1 | .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 |
1 | .\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.20) |
2 | .\" |
2 | .\" |
3 | .\" Standard preamble: |
3 | .\" Standard preamble: |
4 | .\" ======================================================================== |
4 | .\" ======================================================================== |
5 | .de Sh \" Subsection heading |
|
|
6 | .br |
|
|
7 | .if t .Sp |
|
|
8 | .ne 5 |
|
|
9 | .PP |
|
|
10 | \fB\\$1\fR |
|
|
11 | .PP |
|
|
12 | .. |
|
|
13 | .de Sp \" Vertical space (when we can't use .PP) |
5 | .de Sp \" Vertical space (when we can't use .PP) |
14 | .if t .sp .5v |
6 | .if t .sp .5v |
15 | .if n .sp |
7 | .if n .sp |
16 | .. |
8 | .. |
17 | .de Vb \" Begin verbatim text |
9 | .de Vb \" Begin verbatim text |
… | |
… | |
23 | .ft R |
15 | .ft R |
24 | .fi |
16 | .fi |
25 | .. |
17 | .. |
26 | .\" Set up some character translations and predefined strings. \*(-- will |
18 | .\" Set up some character translations and predefined strings. \*(-- will |
27 | .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
19 | .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
28 | .\" double quote, and \*(R" will give a right double quote. | will give a |
20 | .\" double quote, and \*(R" will give a right double quote. \*(C+ will |
29 | .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to |
21 | .\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
30 | .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' |
22 | .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
31 | .\" expand to `' in nroff, nothing in troff, for use with C<>. |
23 | .\" nothing in troff, for use with C<>. |
32 | .tr \(*W-|\(bv\*(Tr |
24 | .tr \(*W- |
33 | .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
25 | .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
34 | .ie n \{\ |
26 | .ie n \{\ |
35 | . ds -- \(*W- |
27 | . ds -- \(*W- |
36 | . ds PI pi |
28 | . ds PI pi |
37 | . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
29 | . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
… | |
… | |
46 | . ds PI \(*p |
38 | . ds PI \(*p |
47 | . ds L" `` |
39 | . ds L" `` |
48 | . ds R" '' |
40 | . ds R" '' |
49 | 'br\} |
41 | 'br\} |
50 | .\" |
42 | .\" |
|
|
43 | .\" Escape single quotes in literal strings from groff's Unicode transform. |
|
|
44 | .ie \n(.g .ds Aq \(aq |
|
|
45 | .el .ds Aq ' |
|
|
46 | .\" |
51 | .\" If the F register is turned on, we'll generate index entries on stderr for |
47 | .\" If the F register is turned on, we'll generate index entries on stderr for |
52 | .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index |
48 | .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
53 | .\" entries marked with X<> in POD. Of course, you'll have to process the |
49 | .\" entries marked with X<> in POD. Of course, you'll have to process the |
54 | .\" output yourself in some meaningful fashion. |
50 | .\" output yourself in some meaningful fashion. |
55 | .if \nF \{\ |
51 | .ie \nF \{\ |
56 | . de IX |
52 | . de IX |
57 | . tm Index:\\$1\t\\n%\t"\\$2" |
53 | . tm Index:\\$1\t\\n%\t"\\$2" |
58 | .. |
54 | .. |
59 | . nr % 0 |
55 | . nr % 0 |
60 | . rr F |
56 | . rr F |
61 | .\} |
57 | .\} |
62 | .\" |
58 | .el \{\ |
63 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
59 | . de IX |
64 | .\" way too many mistakes in technical documents. |
60 | .. |
65 | .hy 0 |
61 | .\} |
66 | .if n .na |
|
|
67 | .\" |
62 | .\" |
68 | .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
63 | .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
69 | .\" Fear. Run. Save yourself. No user-serviceable parts. |
64 | .\" Fear. Run. Save yourself. No user-serviceable parts. |
70 | . \" fudge factors for nroff and troff |
65 | . \" fudge factors for nroff and troff |
71 | .if n \{\ |
66 | .if n \{\ |
… | |
… | |
127 | .\} |
122 | .\} |
128 | .rm #[ #] #H #V #F C |
123 | .rm #[ #] #H #V #F C |
129 | .\" ======================================================================== |
124 | .\" ======================================================================== |
130 | .\" |
125 | .\" |
131 | .IX Title "GVPE 5" |
126 | .IX Title "GVPE 5" |
132 | .TH GVPE 5 "2004-06-11" "1.7" "GNU Virtual Private Ethernet" |
127 | .TH GVPE 5 "2013-07-10" "2.24" "GNU Virtual Private Ethernet" |
|
|
128 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
|
|
129 | .\" way too many mistakes in technical documents. |
|
|
130 | .if n .ad l |
|
|
131 | .nh |
133 | .SH "NAME" |
132 | .SH "NAME" |
134 | GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. |
133 | GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. |
135 | .SH "DESCRIPTION" |
134 | .SH "DESCRIPTION" |
136 | .IX Header "DESCRIPTION" |
135 | .IX Header "DESCRIPTION" |
137 | \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple |
136 | \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple |
138 | nodes over an untrusted network. |
137 | nodes over an untrusted network. This document first gives an introduction |
139 | .PP |
138 | to VPNs in general and then describes the specific implementation of \s-1GVPE\s0. |
|
|
139 | .SS "\s-1WHAT\s0 \s-1IS\s0 A \s-1VPN\s0?" |
|
|
140 | .IX Subsection "WHAT IS A VPN?" |
|
|
141 | \&\s-1VPN\s0 is an acronym, it stands for: |
|
|
142 | .IP "Virtual" 4 |
|
|
143 | .IX Item "Virtual" |
140 | \&\*(L"Virtual\*(R" means that no physical network is created (of course), but an |
144 | Virtual means that no physical network is created (of course), but a |
141 | ethernet is emulated by creating multiple tunnels between the member |
145 | network is \fIemulated\fR by creating multiple tunnels between the member |
|
|
146 | nodes by encapsulating and sending data over another transport network. |
|
|
147 | .Sp |
|
|
148 | Usually the emulated network is a normal \s-1IP\s0 or Ethernet, and the transport |
|
|
149 | network is the Internet. However, using a \s-1VPN\s0 system like \s-1GVPE\s0 to connect |
|
|
150 | nodes over other untrusted networks such as Wireless \s-1LAN\s0 is not uncommon. |
|
|
151 | .IP "Private" 4 |
|
|
152 | .IX Item "Private" |
|
|
153 | Private means that non-participating nodes cannot decode (\*(L"sniff)\*(R" nor |
|
|
154 | inject (\*(L"spoof\*(R") packets. This means that nodes can be connected over |
|
|
155 | untrusted networks such as the public Internet without fear of being |
|
|
156 | eavesdropped while at the same time being able to trust data sent by other |
142 | nodes. |
157 | nodes. |
143 | .IX Xref "Virtual" |
158 | .Sp |
144 | .PP |
|
|
145 | \&\*(L"Private\*(R" means that non-participating nodes cannot decode (\*(L"sniff)\*(R" nor |
|
|
146 | inject (\*(L"spoof\*(R") packets. |
|
|
147 | .IX Xref "Private" |
|
|
148 | .PP |
|
|
149 | In the case of gvpe, even participating nodes cannot sniff packets send to |
159 | In the case of \s-1GVPE\s0, even participating nodes cannot sniff packets |
150 | other nodes or spoof packets as if sent from other nodes. |
160 | send to other nodes or spoof packets as if sent from other nodes, so |
151 | .PP |
161 | communications between any two nodes is private to those two nodes. |
|
|
162 | .IP "Network" 4 |
|
|
163 | .IX Item "Network" |
152 | \&\*(L"Network\*(R" means that more than two parties can participate in the |
164 | Network means that more than two parties can participate in the network, |
153 | network, so for instance it's possible to connect multiple branches of a |
165 | so for instance it's possible to connect multiple branches of a company |
154 | company into a single network. Many so-called \*(L"vpn\*(R" solutions only create |
166 | into a single network. Many so-called \*(L"\s-1VPN\s0\*(R" solutions only create |
155 | point-to-point tunnels. |
167 | point-to-point tunnels, which in turn can be used to build larger |
156 | .IX Xref "Network" |
168 | networks. |
|
|
169 | .Sp |
|
|
170 | \&\s-1GVPE\s0 provides a true multi-point network in which any number of nodes (at |
|
|
171 | least a few dozen in practise, the theoretical limit is 4095 nodes) can |
|
|
172 | participate. |
157 | .Sh "\s-1DESIGN\s0 \s-1GOALS\s0" |
173 | .SS "\s-1GVPE\s0 \s-1DESIGN\s0 \s-1GOALS\s0" |
158 | .IX Subsection "DESIGN GOALS" |
174 | .IX Subsection "GVPE DESIGN GOALS" |
159 | .IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 |
175 | .IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 |
160 | .IX Item "SIMPLE DESIGN" |
176 | .IX Item "SIMPLE DESIGN" |
161 | Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected |
177 | Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected |
162 | at compile time \- this makes it possible to only link in algorithms |
178 | at compile time \- this makes it possible to only link in algorithms |
163 | you actually need. It also makes the crypto part of the source very |
179 | you actually need. It also makes the crypto part of the source very |
164 | transparent and easy to inspect. |
180 | transparent and easy to inspect, and last not least this makes it possible |
|
|
181 | to hardcode the layout of all packets into the binary. \s-1GVPE\s0 goes a step |
|
|
182 | further and internally reserves blocks of the same length for all packets, |
|
|
183 | which virtually removes all possibilities of buffer overflows, as there is |
|
|
184 | only a single type of buffer and it's always of fixed length. |
165 | .IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 |
185 | .IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 |
166 | .IX Item "EASY TO SETUP" |
186 | .IX Item "EASY TO SETUP" |
167 | A few lines of config (the config file is shared unmodified between all |
187 | A few lines of config (the config file is shared unmodified between all |
168 | hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to |
188 | hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to |
169 | make it work. |
189 | make it work. |
… | |
… | |
174 | address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in |
194 | address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in |
175 | fact, from a specific host that is associated with that \s-1IP\s0 and not from |
195 | fact, from a specific host that is associated with that \s-1IP\s0 and not from |
176 | another host. |
196 | another host. |
177 | .SH "PROGRAMS" |
197 | .SH "PROGRAMS" |
178 | .IX Header "PROGRAMS" |
198 | .IX Header "PROGRAMS" |
179 | Vpe comes with two programs: one daemon (\f(CW\*(C`gvpe\*(C'\fR) and one control program |
199 | Gvpe comes with two programs: one daemon (\f(CW\*(C`gvpe\*(C'\fR) and one control program |
180 | (\f(CW\*(C`gvpectrl\*(C'\fR). |
200 | (\f(CW\*(C`gvpectrl\*(C'\fR). |
181 | .IP "gvpectrl" 4 |
201 | .IP "gvpectrl" 4 |
182 | .IX Item "gvpectrl" |
202 | .IX Item "gvpectrl" |
183 | Is used to generate the keys, check and give an overview of of the |
203 | This program is used to generate the keys, check and give an overview of of the |
184 | configuration and contorl the daemon (restarting etc.). |
204 | configuration and to control the daemon (restarting etc.). |
185 | .IP "gvpe" 4 |
205 | .IP "gvpe" 4 |
186 | .IX Item "gvpe" |
206 | .IX Item "gvpe" |
187 | Is the daemon used to establish and maintain connections to the other |
207 | This is the daemon used to establish and maintain connections to the other |
188 | network members. It should be run on the gateway machine. |
208 | network nodes. It should be run on the gateway of each \s-1VPN\s0 subnet. |
189 | .SH "COMPILETIME CONFIGURATION" |
209 | .SH "COMPILETIME CONFIGURATION" |
190 | .IX Header "COMPILETIME CONFIGURATION" |
210 | .IX Header "COMPILETIME CONFIGURATION" |
191 | Please have a look at the \f(CW\*(C`gvpe.osdep(5)\*(C'\fR manpage for platform-specific |
211 | Please have a look at the \f(CW\*(C`gvpe.osdep(5)\*(C'\fR manpage for platform-specific |
192 | information. |
212 | information. |
193 | .PP |
213 | .PP |
|
|
214 | Gvpe hardcodes most encryption parameters. While this reduces flexibility, |
|
|
215 | it makes the program much simpler and helps making buffer overflows |
|
|
216 | impossible under most circumstances. |
|
|
217 | .PP |
194 | Here are a few recipes for compiling your gvpe: |
218 | Here are a few recipes for compiling your gvpe, showing the extremes |
|
|
219 | (fast, small, insecure \s-1OR\s0 slow, large, more secure), between which you |
|
|
220 | should choose: |
195 | .Sh "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" |
221 | .SS "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" |
196 | .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" |
222 | .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" |
197 | .Vb 1 |
223 | .Vb 1 |
198 | \& ./configure --enable-hmac-length=4 --enable-rand-length=0 |
224 | \& ./configure \-\-enable\-hmac\-length=4 \-\-enable\-rand\-length=0 |
199 | .Ve |
225 | .Ve |
200 | .PP |
226 | .PP |
201 | Minimize the header overhead of \s-1VPN\s0 packets (the above will result in only |
227 | Minimize the header overhead of \s-1VPN\s0 packets (the above will result in |
202 | 4 bytes of overhead over the raw ethernet frame). |
228 | only 4 bytes of overhead over the raw ethernet frame). This is a insecure |
|
|
229 | configuration because a \s-1HMAC\s0 length of 4 makes collision attacks almost |
|
|
230 | trivial. |
203 | .Sh "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" |
231 | .SS "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" |
204 | .IX Subsection "MINIMIZE CPU TIME REQUIRED" |
232 | .IX Subsection "MINIMIZE CPU TIME REQUIRED" |
205 | .Vb 1 |
233 | .Vb 1 |
206 | \& ./configure --enable-cipher=bf --enable-digest=md4 |
234 | \& ./configure \-\-enable\-cipher=bf \-\-enable\-digest=md4 |
207 | .Ve |
235 | .Ve |
208 | .PP |
236 | .PP |
209 | Use the fastest cipher and digest algorithms currently available in gvpe. |
237 | Use the fastest cipher and digest algorithms currently available in |
|
|
238 | gvpe. \s-1MD4\s0 has been broken and is quite insecure, though, so using another |
|
|
239 | digest algorithm is recommended. |
210 | .Sh "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" |
240 | .SS "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" |
211 | .IX Subsection "MAXIMIZE SECURITY" |
241 | .IX Subsection "MAXIMIZE SECURITY" |
212 | .Vb 1 |
242 | .Vb 1 |
213 | \& ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
243 | \& ./configure \-\-enable\-hmac\-length=16 \-\-enable\-rand\-length=12 \-\-enable\-digest=ripemd610 |
214 | .Ve |
244 | .Ve |
215 | .PP |
245 | .PP |
216 | This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12 |
246 | This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12 |
217 | would also be pretty secure ;) and will additionally prefix each packet |
247 | would also be pretty secure ;) and will additionally prefix each packet |
218 | with 8 bytes of random data. |
248 | with 12 bytes of random data. |
219 | .PP |
249 | .PP |
220 | In general, remember that \s-1AES\-128\s0 seems to be more secure and faster than |
250 | In general, remember that \s-1AES\-128\s0 seems to be as secure but faster than |
221 | \&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness helps against sniffing and a longer |
251 | \&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness helps against sniffing and a longer |
222 | \&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1\s0 or \s-1RIPEMD160\s0 are |
252 | \&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1\s0, \s-1RIPEMD160\s0, \s-1SHA256\s0 |
223 | better, and Blowfish is a fast cipher (and also quite secure). |
253 | are consecutively better, and Blowfish is a fast cipher (and also quite |
|
|
254 | secure). |
224 | .SH "HOW TO SET UP A SIMPLE VPN" |
255 | .SH "HOW TO SET UP A SIMPLE VPN" |
225 | .IX Header "HOW TO SET UP A SIMPLE VPN" |
256 | .IX Header "HOW TO SET UP A SIMPLE VPN" |
226 | In this section I will describe how to get a simple \s-1VPN\s0 consisting of |
257 | In this section I will describe how to get a simple \s-1VPN\s0 consisting of |
227 | three hosts up and running. |
258 | three hosts up and running. |
228 | .Sh "\s-1STEP\s0 1: configuration" |
259 | .SS "\s-1STEP\s0 1: configuration" |
229 | .IX Subsection "STEP 1: configuration" |
260 | .IX Subsection "STEP 1: configuration" |
230 | First you have to create a daemon configuation file and put it into the |
261 | First you have to create a daemon configuration file and put it into the |
231 | configuration directory. This is usually \f(CW\*(C`/etc/gvpe\*(C'\fR, depending on how you |
262 | configuration directory. This is usually \f(CW\*(C`/etc/gvpe\*(C'\fR, depending on how you |
232 | configured gvpe, and can be overwritten using the \f(CW\*(C`\-c\*(C'\fR commandline switch. |
263 | configured gvpe, and can be overwritten using the \f(CW\*(C`\-c\*(C'\fR command line switch. |
233 | .PP |
264 | .PP |
234 | Put the following lines into \f(CW\*(C`/etc/gvpe/gvpe.conf\*(C'\fR: |
265 | Put the following lines into \f(CW\*(C`/etc/gvpe/gvpe.conf\*(C'\fR: |
235 | .PP |
266 | .PP |
236 | .Vb 3 |
267 | .Vb 3 |
237 | \& udp-port = 50000 # the external port to listen on (configure your firewall) |
268 | \& udp\-port = 50000 # the external port to listen on (configure your firewall) |
238 | \& mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts |
269 | \& mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts |
239 | \& ifname = vpn0 # the local network device name |
270 | \& ifname = vpn0 # the local network device name |
240 | .Ve |
271 | \& |
241 | .PP |
|
|
242 | .Vb 2 |
|
|
243 | \& node = first # just a nickname |
272 | \& node = first # just a nickname |
244 | \& hostname = first.example.net # the DNS name or IP address of the host |
273 | \& hostname = first.example.net # the DNS name or IP address of the host |
245 | .Ve |
274 | \& |
246 | .PP |
|
|
247 | .Vb 2 |
|
|
248 | \& node = second |
275 | \& node = second |
249 | \& hostname = 133.55.82.9 |
276 | \& hostname = 133.55.82.9 |
250 | .Ve |
277 | \& |
251 | .PP |
|
|
252 | .Vb 2 |
|
|
253 | \& node = third |
278 | \& node = third |
254 | \& hostname = third.example.net |
279 | \& hostname = third.example.net |
255 | .Ve |
280 | .Ve |
256 | .PP |
281 | .PP |
257 | The only other file neccessary if the \f(CW\*(C`if\-up\*(C'\fR script that initializes the |
282 | The only other file necessary is the \f(CW\*(C`if\-up\*(C'\fR script that initializes the |
258 | local ethernet interface. Put the following lines into \f(CW\*(C`/etc/gvpe/if\-up\*(C'\fR |
283 | virtual ethernet interface on the local host. Put the following lines into |
259 | and make it execute (\f(CW\*(C`chmod 755 /etc/gvpe/if\-up\*(C'\fR): |
284 | \&\f(CW\*(C`/etc/gvpe/if\-up\*(C'\fR and make it executable (\f(CW\*(C`chmod 755 /etc/gvpe/if\-up\*(C'\fR): |
260 | .PP |
285 | .PP |
261 | .Vb 6 |
286 | .Vb 6 |
262 | \& #!/bin/sh |
287 | \& #!/bin/sh |
263 | \& ip link set $IFNAME address $MAC mtu $MTU up |
288 | \& ip link set $IFNAME address $MAC mtu $MTU up |
264 | \& [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME |
289 | \& [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME |
… | |
… | |
266 | \& [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME |
291 | \& [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME |
267 | \& ip route add 10.0.0.0/16 dev $IFNAME |
292 | \& ip route add 10.0.0.0/16 dev $IFNAME |
268 | .Ve |
293 | .Ve |
269 | .PP |
294 | .PP |
270 | This script will give each node a different \s-1IP\s0 address in the \f(CW\*(C`10.0/16\*(C'\fR |
295 | This script will give each node a different \s-1IP\s0 address in the \f(CW\*(C`10.0/16\*(C'\fR |
271 | network. The internal network (e.g. the \f(CW\*(C`eth0\*(C'\fR interface) should then be |
296 | network. The internal network (if gvpe runs on a router) should then be |
272 | set to a subset of that network, e.g. \f(CW\*(C`10.0.1.0/24\*(C'\fR on node \f(CW\*(C`first\*(C'\fR, |
297 | set to a subset of that network, e.g. \f(CW\*(C`10.0.1.0/24\*(C'\fR on node \f(CW\*(C`first\*(C'\fR, |
273 | \&\f(CW\*(C`10.0.2.0/24\*(C'\fR on node \f(CW\*(C`second\*(C'\fR, and so on. |
298 | \&\f(CW\*(C`10.0.2.0/24\*(C'\fR on node \f(CW\*(C`second\*(C'\fR, and so on. |
274 | .PP |
299 | .PP |
275 | By enabling routing on the gateway host that runs \f(CW\*(C`gvpe\*(C'\fR all nodes will |
300 | By enabling routing on the gateway host that runs \f(CW\*(C`gvpe\*(C'\fR all nodes will |
276 | be able to reach the other nodes. You can, of course, also use proxy arp |
301 | be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0 |
277 | or other means of pseudo-bridging (or even real briding), or (best) full |
302 | or other means of pseudo-bridging, or (best) full routing \- the choice is |
278 | routing \- the choice is yours. |
303 | yours. |
279 | .Sh "\s-1STEP\s0 2: create the \s-1RSA\s0 key pairs for all hosts" |
304 | .SS "\s-1STEP\s0 2: create the \s-1RSA\s0 key pairs for all hosts" |
280 | .IX Subsection "STEP 2: create the RSA key pairs for all hosts" |
305 | .IX Subsection "STEP 2: create the RSA key pairs for all hosts" |
281 | Run the following command to generate all key pairs (that might take a |
306 | Run the following command to generate all key pairs for all nodes (that |
282 | while): |
307 | might take a while): |
283 | .PP |
308 | .PP |
284 | .Vb 1 |
309 | .Vb 1 |
285 | \& gvpectrl -c /etc/gvpe -g |
310 | \& gvpectrl \-c /etc/gvpe \-g |
286 | .Ve |
311 | .Ve |
287 | .PP |
312 | .PP |
288 | This command will put the public keys into \f(CW\*(C`/etc/gvpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/gvpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. |
313 | This command will put the public keys into \f(CW\*(C`/etc/gvpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/gvpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. |
289 | .Sh "\s-1STEP\s0 3: distribute the config files to all nodes" |
314 | .SS "\s-1STEP\s0 3: distribute the config files to all nodes" |
290 | .IX Subsection "STEP 3: distribute the config files to all nodes" |
315 | .IX Subsection "STEP 3: distribute the config files to all nodes" |
291 | Now distribute the config files to the other nodes. This should be done in two steps, since the |
316 | Now distribute the config files and private keys to the other nodes. This |
292 | private keys should not be distributed. The example uses rsync-over-ssh |
317 | should be done in two steps, since only the private keys meant for a node |
|
|
318 | should be distributed (so each node has only it's own private key). |
|
|
319 | .PP |
|
|
320 | The example uses rsync-over-ssh |
293 | .PP |
321 | .PP |
294 | First all the config files without the hostkeys should be distributed: |
322 | First all the config files without the hostkeys should be distributed: |
295 | .PP |
323 | .PP |
296 | .Vb 3 |
324 | .Vb 3 |
297 | \& rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkeys |
325 | \& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkeys |
298 | \& rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkeys |
326 | \& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkeys |
299 | \& rsync -avzessh /etc/gvpe third.example.net:/etc/. --exclude hostkeys |
327 | \& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkeys |
300 | .Ve |
328 | .Ve |
301 | .PP |
329 | .PP |
302 | Then the hostkeys should be copied: |
330 | Then the hostkeys should be copied: |
303 | .PP |
331 | .PP |
304 | .Vb 3 |
332 | .Vb 3 |
305 | \& rsync -avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey |
333 | \& rsync \-avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey |
306 | \& rsync -avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey |
334 | \& rsync \-avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey |
307 | \& rsync -avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey |
335 | \& rsync \-avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey |
308 | .Ve |
336 | .Ve |
309 | .PP |
337 | .PP |
310 | You should now check the configration by issuing the command \f(CW\*(C`gvpectrl \-c |
338 | You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl \-c |
311 | /etc/gvpe \-s\*(C'\fR on each node and verify it's output. |
339 | /etc/gvpe \-s\*(C'\fR on each node and verify it's output. |
312 | .Sh "\s-1STEP\s0 4: starting gvpe" |
340 | .SS "\s-1STEP\s0 4: starting gvpe" |
313 | .IX Subsection "STEP 4: starting gvpe" |
341 | .IX Subsection "STEP 4: starting gvpe" |
314 | You should then start gvpe on each node by issuing a command like: |
342 | You should then start gvpe on each node by issuing a command like: |
315 | .PP |
343 | .PP |
316 | .Vb 1 |
344 | .Vb 1 |
317 | \& gvpe -D -linfo first # first is the nodename |
345 | \& gvpe \-D \-l info first # first is the nodename |
318 | .Ve |
346 | .Ve |
319 | .PP |
347 | .PP |
320 | This will make the gvpe stay in foreground. You should then see |
348 | This will make the gvpe daemon stay in foreground. You should then see |
321 | \&\*(L"connection established\*(R" messages. If you don't see them check your |
349 | \&\*(L"connection established\*(R" messages. If you don't see them check your |
322 | firewall and routing (use tcpdump ;). |
350 | firewall and routing (use tcpdump ;). |
323 | .PP |
351 | .PP |
324 | If this works you should check your networking setup by pinging various |
352 | If this works you should check your networking setup by pinging various |
325 | endpoints. |
353 | endpoints. |
326 | .PP |
354 | .PP |
327 | To make gvpe run more permanently you can either run it as a daemon |
355 | To make gvpe run more permanently you can either run it as a daemon (by |
328 | (by starting it without the \f(CW\*(C`\-D\*(C'\fR switch), or, much better, from your |
356 | starting it without the \f(CW\*(C`\-D\*(C'\fR switch), or, much better, from your inittab |
329 | inittab. I use a line like this on my systems: |
357 | or equivalent. I use a line like this on all my systems: |
330 | .PP |
358 | .PP |
331 | .Vb 1 |
359 | .Vb 1 |
332 | \& t1:2345:respawn:/opt/gvpe/sbin/gvpe -D -L first >/dev/null 2>&1 |
360 | \& t1:2345:respawn:/opt/gvpe/sbin/gvpe \-D \-L first >/dev/null 2>&1 |
333 | .Ve |
361 | .Ve |
334 | .Sh "\s-1STEP\s0 5: enjoy" |
362 | .SS "\s-1STEP\s0 5: enjoy" |
335 | .IX Subsection "STEP 5: enjoy" |
363 | .IX Subsection "STEP 5: enjoy" |
336 | \&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon |
364 | \&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon |
337 | will make it try to connect to all other nodes again. If you run it from |
365 | will make it try to connect to all other nodes again. If you run it from |
338 | inittab, as is recommended, \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will |
366 | inittab, as is recommended, \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will |
339 | kill the daemon, start it again, making it read it's configuration files |
367 | kill the daemon, start it again, making it read it's configuration files |
340 | again. |
368 | again. |
341 | .SH "SEE ALSO" |
369 | .SH "SEE ALSO" |
342 | .IX Header "SEE ALSO" |
370 | .IX Header "SEE ALSO" |
343 | \&\fIgvpe.osdep\fR\|(5) for OS-depedendent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8), and |
371 | \&\fIgvpe.osdep\fR\|(5) for OS-dependent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8), |
344 | for a description of the protocol and routing algorithms, \fIgvpe.protocol\fR\|(7). |
372 | and for a description of the transports, protocol, and routing algorithm, |
|
|
373 | \&\fIgvpe.protocol\fR\|(7). |
|
|
374 | .PP |
|
|
375 | The \s-1GVPE\s0 mailing list, at <http://lists.schmorp.de/>, or |
|
|
376 | \&\f(CW\*(C`gvpe@lists.schmorp.de\*(C'\fR. |
345 | .SH "AUTHOR" |
377 | .SH "AUTHOR" |
346 | .IX Header "AUTHOR" |
378 | .IX Header "AUTHOR" |
347 | Marc Lehmann <gvpe@plan9.de> |
379 | Marc Lehmann <gvpe@schmorp.de> |
348 | .SH "COPYRIGHTS AND LICENSES" |
380 | .SH "COPYRIGHTS AND LICENSES" |
349 | .IX Header "COPYRIGHTS AND LICENSES" |
381 | .IX Header "COPYRIGHTS AND LICENSES" |
350 | \&\s-1GVPE\s0 itself is distributed under the \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0 (see the file |
382 | \&\s-1GVPE\s0 itself is distributed under the \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0 (see the file |
351 | \&\s-1COPYING\s0 that should be part of your distribution). |
383 | \&\s-1COPYING\s0 that should be part of your distribution). |
352 | .PP |
384 | .PP |