Main configuration file

This file is located under /etc/mcc/mcc.conf path by default. To override the path pass the new one as the argument to mccd.

listen-addr =

Listen address (ip:port).


Parent nodes' socket addresses (ip:port, hostname:port, ...).

parents-resolve-period = 1h

How frequently the parents' hostnames need to be resolved.

resolver.ipv4-network =

IPv4 network that is used to resolve node IDs. Beware that the addresses from this network are always local to the current node and are assigned dynamically. The same address on different nodes may point to a different node ID. The address is reassigned only if the system runs out of IP addresses, i.e. you resolve over 65536 unique node IDs from a single node.

resolver.ipv6-network = 200::/7

IPv6 network that is used to resolve node IDs. The default is unused IPv6 range deprecated in RFC 4048.

resolver.mac-address-mask = AE:00:00:00:00:00

MAC address mask that is used to resolve node IDs.

resolver.domain =

Domain under which node IDs are resolved. The default is (RFC 8375).

resolver.ttl = 0

TTL of DNS entries in seconds.

unix-socket-path = /tmp/.mcc-socket

UNIX socket path used by mcc command.

unix-enable = true

Enable UNIX socket server. Without this server mcc commands do not work.

keep-alive-period = 30s

How frequently the parent node needs to be checked.

topology-update-period = 2m

How frequently topology needs to be sent to the parent node.

rejoin-period = 1m

How frequently a node tries to switch to the first parent.

log-level = info

Log verbosity level. Possible values: off, error, warn, info, debug, trace.


Redirect all MCC output to the specified file.

data-dir = /var/lib/mcc

Internal data storage directory.

tun-device-name = mcc0
tun-device-name = utun83

TUN device name (utun83 on MacOS, mcc0 otherwise).

tun-device-mtu = 1280

TUN device MTU.

firewall-chain-name = MCC

Firewall chain name.

dns-addr =

Bind address (ip:port) of internal DNS server that is used to resolve node IDs.

dns-enable = true

Enable local DNS server. Without this server node ID resolution does not work on musl-based Linux distributions and MacOS, but still works on glibc-based Linux distributions via NSS module.

node-certificate = /etc/mcc/node-certificate.txt

Node's certificate path.

node-private-key = /etc/mcc/node-private-key.txt

Node's private key path.

network-certificates = /etc/mcc/network-certificate.txt

Comma-separated list of files with trusted network certificates.

compression = none

Compression method for tunneled packets. Possible values: none, lz4.

cert-update-addr =

The address (ip:port) of a server to get updated certificates from.

cert-update-enable = true

Enable automatic update of network certificates.

cert-update-period = 3h

How frequently to update network certificates.


Tags associated with the node.

dependent-nodes = /etc/mcc/dependent-nodes

A directory that contains dependent nodes configuration files.

static-addr =

Static address of this node in overlay network. Please note that dynamic IP addresses is more secure against man-in-the-middle attacks than static ones: dynamic addresses resolve to node ids locally whereas static addresses resolve to node ids by contacting a parent node. This also means that dynamic addresses are much faster to resolve than static ones.

network-lookup-ttl = 64

Network lookup TTL, i.e. the maximum number of hops a packet will travel before being dropped. This applies to static IP address and DNS name resolution.

network-lookup-timeout = 20s

Network lookup timeout. This applies to static IP address and DNS name resolution.

forwarding-rules = /etc/mcc/forwarding-rules.conf

Packet forwarding rules.

forwarding-rules-commit-timeout = 7s

The timeout of applying new forwarding rules with mcc apply-forwarding-rules command.


Enable Dnsmasq integration. When enabled MCC will generate configuration file for Dnsmasq and place it under dnsmasq-directory. The integration is enabled by default if dnsmasq-directory exists. Note that MCC does not restart Dnsmasq and does not delete generated configuration file.

dnsmasq-directory = /etc/dnsmasq.d

Dnsmasq directory that contains additional (usually per-domain) configuration files.


Dnsmasq restart shell command. By default MCC does not restart Dnsmasq after the configuration file is generated, because it may interfere with system boot sequence. If you are sure that this is not an issue, specify restart command here. Something like systemctl restart dnsmasq.

See also