From: Guus Sliepen Date: Fri, 25 May 2001 10:06:13 +0000 (+0000) Subject: Small corrections to the manuals. X-Git-Tag: release-1.0pre4~5 X-Git-Url: https://git.tinc-vpn.org/git/browse?a=commitdiff_plain;h=6e09c2a99c8ac3c1391f4f2eee16d6c235c10e90;p=tinc Small corrections to the manuals. --- diff --git a/doc/tinc.conf.5 b/doc/tinc.conf.5 index 8f0dc896..46bc0cfe 100644 --- a/doc/tinc.conf.5 +++ b/doc/tinc.conf.5 @@ -15,14 +15,14 @@ names. This means that you call \fBtincd\fR with the \fI-n\fR argument, which will assign a name to this daemon. The effect of this is that the daemon will set its configuration -``root'' to \fI/etc/tinc/\fBnn\fI/\fR, where \fBnn\fR is your argument +``root'' to \fI/etc/tinc/\fBnetname\fI/\fR, where \fBnetname\fR is your argument to the \fI-n\fR option. You'll notice that it appears in syslog as -``tincd.\fBnn\fR''. +``tincd.\fBnetname\fR''. However, it is not strictly necessary that you call tinc with the -n option. In this case, the network name would just be empty, and it will be used as such. tinc now looks for files in \fI/etc/tinc/\fR, -instead of \fI/etc/tinc/\fBnn\fI/\fR; the configuration file should be +instead of \fI/etc/tinc/\fBnetname\fI/\fR; the configuration file should be \fI/etc/tinc/tinc.conf\fR, and the passphrases are now expected to be in \fI/etc/tinc/passphrases/\fR. @@ -34,7 +34,7 @@ we will assume that you use it. Each tinc daemon should have a name that is unique in the network which it will be part of. The name will be used by other tinc daemons for identification. The name has to be declared in the -\fI/etc/tinc/\fBnn\fI/tinc.conf\fR file. +\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR file. To make things easy, choose something that will give unique and easy to rememebr names to your tinc daemon(s). @@ -42,16 +42,16 @@ You could try things like hostnames, owner surnames or location names. .PP .SH "PUBLIC/PRIVATE KEYS" You should use \fBtincd --generate-keys\fR to generate public/private -keypairs. It will generate two keys. The line containing the private -key should be completely copied to \fI/etc/tinc/\fBnn\fI/tinc.conf\fR -\-\- where \fBnn\fR stands for the network (See under \fBNETWORKS\fR) -above. The line containing the public key should be completely copied -to \fI/etc/tinc/\fBnn\fI/hosts/\fBname\fR \-\- where \fBname\fR stands -for the name of the tinc daemon (See \fBNAMES\fR). +keypairs. It will generate two keys. The private +key should be stored in a separate file \fI/etc/tinc/\fBnetname\fI/rsa_key.priv\fR +\-\- where \fBnetname\fR stands for the network (See under \fBNETWORKS\fR) +above. The public key should be stored in +the host configuration file \fI/etc/tinc/\fBnetname\fI/hosts/\fBname\fR \-\- where \fBname\fR stands +for the name of the local tinc daemon (See \fBNAMES\fR). .PP .SH "SERVER CONFIGURATION" The server configuration of the daemon is done in the file -\fI/etc/tinc/\fBnn\fI/tinc.conf\fR. +\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR. This file consists of comments (lines started with a \fB#\fR) or assignments in the form of @@ -67,16 +67,16 @@ readability. If you leave it out, remember to replace it with at least one space character. .PP Here are all valid variables, listed in alphabetical order. The default -value, required or optional is given between parentheses. +value is given between parentheses. .TP -\fBConnectTo\fR = <\fIname\fR> (optional) +\fBConnectTo\fR = <\fIname\fR> Specifies which host to connect to on startup. Multiple \fBConnectTo\fR variables may be specified, if connecting to the first one fails then tinc will try the next one, and so on. The names should be known to this tinc daemon (i.e., there should be a host configuration file for the name on the ConnectTo line). -If you don't specify a host with \fBConnectTo\fR, tinc won't connect at all, +If you don't specify a host with \fBConnectTo\fR, tinc won't try to connect to other daemons at all, and will instead just listen for incoming connections. .TP \fBHostnames\fR = <\fIyes|no\fR> (no) @@ -88,33 +88,47 @@ a lookup if your DNS server is not responding. This does not affect resolving hostnames to IP addresses from the host configuration files. .TP +\fBInterface\fR = <\fIdevice\fR> +If you have more than one network interface in your computer, tinc will +by default listen on all of them for incoming connections. It is +possible to bind tinc to a single interface like eth0 or ppp0 with this +variable. +.TP +\fBInterfaceIP\fR = <\fIlocal address\fR> +If your computer has more than one IP address on a single interface (for +example if you are running virtual hosts), tinc will by default listen +on all of them for incoming connections. It is possible to bind tinc to +a single IP address with this variable. It is still possible to listen +on several interfaces at the same time though, if they share the same IP +address. +.TP \fBKeyExpire\fR = <\fIseconds\fR> (3600) This option controls the time the encryption keys used to encrypt the data are valid. It is common practice to change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impossible to crack a single key. .TP -\fBName\fR = <\fIname\fR> (required) +\fBName\fR = <\fIname\fR> [required] This is the name which identifies this tinc daemon. It must be unique for the virtual private network this daemon will connect to. .TP -\fBPingTimeout\fR = <\fIseconds\fR> (5) +\fBPingTimeout\fR = <\fIseconds\fR> (60) The number of seconds of inactivity that tinc will wait before sending a probe to the other end. If that other end doesn't answer within that same amount of seconds, the connection is terminated, and the others will be notified of this. .TP -\fBPrivateKey\fR = <\fIkey\fR> +\fBPrivateKey\fR = <\fIkey\fR> [obsolete] The private RSA key of this tinc daemon. It will allow this tinc daemon to authenticate itself to other daemons. .TP -\fBPrivateKeyFile\fR = <\fIfilename\fR> +\fBPrivateKeyFile\fR = <\fIfilename\fR> [recommended] The file in which the private RSA key of this tinc daemon resides. Note that there must be exactly one of \fBPrivateKey\fR or \fBPrivateKeyFile\fR specified in the configuration file. .TP -\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0) +\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0 or /dev/net/tun) The ethertap or tun/tap device to use. tinc will automatically detect what kind of tapdevice it is. Note that you can only use one device per @@ -134,24 +148,34 @@ tinc daemon. Since host configuration files only contain public keys, no secrets are revealed by sending out this information. .PP .TP -\fBAddress\fR = <\fIIP address\fR> (required) +\fBAddress\fR = <\fIIP address\fR> [recommended] The real address or hostname of this tinc daemon. .TP +\fBIndirectData\fR = <\fIyes\fR|\fIno\fR> (no) [experimental] +This option specifies whether other tinc daemons besides the one you +specified with ConnectTo can make a direct connection to you. This is +especially useful if you are behind a firewall and it is impossible to +make a connection from the outside to your tinc daemon. Otherwise, it +is best to leave this option out or set it to no. +.TP \fBPort\fR = <\fIport number\fR> (655) The port on which this tinc daemon is listening for incoming connections. .TP -\fBPublicKey\fR = <\fIkey\fR> +\fBPublicKey\fR = <\fIkey\fR> [obsolete] The public RSA key of this tinc daemon. It will be used to cryptographically verify it's identity and to set up a secure connection. .TP -\fBPublicKeyFile\fR = <\fIfilename\fR> +\fBPublicKeyFile\fR = <\fIfilename\fR> [obsolete] The file in which the public RSA key of this tinc daemon resides. -Note that there must be exactly one of \fBPublicKey\fR or \fBPublicKeyFile\fR -specified in each host configuration file, if you want to be able to establish -a connection with that host. -.TP -\fBSubnet\fR = <\fIaddress/masklength\fR> (optional) +From version 1.0pre4 on tinc will store the public key directly into the +host configuration file in PEM format, the above two options then are not +necessary. Either the PEM format is used, or exactly +one of the above two options must be specified +in each host configuration file, if you want to be able to establish a +connection with that host. +.TP +\fBSubnet\fR = <\fIaddress/masklength\fR> The subnet which this tinc daemon will serve. tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet. If the packet matches a subnet, it will be sent to the daemon who has this subnet in his @@ -165,19 +189,27 @@ The subnets must be in a form like \fI192.168.1.0/24\fR, where 192.168.1.0 is th network address and 24 is the number of bits set in the netmask. Note that subnets like \fI192.168.1.1/24\fR are invalid! Read a networking howto/FAQ/guide if you don't understand this. +.TP +\fBTCPonly\fR = <\fIyes\fR|\fIno\fR> (no) [experimental] +If this variable is set to yes, then the packets are tunnelled over a +TCP connection instead of a UDP connection. This is especially useful +for those who want to run a tinc daemon from behind a masquerading +firewall, or if UDP packet routing is disabled somehow. This is +experimental code, try this at your own risk. It may not work at all. +Setting this options also implicitly sets IndirectData. .SH "FILES" .TP \fI/etc/tinc/\fR The top directory for configuration files. .TP -\fI/etc/tinc/\fBnn\fI/tinc.conf\fR +\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR The default name of the server configuration file for net -\fBnn\fR. +\fBnetname\fR. .TP -\fI/etc/tinc/\fBnn\fI/hosts/\fR +\fI/etc/tinc/\fBnetname\fI/hosts/\fR Host configuration files are kept in this directory. .TP -\fI/etc/tinc/\fBnn\fI/tinc-up\fR +\fI/etc/tinc/\fBnetname\fI/tinc-up\fR If an executable file with this name exists, it will be executed right after the tinc daemon has connected to the tap device. It can be used to ifconfig the network interface. @@ -185,7 +217,7 @@ be used to ifconfig the network interface. If the tapdevice is a tun/tap device, the evironment variable \fB$IFNAME\fR will be set to the name of the network interface. .TP -\fI/etc/tinc/\fBnn\fI/tinc-down\fR +\fI/etc/tinc/\fBnetname\fI/tinc-down\fR If an executable file with this name exists, it will be executed right before the tinc daemon is going to close it's connection to the tap device. diff --git a/doc/tinc.texi b/doc/tinc.texi index 74951c92..c3c4a78d 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -1,5 +1,5 @@ \input texinfo @c -*-texinfo-*- -@c $Id: tinc.texi,v 1.8.4.16 2001/05/24 20:24:12 guus Exp $ +@c $Id: tinc.texi,v 1.8.4.17 2001/05/25 10:06:13 guus Exp $ @c %**start of header @setfilename tinc.info @settitle tinc Manual @@ -17,7 +17,7 @@ Copyright @copyright{} 1998-2001 Ivo Timmermans , Guus Sliepen and Wessel Dankers . -$Id: tinc.texi,v 1.8.4.16 2001/05/24 20:24:12 guus Exp $ +$Id: tinc.texi,v 1.8.4.17 2001/05/25 10:06:13 guus Exp $ Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are @@ -42,7 +42,7 @@ Copyright @copyright{} 1998-2001 Ivo Timmermans , Guus Sliepen and Wessel Dankers . -$Id: tinc.texi,v 1.8.4.16 2001/05/24 20:24:12 guus Exp $ +$Id: tinc.texi,v 1.8.4.17 2001/05/25 10:06:13 guus Exp $ Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are @@ -519,12 +519,17 @@ ethertap devices: @example mknod -m 600 /dev/tap0 c 36 16 chown 0.0 /dev/tap0 +mknod -m 600 /dev/tap1 c 36 17 +chown 0.0 /dev/tap0 +... +mknod -m 600 /dev/tap@emph{N} c 36 @emph{N+16} +chown 0.0 /dev/tap@emph{N} @end example -Any further ethertap devices have minor device number 16 through 31. +There is a maximum of 16 ethertap devices. If you use the universal TUN/TAP driver, you have to create the -following device files (unless they already exist): +following device file (unless it already exist): @example mknod -m 600 /dev/tun c 10 200 @@ -535,6 +540,9 @@ If you use Linux, and you run the new 2.4 kernel using the devfs filesystem, then the TUN/TAP device will probably be automatically generated as @file{/dev/net/tun}. +Unlike the ethertap device, you do not need multiple device files if +you are planning to run multiple tinc daemons. + @c ================================================================== @node Other files, , Device files, System files @@ -693,8 +701,9 @@ in the `=' sign, but doing so improves readability. If you leave it out, remember to replace it with at least one space character. In this section all valid variables are listed in alphabetical order. -The default value is given between parentheses; required directives are -given in @strong{bold}. +The default value is given between parentheses, +other comments are between square brackets and +required directives are given in @strong{bold}. @menu * Main configuration variables:: @@ -753,47 +762,35 @@ are valid. It is common practice to change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impossible to crack a single key. -@item ListenPort = (655) -@cindex ListenPort -Listen on local port port. The computer connecting to this daemon should -use this number as the argument for his ConnectPort. - @item @strong{Name = } @cindex Name This is a symbolic name for this connection. It can be anything -@item PingTimeout = (5) +@item PingTimeout = (60) @cindex PingTimeout The number of seconds of inactivity that tinc will wait before sending a probe to the other end. If that other end doesn't answer within that same amount of seconds, the connection is terminated, and the others will be notified of this. -@item PrivateKey = (obsolete) +@item PrivateKey = [obsolete] @cindex PrivateKey This is the RSA private key for tinc. However, for safety reasons it is advised to store private keys of any kind in separate files. This prevents accidental eavesdropping if you are editting the configuration file. -@item @strong{PrivateKeyFile = } (recommended) +@item @strong{PrivateKeyFile = } [recommended] @cindex PrivateKeyFile This is the full path name of the RSA private key file that was generated by ``tincd --generate-keys''. It must be a full path, not a relative directory. -@item @strong{TapDevice = } (/dev/tap0) +@item @strong{TapDevice = } (/dev/tap0 or /dev/net/tun) @cindex TapDevice The ethertap device to use. Note that you can only use one device per daemon. The info pages of the tinc package contain more information about configuring an ethertap device for Linux. -@item TCPonly = (no, experimental) -@cindex TCPonly -If this variable is set to yes, then the packets are tunnelled over a TCP -connection instead of a UDP connection. This is especially useful for those -who want to run a tinc daemon from behind a masquerading firewall, or if -UDP packet routing is disabled somehow. This is experimental code, -try this at your own risk. @end table @@ -802,13 +799,13 @@ try this at your own risk. @subsection Host configuration variables @table @asis -@item @strong{Address = } +@item @strong{Address = } [recommended] @cindex Address This variable is only required if you want to connect to this host. It must resolve to the external IP address where the host can be reached, not the one that is internal to the VPN. -@item IndirectData = (no, experimental) +@item IndirectData = (no) [experimental] @cindex IndirectData This option specifies whether other tinc daemons besides the one you specified with ConnectTo can make a direct connection to you. This is @@ -823,11 +820,11 @@ port port. port may be given in decimal (default), octal (when preceded by a single zero) o hexadecimal (prefixed with 0x). port is the port number for both the UDP and the TCP (meta) connections. -@item PublicKey = (obsolete) +@item PublicKey = [obsolete] @cindex PublicKey This is the RSA public key for this host. -@item PublicKeyFile = (obsolete) +@item PublicKeyFile = [obsolete] @cindex PublicKeyFile This is the full path name of the RSA public key file that was generated by ``tincd --generate-keys''. It must be a full path, not a relative @@ -855,13 +852,14 @@ example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes /22. This conforms to standard CIDR notation as described in @uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519} -@item TCPonly = (no, experimental) +@item TCPonly = (no) [experimental] @cindex TCPonly If this variable is set to yes, then the packets are tunnelled over a TCP connection instead of a UDP connection. This is especially useful for those who want to run a tinc daemon from behind a masquerading firewall, or if UDP packet routing is disabled somehow. This is experimental code, try this at your own risk. It may not work at all. +Setting this options also implicitly sets IndirectData. @end table diff --git a/doc/tincd.8 b/doc/tincd.8 index 1dbe280a..138d8116 100644 --- a/doc/tincd.8 +++ b/doc/tincd.8 @@ -33,8 +33,8 @@ Increase debug level (see below). \fB\-k\fR, \fB\-\-kill\fR Attempt to kill a running tincd and exit. .TP -\fB\-n\fR, \fB\-\-net\fR=\fINETNAME\fR -Connect to net NETNAME. +\fB\-n\fR, \fB\-\-net\fR=\fInetname\fR +Connect to net `netname'. .TP \fB\-K\fR, \fB\-\-generate-keys\fR[=\fIBITS]\fR Generate public/private RSA keypair and exit. If BITS is omitted, @@ -93,26 +93,26 @@ This will log all network traffic over the virtual private network. .PP .SH "FILES" .TP -\fI/etc/tinc//tinc.conf\fR +\fI/etc/tinc/\fBnetname\fI/tinc.conf\fR The configuration file for tincd. .TP -\fI/etc/tinc//tinc-up\fR +\fI/etc/tinc/\fBnetname\fI/tinc-up\fR Script which is executed as soon as a tap device has been allocated. Purpose is to further configure that device. .TP -\fI/etc/tinc//tinc-down\fR +\fI/etc/tinc/\fBnetname\fI/tinc-down\fR Script which is executed when tinc quits. Purpose is to shut down the tap device. .TP -\fI/etc/tinc//hosts/*\fR +\fI/etc/tinc/\fBnetname\fI/hosts/*\fR The directory containing the host configuration files used to authenticate other tinc daemons. +.TP +\fI/var/run/tinc.\fBnetname\fI.pid\fR +The PID of the currently running tincd is stored in this file. .PP .SH "BUGS" -Maintaining a connection list on each tinc daemon that can connect and disconnect at any -moment, and making sure that all connections satisfy the tree property isn't easy. Although -we have done a lot to make sure tinc is sturdy and foolproof, it might happen that -some connection lists get corrupted. +The TCPonly and IndirectData options may not work correctly. .PP \fBThe cryptography in tinc is not well tested yet. Use it at your own risk!\fR .PP