
5. Running tinc

If everything else is done, you can start tinc by typing the following command:

tincd -n netname

Tinc will detach from the terminal and continue to run in the background like a good daemon. If there are any problems, however, you can try to increase the debug level and look in the syslog to find out what the problems are.



5.1 Runtime options

Besides the settings in the configuration file, tinc also accepts some command line options.

-c, --config=path

Read configuration options from the directory path. The default is ‘/etc/tinc/netname/’.

-D, --no-detach

Don’t fork and detach. This will also disable the automatic restart mechanism for fatal errors.

-d, --debug=level

Set debug level to level. The higher the debug level, the more gets logged. Everything goes via syslog.

-k, --kill[=signal]

Attempt to kill a running tincd (optionally with the specified signal instead of SIGTERM) and exit. Use it in conjunction with the -n option to make sure you kill the right tinc daemon. Under native Windows the optional argument is ignored, the service will always be stopped and removed.

-n, --net=netname

Use configuration for net netname. This will let tinc read all configuration files from ‘/etc/tinc/netname/’. Specifying . for netname is the same as not specifying any netname. See section Multiple networks.

-K, --generate-keys[=bits]

Generate a public/private key pair of the given length in bits. If bits is not specified, 2048 is the default. tinc will ask where you want to store the files, but will default to the configuration directory (you can use the -c or -n option in combination with -K). After that, tinc will quit.

-o, --option=[HOST.]KEY=VALUE

Without specifying a HOST, this will set server configuration variable KEY to VALUE. If specified as HOST.KEY=VALUE, this will set the host configuration variable KEY of the host named HOST to VALUE. This option can be used more than once to specify multiple configuration variables.

-L, --mlock

Lock tinc into main memory. This will prevent sensitive data like shared private keys from being written to the system swap files/partitions.

--logfile[=file]

Write log entries to a file instead of to the system logging facility. If file is omitted, the default is ‘/var/log/tinc.netname.log’.

--pidfile=file

Write PID to file instead of ‘/var/run/tinc.netname.pid’.

--bypass-security

Disables encryption and authentication. Only useful for debugging.

-R, --chroot

Change the process root directory to the directory where the config file is located (‘/etc/tinc/netname/’ as determined by the -n/--net option, or as given by the -c/--config option), for added security. The chroot is performed after all the initialization is done, after writing pid files and opening network sockets.

Note that this option alone does not do any good without -U/--user, below.

Note also that tinc can’t run scripts anymore (such as tinc-down or host-up), unless they are set up to be runnable inside the chroot environment.

-U, --user=user

Switch to the given user after initialization, at the same time as the chroot is performed (see --chroot above). With this option tinc drops privileges, for added security.

--help

Display a short reminder of these runtime options and terminate.

--version

Output version information and exit.



5.2 Signals

You can also send the following signals to a running tincd process:

ALRM

Forces tinc to try to connect to all uplinks immediately. Usually tinc attempts to do this itself, but it increases the time it waits between attempts each time one fails, and if tinc did not succeed in connecting to an uplink the first time after it started, it defaults to the maximum wait time of 15 minutes.

HUP

Partially rereads the configuration files. Connections to hosts whose host config files have been removed are closed. New outgoing connections specified in ‘tinc.conf’ will be made. If the --logfile option is used, this will also close and reopen the log file, which is useful when log rotation is used.

INT

Temporarily increases debug level to 5. Send this signal again to revert to the original level.

USR1

Dumps the connection list to syslog.

USR2

Dumps virtual network device statistics, all known nodes, edges and subnets to syslog.

WINCH

Purges all information remembered about unreachable nodes.
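The signals above are normally delivered with kill(1) against the pid stored in ‘/var/run/tinc.netname.pid’ (see the --pidfile option). The following is an added example for this page, not part of tinc: a small POSIX sh function that looks up the pid file for a netname, rejects anything other than the six signal names tincd acts on, refuses to act on an empty or stale pid file, and only then sends the signal. The TINC_RUN_DIR variable is an assumed override of the default /var/run so the function can be exercised against a test directory.

```shell
#!/bin/sh
# Send one of the documented signals to a running tincd, located through its
# pid file. Added example for this page, not part of tinc.
# TINC_RUN_DIR is an assumed override of /var/run (for testing).
#
# Usage: tinc_signal netname SIGNAL
#   SIGNAL is one of ALRM HUP INT USR1 USR2 WINCH.
# Returns 0 on success, 1 if no live daemon was found, 2 on a bad signal name.
tinc_signal() {
    net=$1
    sig=$2
    pidfile="${TINC_RUN_DIR:-/var/run}/tinc.$net.pid"

    # Refuse anything that is not a documented tincd signal, so a typo
    # cannot turn into an accidental TERM or KILL of the daemon.
    case "$sig" in
        ALRM|HUP|INT|USR1|USR2|WINCH) ;;
        *)  echo "tinc_signal: '$sig' is not a signal tincd acts on" >&2
            return 2 ;;
    esac

    if [ ! -r "$pidfile" ]; then
        echo "tinc_signal: no pid file $pidfile (is tincd -n $net running?)" >&2
        return 1
    fi

    # The pid is the first whitespace-separated field of the file.
    read -r pid rest < "$pidfile" || :
    case "$pid" in
        ''|*[!0-9]*)
            echo "tinc_signal: $pidfile does not contain a pid" >&2
            return 1 ;;
    esac

    # A stale pid file (daemon died, file left behind) is the usual failure.
    # kill -0 only proves that some process has this pid, so a dead pid is
    # reported as an error rather than signalled blindly.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "tinc_signal: process $pid from $pidfile is not running" >&2
        return 1
    fi

    kill -s "$sig" "$pid"
}

# Run directly as: sh tinc-signal.sh netname SIGNAL
if [ $# -eq 2 ]; then
    tinc_signal "$1" "$2"
fi
```

Because kill -0 cannot tell a tincd from an unrelated process that happened to reuse the pid, a stale pid file is still worth cleaning up by hand once the daemon has been confirmed gone with -k/--kill or ps.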



5.3 Debug levels

The tinc daemon can send a lot of messages to the syslog. The higher the debug level, the more messages it will log. Each level inherits all messages of the previous level:

0

This will log a message indicating tinc has started along with a version number. It will also log any serious error.

1

This will log all connections that are made with other tinc daemons.

2

This will log status and error messages from scripts and other tinc daemons.

3

This will log all requests that are exchanged with other tinc daemons. These include authentication, key exchange and connection list updates.

4

This will log a copy of everything received on the meta socket.

5

This will log all network traffic over the virtual private network.



5.4 Solving problems

If tinc starts without problems but the VPN doesn’t work, you will have to find the cause of the problem. The first thing to do is to start tinc with a high debug level in the foreground, so you can directly see everything tinc logs:

tincd -n netname -d5 -D

If tinc does not log any error messages, then you might want to check the following things:



5.5 Error messages

What follows is a list of the most common error messages you might find in the logs. Some of them will only be visible if the debug level is high enough.

Could not open /dev/tap0: No such device
Can't write to /dev/net/tun: No such device
Network address and prefix length do not match!
Error reading RSA key file `rsa_key.priv': No such file or directory
Warning: insecure file permissions for RSA private key file `rsa_key.priv'!
Creating metasocket failed: Address family not supported
Cannot route packet: unknown IPv4 destination 1.2.3.4
Cannot route packet: ARP request for unknown address 1.2.3.4
Packet with destination 1.2.3.4 is looping back to us!
Node foo (1.2.3.4) is not reachable
Received UDP packet from unknown source 1.2.3.4 (port 12345)
Got bad/bogus/unauthorized REQUEST from foo (1.2.3.4 port 12345)
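Two of the messages above, the missing ‘rsa_key.priv’ and the insecure permissions on it, can be caught before tincd is ever started. The following is an added example for this page, not part of tinc: a POSIX sh pre-flight check of a configuration directory (the one -n/--net or -c/--config would select) that reports a missing ‘tinc.conf’, a missing private key file, and a private key readable by group or others, and on Linux warns if ‘/dev/net/tun’ is absent. TINC_CONF_ROOT is an assumed override of the default /etc/tinc so the check can be run against a test directory; the 0600 expectation for the key file is this example's own threshold, chosen so that only the owner can read the key.

```shell
#!/bin/sh
# Pre-flight check of a tinc configuration directory. Added example for this
# page, not part of tinc. TINC_CONF_ROOT is an assumed override of /etc/tinc.
#
# Usage: tinc_preflight netname
# Prints findings and returns 0 only when no FAIL was found.
tinc_preflight() {
    net=$1
    dir="${TINC_CONF_ROOT:-/etc/tinc}/$net"
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: configuration directory $dir does not exist"
        return 1
    fi

    if [ ! -f "$dir/tinc.conf" ]; then
        echo "FAIL: $dir/tinc.conf is missing"
        rc=1
    fi

    key="$dir/rsa_key.priv"
    if [ ! -f "$key" ]; then
        # Corresponds to: Error reading RSA key file `rsa_key.priv'
        echo "FAIL: private key $key not found (generate one with tincd -n $net -K)"
        rc=1
    else
        # Permission bits as an octal string such as 600. GNU stat and BSD
        # stat take different flags, so try both and keep the last three digits.
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
        mode=${mode#"${mode%???}"}
        case "$mode" in
            [1-7]00) ;;   # owner-only access: what tinc expects
            *)
                # Corresponds to: Warning: insecure file permissions for RSA private key file
                echo "FAIL: $key has mode ${mode:-unknown}; it should be owner-only (chmod 600)"
                rc=1 ;;
        esac
    fi

    # Informational only: the kernel TUN/TAP device node tinc opens on Linux.
    # Corresponds to: Can't write to /dev/net/tun: No such device
    if [ "$(uname -s 2>/dev/null)" = Linux ] && [ ! -c /dev/net/tun ]; then
        echo "WARN: /dev/net/tun is missing; load the tun module or create the device node"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir looks ready for tincd -n $net"
    return "$rc"
}

# Run directly as: sh tinc-preflight.sh netname
if [ $# -eq 1 ]; then
    tinc_preflight "$1"
fi
```

Run it as the user tincd will start as (root, or the -U/--user account before privileges are dropped) so that the readability checks reflect what the daemon will actually see.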


5.6 Sending bug reports

If you really can’t find the cause of a problem, or if you suspect tinc is not working right, you can send us a bug report; see Contact information. Be sure to include the following information in your bug report:



This document was generated by Build Daemon on April 22, 2013 using texi2html 1.82.