… | |
… | |
370 | |
370 | |
371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
372 | |
372 | |
373 | This value must be the minimum of the MTU values of all nodes. |
373 | This value must be the minimum of the MTU values of all nodes. |
374 | |
374 | |
|
|
375 | =item nfmark = integer |
|
|
376 | |
|
|
377 | This advanced option, when set to a nonzero value (default: C<0>), tries |
|
|
378 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
|
|
379 | send packets. |
|
|
380 | |
|
|
381 | This can be used to make gvpe use a different set of routing rules. For |
|
|
382 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
383 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
384 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
385 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
386 | |
|
|
387 | ip rule add not fwmark 1000 lookup 99 |
|
|
388 | |
375 | =item node = nickname |
389 | =item node = nickname |
376 | |
390 | |
377 | Not really a config setting but introduces a node section. The nickname is |
391 | Not really a config setting but introduces a node section. The nickname is |
378 | used to select the right configuration section and must be passed as an |
392 | used to select the right configuration section and must be passed as an |
379 | argument to the gvpe daemon. |
393 | argument to the gvpe daemon. |
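Review bot: the new C<nfmark> text (new lines 377-379) says gvpe "tries" to set the mark but not what happens when it cannot; with the suggested C<ip rule add not fwmark 1000 lookup 99>, an unmarked gvpe socket would itself be routed through table 99, i.e. into the tunnel, so please state whether a failed mark is fatal, logged, or silently ignored (the socket option needs elevated privileges on Linux, so this is a realistic failure). Also, new line 382 reads as if the C<if-up> script "could set C<nfmark> to 1000"; C<nfmark> is set here in the config file, while C<if-up> creates table C<99> and the ip rule, so something like "with C<nfmark> set to 1000, the C<if-up> script could put all routing rules into table C<99> ..." would be clearer.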
… | |
… | |
455 | private key file should be kept secret per-node to avoid spoofing, it is |
469 | private key file should be kept secret per-node to avoid spoofing, it is |
456 | not recommended to use this feature. |
470 | not recommended to use this feature. |
457 | |
471 | |
458 | =item rekey = seconds |
472 | =item rekey = seconds |
459 | |
473 | |
460 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
474 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
461 | reestablished every C<rekey> seconds, making them use a new encryption |
475 | reestablished every C<rekey> seconds, making them use a new encryption |
462 | key. |
476 | key. |
463 | |
477 | |
464 | =item nfmark = integer |
478 | =item seed-device = path |
465 | |
479 | |
466 | This advanced option, when set to a nonzero value (default: C<0>), tries |
480 | The random device used to initially and regularly seed the random |
467 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
481 | number generator (default: F</dev/urandom>). Randomness is of paramount |
468 | send packets. |
482 | importance to the security of the algorithms used in gvpe. |
469 | |
483 | |
470 | This can be used to make gvpe use a different set of routing rules. For |
484 | On program start and every seed-interval, gvpe will read 64 octets. |
471 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
472 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
473 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
474 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
475 | |
485 | |
476 | ip rule add not fwmark 1000 lookup 99 |
486 | Setting this path to the empty string will disable this functionality |
|
|
487 | completely (the underlying crypto library will likely look for entropy |
|
|
488 | sources on it's own though, so not all is lost). |
|
|
489 | |
|
|
490 | =item seed-interval = seconds |
|
|
491 | |
|
|
492 | The number of seconds between reseeds of the random number generator |
|
|
493 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
477 | |
494 | |
478 | =back |
495 | =back |
479 | |
496 | |
480 | =head2 NODE SPECIFIC SETTINGS |
497 | =head2 NODE SPECIFIC SETTINGS |
481 | |
498 | |
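Review bot: new lines 486-488 hedge with "will likely look for entropy sources on it's own though, so not all is lost", which is too vague for the option this section calls "of paramount importance to the security of the algorithms"; either state definitely what the crypto library does when C<seed-device> is empty, or simply warn that disabling it is not recommended. Same lines: "it's own" should be "its own". The C<rekey> default change from C<3600> to C<3607> on new line 474, together with the C<3613> default for C<seed-interval> on new line 493, is unexplained; a short note that the odd (prime) values are intended to keep the two timers from coinciding with each other and with other hourly jobs would stop readers from "correcting" them back to 3600.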