TINCD(8)                  BSD System Manager's Manual                 TINCD(8)

NAME

     tincd — tinc VPN daemon

SYNOPSIS

     tincd [-cdDkKnoLRU] [--config=DIR] [--no-detach] [--debug[=LEVEL]]
           [--kill[=SIGNAL]] [--net=NETNAME] [--generate-keys[=BITS]]
           [--option=[HOST.]KEY=VALUE] [--mlock] [--logfile[=FILE]]
           [--pidfile=FILE] [--bypass-security] [--chroot] [--user=USER]
           [--help] [--version]

DESCRIPTION

     This is the daemon of tinc, a secure virtual private network (VPN)
     project.  When started, tincd will read its configuration file to
     determine what virtual subnets it has to serve and to what other tinc
     daemons it should connect.  It will connect to the ethertap or tun/tap
     device and set up a socket for incoming connections.  Optionally a
     script will be executed to further configure the virtual device.  If
     that succeeds, it will detach from the controlling terminal and continue
     in the background, accepting and setting up connections to other tinc
     daemons that are part of the virtual private network.  Under Windows
     (not Cygwin) tinc will install itself as a service, which will be
     restarted automatically after reboots.

OPTIONS

     -c, --config=DIR
             Read configuration files from DIR instead of /etc/tinc/.

     -D, --no-detach
             Don't fork and detach.  This will also disable the automatic
             restart mechanism for fatal errors.  If not mentioned otherwise,
             this will show log messages on the standard error output.

     -d, --debug[=LEVEL]
             Increase debug level or set it to LEVEL (see below).

     -k, --kill[=SIGNAL]
             Attempt to kill a running tincd (optionally with the specified
             SIGNAL instead of SIGTERM) and exit.  Under Windows (not Cygwin)
             the optional argument is ignored; the service will always be
             stopped and removed.

     -n, --net=NETNAME
             Connect to net NETNAME.  This will let tinc read all
             configuration files from /etc/tinc/NETNAME.  Specifying . for
             NETNAME is the same as not specifying any NETNAME.

     -K, --generate-keys[=BITS]
             Generate public/private RSA keypair and exit.  If BITS is
             omitted, the default length will be 2048 bits.  When saving keys
             to existing files, tinc will not delete the old keys; you have
             to remove them manually.

     -o, --option=[HOST.]KEY=VALUE
             Without specifying a HOST, this will set server configuration
             variable KEY to VALUE.  If specified as HOST.KEY=VALUE, this will
             set the host configuration variable KEY of the host named HOST to
             VALUE.  This option can be used more than once to specify
             multiple configuration variables.

     -L, --mlock
             Lock tinc into main memory.  This will prevent sensitive data
             like shared private keys from being written to the system swap
             files/partitions.

     --logfile[=FILE]
             Write log entries to a file instead of to the system logging
             facility.  If FILE is omitted, the default is
             /var/log/tinc.NETNAME.log.

     --pidfile=FILE
             Write PID to FILE instead of /run/tinc.NETNAME.pid.  Under
             Windows this option will be ignored.

     --bypass-security
             Disables encryption and authentication of the meta protocol.
             Only useful for debugging.

     -R, --chroot
             With this option tinc chroots into the directory where the
             network config is located (/etc/tinc/NETNAME if the -n option is
             used, or the directory specified with the -c option) after
             initialization.

     -U, --user=USER
             setuid to the specified USER after initialization.

     --help  Display short list of options.

     --version
             Output version information and exit.

SIGNALS

     ALRM    Forces tincd to try to connect to all uplinks immediately.
             Usually tincd attempts to do this itself, but it increases the
             time it waits between attempts each time one fails, and if tincd
             did not succeed in connecting to an uplink the first time after
             it started, it defaults to the maximum time of 15 minutes.

     HUP     Partially rereads configuration files.  Connections to hosts
             whose host config files are removed are closed.  New outgoing
             connections specified in tinc.conf will be made.  If the
             --logfile option is used, this will also close and reopen the
             log file, useful when log rotation is used.

     INT     Temporarily increases debug level to 5.  Send this signal again
             to revert to the original level.

     USR1    Dumps the connection list to syslog.

     USR2    Dumps virtual network device statistics, all known nodes, edges
             and subnets to syslog.

     WINCH   Purges all information remembered about unreachable nodes.

DEBUG LEVELS

     The tinc daemon can send a lot of messages to the syslog.  The higher the
     debug level, the more messages it will log.  Each level inherits all
     messages of the previous level:

     0       This will log a message indicating tincd has started along with a
             version number.  It will also log any serious error.

     1       This will log all connections that are made with other tinc
             daemons.

     2       This will log status and error messages from scripts and other
             tinc daemons.

     3       This will log all requests that are exchanged with other tinc
             daemons.  These include authentication, key exchange and
             connection list updates.

     4       This will log a copy of everything received on the meta socket.

     5       This will log all network traffic over the virtual private
             network.
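
     An added example, not part of the tinc manual or the tinc project's
     code: a shell function that audits a tincd argument list for the
     settings described under OPTIONS and DEBUG LEVELS (--bypass-security,
     debug levels 4 and 5, and absent -R, -U, -L).  The function name, the
     severity labels and the sample command line are constructed; clustered
     short options (-DRL, -d5) are assumed to follow getopt conventions.

```sh
#!/bin/sh
# Added example, not part of tinc: report risky or missing hardening
# options in a tincd argument list. Option names are from this page;
# getopt-style clustering (-DRL, -d5) is an assumption.
audit_tincd_args() {
    debug=0 chroot=0 user=0 mlock=0 bypass=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            --bypass-security) bypass=1 ;;
            --chroot)          chroot=1 ;;
            --mlock)           mlock=1 ;;
            --user|--user=*)   user=1 ;;
            --debug=*)         debug=${arg#--debug=} ;;
            --debug)           debug=$((debug + 1)) ;;
            --*)               ;;   # other long options are not audited
            -?*)
                flags=${arg#-}
                while [ -n "$flags" ]; do
                    rest=${flags#?}; f=${flags%"$rest"}; flags=$rest
                    case $f in
                        R) chroot=1 ;;
                        L) mlock=1 ;;
                        d) [ -n "$flags" ] && debug=$flags || debug=$((debug + 1)); flags= ;;
                        k|K) flags= ;;   # optional argument is attached, if any
                        c|n|o|U)         # required argument: attached or next word
                            [ "$f" = U ] && user=1
                            [ -z "$flags" ] && [ $# -gt 0 ] && shift
                            flags= ;;
                    esac
                done ;;
        esac
        case $debug in ''|*[!0-9]*) debug=0 ;; esac   # non-numeric LEVEL counts as 0
    done
    [ "$bypass" -eq 1 ] && echo "CRITICAL: --bypass-security: meta protocol is unencrypted and unauthenticated"
    [ "$debug" -ge 5 ] && echo "WARN: debug level $debug logs all VPN network traffic"
    [ "$debug" -eq 4 ] && echo "WARN: debug level 4 logs everything received on the meta socket"
    [ "$chroot" -eq 0 ] && echo "NOTE: no -R/--chroot: daemon is not confined to its config directory"
    [ "$user" -eq 0 ] && echo "NOTE: no -U/--user: daemon does not setuid after initialization"
    [ "$mlock" -eq 0 ] && echo "NOTE: no -L/--mlock: key material may reach swap"
    return 0
}

# Constructed sample invocation, as it might appear in a unit file or ps output.
audit_tincd_args -n office -D -d5 --bypass-security
```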

FILES

     /etc/tinc/
             Directory containing the configuration files tinc uses.  For more
             information, see tinc.conf(5).

     /run/tinc.NETNAME.pid
             The PID of the currently running tincd is stored in this file.

BUGS

     The BindToInterface option may not work correctly.

     The cryptography in tinc is not well tested yet.  Use it at your own risk!

     If you find any bugs, report them to tinc@tinc-vpn.org.

TODO

     A lot, especially security auditing.

SEE ALSO

     tinc.conf(5), https://www.tinc-vpn.org/, http://www.cabal.org/.

     The full documentation for tinc is maintained as a Texinfo manual.  If
     the info and tinc programs are properly installed at your site, the
     command info tinc should give you access to the complete manual.

     tinc comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
     are welcome to redistribute it under certain conditions; see the file
     COPYING for details.

AUTHORS

     Ivo Timmermans
     Guus Sliepen <guus@tinc-vpn.org>

     And thanks to many others for their contributions to tinc!

                               December 17, 2023