1TINC.CONF(5) BSD File Formats Manual TINC.CONF(5)
2
4 tinc.conf — tinc daemon configuration
5
7 The files in the /etc/tinc/ directory contain runtime and security infor‐
8 mation for the tinc daemon.
9
11 It is perfectly ok for you to run more than one tinc daemon. However, in
12 its default form, you will soon notice that you can't use two different
13 configuration files without the -c option.
14
15 We have thought of another way of dealing with this: network names. This
16 means that you call tinc.conf with the -n option, which will assign a
17 name to this daemon.
18
19 The effect of this is that the daemon will set its configuration root to
20 /etc/tinc/NETNAME/, where NETNAME is your argument to the -n option.
21 You'll notice that messages appear in syslog as coming from
22 tincd.NETNAME.
23
24 However, it is not strictly necessary that you call tinc with the -n
25 option. In this case, the network name would just be empty, and it will
26 be used as such. tinc now looks for files in /etc/tinc/, instead of
27 /etc/tinc/NETNAME/; the configuration file should be /etc/tinc/tinc.conf,
28 and the host configuration files are now expected to be in
29 /etc/tinc/hosts/.
30
31 But it is highly recommended that you use this feature of tinc, because
32 it will be so much clearer whom your daemon talks to. Hence, we will
33 assume that you use it.
34
36 Each tinc daemon must have a name that is unique in the network which it
37 will be part of. The name will be used by other tinc daemons for identi‐
38 fication. The name has to be declared in the /etc/tinc/NETNAME/tinc.conf
39 file.
40
41 To make things easy, choose something that will give unique and easy to
42 remember names to your tinc daemon(s). You could try things like host‐
43 names, owner surnames or location names.
44
46 You should use tincd -K to generate public/private keypairs. It will
47 generate two keys. The private key should be stored in a separate file
48 /etc/tinc/NETNAME/rsa_key.priv -- where NETNAME stands for the network
49 (see NETWORKS) above. The public key should be stored in the host con‐
50 figuration file /etc/tinc/NETNAME/hosts/NAME -- where NAME stands for the
51 name of the local tinc daemon (see NAMES).
52
54 The server configuration of the daemon is done in the file
55 /etc/tinc/NETNAME/tinc.conf. This file consists of comments (lines
56 started with a #) or assignments in the form of:
57
58 Variable = Value.
59
60 The variable names are case insensitive, and any spaces, tabs, newlines
61 and carriage returns are ignored. Note: it is not required that you put
62 in the = sign, but doing so improves readability. If you leave it out,
63 remember to replace it with at least one space character.
64
65 The server configuration is complemented with host specific configuration
66 (see the next section). Although all configuration options for the local
67 host listed in this document can also be put in
68 /etc/tinc/NETNAME/tinc.conf, it is recommended to put host specific con‐
69 figuration options in the host configuration file, as this makes it easy
70 to exchange with other nodes.
71
72 Here are all valid variables, listed in alphabetical order. The default
73 value is given between parentheses.
74
75 AddressFamily = ipv4 | ipv6 | any (any)
76 This option affects the address family of listening and outgoing
77 sockets. If "any" is selected, then depending on the operating
78 system both IPv4 and IPv6 or just IPv6 listening sockets will be
79 created.
80
81 BindToAddress = address [port] [experimental]
82 If your computer has more than one IPv4 or IPv6 address, tinc
83 will by default listen on all of them for incoming connections.
84 Multiple BindToAddress variables may be specified, in which case
85 listening sockets for each specified address are made.
86
87 If no port is specified, the socket will be bound to the port
88 specified by the Port option, or to port 655 if neither is given.
89 To only bind to a specific port but not to a specific address,
90 use * for the address.
91
92 This option may not work on all platforms.
93
94 BindToInterface = interface [experimental]
95 If your computer has more than one network interface, tinc will
96 by default listen on all of them for incoming connections. It is
97 possible to bind only to a single interface with this variable.
98
99 This option may not work on all platforms. Also, on some plat‐
100 forms it will not actually bind to an interface, but rather to
101 the address that the interface has at the moment a socket is cre‐
102 ated.
103
104 Broadcast = no | mst | direct (mst) [experimental]
105 This option selects the way broadcast packets are sent to other
106 daemons. NOTE: all nodes in a VPN must use the same Broadcast
107 mode, otherwise routing loops can form.
108
109 no Broadcast packets are never sent to other nodes.
110
111 mst Broadcast packets are sent and forwarded via the VPN's
112 Minimum Spanning Tree. This ensures broadcast packets
113 reach all nodes.
114
115 direct Broadcast packets are sent directly to all nodes that can
116 be reached directly. Broadcast packets received from
117 other nodes are never forwarded. If the IndirectData
118 option is also set, broadcast packets will only be sent
119 to nodes which we have a meta connection to.
120
121 ConnectTo = name
122 Specifies which other tinc daemon to connect to on startup. Mul‐
123 tiple ConnectTo variables may be specified, in which case outgo‐
124 ing connections to each specified tinc daemon are made. The
125 names should be known to this tinc daemon (i.e., there should be
126 a host configuration file for the name on the ConnectTo line).
127
128 If you don't specify a host with ConnectTo, tinc won't try to
129 connect to other daemons at all, and will instead just listen for
130 incoming connections.
131
132 DecrementTTL = yes | no (no) [experimental]
133 When enabled, tinc will decrement the Time To Live field in IPv4
134 packets, or the Hop Limit field in IPv6 packets, before forward‐
135 ing a received packet to the virtual network device or to another
136 node, and will drop packets that have a TTL value of zero, in
137 which case it will send an ICMP Time Exceeded packet back.
138
139 Do not use this option if you use switch mode and want to use
140 IPv6.
141
142 Device = device (/dev/tap0, /dev/net/tun or other depending on platform)
143 The virtual network device to use. tinc will automatically
144 detect what kind of device it is. Note that you can only use one
145 device per daemon. Under Windows, use Interface instead of
146 Device. The info pages of the tinc package contain more informa‐
147 tion about configuring the virtual network device.
148
149 DeviceType = type (platform dependent)
150 The type of the virtual network device. Tinc will normally auto‐
151 matically select the right type of tun/tap interface, and this
152 option should not be used. However, this option can be used to
153 select one of the special interface types, if support for them is
154 compiled in.
155
156 dummy Use a dummy interface. No packets are ever read or writ‐
157 ten to a virtual network device. Useful for testing, or
158 when setting up a node that only forwards packets for
159 other nodes.
160
161 raw_socket
162 Open a raw socket, and bind it to a pre-existing
163 Interface (eth0 by default). All packets are read from
164 this interface. Packets received for the local node are
165 written to the raw socket. However, at least on Linux,
166 the operating system does not process IP packets destined
167 for the local host.
168
169 multicast
170 Open a multicast UDP socket and bind it to the address
171 and port (separated by spaces) and optionally a TTL value
172 specified using Device. Packets are read from and writ‐
173 ten to this multicast socket. This can be used to con‐
174 nect to UML, QEMU or KVM instances listening on the same
175 multicast address. Do NOT connect multiple tinc daemons
176 to the same multicast address, this will very likely
177 cause routing loops. Also note that this can cause
178 decrypted VPN packets to be sent out on a real network if
179 misconfigured.
180
181 uml (not compiled in by default)
182 Create a UNIX socket with the filename specified by
183 Device, or /var/run/NETNAME.umlsocket if not specified.
184 tinc will wait for a User Mode Linux instance to connect
185 to this socket.
186
187 vde (not compiled in by default)
188 Uses the libvdeplug library to connect to a Virtual Dis‐
189 tributed Ethernet switch, using the UNIX socket specified
190 by Device, or /var/run/vde.ctl if not specified.
191 Also, in case tinc does not seem to correctly interpret packets
192 received from the virtual network device, it can be used to
193 change the way packets are interpreted:
194
195 tun (BSD and Linux)
196 Set type to tun. Depending on the platform, this can
197 either be with or without an address family header (see
198 below).
199
200 tunnohead (BSD)
201 Set type to tun without an address family header. Tinc
202 will expect packets read from the virtual network device
203 to start with an IP header. On some platforms IPv6 pack‐
204 ets cannot be read from or written to the device in this
205 mode.
206
207 tunifhead (BSD)
208 Set type to tun with an address family header. Tinc will
209 expect packets read from the virtual network device to
210 start with a four byte header containing the address fam‐
211 ily, followed by an IP header. This mode should support
212 both IPv4 and IPv6 packets.
213
214 utun (OS X)
215 Set type to utun. This is only supported on OS X version
216 10.6.8 and higher, but doesn't require the tuntaposx mod‐
217 ule. This mode should support both IPv4 and IPv6 pack‐
218 ets.
219
220 tap (BSD and Linux)
221 Set type to tap. Tinc will expect packets read from the
222 virtual network device to start with an Ethernet header.
223
224 DirectOnly = yes | no (no) [experimental]
225 When this option is enabled, packets that cannot be sent directly
226 to the destination node, but which would have to be forwarded by
227 an intermediate node, are dropped instead. When combined with
228 the IndirectData option, packets for nodes for which we do not
229 have a meta connection with are also dropped.
230
231 Forwarding = off | internal | kernel (internal) [experimental]
232 This option selects the way indirect packets are forwarded.
233
234 off Incoming packets that are not meant for the local node,
235 but which should be forwarded to another node, are
236 dropped.
237
238 internal
239 Incoming packets that are meant for another node are for‐
240 warded by tinc internally.
241
242 This is the default mode, and unless you really know you
243 need another forwarding mode, don't change it.
244
245 kernel Incoming packets are always sent to the TUN/TAP device,
246 even if the packets are not for the local node. This is
247 less efficient, but allows the kernel to apply its rout‐
248 ing and firewall rules on them, and can also help debug‐
249 ging.
250
251 GraphDumpFile = filename [experimental]
252 If this option is present, tinc will dump the current network
253 graph to the file filename every minute, unless there were no
254 changes to the graph. The file is in a format that can be read
255 by graphviz tools. If filename starts with a pipe symbol |, then
256 the rest of the filename is interpreted as a shell command that
257 is executed, the graph is then sent to stdin.
258
259 Hostnames = yes | no (no)
260 This option selects whether IP addresses (both real and on the
261 VPN) should be resolved. Since DNS lookups are blocking, it might
262 affect tinc's efficiency, even stopping the daemon for a few sec‐
263 onds every time it does a lookup if your DNS server is not
264 responding.
265
266 This does not affect resolving hostnames to IP addresses from the
267 host configuration files, but whether hostnames should be
268 resolved while logging.
269
270 IffOneQueue = yes | no (no) [experimental]
271 (Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
272
273 Interface = interface
274 Defines the name of the interface corresponding to the virtual
275 network device. Depending on the operating system and the type
276 of device this may or may not actually set the name of the inter‐
277 face. Under Windows, this variable is used to select which net‐
278 work interface will be used. If you specified a Device, this
279 variable is almost always already correctly set.
280
281 KeyExpire = seconds (3600)
282 This option controls the period the encryption keys used to
283 encrypt the data are valid. It is common practice to change keys
284 at regular intervals to make it even harder for crackers, even
285 though it is thought to be nearly impossible to crack a single
286 key.
287
288 LocalDiscovery = yes | no (no) [experimental]
289 When enabled, tinc will try to detect peers that are on the same
290 local network. This will allow direct communication using LAN
291 addresses, even if both peers are behind a NAT and they only Con‐
292 nectTo a third node outside the NAT, which normally would prevent
293 the peers from learning each other's LAN address.
294
295 Currently, local discovery is implemented by sending broadcast
296 packets to the LAN during path MTU discovery. This feature may
297 not work in all possible situations.
298
299 MACExpire = seconds (600)
300 This option controls the amount of time MAC addresses are kept
301 before they are removed. This only has effect when Mode is set
302 to "switch".
303
304 MaxTimeout = seconds (900)
305 This is the maximum delay before trying to reconnect to other
306 tinc daemons.
307
308 Mode = router | switch | hub (router)
309 This option selects the way packets are routed to other daemons.
310
311 router In this mode Subnet variables in the host configuration
312 files will be used to form a routing table. Only unicast
313 packets of routable protocols (IPv4 and IPv6) are sup‐
314 ported in this mode.
315
316 This is the default mode, and unless you really know you
317 need another mode, don't change it.
318
319 switch In this mode the MAC addresses of the packets on the VPN
320 will be used to dynamically create a routing table just
321 like an Ethernet switch does. Unicast, multicast and
322 broadcast packets of every protocol that runs over Ether‐
323 net are supported in this mode at the cost of frequent
324 broadcast ARP requests and routing table updates.
325
326 This mode is primarily useful if you want to bridge Eth‐
327 ernet segments.
328
329 hub This mode is almost the same as the switch mode, but
330 instead every packet will be broadcast to the other dae‐
331 mons while no routing table is managed.
332
333 Name = name [required]
334 This is the name which identifies this tinc daemon. It must be
335 unique for the virtual private network this daemon will connect
336 to. The Name may only consist of alphanumeric and underscore
337 characters. If Name starts with a $, then the contents of the
338 environment variable that follows will be used. In that case,
339 invalid characters will be converted to underscores. If Name is
340 $HOST, but no such environment variable exist, the hostname will
341 be read using the gethostname() system call.
342
343 PingInterval = seconds (60)
344 The number of seconds of inactivity that tinc will wait before
345 sending a probe to the other end.
346
347 PingTimeout = seconds (5)
348 The number of seconds to wait for a response to pings or to allow
349 meta connections to block. If the other end doesn't respond
350 within this time, the connection is terminated, and the others
351 will be notified of this.
352
353 PriorityInheritance = yes | no (no) [experimental]
354 When this option is enabled the value of the TOS field of tun‐
355 neled IPv4 packets will be inherited by the UDP packets that are
356 sent out.
357
358 PrivateKey = key [obsolete]
359 The private RSA key of this tinc daemon. It will allow this tinc
360 daemon to authenticate itself to other daemons.
361
362 PrivateKeyFile = filename (/etc/tinc/NETNAME/rsa_key.priv)
363 The file in which the private RSA key of this tinc daemon
364 resides.
365
366 ProcessPriority = low | normal | high
367 When this option is used the priority of the tincd process will
368 be adjusted. Increasing the priority may help to reduce latency
369 and packet loss on the VPN.
370
371 Proxy = socks4 | socks5 | http | exec ... [experimental]
372 Use a proxy when making outgoing connections. The following
373 proxy types are currently supported:
374
375 socks4 address port [username]
376 Connects to the proxy using the SOCKS version 4 protocol.
377 Optionally, a username can be supplied which will be
378 passed on to the proxy server. Only IPv4 connections can
379 be proxied using SOCKS 4.
380
381 socks5 address port [username password]
382 Connect to the proxy using the SOCKS version 5 protocol.
383 If a username and password are given, basic user‐
384 name/password authentication will be used, otherwise no
385 authentication will be used.
386
387 http address port
388 Connects to the proxy and sends a HTTP CONNECT request.
389
390 exec command
391 Executes the given command which should set up the outgo‐
392 ing connection. The environment variables NAME, NODE,
393 REMOTEADDRES and REMOTEPORT are available.
394
395 ReplayWindow = bytes (16)
396 This is the size of the replay tracking window for each remote
397 node, in bytes. The window is a bitfield which tracks 1 packet
398 per bit, so for example the default setting of 16 will track up
399 to 128 packets in the window. In high bandwidth scenarios, set‐
400 ting this to a higher value can reduce packet loss from the
401 interaction of replay tracking with underlying real packet loss
402 and/or reordering. Setting this to zero will disable replay
403 tracking completely and pass all traffic, but leaves tinc vulner‐
404 able to replay-based attacks on your traffic.
405
406 StrictSubnets = yes | no (no) [experimental]
407 When this option is enabled tinc will only use Subnet statements
408 which are present in the host config files in the local
409 /etc/tinc/NETNAME/hosts/ directory. Subnets learned via connec‐
410 tions to other nodes and which are not present in the local host
411 config files are ignored.
412
413 TunnelServer = yes | no (no) [experimental]
414 When this option is enabled tinc will no longer forward informa‐
415 tion between other tinc daemons, and will only allow connections
416 with nodes for which host config files are present in the local
417 /etc/tinc/NETNAME/hosts/ directory. Setting this options also
418 implicitly sets StrictSubnets.
419
420 UDPRcvBuf = bytes (OS default)
421 Sets the socket receive buffer size for the UDP socket, in bytes.
422 If unset, the default buffer size will be used by the operating
423 system.
424
425 UDPSndBuf = bytes (OS default)
426 Sets the socket send buffer size for the UDP socket, in bytes.
427 If unset, the default buffer size will be used by the operating
428 system.
429
431 The host configuration files contain all information needed to establish
432 a connection to those hosts. A host configuration file is also required
433 for the local tinc daemon, it will use it to read in it's listen port,
434 public key and subnets.
435
436 The idea is that these files are portable. You can safely mail your own
437 host configuration file to someone else. That other person can then copy
438 it to his own hosts directory, and now his tinc daemon will be able to
439 connect to your tinc daemon. Since host configuration files only contain
440 public keys, no secrets are revealed by sending out this information.
441
442 Address = address [port] [recommended]
443 The IP address or hostname of this tinc daemon on the real net‐
444 work. This will only be used when trying to make an outgoing
445 connection to this tinc daemon. Optionally, a port can be speci‐
446 fied to use for this address. Multiple Address variables can be
447 specified, in which case each address will be tried until a work‐
448 ing connection has been established.
449
450 Cipher = cipher (aes-256-cbc)
451 The symmetric cipher algorithm used to encrypt UDP packets. Any
452 cipher supported by LibreSSL or OpenSSL is recognised. Further‐
453 more, specifying "none" will turn off packet encryption. It is
454 best to use only those ciphers which support CBC mode.
455
456 ClampMSS = yes | no (yes)
457 This option specifies whether tinc should clamp the maximum seg‐
458 ment size (MSS) of TCP packets to the path MTU. This helps in
459 situations where ICMP Fragmentation Needed or Packet too Big mes‐
460 sages are dropped by firewalls.
461
462 Compression = level (0)
463 This option sets the level of compression used for UDP packets.
464 Possible values are 0 (off), 1 (fast zlib) and any integer up to
465 9 (best zlib), 10 (fast lzo) and 11 (best lzo).
466
467 Digest = digest (sha256)
468 The digest algorithm used to authenticate UDP packets. Any
469 digest supported by LibreSSL or OpenSSL is recognised. Further‐
470 more, specifying "none" will turn off packet authentication.
471
472 IndirectData = yes | no (no)
473 When set to yes, only nodes which already have a meta connection
474 to you will try to establish direct communication with you. It
475 is best to leave this option out or set it to no.
476
477 MACLength = length (4)
478 The length of the message authentication code used to authenti‐
479 cate UDP packets. Can be anything from "0" up to the length of
480 the digest produced by the digest algorithm.
481
482 PMTU = mtu (1514)
483 This option controls the initial path MTU to this node.
484
485 PMTUDiscovery = yes | no (yes)
486 When this option is enabled, tinc will try to discover the path
487 MTU to this node. After the path MTU has been discovered, it
488 will be enforced on the VPN.
489
490 Port = port (655)
491 The port number on which this tinc daemon is listening for incom‐
492 ing connections, which is used if no port number is specified in
493 an Address statement.
494
495 PublicKey = key [obsolete]
496 The public RSA key of this tinc daemon. It will be used to cryp‐
497 tographically verify it's identity and to set up a secure connec‐
498 tion.
499
500 PublicKeyFile = filename [obsolete]
501 The file in which the public RSA key of this tinc daemon resides.
502
503 From version 1.0pre4 on tinc will store the public key directly
504 into the host configuration file in PEM format, the above two
505 options then are not necessary. Either the PEM format is used,
506 or exactly one of the above two options must be specified in each
507 host configuration file, if you want to be able to establish a
508 connection with that host.
509
510 Subnet = address[/prefixlength[#weight]]
511 The subnet which this tinc daemon will serve. tinc tries to look
512 up which other daemon it should send a packet to by searching the
513 appropriate subnet. If the packet matches a subnet, it will be
514 sent to the daemon who has this subnet in his host configuration
515 file. Multiple Subnet variables can be specified.
516
517 Subnets can either be single MAC, IPv4 or IPv6 addresses, in
518 which case a subnet consisting of only that single address is
519 assumed, or they can be a IPv4 or IPv6 network address with a
520 prefixlength. For example, IPv4 subnets must be in a form like
521 192.168.1.0/24, where 192.168.1.0 is the network address and 24
522 is the number of bits set in the netmask. Note that subnets like
523 192.168.1.1/24 are invalid! Read a networking HOWTO/FAQ/guide if
524 you don't understand this. IPv6 subnets are notated like
525 fec0:0:0:1::/64. MAC addresses are notated like
526 0:1a:2b:3c:4d:5e.
527
528 A Subnet can be given a weight to indicate its priority over
529 identical Subnets owned by different nodes. The default weight
530 is 10. Lower values indicate higher priority. Packets will be
531 sent to the node with the highest priority, unless that node is
532 not reachable, in which case the node with the next highest pri‐
533 ority will be tried, and so on.
534
535 TCPOnly = yes | no (no [obsolete])
536 If this variable is set to yes, then the packets are tunnelled
537 over the TCP connection instead of a UDP connection. This is
538 especially useful for those who want to run a tinc daemon from
539 behind a masquerading firewall, or if UDP packet routing is dis‐
540 abled somehow. Setting this options also implicitly sets Indi‐
541 rectData.
542
543 Since version 1.0.10, tinc will automatically detect whether com‐
544 munication via UDP is possible or not.
545
547 Apart from reading the server and host configuration files, tinc can also
548 run scripts at certain moments. Below is a list of filenames of scripts
549 and a description of when they are run. A script is only run if it
550 exists and if it is executable.
551
552 Scripts are run synchronously; this means that tinc will temporarily stop
553 processing packets until the called script finishes executing. This
554 guarantees that scripts will execute in the exact same order as the
555 events that trigger them. If you need to run commands asynchronously,
556 you have to ensure yourself that they are being run in the background.
557
558 Under Windows (not Cygwin), the scripts must have the extension .bat.
559
560 /etc/tinc/NETNAME/tinc-up
561 This is the most important script. If it is present it will be
562 executed right after the tinc daemon has been started and has
563 connected to the virtual network device. It should be used to
564 set up the corresponding network interface, but can also be used
565 to start other things.
566
567 Under Windows you can use the Network Connections control panel
568 instead of creating this script.
569
570 /etc/tinc/NETNAME/tinc-down
571 This script is started right before the tinc daemon quits.
572
573 /etc/tinc/NETNAME/hosts/HOST-up
574 This script is started when the tinc daemon with name HOST
575 becomes reachable.
576
577 /etc/tinc/NETNAME/hosts/HOST-down
578 This script is started when the tinc daemon with name HOST
579 becomes unreachable.
580
581 /etc/tinc/NETNAME/host-up
582 This script is started when any host becomes reachable.
583
584 /etc/tinc/NETNAME/host-down
585 This script is started when any host becomes unreachable.
586
587 /etc/tinc/NETNAME/subnet-up
588 This script is started when a Subnet becomes reachable. The Sub‐
589 net and the node it belongs to are passed in environment vari‐
590 ables.
591
592 /etc/tinc/NETNAME/subnet-down
593 This script is started when a Subnet becomes unreachable.
594
595 The scripts are started without command line arguments, but can make use
596 of certain environment variables. Under UNIX like operating systems the
597 names of environment variables must be preceded by a $ in scripts. Under
598 Windows, in .bat files, they have to be put between % signs.
599
600 NETNAME
601 If a netname was specified, this environment variable contains
602 it.
603
604 NAME Contains the name of this tinc daemon.
605
606 DEVICE Contains the name of the virtual network device that tinc uses.
607
608 INTERFACE
609 Contains the name of the virtual network interface that tinc
610 uses. This should be used for commands like ifconfig.
611
612 NODE When a host becomes (un)reachable, this is set to its name. If a
613 subnet becomes (un)reachable, this is set to the owner of that
614 subnet.
615
616 REMOTEADDRESS
617 When a host becomes (un)reachable, this is set to its real
618 address.
619
620 REMOTEPORT
621 When a host becomes (un)reachable, this is set to the port number
622 it uses for communication with other tinc daemons.
623
624 SUBNET When a subnet becomes (un)reachable, this is set to the subnet.
625
626 WEIGHT When a subnet becomes (un)reachable, this is set to the subnet
627 weight.
628
629 Do not forget that under UNIX operating systems, you have to make the
630 scripts executable, using the command chmod a+x script.
631
633 The most important files are:
634
635 /etc/tinc/
636 The top directory for configuration files.
637
638 /etc/tinc/NETNAME/tinc.conf
639 The default name of the server configuration file for net
640 NETNAME.
641
642 /etc/tinc/NETNAME/conf.d/
643 Optional directory from which any *.conf file will be loaded
644
645 /etc/tinc/NETNAME/hosts/
646 Host configuration files are kept in this directory.
647
648 /etc/tinc/NETNAME/tinc-up
649 If an executable file with this name exists, it will be executed
650 right after the tinc daemon has connected to the virtual network
651 device. It can be used to set up the corresponding network
652 interface.
653
654 /etc/tinc/NETNAME/tinc-down
655 If an executable file with this name exists, it will be executed
656 right before the tinc daemon is going to close its connection to
657 the virtual network device.
658
660 tincd(8), https://www.tinc-vpn.org/, http://www.tldp.org/LDP/nag2/.
661
662 The full documentation for tinc is maintained as a Texinfo manual. If
663 the info and tinc programs are properly installed at your site, the com‐
664 mand info tinc should give you access to the complete manual.
665
666 tinc comes with ABSOLUTELY NO WARRANTY. This is free software, and you
667 are welcome to redistribute it under certain conditions; see the file
668 COPYING for details.
669
670 June 20, 2019