… | |
… | |
473 | |
473 | |
474 | =item private-key = relative-path-to-key |
474 | =item private-key = relative-path-to-key |
475 | |
475 | |
476 | Sets the path (relative to the config directory) to the private key |
476 | Sets the path (relative to the config directory) to the private key |
477 | (default: C<hostkey>). This is a printf format string so every C<%> must |
477 | (default: C<hostkey>). This is a printf format string so every C<%> must |
478 | be doubled. A single C<%s> is replaced by the hostname, so you could |
478 | be doubled. A single C<%s> is replaced by the hostname, so you could use |
479 | use paths like C<hostkeys/%s> to fetch the files at the location where |
479 | paths like C<hostkeys/%s> to be able to share the same config directory |
480 | C<gvpectrl> puts them. |
480 | between nodes. |
481 | |
481 | |
482 | Since only the private key file of the current node is used and the |
482 | Since only the private key file of the current node is used and the |
483 | private key file should be kept secret per-node to avoid spoofing, it is |
483 | private key file should be kept secret per-node to avoid spoofing, it is |
484 | not recommended to use this feature. |
484 | not recommended to use this feature this way though. |
485 | |
485 | |
486 | =item rekey = seconds |
486 | =item rekey = seconds |
487 | |
487 | |
488 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
488 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
489 | reestablished every C<rekey> seconds, making them use a new encryption |
489 | reestablished every C<rekey> seconds, making them use a new encryption |
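Review bot: the rewritten sentence on lines 478-480 now tells readers to use C<hostkeys/%s> "to be able to share the same config directory between nodes", while the unchanged paragraph right below says the private key file "should be kept secret per-node to avoid spoofing". The two statements pull in opposite directions, and the softened "not recommended to use this feature this way though" makes it unclear which way is meant. Suggest making the warning explicit: sharing one config directory means every node's private key is present on every node, so a compromise of any one node exposes all of them; and, if C<hostkeys/%s> is kept as an example, state that each node must still only be able to read its own file. "this way though" also reads awkwardly; "in this way" or dropping the clause entirely would be cleaner.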
… | |
… | |
503 | |
503 | |
504 | =item seed-interval = seconds |
504 | =item seed-interval = seconds |
505 | |
505 | |
506 | The number of seconds between reseeds of the random number generator |
506 | The number of seconds between reseeds of the random number generator |
507 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
507 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
|
|
508 | |
|
|
509 | =item serial = string |
|
|
510 | |
|
|
511 | The configuration serial number. This can be any string up to 16 bytes |
|
|
512 | length. Only when the serial matches on both sides of a connection will |
|
|
513 | the connection succeed. This is I<not> a security mechanism and eay to |
|
|
514 | spoof, this mechanism exists to alert users that their config is outdated. |
|
|
515 | |
|
|
516 | It's recommended to specify this is a date string such as C<2013-05-05> or |
|
|
517 | C<20121205084417>. |
|
|
518 | |
|
|
519 | The exact algorithm is as this: if a connection request is received form a |
|
|
520 | node with an identical serial, then it succeeds normally. |
|
|
521 | |
|
|
522 | If the remote serial is lower than the local serial, it is ignored. |
|
|
523 | |
|
|
524 | If the remote serial is higher than the local serial, a warning message is |
|
|
525 | logged. |
508 | |
526 | |
509 | =back |
527 | =back |
510 | |
528 | |
511 | =head2 NODE SPECIFIC SETTINGS |
529 | =head2 NODE SPECIFIC SETTINGS |
512 | |
530 | |
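Review bot: the serial algorithm on lines 519-525 does not match the summary on lines 512-513. The summary says a connection succeeds "only when the serial matches on both sides", but the algorithm then says a lower remote serial "is ignored" (is the request dropped, or is the mismatch ignored and the connection allowed?) and a higher remote serial only causes a warning to be logged, without saying whether the connection still proceeds. Please spell out the outcome in each of the three cases. Two further points: the text recommends both C<2013-05-05> and C<20121205084417> as serials, but since the serial is a string of up to 16 bytes and "lower"/"higher" is presumably a string comparison, mixing the two formats across nodes would compare them in an unintended order; recommending a single fixed-length format would avoid that. Typos: "eay" should be "easy" (line 513), "form" should be "from" (line 519), and "specify this is a date string" should be "specify this as a date string" (line 516).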
… | |
… | |
661 | Whether to inherit the TOS settings of packets sent to the tunnel when |
679 | Whether to inherit the TOS settings of packets sent to the tunnel when |
662 | sending packets to this node (default: C<yes>). If set to C<yes> then |
680 | sending packets to this node (default: C<yes>). If set to C<yes> then |
663 | outgoing tunnel packets will have the same TOS setting as the packets sent |
681 | outgoing tunnel packets will have the same TOS setting as the packets sent |
664 | to the tunnel device, which is usually what you want. |
682 | to the tunnel device, which is usually what you want. |
665 | |
683 | |
|
|
684 | =item low-power = yes|true|on | no|false|off |
|
|
685 | |
|
|
686 | If true, designates a node as a low-power node. Low-power nodes use |
|
|
687 | larger timeouts and try to reduce cpu time. Other nodes talking to a |
|
|
688 | low-power node will also use larger timeouts, and will use less aggressive |
|
|
689 | optimisations, in the hope of reducing load. Security is not compromised. |
|
|
690 | |
|
|
691 | The typical low-power node would be a mobile phone, where wakeups and |
|
|
692 | encryption can significantly increase power drain. |
|
|
693 | |
666 | =item max-retry = positive-number |
694 | =item max-retry = positive-number |
667 | |
695 | |
668 | The maximum interval in seconds (default: C<3600>, one hour) between |
696 | The maximum interval in seconds (default: C<3600>, one hour) between |
669 | retries to establish a connection to this node. When a connection cannot |
697 | retries to establish a connection to this node. When a connection cannot |
670 | be established, gvpe uses exponential back-off capped at this value. It's |
698 | be established, gvpe uses exponential back-off capped at this value. It's |
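Review bot: the sentence "Security is not compromised." on line 689 is a strong claim with no supporting detail; say what the setting actually changes and what it leaves alone, for example that authentication, key exchange and encryption are unaffected and only timeouts and performance optimisations change, so that a reader can judge the liveness and detection-latency implications of the larger timeouts for themselves. The entry should also say roughly how much larger the timeouts are, or point to the setting that controls them, and note that since "other nodes talking to a low-power node will also use larger timeouts", the flag has to be set consistently in every node's config for the peer side to behave as described. Minor: "cpu time" should be "CPU time" (line 687), and "If true" would read better as "If enabled" given the C<yes|true|on> value list on line 684.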