… | |
… | |
31 | values, but not within the variable names or values themselves. |
31 | values, but not within the variable names or values themselves. |
32 | |
32 | |
33 | All settings are applied "in order", that is, later settings of the same |
33 | All settings are applied "in order", that is, later settings of the same |
34 | variable overwrite earlier ones. |
34 | variable overwrite earlier ones. |
35 | |
35 | |
36 | The only exceptions to the above are the "on" and "include" directives: |
36 | The only exceptions to the above are the following directives: |
37 | |
37 | |
38 | =over 4 |
38 | =over 4 |
|
|
39 | |
|
|
40 | =item node nodename |
|
|
41 | |
|
|
42 | Introduces a node section. The nodename is used to select the right |
|
|
43 | configuration section and is the same string as is passed as an argument |
|
|
44 | to the gvpe daemon. |
|
|
45 | |
|
|
46 | Multiple C<node> statements with the same node name are supported and will |
|
|
47 | be merged together. |
|
|
48 | |
|
|
49 | =item global |
|
|
50 | |
|
|
51 | This statement switches back to the global section, which is mainly |
|
|
52 | useful if you want to include a second config file, e..g for local |
|
|
53 | customisations. To do that, simply include this at the very end of your |
|
|
54 | config file: |
|
|
55 | |
|
|
56 | global |
|
|
57 | include local.conf |
39 | |
58 | |
40 | =item on nodename ... |
59 | =item on nodename ... |
41 | |
60 | |
42 | =item on !nodename ... |
61 | =item on !nodename ... |
43 | |
62 | |
… | |
… | |
384 | gvpe traffic avoid that routing table, in effect routing normal traffic |
403 | gvpe traffic avoid that routing table, in effect routing normal traffic |
385 | via gvpe and gvpe traffic via the normal system routing tables: |
404 | via gvpe and gvpe traffic via the normal system routing tables: |
386 | |
405 | |
387 | ip rule add not fwmark 1000 lookup 99 |
406 | ip rule add not fwmark 1000 lookup 99 |
388 | |
407 | |
389 | =item node = nickname |
|
|
390 | |
|
|
391 | Not really a config setting but introduces a node section. The nickname is |
|
|
392 | used to select the right configuration section and must be passed as an |
|
|
393 | argument to the gvpe daemon. |
|
|
394 | |
|
|
395 | =item node-up = relative-or-absolute-path |
408 | =item node-up = relative-or-absolute-path |
396 | |
409 | |
397 | Sets a command (default: none) that should be called whenever a connection |
410 | Sets a command (default: none) that should be called whenever a connection |
398 | is established (even on rekeying operations). Note that node-up/down |
411 | is established (even on rekeying operations). Note that node-up/down |
399 | scripts will be run asynchronously, but execution is serialised, so there |
412 | scripts will be run asynchronously, but execution is serialised, so there |
… | |
… | |
453 | Same as C<node-up>, but gets called whenever a connection is lost. |
466 | Same as C<node-up>, but gets called whenever a connection is lost. |
454 | |
467 | |
455 | =item pid-file = path |
468 | =item pid-file = path |
456 | |
469 | |
457 | The path to the pid file to check and create |
470 | The path to the pid file to check and create |
458 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). |
471 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). The first C<%s> is replaced by |
|
|
472 | the nodename - any other use of C<%> must be written as C<%%>. |
459 | |
473 | |
460 | =item private-key = relative-path-to-key |
474 | =item private-key = relative-path-to-key |
461 | |
475 | |
462 | Sets the path (relative to the config directory) to the private key |
476 | Sets the path (relative to the config directory) to the private key |
463 | (default: C<hostkey>). This is a printf format string so every C<%> must |
477 | (default: C<hostkey>). This is a printf format string so every C<%> must |
464 | be doubled. A single C<%s> is replaced by the hostname, so you could |
478 | be doubled. A single C<%s> is replaced by the hostname, so you could use |
465 | use paths like C<hostkeys/%s> to fetch the files at the location where |
479 | paths like C<hostkeys/%s> to be able to share the same config directory |
466 | C<gvpectrl> puts them. |
480 | between nodes. |
467 | |
481 | |
468 | Since only the private key file of the current node is used and the |
482 | Since only the private key file of the current node is used and the |
469 | private key file should be kept secret per-node to avoid spoofing, it is |
483 | private key file should be kept secret per-node to avoid spoofing, it is |
470 | not recommended to use this feature. |
484 | not recommended to use this feature this way though. |
471 | |
485 | |
472 | =item rekey = seconds |
486 | =item rekey = seconds |
473 | |
487 | |
474 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
488 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
475 | reestablished every C<rekey> seconds, making them use a new encryption |
489 | reestablished every C<rekey> seconds, making them use a new encryption |
… | |
… | |
489 | |
503 | |
490 | =item seed-interval = seconds |
504 | =item seed-interval = seconds |
491 | |
505 | |
492 | The number of seconds between reseeds of the random number generator |
506 | The number of seconds between reseeds of the random number generator |
493 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
507 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
|
|
508 | |
|
|
509 | =item serial = string |
|
|
510 | |
|
|
511 | The configuration serial number. This can be any string up to 16 bytes |
|
|
512 | length. Only when the serial matches on both sides of a connection will |
|
|
513 | the connection succeed. This is I<not> a security mechanism and eay to |
|
|
514 | spoof, this mechanism exists to alert users that their config is outdated. |
|
|
515 | |
|
|
516 | It's recommended to specify this is a date string such as C<2013-05-05> or |
|
|
517 | C<20121205084417>. |
|
|
518 | |
|
|
519 | The exact algorithm is as this: if a connection request is received form a |
|
|
520 | node with an identical serial, then it succeeds normally. |
|
|
521 | |
|
|
522 | If the remote serial is lower than the local serial, it is ignored. |
|
|
523 | |
|
|
524 | If the remote serial is higher than the local serial, a warning message is |
|
|
525 | logged. |
494 | |
526 | |
495 | =back |
527 | =back |
496 | |
528 | |
497 | =head2 NODE SPECIFIC SETTINGS |
529 | =head2 NODE SPECIFIC SETTINGS |
498 | |
530 | |
… | |
… | |
647 | Whether to inherit the TOS settings of packets sent to the tunnel when |
679 | Whether to inherit the TOS settings of packets sent to the tunnel when |
648 | sending packets to this node (default: C<yes>). If set to C<yes> then |
680 | sending packets to this node (default: C<yes>). If set to C<yes> then |
649 | outgoing tunnel packets will have the same TOS setting as the packets sent |
681 | outgoing tunnel packets will have the same TOS setting as the packets sent |
650 | to the tunnel device, which is usually what you want. |
682 | to the tunnel device, which is usually what you want. |
651 | |
683 | |
|
|
684 | =item low-power = yes|true|on | no|false|off |
|
|
685 | |
|
|
686 | If true, designates a node as a low-power node. Low-power nodes use |
|
|
687 | larger timeouts and try to reduce cpu time. Other nodes talking to a |
|
|
688 | low-power node will also use larger timeouts, and will use less aggressive |
|
|
689 | optimisations, in the hope of reducing load. Security is not compromised. |
|
|
690 | |
|
|
691 | The typical low-power node would be a mobile phone, where wakeups and |
|
|
692 | encryption can significantly increase power drain. |
|
|
693 | |
652 | =item max-retry = positive-number |
694 | =item max-retry = positive-number |
653 | |
695 | |
654 | The maximum interval in seconds (default: C<3600>, one hour) between |
696 | The maximum interval in seconds (default: C<3600>, one hour) between |
655 | retries to establish a connection to this node. When a connection cannot |
697 | retries to establish a connection to this node. When a connection cannot |
656 | be established, gvpe uses exponential back-off capped at this value. It's |
698 | be established, gvpe uses exponential back-off capped at this value. It's |
… | |
… | |
729 | |
771 | |
730 | If used the node up or node-down scripts. |
772 | If used the node up or node-down scripts. |
731 | |
773 | |
732 | =item hostkey |
774 | =item hostkey |
733 | |
775 | |
734 | The private key (taken from C<hostkeys/nodename>) of the current host. |
776 | The (default path of the) private key of the current host. |
735 | |
777 | |
736 | =item pubkey/nodename |
778 | =item pubkey/nodename |
737 | |
779 | |
738 | The public keys of the other nodes, one file per node. |
780 | The public keys of the other nodes, one file per node. |
739 | |
781 | |