid variables, listed in alphabetical order. The default value is given between parentheses.

AddressFamily = ipv4 | ipv6 | any (any)

This option affects the address family of listening and outgoing sockets. If “any” is selected, then depending on the operating system both IPv4 and IPv6 or just IPv6 listening sockets will be created.

BindToAddress = address [port] [experimental]

If your computer has more than one IPv4 or IPv6 address, tinc will by default listen on all of them for incoming connections. Multiple BindToAddress variables may be specified, in which case listening sockets for each specified address are made.

If no port is specified, the socket will be bound to the port specified by the Port option, or to port 655 if neither is given. To only bind to a specific port but not to a specific address, use * for the address.

This option may not work on all platforms.

BindToInterface = interface [experimental]

If your computer has more than one network interface, tinc will by default listen on all of them for incoming connections. It is possible to bind only to a single interface with this variable.

This option may not work on all platforms.

Broadcast = no | mst | direct (mst) [experimental]

This option selects the way broadcast packets are sent to other daemons. NOTE: all nodes in a VPN must use the same Broadcast mode, otherwise routing loops can form.

no: Broadcast packets are never sent to other nodes.
mst: Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree. This ensures broadcast packets reach all nodes.
direct: Broadcast packets are sent directly to all nodes that can be reached directly. Broadcast packets received from other nodes are never forwarded. If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.

ConnectTo = name

Specifies which other tinc daemon to connect to on startup. Multiple ConnectTo variables may be specified, in which case outgoing connections to each specified tinc daemon are made. The names should be known to this tinc daemon (i.e., there should be a host configuration file for the name on the ConnectTo line).

If you don't specify a host with ConnectTo, tinc won't try to connect to other daemons at all, and will instead just listen for incoming connections.

DecrementTTL = yes | no (no) [experimental]

When enabled, tinc will decrement the Time To Live field in IPv4 packets, or the Hop Limit field in IPv6 packets, before forwarding a received packet to the virtual network device or to another node, and will drop packets that have a TTL value of zero, in which case it will send an ICMP Time Exceeded packet back.

Do not use this option if you use switch mode and want to use IPv6.

Device = device (/dev/tap0, /dev/net/tun or other depending on platform)

The virtual network device to use. tinc will automatically detect what kind of device it is. Note that you can only use one device per daemon. Under Windows, use Interface instead of Device. The info pages of the tinc package contain more information about configuring the virtual network device.

DeviceType = type (platform dependent)

The type of the virtual network device. Tinc will normally automatically select the right type of tun/tap interface, and this option should not be used. However, this option can be used to select one of the special interface types, if support for them is compiled in.

dummy: Use a dummy interface. No packets are ever read or written to a virtual network device. Useful for testing, or when setting up a node that only forwards packets for other nodes.
raw_socket: Open a raw socket, and bind it to a pre-existing Interface (eth0 by default). All packets are read from this interface. Packets received for the local node are written to the raw socket. However, at least on Linux, the operating system does not process IP packets destined for the local host.
multicast: Open a multicast UDP socket and bind it to the address and port (separated by spaces) and optionally a TTL value specified using Device. Packets are read from and written to this multicast socket. This can be used to connect to UML, QEMU or KVM instances listening on the same multicast address. Do NOT connect multiple tinc daemons to the same multicast address, this will very likely cause routing loops. Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
uml (not compiled in by default): Create a UNIX socket with the filename specified by Device, or /var/run/NETNAME.umlsocket if not specified. tinc will wait for a User Mode Linux instance to connect to this socket.
vde (not compiled in by default): Uses the libvdeplug library to connect to a Virtual Distributed Ethernet switch, using the UNIX socket specified by Device, or /var/run/vde.ctl if not specified.

Also, in case tinc does not seem to correctly interpret packets received from the virtual network device, it can be used to change the way packets are interpreted:

tun (BSD and Linux): Set type to tun. Depending on the platform, this can either be with or without an address family header (see below).
tunnohead (BSD): Set type to tun without an address family header. Tinc will expect packets read from the virtual network device to start with an IP header. On some platforms IPv6 packets cannot be read from or written to the device in this mode.
tunifhead (BSD): Set type to tun with an address family header. Tinc will expect packets read from the virtual network device to start with a four byte header containing the address family, followed by an IP header. This mode should support both IPv4 and IPv6 packets.
tap (BSD and Linux): Set type to tap. Tinc will expect packets read from the virtual network device to start with an Ethernet header.

DirectOnly = yes | no (no) [experimental]

When this option is enabled, packets that cannot be sent directly to the destination node, but which would have to be forwarded by an intermediate node, are dropped instead. When combined with the IndirectData option, packets for nodes for which we do not have a meta connection with are also dropped.

Forwarding = off | internal | kernel (internal) [experimental]

This option selects the way indirect packets are forwarded.

off: Incoming packets that are not meant for the local node, but which should be forwarded to another node, are dropped.
internal: Incoming packets that are meant for another node are forwarded by tinc internally.

This is the default mode, and unless you really know you need another forwarding mode, don't change it.
kernel: Incoming packets are always sent to the TUN/TAP device, even if the packets are not for the local node. This is less efficient, but allows the kernel to apply its routing and firewall rules on them, and can also help debugging.

GraphDumpFile = filename [experimental]

If this option is present, tinc will dump the current network graph to the file filename every minute, unless there were no changes to the graph. The file is in a format that can be read by graphviz tools. If filename starts with a pipe symbol |, then the rest of the filename is interpreted as a shell command that is executed, the graph is then sent to stdin.

Hostnames = yes | no (no)

This option selects whether IP addresses (both real and on the VPN) should be resolved. Since DNS lookups are blocking, it might affect tinc's efficiency, even stopping the daemon for a few seconds every time it does a lookup if your DNS server is not responding.

This does not affect resolving hostnames to IP addresses from the host configuration files.

IffOneQueue = yes | no (no) [experimental]

(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.

Interface = interface

Defines the name of the interface corresponding to the virtual network device. Depending on the operating system and the type of device this may or may not actually set the name of the interface. Under Windows, this variable is used to select which network interface will be used. If you specified a Device, this variable is almost always already correctly set.

KeyExpire = seconds (3600)

This option controls the period the encryption keys used to encrypt the data are valid. It is common practice to change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impossible to crack a single key.

LocalDiscovery = yes | no (no) [experimental]

When enabled, tinc will try to detect peers that are on the same local network. This will allow direct communication using LAN addresses, even if both peers are behind a NAT and they only ConnectTo a third node outside the NAT, which normally would prevent the peers from learning each other's LAN address.

Currently, local discovery is implemented by sending broadcast packets to the LAN during path MTU discovery. This feature may not work in all possible situations.

MACExpire = seconds (600)

This option controls the amount of time MAC addresses are kept before they are removed. This only has effect when Mode is set to “switch”.

MaxTimeout = seconds (900)

This is the maximum delay before trying to reconnect to other tinc daemons.

Mode = router | switch | hub (router)

This option selects the way packets are routed to other daemons.

router: In this mode Subnet variables in the host configuration files will be used to form a routing table. Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.

This is the default mode, and unless you really know you need another mode, don't change it.
switch: In this mode the MAC addresses of the packets on the VPN will be used to dynamically create a routing table just like an Ethernet switch does. Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode at the cost of frequent broadcast ARP requests and routing table updates.

This mode is primarily useful if you want to bridge Ethernet segments.
hub: This mode is almost the same as the switch mode, but instead every packet will be broadcast to the other daemons while no routing table is managed.

Name = name [required]

This is the name which identifies this tinc daemon. It must be unique for the virtual private network this daemon will connect to. The Name may only consist of alphanumeric and underscore characters.

If Name starts with a $, then the contents of the environment variable that follows will be used. In that case, invalid characters will be converted to underscores. If Name is $HOST, but no such environment variable exist, the hostname will be read using the gethostnname() system call.

PingInterval = seconds (60)

The number of seconds of inactivity that tinc will wait before sending a probe to the other end.

PingTimeout = seconds (5)

The number of seconds to wait for a response to pings or to allow meta connections to block. If the other end doesn't respond within this time, the connection is terminated, and the others will be notified of this.

PriorityInheritance = yes | no (no) [experimental]

When this option is enabled the value of the TOS field of tunneled IPv4 packets will be inherited by the UDP packets that are sent out.

PrivateKey = key [obsolete]

The private RSA key of this tinc daemon. It will allow this tinc daemon to authenticate itself to other daemons.

PrivateKeyFile = filename (/etc/tinc/NETNAME/rsa_key.priv)

The file in which the private RSA key of this tinc daemon resides. Note that there must be exactly one of PrivateKey or PrivateKeyFile specified in the configuration file.

ProcessPriority = low | normal | high

When this option is used the priority of the tincd process will be adjusted. Increasing the priority may help to reduce latency and packet loss on the VPN.

Proxy = socks4 | socks5 | http | exec ... [experimental]

Use a proxy when making outgoing connections. The following proxy types are currently supported:

socks4 address port [username]: Connects to the proxy using the SOCKS version 4 protocol. Optionally, a username can be supplied which will be passed on to the proxy server. Only IPv4 connections can be proxied using SOCKS 4.
socks5 address port [username password]: Connect to the proxy using the SOCKS version 5 protocol. If a username and password are given, basic username/password authentication will be used, otherwise no authentication will be used.
http address port: Connects to the proxy and sends a HTTP CONNECT request.
exec command: Executes the given command which should set up the outgoing connection. The environment variables NAME, NODE, REMOTEADDRES and REMOTEPORT are available.

ReplayWindow = bytes (16)

vhis is the size of the replay tracking window for each remote node, in bytes. The window is a bitfield which tracks 1 packet per bit, so for example the default setting of 16 will track up to 128 packets in the window. In high bandwidth scenarios, setting this to a higher value can reduce packet loss from the interaction of replay tracking with underlying real packet loss and/or reordering. Setting this to zero will disable replay tracking completely and pass all traffic, but leaves tinc vulnerable to replay-based attacks on your traffic.

StrictSubnets = yes | no (no) [experimental]

When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /etc/tinc/NETNAME/hosts/ directory.

TunnelServer = yes | no (no) [experimental]

When this option is enabled tinc will no longer forward information between other tinc daemons, and will only allow connections with nodes for which host config files are present in the local /etc/tinc/NETNAME/hosts/ directory. Setting this options also implicitly sets StrictSubnets.

UDPRcvBuf = bytes (OS default)

Sets the socket receive buffer size for the UDP socket, in bytes. If unset, the default buffer size will be used by the operating system.

UDPSndBuf = bytes (OS default)

Sets the socket send buffer size for the UDP socket, in bytes. If unset, the default buffer size will be used by the operating system.

HOST CONFIGURATION FILES¶

The host configuration files contain all information needed to establish a connection to those hosts. A host configuration file is also required for the local tinc daemon, it will use it to read in it's listen port, public key and subnets.

The idea is that these files are portable. You can safely mail your own host configuration file to someone else. That other person can then copy it to his own hosts directory, and now his tinc daemon will be able to connect to your tinc daemon. Since host configuration files only contain public keys, no secrets are revealed by sending out this information.

Address = address [port] [recommended]: The IP address or hostname of this tinc daemon on the real network. This will only be used when trying to make an outgoing connection to this tinc daemon. Optionally, a port can be specified to use for this address. Multiple Address variables can be specified, in which case each address will be tried until a working connection has been established.
Cipher = cipher (blowfish): The symmetric cipher algorithm used to encrypt UDP packets. Any cipher supported by OpenSSL is recognised. Furthermore, specifying “none” will turn off packet encryption. It is best to use only those ciphers which support CBC mode.
ClampMSS = yes | no (yes): This option specifies whether tinc should clamp the maximum segment size (MSS) of TCP packets to the path MTU. This helps in situations where ICMP Fragmentation Needed or Packet too Big messages are dropped by firewalls.
Compression = level (0): This option sets the level of compression used for UDP packets. Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), 10 (fast lzo) and 11 (best lzo).
Digest = digest (sha1): The digest algorithm used to authenticate UDP packets. Any digest supported by OpenSSL is recognised. Furthermore, specifying “none” will turn off packet authentication.
IndirectData = yes | no (no): This option specifies whether other tinc daemons besides the one you specified with ConnectTo can make a direct connection to you. This is especially useful if you are behind a firewall and it is impossible to make a connection from the outside to your tinc daemon. Otherwise, it is best to leave this option out or set it to no.
MACLength = length (4): The length of the message authentication code used to authenticate UDP packets. Can be anything from “0” up to the length of the digest produced by the digest algorithm.
PMTU = mtu (1514): This option controls the initial path MTU to this node.
PMTUDiscovery = yes | no (yes): When this option is enabled, tinc will try to discover the path MTU to this node. After the path MTU has been discovered, it will be enforced on the VPN.
Port = port (655): The port number on which this tinc daemon is listening for incoming connections, which is used if no port number is specified in an Address statement.
PublicKey = key [obsolete]: The public RSA key of this tinc daemon. It will be used to cryptographically verify it's identity and to set up a secure connection.
PublicKeyFile = filename [obsolete]: The file in which the public RSA key of this tinc daemon resides.

From version 1.0pre4 on tinc will store the public key directly into the host configuration file in PEM format, the above two options then are not necessary. Either the PEM format is used, or exactly one of the above two options must be specified in each host configuration file, if you want to be able to establish a connection with that host.
Subnet = address[/prefixlength[#weight]]: The subnet which this tinc daemon will serve. tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet. If the packet matches a subnet, it will be sent to the daemon who has this subnet in his host configuration file. Multiple Subnet variables can be specified.

Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single address is assumed, or they can be a IPv4 or IPv6 network address with a prefixlength. For example, IPv4 subnets must be in a form like 192.168.1.0/24, where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask. Note that subnets like 192.168.1.1/24 are invalid! Read a networking HOWTO/FAQ/guide if you don't understand this. IPv6 subnets are notated like fec0:0:0:1::/64. MAC addresses are notated like 0:1a:2b:3c:4d:5e.

A Subnet can be given a weight to indicate its priority over identical Subnets owned by different nodes. The default weight is 10. Lower values indicate higher priority. Packets will be sent to the node with the highest priority, unless that node is not reachable, in which case the node with the next highest priority will be tried, and so on.
TCPOnly = yes | no (no [obsolete]): If this variable is set to yes, then the packets are tunnelled over the TCP connection instead of a UDP connection. This is especially useful for those who want to run a tinc daemon from behind a masquerading firewall, or if UDP packet routing is disabled somehow. Setting this options also implicitly sets IndirectData.

Since version 1.0.10, tinc will automatically detect whether communication via UDP is possible or not.

SCRIPTS¶

Apart from reading the server and host configuration files, tinc can also run scripts at certain moments. Under Windows (not Cygwin), the scripts should have the extension .bat.

/etc/tinc/NETNAME/tinc-up: This is the most important script. If it is present it will be executed right after the tinc daemon has been started and has connected to the virtual network device. It should be used to set up the corresponding network interface, but can also be used to start other things. Under Windows you can use the Network Connections control panel instead of creating this script.
/etc/tinc/NETNAME/tinc-down: This script is started right before the tinc daemon quits.
/etc/tinc/NETNAME/hosts/HOST-up: This script is started when the tinc daemon with name HOST becomes reachable.
/etc/tinc/NETNAME/hosts/HOST-down: This script is started when the tinc daemon with name HOST becomes unreachable.
/etc/tinc/NETNAME/host-up: This script is started when any host becomes reachable.
/etc/tinc/NETNAME/host-down: This script is started when any host becomes unreachable.
/etc/tinc/NETNAME/subnet-up: This script is started when a Subnet becomes reachable. The Subnet and the node it belongs to are passed in environment variables.
/etc/tinc/NETNAME/subnet-down: This script is started when a Subnet becomes unreachable.

The scripts are started without command line arguments, but can make use of certain environment variables. Under UNIX like operating systems the names of environment variables must be preceded by a $ in scripts. Under Windows, in .bat files, they have to be put between % signs.

NETNAME: If a netname was specified, this environment variable contains it.
NAME: Contains the name of this tinc daemon.
DEVICE: Contains the name of the virtual network device that tinc uses.
INTERFACE: Contains the name of the virtual network interface that tinc uses. This should be used for commands like ifconfig.
NODE: When a host becomes (un)reachable, this is set to its name. If a subnet becomes (un)reachable, this is set to the owner of that subnet.
REMOTEADDRESS: When a host becomes (un)reachable, this is set to its real address.
REMOTEPORT: When a host becomes (un)reachable, this is set to the port number it uses for communication with other tinc daemons.
SUBNET: When a subnet becomes (un)reachable, this is set to the subnet.
WEIGHT: When a subnet becomes (un)reachable, this is set to the subnet weight.

FILES¶

The most important files are:

/etc/tinc/: The top directory for configuration files.
/etc/tinc/NETNAME/tinc.conf: The default name of the server configuration file for net NETNAME.
/etc/tinc/NETNAME/hosts/: Host configuration files are kept in this directory.
/etc/tinc/NETNAME/tinc-up: If an executable file with this name exists, it will be executed right after the tinc daemon has connected to the virtual network device. It can be used to set up the corresponding network interface.
/etc/tinc/NETNAME/tinc-down: If an executable file with this name exists, it will be executed right before the tinc daemon is going to close its connection to the virtual network device.

Source file:	tinc.conf.5.en.gz (from tinc 1.0.19-3)
Source last updated:	2013-04-22T19:45:39Z
Converted to HTML:	2017-06-07T16:41:40Z