gvpe/doc/gvpe.conf.5.pod

=head1 NAME

gvpe.conf - configuration file for the GNU VPE daemon

=head1 SYNOPSIS

   # global options for all nodes
   udp-port = 407
   mtu = 1492
   ifname = vpn0

   # first node is named branch1 and is at 1.2.3.4
   node = branch1
   hostname = 1.2.3.4

   # second node uses dns to resolve the address
   node = branch2
   hostname = www.example.net
   udp-port = 500       # this host uses a different udp-port

   # third node has no fixed ip address
   node = branch3
   connect = ondemand

=head1 DESCRIPTION

The gvpe config file consists of a series of lines that contain C<variable
= value> pairs. Empty lines are ignored. Comments start with a C<#> and
extend to the end of the line. They can be used on their own lines, or
after any directives. Whitespace is allowed around the C<=> sign or after
values, but not within the variable names or values themselves.

All settings are applied "in order", that is, later settings of the same
variable overwrite earlier ones.

The only exceptions to the above are the following directives:

=over 4

=item node nodename

Introduces a node section. The nodename is used to select the right
configuration section and is the same string as is passed as an argument
to the gvpe daemon.

Multiple C<node> statements with the same node name are supported and will
be merged together.

=item global

This statement switches back to the global section, which is mainly
useful if you want to include a second config file, e..g for local
customisations. To do that, simply include this at the very end of your
config file:

   global
   include local.conf

=item on nodename ...

=item on !nodename ...

You can prefix any configuration directive with C<on> and a nodename. GVPE
will will only "execute" it on the named node, or (if the nodename starts
with C<!>) on all nodes except the named one.

Example: set the MTU to C<1450> everywhere, C<loglevel> to C<noise> on
C<branch1>, and C<connect> to C<ondemand> everywhere but on branch2.

   mtu = 1450
   on branch1 loglevel = noise
   on !branch2 connect = ondemand

=item include relative-or-absolute-path

Reads the specified file (the path must not contain whitespace or C<=>
characters) and evaluate all config directives in it as if they were
spelled out in place of the C<include> directive.

The path is a printf format string, that is, you must escape any C<%>
by doubling it, and you can have a single C<%s> inside, which will be
replaced by the current nodename.

Relative paths are interpreted relative to the GVPE config directory.

Example: include the file F<local.conf> in the config directory on every
node.

   include local.conf

Example: include a file F<conf/>nodenameF<.conf>

   include conf/%s.conf

=back

=head1 ANATOMY OF A CONFIG FILE

Usually, a config file starts with a few global settings (like the UDP
port to listen on), followed by node-specific sections that begin with a
C<node = nickname> line.

Every node that is part of the network must have a section that starts
with C<node = nickname>. The number and order of the nodes is important
and must be the same on all nodes. It is not uncommon for node sections to
be completely empty - if the default values are right.

Node-specific settings can be used at any time. If used before the first
node section they will set the default values for all following nodes.

=head1 CONFIG VARIABLES

=head2 GLOBAL SETTINGS

Global settings will affect the behaviour of the running gvpe daemon, that
is, they are in some sense node-specific (config files can set different
values on different nodes using C<on>), but will affect the behaviour of
the gvpe daemon and all connections it creates.

=over 4

=item chroot = path or /

Tells GVPE to chroot(2) to the specified path after reading all necessary
files, binding to sockets and running the C<if-up> script, but before
running C<node-up> or any other scripts.

The special path F</> instructs GVPE to create (and remove) an empty
temporary directory to use as new root. This is most secure, but makes it
impossible to use any scripts other than the C<if-up> one.

=item chuid = numerical-uid

=item chgid = numerical-gid

These two options tell GVPE to change to the given user and/or group id
after reading all necessary files, binding to sockets and running the
C<if-up> script.

Other scripts, such as C<node-up>, are run with the new user id or group id.

=item chuser = username

Alternative to C<chuid> and C<chgid>: Sets both C<chuid> and C<chgid>
to the user and (primary) group ids of the specified user (for example,
C<nobody>).

=item dns-forw-host = hostname/ip

The DNS server to forward DNS requests to for the DNS tunnel protocol
(default: C<127.0.0.1>, changing it is highly recommended).

=item dns-forw-port = port-number

The port where the C<dns-forw-host> is to be contacted (default: C<53>,
which is fine in most cases).

=item dns-case-preserving = yes|true|on | no|false|off

Sets whether the DNS transport forwarding server preserves case (DNS
servers have to, but some access systems are even more broken than others)
(default: true).

Normally, when the forwarding server changes the case of domain names then
GVPE will automatically set this to false.

=item dns-max-outstanding = integer-number-of-requests

The maximum number of outstanding DNS transport requests
(default: C<100>). GVPE will never issue more requests then the given
limit without receiving replies. In heavily overloaded situations it might
help to set this to a low number (e.g. C<3> or even C<1>) to limit the
number of parallel requests.

The default should be working OK for most links.

=item dns-overlap-factor = float

The DNS transport uses the minimum request latency (B<min_latency>) seen
during a connection as it's timing base. This factor (default: C<0.5>,
must be > 0) is multiplied by B<min_latency> to get the maximum sending
rate (= minimum send interval), i.e. a factor of C<1> means that a new
request might be generated every B<min_latency> seconds, which means on
average there should only ever be one outstanding request.  A factor of
C<0.5> means that GVPE will send requests twice as often as the minimum
latency measured.

For congested or picky DNS forwarders you could use a value nearer to or
exceeding C<1>.

The default should be working OK for most links.

=item dns-send-interval = send-interval-in-seconds

The minimum send interval (= maximum rate) that the DNS transport will
use to send new DNS requests. GVPE will not exceed this rate even when
the latency is very low. The default is C<0.01>, which means GVPE will
not send more than 100 DNS requests per connection per second. For
high-bandwidth links you could go lower, e.g. to C<0.001> or so. For
congested or rate-limited links, you might want to go higher, say C<0.1>,
C<0.2> or even higher.

The default should be working OK for most links.

=item dns-timeout-factor = float

Factor to multiply the C<min_latency> (see C<dns-overlap-factor>) by to
get request timeouts. The default of C<8> means that the DNS transport
will resend the request when no reply has been received for longer than
eight times the minimum (= expected) latency, assuming the request or
reply has been lost.

For congested links a higher value might be necessary (e.g. C<30>). If
the link is very stable lower values (e.g. C<2>) might work
nicely. Values near or below C<1> makes no sense whatsoever.

The default should be working OK for most links but will result in low
throughput if packet loss is high.

=item if-up = relative-or-absolute-path

Sets the path of a script that should be called immediately after the
network interface is initialized (but not necessarily up). The following
environment variables are passed to it (the values are just examples).

Variables that have the same value on all nodes:

=over 4

=item CONFBASE=/etc/gvpe

The configuration base directory.

=item IFNAME=vpn0

The network interface to initialize.

=item IFTYPE=native # or tincd

=item IFSUBTYPE=linux # or freebsd, darwin etc..

The interface type (C<native> or C<tincd>) and the subtype (usually the
OS name in lowercase) that this GVPE was configured for. Can be used to
select the correct syntax to use for network-related commands.

=item MTU=1436

The MTU to set the interface to. You can use lower values (if done
consistently on all nodes), but this is usually either inefficient or
simply ineffective.

=item NODES=5

The number of nodes in this GVPE network.

=back

Variables that are node-specific and with values pertaining to the node
running this GVPE:

=over 4

=item IFUPDATA=string

The value of the configuration directive C<if-up-data>.

=item MAC=fe:fd:80:00:00:01

The MAC address the network interface has to use.

Might be used to initialize interfaces on platforms where GVPE does not
do this automatically.  Please see the C<gvpe.osdep(5)> man page for
platform-specific information.

=item NODENAME=branch1

The nickname of the node.

=item NODEID=1

The numerical node ID of the node running this instance of GVPE. The first
node mentioned in the config file gets ID 1, the second ID 2 and so on.

=back

In addition, all node-specific variables (except C<NODEID>) will be
available with a postfix of C<_nodeid>, which contains the value for that
node, e.g. the C<MAC_1> variable contains the MAC address of node #1, while
the C<NODENAME_22> variable contains the name of node #22.

Here is a simple if-up script:

   #!/bin/sh
   ip link set $IFNAME up
   [ $NODENAME = branch1 ] && ip addr add 10.0.0.1 dev $IFNAME
   [ $NODENAME = branch2 ] && ip addr add 10.1.0.1 dev $IFNAME
   ip route add 10.0.0.0/8 dev $IFNAME

More complicated examples (using routing to reduce ARP traffic) can be
found in the F<etc/> subdirectory of the distribution.

=item ifname = devname

Sets the tun interface name to the given name. The default is OS-specific
and most probably something like C<tun0>.

=item ifpersist = yes|true|on | no|false|off

Should the tun/tap device be made persistent, that is, should the device
stay up even when gvpe exits? Some versions of the tunnel device have
problems sending packets when gvpe is restarted in persistent mode, so
if the connections can be established but you cannot send packets from
the local node, try to set this to C<off> and do an ifconfig down on the
device.

=item ip-proto = numerical-ip-protocol

Sets the protocol number to be used for the rawip protocol. This is a
global option because all nodes must use the same protocol, and since
there are no port numbers, you cannot easily run more than one gvpe
instance using the same protocol, nor can you share the protocol with
other programs.

The default is 47 (GRE), which has a good chance of tunneling
through firewalls (but note that gvpe's rawip protocol is not GRE
compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4
(IPIP tunnels) or 98 (ENCAP, rfc1241).

Many versions of Linux seem to have a bug that causes them to reorder
packets for some ip protocols (GRE, ESP) but not for others (AH), so
choose wisely (that is, use 51, AH).

=item http-proxy-host = hostname/ip

The C<http-proxy-*> family of options are only available if gvpe was
compiled with the C<--enable-http-proxy> option and enable tunneling of
tcp connections through a http proxy server.

C<http-proxy-host> and C<http-proxy-port> should specify the hostname and
port number of the proxy server. See C<http-proxy-loginpw> if your proxy
requires authentication.

Please note that gvpe will still try to resolve all hostnames in the
configuration file, so if you are behind a proxy without access to a DNS
server better use numerical IP addresses.

To make best use of this option disable all protocols except TCP in your
config file and make sure your routers (or all other nodes) are listening
on a port that the proxy allows (443, https, is a common choice).

If you have a router, connecting to it will suffice. Otherwise TCP must be
enabled on all nodes.

Example:

   http-proxy-host = proxy.example.com
   http-proxy-port = 3128       # 8080 is another common choice
   http-proxy-auth = schmorp:grumbeere

=item http-proxy-port = proxy-tcp-port

The port where your proxy server listens.

=item http-proxy-auth = login:password

The optional login and password used to authenticate to the proxy server,
separated by a literal colon (C<:>). Only basic authentication is
currently supported.

=item keepalive = seconds

Sets the keepalive probe interval in seconds (default: C<60>). After this
many seconds of inactivity the daemon will start to send keepalive probe
every 3 seconds until it receives a reply from the other end. If no reply
is received within 15 seconds, the peer is considered unreachable and the
connection is closed.

=item loglevel = noise|trace|debug|info|notice|warn|error|critical

Set the logging level. Connection established messages are logged at level
C<info>, notable errors are logged with C<error>. Default is C<info>.

=item mtu = bytes

Sets the maximum MTU that should be used on outgoing packets (basically
the MTU of the outgoing interface) The daemon will automatically calculate
maximum overhead (e.g. UDP header size, encryption blocksize...) and pass
this information to the C<if-up> script.

Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp).

This value must be the minimum of the MTU values of all nodes.

=item nfmark = integer

This advanced option, when set to a nonzero value (default: C<0>), tries
to set the netfilter mark (or fwmark) value on all sockets gvpe uses to
send packets.

This can be used to make gvpe use a different set of routing rules. For
example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then
put all routing rules into table C<99> and then use an ip rule to make
gvpe traffic avoid that routing table, in effect routing normal traffic
via gvpe and gvpe traffic via the normal system routing tables:

   ip rule add not fwmark 1000 lookup 99

=item node-up = relative-or-absolute-path

Sets a command (default: none) that should be called whenever a connection
is established (even on rekeying operations). Note that node-up/down
scripts will be run asynchronously, but execution is serialised, so there
will only ever be one such script running.

In addition to all the variables passed to C<if-up> scripts, the following
environment variables will be set (values are just examples):

=over 4

=item DESTNODE=branch2

The name of the remote node.

=item DESTID=2

The node id of the remote node.

=item DESTSI=rawip/88.99.77.55:0

The "socket info" of the target node, protocol dependent but usually in
the format protocol/ip:port.

=item DESTIP=188.13.66.8

The numerical IP address of the remote node (gvpe accepts connections from
everywhere, as long as the other node can authenticate itself).

=item DESTPORT=655 # deprecated

The protocol port used by the other side, if applicable.

=item STATE=up

Node-up scripts get called with STATE=up, node-change scripts get called
with STATE=change and node-down scripts get called with STATE=down.

=back

Here is a nontrivial example that uses nsupdate to update the name => ip
mapping in some DNS zone:

   #!/bin/sh
   {
     echo update delete $DESTNODE.lowttl.example.net. a
     echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP
     echo
   } | nsupdate -d -k $CONFBASE:key.example.net.

=item node-change = relative-or-absolute-path

Same as C<node-change>, but gets called whenever something about a
connection changes (such as the source IP address).

=item node-down = relative-or-absolute-path

Same as C<node-up>, but gets called whenever a connection is lost.

=item pid-file = path

The path to the pid file to check and create
(default: C<LOCALSTATEDIR/run/gvpe.pid>). The first C<%s> is replaced by
the nodename - any other use of C<%> must be written as C<%%>.

=item private-key = relative-path-to-key

Sets the path (relative to the config directory) to the private key
(default: C<hostkey>). This is a printf format string so every C<%> must
be doubled. A single C<%s> is replaced by the hostname, so you could use
paths like C<hostkeys/%s> to be able to share the same config directory
between nodes.

Since only the private key file of the current node is used and the
private key file should be kept secret per-node to avoid spoofing, it is
not recommended to use this feature this way though.

=item rekey = seconds

Sets the rekeying interval in seconds (default: C<3607>). Connections are
reestablished every C<rekey> seconds, making them use a new encryption
key.

=item seed-device = path

The random device used to initially and regularly seed the random
number generator (default: F</dev/urandom>). Randomness is of paramount
importance to the security of the algorithms used in gvpe.

On program start and every seed-interval, gvpe will read 64 octets.

Setting this path to the empty string will disable this functionality
completely (the underlying crypto library will likely look for entropy
sources on it's own though, so not all is lost).

=item seed-interval = seconds

The number of seconds between reseeds of the random number generator
(default: C<3613>). A value of C<0> disables this regular reseeding.

=item serial = string

The configuration serial number. This can be any string up to 16 bytes
length. Only when the serial matches on both sides of a connection will
the connection succeed. This is I<not> a security mechanism and eay to
spoof, this mechanism exists to alert users that their config is outdated.

It's recommended to specify this is a date string such as C<2013-05-05> or
C<20121205084417>.

The exact algorithm is as this: if a connection request is received form a
node with an identical serial, then it succeeds normally.

If the remote serial is lower than the local serial, it is ignored.

If the remote serial is higher than the local serial, a warning message is
logged.

=back

=head2 NODE SPECIFIC SETTINGS

The following settings are node-specific, that is, every node can have
different settings, even within the same gvpe instance. Settings that are
set before the first node section set the defaults, settings that are
set within a node section only apply to the given node.

=over 4

=item allow-direct = nodename

Allow direct connections to this node. See C<deny-direct> for more info.

=item compress = yes|true|on | no|false|off

For the current node, this specified whether it will accept compressed
packets, and for all other nodes, this specifies whether to try to
compress data packets sent to this node (default: C<yes>). Compression is
really cheap even on slow computers, has no size overhead at all and will
only be used when the other side supports compression, so enabling this is
often a good idea.

=item connect = ondemand | never | always | disabled

Sets the connect mode (default: C<always>). It can be C<always> (always
try to establish and keep a connection to the given node), C<never>
(never initiate a connection to the given host, but accept connections),
C<ondemand> (try to establish a connection when there are outstanding
packets in the queue and take it down after the keepalive interval) or
C<disabled> (node is bad, don't talk to it).

Routers will automatically be forced to C<always> unless they are
C<disabled>, to ensure all nodes can talk to each other.

=item deny-direct = nodename | *

Deny direct connections to the specified node (or all nodes when C<*>
is given). Only one node can be specified, but you can use multiple
C<allow-direct> and C<deny-direct> statements. This only makes sense in
networks with routers, as routers are required for indirect connections.

Sometimes, a node cannot reach some other nodes for reasons of network
connectivity. For example, a node behind a firewall that only allows
connections to/from a single other node in the network. In this case one
should specify C<deny-direct = *> and C<allow-direct = othernodename> (the other
node I<must> be a router for this to work).

The algorithm to check whether a connection may be direct is as follows:

1. Other node mentioned in an C<allow-direct>? If yes, allow the connection.

2. Other node mentioned in a C<deny-direct>? If yes, deny direct connections.

3. Allow the connection.

That is, C<allow-direct> takes precedence over C<deny-direct>.

The check is done in both directions, i.e. both nodes must allow a direct
connection before one is attempted, so you only need to specify connect
limitations on one node.

=item dns-domain = domain-suffix

The DNS domain suffix that points to the DNS tunnel server for this node.

The domain must point to a NS record that points to the I<dns-hostname>,
i.e.

   dns-domainname = tunnel.example.net
   dns-hostname   = tunnel-server.example.net

Corresponds to the following DNS entries in the C<example.net> domain:

   tunnel.example.net.         NS tunnel-server.example.net.
   tunnel-server.example.net.  A  13.13.13.13

=item dns-hostname = hostname/ip

The address to bind the DNS tunnel socket to, similar to the C<hostname>,
but for the DNS tunnel protocol only. Default: C<0.0.0.0>, but that might
change.

=item dns-port = port-number

The port to bind the DNS tunnel socket to. Must be C<53> on DNS tunnel servers.

=item enable-dns = yes|true|on | no|false|off

See gvpe.protocol(7) for a description of the DNS transport
protocol. Avoid this protocol if you can.

Enable the DNS tunneling protocol on this node, either as server or as
client. Support for this transport protocol is only available when gvpe
was compiled using the C<--enable-dns> option.

=item enable-icmp = yes|true|on | no|false|off

See gvpe.protocol(7) for a description of the ICMP transport protocol.

Enable the ICMP transport using ICMP packets of type C<icmp-type> on this
node.

=item enable-rawip = yes|true|on | no|false|off

See gvpe.protocol(7) for a description of the RAW IP transport protocol.

Enable the RAW IPv4 transport using the C<ip-proto> protocol
(default: C<no>).

=item enable-tcp = yes|true|on | no|false|off

See gvpe.protocol(7) for a description of the TCP transport protocol.

Enable the TCPv4 transport using the C<tcp-port> port
(default: C<no>). Support for this transport protocol is only available
when gvpe was compiled using the C<--enable-tcp> option.

=item enable-udp = yes|true|on | no|false|off

See gvpe.protocol(7) for a description of the UDP transport protocol.

Enable the UDPv4 transport using the C<udp-port> port (default: C<no>).

=item hostname = hostname | ip    [can not be defaulted]

Forces the address of this node to be set to the given DNS hostname or IP
address. It will be resolved before each connect request, so dyndns should
work fine. If this setting is not specified and a router is available,
then the router will be queried for the address of this node. Otherwise,
the connection attempt will fail.

Note that DNS resolving is done synchronously, pausing the daemon. If that
is an issue you need to specify IP addresses.

=item icmp-type = integer

Sets the type value to be used for outgoing (and incoming) packets sent
via the ICMP transport.

The default is C<0> (which is C<echo-reply>, also known as
"ping-reply"). Other useful values include C<8> (C<echo-request>, a.k.a.
"ping") and C<11> (C<time-exceeded>), but any 8-bit value can be used.

=item if-up-data = value

The value specified using this directive will be passed to the C<if-up>
script in the environment variable C<IFUPDATA>.

=item inherit-tos = yes|true|on | no|false|off

Whether to inherit the TOS settings of packets sent to the tunnel when
sending packets to this node (default: C<yes>). If set to C<yes> then
outgoing tunnel packets will have the same TOS setting as the packets sent
to the tunnel device, which is usually what you want.

=item low-power = yes|true|on | no|false|off

If true, designates a node as a low-power node. Low-power nodes use
larger timeouts and try to reduce cpu time. Other nodes talking to a
low-power node will also use larger timeouts, and will use less aggressive
optimisations, in the hope of reducing load. Security is not compromised.

The typical low-power node would be a mobile phone, where wakeups and
encryption can significantly increase power drain.

=item max-retry = positive-number

The maximum interval in seconds (default: C<3600>, one hour) between
retries to establish a connection to this node. When a connection cannot
be established, gvpe uses exponential back-off capped at this value. It's
sometimes useful to set this to a much lower value (e.g. C<120>) on
connections to routers that usually are stable but sometimes are down, to
assure quick reconnections even after longer downtimes.

=item max-ttl = seconds

Expire packets that couldn't be sent after this many seconds
(default: C<60>). Gvpe will normally queue packets for a node without an
active connection, in the hope of establishing a connection soon. This
value specifies the maximum lifetime a packet will stay in the queue, if a
packet gets older, it will be thrown away.

=item max-queue = positive-number>=1

The maximum number of packets that will be queued (default: C<512>)
for this node. If more packets are sent then earlier packets will be
expired. See C<max-ttl>, above.

=item router-priority = 0 | 1 | positive-number>=2

Sets the router priority of the given node (default: C<0>, disabled).

If some node tries to connect to another node but it doesn't have a
hostname, it asks a router node for it's IP address. The router node
chosen is the one with the highest priority larger than C<1> that is
currently reachable. This is called a I<mediated> connection, as the
connection itself will still be direct, but it uses another node to
mediate between the two nodes.

The value C<0> disables routing, that means if the node receives a packet
not for itself it will not forward it but instead drop it.

The special value C<1> allows other hosts to route through the router
host, but they will never route through it by default (i.e. the config
file of another node needs to specify a router priority higher than one
to choose such a node for routing).

The idea behind this is that some hosts can, if required, bump the
C<router-priority> setting to higher than C<1> in their local config to
route through specific hosts. If C<router-priority> is C<0>, then routing
will be refused, so C<1> serves as a "enable, but do not use by default"
switch.

Nodes with C<router-priority> set to C<2> or higher will always be forced
to C<connect> = C<always> (unless they are C<disabled>).

=item tcp-port = port-number

Similar to C<udp-port> (default: C<655>), but sets the TCP port number.

=item udp-port = port-number

Sets the port number used by the UDP protocol (default: C<655>, not
officially assigned by IANA!).

=back

=head1 CONFIG DIRECTORY LAYOUT

The default (or recommended) directory layout for the config directory is:

=over 4

=item gvpe.conf

The config file.

=item if-up

The if-up script

=item node-up, node-down

If used the node up or node-down scripts.

=item hostkey

The (default path of the) private key of the current host.

=item pubkey/nodename

The public keys of the other nodes, one file per node.

=back

=head1 SEE ALSO

gvpe(5), gvpe(8), gvpectrl(8).

=head1 AUTHOR

Marc Lehmann <gvpe@schmorp.de>

Revision:	1.38
Committed:	Sat Nov 12 21:45:49 2016 UTC (9 years, 3 months ago) by root
Branch:	MAIN
CVS Tags:	HEAD
Changes since 1.37:	+1 -1 lines
Log Message:	* empty log message *