| … | |
… | |
| 131 | .\} |
131 | .\} |
| 132 | .rm #[ #] #H #V #F C |
132 | .rm #[ #] #H #V #F C |
| 133 | .\" ======================================================================== |
133 | .\" ======================================================================== |
| 134 | .\" |
134 | .\" |
| 135 | .IX Title "GVPE 5" |
135 | .IX Title "GVPE 5" |
| 136 | .TH GVPE 5 "2015-10-31" "2.25" "GNU Virtual Private Ethernet" |
136 | .TH GVPE 5 "2016-11-02" "2.25" "GNU Virtual Private Ethernet" |
| 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
| 138 | .\" way too many mistakes in technical documents. |
138 | .\" way too many mistakes in technical documents. |
| 139 | .if n .ad l |
139 | .if n .ad l |
| 140 | .nh |
140 | .nh |
| 141 | .SH "NAME" |
141 | .SH "NAME" |
| … | |
… | |
| 192 | which virtually removes all possibilities of buffer overflows, as there is |
192 | which virtually removes all possibilities of buffer overflows, as there is |
| 193 | only a single type of buffer and it's always of fixed length. |
193 | only a single type of buffer and it's always of fixed length. |
| 194 | .IP "\s-1EASY TO SETUP\s0" 4 |
194 | .IP "\s-1EASY TO SETUP\s0" 4 |
| 195 | .IX Item "EASY TO SETUP" |
195 | .IX Item "EASY TO SETUP" |
| 196 | A few lines of config (the config file is shared unmodified between all |
196 | A few lines of config (the config file is shared unmodified between all |
| 197 | hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to |
197 | hosts) and generating an \s-1RSA\s0 key-pair on each node suffices to make it |
| 198 | make it work. |
198 | work. |
| 199 | .IP "MAC-BASED \s-1SECURITY\s0" 4 |
199 | .IP "MAC-BASED \s-1SECURITY\s0" 4 |
| 200 | .IX Item "MAC-BASED SECURITY" |
200 | .IX Item "MAC-BASED SECURITY" |
| 201 | Since every host has it's own private key, other hosts cannot spoof |
201 | Since every host has it's own private key, other hosts cannot spoof |
| 202 | traffic from this host. That makes it possible to filter packet by \s-1MAC\s0 |
202 | traffic from this host. That makes it possible to filter packet by \s-1MAC\s0 |
| 203 | address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in |
203 | address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in |
| … | |
… | |
| 308 | .PP |
308 | .PP |
| 309 | By enabling routing on the gateway host that runs \f(CW\*(C`gvpe\*(C'\fR all nodes will |
309 | By enabling routing on the gateway host that runs \f(CW\*(C`gvpe\*(C'\fR all nodes will |
| 310 | be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0 |
310 | be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0 |
| 311 | or other means of pseudo-bridging, or (best) full routing \- the choice is |
311 | or other means of pseudo-bridging, or (best) full routing \- the choice is |
| 312 | yours. |
312 | yours. |
| 313 | .SS "\s-1STEP 2:\s0 create the \s-1RSA\s0 key pairs for all hosts" |
313 | .SS "\s-1STEP 2:\s0 create the \s-1RSA\s0 key pair for each node" |
| 314 | .IX Subsection "STEP 2: create the RSA key pairs for all hosts" |
314 | .IX Subsection "STEP 2: create the RSA key pair for each node" |
| 315 | Run the following command to generate all key pairs for all nodes (that |
315 | Next you have to generate the \s-1RSA\s0 keys for the nodes. While you can set |
| 316 | might take a while): |
316 | up \s-1GVPE\s0 so you can generate all keys on a single host and centrally |
|
|
317 | distribute all keys, it is safer to generate the key for each node on the |
|
|
318 | node, so that the secret/private key does not have to be copied over the |
|
|
319 | network. |
| 317 | .PP |
320 | .PP |
|
|
321 | To do so, run the following command to generate a key pair: |
|
|
322 | .PP |
| 318 | .Vb 1 |
323 | .Vb 1 |
| 319 | \& gvpectrl \-c /etc/gvpe \-g |
324 | \& gvpectrl \-c /etc/gvpe \-g nodekey |
| 320 | .Ve |
325 | .Ve |
| 321 | .PP |
326 | .PP |
| 322 | This command will put the public keys into \f(CW\*(C`/etc/gvpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/gvpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. |
327 | This will create two files, \fInodekey\fR and \fInodekey.privkey\fR. The former |
|
|
328 | should be copied to \fI/etc/gvpe/pubkey/\fInodename\fI\fR on the host where |
|
|
329 | your config file is (you will have to create the \fIpubkey\fR directory |
|
|
330 | first): |
|
|
331 | .PP |
|
|
332 | .Vb 1 |
|
|
333 | \& scp nodekey confighost:/etc/gvpe/pubkey/nodename |
|
|
334 | .Ve |
|
|
335 | .PP |
|
|
336 | The private key \fInodekey.privkey\fR should be moved to \fI/etc/gvpe/hostkey\fR: |
|
|
337 | .PP |
|
|
338 | .Vb 2 |
|
|
339 | \& mkdir \-p /etc/gvpe |
|
|
340 | \& mv nodekey.privkey /etc/gvpe/hostkey |
|
|
341 | .Ve |
| 323 | .SS "\s-1STEP 3:\s0 distribute the config files to all nodes" |
342 | .SS "\s-1STEP 3:\s0 distribute the config files to all nodes" |
| 324 | .IX Subsection "STEP 3: distribute the config files to all nodes" |
343 | .IX Subsection "STEP 3: distribute the config files to all nodes" |
| 325 | Now distribute the config files and private keys to the other nodes. This |
344 | Now distribute the config files and public keys to the other nodes. |
| 326 | should be done in two steps, since only the private keys meant for a node |
|
|
| 327 | should be distributed (so each node has only it's own private key). |
|
|
| 328 | .PP |
345 | .PP |
| 329 | The example uses rsync-over-ssh |
346 | The example uses rsync-over-ssh to copy the config file and all the public |
| 330 | .PP |
347 | keys: |
| 331 | First all the config files without the hostkeys should be distributed: |
|
|
| 332 | .PP |
348 | .PP |
| 333 | .Vb 3 |
349 | .Vb 3 |
| 334 | \& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkeys |
350 | \& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkey |
| 335 | \& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkeys |
351 | \& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkey |
| 336 | \& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkeys |
352 | \& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkey |
| 337 | .Ve |
353 | .Ve |
| 338 | .PP |
354 | .PP |
| 339 | Then the hostkeys should be copied: |
|
|
| 340 | .PP |
|
|
| 341 | .Vb 3 |
|
|
| 342 | \& rsync \-avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey |
|
|
| 343 | \& rsync \-avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey |
|
|
| 344 | \& rsync \-avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey |
|
|
| 345 | .Ve |
|
|
| 346 | .PP |
|
|
| 347 | You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl \-c |
355 | You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl |
| 348 | /etc/gvpe \-s\*(C'\fR on each node and verify it's output. |
356 | \&\-c /etc/gvpe \-s\*(C'\fR on each node and verify it's output. |
| 349 | .SS "\s-1STEP 4:\s0 starting gvpe" |
357 | .SS "\s-1STEP 4:\s0 starting gvpe" |
| 350 | .IX Subsection "STEP 4: starting gvpe" |
358 | .IX Subsection "STEP 4: starting gvpe" |
| 351 | You should then start gvpe on each node by issuing a command like: |
359 | You should then start gvpe on each node by issuing a command like: |
| 352 | .PP |
360 | .PP |
| 353 | .Vb 1 |
361 | .Vb 1 |
| … | |
… | |
| 370 | .Ve |
378 | .Ve |
| 371 | .SS "\s-1STEP 5:\s0 enjoy" |
379 | .SS "\s-1STEP 5:\s0 enjoy" |
| 372 | .IX Subsection "STEP 5: enjoy" |
380 | .IX Subsection "STEP 5: enjoy" |
| 373 | \&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon |
381 | \&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon |
| 374 | will make it try to connect to all other nodes again. If you run it from |
382 | will make it try to connect to all other nodes again. If you run it from |
| 375 | inittab, as is recommended, \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will |
383 | inittab \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will kill the daemon, |
| 376 | kill the daemon, start it again, making it read it's configuration files |
384 | start it again, making it read it's configuration files again. |
| 377 | again. |
385 | .PP |
|
|
386 | To run the \s-1GVPE\s0 daemon permanently from your SysV init, you can add it to |
|
|
387 | your \fIinittab\fR, e.g.: |
|
|
388 | .PP |
|
|
389 | .Vb 1 |
|
|
390 | \& t1:2345:respawn:/bin/sh \-c "exec nice \-n\-20 /path/to/gvpe \-D node >/var/log/gvpe.log 2>&1" |
|
|
391 | .Ve |
|
|
392 | .PP |
|
|
393 | For systems using systemd, you can use a unit file similar to this one: |
|
|
394 | .PP |
|
|
395 | .Vb 4 |
|
|
396 | \& [Unit] |
|
|
397 | \& Description=gvpe |
|
|
398 | \& After=network.target |
|
|
399 | \& Before=remote\-fs.target |
|
|
400 | \& |
|
|
401 | \& [Service] |
|
|
402 | \& ExecStart=/path/to/gvpe \-D node |
|
|
403 | \& KillMode=process |
|
|
404 | \& Restart=always |
|
|
405 | \& |
|
|
406 | \& [Install] |
|
|
407 | \& WantedBy=multi\-user.target |
|
|
408 | .Ve |
| 378 | .SH "SEE ALSO" |
409 | .SH "SEE ALSO" |
| 379 | .IX Header "SEE ALSO" |
410 | .IX Header "SEE ALSO" |
| 380 | \&\fIgvpe.osdep\fR\|(5) for OS-dependent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8), |
411 | \&\fIgvpe.osdep\fR\|(5) for OS-dependent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8), |
| 381 | and for a description of the transports, protocol, and routing algorithm, |
412 | and for a description of the transports, protocol, and routing algorithm, |
| 382 | \&\fIgvpe.protocol\fR\|(7). |
413 | \&\fIgvpe.protocol\fR\|(7). |
