| … | |
… | |
| 31 | values, but not within the variable names or values themselves. |
31 | values, but not within the variable names or values themselves. |
| 32 | |
32 | |
| 33 | All settings are applied "in order", that is, later settings of the same |
33 | All settings are applied "in order", that is, later settings of the same |
| 34 | variable overwrite earlier ones. |
34 | variable overwrite earlier ones. |
| 35 | |
35 | |
| 36 | The only exceptions to the above are the "on" and "include" directives: |
36 | The only exceptions to the above are the following directives: |
| 37 | |
37 | |
| 38 | =over 4 |
38 | =over 4 |
|
|
39 | |
|
|
40 | =item node nodename |
|
|
41 | |
|
|
42 | Introduces a node section. The nodename is used to select the right |
|
|
43 | configuration section and is the same string as is passed as an argument |
|
|
44 | to the gvpe daemon. |
|
|
45 | |
|
|
46 | Multiple C<node> statements with the same node name are supported and will |
|
|
47 | be merged together. |
|
|
48 | |
|
|
49 | =item global |
|
|
50 | |
|
|
51 | This statement switches back to the global section, which is mainly |
|
|
52 | useful if you want to include a second config file, e..g for local |
|
|
53 | customisations. To do that, simply include this at the very end of your |
|
|
54 | config file: |
|
|
55 | |
|
|
56 | global |
|
|
57 | include local.conf |
| 39 | |
58 | |
| 40 | =item on nodename ... |
59 | =item on nodename ... |
| 41 | |
60 | |
| 42 | =item on !nodename ... |
61 | =item on !nodename ... |
| 43 | |
62 | |
| … | |
… | |
| 370 | |
389 | |
| 371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
390 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
| 372 | |
391 | |
| 373 | This value must be the minimum of the MTU values of all nodes. |
392 | This value must be the minimum of the MTU values of all nodes. |
| 374 | |
393 | |
| 375 | =item node = nickname |
394 | =item nfmark = integer |
| 376 | |
395 | |
| 377 | Not really a config setting but introduces a node section. The nickname is |
396 | This advanced option, when set to a nonzero value (default: C<0>), tries |
| 378 | used to select the right configuration section and must be passed as an |
397 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
| 379 | argument to the gvpe daemon. |
398 | send packets. |
|
|
399 | |
|
|
400 | This can be used to make gvpe use a different set of routing rules. For |
|
|
401 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
402 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
403 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
404 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
405 | |
|
|
406 | ip rule add not fwmark 1000 lookup 99 |
| 380 | |
407 | |
| 381 | =item node-up = relative-or-absolute-path |
408 | =item node-up = relative-or-absolute-path |
| 382 | |
409 | |
| 383 | Sets a command (default: none) that should be called whenever a connection |
410 | Sets a command (default: none) that should be called whenever a connection |
| 384 | is established (even on rekeying operations). Note that node-up/down |
411 | is established (even on rekeying operations). Note that node-up/down |
| … | |
… | |
| 439 | Same as C<node-up>, but gets called whenever a connection is lost. |
466 | Same as C<node-up>, but gets called whenever a connection is lost. |
| 440 | |
467 | |
| 441 | =item pid-file = path |
468 | =item pid-file = path |
| 442 | |
469 | |
| 443 | The path to the pid file to check and create |
470 | The path to the pid file to check and create |
| 444 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). |
471 | (default: C<LOCALSTATEDIR/run/gvpe.pid>). The first C<%s> is replaced by |
|
|
472 | the nodename - any other use of C<%> must be written as C<%%>. |
| 445 | |
473 | |
| 446 | =item private-key = relative-path-to-key |
474 | =item private-key = relative-path-to-key |
| 447 | |
475 | |
| 448 | Sets the path (relative to the config directory) to the private key |
476 | Sets the path (relative to the config directory) to the private key |
| 449 | (default: C<hostkey>). This is a printf format string so every C<%> must |
477 | (default: C<hostkey>). This is a printf format string so every C<%> must |
| … | |
… | |
| 455 | private key file should be kept secret per-node to avoid spoofing, it is |
483 | private key file should be kept secret per-node to avoid spoofing, it is |
| 456 | not recommended to use this feature. |
484 | not recommended to use this feature. |
| 457 | |
485 | |
| 458 | =item rekey = seconds |
486 | =item rekey = seconds |
| 459 | |
487 | |
| 460 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
488 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
| 461 | reestablished every C<rekey> seconds, making them use a new encryption |
489 | reestablished every C<rekey> seconds, making them use a new encryption |
| 462 | key. |
490 | key. |
| 463 | |
491 | |
| 464 | =item nfmark = integer |
492 | =item seed-device = path |
| 465 | |
493 | |
| 466 | This advanced option, when set to a nonzero value (default: C<0>), tries |
494 | The random device used to initially and regularly seed the random |
| 467 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
495 | number generator (default: F</dev/urandom>). Randomness is of paramount |
| 468 | send packets. |
496 | importance to the security of the algorithms used in gvpe. |
| 469 | |
497 | |
| 470 | This can be used to make gvpe use a different set of routing rules. For |
498 | On program start and every seed-interval, gvpe will read 64 octets. |
| 471 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
| 472 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
| 473 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
| 474 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
| 475 | |
499 | |
| 476 | ip rule add not fwmark 1000 lookup 99 |
500 | Setting this path to the empty string will disable this functionality |
|
|
501 | completely (the underlying crypto library will likely look for entropy |
|
|
502 | sources on it's own though, so not all is lost). |
|
|
503 | |
|
|
504 | =item seed-interval = seconds |
|
|
505 | |
|
|
506 | The number of seconds between reseeds of the random number generator |
|
|
507 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
| 477 | |
508 | |
| 478 | =back |
509 | =back |
| 479 | |
510 | |
| 480 | =head2 NODE SPECIFIC SETTINGS |
511 | =head2 NODE SPECIFIC SETTINGS |
| 481 | |
512 | |
| … | |
… | |
| 712 | |
743 | |
| 713 | If used the node up or node-down scripts. |
744 | If used the node up or node-down scripts. |
| 714 | |
745 | |
| 715 | =item hostkey |
746 | =item hostkey |
| 716 | |
747 | |
| 717 | The private key (taken from C<hostkeys/nodename>) of the current host. |
748 | The (default path of the) private key of the current host. |
| 718 | |
749 | |
| 719 | =item pubkey/nodename |
750 | =item pubkey/nodename |
| 720 | |
751 | |
| 721 | The public keys of the other nodes, one file per node. |
752 | The public keys of the other nodes, one file per node. |
| 722 | |
753 | |
