| 1 | .\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.20) |
1 | .\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.30) |
| 2 | .\" |
2 | .\" |
| 3 | .\" Standard preamble: |
3 | .\" Standard preamble: |
| 4 | .\" ======================================================================== |
4 | .\" ======================================================================== |
| 5 | .de Sp \" Vertical space (when we can't use .PP) |
5 | .de Sp \" Vertical space (when we can't use .PP) |
| 6 | .if t .sp .5v |
6 | .if t .sp .5v |
| … | |
… | |
| 36 | .el\{\ |
36 | .el\{\ |
| 37 | . ds -- \|\(em\| |
37 | . ds -- \|\(em\| |
| 38 | . ds PI \(*p |
38 | . ds PI \(*p |
| 39 | . ds L" `` |
39 | . ds L" `` |
| 40 | . ds R" '' |
40 | . ds R" '' |
|
|
41 | . ds C` |
|
|
42 | . ds C' |
| 41 | 'br\} |
43 | 'br\} |
| 42 | .\" |
44 | .\" |
| 43 | .\" Escape single quotes in literal strings from groff's Unicode transform. |
45 | .\" Escape single quotes in literal strings from groff's Unicode transform. |
| 44 | .ie \n(.g .ds Aq \(aq |
46 | .ie \n(.g .ds Aq \(aq |
| 45 | .el .ds Aq ' |
47 | .el .ds Aq ' |
| 46 | .\" |
48 | .\" |
| 47 | .\" If the F register is turned on, we'll generate index entries on stderr for |
49 | .\" If the F register is turned on, we'll generate index entries on stderr for |
| 48 | .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
50 | .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
| 49 | .\" entries marked with X<> in POD. Of course, you'll have to process the |
51 | .\" entries marked with X<> in POD. Of course, you'll have to process the |
| 50 | .\" output yourself in some meaningful fashion. |
52 | .\" output yourself in some meaningful fashion. |
| 51 | .ie \nF \{\ |
53 | .\" |
|
|
54 | .\" Avoid warning from groff about undefined register 'F'. |
| 52 | . de IX |
55 | .de IX |
| 53 | . tm Index:\\$1\t\\n%\t"\\$2" |
|
|
| 54 | .. |
56 | .. |
| 55 | . nr % 0 |
57 | .nr rF 0 |
| 56 | . rr F |
58 | .if \n(.g .if rF .nr rF 1 |
| 57 | .\} |
59 | .if (\n(rF:(\n(.g==0)) \{ |
| 58 | .el \{\ |
60 | . if \nF \{ |
| 59 | . de IX |
61 | . de IX |
|
|
62 | . tm Index:\\$1\t\\n%\t"\\$2" |
| 60 | .. |
63 | .. |
|
|
64 | . if !\nF==2 \{ |
|
|
65 | . nr % 0 |
|
|
66 | . nr F 2 |
|
|
67 | . \} |
|
|
68 | . \} |
| 61 | .\} |
69 | .\} |
|
|
70 | .rr rF |
| 62 | .\" |
71 | .\" |
| 63 | .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
72 | .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
| 64 | .\" Fear. Run. Save yourself. No user-serviceable parts. |
73 | .\" Fear. Run. Save yourself. No user-serviceable parts. |
| 65 | . \" fudge factors for nroff and troff |
74 | . \" fudge factors for nroff and troff |
| 66 | .if n \{\ |
75 | .if n \{\ |
| … | |
… | |
| 122 | .\} |
131 | .\} |
| 123 | .rm #[ #] #H #V #F C |
132 | .rm #[ #] #H #V #F C |
| 124 | .\" ======================================================================== |
133 | .\" ======================================================================== |
| 125 | .\" |
134 | .\" |
| 126 | .IX Title "GVPE 5" |
135 | .IX Title "GVPE 5" |
| 127 | .TH GVPE 5 "2013-07-10" "2.24" "GNU Virtual Private Ethernet" |
136 | .TH GVPE 5 "2016-11-02" "2.25" "GNU Virtual Private Ethernet" |
| 128 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
| 129 | .\" way too many mistakes in technical documents. |
138 | .\" way too many mistakes in technical documents. |
| 130 | .if n .ad l |
139 | .if n .ad l |
| 131 | .nh |
140 | .nh |
| 132 | .SH "NAME" |
141 | .SH "NAME" |
| 133 | GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. |
142 | GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. |
| 134 | .SH "DESCRIPTION" |
143 | .SH "DESCRIPTION" |
| 135 | .IX Header "DESCRIPTION" |
144 | .IX Header "DESCRIPTION" |
| 136 | \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple |
145 | \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple |
| 137 | nodes over an untrusted network. This document first gives an introduction |
146 | nodes over an untrusted network. This document first gives an introduction |
| 138 | to VPNs in general and then describes the specific implementation of \s-1GVPE\s0. |
147 | to VPNs in general and then describes the specific implementation of \s-1GVPE.\s0 |
| 139 | .SS "\s-1WHAT\s0 \s-1IS\s0 A \s-1VPN\s0?" |
148 | .SS "\s-1WHAT IS A VPN\s0?" |
| 140 | .IX Subsection "WHAT IS A VPN?" |
149 | .IX Subsection "WHAT IS A VPN?" |
| 141 | \&\s-1VPN\s0 is an acronym, it stands for: |
150 | \&\s-1VPN\s0 is an acronym, it stands for: |
| 142 | .IP "Virtual" 4 |
151 | .IP "Virtual" 4 |
| 143 | .IX Item "Virtual" |
152 | .IX Item "Virtual" |
| 144 | Virtual means that no physical network is created (of course), but a |
153 | Virtual means that no physical network is created (of course), but a |
| … | |
… | |
| 154 | inject (\*(L"spoof\*(R") packets. This means that nodes can be connected over |
163 | inject (\*(L"spoof\*(R") packets. This means that nodes can be connected over |
| 155 | untrusted networks such as the public Internet without fear of being |
164 | untrusted networks such as the public Internet without fear of being |
| 156 | eavesdropped while at the same time being able to trust data sent by other |
165 | eavesdropped while at the same time being able to trust data sent by other |
| 157 | nodes. |
166 | nodes. |
| 158 | .Sp |
167 | .Sp |
| 159 | In the case of \s-1GVPE\s0, even participating nodes cannot sniff packets |
168 | In the case of \s-1GVPE,\s0 even participating nodes cannot sniff packets |
| 160 | send to other nodes or spoof packets as if sent from other nodes, so |
169 | send to other nodes or spoof packets as if sent from other nodes, so |
| 161 | communications between any two nodes is private to those two nodes. |
170 | communications between any two nodes is private to those two nodes. |
| 162 | .IP "Network" 4 |
171 | .IP "Network" 4 |
| 163 | .IX Item "Network" |
172 | .IX Item "Network" |
| 164 | Network means that more than two parties can participate in the network, |
173 | Network means that more than two parties can participate in the network, |
| 165 | so for instance it's possible to connect multiple branches of a company |
174 | so for instance it's possible to connect multiple branches of a company |
| 166 | into a single network. Many so-called \*(L"\s-1VPN\s0\*(R" solutions only create |
175 | into a single network. Many so-called \*(L"\s-1VPN\*(R"\s0 solutions only create |
| 167 | point-to-point tunnels, which in turn can be used to build larger |
176 | point-to-point tunnels, which in turn can be used to build larger |
| 168 | networks. |
177 | networks. |
| 169 | .Sp |
178 | .Sp |
| 170 | \&\s-1GVPE\s0 provides a true multi-point network in which any number of nodes (at |
179 | \&\s-1GVPE\s0 provides a true multi-point network in which any number of nodes (at |
| 171 | least a few dozen in practise, the theoretical limit is 4095 nodes) can |
180 | least a few dozen in practise, the theoretical limit is 4095 nodes) can |
| 172 | participate. |
181 | participate. |
| 173 | .SS "\s-1GVPE\s0 \s-1DESIGN\s0 \s-1GOALS\s0" |
182 | .SS "\s-1GVPE DESIGN GOALS\s0" |
| 174 | .IX Subsection "GVPE DESIGN GOALS" |
183 | .IX Subsection "GVPE DESIGN GOALS" |
| 175 | .IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 |
184 | .IP "\s-1SIMPLE DESIGN\s0" 4 |
| 176 | .IX Item "SIMPLE DESIGN" |
185 | .IX Item "SIMPLE DESIGN" |
| 177 | Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected |
186 | Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected |
| 178 | at compile time \- this makes it possible to only link in algorithms |
187 | at compile time \- this makes it possible to only link in algorithms |
| 179 | you actually need. It also makes the crypto part of the source very |
188 | you actually need. It also makes the crypto part of the source very |
| 180 | transparent and easy to inspect, and last not least this makes it possible |
189 | transparent and easy to inspect, and last not least this makes it possible |
| 181 | to hardcode the layout of all packets into the binary. \s-1GVPE\s0 goes a step |
190 | to hardcode the layout of all packets into the binary. \s-1GVPE\s0 goes a step |
| 182 | further and internally reserves blocks of the same length for all packets, |
191 | further and internally reserves blocks of the same length for all packets, |
| 183 | which virtually removes all possibilities of buffer overflows, as there is |
192 | which virtually removes all possibilities of buffer overflows, as there is |
| 184 | only a single type of buffer and it's always of fixed length. |
193 | only a single type of buffer and it's always of fixed length. |
| 185 | .IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 |
194 | .IP "\s-1EASY TO SETUP\s0" 4 |
| 186 | .IX Item "EASY TO SETUP" |
195 | .IX Item "EASY TO SETUP" |
| 187 | A few lines of config (the config file is shared unmodified between all |
196 | A few lines of config (the config file is shared unmodified between all |
| 188 | hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to |
197 | hosts) and generating an \s-1RSA\s0 key-pair on each node suffices to make it |
| 189 | make it work. |
198 | work. |
| 190 | .IP "MAC-BASED \s-1SECURITY\s0" 4 |
199 | .IP "MAC-BASED \s-1SECURITY\s0" 4 |
| 191 | .IX Item "MAC-BASED SECURITY" |
200 | .IX Item "MAC-BASED SECURITY" |
| 192 | Since every host has it's own private key, other hosts cannot spoof |
201 | Since every host has it's own private key, other hosts cannot spoof |
| 193 | traffic from this host. That makes it possible to filter packet by \s-1MAC\s0 |
202 | traffic from this host. That makes it possible to filter packet by \s-1MAC\s0 |
| 194 | address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in |
203 | address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in |
| … | |
… | |
| 216 | impossible under most circumstances. |
225 | impossible under most circumstances. |
| 217 | .PP |
226 | .PP |
| 218 | Here are a few recipes for compiling your gvpe, showing the extremes |
227 | Here are a few recipes for compiling your gvpe, showing the extremes |
| 219 | (fast, small, insecure \s-1OR\s0 slow, large, more secure), between which you |
228 | (fast, small, insecure \s-1OR\s0 slow, large, more secure), between which you |
| 220 | should choose: |
229 | should choose: |
| 221 | .SS "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" |
230 | .SS "\s-1AS LOW PACKET OVERHEAD AS POSSIBLE\s0" |
| 222 | .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" |
231 | .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" |
| 223 | .Vb 1 |
232 | .Vb 1 |
| 224 | \& ./configure \-\-enable\-hmac\-length=4 \-\-enable\-rand\-length=0 |
233 | \& ./configure \-\-enable\-hmac\-length=4 \-\-enable\-rand\-length=0 |
| 225 | .Ve |
234 | .Ve |
| 226 | .PP |
235 | .PP |
| 227 | Minimize the header overhead of \s-1VPN\s0 packets (the above will result in |
236 | Minimize the header overhead of \s-1VPN\s0 packets (the above will result in |
| 228 | only 4 bytes of overhead over the raw ethernet frame). This is a insecure |
237 | only 4 bytes of overhead over the raw ethernet frame). This is a insecure |
| 229 | configuration because a \s-1HMAC\s0 length of 4 makes collision attacks almost |
238 | configuration because a \s-1HMAC\s0 length of 4 makes collision attacks almost |
| 230 | trivial. |
239 | trivial. |
| 231 | .SS "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" |
240 | .SS "\s-1MINIMIZE CPU TIME REQUIRED\s0" |
| 232 | .IX Subsection "MINIMIZE CPU TIME REQUIRED" |
241 | .IX Subsection "MINIMIZE CPU TIME REQUIRED" |
| 233 | .Vb 1 |
242 | .Vb 1 |
| 234 | \& ./configure \-\-enable\-cipher=bf \-\-enable\-digest=md4 |
243 | \& ./configure \-\-enable\-cipher=bf \-\-enable\-digest=md4 |
| 235 | .Ve |
244 | .Ve |
| 236 | .PP |
245 | .PP |
| 237 | Use the fastest cipher and digest algorithms currently available in |
246 | Use the fastest cipher and digest algorithms currently available in |
| 238 | gvpe. \s-1MD4\s0 has been broken and is quite insecure, though, so using another |
247 | gvpe. \s-1MD4\s0 has been broken and is quite insecure, though, so using another |
| 239 | digest algorithm is recommended. |
248 | digest algorithm is recommended. |
| 240 | .SS "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" |
249 | .SS "\s-1MAXIMIZE SECURITY\s0" |
| 241 | .IX Subsection "MAXIMIZE SECURITY" |
250 | .IX Subsection "MAXIMIZE SECURITY" |
| 242 | .Vb 1 |
251 | .Vb 1 |
| 243 | \& ./configure \-\-enable\-hmac\-length=16 \-\-enable\-rand\-length=12 \-\-enable\-digest=ripemd610 |
252 | \& ./configure \-\-enable\-hmac\-length=16 \-\-enable\-rand\-length=12 \-\-enable\-digest=ripemd610 |
| 244 | .Ve |
253 | .Ve |
| 245 | .PP |
254 | .PP |
| 246 | This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12 |
255 | This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12 |
| 247 | would also be pretty secure ;) and will additionally prefix each packet |
256 | would also be pretty secure ;) and will additionally prefix each packet |
| 248 | with 12 bytes of random data. |
257 | with 12 bytes of random data. |
| 249 | .PP |
258 | .PP |
| 250 | In general, remember that \s-1AES\-128\s0 seems to be as secure but faster than |
259 | In general, remember that \s-1AES\-128\s0 seems to be as secure but faster than |
| 251 | \&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness helps against sniffing and a longer |
260 | \&\s-1AES\-192\s0 or \s-1AES\-256,\s0 more randomness helps against sniffing and a longer |
| 252 | \&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1\s0, \s-1RIPEMD160\s0, \s-1SHA256\s0 |
261 | \&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1, RIPEMD160, SHA256\s0 |
| 253 | are consecutively better, and Blowfish is a fast cipher (and also quite |
262 | are consecutively better, and Blowfish is a fast cipher (and also quite |
| 254 | secure). |
263 | secure). |
| 255 | .SH "HOW TO SET UP A SIMPLE VPN" |
264 | .SH "HOW TO SET UP A SIMPLE VPN" |
| 256 | .IX Header "HOW TO SET UP A SIMPLE VPN" |
265 | .IX Header "HOW TO SET UP A SIMPLE VPN" |
| 257 | In this section I will describe how to get a simple \s-1VPN\s0 consisting of |
266 | In this section I will describe how to get a simple \s-1VPN\s0 consisting of |
| 258 | three hosts up and running. |
267 | three hosts up and running. |
| 259 | .SS "\s-1STEP\s0 1: configuration" |
268 | .SS "\s-1STEP 1:\s0 configuration" |
| 260 | .IX Subsection "STEP 1: configuration" |
269 | .IX Subsection "STEP 1: configuration" |
| 261 | First you have to create a daemon configuration file and put it into the |
270 | First you have to create a daemon configuration file and put it into the |
| 262 | configuration directory. This is usually \f(CW\*(C`/etc/gvpe\*(C'\fR, depending on how you |
271 | configuration directory. This is usually \f(CW\*(C`/etc/gvpe\*(C'\fR, depending on how you |
| 263 | configured gvpe, and can be overwritten using the \f(CW\*(C`\-c\*(C'\fR command line switch. |
272 | configured gvpe, and can be overwritten using the \f(CW\*(C`\-c\*(C'\fR command line switch. |
| 264 | .PP |
273 | .PP |
| … | |
… | |
| 299 | .PP |
308 | .PP |
| 300 | By enabling routing on the gateway host that runs \f(CW\*(C`gvpe\*(C'\fR all nodes will |
309 | By enabling routing on the gateway host that runs \f(CW\*(C`gvpe\*(C'\fR all nodes will |
| 301 | be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0 |
310 | be able to reach the other nodes. You can, of course, also use proxy \s-1ARP\s0 |
| 302 | or other means of pseudo-bridging, or (best) full routing \- the choice is |
311 | or other means of pseudo-bridging, or (best) full routing \- the choice is |
| 303 | yours. |
312 | yours. |
| 304 | .SS "\s-1STEP\s0 2: create the \s-1RSA\s0 key pairs for all hosts" |
313 | .SS "\s-1STEP 2:\s0 create the \s-1RSA\s0 key pair for each node" |
| 305 | .IX Subsection "STEP 2: create the RSA key pairs for all hosts" |
314 | .IX Subsection "STEP 2: create the RSA key pair for each node" |
| 306 | Run the following command to generate all key pairs for all nodes (that |
315 | Next you have to generate the \s-1RSA\s0 keys for the nodes. While you can set |
| 307 | might take a while): |
316 | up \s-1GVPE\s0 so you can generate all keys on a single host and centrally |
|
|
317 | distribute all keys, it is safer to generate the key for each node on the |
|
|
318 | node, so that the secret/private key does not have to be copied over the |
|
|
319 | network. |
| 308 | .PP |
320 | .PP |
|
|
321 | To do so, run the following command to generate a key pair: |
|
|
322 | .PP |
| 309 | .Vb 1 |
323 | .Vb 1 |
| 310 | \& gvpectrl \-c /etc/gvpe \-g |
324 | \& gvpectrl \-c /etc/gvpe \-g nodekey |
| 311 | .Ve |
325 | .Ve |
| 312 | .PP |
326 | .PP |
| 313 | This command will put the public keys into \f(CW\*(C`/etc/gvpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/gvpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. |
327 | This will create two files, \fInodekey\fR and \fInodekey.privkey\fR. The former |
|
|
328 | should be copied to \fI/etc/gvpe/pubkey/\fInodename\fI\fR on the host where |
|
|
329 | your config file is (you will have to create the \fIpubkey\fR directory |
|
|
330 | first): |
|
|
331 | .PP |
|
|
332 | .Vb 1 |
|
|
333 | \& scp nodekey confighost:/etc/gvpe/pubkey/nodename |
|
|
334 | .Ve |
|
|
335 | .PP |
|
|
336 | The private key \fInodekey.privkey\fR should be moved to \fI/etc/gvpe/hostkey\fR: |
|
|
337 | .PP |
|
|
338 | .Vb 2 |
|
|
339 | \& mkdir \-p /etc/gvpe |
|
|
340 | \& mv nodekey.privkey /etc/gvpe/hostkey |
|
|
341 | .Ve |
| 314 | .SS "\s-1STEP\s0 3: distribute the config files to all nodes" |
342 | .SS "\s-1STEP 3:\s0 distribute the config files to all nodes" |
| 315 | .IX Subsection "STEP 3: distribute the config files to all nodes" |
343 | .IX Subsection "STEP 3: distribute the config files to all nodes" |
| 316 | Now distribute the config files and private keys to the other nodes. This |
344 | Now distribute the config files and public keys to the other nodes. |
| 317 | should be done in two steps, since only the private keys meant for a node |
|
|
| 318 | should be distributed (so each node has only it's own private key). |
|
|
| 319 | .PP |
345 | .PP |
| 320 | The example uses rsync-over-ssh |
346 | The example uses rsync-over-ssh to copy the config file and all the public |
| 321 | .PP |
347 | keys: |
| 322 | First all the config files without the hostkeys should be distributed: |
|
|
| 323 | .PP |
348 | .PP |
| 324 | .Vb 3 |
349 | .Vb 3 |
| 325 | \& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkeys |
350 | \& rsync \-avzessh /etc/gvpe first.example.net:/etc/. \-\-exclude hostkey |
| 326 | \& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkeys |
351 | \& rsync \-avzessh /etc/gvpe 133.55.82.9:/etc/. \-\-exclude hostkey |
| 327 | \& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkeys |
352 | \& rsync \-avzessh /etc/gvpe third.example.net:/etc/. \-\-exclude hostkey |
| 328 | .Ve |
353 | .Ve |
| 329 | .PP |
354 | .PP |
| 330 | Then the hostkeys should be copied: |
|
|
| 331 | .PP |
|
|
| 332 | .Vb 3 |
|
|
| 333 | \& rsync \-avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey |
|
|
| 334 | \& rsync \-avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey |
|
|
| 335 | \& rsync \-avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey |
|
|
| 336 | .Ve |
|
|
| 337 | .PP |
|
|
| 338 | You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl \-c |
355 | You should now check the configuration by issuing the command \f(CW\*(C`gvpectrl |
| 339 | /etc/gvpe \-s\*(C'\fR on each node and verify it's output. |
356 | \&\-c /etc/gvpe \-s\*(C'\fR on each node and verify it's output. |
| 340 | .SS "\s-1STEP\s0 4: starting gvpe" |
357 | .SS "\s-1STEP 4:\s0 starting gvpe" |
| 341 | .IX Subsection "STEP 4: starting gvpe" |
358 | .IX Subsection "STEP 4: starting gvpe" |
| 342 | You should then start gvpe on each node by issuing a command like: |
359 | You should then start gvpe on each node by issuing a command like: |
| 343 | .PP |
360 | .PP |
| 344 | .Vb 1 |
361 | .Vb 1 |
| 345 | \& gvpe \-D \-l info first # first is the nodename |
362 | \& gvpe \-D \-l info first # first is the nodename |
| … | |
… | |
| 357 | or equivalent. I use a line like this on all my systems: |
374 | or equivalent. I use a line like this on all my systems: |
| 358 | .PP |
375 | .PP |
| 359 | .Vb 1 |
376 | .Vb 1 |
| 360 | \& t1:2345:respawn:/opt/gvpe/sbin/gvpe \-D \-L first >/dev/null 2>&1 |
377 | \& t1:2345:respawn:/opt/gvpe/sbin/gvpe \-D \-L first >/dev/null 2>&1 |
| 361 | .Ve |
378 | .Ve |
| 362 | .SS "\s-1STEP\s0 5: enjoy" |
379 | .SS "\s-1STEP 5:\s0 enjoy" |
| 363 | .IX Subsection "STEP 5: enjoy" |
380 | .IX Subsection "STEP 5: enjoy" |
| 364 | \&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon |
381 | \&... and play around. Sending a \-HUP (\f(CW\*(C`gvpectrl \-kHUP\*(C'\fR) to the daemon |
| 365 | will make it try to connect to all other nodes again. If you run it from |
382 | will make it try to connect to all other nodes again. If you run it from |
| 366 | inittab, as is recommended, \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will |
383 | inittab \f(CW\*(C`gvpectrl \-k\*(C'\fR (or simply \f(CW\*(C`killall gvpe\*(C'\fR) will kill the daemon, |
| 367 | kill the daemon, start it again, making it read it's configuration files |
384 | start it again, making it read it's configuration files again. |
| 368 | again. |
385 | .PP |
|
|
386 | To run the \s-1GVPE\s0 daemon permanently from your SysV init, you can add it to |
|
|
387 | your \fIinittab\fR, e.g.: |
|
|
388 | .PP |
|
|
389 | .Vb 1 |
|
|
390 | \& t1:2345:respawn:/bin/sh \-c "exec nice \-n\-20 /path/to/gvpe \-D node >/var/log/gvpe.log 2>&1" |
|
|
391 | .Ve |
|
|
392 | .PP |
|
|
393 | For systems using systemd, you can use a unit file similar to this one: |
|
|
394 | .PP |
|
|
395 | .Vb 4 |
|
|
396 | \& [Unit] |
|
|
397 | \& Description=gvpe |
|
|
398 | \& After=network.target |
|
|
399 | \& Before=remote\-fs.target |
|
|
400 | \& |
|
|
401 | \& [Service] |
|
|
402 | \& ExecStart=/path/to/gvpe \-D node |
|
|
403 | \& KillMode=process |
|
|
404 | \& Restart=always |
|
|
405 | \& |
|
|
406 | \& [Install] |
|
|
407 | \& WantedBy=multi\-user.target |
|
|
408 | .Ve |
| 369 | .SH "SEE ALSO" |
409 | .SH "SEE ALSO" |
| 370 | .IX Header "SEE ALSO" |
410 | .IX Header "SEE ALSO" |
| 371 | \&\fIgvpe.osdep\fR\|(5) for OS-dependent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8), |
411 | \&\fIgvpe.osdep\fR\|(5) for OS-dependent information, \fIgvpe.conf\fR\|(5), \fIgvpectrl\fR\|(8), |
| 372 | and for a description of the transports, protocol, and routing algorithm, |
412 | and for a description of the transports, protocol, and routing algorithm, |
| 373 | \&\fIgvpe.protocol\fR\|(7). |
413 | \&\fIgvpe.protocol\fR\|(7). |
| … | |
… | |
| 377 | .SH "AUTHOR" |
417 | .SH "AUTHOR" |
| 378 | .IX Header "AUTHOR" |
418 | .IX Header "AUTHOR" |
| 379 | Marc Lehmann <gvpe@schmorp.de> |
419 | Marc Lehmann <gvpe@schmorp.de> |
| 380 | .SH "COPYRIGHTS AND LICENSES" |
420 | .SH "COPYRIGHTS AND LICENSES" |
| 381 | .IX Header "COPYRIGHTS AND LICENSES" |
421 | .IX Header "COPYRIGHTS AND LICENSES" |
| 382 | \&\s-1GVPE\s0 itself is distributed under the \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0 (see the file |
422 | \&\s-1GVPE\s0 itself is distributed under the \s-1GENERAL PUBLIC LICENSE \s0(see the file |
| 383 | \&\s-1COPYING\s0 that should be part of your distribution). |
423 | \&\s-1COPYING\s0 that should be part of your distribution). |
| 384 | .PP |
424 | .PP |
| 385 | In some configurations it uses modified versions of the tinc vpn suite, |
425 | In some configurations it uses modified versions of the tinc vpn suite, |
| 386 | which is also available under the \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0. |
426 | which is also available under the \s-1GENERAL PUBLIC LICENSE.\s0 |
