ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/doc/gvpe.5
(Generate patch)

Comparing gvpe/doc/gvpe.5 (file contents):
Revision 1.11 by pcg, Wed Sep 3 04:58:46 2008 UTC vs.
Revision 1.14 by root, Wed Nov 2 07:06:38 2016 UTC

1.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) 1.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.30)
2.\" 2.\"
3.\" Standard preamble: 3.\" Standard preamble:
4.\" ======================================================================== 4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
13.de Sp \" Vertical space (when we can't use .PP) 5.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v 6.if t .sp .5v
15.if n .sp 7.if n .sp
16.. 8..
17.de Vb \" Begin verbatim text 9.de Vb \" Begin verbatim text
44.el\{\ 36.el\{\
45. ds -- \|\(em\| 37. ds -- \|\(em\|
46. ds PI \(*p 38. ds PI \(*p
47. ds L" `` 39. ds L" ``
48. ds R" '' 40. ds R" ''
41. ds C`
42. ds C'
49'br\} 43'br\}
50.\" 44.\"
51.\" Escape single quotes in literal strings from groff's Unicode transform. 45.\" Escape single quotes in literal strings from groff's Unicode transform.
52.ie \n(.g .ds Aq \(aq 46.ie \n(.g .ds Aq \(aq
53.el .ds Aq ' 47.el .ds Aq '
54.\" 48.\"
55.\" If the F register is turned on, we'll generate index entries on stderr for 49.\" If the F register is turned on, we'll generate index entries on stderr for
56.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index 50.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
57.\" entries marked with X<> in POD. Of course, you'll have to process the 51.\" entries marked with X<> in POD. Of course, you'll have to process the
58.\" output yourself in some meaningful fashion. 52.\" output yourself in some meaningful fashion.
59.ie \nF \{\ 53.\"
54.\" Avoid warning from groff about undefined register 'F'.
60. de IX 55.de IX
61. tm Index:\\$1\t\\n%\t"\\$2"
62.. 56..
63. nr % 0 57.nr rF 0
64. rr F 58.if \n(.g .if rF .nr rF 1
65.\} 59.if (\n(rF:(\n(.g==0)) \{
66.el \{\ 60. if \nF \{
67. de IX 61. de IX
62. tm Index:\\$1\t\\n%\t"\\$2"
68.. 63..
64. if !\nF==2 \{
65. nr % 0
66. nr F 2
67. \}
68. \}
69.\} 69.\}
70.rr rF
70.\" 71.\"
71.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). 72.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
72.\" Fear. Run. Save yourself. No user-serviceable parts. 73.\" Fear. Run. Save yourself. No user-serviceable parts.
73. \" fudge factors for nroff and troff 74. \" fudge factors for nroff and troff
74.if n \{\ 75.if n \{\
130.\} 131.\}
131.rm #[ #] #H #V #F C 132.rm #[ #] #H #V #F C
132.\" ======================================================================== 133.\" ========================================================================
133.\" 134.\"
134.IX Title "GVPE 5" 135.IX Title "GVPE 5"
135.TH GVPE 5 "2008-09-01" "2.2" "GNU Virtual Private Ethernet" 136.TH GVPE 5 "2016-11-02" "2.25" "GNU Virtual Private Ethernet"
136.\" For nroff, turn off justification. Always turn off hyphenation; it makes 137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
137.\" way too many mistakes in technical documents. 138.\" way too many mistakes in technical documents.
138.if n .ad l 139.if n .ad l
139.nh 140.nh
140.SH "NAME" 141.SH "NAME"
141GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. 142GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite.
142.SH "DESCRIPTION" 143.SH "DESCRIPTION"
143.IX Header "DESCRIPTION" 144.IX Header "DESCRIPTION"
144\&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple 145\&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple
145nodes over an untrusted network. This document first gives an introduction 146nodes over an untrusted network. This document first gives an introduction
146to VPNs in general and then describes the specific implementation of \s-1GVPE\s0. 147to VPNs in general and then describes the specific implementation of \s-1GVPE.\s0
147.Sh "\s-1WHAT\s0 \s-1IS\s0 A \s-1VPN\s0?" 148.SS "\s-1WHAT IS A VPN\s0?"
148.IX Subsection "WHAT IS A VPN?" 149.IX Subsection "WHAT IS A VPN?"
149\&\s-1VPN\s0 is an acronym, it stands for: 150\&\s-1VPN\s0 is an acronym, it stands for:
150.IP "Virtual" 4 151.IP "Virtual" 4
151.IX Item "Virtual" 152.IX Item "Virtual"
152Virtual means that no physical network is created (of course), but a 153Virtual means that no physical network is created (of course), but a
162inject (\*(L"spoof\*(R") packets. This means that nodes can be connected over 163inject (\*(L"spoof\*(R") packets. This means that nodes can be connected over
163untrusted networks such as the public Internet without fear of being 164untrusted networks such as the public Internet without fear of being
164eavesdropped while at the same time being able to trust data sent by other 165eavesdropped while at the same time being able to trust data sent by other
165nodes. 166nodes.
166.Sp 167.Sp
167In the case of \s-1GVPE\s0, even participating nodes cannot sniff packets 168In the case of \s-1GVPE,\s0 even participating nodes cannot sniff packets
168send to other nodes or spoof packets as if sent from other nodes, so 169send to other nodes or spoof packets as if sent from other nodes, so
169communications between any two nodes is private to those two nodes. 170communications between any two nodes is private to those two nodes.
170.IP "Network" 4 171.IP "Network" 4
171.IX Item "Network" 172.IX Item "Network"
172Network means that more than two parties can participate in the network, 173Network means that more than two parties can participate in the network,
173so for instance it's possible to connect multiple branches of a company 174so for instance it's possible to connect multiple branches of a company
174into a single network. Many so-called \*(L"\s-1VPN\s0\*(R" solutions only create 175into a single network. Many so-called \*(L"\s-1VPN\*(R"\s0 solutions only create
175point-to-point tunnels, which in turn can be used to build larger 176point-to-point tunnels, which in turn can be used to build larger
176networks. 177networks.
177.Sp 178.Sp
178\&\s-1GVPE\s0 provides a true multi-point network in which any number of nodes (at 179\&\s-1GVPE\s0 provides a true multi-point network in which any number of nodes (at
179least a few dozen in practise, the theoretical limit is 4095 nodes) can 180least a few dozen in practise, the theoretical limit is 4095 nodes) can
180participate. 181participate.
181.Sh "\s-1GVPE\s0 \s-1DESIGN\s0 \s-1GOALS\s0" 182.SS "\s-1GVPE DESIGN GOALS\s0"
182.IX Subsection "GVPE DESIGN GOALS" 183.IX Subsection "GVPE DESIGN GOALS"
183.IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 184.IP "\s-1SIMPLE DESIGN\s0" 4
184.IX Item "SIMPLE DESIGN" 185.IX Item "SIMPLE DESIGN"
185Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected 186Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected
186at compile time \- this makes it possible to only link in algorithms 187at compile time \- this makes it possible to only link in algorithms
187you actually need. It also makes the crypto part of the source very 188you actually need. It also makes the crypto part of the source very
188transparent and easy to inspect, and last not least this makes it possible 189transparent and easy to inspect, and last not least this makes it possible
189to hardcode the layout of all packets into the binary. \s-1GVPE\s0 goes a step 190to hardcode the layout of all packets into the binary. \s-1GVPE\s0 goes a step
190further and internally reserves blocks of the same length for all packets, 191further and internally reserves blocks of the same length for all packets,
191which virtually removes all possibilities of buffer overflows, as there is 192which virtually removes all possibilities of buffer overflows, as there is
192only a single type of buffer and it's always of fixed length. 193only a single type of buffer and it's always of fixed length.
193.IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 194.IP "\s-1EASY TO SETUP\s0" 4
194.IX Item "EASY TO SETUP" 195.IX Item "EASY TO SETUP"
195A few lines of config (the config file is shared unmodified between all 196A few lines of config (the config file is shared unmodified between all
196hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to 197hosts) and generating an \s-1RSA\s0 key-pair on each node suffices to make it
197make it work. 198work.
198.IP "MAC-BASED \s-1SECURITY\s0" 4 199.IP "MAC-BASED \s-1SECURITY\s0" 4
199.IX Item "MAC-BASED SECURITY" 200.IX Item "MAC-BASED SECURITY"
200Since every host has it's own private key, other hosts cannot spoof 201Since every host has it's own private key, other hosts cannot spoof
201traffic from this host. That makes it possible to filter packet by \s-1MAC\s0 202traffic from this host. That makes it possible to filter packet by \s-1MAC\s0
202address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in 203address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in
224impossible under most circumstances. 225impossible under most circumstances.
225.PP 226.PP
226Here are a few recipes for compiling your gvpe, showing the extremes 227Here are a few recipes for compiling your gvpe, showing the extremes
227(fast, small, insecure \s-1OR\s0 slow, large, more secure), between which you 228(fast, small, insecure \s-1OR\s0 slow, large, more secure), between which you
228should choose: 229should choose:
229.Sh "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" 230.SS "\s-1AS LOW PACKET OVERHEAD AS POSSIBLE\s0"
230.IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" 231.IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE"
231.Vb 1 232.Vb 1
232\& ./configure \-\-enable\-hmac\-length=4 \-\-enable\-rand\-length=0 233\& ./configure \-\-enable\-hmac\-length=4 \-\-enable\-rand\-length=0
233.Ve 234.Ve
234.PP 235.PP
235Minimize the header overhead of \s-1VPN\s0 packets (the above will result in 236Minimize the header overhead of \s-1VPN\s0 packets (the above will result in
236only 4 bytes of overhead over the raw ethernet frame). This is a insecure 237only 4 bytes of overhead over the raw ethernet frame). This is a insecure
237configuration because a \s-1HMAC\s0 length of 4 makes collision attacks based on 238configuration because a \s-1HMAC\s0 length of 4 makes collision attacks almost
238the birthday paradox pretty easy. 239trivial.
239.Sh "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" 240.SS "\s-1MINIMIZE CPU TIME REQUIRED\s0"
240.IX Subsection "MINIMIZE CPU TIME REQUIRED" 241.IX Subsection "MINIMIZE CPU TIME REQUIRED"
241.Vb 1 242.Vb 1
242\& ./configure \-\-enable\-cipher=bf \-\-enable\-digest=md4 243\& ./configure \-\-enable\-cipher=bf \-\-enable\-digest=md4
243.Ve 244.Ve
244.PP 245.PP
245Use the fastest cipher and digest algorithms currently available in 246Use the fastest cipher and digest algorithms currently available in
246gvpe. \s-1MD4\s0 has been broken and is quite insecure, though, so using another 247gvpe. \s-1MD4\s0 has been broken and is quite insecure, though, so using another
247digest algorithm is recommended. 248digest algorithm is recommended.
248.Sh "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" 249.SS "\s-1MAXIMIZE SECURITY\s0"
249.IX Subsection "MAXIMIZE SECURITY" 250.IX Subsection "MAXIMIZE SECURITY"
250.Vb 1 251.Vb 1
251\& ./configure \-\-enable\-hmac\-length=16 \-\-enable\-rand\-length=8 \-\-enable\-digest=sha1 252\& ./configure \-\-enable\-hmac\-length=16 \-\-enable\-rand\-length=12 \-\-enable\-digest=ripemd610
252.Ve 253.Ve
253.PP 254.PP
254This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12 255This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12
255would also be pretty secure ;) and will additionally prefix each packet 256would also be pretty secure ;) and will additionally prefix each packet
256with 8 bytes of random data. In the long run, people should move to 257with 12 bytes of random data.
257\&\s-1SHA\-256\s0 and beyond).
258.PP 258.PP
259In general, remember that \s-1AES\-128\s0 seems to be as secure but faster than 259In general, remember that \s-1AES\-128\s0 seems to be as secure but faster than
260\&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness helps against sniffing and a longer 260\&\s-1AES\-192\s0 or \s-1AES\-256,\s0 more randomness helps against sniffing and a longer
261\&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1\s0, \s-1RIPEMD160\s0, \s-1SHA256\s0 261\&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1, RIPEMD160, SHA256\s0
262are consecutively better, and Blowfish is a fast cipher (and also quite 262are consecutively better, and Blowfish is a fast cipher (and also quite
263secure). 263secure).
264.SH "HOW TO SET UP A SIMPLE VPN" 264.SH "HOW TO SET UP A SIMPLE VPN"
265.IX Header "HOW TO SET UP A SIMPLE VPN" 265.IX Header "HOW TO SET UP A SIMPLE VPN"
266In this section I will describe how to get a simple \s-1VPN\s0 consisting of 266In this section I will describe how to get a simple \s-1VPN\s0 consisting of
267three hosts up and running. 267three hosts up and running.
268.Sh "\s-1STEP\s0 1: configuration" 268.SS "\s-1STEP 1:\s0 configuration"
269.IX Subsection "STEP 1: configuration" 269.IX Subsection "STEP 1: configuration"
270First you have to create a daemon configuration file and put it into the 270First you have to create a daemon configuration file and put it into the
271configuration directory. This is usually \f(CW\*(C`/etc/gvpe\*(C'\fR, depending on how you 271configuration directory. This is usually \f(CW\*(C`/etc/gvpe\*(C'\fR, depending on how you
272configured gvpe, and can be overwritten using the \f(CW\*(C`\-c\*(C'\fR command line switch. 272configured gvpe, and can be overwritten using the \f(CW\*(C`\-c\*(C'\fR command line switch.
273.PP 273.PP
308.PP 308.PP
309By enabling routing on the gateway host that runs \f(CW\*(C`gvpe\*(C'\fR all nodes will 309By enabling routing on the gateway host that runs \f(CW\*(C`gvpe\*(C'\fR all nodes will
310be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0 310be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0
311or other means of pseudo-bridging, or (best) full routing \- the choice is 311or other means of pseudo-bridging, or (best) full routing \- the choice is
312yours. 312yours.
313.Sh "\s-1STEP\s0 2: create the \s-1RSA\s0 key pairs for all hosts" 313.SS "\s-1STEP 2:\s0 create the \s-1RSA\s0 key pair for each node"
314.IX Subsection "STEP 2: create the RSA key pairs for all hosts" 314.IX Subsection "STEP 2: create the RSA key pair for each node"
315Run the following command to generate all key pairs for all nodes (that 315Next you have to generate the \s-1RSA\s0 keys for the nodes. While you can set
316might take a while): 316up \s-1GVPE\s0 so you can generate all keys on a single host and centrally
317distribute all keys, it is safer to generate the key for each node on the
318node, so that the secret/private key does not have to be copied over the
319network.
317.PP 320.PP
321To do so, run the following command to generate a key pair:
322.PP
318.Vb 1 323.Vb 1
319\& gvpectrl \-c /etc/gvpe \-g 324\& gvpectrl \-c /etc/gvpe \-g nodekey
320.Ve 325.Ve
321.PP 326.PP
322This command will put the public keys into \f(CW\*(C`/etc/gvpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/gvpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. 327This will create two files, \fInodekey\fR and \fInodekey.privkey\fR. The former
328should be copied to \fI/etc/gvpe/pubkey/\fInodename\fI\fR on the host where
329your config file is (you will have to create the \fIpubkey\fR directory
330first):
331.PP
332.Vb 1
333\& scp nodekey confighost:/etc/gvpe/pubkey/nodename
334.Ve
335.PP
336The private key \fInodekey.privkey\fR should be moved to \fI/etc/gvpe/hostkey\fR:
337.PP
338.Vb 2
339\& mkdir \-p /etc/gvpe
340\& mv nodekey.privkey /etc/gvpe/hostkey
341.Ve
323.Sh "\s-1STEP\s0 3: distribute the config files to all nodes" 342.SS "\s-1STEP 3:\s0 distribute the config files to all nodes"
324.IX Subsection "STEP 3: distribute the config files to all nodes" 343.IX Subsection "STEP 3: distribute the config files to all nodes"
325Now distribute the config files and private keys to the other nodes. This 344Now distribute the config files and public keys to the other nodes.
326should be done in two steps, since only the private keys meant for a node
327should be distributed (so each node has only it's own private key).
328.PP 345.PP
329The example uses rsync-over-ssh 346The example uses rsync-over-ssh to copy the config file and all the public
330.PP 347keys:
331First all the config files without the hostkeys should be distributed:
332.PP 348.PP
333.Vb 3 349.Vb 3
334\& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkeys 350\& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkey
335\& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkeys 351\& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkey
336\& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkeys 352\& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkey
337.Ve 353.Ve
338.PP 354.PP
339Then the hostkeys should be copied:
340.PP
341.Vb 3
342\& rsync \-avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey
343\& rsync \-avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey
344\& rsync \-avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey
345.Ve
346.PP
347You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl \-c 355You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl
348/etc/gvpe \-s\*(C'\fR on each node and verify it's output. 356\&\-c /etc/gvpe \-s\*(C'\fR on each node and verify it's output.
349.Sh "\s-1STEP\s0 4: starting gvpe" 357.SS "\s-1STEP 4:\s0 starting gvpe"
350.IX Subsection "STEP 4: starting gvpe" 358.IX Subsection "STEP 4: starting gvpe"
351You should then start gvpe on each node by issuing a command like: 359You should then start gvpe on each node by issuing a command like:
352.PP 360.PP
353.Vb 1 361.Vb 1
354\& gvpe \-D \-l info first # first is the nodename 362\& gvpe \-D \-l info first # first is the nodename
366or equivalent. I use a line like this on all my systems: 374or equivalent. I use a line like this on all my systems:
367.PP 375.PP
368.Vb 1 376.Vb 1
369\& t1:2345:respawn:/opt/gvpe/sbin/gvpe \-D \-L first >/dev/null 2>&1 377\& t1:2345:respawn:/opt/gvpe/sbin/gvpe \-D \-L first >/dev/null 2>&1
370.Ve 378.Ve
371.Sh "\s-1STEP\s0 5: enjoy" 379.SS "\s-1STEP 5:\s0 enjoy"
372.IX Subsection "STEP 5: enjoy" 380.IX Subsection "STEP 5: enjoy"
373\&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon 381\&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon
374will make it try to connect to all other nodes again. If you run it from 382will make it try to connect to all other nodes again. If you run it from
375inittab, as is recommended, \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will 383inittab \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will kill the daemon,
376kill the daemon, start it again, making it read it's configuration files 384start it again, making it read it's configuration files again.
377again. 385.PP
386To run the \s-1GVPE\s0 daemon permanently from your SysV init, you can add it to
387your \fIinittab\fR, e.g.:
388.PP
389.Vb 1
390\& t1:2345:respawn:/bin/sh \-c "exec nice \-n\-20 /path/to/gvpe \-D node >/var/log/gvpe.log 2>&1"
391.Ve
392.PP
393For systems using systemd, you can use a unit file similar to this one:
394.PP
395.Vb 4
396\& [Unit]
397\& Description=gvpe
398\& After=network.target
399\& Before=remote\-fs.target
400\&
401\& [Service]
402\& ExecStart=/path/to/gvpe \-D node
403\& KillMode=process
404\& Restart=always
405\&
406\& [Install]
407\& WantedBy=multi\-user.target
408.Ve
378.SH "SEE ALSO" 409.SH "SEE ALSO"
379.IX Header "SEE ALSO" 410.IX Header "SEE ALSO"
380\&\fIgvpe.osdep\fR\|(5) for OS-dependent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8), 411\&\fIgvpe.osdep\fR\|(5) for OS-dependent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8),
381and for a description of the transports, protocol, and routing algorithm, 412and for a description of the transports, protocol, and routing algorithm,
382\&\fIgvpe.protocol\fR\|(7). 413\&\fIgvpe.protocol\fR\|(7).
386.SH "AUTHOR" 417.SH "AUTHOR"
387.IX Header "AUTHOR" 418.IX Header "AUTHOR"
388Marc Lehmann <gvpe@schmorp.de> 419Marc Lehmann <gvpe@schmorp.de>
389.SH "COPYRIGHTS AND LICENSES" 420.SH "COPYRIGHTS AND LICENSES"
390.IX Header "COPYRIGHTS AND LICENSES" 421.IX Header "COPYRIGHTS AND LICENSES"
391\&\s-1GVPE\s0 itself is distributed under the \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0 (see the file 422\&\s-1GVPE\s0 itself is distributed under the \s-1GENERAL PUBLIC LICENSE \s0(see the file
392\&\s-1COPYING\s0 that should be part of your distribution). 423\&\s-1COPYING\s0 that should be part of your distribution).
393.PP 424.PP
394In some configurations it uses modified versions of the tinc vpn suite, 425In some configurations it uses modified versions of the tinc vpn suite,
395which is also available under the \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0. 426which is also available under the \s-1GENERAL PUBLIC LICENSE.\s0

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines