1 \input texinfo @c -*-texinfo-*-
2 @c $Id: tinc.texi,v 1.8.4.12 2001/01/07 17:08:47 guus Exp $
11 * tinc: (tinc). The tinc Manual.
14 This is the info manual for tinc, a Virtual Private Network daemon.
16 Copyright @copyright{} 1998-2001 Ivo Timmermans
17 <itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
18 Wessel Dankers <wsl@@nl.linux.org>.
20 $Id: tinc.texi,v 1.8.4.12 2001/01/07 17:08:47 guus Exp $
22 Permission is granted to make and distribute verbatim copies of this
23 manual provided the copyright notice and this permission notice are
24 preserved on all copies.
26 Permission is granted to copy and distribute modified versions of this
27 manual under the conditions for verbatim copying, provided that the
28 entire resulting derived work is distributed under the terms of a
29 permission notice identical to this one.
35 @subtitle Setting up a Virtual Private Network with tinc
36 @author Ivo Timmermans and Guus Sliepen
39 @vskip 0pt plus 1filll
41 Copyright @copyright{} 1998-2001 Ivo Timmermans
42 <itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
43 Wessel Dankers <wsl@@nl.linux.org>.
45 $Id: tinc.texi,v 1.8.4.12 2001/01/07 17:08:47 guus Exp $
47 Permission is granted to make and distribute verbatim copies of this
48 manual provided the copyright notice and this permission notice are
49 preserved on all copies.
51 Permission is granted to copy and distribute modified versions of this
52 manual under the conditions for verbatim copying, provided that the
53 entire resulting derived work is distributed under the terms of a
54 permission notice identical to this one.
58 @c ==================================================================
59 @node Top, Introduction, (dir), (dir)
62 * Introduction:: Introduction
63 * Installing tinc - preparations::
64 * Installing tinc - installation::
67 * Technical information::
69 * Concept Index:: All used terms explained
75 @c ==================================================================
76 @node Introduction, Installing tinc - preparations, Top, Top
80 tinc is a Virtual Private Network (VPN) daemon that uses tunneling and
81 encryption to create a secure private network between hosts on the
84 Because the tunnel appears to the IP level network code as a normal
85 network device, there is no need to adapt any existing software.
87 This tunneling allows VPN sites to share information with each other
88 over the Internet without exposing any information to others.
90 This document is the manual for tinc. Included are chapters on how to
91 configure your computer to use tinc, as well as the configuration
92 process of tinc itself.
95 * VPNs:: Virtual Private Networks in general
97 * Supported platforms::
100 @c ==================================================================
101 @node VPNs, tinc, Introduction, Introduction
102 @section Virtual Private Networks
105 A Virtual Private Network or VPN is a network that can only be accessed
106 by a few elected computers that participate. This goal is achievable in
107 more than just one way.
110 Private networks can consist of a single stand-alone ethernet LAN. Or
111 even two computers hooked up using a null-modem cable. In these cases,
113 obvious that the network is @emph{private}, no one can access it from the
114 outside. But if your computers are linked to the internet, the network
115 is not private anymore, unless one uses firewalls to block all private
116 traffic. But then, there is no way to send private data to trusted
117 computers on the other end of the internet.
120 This problem can be solved by using @emph{virtual} networks. Virtual
121 networks can live on top of other networks, but they use encapsulation to
122 keep using their private address space so they do not interfere with
123 each other. Mostly, virtual networks appear like a singe LAN, even though
124 they can span the entire world. But virtual networks can't be secured
125 by using firewalls, because the traffic that flows through it has to go
126 through the internet, where other people can look at it.
128 When one introduces encryption, we can form a true VPN. Other people may
129 see encrypted traffic, but if they don't know how to decipher it (they
130 need to know the key for that), they cannot read the information that flows
131 through the VPN. This is what tinc was made for.
134 tinc uses normal IP datagrams to encapsulate data that goes over the VPN
135 network link. In this case it's also clear that the network is
136 @emph{virtual}, because no direct network link has to exist between to
139 As is the case with either type of VPN, anybody could eavesdrop. Or
140 worse, alter data. Hence it's probably advisable to encrypt the data
141 that flows over the network.
144 @c ==================================================================
145 @node tinc, Supported platforms, VPNs, Introduction
150 I really don't quite remember what got us started, but it must have been
151 Guus' idea. He wrote a simple implementation (about 50 lines of C) that
152 used the @emph{ethertap} device that Linux knows of since somewhere
153 about kernel 2.1.60. It didn't work immediately and he improved it a
154 bit. At this stage, the project was still simply called @samp{vpnd}.
156 Since then, a lot has changed---to say the least.
159 tinc now supports encryption, it consists of a single daemon (tincd) for
160 both the receiving and sending end, it has become largely
161 runtime-configurable---in short, it has become a full-fledged
162 professional package.
164 A lot can---and will be---changed. We have a number of things that we would like to
165 see in the future releases of tinc. Not everything will be available in
166 the near future. Our first objective is to make tinc work perfectly as
167 it stands, and then add more advanced features.
169 Meanwhile, we're always open-minded towards new ideas. And we're
173 @c ==================================================================
174 @node Supported platforms, , tinc, Introduction
175 @section Supported platforms
177 tinc has been verified to work under Linux, FreeBSD and Solaris, with
178 various hardware architectures. These are the three platforms
179 that are supported by the universial TUN/TAP device driver, so if
180 support for other operating systems is added to this driver, perhaps
181 tinc will run on them as well. Without this driver, tinc will most
182 likely compile and run, but it will not be able to send or receive data
185 For an up to date list of supported platforms, please check the list on
187 @uref{http://tinc.nl.linux.org/platforms.html}.
190 @c ==================================================================
193 tinc was first written for Linux running on an intel x86 processor, so
194 this is the best supported platform. The protocol however, and actually
195 anything about tinc, has been rewritten to support random byte ordering
196 and arbitrary word length. So in theory it should run on other
197 processors that Linux runs on. It has already been verified to run on
198 alpha and sparc processors as well.
200 tinc uses the ethertap device that is provided in the standard kernel
201 since version 2.1.60, so anything above that (2.2.x, 2.3.x, and 2.4.0)
202 kernel version is able to support tinc.
205 @c ==================================================================
208 tinc on FreeBSD relies on the universial TUN/TAP driver for its data
209 acquisition from the kernel. Therefore, tinc suports the same platforms
210 as this driver. These are: FreeBSD 3.x, 4.x, 5.x.
213 @c ==================================================================
216 tinc on Solaris relies on the universial TUN/TAP driver for its data
217 acquisition from the kernel. Therefore, tinc suports the same platforms
218 as this driver. These are: Solaris, 2.1.x.
227 @c Preparing your system
234 @c ==================================================================
235 @node Installing tinc - preparations, Installing tinc - installation, Introduction, Top
236 @chapter Installing tinc: preparations
238 This chapter contains information on how to prepare your system to
242 * Configuring the kernel::
247 @c ==================================================================
248 @node Configuring the kernel, Libraries, Installing tinc - preparations, Installing tinc - preparations
249 @section Configuring the kernel
251 If you are running Linux, chances are good that your kernel already
252 supports all the devices that tinc needs for proper operation. For
253 example, the standard kernel from Redhat Linux already has support for
254 ethertap and netlink compiled in. Debian users can use the modconf
255 utility to select the modules. If your Linux distribution supports this
256 method of selecting devices, look out for something called `ethertap',
257 and `netlink_dev'. You need both these devices.
259 If you can install these devices in a similar manner, you may skip this
263 * Configuration of the Linux kernel::
264 * Configuration of the FreeBSD kernel::
265 * Configuration of the Solaris kernel::
269 @c ==================================================================
270 @node Configuration of the Linux kernel, Configuration of the FreeBSD kernel, Configuring the kernel, Configuring the kernel
271 @subsection Configuring the Linux kernel
273 Since this particular implementation only runs on 2.1 or higher Linux
274 kernels, you should grab one (2.2 is current at this time). A 2.0 port
275 is not really possible, unless someone tells me someone ported the
276 ethertap and netlink devices back to 2.0.
278 If you are unfamiliar with the process of configuring and compiling a
279 new kernel, you should read the
280 @uref{http://howto.linuxberg.com/LDP/HOWTO/Kernel-HOWTO.html, Kernel
281 HOWTO} first. Do that now!
283 Here are the options you have to turn on when configuring a new
289 Code maturity level options
290 [*] Prompt for development and/or incomplete code/drivers
292 [*] Kernel/User netlink socket
293 <*> Netlink device emulation
294 Network device support
295 <*> Ethertap network tap
298 Note that if you want to run more than one instance of tinc or other
299 programs that use the ethertap, you have to compile the ethertap driver
302 For kernel 2.3.x and 2.4.x:
305 Code maturity level options
306 [*] Prompt for development and/or incomplete code/drivers
308 [*] Kernel/User netlink socket
309 <*> Netlink device emulation
310 Network device support
311 <*> Universal TUN/TAP device driver support
315 Any other options not mentioned here are not relevant to tinc. If you
316 decide to build any of these as dynamic kernel modules, it's a good idea
317 to add these lines to @file{/etc/modules.conf}.
321 alias char-major-36 netlink_dev
324 If you have a 2.4-pre kernel, you can choose both the TUN/TAP driver and
325 the `Ethertap network tap' device. This latter is marked obsolete,
326 because the universal TUN/TAP driver is a newer implementation that is
327 supposed to be used in favour of ethertap. For tinc, it doesn't really
328 matter which one you choose; based on the device file name, tinc will make
329 the right choice about what protocol to use. However, chances are that
330 although you can choose the obsolote ethertap driver, it will not function
331 at all. The TUN/TAP driver is the safe choice.
333 Finally, after having set up other options, build the kernel and boot
334 it. Unfortunately it's not possible to insert these modules in a
338 @c ==================================================================
339 @node Configuration of the FreeBSD kernel, Configuration of the Solaris kernel, Configuration of the Linux kernel, Configuring the kernel
340 @subsection Configuring the FreeBSD kernel
342 This section will contain information on how to configure your FreeBSD
343 kernel to support the universal TUN/TAP device. For 5.0 and 4.1
344 systems, this is included in the kernel configuration, for earlier
345 systems (4.0 and 3.x), you need to install the universal TUN/TAP driver
348 Unfortunately somebody still has to write the text.
351 @c ==================================================================
352 @node Configuration of the Solaris kernel, , Configuration of the FreeBSD kernel, Configuring the kernel
353 @subsection Configuring the Solaris kernel
355 This section will contain information on how to configure your Solaris
356 kernel to support the universal TUN/TAP device. You need to install
357 this driver yourself.
359 Unfortunately somebody still has to write the text.
362 @c ==================================================================
363 @node Libraries, , Configuring the kernel, Installing tinc - preparations
367 Before you can configure or build tinc, you need to have the OpenSSL
368 library installed on your system. If you try to configure tinc without
369 having installed it, configure will give you an error message, and stop.
376 @c ==================================================================
377 @node OpenSSL, , Libraries, Libraries
381 For all cryptography-related functions, tinc uses the functions provided
382 by the OpenSSL library. We recommend using version 0.9.5 or 0.9.6 of
383 this library. Other versions may also work, but we can guarantee
386 If this library is not installed, you wil get an error when configuring
387 tinc for build. Support for running tinc without having OpenSSL
388 installed @emph{may} be added in the future.
390 You can use your operating system's package manager to install this if
391 available. Make sure you install the development AND runtime versions
394 If you have to install OpenSSL manually, you can get the source code
395 from @url{http://www.openssl.org/}. Instructions on how to configure,
396 build and install this package are included within the package. Please
397 make sure you build development and runtime libraries (which is the
400 If you installed the OpenSSL libraries from source, it may be necessary
401 to let configure know where they are, by passing configure one of the
402 --with-openssl-* parameters.
405 --with-openssl=DIR OpenSSL library and headers prefix
406 --with-openssl-include=DIR OpenSSL headers directory
407 (Default is OPENSSL_DIR/include)
408 --with-openssl-lib=DIR OpenSSL library directory
409 (Default is OPENSSL_DIR/lib)
413 @subsubheading License
415 Since the license under which OpenSSL is distributed is not directly
416 compatible with the terms of the GNU GPL
417 @uref{http://www.openssl.org/support/faq.html#LEGAL2}, therefore we
418 include an addition to the GPL (see also the file COPYING.README):
421 This program is released under the GPL with the additional exemption
422 that compiling, linking, and/or using OpenSSL is allowed. You may
423 provide binary packages linked to the OpenSSL libraries, provided that
424 all other requirements of the GPL are met.
437 @c ==================================================================
438 @node Installing tinc - installation, Configuring tinc, Installing tinc - preparations, Top
439 @chapter Installing tinc: installation
441 If you use Redhat or Debian, you may want to install one of the
442 precompiled packages for your system. These packages are equipped with
443 system startup scripts and sample configurations.
445 If you don't run either of these systems, or you want to compile tinc
446 for yourself, you can use the source. The source is distributed under
447 the GNU General Public License (GPL). Download the source from the
448 @uref{http://tinc.nl.linux.org/download.html, download page}, which has
449 the checksums of these files listed; you may wish to check these with
450 md5sum before continuing.
452 tinc comes in a convenient autoconf/automake package, which you can just
453 treat the same as any other package. Which is just untar it, type
454 `configure' and then `make'.
456 More detailed instructions are in the file @file{INSTALL}, which is
457 included in the source distribution.
466 @c ==================================================================
467 @node Building tinc, System files, Installing tinc - installation, Installing tinc - installation
468 @section Building tinc
470 Detailed instructions on configuring the source and building tinc can be
471 found in the file called @file{INSTALL}.
474 @c ==================================================================
475 @node System files, Interfaces, Building tinc, Installing tinc - installation
476 @section System files
478 Before you can run tinc, you must make sure you have all the needed
479 files on your system.
487 @c ==================================================================
488 @node Device files, Other files, System files, System files
489 @subsection Device files
491 First, you'll need the special device file(s) that form the interface
492 between the kernel and the daemon.
494 The permissions for these files have to be such that only the super user
495 may read/write to this file. You'd want this, because otherwise
496 eavesdropping would become a bit too easy. This does, however, imply
497 that you'd have to run tincd as root.
499 If you use the universal TUN/TAP driver, you have to create the
500 following device files (unless they already exist):
503 mknod -m 600 /dev/... c .. ..
507 If you want to have more devices, the device numbers will be .. .. ...
509 If you use Linux, and you run the new 2.4 kernel using the devfs
510 filesystem, then the tap device will be automatically generated as
511 @file{/dev/netlink/tap0}.
513 If you use Linux and have kernel 2.2.x, you have to make the ethertap
517 mknod -m 600 /dev/tap0 c 36 16
521 Any further ethertap devices have minor device number 16 through 31.
524 @c ==================================================================
525 @node Other files, , Device files, System files
526 @subsection Other files
528 @subsubheading @file{/etc/networks}
530 You may add a line to @file{/etc/networks} so that your VPN will get a
531 symbolic name. For example:
537 This has nothing to do with the MyVPNIP configuration variable that will be
538 discussed later, it is only to make the output of the route command more
541 @subsubheading @file{/etc/services}
543 You may add this line to @file{/etc/services}. The effect is that you
544 may supply a @samp{tinc} as a valid port number to some programs. The
545 number 655 is registered with the IANA.
550 # Ivo Timmermans <itimmermans@@bigfoot.com>
554 @c ==================================================================
555 @node Interfaces, , System files, Installing tinc - installation
558 Before you can start transmitting data over the tinc tunnel, you must
559 set up the ethertap network devices.
561 First, decide which IP addresses you want to have associated with these
562 devices, and what network mask they must have. You also need these
563 numbers when you are going to configure tinc itself. @xref{Configuring
566 It doesn't matter much which part you do first, setting up the network
567 devices or configure tinc. But they both have to be done before you try
570 The actual setup of the ethertap device is quite simple, just repeat
574 ifconfig tap@emph{n} hw ether fe:fd:00:00:00:00
578 @cindex hardware address
579 @strong{Note:} Since version 1.0pre3, all interface addresses are set to
580 this address, whereas previous versions required the MAC to match the
584 To activate the device, you have to assign an IP address to it. To set
585 an IP address @emph{IP} with network mask @emph{mask}, do the following:
588 ifconfig tap@emph{n} @emph{xx}.@emph{xx}.@emph{xx}.@emph{xx} netmask @emph{mask}
592 The netmask is the mask of the @emph{entire} VPN network, not just your
593 own subnet. It is the same netmask you will have to specify with the
594 VpnMask configuration variable.
608 @c ==================================================================
609 @node Configuring tinc, Running tinc, Installing tinc - installation, Top
610 @chapter Configuring tinc
613 * Multiple networks::
614 * How connections work::
615 * Configuration file::
619 @c ==================================================================
620 @node Multiple networks, How connections work, Configuring tinc, Configuring tinc
621 @section Multiple networks
625 It is perfectly OK for you to run more than one tinc daemon.
626 However, in its default form, you will soon notice that you can't use
627 two different configuration files without the -c option.
629 We have thought of another way of dealing with this: network names. This
630 means that you call tincd with the -n argument, which will assign a name
633 The effect of this is that the daemon will set its configuration
634 ``root'' to /etc/tinc/nn/, where nn is your argument to the -n
635 option. You'll notice that it appears in syslog as ``tinc.nn''.
637 However, it is not strictly necessary that you call tinc with the -n
638 option. In this case, the network name would just be empty, and it will
639 be used as such. tinc now looks for files in /etc/tinc/, instead of
640 /etc/tinc/nn/; the configuration file should be /etc/tinc/tinc.conf,
641 and the passphrases are now expected to be in /etc/tinc/passphrases/.
643 But it is highly recommended that you use this feature of tinc, because
644 it will be so much clearer whom your daemon talks to. Hence, we will
645 assume that you use it.
648 @c ==================================================================
649 @node How connections work, Configuration file, Multiple networks, Configuring tinc
650 @section How connections work
652 Before going on, first a bit on how tinc sees connections.
654 When tinc starts up, it reads in the configuration file and parses the
655 command-line options. If it sees a `ConnectTo' value in the file, it
656 will try to connect to it, on the given port. If this fails, tinc exits.
659 @c ==================================================================
660 @node Configuration file, Example, How connections work, Configuring tinc
661 @section Configuration file
663 The actual configuration of the daemon is done in the file
664 @file{/etc/tinc/nn/tinc.conf}.
666 This file consists of comments (lines started with a #) or assignments
673 The variable names are case insensitive, and any spaces, tabs, newlines
674 and carriage returns are ignored. Note: it is not required that you put
675 in the `=' sign, but doing so improves readability. If you leave it
676 out, remember to replace it with at least one space character.
678 In this section all valid variables are listed in alphabetical order.
679 The default value is given between parentheses; required directives are
680 given in @strong{bold}.
683 * Main configuration variables::
684 * Host configuration variables::
689 @c ==================================================================
690 @node Main configuration variables, Host configuration variables, Configuration file, Configuration file
691 @subsection Main configuration variables
694 @item @strong{ConnectTo = <name>}
695 Specifies which host to connect to on startup. Multiple ConnectTo
696 variables may be specified, if connecting to the first one fails then
697 tinc will try the next one, and so on. It is possible to specify
698 hostnames for dynamic IP addresses (like those given on dyndns.org),
699 tinc will not cache the resolved IP address.
701 If you don't specify a host with ConnectTo, regardless of whether a
702 value for ConnectPort is given, tinc won't connect at all, and will
703 instead just listen for incoming connections.
705 @item Hostnames = <yes|no> (no)
706 This option selects whether IP addresses (both real and on the VPN)
707 should be resolved. Since DNS lookups are blocking, it might affect
708 tinc's efficiency, even stopping the daemon for a few seconds everytime
709 it does a lookup if your DNS server is not responding.
711 This does not affect resolving hostnames to IP addresses from the
714 @item Interface = <device>
715 If you have more than one network interface in your computer, tinc will
716 by default listen on all of them for incoming connections. It is
717 possible to bind tinc to a single interface like eth0 or ppp0 with this
720 @item InterfaceIP = <local address>
721 If your computer has more than one IP address on a single interface (for
722 example if you are running virtual hosts), tinc will by default listen
723 on all of them for incoming connections. It is possible to bind tinc to
724 a single IP address with this variable. It is still possible to listen
725 on several interfaces at the same time though, if they share the same IP
728 @item KeyExpire = <seconds> (3600)
729 This option controls the time the encryption keys used to encrypt the
730 data are valid. It is common practice to change keys at regular
731 intervals to make it even harder for crackers, even though it is thought
732 to be nearly impossible to crack a single key.
734 @item @strong{Name = <name>}
735 This is a symbolic name for this connection. It can be anything
737 @item PingTimeout = <seconds> (5)
738 The number of seconds of inactivity that tinc will wait before sending a
739 probe to the other end. If that other end doesn't answer within that
740 same amount of seconds, the connection is terminated, and the others
741 will be notified of this.
743 @item PrivateKey = <key>
744 This is the RSA private key for tinc. However, for safety reasons it is
745 advised to store private keys of any kind in separate files. This prevents
746 accidental eavesdropping if you are editting the configuration file.
748 @item PrivateKeyFile = <path>
749 This is the full path name of the RSA private key file that was
750 generated by ``tincd --generate-keys''. It must be a full path, not a
753 Note that exactly @strong{one of the above two options} must be specified.
755 @item TapDevice = <device> (/dev/tap0)
756 The ethertap device to use. Note that you can only use one device per
757 daemon. The info pages of the tinc package contain more information
758 about configuring an ethertap device for Linux.
760 @item VpnMask = <mask>
761 The mask that defines the scope of the entire VPN. This option is not
762 used by the tinc daemon itself, but can be used by startup scripts to
763 configure the ethertap devices correctly.
767 @c ==================================================================
768 @node Host configuration variables, How to configure, Main configuration variables, Configuration file
769 @subsection Host configuration variables
772 @item @strong{Address = <IP address|hostname>}
773 This variable is only required if you want to connect to this host. It
774 must resolve to the external IP address where the host can be reached,
775 not the one that is internal to the VPN.
777 @item IndirectData = <yes|no> (no)
778 This option specifies whether other tinc daemons besides the one you
779 specified with ConnectTo can make a direct connection to you. This is
780 especially useful if you are behind a firewall and it is impossible to
781 make a connection from the outside to your tinc daemon. Otherwise, it
782 is best to leave this option out or set it to no.
784 @item Port = <port> (655)
785 Connect to the upstream host (given with the ConnectTo directive) on
786 port port. port may be given in decimal (default), octal (when preceded
787 by a single zero) o hexadecimal (prefixed with 0x). port is the port
788 number for both the UDP and the TCP (meta) connections.
790 @item PublicKey = <key>
791 This is the RSA public key for this host.
793 @item PublicKeyFile = <path>
794 This is the full path name of the RSA public key file that was generated
795 by ``tincd --generate-keys''. It must be a full path, not a relative
798 Note that exactly @strong{one of the above two options} must be specified
799 in each host configuration file, if you want to be able to establish a
800 connection with that host.
802 @item Subnet = <IP address/maskbits>
803 This is the subnet range of all IP addresses that will be accepted by
804 the host that defines it.
806 The range must be contained in the IP address range of the tap device,
807 not the real IP address of the host running tincd.
809 maskbits is the number of bits set to 1 in the netmask part; for
810 example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
811 /22. This conforms to standard CIDR notation as described in
812 @uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519}
814 @item TCPonly = <yes|no> (no)
815 If this variable is set to yes, then the packets are tunnelled over a
816 TCP connection instead of a UDP connection. This is especially useful
817 for those who want to run a tinc daemon from behind a masquerading
818 firewall, or if UDP packet routing is disabled somehow. @emph{This is
819 experimental code, try this at your own risk. It may not work at all.}
823 @c ==================================================================
824 @node How to configure, , Host configuration variables, Configuration file
825 @subsection How to configure
827 @subsubheading Step 1. Creating the key files
829 For each host, you have to create a pair of RSA keys. One key is your
830 private key, which is only known to you. The other one is the public
831 key, which you should copy to all hosts wanting to authenticate to you.
834 @subsubheading Step 2. Configuring each host
836 For every host in the VPN, you have to create two files. First there is
837 the main configuration file, @file{/etc/tinc/vpn-name/tinc.conf}. In
838 this file there should at least be three directives:
842 You should fill in the name of this host (or rather, the name of this
843 leaf of the VPN). It can be called after the hostname, the physical
844 location, the department, or the name of one of your boss' pets. It can
845 be anything, as long as all these names are unique across the entire
849 Fill in the full pathname to the file that contains the private RSA key.
852 This is the name of the host that you want to connect to (not a DNS
853 name, rather the name that is given with the Name parameter in that
854 hosts tinc.conf). This is the upstream connection. If your computer is
855 a central node, you might want to leave this out to make it stay idle
856 until someone connects to it.
859 @cindex host configuration file
860 Then you should create a file with the name you gave yourself in
861 tinc.conf (the `Name' parameter), located in
862 @file{/etc/tinc/vpn-name/hosts/}. In this file, which we call the
863 `@emph{host configuration file}', only one variable is required:
867 The IP range that this host accepts as being `local'. All packets with
868 a destination address that is within this subnet will be sent to us.
872 @subsubheading Step 3. Bringing it all together
874 Now for all hosts that you want to create a direct connection to, -- you
875 connect to them or they connect to you -- you get a copy of their host
876 configuration file and their public RSA key.
878 For each host configuration file, you add two variables:
882 Enter the IP address or DNS hostname for this host. This is only needed
883 if you connect to this host.
886 Put the full pathname to this hosts public RSA key here.
889 When you did this, you should be ready to create your first connection.
890 Pay attention to the system log, most errors will only be visible
891 there. If you get an error, you can check @ref{Error messages}.
894 @c ==================================================================
895 @node Example, , Configuration file, Configuring tinc
900 Imagine the following situation. An A-based company wants to connect
901 three branch offices in B, C and D using the internet. All four offices
902 have a 24/7 connection to the internet.
904 A is going to serve as the center of the network. B and C will connect
905 to A, and D will connect to C. Each office will be assigned their own IP
909 A: net 10.1.0.0 mask 255.255.0.0 gateway 10.1.54.1 internet IP 1.2.3.4
910 B: net 10.2.0.0 mask 255.255.0.0 gateway 10.2.1.12 internet IP 2.3.4.5
911 C: net 10.3.0.0 mask 255.255.0.0 gateway 10.3.69.254 internet IP 3.4.5.6
912 D: net 10.4.0.0 mask 255.255.0.0 gateway 10.4.3.32 internet IP 4.5.6.7
915 ``gateway'' is the VPN IP address of the machine that is running the
916 tincd. ``internet IP'' is the IP address of the firewall, which does not
917 need to run tincd, but it must do a port forwarding of TCP&UDP on port
918 655 (unless otherwise configured).
920 In this example, it is assumed that eth0 is the interface that points to
921 the inner (physical) LAN of the office, although this could also be the
922 same as the interface that leads to the internet. The configuration of
923 the real interface is also shown as a comment, to give you an idea of
924 how these example host is set up.
928 @emph{A} would be configured like this:
931 #ifconfig eth0 10.1.54.1 netmask 255.255.0.0 broadcast 10.1.255.255
932 ifconfig tap0 hw ether fe:fd:00:00:00:00
933 ifconfig tap0 10.1.54.1 netmask 255.0.0.0
936 and in /etc/tinc/tinc.conf:
940 PrivateKey = /etc/tinc/A.priv
944 On all hosts, /etc/tinc/hosts/A contains:
949 PublicKey = /etc/tinc/hosts/A.pub
956 #ifconfig eth0 10.2.43.8 netmask 255.255.0.0 broadcast 10.2.255.255
957 ifconfig tap0 hw ether fe:fd:00:00:00:00
958 ifconfig tap0 10.2.1.12 netmask 255.0.0.0
961 and in /etc/tinc/tinc.conf:
966 PrivateKey = /etc/tinc/B.priv
970 Note here that the internal address (on eth0) doesn't have to be the
971 same as on the tap0 device. Also, ConnectTo is given so that no-one can
972 connect to this node.
974 On all hosts, /etc/tinc/hosts/B:
979 PublicKey = /etc/tinc/hosts/B.pub
986 #ifconfig eth0 10.3.69.254 netmask 255.255.0.0 broadcast 10.3.255.255
987 ifconfig tap0 hw ether fe:fd:00:00:00:00
988 ifconfig tap0 10.3.69.254 netmask 255.0.0.0
991 and in /etc/tinc/A/tinc.conf:
996 TapDevice = /dev/tap1
1000 C already has another daemon that runs on port 655, so they have to
1001 reserve another port for tinc. It can connect to other tinc daemons on
1002 the regular port though, so no ConnectPort variable is needed. They
1003 also use the netname to distinguish between the two. tinc is started
1006 On all hosts, /etc/tinc/hosts/C:
1009 Subnet = 10.3.0.0/16
1011 PublicKey = /etc/tinc/hosts/C.pub
1015 @subsubheading For D
1018 #ifconfig tap0 10.4.3.32 netmask 255.255.0.0 broadcast 10.4.255.255
1019 ifconfig tap0 hw ether fe:fd:0a:04:03:20
1020 ifconfig tap0 10.4.3.32 netmask 255.0.0.0
1023 and in /etc/tinc/tinc.conf:
1026 MyVirtualIP = 10.4.3.32/16
1032 D will be connecting to C, which has a tincd running for this network on
1033 port 2000. Hence they need to put in a ConnectPort, but it doesn't need
1034 to have a different ListenPort.
1036 @subsubheading Key files
1038 A, B, C and D all have generate a public key with tincd -K, the output is
1039 stored in /etc/tinc/hosts/X.pub (where X is A, B or D), except for C,
1040 who stored it in /etc/tinc/A/hosts/C.pub.
1042 A stores a copy of B's public key in /etc/tinc/hosts/B.pub
1044 A stores a copy of C's public key in /etc/tinc/hosts/C.pub
1046 B stores a copy of A's public key in /etc/tinc/hosts/A.pub
1048 C stores a copy of A's public key in /etc/tinc/A/hosts/A.pub
1050 C stores a copy of D's public key in /etc/tinc/A/hosts/D.pub
1052 D stores a copy of C's public key in /etc/tinc/hosts/C.pub
1054 @subsubheading Starting
1056 A has to start their tincd first. Then come B and C, where C has to
1057 provide the option `-n A', because they have more than one tinc
1058 network. Finally, D's tincd is started.
1062 @c ==================================================================
1063 @node Running tinc, Technical information, Configuring tinc, Top
1064 @chapter Running tinc
1066 Running tinc isn't just as easy as typing `tincd' and hoping everything
1067 will just work out the way you wanted. Instead, the use of tinc is a
1068 project that involves trust relations and more than one computer.
1077 @c ==================================================================
1078 @node Managing keys, Runtime options, Running tinc, Running tinc
1079 @section Managing keys
1081 Before attempting to start tinc, you have to create public/private keypairs.
1082 When tinc tries to make a connection, it exchanges some sensitive
1083 data. Before doing so, it likes to know if the other end is
1086 To do this, both ends must have some knowledge about the other. In the
1087 case of tinc this is the public keys.
1089 To generate a public/private keypair, run `tincd -n vpn-name -K<bits>'.
1090 <bits> is optional, you can use it to specify the length of the keys.
1091 The length of the public/private keypairs
1092 should be at least 1024 for reasonable security (reasonable being good enough
1093 to keep the NSA busy for a few weeks).
1095 Every computer that wants to participate in the VPN should do this. The
1096 public keyfile should get the name of each tinc daemon and an extension .pub,
1097 and it should be stored in the hosts directory.
1099 When every computer has his own keys and configuration files, the files in the
1100 hosts directory should be exchanged with each other computer that it wants to
1101 talk to directly. Since only public keys are involved, you can safely do this
1102 via email, telnet or ftp, or even putting the contents on a public billboard.
1105 @c ==================================================================
1106 @node Runtime options, Error messages, Managing keys, Running tinc
1107 @section Runtime options
1109 Besides the settings in the configuration file, tinc also accepts some
1110 command line options.
1112 This list is a longer version of that in the manpage. The latter is
1113 generated automatically, so may be more up-to-date.
1115 @cindex command line
1116 @cindex runtime options
1120 @item -c, --config=PATH
1121 Read configuration options from the directory PATH. The default is
1122 @file{/etc/tinc/nn/}.
1125 Increase debug level. The higher it gets, the more gets
1126 logged. Everything goes via syslog.
1128 0 is the default, only some basic information connection attempts get
1129 logged. Setting it to 1 will log a bit more, still not very
1130 disturbing. With two -d's tincd will log protocol information, which can
1131 get pretty noisy. Three or more -d's will output every single packet
1132 that goes out or comes in, which probably generates more data than the
1136 Attempt to kill a running tincd and exit. A TERM signal (15) gets sent
1137 to the daemon that his its PID in /var/run/tinc.pid.
1139 Because it kills only one tinc daemon, you should use -n here if you
1140 started it that way. It will then read the PID from
1141 @file{/var/run/tinc.NETNAME.pid}.
1143 @item -n, --net=NETNAME
1144 Connect to net NETNAME. @xref{Multiple networks}.
1146 @item -K, --generate-keys[=BITS]
1147 Generate public/private keypair of BITS length. If BITS is not specified,
1148 1024 is the default. tinc will ask where you want to store the files,
1149 but will default to the configuration directory (you can use the -c or -n option
1150 in combination with -K). After that, tinc will quit.
1153 Display a short reminder of these runtime options and terminate.
1156 Output version information and exit.
1161 @c ==================================================================
1162 @node Error messages, , Runtime options, Running tinc
1163 @section Error messages
1165 What follows is a list of the most common error messages you can see
1166 when configuring tinc. Most of these messages are visible in the syslog
1167 only, so keep an eye on it!
1170 @item Could not open /dev/tap0: No such device
1172 @item You forgot to insmod netlink_dev.o
1173 @item You forgot to compile `Netlink device emulation' in the kernel
1176 @item Can't write to tun/tap device: No such device
1178 @item You forgot to insmod tun.o
1179 @item You forgot to compile `Universal TUN/TAP driver' in the kernel
1182 @item Packet with destination 1.2.3.4 is looping back to us!
1184 @item Something is not configured right. Packets are being sent out to the
1185 tap device, but according to the Subnet directives in your host configuration
1186 file, those packets should go to your own host. Most common mistake is that
1187 you have a Subnet line in your host configuration file with a netmask which is
1188 just as large as the netmask of the tap device. The latter should in almost all
1189 cases be larger. Rethink your configuration.
1190 Note that you will only see this message if you specified a debug
1191 level of 5 or higher!
1194 @item Network address and subnet mask do not match!
1196 @item The Subnet field must contain a network address. That means that
1197 the lower order bits of the address must be zero. For example, 192.168.1.1/24
1198 is wrong, you should use 192.168.1.0/24.
1199 @item If you only want to use one IP address, set the netmask to /32.
1202 @item This is a bug: net.c:253: 24: Some error
1204 @item This is something that should not have happened
1205 Please report this, and tell us exactly what went wrong before you got
1206 this message. In normal operation, these errors should not occur.
1209 @item Error reading RSA key file `rsa_key.priv': No such file or directory
1211 @item You must specify the complete pathname
1212 Specifying a relative path does not make sense here. tinc changes its
1213 directory to / when starting (to avoid keeping a mount point busy); and
1214 even if we built in a default directory to look for these files, the key
1215 files are bound to be in a different directory.
1221 @c ==================================================================
1222 @node Technical information, About us, Running tinc, Top
1223 @chapter Technical information
1231 @c ==================================================================
1232 @node The Connection, Security, Technical information, Technical information
1233 @section The basic philosophy of the way tinc works
1236 tinc is a daemon that takes VPN data and transmit that to another host
1237 computer over the existing Internet infrastructure.
1240 * Protocol Preview::
1241 * The Meta-connection::
1245 @c ==================================================================
1246 @node Protocol Preview, The Meta-connection, The Connection, The Connection
1247 @subsection A preview of the way the tinc works
1251 The data itself is read from a character device file, the so-called
1252 @emph{ethertap} device. This device is associated with a network
1253 interface. Any data sent to this interface can be read from the device,
1254 and any data written to the device gets sent from the interface. Data to
1255 and from the device is formatted as if it were a normal ethernet card,
1256 so a frame is preceded by two MAC addresses and a @emph{frame type}
1259 So when tinc reads an ethernet frame from the device, it determines its
1260 type. Right now, tinc can only handle Internet Protocol version 4 (IPv4)
1261 frames, because it needs IP headers for routing.
1262 Plans to support other protocols and switching instead of routing are being made.
1264 which type of frame it has read, it can also read the source and
1265 destination address from it.
1267 Now it is time that the frame gets encrypted. Currently the only
1268 encryption algorithm available is blowfish.
1270 @cindex encapsulating
1271 When the encryption is ready, time has come to actually transport the
1272 packet to the destination computer. We do this by sending the packet
1273 over an UDP connection to the destination host. This is called
1274 @emph{encapsulating}, the VPN packet (though now encrypted) is
1275 encapsulated in another IP datagram.
1277 When the destination receives this packet, the same thing happens, only
1278 in reverse. So it does a decrypt on the contents of the UDP datagram,
1279 and it writes the decrypted information to its own ethertap device.
1281 To let the kernel on the receiving end accept the packet, the destination MAC
1282 address must match that of the tap interface. Because of the routing nature
1283 of tinc, ARP is not possible. tinc solves this by always overwriting the
1284 destination MAC address with fe:fd:0:0:0:0. That is also the reason why you must
1285 set the MAC address of your tap interface to that address.
1288 @c ==================================================================
1289 @node The Meta-connection, , Protocol Preview, The Connection
1290 @subsection The meta-connection
1292 Having only an UDP connection available is not enough. Though suitable
1293 for transmitting data, we want to be able to reliably send other
1294 information, such as routing and encryption information to somebody.
1296 TCP is a better alternative, because it already contains protection
1297 against information being lost, unlike UDP.
1299 So we establish two connections. One for the encrypted VPN data, and one
1300 for other information, the meta-data. Hence, we call the second
1301 connection the meta-connection. We can now be sure that the
1302 meta-information doesn't get lost on the way to another computer.
1304 @cindex data-protocol
1305 @cindex meta-protocol
1306 Like with any communication, we must have a protocol, so that everybody
1307 knows what everything stands for, and how she should react. Because we
1308 have two connections, we also have two protocols. The protocol used for
1309 the UDP data is the ``data-protocol,'' the other one is the
1312 The reason we don't use TCP for both protocols is that UDP is much
1313 better for encapsulation, even while it is less reliable. The real
1314 problem is that when TCP would be used to encapsulate a TCP stream
1315 that's on the private network, for every packet sent there would be
1316 three ACK's sent instead of just one. Furthermore, if there would be
1317 a timeout, both TCP streams would sense the timeout, and both would
1318 start resending packets.
1320 @c ==================================================================
1321 @node Security, , The Connection, Technical information
1322 @section About tinc's encryption and other security-related issues.
1326 tinc got its name from ``TINC,'' short for @emph{There Is No Cabal}; the
1327 alleged Cabal was/is an organization that was said to keep an eye on the
1328 entire Internet. As this is exactly what you @emph{don't} want, we named
1329 the tinc project after TINC.
1332 But in order to be ``immune'' to eavesdropping, you'll have to encrypt
1333 your data. Because tinc is a @emph{Secure} VPN (SVPN) daemon, it does
1334 exactly that: encrypt.
1336 This chapter is a mixture of ideas, reasoning and explanation, please
1337 don't take it too serious.
1343 @c ==================================================================
1344 @node Key Types, , Security, Security
1345 @subsection Key Types
1346 @c FIXME: check if I'm not talking nonsense
1348 There are several types of encryption keys. Tinc uses two of them,
1349 symmetric private keypairs and public/private keypairs.
1351 Public/private keypairs are used in public key cryptography. It enables
1352 someone to send out a public key with which other people can encrypt their
1353 data. The encrypted data now can only be decrypted by the person who has
1354 the private key that matches the public key. So, a public key only allows
1355 @emph{other} people to send encrypted messages to you. This is very useful
1356 in setting up private communications channels. Just send out your public key
1357 and other people can talk to you in a secure way. But how can you know
1358 the other person is who she says she is? This is done by sending out an
1359 encrypted challenge that only the person with the right private key can decode
1362 However, encryption with public/private keys is very slow. Symmetric key cryptography
1363 is orders of magnitudes faster, but it is very hard to safely exchange the symmetric
1364 keys, since they should be kept private.
1366 The idea is to use public/private cryptography for authentication, and for
1367 exchanging symmetric keys in a safe way. After that, all communications are encrypted
1368 with the symmetric cipher.
1371 @c ==================================================================
1372 @node About us, Concept Index, Technical information, Top
1377 * Contact Information::
1382 @c ==================================================================
1383 @node Contact Information, Authors, About us, About us
1384 @section Contact information
1386 tinc's main page is at @url{http://tinc.nl.linux.org/},
1387 this server is located in the Netherlands.
1389 We have an IRC channel on the Open Projects IRC network. Connect to
1390 @uref{http://openprojects.nu/services/irc.html, irc.openprojects.net},
1391 and join channel #tinc.
1394 @c ==================================================================
1395 @node Authors, , Contact Information, About us
1399 @item Ivo Timmermans (zarq) (@email{itimmermans@@bigfoot.com})
1400 Main coder/hacker and maintainer of the package.
1402 @item Guus Sliepen (guus) (@email{guus@@sliepen.warande.net})
1403 Originator of it all, co-author.
1405 @item Wessel Dankers (Ubiq) (@email{wsl@@nl.linux.org})
1406 For the name `tinc' and various suggestions.
1410 We have received a lot of valuable input from users. With their help,
1411 tinc has become the flexible and robust tool that it is today. We have
1412 composed a list of contributions, in the file called @file{THANKS} in
1413 the source distribution.
1416 @c ==================================================================
1417 @node Concept Index, , About us, Top
1418 @c node-name, next, previous, up
1419 @unnumbered Concept Index
1421 @c ==================================================================
1425 @c ==================================================================