[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4. Configuration

4.1 Configuration introduction  
4.2 Multiple networks  
4.3 How connections work  
4.4 Configuration files  
4.5 Generating keypairs  
4.6 Network interfaces  
4.7 Example configuration  


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.1 Configuration introduction

Before actually starting to configure tinc and editing files, make sure you have read this entire section so you know what to expect. Then, make it clear to yourself how you want to organize your VPN: What are the nodes (computers running tinc)? What IP addresses/subnets do they have? What is the network mask of the entire VPN? Do you need special firewall rules? Do you have to set up masquerading or forwarding rules? These questions can only be answered by yourself, you will not find the answers in this documentation. Make sure you have an adequate understanding of networks in general. A good resource on networking is the Linux Network Administrators Guide.

If you have everything clearly pictured in your mind, proceed in the following order: First, generate the configuration files (`tinc.conf', your host configuration file, `tinc-up' and perhaps `tinc-down'). Then generate the keypairs. Finally, distribute the host configuration files. These steps are described in the subsections below.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.2 Multiple networks

In order to allow you to run more than one tinc daemon on one computer, for instance if your computer is part of more than one VPN, you can assign a "netname" to your VPN. It is not required if you only run one tinc daemon, it doesn't even have to be the same on all the sites of your VPN, but it is recommended that you choose one anyway.

We will asume you use a netname throughout this document. This means that you call tincd with the -n argument, which will assign a netname to this daemon.

The effect of this is that the daemon will set its configuration "root" to /etc/tinc/netname/, where netname is your argument to the -n option. You'll notice that it appears in syslog as "tinc.netname".

However, it is not strictly necessary that you call tinc with the -n option. In this case, the network name would just be empty, and it will be used as such. tinc now looks for files in /etc/tinc/, instead of /etc/tinc/netname/; the configuration file should be /etc/tinc/tinc.conf, and the host configuration files are now expected to be in /etc/tinc/hosts/.

But it is highly recommended that you use this feature of tinc, because it will be so much clearer whom your daemon talks to. Hence, we will assume that you use it.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.3 How connections work

When tinc starts up, it parses the command-line options and then reads in the configuration file. If it sees a `ConnectTo' value pointing to another tinc daemon in the file, it will try to connect to that other one. Whether this succeeds or not and whether `ConnectTo' is specified or not, tinc will listen for incoming connection from other deamons. If you did specify a `ConnectTo' value and the other side is not responding, tinc will keep retrying. This means that once started, tinc will stay running until you tell it to stop, and failures to connect to other tinc daemons will not stop your tinc daemon for trying again later. This means you don't have to intervene if there are any network problems.

There is no real distinction between a server and a client in tinc. If you wish, you can view a tinc daemon without a `ConnectTo' value as a server, and one which does specify such a value as a client. It does not matter if two tinc daemons have a `ConnectTo' value pointing to eachother however.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.4 Configuration files

The actual configuration of the daemon is done in the file `/etc/tinc/netname/tinc.conf' and at least one other file in the directory `/etc/tinc/netname/hosts/'.

These file consists of comments (lines started with a #) or assignments in the form of

 
Variable = Value.

The variable names are case insensitive, and any spaces, tabs, newlines and carriage returns are ignored. Note: it is not required that you put in the `=' sign, but doing so improves readability. If you leave it out, remember to replace it with at least one space character.

In this section all valid variables are listed in alphabetical order. The default value is given between parentheses, other comments are between square brackets and required directives are given in bold.

4.4.1 Main configuration variables  
4.4.2 Host configuration variables  
4.4.3 How to configure  


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.4.1 Main configuration variables

AddressFamily = <ipv4|ipv6|any> (ipv4) [experimental]
This option affects the address family of listening and outgoing sockets. If "any" is selected, then depending on the operating system both IPv4 and IPv6 or just IPv6 listening sockets will be created.

BindToInterface = <interface> [experimental]
If you have more than one network interface in your computer, tinc will by default listen on all of them for incoming connections. It is possible to bind tinc to a single interface like eth0 or ppp0 with this variable.

This option may not work on all platforms.

ConnectTo = <name>
Specifies which host to connect to on startup. Multiple ConnectTo variables may be specified, if connecting to the first one fails then tinc will try the next one, and so on. It is possible to specify hostnames for dynamic IP addresses (like those given on dyndns.org), tinc will not cache the resolved IP address.

If you don't specify a host with ConnectTo, regardless of whether a value for ConnectPort is given, tinc won't connect at all, and will instead just listen for incoming connections.

Device = <device> (/dev/tap0 or /dev/misc/net/tun)
The virtual network device to use. Note that you can only use one device per daemon. See also 3.2.1 Device files.

Hostnames = <yes|no> (no)
This option selects whether IP addresses (both real and on the VPN) should be resolved. Since DNS lookups are blocking, it might affect tinc's efficiency, even stopping the daemon for a few seconds everytime it does a lookup if your DNS server is not responding.

This does not affect resolving hostnames to IP addresses from the configuration file.

Interface = <interface>
Defines the name of the interface corresponding to the virtual network device. Depending on the operating system and the type of device this may or may not actually set the name. Currently this option only affects the Linux tun/tap device.

Mode = <router|switch|hub> (router)
This option selects the way packets are routed to other daemons.

router
In this mode Subnet variables in the host configuration files will be used to form a routing table. Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.

switch
In this mode the MAC addresses of the packets on the VPN will be used to dynamically create a routing table just like an Ethernet switch does. Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode at the cost of frequent broadcast ARP requests and routing table updates.

hub
This mode is almost the same as the switch mode, but instead every packet will be broadcast to the other daemons while no routing table is managed.

KeyExpire = <seconds> (3600)
This option controls the time the encryption keys used to encrypt the data are valid. It is common practice to change keys at regular intervals to make it even harder for crackers, even though it is thought to be nearly impossible to crack a single key.

MACExpire = <seconds> (600)
This option controls the amount of time MAC addresses are kept before they are removed. This only has effect when Mode is set to "switch".

Name = <name>
This is a symbolic name for this connection. It can be anything

PingTimeout = <seconds> (60)
The number of seconds of inactivity that tinc will wait before sending a probe to the other end. If that other end doesn't answer within that same amount of seconds, the connection is terminated, and the others will be notified of this.

PriorityInheritance = <yes|no> (no) [experimental]
When this option is enabled the value of the TOS field of tunneled IPv4 packets will be inherited by the UDP packets that are sent out.

PrivateKey = <key> [obsolete]
This is the RSA private key for tinc. However, for safety reasons it is advised to store private keys of any kind in separate files. This prevents accidental eavesdropping if you are editting the configuration file.

PrivateKeyFile = <path> [recommended]
This is the full path name of the RSA private key file that was generated by "tincd --generate-keys". It must be a full path, not a relative directory.

Note that there must be exactly one of PrivateKey or PrivateKeyFile specified in the configuration file.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.4.2 Host configuration variables

Address = <IP address|hostname> [recommended]
This variable is only required if you want to connect to this host. It must resolve to the external IP address where the host can be reached, not the one that is internal to the VPN.

Cipher = <cipher> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets. Any cipher supported by OpenSSL is recognized.

Compression = <level> (0)
This option sets the level of compression used for UDP packets. Possible values are 0 (off), 1 (fast) and any integer up to 9 (best).

Digest = <digest> (sha1)
The digest algorithm used to authenticate UDP packets. Any digest supported by OpenSSL is recognized. Furthermore, specifying "none" will turn off packet authentication.

IndirectData = <yes|no> (no)
This option specifies whether other tinc daemons besides the one you specified with ConnectTo can make a direct connection to you. This is especially useful if you are behind a firewall and it is impossible to make a connection from the outside to your tinc daemon. Otherwise, it is best to leave this option out or set it to no.

MACLength = <length> (4)
The length of the message authentication code used to authenticate UDP packets. Can be anything from 0 up to the length of the digest produced by the digest algorithm.

Port = <port> (655)
Connect to the upstream host (given with the ConnectTo directive) on port port. port may be given in decimal (default), octal (when preceded by a single zero) o hexadecimal (prefixed with 0x). port is the port number for both the UDP and the TCP (meta) connections.

PublicKey = <key> [obsolete]
This is the RSA public key for this host.

PublicKeyFile = <path> [obsolete]
This is the full path name of the RSA public key file that was generated by "tincd --generate-keys". It must be a full path, not a relative directory.

From version 1.0pre4 on tinc will store the public key directly into the host configuration file in PEM format, the above two options then are not necessary. Either the PEM format is used, or exactly one of the above two options must be specified in each host configuration file, if you want to be able to establish a connection with that host.

Subnet = <address[/prefixlength]>
The subnet which this tinc daemon will serve. tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet. If the packet matches a subnet, it will be sent to the daemon who has this subnet in his host configuration file. Multiple subnet lines can be specified for each daemon.

Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single address is assumed, or they can be a IPv4 or IPv6 network address with a prefixlength. Shorthand notations are not supported. For example, IPv4 subnets must be in a form like 192.168.1.0/24, where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask. Note that subnets like 192.168.1.1/24 are invalid! Read a networking HOWTO/FAQ/guide if you don't understand this. IPv6 subnets are notated like fec0:0:0:1:0:0:0:0/64. MAC addresses are notated like 0:1a:2b:3c:4d:5e.

prefixlength is the number of bits set to 1 in the netmask part; for example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes /22. This conforms to standard CIDR notation as described in RFC1519

TCPonly = <yes|no> (no) [experimental]
If this variable is set to yes, then the packets are tunnelled over a TCP connection instead of a UDP connection. This is especially useful for those who want to run a tinc daemon from behind a masquerading firewall, or if UDP packet routing is disabled somehow. Setting this options also implicitly sets IndirectData.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.4.3 How to configure

Step 1. Creating the main configuration file

The main configuration file will be called `/etc/tinc/netname/tinc.conf'. Adapt the following example to create a basic configuration file:

 
Name = yourname
Device = /dev/tap0
PrivateKeyFile = /etc/tinc/netname/rsa_key.priv

Then, if you know to which other tinc daemon(s) yours is going to connect, add `ConnectTo' values.

Step 2. Creating your host configuration file

If you added a line containing `Name = yourname' in the main configuarion file, you will need to create a host configuration file `/etc/tinc/netname/hosts/yourname'. Adapt the following example to create a host configuration file:

 
Address = your.real.hostname.org
Subnet = 192.168.1.0/24

You can also use an IP address instead of a hostname. The `Subnet' specifies the address range that is local for your part of the VPN only. If you have multiple address ranges you can specify more than one `Subnet'. You might also need to add a `Port' if you want your tinc daemon to run on a different port number than the default (655).


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.5 Generating keypairs

Now that you have already created the main configuration file and your host configuration file, you can easily create a public/private keypair by entering the following command:

 
tincd -n netname -K

tinc will generate a public and a private key and ask you where to put them. Just press enter to accept the defaults.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.6 Network interfaces

Before tinc can start transmitting data over the tunnel, it must set up the virtual network interface.

First, decide which IP addresses you want to have associated with these devices, and what network mask they must have.

tinc will open a virtual network device (`/dev/tun', `/dev/tap0' or similar), which will also create a network interface called something like `tun0', `tap0', or, if you are using the Linux tun/tap driver, the network interface will by default have the same name as the netname.

You can configure the network interface by putting ordinary ifconfig, route, and other commands to a script named `/etc/tinc/netname/tinc-up'. When tinc starts, this script will be executed. When tinc exits, it will execute the script named `/etc/tinc/netname/tinc-down', but normally you don't need to create that script.

An example `tinc-up' script:

 
#!/bin/sh
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
ifconfig $INTERFACE -arp

The first line sets up the MAC address of the network interface. Due to the nature of how Ethernet and tinc work, it has to be set to fe:fd:0:0:0:0 for tinc to work in it's normal mode. If you configured tinc to work in `switch' or `hub' mode, the hardware address should instead be set to a unique address instead of fe:fd:0:0:0:0.

You can use the environment variable $INTERFACE to get the name of the interface. However, this might not be reliable. If in doubt, use the name of the interface explicitly.

The next line gives the interface an IP address and a netmask. The kernel will also automatically add a route to this interface, so normally you don't need to add route commands to the `tinc-up' script. The kernel will also bring the interface up after this command. The netmask is the mask of the entire VPN network, not just your own subnet.

The last line tells the kernel not to use ARP on that interface. Again this has to do with how Ethernet and tinc work. Use this option only if you are running tinc under Linux and are using tinc's normal routing mode.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.7 Example configuration

Imagine the following situation. Branch A of our example `company' wants to connect three branch offices in B, C and D using the Internet. All four offices have a 24/7 connection to the Internet.

A is going to serve as the center of the network. B and C will connect to A, and D will connect to C. Each office will be assigned their own IP network, 10.x.0.0.

 
A: net 10.1.0.0 mask 255.255.0.0 gateway 10.1.54.1 internet IP 1.2.3.4
B: net 10.2.0.0 mask 255.255.0.0 gateway 10.2.1.12 internet IP 2.3.4.5
C: net 10.3.0.0 mask 255.255.0.0 gateway 10.3.69.254 internet IP 3.4.5.6
D: net 10.4.0.0 mask 255.255.0.0 gateway 10.4.3.32 internet IP 4.5.6.7

"gateway" is the VPN IP address of the machine that is running the tincd. "internet IP" is the IP address of the firewall, which does not need to run tincd, but it must do a port forwarding of TCP&UDP on port 655 (unless otherwise configured).

In this example, it is assumed that eth0 is the interface that points to the inner (physical) LAN of the office, although this could also be the same as the interface that leads to the Internet. The configuration of the real interface is also shown as a comment, to give you an idea of how these example host is set up. All branches use the netname `company' for this particular VPN.

For Branch A

BranchA would be configured like this:

In `/etc/tinc/company/tinc-up':

 
# Real interface of internal network:
# ifconfig eth0 10.1.54.1 netmask 255.255.0.0 broadcast 10.1.255.255

ifconfig tap0 hw ether fe:fd:0:0:0:0
ifconfig tap0 10.1.54.1 netmask 255.0.0.0
ifconfig tap0 -arp

and in `/etc/tinc/company/tinc.conf':

 
Name = BranchA
PrivateKey = /etc/tinc/company/rsa_key.priv
Device = /dev/tap0

On all hosts, /etc/tinc/company/hosts/BranchA contains:

 
Subnet = 10.1.0.0/16
Address = 1.2.3.4

Note that the IP addresses of eth0 and tap0 are the same.
This is quite possible, if you make sure that the netmasks of the interfaces are different.
It is in fact recommended to give give both real internal network interfaces and tap interfaces the same IP address,
since that will make things a lot easier to remember and set up.

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

For Branch B

In `/etc/tinc/company/tinc-up':

 
# Real interface of internal network:
# ifconfig eth0 10.2.43.8 netmask 255.255.0.0 broadcast 10.2.255.255

ifconfig tap0 hw ether fe:fd:0:0:0:0
ifconfig tap0 10.2.1.12 netmask 255.0.0.0
ifconfig tap0 -arp

and in `/etc/tinc/company/tinc.conf':

 
Name = BranchB
ConnectTo = BranchA
PrivateKey = /etc/tinc/company/rsa_key.priv

Note here that the internal address (on eth0) doesn't have to be the same as on the tap0 device. Also, ConnectTo is given so that no-one can connect to this node.

On all hosts, in `/etc/tinc/company/hosts/BranchB':

 
Subnet = 10.2.0.0/16
Address = 2.3.4.5

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

For Branch C

In `/etc/tinc/company/tinc-up':

 
# Real interface of internal network:
# ifconfig eth0 10.3.69.254 netmask 255.255.0.0 broadcast 10.3.255.255

ifconfig tap1 hw ether fe:fd:0:0:0:0
ifconfig tap1 10.3.69.254 netmask 255.0.0.0
ifconfig tap1 -arp

and in `/etc/tinc/company/tinc.conf':

 
Name = BranchC
ConnectTo = BranchA
Device = /dev/tap1

C already has another daemon that runs on port 655, so they have to reserve another port for tinc. It knows the portnumber it has to listen on from it's own host configuration file.

On all hosts, in `/etc/tinc/company/hosts/BranchC':

 
Address = 3.4.5.6
Subnet = 10.3.0.0/16
Port = 2000

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

For Branch D

In `/etc/tinc/company/tinc-up':

 
# Real interface of internal network:
# ifconfig eth0 10.4.3.32 netmask 255.255.0.0 broadcast 10.4.255.255

ifconfig company hw ether fe:fd:0:0:0:0
ifconfig company 10.4.3.32 netmask 255.0.0.0
ifconfig company -arp

and in `/etc/tinc/company/tinc.conf':

 
Name = BranchD
ConnectTo = BranchC
Device = /dev/misc/net/tun
PrivateKeyFile = /etc/tinc/company/rsa_key.priv

D will be connecting to C, which has a tincd running for this network on port 2000. It knows the port number from the host configuration file. Also note that since D uses the tun/tap driver, the network interface will not be called `tun' or `tap0' or something like that, but will have the same name as netname.

On all hosts, in `/etc/tinc/company/hosts/BranchD':

 
Subnet = 10.4.0.0/16
Address = 4.5.6.7

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

Key files

A, B, C and D all have generated a public/private keypair with the following command:

 
tincd -n company -K

The private key is stored in `/etc/tinc/company/rsa_key.priv', the public key is put into the host configuration file in the `/etc/tinc/company/hosts/' directory. During key generation, tinc automatically guesses the right filenames based on the -n option and the Name directive in the `tinc.conf' file (if it is available).

Starting

After each branch has finished configuration and they have distributed the host configuration files amongst them, they can start their tinc daemons. They don't necessarily have to wait for the other branches to have started their daemons, tinc will try connecting until they are available.


[ << ] [ >> ]           [Top] [Contents] [Index] [ ? ]

This document was generated by luser on April, 9 2002 using texi2html