TINCD(8)                  BSD System Manager's Manual                 TINCD(8)

tincd — tinc VPN daemon

tincd [-cdDkKnLRU] [--config=DIR] [--no-detach] [--debug[=LEVEL]]
      [--kill[=SIGNAL]] [--net=NETNAME] [--generate-keys[=BITS]]
      [--mlock] [--logfile[=FILE]] [--pidfile=FILE] [--bypass-security]
      [--chroot] [--user=USER] [--help] [--version]

This is the daemon of tinc, a secure virtual private network (VPN) project.
When started, tincd will read its configuration file to determine what
virtual subnets it has to serve and to what other tinc daemons it should
connect. It will connect to the ethertap or tun/tap device and set up a
socket for incoming connections. Optionally a script will be executed to
further configure the virtual device. If that succeeds, it will detach from
the controlling terminal and continue in the background, accepting and
setting up connections to other tinc daemons that are part of the virtual
private network. Under Windows (not Cygwin) tinc will install itself as a
service, which will be restarted automatically after reboots.

-c, --config=DIR
        Read configuration files from DIR instead of /etc/tinc/.

-D, --no-detach
        Don't fork and detach. This will also disable the automatic
        restart mechanism for fatal errors. If not mentioned otherwise,
        this will show log messages on the standard error output.

-d, --debug[=LEVEL]
        Increase debug level or set it to LEVEL (see below).

-k, --kill[=SIGNAL]
        Attempt to kill a running tincd (optionally with the specified
        SIGNAL instead of SIGTERM) and exit. Under Windows (not Cygwin)
        the optional argument is ignored; the service will always be
        stopped and removed.

-n, --net=NETNAME
        Connect to net NETNAME. This will let tinc read all configuration
        files from /etc/tinc/NETNAME. Specifying . for NETNAME is the same
        as not specifying any NETNAME.

-K, --generate-keys[=BITS]
        Generate public/private RSA keypair and exit. If BITS is omitted,
        the default length will be 2048 bits. When saving keys to existing
        files, tinc will not delete the old keys; you have to remove them
        manually.

-L, --mlock
        Lock tinc into main memory. This will prevent sensitive data like
        shared private keys from being written to the system swap
        files/partitions.

--logfile[=FILE]
        Write log entries to a file instead of to the system logging
        facility. If FILE is omitted, the default is
        /var/log/tinc.NETNAME.log.

--pidfile=FILE
        Write PID to FILE instead of /var/run/tinc.NETNAME.pid. Under
        Windows this option will be ignored.

--bypass-security
        Disables encryption and authentication of the meta protocol.
        Only useful for debugging.

-R, --chroot
        With this option tinc chroots into the directory where network
        config is located (/etc/tinc/NETNAME if -n option is used, or to
        the directory specified with -c option) after initialization.

-U, --user=USER
        setuid to the specified USER after initialization.

--help
        Display short list of options.

--version
        Output version information and exit.

ALRM    Forces tincd to try to connect to all uplinks immediately. Usually
        tincd attempts to do this itself, but increases the time it waits
        between the attempts each time it failed, and if tincd did not
        succeed in connecting to an uplink the first time after it started,
        it defaults to the maximum time of 15 minutes.

HUP     Partially rereads configuration files. Connections to hosts whose
        host config files have been removed are closed. New outgoing
        connections specified in tinc.conf will be made. If the --logfile
        option is used, this will also close and reopen the log file,
        useful when log rotation is used.

INT     Temporarily increases debug level to 5. Send this signal again to
        revert to the original level.

USR1    Dumps the connection list to syslog.

USR2    Dumps virtual network device statistics, all known nodes, edges
        and subnets to syslog.

WINCH   Purges all information remembered about unreachable nodes.

The tinc daemon can send a lot of messages to the syslog. The higher the
debug level, the more messages it will log. Each level inherits all messages
of the previous level:

0       This will log a message indicating tincd has started along with a
        version number. It will also log any serious error.

1       This will log all connections that are made with other tinc
        daemons.

2       This will log status and error messages from scripts and other
        tinc daemons.

3       This will log all requests that are exchanged with other tinc
        daemons. These include authentication, key exchange and connection
        list updates.

4       This will log a copy of everything received on the meta socket.

5       This will log all network traffic over the virtual private network.

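A check for the security-relevant options and debug levels described above, as an added example that is not part of the tinc manual or code base: it walks a tincd argument list and reports a missing --chroot, --user or --mlock, the presence of --bypass-security, and a debug level of 4 or higher. The function name, the finding labels, the choice of which options to require and the getopt-style handling of clustered short options are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from tinc): audit a tincd argument list against the
# options documented above. Prints one finding per line, nothing if clean.
# Assumes getopt conventions: optional arguments are attached (-d5,
# --debug=5); required ones (-c, -n, -U) may be attached or separate.
audit_tincd_args() {
    chroot=0 user=0 mlock=0 bypass=0 debug=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            --chroot) chroot=1 ;;
            --mlock) mlock=1 ;;
            --user=*) user=1 ;;
            --bypass-security) bypass=1 ;;
            --debug) debug=$((debug + 1)) ;;
            --debug=*) lvl=${arg#--debug=}
                case $lvl in ''|*[!0-9]*) ;; *) debug=$lvl ;; esac ;;
            --*) ;;                          # other long options: ignored here
            -?*) flags=${arg#-}
                while [ -n "$flags" ]; do    # walk a cluster such as -RLd5
                    rest=${flags#?}; f=${flags%"$rest"}; flags=$rest
                    case $f in
                        R) chroot=1 ;;
                        L) mlock=1 ;;
                        d) case $flags in
                               ''|*[!0-9]*) debug=$((debug + 1)) ;;
                               *) debug=$flags; flags= ;;
                           esac ;;
                        U|c|n) [ "$f" = U ] && user=1
                               # required argument: rest of cluster or next word
                               if [ -z "$flags" ] && [ $# -gt 0 ]; then shift; fi
                               flags= ;;
                        k|K) flags= ;;       # optional attached argument
                    esac
                done ;;
        esac
    done
    [ "$bypass" -eq 0 ] || echo "bypass-security: meta protocol runs without encryption or authentication"
    [ "$chroot" -eq 1 ] || echo "no-chroot: daemon is not confined to its config directory"
    [ "$user" -eq 1 ]   || echo "no-user: daemon does not setuid after initialization"
    [ "$mlock" -eq 1 ]  || echo "no-mlock: key material may reach swap"
    [ "$debug" -lt 4 ]  || echo "debug-$debug: meta socket or VPN traffic is copied to the log"
    return 0
}

# Constructed sample invocations (not taken from a real deployment):
audit_tincd_args -n office -RL -U nobody
audit_tincd_args --net=lab --bypass-security -d5
```
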
/etc/tinc/
        Directory containing the configuration files tinc uses. For more
        information, see tinc.conf(5).

/var/run/tinc.NETNAME.pid
        The PID of the currently running tincd is stored in this file.

The BindToInterface option may not work correctly.

The cryptography in tinc is not well tested yet. Use it at your own risk!

If you find any bugs, report them to tinc@tinc-vpn.org.

A lot, especially security auditing.

tinc.conf(5), http://www.tinc-vpn.org/, http://www.cabal.org/.

The full documentation for tinc is maintained as a Texinfo manual. If the
info and tinc programs are properly installed at your site, the command
info tinc should give you access to the complete manual.

tinc comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under certain conditions; see the file COPYING
for details.

Ivo Timmermans
Guus Sliepen <guus@tinc-vpn.org>

And thanks to many others for their contributions to tinc!

June 22, 2019