… | |
… | |
370 | |
370 | |
371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
372 | |
372 | |
373 | This value must be the minimum of the MTU values of all nodes. |
373 | This value must be the minimum of the MTU values of all nodes. |
374 | |
374 | |
|
|
375 | =item nfmark = integer |
|
|
376 | |
|
|
377 | This advanced option, when set to a nonzero value (default: C<0>), tries |
|
|
378 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
|
|
379 | send packets. |
|
|
380 | |
|
|
381 | This can be used to make gvpe use a different set of routing rules. For |
|
|
382 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
383 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
384 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
385 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
386 | |
|
|
387 | ip rule add not fwmark 1000 lookup 99 |
|
|
388 | |
375 | =item node = nickname |
389 | =item node = nickname |
376 | |
390 | |
377 | Not really a config setting but introduces a node section. The nickname is |
391 | Not really a config setting but introduces a node section. The nickname is |
378 | used to select the right configuration section and must be passed as an |
392 | used to select the right configuration section and must be passed as an |
379 | argument to the gvpe daemon. |
393 | argument to the gvpe daemon. |
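Review bot: the nfmark text says gvpe "tries to set" the mark but never says what happens when that fails (logged, fatal, or silently ignored), and in the worked example this matters: the rule `ip rule add not fwmark 1000 lookup 99` sends every unmarked packet to table 99, so a node whose sockets did not get the mark would route its own tunnel packets through the tunnel. Please add one sentence stating the failure behaviour, and consider advising that the rule be installed only after the mark is confirmed to be in effect. Moving the item up to sit between `mtu` and `node` keeps the alphabetical order of the section, which is fine.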
… | |
… | |
439 | Same as C<node-up>, but gets called whenever a connection is lost. |
453 | Same as C<node-up>, but gets called whenever a connection is lost. |
440 | |
454 | |
441 | =item pid-file = path |
455 | =item pid-file = path |
442 | |
456 | |
443 | The path to the pid file to check and create |
457 | The path to the pid file to check and create |
444 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). |
458 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). The first C<%s> is replaced by |
|
|
459 | the nodename - any other use of C<%> must be written as C<%%>. |
445 | |
460 | |
446 | =item private-key = relative-path-to-key |
461 | =item private-key = relative-path-to-key |
447 | |
462 | |
448 | Sets the path (relative to the config directory) to the private key |
463 | Sets the path (relative to the config directory) to the private key |
449 | (default: C<hostkey>). This is a printf format string so every C<%> must |
464 | (default: C<hostkey>). This is a printf format string so every C<%> must |
… | |
… | |
455 | private key file should be kept secret per-node to avoid spoofing, it is |
470 | private key file should be kept secret per-node to avoid spoofing, it is |
456 | not recommended to use this feature. |
471 | not recommended to use this feature. |
457 | |
472 | |
458 | =item rekey = seconds |
473 | =item rekey = seconds |
459 | |
474 | |
460 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
475 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
461 | reestablished every C<rekey> seconds, making them use a new encryption |
476 | reestablished every C<rekey> seconds, making them use a new encryption |
462 | key. |
477 | key. |
463 | |
478 | |
464 | =item nfmark = integer |
479 | =item seed-device = path |
465 | |
480 | |
466 | This advanced option, when set to a nonzero value (default: C<0>), tries |
481 | The random device used to initially and regularly seed the random |
467 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
482 | number generator (default: F</dev/urandom>). Randomness is of paramount |
468 | send packets. |
483 | importance to the security of the algorithms used in gvpe. |
469 | |
484 | |
470 | This can be used to make gvpe use a different set of routing rules. For |
485 | On program start and every seed-interval, gvpe will read 64 octets. |
471 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
472 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
473 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
474 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
475 | |
486 | |
476 | ip rule add not fwmark 1000 lookup 99 |
487 | Setting this path to the empty string will disable this functionality |
|
|
488 | completely (the underlying crypto library will likely look for entropy |
|
|
489 | sources on it's own though, so not all is lost). |
|
|
490 | |
|
|
491 | =item seed-interval = seconds |
|
|
492 | |
|
|
493 | The number of seconds between reseeds of the random number generator |
|
|
494 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
477 | |
495 | |
478 | =back |
496 | =back |
479 | |
497 | |
480 | =head2 NODE SPECIFIC SETTINGS |
498 | =head2 NODE SPECIFIC SETTINGS |
481 | |
499 | |
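Review bot: the rekey default changes from C<3600> to C<3607> and the new seed-interval default is C<3613>, but the text gives no rationale; if the intent is to keep these periodic timers from lining up with other hourly jobs (both values are primes), say so in a short parenthetical, otherwise readers will "round" them back to 3600. Two smaller points in the same hunk: "on it's own" should read "on its own", and since the seed-device paragraph itself calls randomness "of paramount importance", the sentence that allows the empty string should state plainly that it is meant only for systems where the crypto library is known to seed itself, rather than presenting it as a neutral option. For pid-file, the new "first C<%s> is replaced by the nodename" wording mirrors the private-key format string, but unlike that item it does not say what happens when the pattern contains no C<%s> or more than one; one clause would settle it.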
… | |
… | |
712 | |
730 | |
713 | If used the node up or node-down scripts. |
731 | If used the node up or node-down scripts. |
714 | |
732 | |
715 | =item hostkey |
733 | =item hostkey |
716 | |
734 | |
717 | The private key (taken from C<hostkeys/nodename>) of the current host. |
735 | The (default path of the) private key of the current host. |
718 | |
736 | |
719 | =item pubkey/nodename |
737 | =item pubkey/nodename |
720 | |
738 | |
721 | The public keys of the other nodes, one file per node. |
739 | The public keys of the other nodes, one file per node. |
722 | |
740 | |
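Review bot: the new hostkey wording "The (default path of the) private key of the current host." is harder to read than the line it replaces and drops the information that the key is taken from a particular file; since the path is now configurable, suggest "The private key of the current host (this is the default path; see the C<private-key> setting)." so the reader is pointed at the setting that controls it. The unchanged context line "If used the node up or node-down scripts." is also ungrammatical (it reads as a fragment and mixes "node up" with "node-down"); it predates this change but is worth fixing while this file is being touched.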