| … | |
… | |
| 370 | |
370 | |
| 371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
| 372 | |
372 | |
| 373 | This value must be the minimum of the MTU values of all nodes. |
373 | This value must be the minimum of the MTU values of all nodes. |
| 374 | |
374 | |
|
|
375 | =item nfmark = integer |
|
|
376 | |
|
|
377 | This advanced option, when set to a nonzero value (default: C<0>), tries |
|
|
378 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
|
|
379 | send packets. |
|
|
380 | |
|
|
381 | This can be used to make gvpe use a different set of routing rules. For |
|
|
382 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
383 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
384 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
385 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
386 | |
|
|
387 | ip rule add not fwmark 1000 lookup 99 |
|
|
388 | |
| 375 | =item node = nickname |
389 | =item node = nickname |
| 376 | |
390 | |
| 377 | Not really a config setting but introduces a node section. The nickname is |
391 | Not really a config setting but introduces a node section. The nickname is |
| 378 | used to select the right configuration section and must be passed as an |
392 | used to select the right configuration section and must be passed as an |
| 379 | argument to the gvpe daemon. |
393 | argument to the gvpe daemon. |
| … | |
… | |
| 439 | Same as C<node-up>, but gets called whenever a connection is lost. |
453 | Same as C<node-up>, but gets called whenever a connection is lost. |
| 440 | |
454 | |
| 441 | =item pid-file = path |
455 | =item pid-file = path |
| 442 | |
456 | |
| 443 | The path to the pid file to check and create |
457 | The path to the pid file to check and create |
| 444 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). |
458 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). The first C<%s> is replaced by |
|
|
459 | the nodename - any other use of C<%> must be written as C<%%>. |
| 445 | |
460 | |
| 446 | =item private-key = relative-path-to-key |
461 | =item private-key = relative-path-to-key |
| 447 | |
462 | |
| 448 | Sets the path (relative to the config directory) to the private key |
463 | Sets the path (relative to the config directory) to the private key |
| 449 | (default: C<hostkey>). This is a printf format string so every C<%> must |
464 | (default: C<hostkey>). This is a printf format string so every C<%> must |
| … | |
… | |
| 455 | private key file should be kept secret per-node to avoid spoofing, it is |
470 | private key file should be kept secret per-node to avoid spoofing, it is |
| 456 | not recommended to use this feature. |
471 | not recommended to use this feature. |
| 457 | |
472 | |
| 458 | =item rekey = seconds |
473 | =item rekey = seconds |
| 459 | |
474 | |
| 460 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
475 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
| 461 | reestablished every C<rekey> seconds, making them use a new encryption |
476 | reestablished every C<rekey> seconds, making them use a new encryption |
| 462 | key. |
477 | key. |
| 463 | |
478 | |
| 464 | =item nfmark = integer |
479 | =item seed-device = path |
| 465 | |
480 | |
| 466 | This advanced option, when set to a nonzero value (default: C<0>), tries |
481 | The random device used to initially and regularly seed the random |
| 467 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
482 | number generator (default: F</dev/urandom>). Randomness is of paramount |
| 468 | send packets. |
483 | importance to the security of the algorithms used in gvpe. |
| 469 | |
484 | |
| 470 | This can be used to make gvpe use a different set of routing rules. For |
485 | On program start and every seed-interval, gvpe will read 64 octets. |
| 471 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
| 472 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
| 473 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
| 474 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
| 475 | |
486 | |
| 476 | ip rule add not fwmark 1000 lookup 99 |
487 | Setting this path to the empty string will disable this functionality |
|
|
488 | completely (the underlying crypto library will likely look for entropy |
|
|
489 | sources on it's own though, so not all is lost). |
|
|
490 | |
|
|
491 | =item seed-interval = seconds |
|
|
492 | |
|
|
493 | The number of seconds between reseeds of the random number generator |
|
|
494 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
| 477 | |
495 | |
| 478 | =back |
496 | =back |
| 479 | |
497 | |
| 480 | =head2 NODE SPECIFIC SETTINGS |
498 | =head2 NODE SPECIFIC SETTINGS |
| 481 | |
499 | |
| … | |
… | |
| 712 | |
730 | |
| 713 | If used the node up or node-down scripts. |
731 | If used the node up or node-down scripts. |
| 714 | |
732 | |
| 715 | =item hostkey |
733 | =item hostkey |
| 716 | |
734 | |
| 717 | The private key (taken from C<hostkeys/nodename>) of the current host. |
735 | The (default path of the) private key of the current host. |
| 718 | |
736 | |
| 719 | =item pubkey/nodename |
737 | =item pubkey/nodename |
| 720 | |
738 | |
| 721 | The public keys of the other nodes, one file per node. |
739 | The public keys of the other nodes, one file per node. |
| 722 | |
740 | |
