TINC.CONF(5)                BSD File Formats Manual               TINC.CONF(5)

NAME

     tinc.conf — tinc daemon configuration

DESCRIPTION

     The files in the /etc/tinc/ directory contain runtime and security
     information for the tinc daemon.

NETWORKS

     It is perfectly ok for you to run more than one tinc daemon.  However, in
     its default form, you will soon notice that you can't use two different
     configuration files without the -c option.

     We have thought of another way of dealing with this: network names.  This
     means that you call tincd with the -n option, which will assign a name to
     this daemon.

     The effect of this is that the daemon will set its configuration root to
     /etc/tinc/NETNAME/, where NETNAME is your argument to the -n option.
     You'll notice that messages appear in syslog as coming from
     tincd.NETNAME.

     However, it is not strictly necessary that you call tinc with the -n
     option.  In this case, the network name would just be empty, and it will
     be used as such.  tinc now looks for files in /etc/tinc/, instead of
     /etc/tinc/NETNAME/; the configuration file should be /etc/tinc/tinc.conf,
     and the host configuration files are now expected to be in
     /etc/tinc/hosts/.

     But it is highly recommended that you use this feature of tinc, because
     it will be so much clearer whom your daemon talks to.  Hence, we will
     assume that you use it.

NAMES

     Each tinc daemon must have a name that is unique in the network which it
     will be part of.  The name will be used by other tinc daemons for
     identification.  The name has to be declared in the
     /etc/tinc/NETNAME/tinc.conf file.

     To make things easy, choose something that will give unique and easy to
     remember names to your tinc daemon(s).  You could try things like
     hostnames, owner surnames or location names.

PUBLIC/PRIVATE KEYS

     You should use tincd -K to generate public/private keypairs.  It will
     generate two keys.  The private key should be stored in a separate file
     /etc/tinc/NETNAME/rsa_key.priv -- where NETNAME stands for the network
     (see NETWORKS above).  The public key should be stored in the host
     configuration file /etc/tinc/NETNAME/hosts/NAME -- where NAME stands for
     the name of the local tinc daemon (see NAMES).

SERVER CONFIGURATION

     The server configuration of the daemon is done in the file
     /etc/tinc/NETNAME/tinc.conf.  This file consists of comments (lines
     started with a #) or assignments in the form of:

     Variable = Value.

     The variable names are case insensitive, and any spaces, tabs, newlines
     and carriage returns are ignored.  Note: it is not required that you put
     in the = sign, but doing so improves readability.  If you leave it out,
     remember to replace it with at least one space character.

     The server configuration is complemented with host specific configuration
     (see the next section).  Although all configuration options for the local
     host listed in this document can also be put in
     /etc/tinc/NETNAME/tinc.conf, it is recommended to put host specific
     configuration options in the host configuration file, as this makes it
     easy to exchange with other nodes.

     Here are all valid variables, listed in alphabetical order.  The default
     value is given between parentheses.

     AddressFamily = ipv4 | ipv6 | any (any)
             This option affects the address family of listening and outgoing
             sockets.  If "any" is selected, then depending on the operating
             system both IPv4 and IPv6 or just IPv6 listening sockets will be
             created.

     BindToAddress = address [port] [experimental]
             If your computer has more than one IPv4 or IPv6 address, tinc
             will by default listen on all of them for incoming connections.
             Multiple BindToAddress variables may be specified, in which case
             listening sockets for each specified address are made.

             If no port is specified, the socket will be bound to the port
             specified by the Port option, or to port 655 if neither is given.
             To only bind to a specific port but not to a specific address,
             use * for the address.

             This option may not work on all platforms.

     BindToInterface = interface [experimental]
             If your computer has more than one network interface, tinc will
             by default listen on all of them for incoming connections.  It is
             possible to bind only to a single interface with this variable.

             This option may not work on all platforms.  Also, on some
             platforms it will not actually bind to an interface, but rather
             to the address that the interface has at the moment a socket is
             created.

     Broadcast = no | mst | direct (mst) [experimental]
             This option selects the way broadcast packets are sent to other
             daemons.  NOTE: all nodes in a VPN must use the same Broadcast
             mode, otherwise routing loops can form.

             no      Broadcast packets are never sent to other nodes.

             mst     Broadcast packets are sent and forwarded via the VPN's
                     Minimum Spanning Tree.  This ensures broadcast packets
                     reach all nodes.

             direct  Broadcast packets are sent directly to all nodes that can
                     be reached directly.  Broadcast packets received from
                     other nodes are never forwarded.  If the IndirectData
                     option is also set, broadcast packets will only be sent
                     to nodes which we have a meta connection to.

     ConnectTo = name
             Specifies which other tinc daemon to connect to on startup.
             Multiple ConnectTo variables may be specified, in which case
             outgoing connections to each specified tinc daemon are made.  The
             names should be known to this tinc daemon (i.e., there should be
             a host configuration file for the name on the ConnectTo line).

             If you don't specify a host with ConnectTo, tinc won't try to
             connect to other daemons at all, and will instead just listen for
             incoming connections.

     DecrementTTL = yes | no (no) [experimental]
             When enabled, tinc will decrement the Time To Live field in IPv4
             packets, or the Hop Limit field in IPv6 packets, before
             forwarding a received packet to the virtual network device or to
             another node, and will drop packets that have a TTL value of
             zero, in which case it will send an ICMP Time Exceeded packet
             back.

             Do not use this option if you use switch mode and want to use
             IPv6.

     Device = device (/dev/tap0, /dev/net/tun or other depending on platform)
             The virtual network device to use.  tinc will automatically
             detect what kind of device it is.  Note that you can only use one
             device per daemon.  Under Windows, use Interface instead of
             Device.  The info pages of the tinc package contain more
             information about configuring the virtual network device.

     DeviceType = type (platform dependent)
             The type of the virtual network device.  Tinc will normally
             automatically select the right type of tun/tap interface, and
             this option should not be used.  However, this option can be used
             to select one of the special interface types, if support for them
             is compiled in.

             dummy   Use a dummy interface.  No packets are ever read or
                     written to a virtual network device.  Useful for testing,
                     or when setting up a node that only forwards packets for
                     other nodes.

             raw_socket
                     Open a raw socket, and bind it to a pre-existing
                     Interface (eth0 by default).  All packets are read from
                     this interface.  Packets received for the local node are
                     written to the raw socket.  However, at least on Linux,
                     the operating system does not process IP packets destined
                     for the local host.

             multicast
                     Open a multicast UDP socket and bind it to the address
                     and port (separated by spaces) and optionally a TTL value
                     specified using Device.  Packets are read from and
                     written to this multicast socket.  This can be used to
                     connect to UML, QEMU or KVM instances listening on the
                     same multicast address.  Do NOT connect multiple tinc
                     daemons to the same multicast address, this will very
                     likely cause routing loops.  Also note that this can
                     cause decrypted VPN packets to be sent out on a real
                     network if misconfigured.

             uml (not compiled in by default)
                     Create a UNIX socket with the filename specified by
                     Device, or /var/run/NETNAME.umlsocket if not specified.
                     tinc will wait for a User Mode Linux instance to connect
                     to this socket.

             vde (not compiled in by default)
                     Uses the libvdeplug library to connect to a Virtual
                     Distributed Ethernet switch, using the UNIX socket
                     specified by Device, or /var/run/vde.ctl if not
                     specified.

             Also, in case tinc does not seem to correctly interpret packets
             received from the virtual network device, it can be used to
             change the way packets are interpreted:

             tun (BSD and Linux)
                     Set type to tun.  Depending on the platform, this can
                     either be with or without an address family header (see
                     below).

             tunnohead (BSD)
                     Set type to tun without an address family header.  Tinc
                     will expect packets read from the virtual network device
                     to start with an IP header.  On some platforms IPv6
                     packets cannot be read from or written to the device in
                     this mode.

             tunifhead (BSD)
                     Set type to tun with an address family header.  Tinc will
                     expect packets read from the virtual network device to
                     start with a four byte header containing the address
                     family, followed by an IP header.  This mode should
                     support both IPv4 and IPv6 packets.

             utun (OS X)
                     Set type to utun.  This is only supported on OS X version
                     10.6.8 and higher, but doesn't require the tuntaposx
                     module.  This mode should support both IPv4 and IPv6
                     packets.

             tap (BSD and Linux)
                     Set type to tap.  Tinc will expect packets read from the
                     virtual network device to start with an Ethernet header.

     DirectOnly = yes | no (no) [experimental]
             When this option is enabled, packets that cannot be sent directly
             to the destination node, but which would have to be forwarded by
             an intermediate node, are dropped instead.  When combined with
             the IndirectData option, packets for nodes with which we do not
             have a meta connection are also dropped.

     Forwarding = off | internal | kernel (internal) [experimental]
             This option selects the way indirect packets are forwarded.

             off     Incoming packets that are not meant for the local node,
                     but which should be forwarded to another node, are
                     dropped.

             internal
                     Incoming packets that are meant for another node are
                     forwarded by tinc internally.

                     This is the default mode, and unless you really know you
                     need another forwarding mode, don't change it.

             kernel  Incoming packets are always sent to the TUN/TAP device,
                     even if the packets are not for the local node.  This is
                     less efficient, but allows the kernel to apply its
                     routing and firewall rules on them, and can also help
                     debugging.

     GraphDumpFile = filename [experimental]
             If this option is present, tinc will dump the current network
             graph to the file filename every minute, unless there were no
             changes to the graph.  The file is in a format that can be read
             by graphviz tools.  If filename starts with a pipe symbol |, then
             the rest of the filename is interpreted as a shell command that
             is executed; the graph is then sent to its stdin.

     Hostnames = yes | no (no)
             This option selects whether IP addresses (both real and on the
             VPN) should be resolved.  Since DNS lookups are blocking, it
             might affect tinc's efficiency, even stopping the daemon for a
             few seconds every time it does a lookup if your DNS server is not
             responding.

             This does not affect resolving hostnames to IP addresses from the
             host configuration files, but whether hostnames should be
             resolved while logging.

     IffOneQueue = yes | no (no) [experimental]
             (Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.

     Interface = interface
             Defines the name of the interface corresponding to the virtual
             network device.  Depending on the operating system and the type
             of device this may or may not actually set the name of the
             interface.  Under Windows, this variable is used to select which
             network interface will be used.  If you specified a Device, this
             variable is almost always already correctly set.

     KeyExpire = seconds (3600)
             This option controls the period the encryption keys used to
             encrypt the data are valid.  It is common practice to change keys
             at regular intervals to make it even harder for crackers, even
             though it is thought to be nearly impossible to crack a single
             key.

     LocalDiscovery = yes | no (no) [experimental]
             When enabled, tinc will try to detect peers that are on the same
             local network.  This will allow direct communication using LAN
             addresses, even if both peers are behind a NAT and they only
             ConnectTo a third node outside the NAT, which normally would
             prevent the peers from learning each other's LAN address.

             Currently, local discovery is implemented by sending broadcast
             packets to the LAN during path MTU discovery.  This feature may
             not work in all possible situations.

     MACExpire = seconds (600)
             This option controls the amount of time MAC addresses are kept
             before they are removed.  This only has effect when Mode is set
             to "switch".

     MaxTimeout = seconds (900)
             This is the maximum delay before trying to reconnect to other
             tinc daemons.

     Mode = router | switch | hub (router)
             This option selects the way packets are routed to other daemons.

             router  In this mode Subnet variables in the host configuration
                     files will be used to form a routing table.  Only unicast
                     packets of routable protocols (IPv4 and IPv6) are
                     supported in this mode.

                     This is the default mode, and unless you really know you
                     need another mode, don't change it.

             switch  In this mode the MAC addresses of the packets on the VPN
                     will be used to dynamically create a routing table just
                     like an Ethernet switch does.  Unicast, multicast and
                     broadcast packets of every protocol that runs over
                     Ethernet are supported in this mode at the cost of
                     frequent broadcast ARP requests and routing table
                     updates.

                     This mode is primarily useful if you want to bridge
                     Ethernet segments.

             hub     This mode is almost the same as the switch mode, but
                     instead every packet will be broadcast to the other
                     daemons while no routing table is managed.

     Name = name [required]
             This is the name which identifies this tinc daemon.  It must be
             unique for the virtual private network this daemon will connect
             to.  The Name may only consist of alphanumeric and underscore
             characters.  If Name starts with a $, then the contents of the
             environment variable that follows will be used.  In that case,
             invalid characters will be converted to underscores.  If Name is
             $HOST, but no such environment variable exists, the hostname will
             be read using the gethostname() system call.

     PingInterval = seconds (60)
             The number of seconds of inactivity that tinc will wait before
             sending a probe to the other end.

     PingTimeout = seconds (5)
             The number of seconds to wait for a response to pings or to allow
             meta connections to block.  If the other end doesn't respond
             within this time, the connection is terminated, and the others
             will be notified of this.

     PriorityInheritance = yes | no (no) [experimental]
             When this option is enabled the value of the TOS field of
             tunneled IPv4 packets will be inherited by the UDP packets that
             are sent out.

     PrivateKey = key [obsolete]
             The private RSA key of this tinc daemon.  It will allow this tinc
             daemon to authenticate itself to other daemons.

     PrivateKeyFile = filename (/etc/tinc/NETNAME/rsa_key.priv)
             The file in which the private RSA key of this tinc daemon
             resides.

     ProcessPriority = low | normal | high
             When this option is used the priority of the tincd process will
             be adjusted.  Increasing the priority may help to reduce latency
             and packet loss on the VPN.

     Proxy = socks4 | socks5 | http | exec ... [experimental]
             Use a proxy when making outgoing connections.  The following
             proxy types are currently supported:

             socks4 address port [username]
                     Connects to the proxy using the SOCKS version 4 protocol.
                     Optionally, a username can be supplied which will be
                     passed on to the proxy server.  Only IPv4 connections can
                     be proxied using SOCKS 4.

             socks5 address port [username password]
                     Connect to the proxy using the SOCKS version 5 protocol.
                     If a username and password are given, basic
                     username/password authentication will be used, otherwise
                     no authentication will be used.

             http address port
                     Connects to the proxy and sends an HTTP CONNECT request.

             exec command
                     Executes the given command which should set up the
                     outgoing connection.  The environment variables NAME,
                     NODE, REMOTEADDRESS and REMOTEPORT are available.

     ReplayWindow = bytes (16)
             This is the size of the replay tracking window for each remote
             node, in bytes.  The window is a bitfield which tracks 1 packet
             per bit, so for example the default setting of 16 will track up
             to 128 packets in the window.  In high bandwidth scenarios,
             setting this to a higher value can reduce packet loss from the
             interaction of replay tracking with underlying real packet loss
             and/or reordering.  Setting this to zero will disable replay
             tracking completely and pass all traffic, but leaves tinc
             vulnerable to replay-based attacks on your traffic.

     StrictSubnets = yes | no (no) [experimental]
             When this option is enabled tinc will only use Subnet statements
             which are present in the host config files in the local
             /etc/tinc/NETNAME/hosts/ directory.  Subnets learned via
             connections to other nodes and which are not present in the local
             host config files are ignored.

     TunnelServer = yes | no (no) [experimental]
             When this option is enabled tinc will no longer forward
             information between other tinc daemons, and will only allow
             connections with nodes for which host config files are present in
             the local /etc/tinc/NETNAME/hosts/ directory.  Setting this
             option also implicitly sets StrictSubnets.

     UDPRcvBuf = bytes (OS default)
             Sets the socket receive buffer size for the UDP socket, in bytes.
             If unset, the default buffer size will be used by the operating
             system.

     UDPSndBuf = bytes (OS default)
             Sets the socket send buffer size for the UDP socket, in bytes.
             If unset, the default buffer size will be used by the operating
             system.
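
     The following is an added example, not part of the tinc distribution: a
     small auditor that reads a file using the assignment syntax described
     above and reports the settings this page itself warns about.  Cipher,
     Digest and MACLength are documented under HOST CONFIGURATION FILES; the
     sample input, the function names and the case-insensitive matching of
     "none" are assumptions of the example.

```python
import re

# "Variable = Value"; the "=" is optional but must then be replaced by whitespace.
_ASSIGN = re.compile(r"^([A-Za-z0-9_]+)(?:\s*=\s*|\s+)(.*)$")
_NAME_OK = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample input (not a real deployment).
SAMPLE = """\
# constructed sample for the audit example
Name = branch-office
ConnectTo = hub
replaywindow 0
Cipher=none
Digest = sha256
MACLength = 0
GraphDumpFile = |dot -Tpng -o /tmp/vpn.png
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAconstructedKeyMaterial==
-----END RSA PUBLIC KEY-----
"""


def parse_config(text):
    """Return [(lineno, variable_lowercased, value)] for tinc.conf or a host file."""
    entries, in_pem = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            in_pem = True  # PEM public key stored inside a host file
        if in_pem:
            # Base64 lines ending in "=" would otherwise look like assignments.
            if line.startswith("-----END"):
                in_pem = False
            continue
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            # Variable names are case insensitive, so normalise them.
            entries.append((lineno, m.group(1).lower(), m.group(2).strip()))
    return entries


def _int(value):
    try:
        return int(value)
    except ValueError:
        return None


def audit(entries):
    """Return [(lineno, variable, message)] for settings this page warns about."""
    findings = []
    for lineno, var, value in entries:
        v = value.lower()  # assumption: keyword values compared case-insensitively
        if var == "replaywindow" and _int(value) == 0:
            msg = "replay tracking disabled; replayed packets are accepted"
        elif var == "cipher" and v == "none":
            msg = "packet encryption is turned off"
        elif var == "digest" and v == "none":
            msg = "packet authentication is turned off"
        elif var == "maclength" and _int(value) == 0:
            msg = "zero-length MAC: UDP packets carry no authentication code"
        elif var == "privatekey":
            msg = "obsolete inline private key; use PrivateKeyFile instead"
        elif var == "devicetype" and v == "multicast":
            msg = "misconfiguration can put decrypted VPN packets on a real network"
        elif var == "graphdumpfile" and value.startswith("|"):
            msg = "value is run as a shell command; review it"
        elif var == "proxy" and v.split()[:1] == ["exec"]:
            msg = "outgoing connections are set up by an external command; review it"
        elif var == "name" and not value.startswith("$") and not _NAME_OK.match(value):
            msg = "Name may only contain alphanumeric and underscore characters"
        else:
            continue
        findings.append((lineno, var, msg))
    return findings


if __name__ == "__main__":
    for lineno, var, msg in audit(parse_config(SAMPLE)):
        print("line %d: %s: %s" % (lineno, var, msg))
```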

HOST CONFIGURATION FILES

     The host configuration files contain all information needed to establish
     a connection to those hosts.  A host configuration file is also required
     for the local tinc daemon; it will use it to read in its listen port,
     public key and subnets.

     The idea is that these files are portable.  You can safely mail your own
     host configuration file to someone else.  That other person can then copy
     it to his own hosts directory, and now his tinc daemon will be able to
     connect to your tinc daemon.  Since host configuration files only contain
     public keys, no secrets are revealed by sending out this information.

     Address = address [port] [recommended]
             The IP address or hostname of this tinc daemon on the real
             network.  This will only be used when trying to make an outgoing
             connection to this tinc daemon.  Optionally, a port can be
             specified to use for this address.  Multiple Address variables
             can be specified, in which case each address will be tried until
             a working connection has been established.

     Cipher = cipher (aes-256-cbc)
             The symmetric cipher algorithm used to encrypt UDP packets.  Any
             cipher supported by LibreSSL or OpenSSL is recognised.
             Furthermore, specifying "none" will turn off packet encryption.
             It is best to use only those ciphers which support CBC mode.

     ClampMSS = yes | no (yes)
             This option specifies whether tinc should clamp the maximum
             segment size (MSS) of TCP packets to the path MTU.  This helps in
             situations where ICMP Fragmentation Needed or Packet too Big
             messages are dropped by firewalls.

     Compression = level (0)
             This option sets the level of compression used for UDP packets.
             Possible values are 0 (off), 1 (fast zlib) and any integer up to
             9 (best zlib), 10 (fast lzo) and 11 (best lzo).

     Digest = digest (sha256)
             The digest algorithm used to authenticate UDP packets.  Any
             digest supported by LibreSSL or OpenSSL is recognised.
             Furthermore, specifying "none" will turn off packet
             authentication.

     IndirectData = yes | no (no)
             When set to yes, only nodes which already have a meta connection
             to you will try to establish direct communication with you.  It
             is best to leave this option out or set it to no.

     MACLength = length (4)
             The length of the message authentication code used to
             authenticate UDP packets.  Can be anything from "0" up to the
             length of the digest produced by the digest algorithm.

     PMTU = mtu (1514)
             This option controls the initial path MTU to this node.

     PMTUDiscovery = yes | no (yes)
             When this option is enabled, tinc will try to discover the path
             MTU to this node.  After the path MTU has been discovered, it
             will be enforced on the VPN.

     Port = port (655)
             The port number on which this tinc daemon is listening for
             incoming connections, which is used if no port number is
             specified in an Address statement.

     PublicKey = key [obsolete]
             The public RSA key of this tinc daemon.  It will be used to
             cryptographically verify its identity and to set up a secure
             connection.

     PublicKeyFile = filename [obsolete]
             The file in which the public RSA key of this tinc daemon resides.

             From version 1.0pre4 on tinc will store the public key directly
             into the host configuration file in PEM format, the above two
             options then are not necessary.  Either the PEM format is used,
             or exactly one of the above two options must be specified in each
             host configuration file, if you want to be able to establish a
             connection with that host.

     Subnet = address[/prefixlength[#weight]]
             The subnet which this tinc daemon will serve.  tinc tries to look
             up which other daemon it should send a packet to by searching the
             appropriate subnet.  If the packet matches a subnet, it will be
             sent to the daemon who has this subnet in his host configuration
             file.  Multiple Subnet variables can be specified.

             Subnets can either be single MAC, IPv4 or IPv6 addresses, in
             which case a subnet consisting of only that single address is
             assumed, or they can be an IPv4 or IPv6 network address with a
             prefixlength.  For example, IPv4 subnets must be in a form like
             192.168.1.0/24, where 192.168.1.0 is the network address and 24
             is the number of bits set in the netmask.  Note that subnets like
             192.168.1.1/24 are invalid!  Read a networking HOWTO/FAQ/guide if
             you don't understand this.  IPv6 subnets are notated like
             fec0:0:0:1::/64.  MAC addresses are notated like
             0:1a:2b:3c:4d:5e.

             A Subnet can be given a weight to indicate its priority over
             identical Subnets owned by different nodes.  The default weight
             is 10.  Lower values indicate higher priority.  Packets will be
             sent to the node with the highest priority, unless that node is
             not reachable, in which case the node with the next highest
             priority will be tried, and so on.

     TCPOnly = yes | no (no) [obsolete]
             If this variable is set to yes, then the packets are tunnelled
             over the TCP connection instead of a UDP connection.  This is
             especially useful for those who want to run a tinc daemon from
             behind a masquerading firewall, or if UDP packet routing is
             disabled somehow.  Setting this option also implicitly sets
             IndirectData.

             Since version 1.0.10, tinc will automatically detect whether
             communication via UDP is possible or not.
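
     The following is an added example, not code from tinc: it validates the
     Subnet notation described above, applies the weight rule for identical
     Subnets, and models the effect of StrictSubnets on announcements learned
     from other nodes.  The node names, the sample data and the per-node
     matching used for StrictSubnets are assumptions of the example.

```python
import ipaddress
import re

_MAC = re.compile(r"^[0-9A-Fa-f]{1,2}(:[0-9A-Fa-f]{1,2}){5}$")
DEFAULT_WEIGHT = 10  # default weight stated on this page

# Constructed sample data: Subnet lines from local host files, and
# (node, subnet) announcements learned over connections to other nodes.
LOCAL_HOSTS = {
    "alice": ["10.1.0.0/16"],
    "bob": ["10.2.0.0/16#5", "0:1a:2b:3c:4d:5e"],
}
LEARNED = [
    ("alice", "10.1.0.0/16"),
    ("bob", "10.2.0.0/16"),
    ("carol", "10.1.0.0/16#1"),  # not listed for carol in any local host file
    ("bob", "10.2.9.9/16"),      # invalid: host bits set
]


def parse_subnet(text):
    """Parse 'address[/prefixlength[#weight]]' into (canonical_subnet, weight).

    Raises ValueError for malformed input, including network addresses with
    host bits set such as 192.168.1.1/24.
    """
    addr, sep, weight = text.strip().partition("#")
    w = int(weight) if sep else DEFAULT_WEIGHT
    if _MAC.match(addr):
        # Normalise 0:1a:... to 00:1a:... so identical MACs compare equal.
        return ":".join("%02x" % int(p, 16) for p in addr.split(":")), w
    # strict=True rejects host bits; a bare address becomes /32 or /128.
    return str(ipaddress.ip_network(addr, strict=True)), w


def pick_owner(subnet, announcements, reachable):
    """Among nodes owning the identical subnet, return the reachable node with
    the lowest weight (lower value = higher priority), or None."""
    want, _ = parse_subnet(subnet)
    candidates = []
    for node, spec in announcements:
        try:
            net, weight = parse_subnet(spec)
        except ValueError:
            continue  # malformed announcements never compete
        if net == want and node in reachable:
            candidates.append((weight, node))
    # Ties are broken by node name here; the page does not define a tie-break.
    return min(candidates)[1] if candidates else None


def strict_filter(local_hosts, learned):
    """Model StrictSubnets = yes: use a learned (node, subnet) only if the same
    subnet appears in that node's local host file (weights are not compared)."""
    allowed = {(node, parse_subnet(s)[0])
               for node, subnets in local_hosts.items() for s in subnets}
    used, ignored = [], []
    for node, spec in learned:
        try:
            known = (node, parse_subnet(spec)[0]) in allowed
        except ValueError:
            known = False
        (used if known else ignored).append((node, spec))
    return used, ignored


if __name__ == "__main__":
    everyone = {"alice", "bob", "carol"}
    used, ignored = strict_filter(LOCAL_HOSTS, LEARNED)
    print("without StrictSubnets:", pick_owner("10.1.0.0/16", LEARNED, everyone))
    print("with StrictSubnets:   ", pick_owner("10.1.0.0/16", used, everyone))
    print("ignored:", ignored)
```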

SCRIPTS

     Apart from reading the server and host configuration files, tinc can also
     run scripts at certain moments.  Below is a list of filenames of scripts
     and a description of when they are run.  A script is only run if it
     exists and if it is executable.

     Scripts are run synchronously; this means that tinc will temporarily stop
     processing packets until the called script finishes executing.  This
     guarantees that scripts will execute in the exact same order as the
     events that trigger them.  If you need to run commands asynchronously,
     you have to ensure yourself that they are being run in the background.

     Under Windows (not Cygwin), the scripts must have the extension .bat.

     /etc/tinc/NETNAME/tinc-up
             This is the most important script.  If it is present it will be
             executed right after the tinc daemon has been started and has
             connected to the virtual network device.  It should be used to
             set up the corresponding network interface, but can also be used
             to start other things.

             Under Windows you can use the Network Connections control panel
             instead of creating this script.

     /etc/tinc/NETNAME/tinc-down
             This script is started right before the tinc daemon quits.

     /etc/tinc/NETNAME/hosts/HOST-up
             This script is started when the tinc daemon with name HOST
             becomes reachable.

     /etc/tinc/NETNAME/hosts/HOST-down
             This script is started when the tinc daemon with name HOST
             becomes unreachable.

     /etc/tinc/NETNAME/host-up
             This script is started when any host becomes reachable.

     /etc/tinc/NETNAME/host-down
             This script is started when any host becomes unreachable.

     /etc/tinc/NETNAME/subnet-up
             This script is started when a Subnet becomes reachable.  The
             Subnet and the node it belongs to are passed in environment
             variables.

     /etc/tinc/NETNAME/subnet-down
             This script is started when a Subnet becomes unreachable.

     The scripts are started without command line arguments, but can make use
     of certain environment variables.  Under UNIX like operating systems the
     names of environment variables must be preceded by a $ in scripts.  Under
     Windows, in .bat files, they have to be put between % signs.

     NETNAME
             If a netname was specified, this environment variable contains
             it.

     NAME    Contains the name of this tinc daemon.

     DEVICE  Contains the name of the virtual network device that tinc uses.

     INTERFACE
             Contains the name of the virtual network interface that tinc
             uses.  This should be used for commands like ifconfig.

     NODE    When a host becomes (un)reachable, this is set to its name.  If a
             subnet becomes (un)reachable, this is set to the owner of that
             subnet.

     REMOTEADDRESS
             When a host becomes (un)reachable, this is set to its real
             address.

     REMOTEPORT
             When a host becomes (un)reachable, this is set to the port number
             it uses for communication with other tinc daemons.

     SUBNET  When a subnet becomes (un)reachable, this is set to the subnet.

     WEIGHT  When a subnet becomes (un)reachable, this is set to the subnet
             weight.

     Do not forget that under UNIX operating systems, you have to make the
     scripts executable, using the command chmod a+x script.

FILES

     The most important files are:

     /etc/tinc/
             The top directory for configuration files.

     /etc/tinc/NETNAME/tinc.conf
             The default name of the server configuration file for net
             NETNAME.

     /etc/tinc/NETNAME/conf.d/
             Optional directory from which any *.conf file will be loaded.

     /etc/tinc/NETNAME/hosts/
             Host configuration files are kept in this directory.

     /etc/tinc/NETNAME/tinc-up
             If an executable file with this name exists, it will be executed
             right after the tinc daemon has connected to the virtual network
             device.  It can be used to set up the corresponding network
             interface.

     /etc/tinc/NETNAME/tinc-down
             If an executable file with this name exists, it will be executed
             right before the tinc daemon is going to close its connection to
             the virtual network device.

SEE ALSO

     tincd(8), https://www.tinc-vpn.org/, http://www.tldp.org/LDP/nag2/.

     The full documentation for tinc is maintained as a Texinfo manual.  If
     the info and tinc programs are properly installed at your site, the
     command info tinc should give you access to the complete manual.

     tinc comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
     are welcome to redistribute it under certain conditions; see the file
     COPYING for details.

                                 June 20, 2019