ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/doc/gvpe.5.pod
Revision: 1.1
Committed: Fri Jun 11 15:56:12 2004 UTC (20 years, 4 months ago) by pcg
Branch: MAIN
Log Message:
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 =head1 NAME
2    
3     GNU-VPE - Overview of the GNU Virtual Private Ethernet suite.
4    
5     =head1 DESCRIPTION
6    
7     GVPE is a suite designed to provide a virtual private network for multiple
8     nodes over an untrusted network.
9    
10     "Virtual"X<Virtual> means that no physical network is created (of course), but an
11     ethernet is emulated by creating multiple tunnels between the member
12     nodes.
13    
14     "Private"X<Private> means that non-participating nodes cannot decode ("sniff)" nor
15     inject ("spoof") packets.
16    
17     In the case of gvpe, even participating nodes cannot sniff packets send to
18     other nodes or spoof packets as if sent from other nodes.
19    
20     "Network"X<Network> means that more than two parties can participate in the
21     network, so for instance it's possible to connect multiple branches of a
22     company into a single network. Many so-called "vpn" solutions only create
23     point-to-point tunnels.
24    
25     =head2 DESIGN GOALS
26    
27     =over 4
28    
29     =item SIMPLE DESIGN
30    
31     Cipher, HMAC algorithms and other key parameters must be selected
32     at compile time - this makes it possible to only link in algorithms
33     you actually need. It also makes the crypto part of the source very
34     transparent and easy to inspect.
35    
36     =item EASY TO SETUP
37    
38     A few lines of config (the config file is shared unmodified between all
39     hosts) and a single run of C<gvpectrl> to generate the keys suffices to
40     make it work.
41    
42     =item MAC-BASED SECURITY
43    
44     Since every host has it's own private key, other hosts cannot spoof
45     traffic from this host. That makes it possible to filter packet by MAC
46     address, e.g. to ensure that packets from a specific IP address come, in
47     fact, from a specific host that is associated with that IP and not from
48     another host.
49    
50     =back
51    
52     =head1 PROGRAMS
53    
54     Vpe comes with two programs: one daemon (C<gvpe>) and one control program
55     (C<gvpectrl>).
56    
57     =over 4
58    
59     =item gvpectrl
60    
61     Is used to generate the keys, check and give an overview of of the
62     configuration and contorl the daemon (restarting etc.).
63    
64     =item gvpe
65    
66     Is the daemon used to establish and maintain connections to the other
67     network members. It should be run on the gateway machine.
68    
69     =back
70    
71     =head1 COMPILETIME CONFIGURATION
72    
73     Please have a look at the C<gvpe.osdep(5)> manpage for platform-specific
74     information.
75    
76     Here are a few recipes for compiling your gvpe:
77    
78     =head2 AS LOW PACKET OVERHEAD AS POSSIBLE
79    
80     ./configure --enable-hmac-length=4 --enable-rand-length=0
81    
82     Minimize the header overhead of VPN packets (the above will result in only
83     4 bytes of overhead over the raw ethernet frame).
84    
85     =head2 MINIMIZE CPU TIME REQUIRED
86    
87     ./configure --enable-cipher=bf --enable-digest=md4
88    
89     Use the fastest cipher and digest algorithms currently available in gvpe.
90    
91     =head2 MAXIMIZE SECURITY
92    
93     ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1
94    
95     This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12
96     would also be pretty secure ;) and will additionally prefix each packet
97     with 8 bytes of random data.
98    
99     In general, remember that AES-128 seems to be more secure and faster than
100     AES-192 or AES-256, more randomness helps against sniffing and a longer
101     HMAC helps against spoofing. MD4 is a fast digest, SHA1 or RIPEMD160 are
102     better, and Blowfish is a fast cipher (and also quite secure).
103    
104     =head1 HOW TO SET UP A SIMPLE VPN
105    
106     In this section I will describe how to get a simple VPN consisting of
107     three hosts up and running.
108    
109     =head2 STEP 1: configuration
110    
111     First you have to create a daemon configuation file and put it into the
112     configuration directory. This is usually C</etc/gvpe>, depending on how you
113     configured gvpe, and can be overwritten using the C<-c> commandline switch.
114    
115     Put the following lines into C</etc/gvpe/gvpe.conf>:
116    
117     udp-port = 50000 # the external port to listen on (configure your firewall)
118     mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts
119     ifname = vpn0 # the local network device name
120    
121     node = first # just a nickname
122     hostname = first.example.net # the DNS name or IP address of the host
123    
124     node = second
125     hostname = 133.55.82.9
126    
127     node = third
128     hostname = third.example.net
129    
130     The only other file neccessary if the C<if-up> script that initializes the
131     local ethernet interface. Put the following lines into C</etc/gvpe/if-up>
132     and make it execute (C<chmod 755 /etc/gvpe/if-up>):
133    
134     #!/bin/sh
135     ip link set $IFNAME address $MAC mtu $MTU up
136     [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME
137     [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME
138     [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME
139     ip route add 10.0.0.0/16 dev $IFNAME
140    
141     This script will give each node a different IP address in the C<10.0/16>
142     network. The internal network (e.g. the C<eth0> interface) should then be
143     set to a subset of that network, e.g. C<10.0.1.0/24> on node C<first>,
144     C<10.0.2.0/24> on node C<second>, and so on.
145    
146     By enabling routing on the gateway host that runs C<gvpe> all nodes will
147     be able to reach the other nodes. You can, of course, also use proxy arp
148     or other means of pseudo-bridging (or even real briding), or (best) full
149     routing - the choice is yours.
150    
151     =head2 STEP 2: create the RSA key pairs for all hosts
152    
153     Run the following command to generate all key pairs (that might take a
154     while):
155    
156     gvpectrl -c /etc/gvpe -g
157    
158     This command will put the public keys into C<<
159     /etc/gvpe/pubkeys/I<nodename> >> and the private keys into C<<
160     /etc/gvpe/hostkeys/I<nodename> >>.
161    
162     =head2 STEP 3: distribute the config files to all nodes
163    
164     Now distribute the config files to the other nodes. This should be done in two steps, since the
165     private keys should not be distributed. The example uses rsync-over-ssh
166    
167     First all the config files without the hostkeys should be distributed:
168    
169     rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkeys
170     rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkeys
171     rsync -avzessh /etc/gvpe third.example.net:/etc/. --exclude hostkeys
172    
173     Then the hostkeys should be copied:
174    
175     rsync -avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey
176     rsync -avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey
177     rsync -avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey
178    
179     You should now check the configration by issuing the command C<gvpectrl -c
180     /etc/gvpe -s> on each node and verify it's output.
181    
182     =head2 STEP 4: starting gvpe
183    
184     You should then start gvpe on each node by issuing a command like:
185    
186     gvpe -D -linfo first # first is the nodename
187    
188     This will make the gvpe stay in foreground. You should then see
189     "connection established" messages. If you don't see them check your
190     firewall and routing (use tcpdump ;).
191    
192     If this works you should check your networking setup by pinging various
193     endpoints.
194    
195     To make gvpe run more permanently you can either run it as a daemon
196     (by starting it without the C<-D> switch), or, much better, from your
197     inittab. I use a line like this on my systems:
198    
199     t1:2345:respawn:/opt/gvpe/sbin/gvpe -D -L first >/dev/null 2>&1
200    
201     =head2 STEP 5: enjoy
202    
203     ... and play around. Sending a -HUP (C<gvpectrl -kHUP>) to the daemon
204     will make it try to connect to all other nodes again. If you run it from
205     inittab, as is recommended, C<gvpectrl -k> (or simply C<killall gvpe>) will
206     kill the daemon, start it again, making it read it's configuration files
207     again.
208    
209     =head1 SEE ALSO
210    
211     gvpe.osdep(5) for OS-depedendent information, gvpe.conf(5), gvpectrl(8), and
212     for a description of the protocol and routing algorithms, gvpe.protocol(7).
213    
214     =head1 AUTHOR
215    
216     Marc Lehmann <gvpe@plan9.de>
217    
218     =head1 COPYRIGHTS AND LICENSES
219    
220     GVPE itself is distributed under the GENERAL PUBLIC LICENSE (see the file
221     COPYING that should be part of your distribution).
222    
223     In some configurations it uses modified versions of the tinc vpn suite,
224     which is also available under the GENERAL PUBLIC LICENSE.
225