--- gvpe/README 2003/03/23 14:58:21 1.2 +++ gvpe/README 2003/03/25 18:11:58 1.3 
@@ -43,44 +43,50 @@ ==== PROGRAMS ==== Vpe comes with two programs: one daemon (``vped'') and one control - program ``vpectrl''). + program (``vpectrl''). : vpectrl - Is used to generate the keys and give an overview of the - configuration. + Is used to generate the keys, check and give an overview of of the + configuration and contorl the daemon (restarting etc.). : vped Is the daemon used to establish and maintain conenctions to the other network members. It should be run on the gateway machine. -==== CONFIGURING VPE ==== +==== COMPILETIME CONFIGURATION ==== - Here are a few recipes for configuring your vpe: + Here are a few recipes for compiling your vpe: == AS LOW PACKET OVERHEAD AS POSSIBLE == - ./configure --enable-hmac-length=4 --enable-rand-length=0 + ./configure --enable-hmac-length=4 --enable-rand-length=0 - Minimize the header overhead of VPN packets. + Minimize the header overhead of VPN packets (the above will result in + only 4 bytes of overhead over the raw ethernet frame). == MINIMIZE CPU TIME REQUIRED == - ./configure --enable-cipher=bf --enable-digest=md4 + ./configure --enable-cipher=bf --enable-digest=md4 - Use the fastest cipher and digest algorithms. + Use the fastest cipher and digest algorithms currently available in vpe. == MAXIMIZE SECURITY == - ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 + ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 + + This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12 + would also be pretty secure ;) and will additionally prefix each packet + with 8 bytes of random data. In general, remember that AES-128 seems to be more secure and faster - than AES-192 or AES-256, more randomness and longer hmac is more secure, - MD4 is a fast digest, SHA1 or RIPEMD160 are better, and Blowfish is a - fast and so-far quite secure cipher. + than AES-192 or AES-256, more randomness helps against sniffing and a + longer HMAC helps against spoofing. 
MD4 is a fast digest, SHA1 or + RIPEMD160 are better, and Blowfish is a fast cipher (and also quite + secure). ==== HOW TO SET UP A SIMPLE VPN ==== @@ -98,29 +104,29 @@ Put the following lines into ``/etc/vpe/vped.conf'': - udp-port = 50000 # the external port to listen on (configure your firewall) - mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts - ifname = vpn0 # the local network device name + udp-port = 50000 # the external port to listen on (configure your firewall) + mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts + ifname = vpn0 # the local network device name - node = first # just a nickname - hostname = first.example.net # the DNS name or IP address of the host + node = first # just a nickname + hostname = first.example.net # the DNS name or IP address of the host - node = second - hostname = 133.55.82.9 + node = second + hostname = 133.55.82.9 - node = third - hostname = third.example.net + node = third + hostname = third.example.net The only other file neccessary if the ``if-up'' script that initializes the local ethernet interface. Put the following lines into ``/etc/vpe/if-up'' and make it execute (``chmod 755 /etc/vpe/if-up''): - #!/bin/sh - ip link set $IFNAME address $MAC mtu $MTU up - [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME - [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME - [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME - ip route add 10.0.0.0/16 dev $IFNAME + #!/bin/sh + ip link set $IFNAME address $MAC mtu $MTU up + [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME + [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME + [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME + ip route add 10.0.0.0/16 dev $IFNAME This script will give each node a different IP address in the ``10.0/16'' network. The internal network (e.g. the ``eth0'' interface) 
@@ -138,7 +144,7 @@ Run the following command to generate all key pairs (that might take a while): - vpectrl -c /etc/vpe -g + vpectrl -c /etc/vpe -g This command will put the public keys into ``/etc/vpe/pubkeys/*nodename*'' and the private keys into @@ -153,15 +159,15 @@ First all the config files without the hostkeys should be distributed: - rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys - rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys - rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys + rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys + rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys + rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys Then the hostkeys should be copied: - rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey - rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey - rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey + rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey + rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey + rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey You should now check the configration by issuing the command ``vpectrl -c /etc/vpe -s'' on each node and verify it's output. @@ -171,7 +177,7 @@ You should then start vped on each node by issuing a command like: - vped -D -linfo first # first is the nodename + vped -D -linfo first # first is the nodename This will make the vped stay in foreground. You should then see "connection established" messages. If you don't see them check your @@ -184,7 +190,7 @@ starting it without the ``-D'' switch), or, much better, from your inittab. I use a line like this on my systems: - t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1 + t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1 == STEP 5: enjoy ==
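Review bot: in hunk @@ -43,44 +43,50 @@, the new vpectrl description introduces two typos: "give an overview of of the configuration and contorl the daemon" should read "give an overview of the configuration and control the daemon". The same hunk adds the (correct) statement that more randomness helps against sniffing and a longer HMAC helps against spoofing, yet the "AS LOW PACKET OVERHEAD AS POSSIBLE" recipe (`--enable-hmac-length=4 --enable-rand-length=0`) and the "MINIMIZE CPU TIME REQUIRED" recipe (`--enable-digest=md4`) say nothing about what they give up; a one-line caveat under each that it trades authentication strength (and, for `--enable-rand-length=0`, the random prefix) for packet size or CPU time would keep the three recipes consistent with that sentence. Also, "I guess 8-12 would also be pretty secure ;)" reads as a guess inside a recommendation; either state the minimum HMAC length the project actually considers adequate or drop the aside.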
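Review bot: hunk @@ -98,29 +104,29 @@ is a whitespace-only reindent of the vped.conf and if-up examples, but the unchanged context line "The only other file neccessary if the ``if-up'' script" carries two typos ("necessary", and "if" should be "is") that could be fixed in the same pass. In the if-up script, the tests `[ $NODENAME = first ]` (and the second and third) leave `$NODENAME` unquoted; writing `[ "$NODENAME" = first ]` avoids a syntax error from `[` if the variable is ever empty, which would otherwise make the script fail before the route is added.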
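Review bot: in hunk @@ -153,15 +159,15 @@, the hostkey rsync lines copy `/etc/vpe/hostkeys/first` to `first.example.net:/etc/hostkey`, i.e. outside the `/etc/vpe` directory that the preceding three rsync lines populate on each host; please confirm whether `/etc/hostkey` is the path vped actually reads or whether `/etc/vpe/hostkey` was meant, since a wrong path here leaves the node without its private key at startup. The context lines after the hunk also have "configration" (configuration) and "verify it's output" (its), which could be fixed while reindenting.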