ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/doc/gvpe.5.pod
Revision: 1.2
Committed: Tue Oct 12 11:54:33 2004 UTC (20 years, 2 months ago) by pcg
Branch: MAIN
Changes since 1.1: +3 -1 lines
Log Message:
*** empty log message ***

File Contents

# Content
1 =head1 NAME
2
3 GNU-VPE - Overview of the GNU Virtual Private Ethernet suite.
4
5 =head1 DESCRIPTION
6
7 GVPE is a suite designed to provide a virtual private network for multiple
8 nodes over an untrusted network.
9
10 "Virtual"X<Virtual> means that no physical network is created (of course), but an
11 ethernet is emulated by creating multiple tunnels between the member
12 nodes.
13
14 "Private"X<Private> means that non-participating nodes cannot decode ("sniff)" nor
15 inject ("spoof") packets.
16
17 In the case of gvpe, even participating nodes cannot sniff packets send to
18 other nodes or spoof packets as if sent from other nodes.
19
20 "Network"X<Network> means that more than two parties can participate in the
21 network, so for instance it's possible to connect multiple branches of a
22 company into a single network. Many so-called "vpn" solutions only create
23 point-to-point tunnels.
24
25 =head2 DESIGN GOALS
26
27 =over 4
28
29 =item SIMPLE DESIGN
30
31 Cipher, HMAC algorithms and other key parameters must be selected
32 at compile time - this makes it possible to only link in algorithms
33 you actually need. It also makes the crypto part of the source very
34 transparent and easy to inspect.
35
36 =item EASY TO SETUP
37
38 A few lines of config (the config file is shared unmodified between all
39 hosts) and a single run of C<gvpectrl> to generate the keys suffices to
40 make it work.
41
42 =item MAC-BASED SECURITY
43
44 Since every host has it's own private key, other hosts cannot spoof
45 traffic from this host. That makes it possible to filter packet by MAC
46 address, e.g. to ensure that packets from a specific IP address come, in
47 fact, from a specific host that is associated with that IP and not from
48 another host.
49
50 =back
51
52 =head1 PROGRAMS
53
54 Vpe comes with two programs: one daemon (C<gvpe>) and one control program
55 (C<gvpectrl>).
56
57 =over 4
58
59 =item gvpectrl
60
61 Is used to generate the keys, check and give an overview of of the
62 configuration and contorl the daemon (restarting etc.).
63
64 =item gvpe
65
66 Is the daemon used to establish and maintain connections to the other
67 network members. It should be run on the gateway machine.
68
69 =back
70
71 =head1 COMPILETIME CONFIGURATION
72
73 Please have a look at the C<gvpe.osdep(5)> manpage for platform-specific
74 information.
75
76 Here are a few recipes for compiling your gvpe:
77
78 =head2 AS LOW PACKET OVERHEAD AS POSSIBLE
79
80 ./configure --enable-hmac-length=4 --enable-rand-length=0
81
82 Minimize the header overhead of VPN packets (the above will result in only
83 4 bytes of overhead over the raw ethernet frame).
84
85 =head2 MINIMIZE CPU TIME REQUIRED
86
87 ./configure --enable-cipher=bf --enable-digest=md4
88
89 Use the fastest cipher and digest algorithms currently available in gvpe.
90
91 =head2 MAXIMIZE SECURITY
92
93 ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1
94
95 This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12
96 would also be pretty secure ;) and will additionally prefix each packet
97 with 8 bytes of random data. In the long run, people should move to
98 SHA-224 and beyond, but support in openssl is missing as of writing this
99 document.
100
101 In general, remember that AES-128 seems to be more secure and faster than
102 AES-192 or AES-256, more randomness helps against sniffing and a longer
103 HMAC helps against spoofing. MD4 is a fast digest, SHA1 or RIPEMD160 are
104 better, and Blowfish is a fast cipher (and also quite secure).
105
106 =head1 HOW TO SET UP A SIMPLE VPN
107
108 In this section I will describe how to get a simple VPN consisting of
109 three hosts up and running.
110
111 =head2 STEP 1: configuration
112
113 First you have to create a daemon configuation file and put it into the
114 configuration directory. This is usually C</etc/gvpe>, depending on how you
115 configured gvpe, and can be overwritten using the C<-c> commandline switch.
116
117 Put the following lines into C</etc/gvpe/gvpe.conf>:
118
119 udp-port = 50000 # the external port to listen on (configure your firewall)
120 mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts
121 ifname = vpn0 # the local network device name
122
123 node = first # just a nickname
124 hostname = first.example.net # the DNS name or IP address of the host
125
126 node = second
127 hostname = 133.55.82.9
128
129 node = third
130 hostname = third.example.net
131
132 The only other file neccessary if the C<if-up> script that initializes the
133 local ethernet interface. Put the following lines into C</etc/gvpe/if-up>
134 and make it execute (C<chmod 755 /etc/gvpe/if-up>):
135
136 #!/bin/sh
137 ip link set $IFNAME address $MAC mtu $MTU up
138 [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME
139 [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME
140 [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME
141 ip route add 10.0.0.0/16 dev $IFNAME
142
143 This script will give each node a different IP address in the C<10.0/16>
144 network. The internal network (e.g. the C<eth0> interface) should then be
145 set to a subset of that network, e.g. C<10.0.1.0/24> on node C<first>,
146 C<10.0.2.0/24> on node C<second>, and so on.
147
148 By enabling routing on the gateway host that runs C<gvpe> all nodes will
149 be able to reach the other nodes. You can, of course, also use proxy arp
150 or other means of pseudo-bridging (or even real briding), or (best) full
151 routing - the choice is yours.
152
153 =head2 STEP 2: create the RSA key pairs for all hosts
154
155 Run the following command to generate all key pairs (that might take a
156 while):
157
158 gvpectrl -c /etc/gvpe -g
159
160 This command will put the public keys into C<<
161 /etc/gvpe/pubkeys/I<nodename> >> and the private keys into C<<
162 /etc/gvpe/hostkeys/I<nodename> >>.
163
164 =head2 STEP 3: distribute the config files to all nodes
165
166 Now distribute the config files to the other nodes. This should be done in two steps, since the
167 private keys should not be distributed. The example uses rsync-over-ssh
168
169 First all the config files without the hostkeys should be distributed:
170
171 rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkeys
172 rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkeys
173 rsync -avzessh /etc/gvpe third.example.net:/etc/. --exclude hostkeys
174
175 Then the hostkeys should be copied:
176
177 rsync -avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey
178 rsync -avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey
179 rsync -avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey
180
181 You should now check the configration by issuing the command C<gvpectrl -c
182 /etc/gvpe -s> on each node and verify it's output.
183
184 =head2 STEP 4: starting gvpe
185
186 You should then start gvpe on each node by issuing a command like:
187
188 gvpe -D -linfo first # first is the nodename
189
190 This will make the gvpe stay in foreground. You should then see
191 "connection established" messages. If you don't see them check your
192 firewall and routing (use tcpdump ;).
193
194 If this works you should check your networking setup by pinging various
195 endpoints.
196
197 To make gvpe run more permanently you can either run it as a daemon
198 (by starting it without the C<-D> switch), or, much better, from your
199 inittab. I use a line like this on my systems:
200
201 t1:2345:respawn:/opt/gvpe/sbin/gvpe -D -L first >/dev/null 2>&1
202
203 =head2 STEP 5: enjoy
204
205 ... and play around. Sending a -HUP (C<gvpectrl -kHUP>) to the daemon
206 will make it try to connect to all other nodes again. If you run it from
207 inittab, as is recommended, C<gvpectrl -k> (or simply C<killall gvpe>) will
208 kill the daemon, start it again, making it read it's configuration files
209 again.
210
211 =head1 SEE ALSO
212
213 gvpe.osdep(5) for OS-depedendent information, gvpe.conf(5), gvpectrl(8), and
214 for a description of the protocol and routing algorithms, gvpe.protocol(7).
215
216 =head1 AUTHOR
217
218 Marc Lehmann <gvpe@plan9.de>
219
220 =head1 COPYRIGHTS AND LICENSES
221
222 GVPE itself is distributed under the GENERAL PUBLIC LICENSE (see the file
223 COPYING that should be part of your distribution).
224
225 In some configurations it uses modified versions of the tinc vpn suite,
226 which is also available under the GENERAL PUBLIC LICENSE.
227