--- gvpe/doc/gvpe.5 2013/07/13 04:10:29 1.12 +++ gvpe/doc/gvpe.5 2016/03/30 04:02:50 1.13 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.20) +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.30) .\" .\" Standard preamble: .\" ======================================================================== @@ -38,6 +38,8 @@ . ds PI \(*p . ds L" `` . ds R" '' +. ds C` +. ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. @@ -48,17 +50,24 @@ .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX .. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} .\} +.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -124,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "GVPE 5" -.TH GVPE 5 "2013-07-10" "2.24" "GNU Virtual Private Ethernet" +.TH GVPE 5 "2015-10-31" "2.25" "GNU Virtual Private Ethernet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -135,8 +144,8 @@ .IX Header "DESCRIPTION" \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple nodes over an untrusted network. This document first gives an introduction -to VPNs in general and then describes the specific implementation of \s-1GVPE\s0. -.SS "\s-1WHAT\s0 \s-1IS\s0 A \s-1VPN\s0?" +to VPNs in general and then describes the specific implementation of \s-1GVPE.\s0 +.SS "\s-1WHAT IS A VPN\s0?" .IX Subsection "WHAT IS A VPN?" \&\s-1VPN\s0 is an acronym, it stands for: .IP "Virtual" 4 @@ -156,23 +165,23 @@ eavesdropped while at the same time being able to trust data sent by other nodes. .Sp -In the case of \s-1GVPE\s0, even participating nodes cannot sniff packets +In the case of \s-1GVPE,\s0 even participating nodes cannot sniff packets send to other nodes or spoof packets as if sent from other nodes, so communications between any two nodes is private to those two nodes. .IP "Network" 4 .IX Item "Network" Network means that more than two parties can participate in the network, so for instance it's possible to connect multiple branches of a company -into a single network. Many so-called \*(L"\s-1VPN\s0\*(R" solutions only create +into a single network. Many so-called \*(L"\s-1VPN\*(R"\s0 solutions only create point-to-point tunnels, which in turn can be used to build larger networks. .Sp \&\s-1GVPE\s0 provides a true multi-point network in which any number of nodes (at least a few dozen in practise, the theoretical limit is 4095 nodes) can participate. -.SS "\s-1GVPE\s0 \s-1DESIGN\s0 \s-1GOALS\s0" +.SS "\s-1GVPE DESIGN GOALS\s0" .IX Subsection "GVPE DESIGN GOALS" -.IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 +.IP "\s-1SIMPLE DESIGN\s0" 4 .IX Item "SIMPLE DESIGN" Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected at compile time \- this makes it possible to only link in algorithms @@ -182,7 +191,7 @@ further and internally reserves blocks of the same length for all packets, which virtually removes all possibilities of buffer overflows, as there is only a single type of buffer and it's always of fixed length. -.IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 +.IP "\s-1EASY TO SETUP\s0" 4 .IX Item "EASY TO SETUP" A few lines of config (the config file is shared unmodified between all hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to @@ -218,7 +227,7 @@ Here are a few recipes for compiling your gvpe, showing the extremes (fast, small, insecure \s-1OR\s0 slow, large, more secure), between which you should choose: -.SS "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" +.SS "\s-1AS LOW PACKET OVERHEAD AS POSSIBLE\s0" .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" .Vb 1 \& ./configure \-\-enable\-hmac\-length=4 \-\-enable\-rand\-length=0 @@ -228,7 +237,7 @@ only 4 bytes of overhead over the raw ethernet frame). This is a insecure configuration because a \s-1HMAC\s0 length of 4 makes collision attacks almost trivial. -.SS "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" +.SS "\s-1MINIMIZE CPU TIME REQUIRED\s0" .IX Subsection "MINIMIZE CPU TIME REQUIRED" .Vb 1 \& ./configure \-\-enable\-cipher=bf \-\-enable\-digest=md4 @@ -237,7 +246,7 @@ Use the fastest cipher and digest algorithms currently available in gvpe. \s-1MD4\s0 has been broken and is quite insecure, though, so using another digest algorithm is recommended. -.SS "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" +.SS "\s-1MAXIMIZE SECURITY\s0" .IX Subsection "MAXIMIZE SECURITY" .Vb 1 \& ./configure \-\-enable\-hmac\-length=16 \-\-enable\-rand\-length=12 \-\-enable\-digest=ripemd610 @@ -248,15 +257,15 @@ with 12 bytes of random data. .PP In general, remember that \s-1AES\-128\s0 seems to be as secure but faster than -\&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness helps against sniffing and a longer -\&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1\s0, \s-1RIPEMD160\s0, \s-1SHA256\s0 +\&\s-1AES\-192\s0 or \s-1AES\-256,\s0 more randomness helps against sniffing and a longer +\&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1, RIPEMD160, SHA256\s0 are consecutively better, and Blowfish is a fast cipher (and also quite secure). .SH "HOW TO SET UP A SIMPLE VPN" .IX Header "HOW TO SET UP A SIMPLE VPN" In this section I will describe how to get a simple \s-1VPN\s0 consisting of three hosts up and running. -.SS "\s-1STEP\s0 1: configuration" +.SS "\s-1STEP 1:\s0 configuration" .IX Subsection "STEP 1: configuration" First you have to create a daemon configuration file and put it into the configuration directory. This is usually \f(CW\*(C`/etc/gvpe\*(C'\fR, depending on how you @@ -301,7 +310,7 @@ be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0 or other means of pseudo-bridging, or (best) full routing \- the choice is yours. -.SS "\s-1STEP\s0 2: create the \s-1RSA\s0 key pairs for all hosts" +.SS "\s-1STEP 2:\s0 create the \s-1RSA\s0 key pairs for all hosts" .IX Subsection "STEP 2: create the RSA key pairs for all hosts" Run the following command to generate all key pairs for all nodes (that might take a while): @@ -311,7 +320,7 @@ .Ve .PP This command will put the public keys into \f(CW\*(C`/etc/gvpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/gvpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. -.SS "\s-1STEP\s0 3: distribute the config files to all nodes" +.SS "\s-1STEP 3:\s0 distribute the config files to all nodes" .IX Subsection "STEP 3: distribute the config files to all nodes" Now distribute the config files and private keys to the other nodes. This should be done in two steps, since only the private keys meant for a node @@ -337,7 +346,7 @@ .PP You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl \-c /etc/gvpe \-s\*(C'\fR on each node and verify it's output. -.SS "\s-1STEP\s0 4: starting gvpe" +.SS "\s-1STEP 4:\s0 starting gvpe" .IX Subsection "STEP 4: starting gvpe" You should then start gvpe on each node by issuing a command like: .PP @@ -359,7 +368,7 @@ .Vb 1 \& t1:2345:respawn:/opt/gvpe/sbin/gvpe \-D \-L first >/dev/null 2>&1 .Ve -.SS "\s-1STEP\s0 5: enjoy" +.SS "\s-1STEP 5:\s0 enjoy" .IX Subsection "STEP 5: enjoy" \&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon will make it try to connect to all other nodes again. If you run it from @@ -379,8 +388,8 @@ Marc Lehmann .SH "COPYRIGHTS AND LICENSES" .IX Header "COPYRIGHTS AND LICENSES" -\&\s-1GVPE\s0 itself is distributed under the \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0 (see the file +\&\s-1GVPE\s0 itself is distributed under the \s-1GENERAL PUBLIC LICENSE \s0(see the file \&\s-1COPYING\s0 that should be part of your distribution). .PP In some configurations it uses modified versions of the tinc vpn suite, -which is also available under the \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0. +which is also available under the \s-1GENERAL PUBLIC LICENSE.\s0