| … | |
… | |
| 31 | values, but not within the variable names or values themselves. |
31 | values, but not within the variable names or values themselves. |
| 32 | |
32 | |
| 33 | All settings are applied "in order", that is, later settings of the same |
33 | All settings are applied "in order", that is, later settings of the same |
| 34 | variable overwrite earlier ones. |
34 | variable overwrite earlier ones. |
| 35 | |
35 | |
| 36 | The only exceptions to the above are the "on" and "include" directives: |
36 | The only exceptions to the above are the following directives: |
| 37 | |
37 | |
| 38 | =over 4 |
38 | =over 4 |
|
|
39 | |
|
|
40 | =item node nodename |
|
|
41 | |
|
|
42 | Introduces a node section. The nodename is used to select the right |
|
|
43 | configuration section and is the same string as is passed as an argument |
|
|
44 | to the gvpe daemon. |
|
|
45 | |
|
|
46 | Multiple C<node> statements with the same node name are supported and will |
|
|
47 | be merged together. |
|
|
48 | |
|
|
49 | =item global |
|
|
50 | |
|
|
51 | This statement switches back to the global section, which is mainly |
|
|
52 | useful if you want to include a second config file, e..g for local |
|
|
53 | customisations. To do that, simply include this at the very end of your |
|
|
54 | config file: |
|
|
55 | |
|
|
56 | global |
|
|
57 | include local.conf |
| 39 | |
58 | |
| 40 | =item on nodename ... |
59 | =item on nodename ... |
| 41 | |
60 | |
| 42 | =item on !nodename ... |
61 | =item on !nodename ... |
| 43 | |
62 | |
| … | |
… | |
| 384 | gvpe traffic avoid that routing table, in effect routing normal traffic |
403 | gvpe traffic avoid that routing table, in effect routing normal traffic |
| 385 | via gvpe and gvpe traffic via the normal system routing tables: |
404 | via gvpe and gvpe traffic via the normal system routing tables: |
| 386 | |
405 | |
| 387 | ip rule add not fwmark 1000 lookup 99 |
406 | ip rule add not fwmark 1000 lookup 99 |
| 388 | |
407 | |
| 389 | =item node = nickname |
|
|
| 390 | |
|
|
| 391 | Not really a config setting but introduces a node section. The nickname is |
|
|
| 392 | used to select the right configuration section and must be passed as an |
|
|
| 393 | argument to the gvpe daemon. |
|
|
| 394 | |
|
|
| 395 | =item node-up = relative-or-absolute-path |
408 | =item node-up = relative-or-absolute-path |
| 396 | |
409 | |
| 397 | Sets a command (default: none) that should be called whenever a connection |
410 | Sets a command (default: none) that should be called whenever a connection |
| 398 | is established (even on rekeying operations). Note that node-up/down |
411 | is established (even on rekeying operations). Note that node-up/down |
| 399 | scripts will be run asynchronously, but execution is serialised, so there |
412 | scripts will be run asynchronously, but execution is serialised, so there |
| … | |
… | |
| 453 | Same as C<node-up>, but gets called whenever a connection is lost. |
466 | Same as C<node-up>, but gets called whenever a connection is lost. |
| 454 | |
467 | |
| 455 | =item pid-file = path |
468 | =item pid-file = path |
| 456 | |
469 | |
| 457 | The path to the pid file to check and create |
470 | The path to the pid file to check and create |
| 458 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). |
471 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). The first C<%s> is replaced by |
|
|
472 | the nodename - any other use of C<%> must be written as C<%%>. |
| 459 | |
473 | |
| 460 | =item private-key = relative-path-to-key |
474 | =item private-key = relative-path-to-key |
| 461 | |
475 | |
| 462 | Sets the path (relative to the config directory) to the private key |
476 | Sets the path (relative to the config directory) to the private key |
| 463 | (default: C<hostkey>). This is a printf format string so every C<%> must |
477 | (default: C<hostkey>). This is a printf format string so every C<%> must |
| 464 | be doubled. A single C<%s> is replaced by the hostname, so you could |
478 | be doubled. A single C<%s> is replaced by the hostname, so you could use |
| 465 | use paths like C<hostkeys/%s> to fetch the files at the location where |
479 | paths like C<hostkeys/%s> to be able to share the same config directory |
| 466 | C<gvpectrl> puts them. |
480 | between nodes. |
| 467 | |
481 | |
| 468 | Since only the private key file of the current node is used and the |
482 | Since only the private key file of the current node is used and the |
| 469 | private key file should be kept secret per-node to avoid spoofing, it is |
483 | private key file should be kept secret per-node to avoid spoofing, it is |
| 470 | not recommended to use this feature. |
484 | not recommended to use this feature this way though. |
| 471 | |
485 | |
| 472 | =item rekey = seconds |
486 | =item rekey = seconds |
| 473 | |
487 | |
| 474 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
488 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
| 475 | reestablished every C<rekey> seconds, making them use a new encryption |
489 | reestablished every C<rekey> seconds, making them use a new encryption |
| … | |
… | |
| 489 | |
503 | |
| 490 | =item seed-interval = seconds |
504 | =item seed-interval = seconds |
| 491 | |
505 | |
| 492 | The number of seconds between reseeds of the random number generator |
506 | The number of seconds between reseeds of the random number generator |
| 493 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
507 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
|
|
508 | |
|
|
509 | =item serial = string |
|
|
510 | |
|
|
511 | The configuration serial number. This can be any string up to 16 bytes |
|
|
512 | length. Only when the serial matches on both sides of a connection will |
|
|
513 | the connection succeed. This is I<not> a security mechanism and eay to |
|
|
514 | spoof, this mechanism exists to alert users that their config is outdated. |
|
|
515 | |
|
|
516 | It's recommended to specify this is a date string such as C<2013-05-05> or |
|
|
517 | C<20121205084417>. |
|
|
518 | |
|
|
519 | The exact algorithm is as this: if a connection request is received form a |
|
|
520 | node with an identical serial, then it succeeds normally. |
|
|
521 | |
|
|
522 | If the remote serial is lower than the local serial, it is ignored. |
|
|
523 | |
|
|
524 | If the remote serial is higher than the local serial, a warning message is |
|
|
525 | logged. |
| 494 | |
526 | |
| 495 | =back |
527 | =back |
| 496 | |
528 | |
| 497 | =head2 NODE SPECIFIC SETTINGS |
529 | =head2 NODE SPECIFIC SETTINGS |
| 498 | |
530 | |
| … | |
… | |
| 647 | Whether to inherit the TOS settings of packets sent to the tunnel when |
679 | Whether to inherit the TOS settings of packets sent to the tunnel when |
| 648 | sending packets to this node (default: C<yes>). If set to C<yes> then |
680 | sending packets to this node (default: C<yes>). If set to C<yes> then |
| 649 | outgoing tunnel packets will have the same TOS setting as the packets sent |
681 | outgoing tunnel packets will have the same TOS setting as the packets sent |
| 650 | to the tunnel device, which is usually what you want. |
682 | to the tunnel device, which is usually what you want. |
| 651 | |
683 | |
|
|
684 | =item low-power = yes|true|on | no|false|off |
|
|
685 | |
|
|
686 | If true, designates a node as a low-power node. Low-power nodes use |
|
|
687 | larger timeouts and try to reduce cpu time. Other nodes talking to a |
|
|
688 | low-power node will also use larger timeouts, and will use less aggressive |
|
|
689 | optimisations, in the hope of reducing load. Security is not compromised. |
|
|
690 | |
|
|
691 | The typical low-power node would be a mobile phone, where wakeups and |
|
|
692 | encryption can significantly increase power drain. |
|
|
693 | |
| 652 | =item max-retry = positive-number |
694 | =item max-retry = positive-number |
| 653 | |
695 | |
| 654 | The maximum interval in seconds (default: C<3600>, one hour) between |
696 | The maximum interval in seconds (default: C<3600>, one hour) between |
| 655 | retries to establish a connection to this node. When a connection cannot |
697 | retries to establish a connection to this node. When a connection cannot |
| 656 | be established, gvpe uses exponential back-off capped at this value. It's |
698 | be established, gvpe uses exponential back-off capped at this value. It's |
| … | |
… | |
| 729 | |
771 | |
| 730 | If used the node up or node-down scripts. |
772 | If used the node up or node-down scripts. |
| 731 | |
773 | |
| 732 | =item hostkey |
774 | =item hostkey |
| 733 | |
775 | |
| 734 | The private key (taken from C<hostkeys/nodename>) of the current host. |
776 | The (default path of the) private key of the current host. |
| 735 | |
777 | |
| 736 | =item pubkey/nodename |
778 | =item pubkey/nodename |
| 737 | |
779 | |
| 738 | The public keys of the other nodes, one file per node. |
780 | The public keys of the other nodes, one file per node. |
| 739 | |
781 | |
