1 This is the README file for tinc version 1.0pre3. Installation instructions may
2 be found in the INSTALL file.
4 tinc is Copyright (C) 1998,1999,2000 Ivo Timmermans <itimmermans@bigfoot.com>,
5 Guus Sliepen <guus@sliepen.warande.net> and others. For a complete list of
6 authors see the AUTHORS file.
8 This program is free software; you can redistribute it and/or modify it under
9 the terms of the GNU General Public License as published by the Free Software
10 Foundation; either version 2 of the License, or (at your option) any later
11 version. See the file COPYING for more details.
17 In august 2000, we discovered the existence of a security hole in all versions
18 of tinc up to and including 1.0pre2. This had to do with the way we exchanged
19 keys. Since then, we have been working on a new authentication scheme to make
20 tinc as secure as possible. The current version uses the OpenSSL library and
21 does authentication in much the same way as the SSH protocol does.
23 Cryptography is a hard thing to get right. We cannot make any guarantees. Time,
24 review and feedback are the only things that can prove the security of any
25 cryptographic product. If you wish to review tinc or give us feedback, you are
26 stronly encouraged to do so.
31 Since 1.0pre3, we use OpenSSL for all cryptographic functions. So you need to
32 install this library first; grab it from http://www.openssl.org/. We recommend
33 version 0.9.5 or better. If this library is not installed on you system,
34 configure will fail. The manual in doc/tinc.texi contains more detailed
35 information on how to install this library.
41 This version of tinc supports multiple virtual networks at once. To use this
42 feature, you may supply a netname via the -n or --net options. The standard
43 locations for the config files will then be /etc/tinc/<net>/. Because of this
44 feature, tinc will send packets directly to their destinations, instead of to
45 the uplink. If this behaviour is undesirable (for instance because of firewalls
46 or other restrictions), please use an older version of tinc (I would recommend
49 In order to force the kernel to accept received packets, the destination MAC
50 address will be set to FE:FD:00:00:00:00 upon reception. The MAC address of the
51 ethertap or tun/tap interface must also be set to this address. See the manual
52 for more detailed information.
54 tincd regenerates its encryption key pairs. It does this on the first activity
55 after the keys have expired. This period is adjustable in the configuration
56 file, and the default time is 3600 seconds (one hour).
58 This version supports multiple subnets at once. They are also sorted on subnet
59 mask size. This means that it is possible to have overlapping subnets on the
60 VPN, as long as their subnet mask sizes differ.