--- gvpe/doc/gvpe.5 2016/03/30 04:02:50 1.13 +++ gvpe/doc/gvpe.5 2016/11/02 07:06:38 1.14 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "GVPE 5" -.TH GVPE 5 "2015-10-31" "2.25" "GNU Virtual Private Ethernet" +.TH GVPE 5 "2016-11-02" "2.25" "GNU Virtual Private Ethernet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -194,8 +194,8 @@ .IP "\s-1EASY TO SETUP\s0" 4 .IX Item "EASY TO SETUP" A few lines of config (the config file is shared unmodified between all -hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to -make it work. +hosts) and generating an \s-1RSA\s0 key-pair on each node suffices to make it +work. .IP "MAC-BASED \s-1SECURITY\s0" 4 .IX Item "MAC-BASED SECURITY" Since every host has it's own private key, other hosts cannot spoof 
@@ -310,42 +310,50 @@ be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0 or other means of pseudo-bridging, or (best) full routing \- the choice is yours. -.SS "\s-1STEP 2:\s0 create the \s-1RSA\s0 key pairs for all hosts" -.IX Subsection "STEP 2: create the RSA key pairs for all hosts" -Run the following command to generate all key pairs for all nodes (that -might take a while): +.SS "\s-1STEP 2:\s0 create the \s-1RSA\s0 key pair for each node" +.IX Subsection "STEP 2: create the RSA key pair for each node" +Next you have to generate the \s-1RSA\s0 keys for the nodes. While you can set +up \s-1GVPE\s0 so you can generate all keys on a single host and centrally +distribute all keys, it is safer to generate the key for each node on the +node, so that the secret/private key does not have to be copied over the +network. +.PP +To do so, run the following command to generate a key pair: .PP .Vb 1 -\& gvpectrl \-c /etc/gvpe \-g +\& gvpectrl \-c /etc/gvpe \-g nodekey .Ve .PP -This command will put the public keys into \f(CW\*(C`/etc/gvpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/gvpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. -.SS "\s-1STEP 3:\s0 distribute the config files to all nodes" -.IX Subsection "STEP 3: distribute the config files to all nodes" -Now distribute the config files and private keys to the other nodes. This -should be done in two steps, since only the private keys meant for a node -should be distributed (so each node has only it's own private key). +This will create two files, \fInodekey\fR and \fInodekey.privkey\fR. 
The former +should be copied to \fI/etc/gvpe/pubkey/\fInodename\fI\fR on the host where +your config file is (you will have to create the \fIpubkey\fR directory +first): .PP -The example uses rsync-over-ssh +.Vb 1 +\& scp nodekey confighost:/etc/gvpe/pubkey/nodename +.Ve .PP -First all the config files without the hostkeys should be distributed: +The private key \fInodekey.privkey\fR should be moved to \fI/etc/gvpe/hostkey\fR: .PP -.Vb 3 -\& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkeys -\& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkeys -\& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkeys +.Vb 2 +\& mkdir \-p /etc/gvpe +\& mv nodekey.privkey /etc/gvpe/hostkey .Ve +.SS "\s-1STEP 3:\s0 distribute the config files to all nodes" +.IX Subsection "STEP 3: distribute the config files to all nodes" +Now distribute the config files and public keys to the other nodes. .PP -Then the hostkeys should be copied: +The example uses rsync-over-ssh to copy the config file and all the public +keys: .PP .Vb 3 -\& rsync \-avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey -\& rsync \-avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey -\& rsync \-avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey +\& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkey +\& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkey +\& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkey .Ve .PP -You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl \-c -/etc/gvpe \-s\*(C'\fR on each node and verify it's output. +You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl +\&\-c /etc/gvpe \-s\*(C'\fR on each node and verify it's output. .SS "\s-1STEP 4:\s0 starting gvpe" .IX Subsection "STEP 4: starting gvpe" You should then start gvpe on each node by issuing a command like: 
@@ -372,9 +380,32 @@ .IX Subsection "STEP 5: enjoy" \&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon will make it try to connect to all other nodes again. If you run it from -inittab, as is recommended, \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will -kill the daemon, start it again, making it read it's configuration files -again. +inittab \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will kill the daemon, +start it again, making it read it's configuration files again. +.PP +To run the \s-1GVPE\s0 daemon permanently from your SysV init, you can add it to +your \fIinittab\fR, e.g.: +.PP +.Vb 1 +\& t1:2345:respawn:/bin/sh \-c "exec nice \-n\-20 /path/to/gvpe \-D node >/var/log/gvpe.log 2>&1" +.Ve +.PP +For systems using systemd, you can use a unit file similar to this one: +.PP +.Vb 4 +\& [Unit] +\& Description=gvpe +\& After=network.target +\& Before=remote\-fs.target +\& +\& [Service] +\& ExecStart=/path/to/gvpe \-D node +\& KillMode=process +\& Restart=always +\& +\& [Install] +\& WantedBy=multi\-user.target +.Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIgvpe.osdep\fR\|(5) for OS-dependent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8),
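Review bot: in the `.TH` line of the @@ -133,7 hunk only the date moves to 2016-11-02 while the version field stays "2.25", yet the later hunks of this same patch replace the documented key workflow (`gvpectrl -g` for all nodes becomes `gvpectrl -g nodekey` per node with separate `pubkey/` and `hostkey` files). Please confirm that 2.25 is the release this workflow actually ships in; if it is not, the version string should move with it, otherwise someone reading the installed 2.25 man page will follow a procedure their binary does not implement.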
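Review bot: the rewritten EASY TO SETUP sentence in the @@ -194,8 hunk drops the tool name entirely ("generating an RSA key-pair on each node"), while STEP 2 still does this with `gvpectrl -c /etc/gvpe -g nodekey`; suggest "generating an RSA key-pair with gvpectrl on each node" so the overview names the same tool the procedure uses. While this paragraph is being touched, the unchanged context line "Since every host has it's own private key" should read "its own private key".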
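Review bot: the new STEP 2 text in the @@ -310,42 hunk says "you will have to create the pubkey directory first" but shows no command for it, and the private-key step (`mkdir -p /etc/gvpe` / `mv nodekey.privkey /etc/gvpe/hostkey`) says nothing about restricting access to that file, which is the whole reason the hunk gives for generating the key on the node instead of copying it over the network. Suggest prefixing the scp example with `mkdir -p /etc/gvpe/pubkey` (run on confighost) and following the `mv` with a line making `/etc/gvpe/hostkey` readable only by the user gvpe runs as, e.g. `chmod 600 /etc/gvpe/hostkey`. Minor: the renamed `--exclude hostkey` in the rsync lines does match the new file name, good; the last added line should read "verify its output", not "it's".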
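Review bot: the systemd unit added in the @@ -372,9 hunk sets `KillMode=process` with no explanation; that setting makes `systemctl stop` signal only the main gvpe process and leave anything it spawned running, which is a deliberate deviation from the default and, combined with `Restart=always`, can accumulate stray helper processes across restarts. If this is intended (for example to keep scripts gvpe launches alive), one sentence saying so would help; otherwise drop the line and take the default control-group behaviour. Two smaller points in the same hunk: removing ", as is recommended," left the sentence as "If you run it from inittab gvpectrl -k ...", which needs a comma after "inittab", and "read it's configuration files" should be "its"; also the `.Vb 4` before the eleven-line unit file only affects the keep-together hint, but if the .5 is regenerated from POD the count will be recomputed anyway.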