--- gvpe/doc/gvpe.conf.5 2008/08/10 22:18:58 1.21 +++ gvpe/doc/gvpe.conf.5 2008/09/01 05:31:28 1.22 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 +.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) .\" .\" Standard preamble: .\" ======================================================================== @@ -48,22 +48,25 @@ . ds R" '' 'br\} .\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. -.if \nF \{\ +.ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} -.\" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.hy 0 -.if n .na +.el \{\ +. de IX +.. +.\} .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -129,29 +132,31 @@ .\" ======================================================================== .\" .IX Title "GVPE.CONF 5" -.TH GVPE.CONF 5 "2008-08-10" "2.2" "GNU Virtual Private Ethernet" +.TH GVPE.CONF 5 "2008-09-01" "2.2" "GNU Virtual Private Ethernet" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh .SH "NAME" gvpe.conf \- configuration file for the GNU VPE daemon .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 3 +.Vb 4 +\& # global options for all nodes \& udp\-port = 407 \& mtu = 1492 \& ifname = vpn0 -.Ve -.PP -.Vb 2 +\& +\& # first node is named branch1 and is at 1.2.3.4 \& node = branch1 \& hostname = 1.2.3.4 -.Ve -.PP -.Vb 3 +\& +\& # second node uses dns to resolve the address \& node = branch2 \& hostname = www.example.net \& udp\-port = 500 # this host uses a different udp\-port -.Ve -.PP -.Vb 2 +\& +\& # third node has no fixed ip address \& node = branch3 \& connect = ondemand .Ve @@ -167,19 +172,22 @@ \&\f(CW\*(C`name = value\*(C'\fR setting and will only \*(L"execute\*(R" it on the named node, or (if the nodename starts with \*(L"!\*(R") on all nodes except the named one. .PP +For example, set the \s-1MTU\s0 to \f(CW1450\fR everywhere, loglevel to \f(CW\*(C`noise\*(C'\fR on +branch1, and connect to \f(CW\*(C`ondemand\*(C'\fR everywhere but on branch2: +.PP .Vb 3 -\& name = value +\& mtu = 1450 \& on branch1 loglevel = noise \& on !branch2 connect = ondemand .Ve .PP -All settings are executed \*(L"in order\*(R", that is, later settings of the same +All settings are applied \*(L"in order\*(R", that is, later settings of the same variable overwrite earlier ones. .SH "ANATOMY OF A CONFIG FILE" .IX Header "ANATOMY OF A CONFIG FILE" -Usually, a config file starts with global settings (like the udp port to -listen on), followed by node-specific sections that begin with a \f(CW\*(C`node = -nickname\*(C'\fR line. +Usually, a config file starts with a few global settings (like the \s-1UDP\s0 +port to listen on), followed by node-specific sections that begin with a +\&\f(CW\*(C`node = nickname\*(C'\fR line. .PP Every node that is part of the network must have a section that starts with \f(CW\*(C`node = nickname\*(C'\fR. The number and order of the nodes is important @@ -198,7 +206,7 @@ the gvpe daemon and all connections it creates. .IP "dns-forw-host = hostname/ip" 4 .IX Item "dns-forw-host = hostname/ip" -The dns server to forward dns requests to for the \s-1DNS\s0 tunnel protocol +The \s-1DNS\s0 server to forward \s-1DNS\s0 requests to for the \s-1DNS\s0 tunnel protocol (default: \f(CW127.0.0.1\fR, changing it is highly recommended). .IP "dns-forw-port = port-number" 4 .IX Item "dns-forw-port = port-number" @@ -212,7 +220,7 @@ help to set this to a low number (e.g. \f(CW3\fR or even \f(CW1\fR) to limit the number of parallel requests. .Sp -The default should be working ok for most links. +The default should be working \s-1OK\s0 for most links. .IP "dns-overlap-factor = float" 4 .IX Item "dns-overlap-factor = float" The \s-1DNS\s0 transport uses the minimum request latency (\fBmin_latency\fR) seen @@ -224,10 +232,10 @@ \&\f(CW0.5\fR means that \s-1GVPE\s0 will send requests twice as often as the minimum latency measured. .Sp -For congested or picky dns forwarders you could use a value nearer to or +For congested or picky \s-1DNS\s0 forwarders you could use a value nearer to or exceeding \f(CW1\fR. .Sp -The default should be working ok for most links. +The default should be working \s-1OK\s0 for most links. .IP "dns-send-interval = send-interval-in-seconds" 4 .IX Item "dns-send-interval = send-interval-in-seconds" The minimum send interval (= maximum rate) that the \s-1DNS\s0 transport will @@ -238,7 +246,7 @@ congested or rate-limited links, you might want to go higher, say \f(CW0.1\fR, \&\f(CW0.2\fR or even higher. .Sp -The default should be working ok for most links. +The default should be working \s-1OK\s0 for most links. .IP "dns-timeout-factor = float" 4 .IX Item "dns-timeout-factor = float" Factor to multiply the \f(CW\*(C`min_latency\*(C'\fR (see \f(CW\*(C`dns\-overlap\-factor\*(C'\fR) by to @@ -251,12 +259,12 @@ the link is very stable lower values (e.g. \f(CW2\fR) might work nicely. Values near or below \f(CW1\fR makes no sense whatsoever. .Sp -The default should be working ok for most links but will result in low +The default should be working \s-1OK\s0 for most links but will result in low throughput if packet loss is high. .IP "if-up = relative-or-absolute-path" 4 .IX Item "if-up = relative-or-absolute-path" Sets the path of a script that should be called immediately after the -network interface is initialized (but not neccessarily up). The following +network interface is initialized (but not necessarily up). The following environment variables are passed to it (the values are just examples). .Sp Variables that have the same value on all nodes: @@ -297,7 +305,7 @@ The \s-1MAC\s0 address the network interface has to use. .Sp Might be used to initialize interfaces on platforms where \s-1GVPE\s0 does not -do this automatically. Please see the \f(CW\*(C`gvpe.osdep(5)\*(C'\fR manpage for +do this automatically. Please see the \f(CW\*(C`gvpe.osdep(5)\*(C'\fR man page for platform-specific information. .IP "NODENAME=branch1" 4 .IX Item "NODENAME=branch1" @@ -324,8 +332,8 @@ \& ip route add 10.0.0.0/8 dev $IFNAME .Ve .Sp -More complicated examples (using routing to reduce arp traffic) can be -found in the etc/ subdirectory of the distribution. +More complicated examples (using routing to reduce \s-1ARP\s0 traffic) can be +found in the \fIetc/\fR subdirectory of the distribution. .RE .IP "ifname = devname" 4 .IX Item "ifname = devname" @@ -347,10 +355,10 @@ instance using the same protocol, nor can you share the protocol with other programs. .Sp -The default is 47 (\s-1GRE\s0), which has a good chance of tunneling through -firewalls (but note that the rawip protocol is not \s-1GRE\s0 compatible). Other -common choices are 50 (\s-1IPSEC\s0, \s-1ESP\s0), 51 (\s-1IPSEC\s0, \s-1AH\s0), 4 (\s-1IPIP\s0 tunnels) or 98 -(\s-1ENCAP\s0, rfc1241) +The default is 47 (\s-1GRE\s0), which has a good chance of tunneling +through firewalls (but note that gvpe's rawip protocol is not \s-1GRE\s0 +compatible). Other common choices are 50 (\s-1IPSEC\s0, \s-1ESP\s0), 51 (\s-1IPSEC\s0, \s-1AH\s0), 4 +(\s-1IPIP\s0 tunnels) or 98 (\s-1ENCAP\s0, rfc1241) .IP "http-proxy-host = hostname/ip" 4 .IX Item "http-proxy-host = hostname/ip" The \f(CW\*(C`http\-proxy\-*\*(C'\fR family of options are only available if gvpe was @@ -362,14 +370,14 @@ requires authentication. .Sp Please note that gvpe will still try to resolve all hostnames in the -configuration file, so if you are behind a proxy without access to a dns +configuration file, so if you are behind a proxy without access to a \s-1DNS\s0 server better use numerical \s-1IP\s0 addresses. .Sp -To make best use of this option disable all protocols except tcp in your +To make best use of this option disable all protocols except \s-1TCP\s0 in your config file and make sure your routers (or all other nodes) are listening on a port that the proxy allows (443, https, is a common choice). .Sp -If you have a router, connecting to it will suffice. Otherwise tcp must be +If you have a router, connecting to it will suffice. Otherwise \s-1TCP\s0 must be enabled on all nodes. .Sp Example: @@ -385,14 +393,14 @@ .IP "http-proxy-auth = login:password" 4 .IX Item "http-proxy-auth = login:password" The optional login and password used to authenticate to the proxy server, -seperated by a literal colon (\f(CW\*(C`:\*(C'\fR). Only basic authentication is +separated by a literal colon (\f(CW\*(C`:\*(C'\fR). Only basic authentication is currently supported. .IP "keepalive = seconds" 4 .IX Item "keepalive = seconds" Sets the keepalive probe interval in seconds (default: \f(CW60\fR). After this many seconds of inactivity the daemon will start to send keepalive probe -every 5 seconds until it receives a reply from the other end. If no reply -is received within 30 seconds, the peer is considered unreachable and the +every 3 seconds until it receives a reply from the other end. If no reply +is received within 15 seconds, the peer is considered unreachable and the connection is closed. .IP "loglevel = noise|trace|debug|info|notice|warn|error|critical" 4 .IX Item "loglevel = noise|trace|debug|info|notice|warn|error|critical" @@ -402,12 +410,12 @@ .IX Item "mtu = bytes" Sets the maximum \s-1MTU\s0 that should be used on outgoing packets (basically the \s-1MTU\s0 of the outgoing interface) The daemon will automatically calculate -maximum overhead (e.g. udp header size, encryption blocksize...) and pass +maximum overhead (e.g. \s-1UDP\s0 header size, encryption blocksize...) and pass this information to the \f(CW\*(C`if\-up\*(C'\fR script. .Sp Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). .Sp -This value must be the minimum of the mtu values of all nodes. +This value must be the minimum of the \s-1MTU\s0 values of all nodes. .IP "node = nickname" 4 .IX Item "node = nickname" Not really a config setting but introduces a node section. The nickname is @@ -444,7 +452,7 @@ .RS 4 .Sp Here is a nontrivial example that uses nsupdate to update the name => ip -mapping in some dns zone: +mapping in some \s-1DNS\s0 zone: .Sp .Vb 6 \& #!/bin/sh @@ -471,15 +479,16 @@ \&\f(CW\*(C`gvpectrl\*(C'\fR puts them. .Sp Since only the private key file of the current node is used and the -private key file should be kept secret per-node to avoid spoofings, it is +private key file should be kept secret per-node to avoid spoofing, it is not recommended to use this feature. .IP "rekey = seconds" 4 .IX Item "rekey = seconds" Sets the rekeying interval in seconds (default: \f(CW3600\fR). Connections are -reestablished every \f(CW\*(C`rekey\*(C'\fR seconds. +reestablished every \f(CW\*(C`rekey\*(C'\fR seconds, making them use a new encryption +key. .Sh "\s-1NODE\s0 \s-1SPECIFIC\s0 \s-1SETTINGS\s0" .IX Subsection "NODE SPECIFIC SETTINGS" -The following settings are node\-specific, that is, every node can have +The following settings are node-specific, that is, every node can have different settings, even within the same gvpe instance. Settings that are set before the first node section set the defaults, settings that are set within a node section only apply to the given node. @@ -490,7 +499,7 @@ .IX Item "compress = yes|true|on | no|false|off" Wether to compress data packets sent to this node (default: \f(CW\*(C`yes\*(C'\fR). Compression is really cheap even on slow computers and has no size -overhead at all, so enabling this is a good idea. +overhead at all, so enabling this is often a good idea. .IP "connect = ondemand | never | always | disabled" 4 .IX Item "connect = ondemand | never | always | disabled" Sets the connect mode (default: \f(CW\*(C`always\*(C'\fR). It can be \f(CW\*(C`always\*(C'\fR (always @@ -511,13 +520,13 @@ .Sp Sometimes, a node cannot reach some other nodes for reasons of network connectivity. For example, a node behind a firewall that only allows -conenctions to/from a single other node in the network. In this case one +connections to/from a single other node in the network. In this case one should specify \f(CW\*(C`deny\-direct = *\*(C'\fR and \f(CW\*(C`allow\-direct = othernodename\*(C'\fR (the other node \fImust\fR be a router for this to work). .Sp -The algorithm to check wether a connection may be direct is as follows: +The algorithm to check whether a connection may be direct is as follows: .Sp -1. Other node mentioned in a \f(CW\*(C`allow\-direct\*(C'\fR? If yes, allow the connection. +1. Other node mentioned in an \f(CW\*(C`allow\-direct\*(C'\fR? If yes, allow the connection. .Sp 2. Other node mentioned in a \f(CW\*(C`deny\-direct\*(C'\fR? If yes, deny direct connections. .Sp @@ -566,7 +575,7 @@ .IX Item "enable-icmp = yes|true|on | no|false|off" See \fIgvpe.protocol\fR\|(7) for a description of the \s-1ICMP\s0 transport protocol. .Sp -Enable the \s-1ICMP\s0 transport using icmp packets of type \f(CW\*(C`icmp\-type\*(C'\fR on this +Enable the \s-1ICMP\s0 transport using \s-1ICMP\s0 packets of type \f(CW\*(C`icmp\-type\*(C'\fR on this node. .IP "enable-rawip = yes|true|on | no|false|off" 4 .IX Item "enable-rawip = yes|true|on | no|false|off" @@ -589,23 +598,26 @@ unless no other protocol is enabled for a node, in which case this protocol is enabled automatically). .Sp -\&\s-1NOTE:\s0 Please specify \f(CW\*(C`enable\-udp = yes\*(C'\fR if you want t use it even though +\&\s-1NOTE:\s0 Please specify \f(CW\*(C`enable\-udp = yes\*(C'\fR if you want to use it even though it might get switched on automatically, as some future version might default to another default protocol. .IP "hostname = hostname | ip [can not be defaulted]" 4 .IX Item "hostname = hostname | ip [can not be defaulted]" -Forces the address of this node to be set to the given dns hostname or ip +Forces the address of this node to be set to the given \s-1DNS\s0 hostname or \s-1IP\s0 address. It will be resolved before each connect request, so dyndns should work fine. If this setting is not specified and a router is available, then the router will be queried for the address of this node. Otherwise, the connection attempt will fail. +.Sp +Note that \s-1DNS\s0 resolving is done synchronously, pausing the daemon. If that +is an issue you need to specify \s-1IP\s0 addresses. .IP "icmp-type = integer" 4 .IX Item "icmp-type = integer" Sets the type value to be used for outgoing (and incoming) packets sent via the \s-1ICMP\s0 transport. .Sp The default is \f(CW0\fR (which is \f(CW\*(C`echo\-reply\*(C'\fR, also known as -\&\*(L"ping\-replies\*(R"). Other useful values include \f(CW8\fR (\f(CW\*(C`echo\-request\*(C'\fR, a.k.a. +\&\*(L"ping-reply\*(R"). Other useful values include \f(CW8\fR (\f(CW\*(C`echo\-request\*(C'\fR, a.k.a. \&\*(L"ping\*(R") and \f(CW11\fR (\f(CW\*(C`time\-exceeded\*(C'\fR), but any 8\-bit value can be used. .IP "if-up-data = value" 4 .IX Item "if-up-data = value" @@ -621,7 +633,7 @@ .IX Item "max-retry = positive-number" The maximum interval in seconds (default: \f(CW3600\fR, one hour) between retries to establish a connection to this node. When a connection cannot -be established, gvpe uses exponential backoff capped at this value. It's +be established, gvpe uses exponential back-off capped at this value. It's sometimes useful to set this to a much lower value (e.g. \f(CW120\fR) on connections to routers that usually are stable but sometimes are down, to assure quick reconnections even after longer downtimes. @@ -674,19 +686,19 @@ .SH "CONFIG DIRECTORY LAYOUT" .IX Header "CONFIG DIRECTORY LAYOUT" The default (or recommended) directory layout for the config directory is: -.IP "\(bu" 4 +.IP "" 4 .IX Xref "gvpe.conf" The config file. -.IP "\(bu" 4 +.IP "" 4 .IX Xref "if-up" The if-up script .IP "," 4 .IX Xref "node-up node-down" If used the node up or node-down scripts. -.IP "\(bu" 4 +.IP "" 4 .IX Xref "hostkey" The private key (taken from \f(CW\*(C`hostkeys/nodename\*(C'\fR) of the current host. -.IP "\(bu" 4 +.IP "" 4 .IX Xref "pubkey nodename" The public keys of the other nodes, one file per node. .SH "SEE ALSO"