| … | |
… | |
| 18 | * gvpe: (gvpe). The GNU VPE Manual. |
18 | * gvpe: (gvpe). The GNU VPE Manual. |
| 19 | @end direntry |
19 | @end direntry |
| 20 | |
20 | |
| 21 | This is the info manual for vpe, the Virtual Private Ethernet daemon. |
21 | This is the info manual for vpe, the Virtual Private Ethernet daemon. |
| 22 | |
22 | |
| 23 | Copyright @copyright{} 2003-2005 Marc Lehmann <gvpe@@schmorp.de>. |
23 | Copyright @copyright{} 2003-2008 Marc Lehmann <gvpe@@schmorp.de>. |
| 24 | |
24 | |
| 25 | Permission is granted to make and distribute verbatim copies of this |
25 | Permission is granted to make and distribute verbatim copies of this |
| 26 | manual provided the copyright notice and this permission notice are |
26 | manual provided the copyright notice and this permission notice are |
| 27 | preserved on all copies. |
27 | preserved on all copies. |
| 28 | |
28 | |
| … | |
… | |
| 39 | |
39 | |
| 40 | @page |
40 | @page |
| 41 | @vskip 0pt plus 1filll |
41 | @vskip 0pt plus 1filll |
| 42 | @cindex copyright |
42 | @cindex copyright |
| 43 | |
43 | |
| 44 | Copyright @copyright{} 2003-2005 Marc Lehmann <gvpe@@schmorp.de>. |
44 | Copyright @copyright{} 2003-2008 Marc Lehmann <gvpe@@schmorp.de>. |
| 45 | |
45 | |
| 46 | Permission is granted to make and distribute verbatim copies of this |
46 | Permission is granted to make and distribute verbatim copies of this |
| 47 | manual provided the copyright notice and this permission notice are |
47 | manual provided the copyright notice and this permission notice are |
| 48 | preserved on all copies. |
48 | preserved on all copies. |
| 49 | |
49 | |
| … | |
… | |
| 98 | |
98 | |
| 99 | @itemize |
99 | @itemize |
| 100 | |
100 | |
| 101 | |
101 | |
| 102 | @item |
102 | @item |
| 103 | @b{ |
103 | |
| 104 | @cindex Virtual |
104 | @cindex Virtual |
| 105 | Virtual} |
105 | Virtual |
| 106 | |
106 | |
| 107 | Virtual means that no physical network is created (of course), but a network is @emph{emulated} by creating multiple tunnels between the member nodes by encapsulating and sending data over another transport network. |
107 | Virtual means that no physical network is created (of course), but a network is @emph{emulated} by creating multiple tunnels between the member nodes by encapsulating and sending data over another transport network. |
| 108 | @refill |
108 | @refill |
| 109 | Usually the emulated network is a normal IP or Ethernet, and the transport network is the Internet. However, using a VPN system like GVPE to connect nodes over other untrusted networks such as Wireless LAN is not uncommon. |
109 | Usually the emulated network is a normal IP or Ethernet, and the transport network is the Internet. However, using a VPN system like GVPE to connect nodes over other untrusted networks such as Wireless LAN is not uncommon. |
| 110 | @refill |
110 | @refill |
| 111 | |
111 | |
| 112 | |
112 | |
| 113 | @item |
113 | @item |
| 114 | @b{ |
114 | |
| 115 | @cindex Private |
115 | @cindex Private |
| 116 | Private} |
116 | Private |
| 117 | |
117 | |
| 118 | Private means that non-participating nodes cannot decode ("sniff)" nor inject ("spoof") packets. This means that nodes can be connected over untrusted networks such as the public Internet without fear of being eavesdropped while at the same time being able to trust data sent by other nodes. |
118 | Private means that non-participating nodes cannot decode ("sniff)" nor inject ("spoof") packets. This means that nodes can be connected over untrusted networks such as the public Internet without fear of being eavesdropped while at the same time being able to trust data sent by other nodes. |
| 119 | @refill |
119 | @refill |
| 120 | In the case of GVPE, even participating nodes cannot sniff packets send to other nodes or spoof packets as if sent from other nodes, so communications between any two nodes is private to those two nodes. |
120 | In the case of GVPE, even participating nodes cannot sniff packets send to other nodes or spoof packets as if sent from other nodes, so communications between any two nodes is private to those two nodes. |
| 121 | @refill |
121 | @refill |
| 122 | |
122 | |
| 123 | |
123 | |
| 124 | @item |
124 | @item |
| 125 | @b{ |
125 | |
| 126 | @cindex Network |
126 | @cindex Network |
| 127 | Network} |
127 | Network |
| 128 | |
128 | |
| 129 | Network means that more than two parties can participate in the network, so for instance it's possible to connect multiple branches of a company into a single network. Many so-called "vpn" solutions only create point-to-point tunnels, which in turn can be used to build larger networks. |
129 | Network means that more than two parties can participate in the network, so for instance it's possible to connect multiple branches of a company into a single network. Many so-called "vpn" solutions only create point-to-point tunnels, which in turn can be used to build larger networks. |
| 130 | @refill |
130 | @refill |
| 131 | GVPE provides a true multi-point network in wich any number of nodes (at least a few dozen in practise, the theoretical limit is 4095 nodes) can participate. |
131 | GVPE provides a true multi-point network in wich any number of nodes (at least a few dozen in practise, the theoretical limit is 4095 nodes) can participate. |
| 132 | @refill |
132 | @refill |
| … | |
… | |
| 139 | |
139 | |
| 140 | @itemize |
140 | @itemize |
| 141 | |
141 | |
| 142 | |
142 | |
| 143 | @item |
143 | @item |
| 144 | @b{SIMPLE DESIGN} |
144 | SIMPLE DESIGN |
| 145 | |
145 | |
| 146 | Cipher, HMAC algorithms and other key parameters must be selected at compile time - this makes it possible to only link in algorithms you actually need. It also makes the crypto part of the source very transparent and easy to inspect, and last not least this makes it possible to hardcode the layout of all packets into the binary. GVPE goes a step further and internally reserves blocks of the same length for all packets, which virtually removes all possibilities of buffer overflows, as there is only a single type of buffer and it's always of fixed length. |
146 | Cipher, HMAC algorithms and other key parameters must be selected at compile time - this makes it possible to only link in algorithms you actually need. It also makes the crypto part of the source very transparent and easy to inspect, and last not least this makes it possible to hardcode the layout of all packets into the binary. GVPE goes a step further and internally reserves blocks of the same length for all packets, which virtually removes all possibilities of buffer overflows, as there is only a single type of buffer and it's always of fixed length. |
| 147 | @refill |
147 | @refill |
| 148 | |
148 | |
| 149 | |
149 | |
| 150 | @item |
150 | @item |
| 151 | @b{EASY TO SETUP} |
151 | EASY TO SETUP |
| 152 | |
152 | |
| 153 | A few lines of config (the config file is shared unmodified between all hosts) and a single run of @t{gvpectrl} to generate the keys suffices to make it work. |
153 | A few lines of config (the config file is shared unmodified between all hosts) and a single run of @t{gvpectrl} to generate the keys suffices to make it work. |
| 154 | @refill |
154 | @refill |
| 155 | |
155 | |
| 156 | |
156 | |
| 157 | @item |
157 | @item |
| 158 | @b{MAC-BASED SECURITY} |
158 | MAC-BASED SECURITY |
| 159 | |
159 | |
| 160 | Since every host has it's own private key, other hosts cannot spoof traffic from this host. That makes it possible to filter packet by MAC address, e.g. to ensure that packets from a specific IP address come, in fact, from a specific host that is associated with that IP and not from another host. |
160 | Since every host has it's own private key, other hosts cannot spoof traffic from this host. That makes it possible to filter packet by MAC address, e.g. to ensure that packets from a specific IP address come, in fact, from a specific host that is associated with that IP and not from another host. |
| 161 | @refill |
161 | @refill |
| 162 | @end itemize |
162 | @end itemize |
| 163 | |
163 | |
| … | |
… | |
| 170 | |
170 | |
| 171 | @itemize |
171 | @itemize |
| 172 | |
172 | |
| 173 | |
173 | |
| 174 | @item |
174 | @item |
| 175 | @b{gvpectrl} |
175 | gvpectrl |
| 176 | |
176 | |
| 177 | Is used to generate the keys, check and give an overview of of the configuration and contorl the daemon (restarting etc.). |
177 | Is used to generate the keys, check and give an overview of of the configuration and contorl the daemon (restarting etc.). |
| 178 | @refill |
178 | @refill |
| 179 | |
179 | |
| 180 | |
180 | |
| 181 | @item |
181 | @item |
| 182 | @b{gvpe} |
182 | gvpe |
| 183 | |
183 | |
| 184 | Is the daemon used to establish and maintain connections to the other network members. It should be run on the gateway machine. |
184 | Is the daemon used to establish and maintain connections to the other network members. It should be run on the gateway machine. |
| 185 | @refill |
185 | @refill |
| 186 | @end itemize |
186 | @end itemize |
| 187 | |
187 | |
| … | |
… | |
| 645 | |
645 | |
| 646 | |
646 | |
| 647 | @section ANATOMY OF A CONFIG FILE |
647 | @section ANATOMY OF A CONFIG FILE |
| 648 | Usually, a config file starts with global settings (like the udp port to listen on), followed by node-specific sections that begin with a @t{node = nickname} line. |
648 | Usually, a config file starts with global settings (like the udp port to listen on), followed by node-specific sections that begin with a @t{node = nickname} line. |
| 649 | @refill |
649 | @refill |
| 650 | Every node that is part of the network must have a section that starts with @t{node = nickname}. The number and order of the nodes is important and must be the same on all hosts. It is not uncommon for node sections to be completely empty - if the default values are right. |
650 | Every node that is part of the network must have a section that starts with @t{node = nickname}. The number and order of the nodes is important and must be the same on all nodes. It is not uncommon for node sections to be completely empty - if the default values are right. |
| 651 | @refill |
651 | @refill |
| 652 | Node-specific settings can be used at any time. If used before the first node section they will set the default values for all following nodes. |
652 | Node-specific settings can be used at any time. If used before the first node section they will set the default values for all following nodes. |
| 653 | @refill |
653 | @refill |
| 654 | |
654 | |
| 655 | |
655 | |
| … | |
… | |
| 663 | |
663 | |
| 664 | @itemize |
664 | @itemize |
| 665 | |
665 | |
| 666 | |
666 | |
| 667 | @item |
667 | @item |
| 668 | @b{dns-forw-host = hostname/ip} |
668 | dns-forw-host = hostname/ip |
| 669 | |
669 | |
| 670 | @cindex dns-forw-host |
670 | @cindex dns-forw-host |
| 671 | The dns server to forward dns requests to for the DNS tunnel protocol (default: @t{127.0.0.1}, changing it is highly recommended). |
671 | The dns server to forward dns requests to for the DNS tunnel protocol (default: @t{127.0.0.1}, changing it is highly recommended). |
| 672 | @refill |
672 | @refill |
| 673 | |
673 | |
| 674 | |
674 | |
| 675 | @item |
675 | @item |
| 676 | @b{dns-forw-port = port-number} |
676 | dns-forw-port = port-number |
| 677 | |
677 | |
| 678 | @cindex dns-forw-port |
678 | @cindex dns-forw-port |
| 679 | The port where the @t{dns-forw-host} is to be contacted (default: @t{53}, which is fine in most cases). |
679 | The port where the @t{dns-forw-host} is to be contacted (default: @t{53}, which is fine in most cases). |
| 680 | @refill |
680 | @refill |
| 681 | |
681 | |
| 682 | |
682 | |
| 683 | @item |
683 | @item |
| 684 | @b{dns-max-outstanding = integer-number-of-requests} |
684 | dns-max-outstanding = integer-number-of-requests |
| 685 | |
685 | |
| 686 | @cindex dns-max-outstanding |
686 | @cindex dns-max-outstanding |
| 687 | The maximum number of outstanding DNS transport requests (default: @t{100}). GVPE will never issue more requests then the given limit without receiving replies. In heavily overloaded situations it might help to set this to a low number (e.g. @t{3} or even @t{1}) to limit the number of parallel requests. |
687 | The maximum number of outstanding DNS transport requests (default: @t{100}). GVPE will never issue more requests then the given limit without receiving replies. In heavily overloaded situations it might help to set this to a low number (e.g. @t{3} or even @t{1}) to limit the number of parallel requests. |
| 688 | @refill |
688 | @refill |
| 689 | The default should be working ok for most links. |
689 | The default should be working ok for most links. |
| 690 | @refill |
690 | @refill |
| 691 | |
691 | |
| 692 | |
692 | |
| 693 | @item |
693 | @item |
| 694 | @b{dns-overlap-factor = float} |
694 | dns-overlap-factor = float |
| 695 | |
695 | |
| 696 | @cindex dns-overlap-factor |
696 | @cindex dns-overlap-factor |
| 697 | The DNS transport uses the minimum request latency (@strong{min_latency}) seen during a connection as it's timing base. This factor (default: @t{0.5}, must be > 0) is multiplied by @strong{min_latency} to get the maximum sending rate (= minimum send interval), i.e. a factor of @t{1} means that a new request might be generated every @strong{min_latency} seconds, which means on average there should only ever be one outstanding request. A factor of @t{0.5} means that GVPE will send requests twice as often as the minimum latency measured. |
697 | The DNS transport uses the minimum request latency (@strong{min_latency}) seen during a connection as it's timing base. This factor (default: @t{0.5}, must be > 0) is multiplied by @strong{min_latency} to get the maximum sending rate (= minimum send interval), i.e. a factor of @t{1} means that a new request might be generated every @strong{min_latency} seconds, which means on average there should only ever be one outstanding request. A factor of @t{0.5} means that GVPE will send requests twice as often as the minimum latency measured. |
| 698 | @refill |
698 | @refill |
| 699 | For congested or picky dns forwarders you could use a value nearer to or exceeding @t{1}. |
699 | For congested or picky dns forwarders you could use a value nearer to or exceeding @t{1}. |
| … | |
… | |
| 701 | The default should be working ok for most links. |
701 | The default should be working ok for most links. |
| 702 | @refill |
702 | @refill |
| 703 | |
703 | |
| 704 | |
704 | |
| 705 | @item |
705 | @item |
| 706 | @b{dns-send-interval = send-interval-in-seconds} |
706 | dns-send-interval = send-interval-in-seconds |
| 707 | |
707 | |
| 708 | @cindex dns-send-interval |
708 | @cindex dns-send-interval |
| 709 | The minimum send interval (= maximum rate) that the DNS transport will use to send new DNS requests. GVPE will not exceed this rate even when the latency is very low. The default is @t{0.01}, which means GVPE will not send more than 100 DNS requests per connection per second. For high-bandwidth links you could go lower, e.g. to @t{0.001} or so. For congested or rate-limited links, you might want to go higher, say @t{0.1}, @t{0.2} or even higher. |
709 | The minimum send interval (= maximum rate) that the DNS transport will use to send new DNS requests. GVPE will not exceed this rate even when the latency is very low. The default is @t{0.01}, which means GVPE will not send more than 100 DNS requests per connection per second. For high-bandwidth links you could go lower, e.g. to @t{0.001} or so. For congested or rate-limited links, you might want to go higher, say @t{0.1}, @t{0.2} or even higher. |
| 710 | @refill |
710 | @refill |
| 711 | The default should be working ok for most links. |
711 | The default should be working ok for most links. |
| 712 | @refill |
712 | @refill |
| 713 | |
713 | |
| 714 | |
714 | |
| 715 | @item |
715 | @item |
| 716 | @b{dns-timeout-factor = float} |
716 | dns-timeout-factor = float |
| 717 | |
717 | |
| 718 | @cindex dns-timeout-factor |
718 | @cindex dns-timeout-factor |
| 719 | Factor to multiply the @t{min_latency} (see @t{dns-overlap-factor}) by to get request timeouts. The default of @t{8} means that the DNS transport will resend the request when no reply has been received for longer than eight times the minimum (= expected) latency, assuming the request or reply has been lost. |
719 | Factor to multiply the @t{min_latency} (see @t{dns-overlap-factor}) by to get request timeouts. The default of @t{8} means that the DNS transport will resend the request when no reply has been received for longer than eight times the minimum (= expected) latency, assuming the request or reply has been lost. |
| 720 | @refill |
720 | @refill |
| 721 | For congested links a higher value might be necessary (e.g. @t{30}). If the link is very stable lower values (e.g. @t{2}) might work nicely. Values near or below @t{1} makes no sense whatsoever. |
721 | For congested links a higher value might be necessary (e.g. @t{30}). If the link is very stable lower values (e.g. @t{2}) might work nicely. Values near or below @t{1} makes no sense whatsoever. |
| … | |
… | |
| 723 | The default should be working ok for most links but will result in low throughput if packet loss is high. |
723 | The default should be working ok for most links but will result in low throughput if packet loss is high. |
| 724 | @refill |
724 | @refill |
| 725 | |
725 | |
| 726 | |
726 | |
| 727 | @item |
727 | @item |
| 728 | @b{if-up = relative-or-absolute-path} |
728 | if-up = relative-or-absolute-path |
| 729 | |
729 | |
| 730 | @cindex if-up |
730 | @cindex if-up |
| 731 | Sets the path of a script that should be called immediately after the network interface is initialized (but not neccessarily up). The following environment variables are passed to it (the values are just examples). |
731 | Sets the path of a script that should be called immediately after the network interface is initialized (but not neccessarily up). The following environment variables are passed to it (the values are just examples). |
| 732 | @refill |
732 | @refill |
| 733 | Variables that have the same value on all nodes: |
733 | Variables that have the same value on all nodes: |
| … | |
… | |
| 736 | |
736 | |
| 737 | @itemize |
737 | @itemize |
| 738 | |
738 | |
| 739 | |
739 | |
| 740 | @item |
740 | @item |
| 741 | @b{CONFBASE=/etc/gvpe} |
741 | CONFBASE=/etc/gvpe |
| 742 | |
742 | |
| 743 | @cindex CONFBASE |
743 | @cindex CONFBASE |
| 744 | The configuration base directory. |
744 | The configuration base directory. |
| 745 | @refill |
745 | @refill |
| 746 | |
746 | |
| 747 | |
747 | |
| 748 | @item |
748 | @item |
| 749 | @b{IFNAME=vpn0} |
749 | IFNAME=vpn0 |
| 750 | |
750 | |
| 751 | @cindex IFNAME |
751 | @cindex IFNAME |
| 752 | The network interface to initialize. |
752 | The network interface to initialize. |
| 753 | @refill |
753 | @refill |
| 754 | |
754 | |
| 755 | |
755 | |
| 756 | @item |
756 | @item |
| 757 | @b{IFTYPE=native # or tincd} |
757 | IFTYPE=native # or tincd |
| 758 | |
758 | |
| 759 | @cindex IFTYPE |
759 | @cindex IFTYPE |
| 760 | |
760 | |
| 761 | |
761 | |
| 762 | @item |
762 | @item |
| 763 | @b{IFSUBTYPE=linux # or freebsd, darwin etc..} |
763 | IFSUBTYPE=linux # or freebsd, darwin etc.. |
| 764 | |
764 | |
| 765 | @cindex IFSUBTYPE |
765 | @cindex IFSUBTYPE |
| 766 | The interface type (@t{native} or @t{tincd}) and the subtype (usually the OS name in lowercase) that this GVPE was configured for. Can be used to select the correct syntax to use for network-related commands. |
766 | The interface type (@t{native} or @t{tincd}) and the subtype (usually the OS name in lowercase) that this GVPE was configured for. Can be used to select the correct syntax to use for network-related commands. |
| 767 | @refill |
767 | @refill |
| 768 | |
768 | |
| 769 | |
769 | |
| 770 | @item |
770 | @item |
| 771 | @b{MTU=1436} |
771 | MTU=1436 |
| 772 | |
772 | |
| 773 | @cindex MTU |
773 | @cindex MTU |
| 774 | The MTU to set the interface to. You can use lower values (if done consistently on all hosts), but this is usually ineffective. |
774 | The MTU to set the interface to. You can use lower values (if done consistently on all nodes), but this is usually either inefficient or simply ineffective. |
| 775 | @refill |
775 | @refill |
| 776 | |
776 | |
| 777 | |
777 | |
| 778 | @item |
778 | @item |
| 779 | @b{NODES=5} |
779 | NODES=5 |
| 780 | |
780 | |
| 781 | @cindex NODES |
781 | @cindex NODES |
| 782 | The number of nodes in this GVPE network. |
782 | The number of nodes in this GVPE network. |
| 783 | @refill |
783 | @refill |
| 784 | @end itemize |
784 | @end itemize |
| … | |
… | |
| 789 | |
789 | |
| 790 | @itemize |
790 | @itemize |
| 791 | |
791 | |
| 792 | |
792 | |
| 793 | @item |
793 | @item |
| 794 | @b{IFUPDATA=string} |
794 | IFUPDATA=string |
| 795 | |
795 | |
| 796 | @cindex IFUPDATA |
796 | @cindex IFUPDATA |
| 797 | The value of the configuration directive @t{if-up-data}. |
797 | The value of the configuration directive @t{if-up-data}. |
| 798 | @refill |
798 | @refill |
| 799 | |
799 | |
| 800 | |
800 | |
| 801 | @item |
801 | @item |
| 802 | @b{MAC=fe:fd:80:00:00:01} |
802 | MAC=fe:fd:80:00:00:01 |
| 803 | |
803 | |
| 804 | @cindex MAC |
804 | @cindex MAC |
| 805 | The MAC address the network interface has to use. |
805 | The MAC address the network interface has to use. |
| 806 | @refill |
806 | @refill |
| 807 | Might be used to initialize interfaces on platforms where GVPE does not do this automatically. Please see the @t{gvpe.osdep(5)} manpage for platform-specific information. |
807 | Might be used to initialize interfaces on platforms where GVPE does not do this automatically. Please see the @t{gvpe.osdep(5)} manpage for platform-specific information. |
| 808 | @refill |
808 | @refill |
| 809 | |
809 | |
| 810 | |
810 | |
| 811 | @item |
811 | @item |
| 812 | @b{NODENAME=branch1} |
812 | NODENAME=branch1 |
| 813 | |
813 | |
| 814 | @cindex NODENAME |
814 | @cindex NODENAME |
| 815 | The nickname of the node. |
815 | The nickname of the node. |
| 816 | @refill |
816 | @refill |
| 817 | |
817 | |
| 818 | |
818 | |
| 819 | @item |
819 | @item |
| 820 | @b{NODEID=1} |
820 | NODEID=1 |
| 821 | |
821 | |
| 822 | @cindex NODEID |
822 | @cindex NODEID |
| 823 | The numerical node ID of the node running this instance of GVPE. The first node mentioned in the config file gets ID 1, the second ID 2 and so on. |
823 | The numerical node ID of the node running this instance of GVPE. The first node mentioned in the config file gets ID 1, the second ID 2 and so on. |
| 824 | @refill |
824 | @refill |
| 825 | @end itemize |
825 | @end itemize |
| … | |
… | |
| 841 | More complicated examples (using routing to reduce arp traffic) can be found in the etc/ subdirectory of the distribution. |
841 | More complicated examples (using routing to reduce arp traffic) can be found in the etc/ subdirectory of the distribution. |
| 842 | @refill |
842 | @refill |
| 843 | |
843 | |
| 844 | |
844 | |
| 845 | @item |
845 | @item |
| 846 | @b{ifname = devname} |
846 | ifname = devname |
| 847 | |
847 | |
| 848 | @cindex ifname |
848 | @cindex ifname |
| 849 | Sets the tun interface name to the given name. The default is OS-specific and most probably something like @t{tun0}. |
849 | Sets the tun interface name to the given name. The default is OS-specific and most probably something like @t{tun0}. |
| 850 | @refill |
850 | @refill |
| 851 | |
851 | |
| 852 | |
852 | |
| 853 | @item |
853 | @item |
| 854 | @b{ifpersist = yes|true|on | no|false|off} |
854 | ifpersist = yes|true|on | no|false|off |
| 855 | |
855 | |
| 856 | @cindex ifpersist |
856 | @cindex ifpersist |
| 857 | Should the tun/tap device be made persistent, that is, should the device stay up even when gvpe exits? Some versions of the tunnel device have problems sending packets when gvpe is restarted in persistent mode, so if the connections can be established but you cannot send packets from the local node, try to set this to @t{off} and do an ifconfig down on the device. |
857 | Should the tun/tap device be made persistent, that is, should the device stay up even when gvpe exits? Some versions of the tunnel device have problems sending packets when gvpe is restarted in persistent mode, so if the connections can be established but you cannot send packets from the local node, try to set this to @t{off} and do an ifconfig down on the device. |
| 858 | @refill |
858 | @refill |
| 859 | |
859 | |
| 860 | |
860 | |
| 861 | @item |
861 | @item |
| 862 | @b{ip-proto = numerical-ip-protocol} |
862 | ip-proto = numerical-ip-protocol |
| 863 | |
863 | |
| 864 | @cindex ip-proto |
864 | @cindex ip-proto |
| 865 | Sets the protocol number to be used for the rawip protocol. This is a global option because all hosts must use the same protocol, and since there are no port numbers, you cannot easily run more than one gvpe instance using the same protocol, nor can you share the protocol with other programs. |
865 | Sets the protocol number to be used for the rawip protocol. This is a global option because all nodes must use the same protocol, and since there are no port numbers, you cannot easily run more than one gvpe instance using the same protocol, nor can you share the protocol with other programs. |
| 866 | @refill |
866 | @refill |
| 867 | The default is 47 (GRE), which has a good chance of tunneling through firewalls (but note that the rawip protocol is not GRE compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 (IPIP tunnels) or 98 (ENCAP, rfc1241) |
867 | The default is 47 (GRE), which has a good chance of tunneling through firewalls (but note that the rawip protocol is not GRE compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 (IPIP tunnels) or 98 (ENCAP, rfc1241) |
| 868 | @refill |
868 | @refill |
| 869 | |
869 | |
| 870 | |
870 | |
| 871 | @item |
871 | @item |
| 872 | @b{http-proxy-host = hostname/ip} |
872 | http-proxy-host = hostname/ip |
| 873 | |
873 | |
| 874 | @cindex http-proxy-host |
874 | @cindex http-proxy-host |
| 875 | The @t{http-proxy-*} family of options are only available if gvpe was compiled with the @t{--enable-http-proxy} option and enable tunneling of tcp connections through a http proxy server. |
875 | The @t{http-proxy-*} family of options are only available if gvpe was compiled with the @t{--enable-http-proxy} option and enable tunneling of tcp connections through a http proxy server. |
| 876 | @refill |
876 | @refill |
| 877 | @t{http-proxy-host} and @t{http-proxy-port} should specify the hostname and port number of the proxy server. See @t{http-proxy-loginpw} if your proxy requires authentication. |
877 | @t{http-proxy-host} and @t{http-proxy-port} should specify the hostname and port number of the proxy server. See @t{http-proxy-loginpw} if your proxy requires authentication. |
| 878 | @refill |
878 | @refill |
| 879 | Please note that gvpe will still try to resolve all hostnames in the configuration file, so if you are behind a proxy without access to a dns server better use numerical IP addresses. |
879 | Please note that gvpe will still try to resolve all hostnames in the configuration file, so if you are behind a proxy without access to a dns server better use numerical IP addresses. |
| 880 | @refill |
880 | @refill |
| 881 | To make best use of this option disable all protocols except tcp in your config file and make sure your routers (or all other hosts) are listening on a port that the proxy allows (443, https, is a common choice). |
881 | To make best use of this option disable all protocols except tcp in your config file and make sure your routers (or all other nodes) are listening on a port that the proxy allows (443, https, is a common choice). |
| 882 | @refill |
882 | @refill |
| 883 | If you have a router, connecting to it will suffice. Otherwise tcp must be enabled on all hosts. |
883 | If you have a router, connecting to it will suffice. Otherwise tcp must be enabled on all nodes. |
| 884 | @refill |
884 | @refill |
| 885 | Example: |
885 | Example: |
| 886 | @refill |
886 | @refill |
| 887 | |
887 | |
| 888 | |
888 | |
| … | |
… | |
| 893 | @end example |
893 | @end example |
| 894 | |
894 | |
| 895 | |
895 | |
| 896 | |
896 | |
| 897 | @item |
897 | @item |
| 898 | @b{http-proxy-port = proxy-tcp-port} |
898 | http-proxy-port = proxy-tcp-port |
| 899 | |
899 | |
| 900 | @cindex http-proxy-port |
900 | @cindex http-proxy-port |
| 901 | The port where your proxy server listens. |
901 | The port where your proxy server listens. |
| 902 | @refill |
902 | @refill |
| 903 | |
903 | |
| 904 | |
904 | |
| 905 | @item |
905 | @item |
| 906 | @b{http-proxy-auth = login:password} |
906 | http-proxy-auth = login:password |
| 907 | |
907 | |
| 908 | @cindex http-proxy-auth |
908 | @cindex http-proxy-auth |
| 909 | The optional login and password used to authenticate to the proxy server, seperated by a literal colon (@t{:}). Only basic authentication is currently supported. |
909 | The optional login and password used to authenticate to the proxy server, seperated by a literal colon (@t{:}). Only basic authentication is currently supported. |
| 910 | @refill |
910 | @refill |
| 911 | |
911 | |
| 912 | |
912 | |
| 913 | @item |
913 | @item |
| 914 | @b{keepalive = seconds} |
914 | keepalive = seconds |
| 915 | |
915 | |
| 916 | @cindex keepalive |
916 | @cindex keepalive |
| 917 | Sets the keepalive probe interval in seconds (default: @t{60}). After this many seconds of inactivity the daemon will start to send keepalive probe every 5 seconds until it receives a reply from the other end. If no reply is received within 30 seconds, the peer is considered unreachable and the connection is closed. |
917 | Sets the keepalive probe interval in seconds (default: @t{60}). After this many seconds of inactivity the daemon will start to send keepalive probe every 5 seconds until it receives a reply from the other end. If no reply is received within 30 seconds, the peer is considered unreachable and the connection is closed. |
| 918 | @refill |
918 | @refill |
| 919 | |
919 | |
| 920 | |
920 | |
| 921 | @item |
921 | @item |
| 922 | @b{loglevel = noise|trace|debug|info|notice|warn|error|critical} |
922 | loglevel = noise|trace|debug|info|notice|warn|error|critical |
| 923 | |
923 | |
| 924 | @cindex loglevel |
924 | @cindex loglevel |
| 925 | Set the logging level. Connection established messages are logged at level @t{info}, notable errors are logged with @t{error}. Default is @t{info}. |
925 | Set the logging level. Connection established messages are logged at level @t{info}, notable errors are logged with @t{error}. Default is @t{info}. |
| 926 | @refill |
926 | @refill |
| 927 | |
927 | |
| 928 | |
928 | |
| 929 | @item |
929 | @item |
| 930 | @b{mtu = bytes} |
930 | mtu = bytes |
| 931 | |
931 | |
| 932 | @cindex mtu |
932 | @cindex mtu |
| 933 | Sets the maximum MTU that should be used on outgoing packets (basically the MTU of the outgoing interface) The daemon will automatically calculate maximum overhead (e.g. udp header size, encryption blocksize...) and pass this information to the @t{if-up} script. |
933 | Sets the maximum MTU that should be used on outgoing packets (basically the MTU of the outgoing interface) The daemon will automatically calculate maximum overhead (e.g. udp header size, encryption blocksize...) and pass this information to the @t{if-up} script. |
| 934 | @refill |
934 | @refill |
| 935 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
935 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
| 936 | @refill |
936 | @refill |
| 937 | This value must be the minimum of the mtu values of all hosts. |
937 | This value must be the minimum of the mtu values of all nodes. |
| 938 | @refill |
938 | @refill |
| 939 | |
939 | |
| 940 | |
940 | |
| 941 | @item |
941 | @item |
| 942 | @b{node = nickname} |
942 | node = nickname |
| 943 | |
943 | |
| 944 | @cindex node |
944 | @cindex node |
| 945 | Not really a config setting but introduces a node section. The nickname is used to select the right configuration section and must be passed as an argument to the gvpe daemon. |
945 | Not really a config setting but introduces a node section. The nickname is used to select the right configuration section and must be passed as an argument to the gvpe daemon. |
| 946 | @refill |
946 | @refill |
| 947 | |
947 | |
| 948 | |
948 | |
| 949 | @item |
949 | @item |
| 950 | @b{node-up = relative-or-absolute-path} |
950 | node-up = relative-or-absolute-path |
| 951 | |
951 | |
| 952 | @cindex node-up |
952 | @cindex node-up |
| 953 | Sets a command (default: no script) that should be called whenever a connection is established (even on rekeying operations). In addition to all the variables passed to @t{if-up} scripts, the following environment variables will be set: |
953 | Sets a command (default: none) that should be called whenever a connection is established (even on rekeying operations). Note that node-up/down scripts will be run asynchronously, but execution is serialised, so there will only ever be one such script running. |
|
|
954 | @refill |
|
|
955 | In addition to all the variables passed to @t{if-up} scripts, the following environment variables will be set: |
| 954 | @refill |
956 | @refill |
| 955 | |
957 | |
| 956 | |
958 | |
| 957 | @itemize |
959 | @itemize |
| 958 | |
960 | |
| 959 | |
961 | |
| 960 | @item |
962 | @item |
| 961 | @b{DESTNODE=branch2} |
963 | DESTNODE=branch2 |
| 962 | |
964 | |
| 963 | @cindex DESTNODE |
965 | @cindex DESTNODE |
| 964 | The name of the remote node. |
966 | The name of the remote node. |
| 965 | @refill |
967 | @refill |
| 966 | |
968 | |
| 967 | |
969 | |
| 968 | @item |
970 | @item |
| 969 | @b{DESTID=2} |
971 | DESTID=2 |
| 970 | |
972 | |
| 971 | @cindex DESTID |
973 | @cindex DESTID |
| 972 | The node id of the remote node. |
974 | The node id of the remote node. |
| 973 | @refill |
975 | @refill |
| 974 | |
976 | |
| 975 | |
977 | |
| 976 | @item |
978 | @item |
| 977 | @b{DESTIP=188.13.66.8} |
979 | DESTIP=188.13.66.8 |
| 978 | |
980 | |
| 979 | @cindex DESTIP |
981 | @cindex DESTIP |
| 980 | The numerical IP address of the remote host (gvpe accepts connections from everywhere, as long as the other host can authenticate itself). |
982 | The numerical IP address of the remote node (gvpe accepts connections from everywhere, as long as the other node can authenticate itself). |
| 981 | @refill |
983 | @refill |
| 982 | |
984 | |
| 983 | |
985 | |
| 984 | @item |
986 | @item |
| 985 | @b{DESTPORT=655 # deprecated} |
987 | DESTPORT=655 # deprecated |
| 986 | |
988 | |
| 987 | @cindex DESTPORT |
989 | @cindex DESTPORT |
| 988 | The UDP port used by the other side. |
990 | The UDP port used by the other side. |
| 989 | @refill |
991 | @refill |
| 990 | |
992 | |
| 991 | |
993 | |
| 992 | @item |
994 | @item |
| 993 | @b{STATE=UP} |
995 | STATE=UP |
| 994 | |
996 | |
| 995 | @cindex STATE |
997 | @cindex STATE |
| 996 | Node-up scripts get called with STATE=UP, node-down scripts get called with STATE=DOWN. |
998 | Node-up scripts get called with STATE=UP, node-down scripts get called with STATE=DOWN. |
| 997 | @refill |
999 | @refill |
| 998 | @end itemize |
1000 | @end itemize |
| … | |
… | |
| 1011 | @end example |
1013 | @end example |
| 1012 | |
1014 | |
| 1013 | |
1015 | |
| 1014 | |
1016 | |
| 1015 | @item |
1017 | @item |
| 1016 | @b{node-down = relative-or-absolute-path} |
1018 | node-down = relative-or-absolute-path |
| 1017 | |
1019 | |
| 1018 | @cindex node-down |
1020 | @cindex node-down |
| 1019 | Same as @t{node-up}, but gets called whenever a connection is lost. |
1021 | Same as @t{node-up}, but gets called whenever a connection is lost. |
| 1020 | @refill |
1022 | @refill |
| 1021 | |
1023 | |
| 1022 | |
1024 | |
| 1023 | @item |
1025 | @item |
| 1024 | @b{pid-file = path} |
1026 | pid-file = path |
| 1025 | |
1027 | |
| 1026 | @cindex pid-file |
1028 | @cindex pid-file |
| 1027 | The path to the pid file to check and create (default: @t{LOCALSTATEDIR/run/gvpe.pid}). |
1029 | The path to the pid file to check and create (default: @t{LOCALSTATEDIR/run/gvpe.pid}). |
| 1028 | @refill |
1030 | @refill |
| 1029 | |
1031 | |
| 1030 | |
1032 | |
| 1031 | @item |
1033 | @item |
| 1032 | @b{private-key = relative-path-to-key} |
1034 | private-key = relative-path-to-key |
| 1033 | |
1035 | |
| 1034 | @cindex private-key |
1036 | @cindex private-key |
| 1035 | Sets the path (relative to the config directory) to the private key (default: @t{hostkey}). This is a printf format string so every @t{%} must be doubled. A single @t{%s} is replaced by the hostname, so you could use paths like @t{hostkeys/%s} to fetch the files at the location where @t{gvpectrl} puts them. |
1037 | Sets the path (relative to the config directory) to the private key (default: @t{hostkey}). This is a printf format string so every @t{%} must be doubled. A single @t{%s} is replaced by the hostname, so you could use paths like @t{hostkeys/%s} to fetch the files at the location where @t{gvpectrl} puts them. |
| 1036 | @refill |
1038 | @refill |
| 1037 | Since only the private key file of the current node is used and the private key file should be kept secret per-host to avoid spoofings, it is not recommended to use this feature. |
1039 | Since only the private key file of the current node is used and the private key file should be kept secret per-node to avoid spoofings, it is not recommended to use this feature. |
| 1038 | @refill |
1040 | @refill |
| 1039 | |
1041 | |
| 1040 | |
1042 | |
| 1041 | @item |
1043 | @item |
| 1042 | @b{rekey = seconds} |
1044 | rekey = seconds |
| 1043 | |
1045 | |
| 1044 | @cindex rekey |
1046 | @cindex rekey |
| 1045 | Sets the rekeying interval in seconds (default: @t{3600}). Connections are reestablished every @t{rekey} seconds. |
1047 | Sets the rekeying interval in seconds (default: @t{3600}). Connections are reestablished every @t{rekey} seconds. |
| 1046 | @refill |
1048 | @refill |
| 1047 | @end itemize |
1049 | @end itemize |
| … | |
… | |
| 1055 | |
1057 | |
| 1056 | @itemize |
1058 | @itemize |
| 1057 | |
1059 | |
| 1058 | |
1060 | |
| 1059 | @item |
1061 | @item |
| 1060 | @b{allow-direct = nodename} |
1062 | allow-direct = nodename |
| 1061 | |
1063 | |
| 1062 | @cindex allow-direct |
1064 | @cindex allow-direct |
| 1063 | Allow direct connections to this node. See @t{deny-direct} for more info. |
1065 | Allow direct connections to this node. See @t{deny-direct} for more info. |
| 1064 | @refill |
1066 | @refill |
| 1065 | |
1067 | |
| 1066 | |
1068 | |
| 1067 | @item |
1069 | @item |
| 1068 | @b{compress = yes|true|on | no|false|off} |
1070 | compress = yes|true|on | no|false|off |
| 1069 | |
1071 | |
| 1070 | @cindex compress |
1072 | @cindex compress |
| 1071 | Wether to compress data packets sent to this host (default: @t{yes}). Compression is really cheap even on slow computers and has no size overhead at all, so enabling this is a good idea. |
1073 | Wether to compress data packets sent to this node (default: @t{yes}). Compression is really cheap even on slow computers and has no size overhead at all, so enabling this is a good idea. |
| 1072 | @refill |
1074 | @refill |
| 1073 | |
1075 | |
| 1074 | |
1076 | |
| 1075 | @item |
1077 | @item |
| 1076 | @b{connect = ondemand | never | always | disabled} |
1078 | connect = ondemand | never | always | disabled |
| 1077 | |
1079 | |
| 1078 | @cindex connect |
1080 | @cindex connect |
| 1079 | Sets the connect mode (default: @t{always}). It can be @t{always} (always try to establish and keep a connection to the given host), @t{never} (never initiate a connection to the given host, but accept connections), @t{ondemand} (try to establish a connection on the first packet sent, and take it down after the keepalive interval) or @t{disabled} (node is bad, don't talk to it). |
1081 | Sets the connect mode (default: @t{always}). It can be @t{always} (always try to establish and keep a connection to the given node), @t{never} (never initiate a connection to the given host, but accept connections), @t{ondemand} (try to establish a connection when there are outstanding packets in the queue and take it down after the keepalive interval) or @t{disabled} (node is bad, don't talk to it). |
| 1080 | @refill |
1082 | @refill |
|
|
1083 | Routers will automatically be forced to @t{always} unless they are @t{disabled}, to ensure all nodes can talk to each other. |
|
|
1084 | @refill |
| 1081 | |
1085 | |
| 1082 | |
1086 | |
| 1083 | @item |
1087 | @item |
| 1084 | @b{deny-direct = nodename | *} |
1088 | deny-direct = nodename | * |
| 1085 | |
1089 | |
| 1086 | @cindex deny-direct |
1090 | @cindex deny-direct |
| 1087 | Deny direct connections to the specified node (or all nodes when @t{*} is given). Only one node can be specified, but you can use multiple @t{allow-direct} and @t{deny-direct} statements. This only makes sense in networks with routers, as routers are required for indirect connections. |
1091 | Deny direct connections to the specified node (or all nodes when @t{*} is given). Only one node can be specified, but you can use multiple @t{allow-direct} and @t{deny-direct} statements. This only makes sense in networks with routers, as routers are required for indirect connections. |
| 1088 | @refill |
1092 | @refill |
| 1089 | Sometimes, a node cannot reach some other nodes for reasons of network connectivity. For example, a node behind a firewall that only allows conenctions to/from a single other node in the network. In this case one should specify @t{deny-direct = *} and @t{allow-direct = othernodename} (the other node @emph{must} be a router for this to work). |
1093 | Sometimes, a node cannot reach some other nodes for reasons of network connectivity. For example, a node behind a firewall that only allows conenctions to/from a single other node in the network. In this case one should specify @t{deny-direct = *} and @t{allow-direct = othernodename} (the other node @emph{must} be a router for this to work). |
| … | |
… | |
| 1101 | The check is done in both directions, i.e. both nodes must allow a direct connection before one is attempted, so you only need to specify connect limitations on one node. |
1105 | The check is done in both directions, i.e. both nodes must allow a direct connection before one is attempted, so you only need to specify connect limitations on one node. |
| 1102 | @refill |
1106 | @refill |
| 1103 | |
1107 | |
| 1104 | |
1108 | |
| 1105 | @item |
1109 | @item |
| 1106 | @b{dns-domain = domain-suffix} |
1110 | dns-domain = domain-suffix |
| 1107 | |
1111 | |
| 1108 | @cindex dns-domain |
1112 | @cindex dns-domain |
| 1109 | The DNS domain suffix that points to the DNS tunnel server for this node. |
1113 | The DNS domain suffix that points to the DNS tunnel server for this node. |
| 1110 | @refill |
1114 | @refill |
| 1111 | The domain must point to a NS record that points to the @emph{dns-hostname}, i.e. |
1115 | The domain must point to a NS record that points to the @emph{dns-hostname}, i.e. |
| … | |
… | |
| 1127 | @end example |
1131 | @end example |
| 1128 | |
1132 | |
| 1129 | |
1133 | |
| 1130 | |
1134 | |
| 1131 | @item |
1135 | @item |
| 1132 | @b{dns-hostname = hostname/ip} |
1136 | dns-hostname = hostname/ip |
| 1133 | |
1137 | |
| 1134 | @cindex dns-hostname |
1138 | @cindex dns-hostname |
| 1135 | The address to bind the DNS tunnel socket to, similar to the @t{hostname}, but for the DNS tunnel protocol only. Default: @t{0.0.0.0}, but that might change. |
1139 | The address to bind the DNS tunnel socket to, similar to the @t{hostname}, but for the DNS tunnel protocol only. Default: @t{0.0.0.0}, but that might change. |
| 1136 | @refill |
1140 | @refill |
| 1137 | |
1141 | |
| 1138 | |
1142 | |
| 1139 | @item |
1143 | @item |
| 1140 | @b{dns-port = port-number} |
1144 | dns-port = port-number |
| 1141 | |
1145 | |
| 1142 | @cindex dns-port |
1146 | @cindex dns-port |
| 1143 | The port to bind the DNS tunnel socket to. Must be @t{53} on DNS tunnel servers. |
1147 | The port to bind the DNS tunnel socket to. Must be @t{53} on DNS tunnel servers. |
| 1144 | @refill |
1148 | @refill |
| 1145 | |
1149 | |
| 1146 | |
1150 | |
| 1147 | @item |
1151 | @item |
| 1148 | @b{enable-dns = yes|true|on | no|false|off} |
1152 | enable-dns = yes|true|on | no|false|off |
| 1149 | |
1153 | |
| 1150 | @cindex enable-dns |
1154 | @cindex enable-dns |
| 1151 | See gvpe.protocol(7) for a description of the DNS transport protocol. Avoid this protocol if you can. |
1155 | See gvpe.protocol(7) for a description of the DNS transport protocol. Avoid this protocol if you can. |
| 1152 | @refill |
1156 | @refill |
| 1153 | Enable the DNS tunneling protocol on this node, either as server or as client. Support for this transport protocol is only available when gvpe was compiled using the @t{--enable-dns} option. |
1157 | Enable the DNS tunneling protocol on this node, either as server or as client. Support for this transport protocol is only available when gvpe was compiled using the @t{--enable-dns} option. |
| 1154 | @refill |
1158 | @refill |
| 1155 | |
1159 | |
| 1156 | |
1160 | |
| 1157 | @item |
1161 | @item |
| 1158 | @b{enable-icmp = yes|true|on | no|false|off} |
1162 | enable-icmp = yes|true|on | no|false|off |
| 1159 | |
1163 | |
| 1160 | @cindex enable-icmp |
1164 | @cindex enable-icmp |
| 1161 | See gvpe.protocol(7) for a description of the ICMP transport protocol. |
1165 | See gvpe.protocol(7) for a description of the ICMP transport protocol. |
| 1162 | @refill |
1166 | @refill |
| 1163 | Enable the ICMP transport using icmp packets of type @t{icmp-type} on this node. |
1167 | Enable the ICMP transport using icmp packets of type @t{icmp-type} on this node. |
| 1164 | @refill |
1168 | @refill |
| 1165 | |
1169 | |
| 1166 | |
1170 | |
| 1167 | @item |
1171 | @item |
| 1168 | @b{enable-rawip = yes|true|on | no|false|off} |
1172 | enable-rawip = yes|true|on | no|false|off |
| 1169 | |
1173 | |
| 1170 | @cindex enable-rawip |
1174 | @cindex enable-rawip |
| 1171 | See gvpe.protocol(7) for a description of the RAW IP transport protocol. |
1175 | See gvpe.protocol(7) for a description of the RAW IP transport protocol. |
| 1172 | @refill |
1176 | @refill |
| 1173 | Enable the RAW IPv4 transport using the @t{ip-proto} protocol (default: @t{no}). |
1177 | Enable the RAW IPv4 transport using the @t{ip-proto} protocol (default: @t{no}). |
| 1174 | @refill |
1178 | @refill |
| 1175 | |
1179 | |
| 1176 | |
1180 | |
| 1177 | @item |
1181 | @item |
| 1178 | @b{enable-tcp = yes|true|on | no|false|off} |
1182 | enable-tcp = yes|true|on | no|false|off |
| 1179 | |
1183 | |
| 1180 | @cindex enable-tcp |
1184 | @cindex enable-tcp |
| 1181 | See gvpe.protocol(7) for a description of the TCP transport protocol. |
1185 | See gvpe.protocol(7) for a description of the TCP transport protocol. |
| 1182 | @refill |
1186 | @refill |
| 1183 | Enable the TCPv4 transport using the @t{tcp-port} port (default: @t{no}). Support for this transport protocol is only available when gvpe was compiled using the @t{--enable-tcp} option. |
1187 | Enable the TCPv4 transport using the @t{tcp-port} port (default: @t{no}). Support for this transport protocol is only available when gvpe was compiled using the @t{--enable-tcp} option. |
| 1184 | @refill |
1188 | @refill |
| 1185 | |
1189 | |
| 1186 | |
1190 | |
| 1187 | @item |
1191 | @item |
| 1188 | @b{enable-udp = yes|true|on | no|false|off} |
1192 | enable-udp = yes|true|on | no|false|off |
| 1189 | |
1193 | |
| 1190 | @cindex enable-udp |
1194 | @cindex enable-udp |
| 1191 | See gvpe.protocol(7) for a description of the UDP transport protocol. |
1195 | See gvpe.protocol(7) for a description of the UDP transport protocol. |
| 1192 | @refill |
1196 | @refill |
| 1193 | Enable the UDPv4 transport using the @t{udp-port} port (default: @t{no}, unless no other protocol is enabled for a node, in which case this protocol is enabled automatically). |
1197 | Enable the UDPv4 transport using the @t{udp-port} port (default: @t{no}, unless no other protocol is enabled for a node, in which case this protocol is enabled automatically). |
| … | |
… | |
| 1195 | NOTE: Please specify @t{enable-udp = yes} if you want t use it even though it might get switched on automatically, as some future version might default to another default protocol. |
1199 | NOTE: Please specify @t{enable-udp = yes} if you want t use it even though it might get switched on automatically, as some future version might default to another default protocol. |
| 1196 | @refill |
1200 | @refill |
| 1197 | |
1201 | |
| 1198 | |
1202 | |
| 1199 | @item |
1203 | @item |
| 1200 | @b{hostname = hostname | ip [can not be defaulted]} |
1204 | hostname = hostname | ip [can not be defaulted] |
| 1201 | |
1205 | |
| 1202 | @cindex hostname |
1206 | @cindex hostname |
| 1203 | Forces the address of this node to be set to the given dns hostname or ip address. It will be resolved before each connect request, so dyndns should work fine. If this setting is not specified and a router is available, then the router will be queried for the address of this node. Otherwise, the connection attempt will fail. |
1207 | Forces the address of this node to be set to the given dns hostname or ip address. It will be resolved before each connect request, so dyndns should work fine. If this setting is not specified and a router is available, then the router will be queried for the address of this node. Otherwise, the connection attempt will fail. |
| 1204 | @refill |
1208 | @refill |
| 1205 | |
1209 | |
| 1206 | |
1210 | |
| 1207 | @item |
1211 | @item |
| 1208 | @b{icmp-type = integer} |
1212 | icmp-type = integer |
| 1209 | |
1213 | |
| 1210 | @cindex icmp-type |
1214 | @cindex icmp-type |
| 1211 | Sets the type value to be used for outgoing (and incoming) packets sent via the ICMP transport. |
1215 | Sets the type value to be used for outgoing (and incoming) packets sent via the ICMP transport. |
| 1212 | @refill |
1216 | @refill |
| 1213 | The default is @t{0} (which is @t{echo-reply}, also known as "ping-replies"). Other useful values include @t{8} (@t{echo-request}, a.k.a. "ping") and @t{11} (@t{time-exceeded}), but any 8-bit value can be used. |
1217 | The default is @t{0} (which is @t{echo-reply}, also known as "ping-replies"). Other useful values include @t{8} (@t{echo-request}, a.k.a. "ping") and @t{11} (@t{time-exceeded}), but any 8-bit value can be used. |
| 1214 | @refill |
1218 | @refill |
| 1215 | |
1219 | |
| 1216 | |
1220 | |
| 1217 | @item |
1221 | @item |
| 1218 | @b{if-up-data = value} |
1222 | if-up-data = value |
| 1219 | |
1223 | |
| 1220 | @cindex if-up-data |
1224 | @cindex if-up-data |
| 1221 | The value specified using this directive will be passed to the @t{if-up} script in the environment variable @t{IFUPDATA}. |
1225 | The value specified using this directive will be passed to the @t{if-up} script in the environment variable @t{IFUPDATA}. |
| 1222 | @refill |
1226 | @refill |
| 1223 | |
1227 | |
| 1224 | |
1228 | |
| 1225 | @item |
1229 | @item |
| 1226 | @b{inherit-tos = yes|true|on | no|false|off} |
1230 | inherit-tos = yes|true|on | no|false|off |
| 1227 | |
1231 | |
| 1228 | @cindex inherit-tos |
1232 | @cindex inherit-tos |
| 1229 | Wether to inherit the TOS settings of packets sent to the tunnel when sending packets to this node (default: @t{yes}). If set to @t{yes} then outgoing tunnel packets will have the same TOS setting as the packets sent to the tunnel device, which is usually what you want. |
1233 | Wether to inherit the TOS settings of packets sent to the tunnel when sending packets to this node (default: @t{yes}). If set to @t{yes} then outgoing tunnel packets will have the same TOS setting as the packets sent to the tunnel device, which is usually what you want. |
| 1230 | @refill |
1234 | @refill |
| 1231 | |
1235 | |
| 1232 | |
1236 | |
| 1233 | @item |
1237 | @item |
| 1234 | @b{max-retry = positive-number} |
1238 | max-retry = positive-number |
| 1235 | |
1239 | |
| 1236 | @cindex max-retry |
1240 | @cindex max-retry |
| 1237 | The maximum interval in seconds (default: @t{3600}, one hour) between retries to establish a connection to this node. When a connection cannot be established, gvpe uses exponential backoff capped at this value. It's sometimes useful to set this to a much lower value (e.g. @t{120}) on connections to routers that usually are stable but sometimes are down, to assure quick reconnections even after longer downtimes. |
1241 | The maximum interval in seconds (default: @t{3600}, one hour) between retries to establish a connection to this node. When a connection cannot be established, gvpe uses exponential backoff capped at this value. It's sometimes useful to set this to a much lower value (e.g. @t{120}) on connections to routers that usually are stable but sometimes are down, to assure quick reconnections even after longer downtimes. |
| 1238 | @refill |
1242 | @refill |
| 1239 | |
1243 | |
| 1240 | |
1244 | |
| 1241 | @item |
1245 | @item |
|
|
1246 | max-ttl = seconds |
|
|
1247 | |
|
|
1248 | @cindex max-ttl |
|
|
1249 | Expire packets that couldn't be sent after this many seconds (default: @t{60}). Gvpe will normally queue packets for a node without an active connection, in the hope of establishing a connection soon. This value specifies the maximum lifetime a packet will stay in the queue, if a packet gets older, it will be thrown away. |
|
|
1250 | @refill |
|
|
1251 | |
|
|
1252 | |
|
|
1253 | @item |
|
|
1254 | max-queue = positive-number>=1 |
|
|
1255 | |
|
|
1256 | @cindex max-queue |
|
|
1257 | The maximum number of packets that will be queued (default: @t{512}) for this node. If more packets are sent then earlier packets will be expired. See @t{max-ttl}, above. |
|
|
1258 | @refill |
|
|
1259 | |
|
|
1260 | |
|
|
1261 | @item |
| 1242 | @b{router-priority = 0 | 1 | positive-number>=2} |
1262 | router-priority = 0 | 1 | positive-number>=2 |
| 1243 | |
1263 | |
| 1244 | @cindex router-priority |
1264 | @cindex router-priority |
| 1245 | Sets the router priority of the given host (default: @t{0}, disabled). If some host tries to connect to another host without a hostname, it asks the router host for it's IP address. The router host is the one with the highest priority larger than @t{1} that is currently reachable. |
1265 | Sets the router priority of the given node (default: @t{0}, disabled). |
| 1246 | @refill |
1266 | @refill |
| 1247 | Make sure all hosts always connect (@t{connect = always}) to the router hosts, otherwise connecting to them might be impossible. |
1267 | If some node tries to connect to another node but it doesn't have a hostname, it asks a router node for it's IP address. The router node chosen is the one with the highest priority larger than @t{1} that is currently reachable. This is called a @emph{mediated} connection, as the connection itself will still be direct, but it uses another node to mediate between the two nodes. |
| 1248 | @refill |
1268 | @refill |
| 1249 | The special value @t{1} allows other hosts to route through the router host, but they will never route through it by default. The value @t{0} disables routing. The idea behind this is that some hosts can, if required, bump the @t{router-priority} setting to higher than @t{1} in their local config to route through specific hosts. If @t{router-priority} is @t{0}, then routing will be refused, so @t{1} serves as a "enable, but do not use by default" switch. |
1269 | The value @t{0} disables routing, that means if the node receives a packet not for itself it will not forward it but instead drop it. |
| 1250 | @refill |
1270 | @refill |
|
|
1271 | The special value @t{1} allows other hosts to route through the router host, but they will never route through it by default (i.e. the config file of another node needs to specify a router priority higher than one to choose such a node for routing). |
|
|
1272 | @refill |
|
|
1273 | The idea behind this is that some hosts can, if required, bump the @t{router-priority} setting to higher than @t{1} in their local config to route through specific hosts. If @t{router-priority} is @t{0}, then routing will be refused, so @t{1} serves as a "enable, but do not use by default" switch. |
|
|
1274 | @refill |
|
|
1275 | Nodes with @t{router-priority} set to @t{2} or higher will always be forced to @t{connect} = @t{always} (unless they are @t{disabled}). |
|
|
1276 | @refill |
| 1251 | |
1277 | |
| 1252 | |
1278 | |
| 1253 | @item |
1279 | @item |
| 1254 | @b{tcp-port = port-number} |
1280 | tcp-port = port-number |
| 1255 | |
1281 | |
| 1256 | @cindex tcp-port |
1282 | @cindex tcp-port |
| 1257 | Similar to @t{udp-port} (default: @t{655}), but sets the TCP port number. |
1283 | Similar to @t{udp-port} (default: @t{655}), but sets the TCP port number. |
| 1258 | @refill |
1284 | @refill |
| 1259 | |
1285 | |
| 1260 | |
1286 | |
| 1261 | @item |
1287 | @item |
| 1262 | @b{udp-port = port-number} |
1288 | udp-port = port-number |
| 1263 | |
1289 | |
| 1264 | @cindex udp-port |
1290 | @cindex udp-port |
| 1265 | Sets the port number used by the UDP protocol (default: @t{655}, not officially assigned by IANA!). |
1291 | Sets the port number used by the UDP protocol (default: @t{655}, not officially assigned by IANA!). |
| 1266 | @refill |
1292 | @refill |
| 1267 | @end itemize |
1293 | @end itemize |
| … | |
… | |
| 1275 | |
1301 | |
| 1276 | @itemize |
1302 | @itemize |
| 1277 | |
1303 | |
| 1278 | |
1304 | |
| 1279 | @item |
1305 | @item |
| 1280 | @b{ |
1306 | |
| 1281 | @cindex gvpe.conf |
1307 | @cindex gvpe.conf |
| 1282 | gvpe.conf} |
1308 | gvpe.conf |
| 1283 | |
1309 | |
| 1284 | The config file. |
1310 | The config file. |
| 1285 | @refill |
1311 | @refill |
| 1286 | |
1312 | |
| 1287 | |
1313 | |
| 1288 | @item |
1314 | @item |
| 1289 | @b{ |
1315 | |
| 1290 | @cindex if-up |
1316 | @cindex if-up |
| 1291 | if-up} |
1317 | if-up |
| 1292 | |
1318 | |
| 1293 | The if-up script |
1319 | The if-up script |
| 1294 | @refill |
1320 | @refill |
| 1295 | |
1321 | |
| 1296 | |
1322 | |
| 1297 | @item |
1323 | @item |
| 1298 | @b{ |
1324 | |
| 1299 | @cindex node-up |
1325 | @cindex node-up |
| 1300 | node-up, |
1326 | node-up, |
| 1301 | @cindex node-down |
1327 | @cindex node-down |
| 1302 | node-down} |
1328 | node-down |
| 1303 | |
1329 | |
| 1304 | If used the node up or node-down scripts. |
1330 | If used the node up or node-down scripts. |
| 1305 | @refill |
1331 | @refill |
| 1306 | |
1332 | |
| 1307 | |
1333 | |
| 1308 | @item |
1334 | @item |
| 1309 | @b{ |
1335 | |
| 1310 | @cindex hostkey |
1336 | @cindex hostkey |
| 1311 | hostkey} |
1337 | hostkey |
| 1312 | |
1338 | |
| 1313 | The private key (taken from @t{hostkeys/nodename}) of the current host. |
1339 | The private key (taken from @t{hostkeys/nodename}) of the current host. |
| 1314 | @refill |
1340 | @refill |
| 1315 | |
1341 | |
| 1316 | |
1342 | |
| 1317 | @item |
1343 | @item |
| 1318 | @b{ |
1344 | |
| 1319 | @cindex pubkey/nodename |
1345 | @cindex pubkey/nodename |
| 1320 | pubkey/nodename} |
1346 | pubkey/nodename |
| 1321 | |
1347 | |
| 1322 | The public keys of the other nodes, one file per node. |
1348 | The public keys of the other nodes, one file per node. |
| 1323 | @refill |
1349 | @refill |
| 1324 | @end itemize |
1350 | @end itemize |
| 1325 | |
1351 | |
| … | |
… | |
| 1350 | |
1376 | |
| 1351 | @itemize |
1377 | @itemize |
| 1352 | |
1378 | |
| 1353 | |
1379 | |
| 1354 | @item |
1380 | @item |
| 1355 | @b{@strong{-c}, @strong{--config=}@emph{DIR}} |
1381 | @strong{-c}, @strong{--config=}@emph{DIR} |
| 1356 | |
1382 | |
| 1357 | Read configuration options from @emph{DIR}. |
1383 | Read configuration options from @emph{DIR}. |
| 1358 | @refill |
1384 | @refill |
| 1359 | |
1385 | |
| 1360 | |
1386 | |
| 1361 | @item |
1387 | @item |
| 1362 | @b{@strong{-g}, @strong{--generate-keys}} |
1388 | @strong{-g}, @strong{--generate-keys} |
| 1363 | |
1389 | |
| 1364 | Generate public/private RSA keypair and exit. |
1390 | Generate public/private RSA keypair and exit. |
| 1365 | @refill |
1391 | @refill |
| 1366 | |
1392 | |
| 1367 | |
1393 | |
| 1368 | @item |
1394 | @item |
|
|
1395 | @strong{-q}, @strong{--quiet} |
|
|
1396 | |
|
|
1397 | Suppresses messages the author finds nonessential for scripting purposes. |
|
|
1398 | @refill |
|
|
1399 | |
|
|
1400 | |
|
|
1401 | @item |
| 1369 | @b{@strong{--help}} |
1402 | @strong{--help} |
| 1370 | |
1403 | |
| 1371 | Display short list of options. |
1404 | Display short list of options. |
| 1372 | @refill |
1405 | @refill |
| 1373 | |
1406 | |
| 1374 | |
1407 | |
| 1375 | @item |
1408 | @item |
| 1376 | @b{@strong{--kill}[@strong{=}@emph{SIGNAL}]} |
1409 | @strong{--kill}[@strong{=}@emph{SIGNAL}] |
| 1377 | |
1410 | |
| 1378 | Attempt to kill a running @t{gvpectrl} (optionally with the specified @emph{SIGNAL} instead of @t{SIGTERM}) and exit. |
1411 | Attempt to kill a running @t{gvpectrl} (optionally with the specified @emph{SIGNAL} instead of @t{SIGTERM}) and exit. |
| 1379 | @refill |
1412 | @refill |
| 1380 | |
1413 | |
| 1381 | |
1414 | |
| 1382 | @item |
1415 | @item |
| 1383 | @b{@strong{--show-config}} |
1416 | @strong{--show-config} |
| 1384 | |
1417 | |
| 1385 | Show a summary of the configuration, and how gvpe interprets it. Can also be very useful when designing firewall scripts. |
1418 | Show a summary of the configuration, and how gvpe interprets it. Can also be very useful when designing firewall scripts. |
| 1386 | @refill |
1419 | @refill |
| 1387 | |
1420 | |
| 1388 | |
1421 | |
| 1389 | @item |
1422 | @item |
| 1390 | @b{@strong{--version}} |
1423 | @strong{--version} |
| 1391 | |
1424 | |
| 1392 | Output version information and exit. |
1425 | Output version information and exit. |
| 1393 | @refill |
1426 | @refill |
| 1394 | @end itemize |
1427 | @end itemize |
| 1395 | |
1428 | |
| … | |
… | |
| 1447 | |
1480 | |
| 1448 | @itemize |
1481 | @itemize |
| 1449 | |
1482 | |
| 1450 | |
1483 | |
| 1451 | @item |
1484 | @item |
| 1452 | @b{@strong{-c}, @strong{--config=}@emph{DIR}} |
1485 | @strong{-c}, @strong{--config=}@emph{DIR} |
| 1453 | |
1486 | |
| 1454 | Read configuration options from @emph{DIR} |
1487 | Read configuration options from @emph{DIR} |
| 1455 | @refill |
1488 | @refill |
| 1456 | |
1489 | |
| 1457 | |
1490 | |
| 1458 | @item |
1491 | @item |
| 1459 | @b{@strong{-d}, @strong{--l=}@emph{LEVEL}} |
1492 | @strong{-d}, @strong{--l=}@emph{LEVEL} |
| 1460 | |
1493 | |
| 1461 | Set logging level to @emph{LEVEL} (one of: noise, trace, debug, info, notice, warn, error, critical). |
1494 | Set logging level to @emph{LEVEL} (one of: noise, trace, debug, info, notice, warn, error, critical). |
| 1462 | @refill |
1495 | @refill |
| 1463 | |
1496 | |
| 1464 | |
1497 | |
| 1465 | @item |
1498 | @item |
| 1466 | @b{@strong{--help}} |
1499 | @strong{--help} |
| 1467 | |
1500 | |
| 1468 | Display short list of options. |
1501 | Display short list of options. |
| 1469 | @refill |
1502 | @refill |
| 1470 | |
1503 | |
| 1471 | |
1504 | |
| 1472 | @item |
1505 | @item |
| 1473 | @b{@strong{-D}, @strong{--no-detach}} |
1506 | @strong{-D}, @strong{--no-detach} |
| 1474 | |
1507 | |
| 1475 | Don't fork and detach but stay in foreground and log messages to stderr in addition to syslog. |
1508 | Don't fork and detach but stay in foreground and log messages to stderr in addition to syslog. |
| 1476 | @refill |
1509 | @refill |
| 1477 | |
1510 | |
| 1478 | |
1511 | |
| 1479 | @item |
1512 | @item |
| 1480 | @b{@strong{-L}, @strong{--mlock}} |
1513 | @strong{-L}, @strong{--mlock} |
| 1481 | |
1514 | |
| 1482 | Lock @t{gvpe} into main memory. This will prevent sensitive data like shared private keys to be written to the system swap files/partitions. |
1515 | Lock @t{gvpe} into main memory. This will prevent sensitive data like shared private keys to be written to the system swap files/partitions. |
| 1483 | @refill |
1516 | @refill |
| 1484 | |
1517 | |
| 1485 | |
1518 | |
| 1486 | @item |
1519 | @item |
| 1487 | @b{@strong{--version}} |
1520 | @strong{--version} |
| 1488 | |
1521 | |
| 1489 | Output version information and exit. |
1522 | Output version information and exit. |
| 1490 | @refill |
1523 | @refill |
| 1491 | @end itemize |
1524 | @end itemize |
| 1492 | |
1525 | |
| … | |
… | |
| 1497 | |
1530 | |
| 1498 | @itemize |
1531 | @itemize |
| 1499 | |
1532 | |
| 1500 | |
1533 | |
| 1501 | @item |
1534 | @item |
| 1502 | @b{HUP} |
1535 | HUP |
| 1503 | |
1536 | |
| 1504 | Closes/resets all connections, resets the retry time and will start connecting again (it will NOT re-read the config file). This is useful e.g. in a @t{/etc/ppp/if-up} script. |
1537 | Closes/resets all connections, resets the retry time and will start connecting again (it will NOT re-read the config file). This is useful e.g. in a @t{/etc/ppp/if-up} script. |
| 1505 | @refill |
1538 | @refill |
| 1506 | |
1539 | |
| 1507 | |
1540 | |
| 1508 | @item |
1541 | @item |
| 1509 | @b{TERM} |
1542 | TERM |
| 1510 | |
1543 | |
| 1511 | Closes/resets all connections and exits. |
1544 | Closes/resets all connections and exits. |
| 1512 | @refill |
1545 | @refill |
| 1513 | |
1546 | |
| 1514 | |
1547 | |
| 1515 | @item |
1548 | @item |
| 1516 | @b{USR1} |
1549 | USR1 |
| 1517 | |
1550 | |
| 1518 | Dump current network status into the syslog (at loglevel @t{notice}, so make sure your loglevel allows this). |
1551 | Dump current network status into the syslog (at loglevel @t{notice}, so make sure your loglevel allows this). |
| 1519 | @refill |
1552 | @refill |
| 1520 | @end itemize |
1553 | @end itemize |
| 1521 | |
1554 | |
| … | |
… | |
| 1526 | |
1559 | |
| 1527 | @itemize |
1560 | @itemize |
| 1528 | |
1561 | |
| 1529 | |
1562 | |
| 1530 | @item |
1563 | @item |
| 1531 | @b{@t{/etc/gvpe/gvpe.conf}} |
1564 | @t{/etc/gvpe/gvpe.conf} |
| 1532 | |
1565 | |
| 1533 | The configuration file for @t{gvpe}. |
1566 | The configuration file for @t{gvpe}. |
| 1534 | @refill |
1567 | @refill |
| 1535 | |
1568 | |
| 1536 | |
1569 | |
| 1537 | @item |
1570 | @item |
| 1538 | @b{@t{/etc/gvpe/if-up}} |
1571 | @t{/etc/gvpe/if-up} |
| 1539 | |
1572 | |
| 1540 | Script which is executed as soon as the virtual network device has been allocated. Purpose is to further configure that device. |
1573 | Script which is executed as soon as the virtual network device has been allocated. Purpose is to further configure that device. |
| 1541 | @refill |
1574 | @refill |
| 1542 | |
1575 | |
| 1543 | |
1576 | |
| 1544 | @item |
1577 | @item |
| 1545 | @b{@t{/etc/gvpe/node-up}} |
1578 | @t{/etc/gvpe/node-up} |
| 1546 | |
1579 | |
| 1547 | Script which is executed whenever a node connects to this node. This can be used for example to run nsupdate. |
1580 | Script which is executed whenever a node connects to this node. This can be used for example to run nsupdate. |
| 1548 | @refill |
1581 | @refill |
| 1549 | |
1582 | |
| 1550 | |
1583 | |
| 1551 | @item |
1584 | @item |
| 1552 | @b{@t{/etc/gvpe/node-down}} |
1585 | @t{/etc/gvpe/node-down} |
| 1553 | |
1586 | |
| 1554 | Script which is executed whenever a connection to another node is lost. for example to run nsupdate. |
1587 | Script which is executed whenever a connection to another node is lost. for example to run nsupdate. |
| 1555 | @refill |
1588 | @refill |
| 1556 | |
1589 | |
| 1557 | |
1590 | |
| 1558 | @item |
1591 | @item |
| 1559 | @b{@t{/etc/gvpe/pubkey/*}} |
1592 | @t{/etc/gvpe/pubkey/*} |
| 1560 | |
1593 | |
| 1561 | The directory containing the public keys for every node, usually autogenerated by executing @t{gvpectrl --generate-keys}. |
1594 | The directory containing the public keys for every node, usually autogenerated by executing @t{gvpectrl --generate-keys}. |
| 1562 | @refill |
1595 | @refill |
| 1563 | |
1596 | |
| 1564 | |
1597 | |
| 1565 | @item |
1598 | @item |
| 1566 | @b{@t{/var/run/gvpe.pid}} |
1599 | @t{/var/run/gvpe.pid} |
| 1567 | |
1600 | |
| 1568 | The PID of the currently running @t{gvpe} is stored in this file. |
1601 | The PID of the currently running @t{gvpe} is stored in this file. |
| 1569 | @refill |
1602 | @refill |
| 1570 | @end itemize |
1603 | @end itemize |
| 1571 | |
1604 | |
| … | |
… | |
| 1592 | The first part of this document describes the transport protocols which are used by GVPE to send it's data packets over the network. |
1625 | The first part of this document describes the transport protocols which are used by GVPE to send it's data packets over the network. |
| 1593 | @refill |
1626 | @refill |
| 1594 | |
1627 | |
| 1595 | |
1628 | |
| 1596 | @section PART 1: Transport protocols |
1629 | @section PART 1: Transport protocols |
| 1597 | GVPE offers a range of transport protocols that can be used to interchange data between nodes. Protocols differ in their overhead, speed, reliability, and robustness. |
1630 | GVPE offers a wide range of transport protocols that can be used to interchange data between nodes. Protocols differ in their overhead, speed, reliability, and robustness. |
| 1598 | @refill |
1631 | @refill |
| 1599 | The following sections describe each transport protocol in more detail. They are sorted by overhead/efficiency, the most efficient transport is listed first: |
1632 | The following sections describe each transport protocol in more detail. They are sorted by overhead/efficiency, the most efficient transport is listed first: |
| 1600 | @refill |
1633 | @refill |
| 1601 | |
1634 | |
| 1602 | |
1635 | |
| … | |
… | |
| 1608 | Using raw ip frames has the drawback that many firewalls block "unknown" protocols, so this transport only works if you have full IP connectivity between nodes. |
1641 | Using raw ip frames has the drawback that many firewalls block "unknown" protocols, so this transport only works if you have full IP connectivity between nodes. |
| 1609 | @refill |
1642 | @refill |
| 1610 | |
1643 | |
| 1611 | |
1644 | |
| 1612 | @subsection ICMP |
1645 | @subsection ICMP |
| 1613 | This protocol offers very low overhead (minimum 42 bytes), and can sometimes tunnel through firewalls when other protocols cannot. |
1646 | This protocol offers very low overhead (minimum 42 bytes), and can sometimes tunnel through firewalls when other protocols can not. |
| 1614 | @refill |
1647 | @refill |
| 1615 | It works by prepending a ICMP header with type @t{icmp-type} and a code of @t{255}. The default @t{icmp-type} is @t{echo-reply}, so the resulting packets look like echo replies, which looks rather strange to network admins. |
1648 | It works by prepending an ICMP header with type @t{icmp-type} and a code of @t{255}. The default @t{icmp-type} is @t{echo-reply}, so the resulting packets look like echo replies, which looks rather strange to network admins. |
| 1616 | @refill |
1649 | @refill |
| 1617 | This transport should only be used if other transports (i.e. raw ip) are not available or undesirable (due to their overhead). |
1650 | This transport should only be used if other transports (i.e. raw ip) are not available or undesirable (due to their overhead). |
| 1618 | @refill |
1651 | @refill |
| 1619 | |
1652 | |
| 1620 | |
1653 | |
| … | |
… | |
| 1630 | @refill |
1663 | @refill |
| 1631 | It's only useful when tunneling through firewalls that block better protocols. If a node doesn't have direct internet access but a HTTP proxy that supports the CONNECT method it can be used to tunnel through a web proxy. For this to work, the @t{tcp-port} should be @t{443} (@t{https}), as most proxies do not allow connections to other ports. |
1664 | It's only useful when tunneling through firewalls that block better protocols. If a node doesn't have direct internet access but a HTTP proxy that supports the CONNECT method it can be used to tunnel through a web proxy. For this to work, the @t{tcp-port} should be @t{443} (@t{https}), as most proxies do not allow connections to other ports. |
| 1632 | @refill |
1665 | @refill |
| 1633 | It is an abuse of the usage a proxy was designed for, so make sure you are allowed to use it for GVPE. |
1666 | It is an abuse of the usage a proxy was designed for, so make sure you are allowed to use it for GVPE. |
| 1634 | @refill |
1667 | @refill |
| 1635 | This protocol also has server and client sides. If the @t{tcp-port} is set to zero, other nodes cannot connect to this node directly (and @t{tcp-port} zero cannot be used). If the @t{tcp-port} is non-zero, the node can act both as a client as well as a server. |
1668 | This protocol also has server and client sides. If the @t{tcp-port} is set to zero, other nodes cannot connect to this node directly. If the @t{tcp-port} is non-zero, the node can act both as a client as well as a server. |
| 1636 | @refill |
1669 | @refill |
| 1637 | |
1670 | |
| 1638 | |
1671 | |
| 1639 | @subsection DNS |
1672 | @subsection DNS |
| 1640 | @strong{WARNING:} Parsing and generating DNS packets is rather tricky. The code almost certainly contains buffer overflows and other, likely exploitable, bugs. You have been warned. |
1673 | @strong{WARNING:} Parsing and generating DNS packets is rather tricky. The code almost certainly contains buffer overflows and other, likely exploitable, bugs. You have been warned. |
| 1641 | @refill |
1674 | @refill |
| 1642 | This is the worst choice of transport protocol with respect to overhead (overhead can be 2-3 times higher than the transferred data), and latency (which can be many seconds). Some DNS servers might not be prepared to handle the traffic and drop or corrupt packets. The client also has to constantly poll the server for data, so the client will constantly create traffic even if it doesn't need to transport packets. |
1675 | This is the worst choice of transport protocol with respect to overhead (overhead can be 2-3 times higher than the transferred data), and latency (which can be many seconds). Some DNS servers might not be prepared to handle the traffic and drop or corrupt packets. The client also has to constantly poll the server for data, so the client will constantly create traffic even if it doesn't need to transport packets. |
| 1643 | @refill |
1676 | @refill |
| 1644 | In addition, the same problems as the TCP transport also plague this protocol. |
1677 | In addition, the same problems as the TCP transport also plague this protocol. |
| 1645 | @refill |
1678 | @refill |
| 1646 | Most configuration needs to be done by editing @t{src/vpn_dns.C} directly. |
|
|
| 1647 | @refill |
|
|
| 1648 | It's only use is to tunnel through firewalls that do not allow direct internet access. Similar to using a HTTP proxy (as the TCP transport does), it uses a local DNS server/forwarder (given by the @t{dns-forw-host} configuration value) as a proxy to send and receive data as a client, and a @t{NS} record pointing to the GVPE server (as given by the @t{dns-hostname} directive). |
1679 | It's only use is to tunnel through firewalls that do not allow direct internet access. Similar to using a HTTP proxy (as the TCP transport does), it uses a local DNS server/forwarder (given by the @t{dns-forw-host} configuration value) as a proxy to send and receive data as a client, and an @t{NS} record pointing to the GVPE server (as given by the @t{dns-hostname} directive). |
| 1649 | @refill |
1680 | @refill |
| 1650 | The only good side of this protocol is that it can tunnel through most firewalls undetected, iff the local DNS server/forwarder is sane (which is true for most routers, wlan gateways and nameservers). |
1681 | The only good side of this protocol is that it can tunnel through most firewalls mostly undetected, iff the local DNS server/forwarder is sane (which is true for most routers, WLAN gateways and nameservers). |
|
|
1682 | @refill |
|
|
1683 | Finetuning needs to be done by editing @t{src/vpn_dns.C} directly. |
| 1651 | @refill |
1684 | @refill |
| 1652 | |
1685 | |
| 1653 | |
1686 | |
| 1654 | @section PART 2: The GNU VPE protocol |
1687 | @section PART 2: The GNU VPE protocol |
| 1655 | This section, unfortunately, is not yet finished, although the protocol is stable (until bugs in the cryptography are found, which will likely completely change the following description). Nevertheless, it should give you some overview over the protocol. |
1688 | This section, unfortunately, is not yet finished, although the protocol is stable (until bugs in the cryptography are found, which will likely completely change the following description). Nevertheless, it should give you some overview over the protocol. |
| … | |
… | |
| 1669 | |
1702 | |
| 1670 | The HMAC field is present in all packets, even if not used (e.g. in auth request packets), in which case it is set to all zeroes. The checksum itself is calculated over the TYPE, SRCDST and DATA fields in all cases. |
1703 | The HMAC field is present in all packets, even if not used (e.g. in auth request packets), in which case it is set to all zeroes. The checksum itself is calculated over the TYPE, SRCDST and DATA fields in all cases. |
| 1671 | @refill |
1704 | @refill |
| 1672 | The TYPE field is a single byte and determines the purpose of the packet (e.g. RESET, COMPRESSED/UNCOMPRESSED DATA, PING, AUTH REQUEST/RESPONSE, CONNECT REQUEST/INFO etc.). |
1705 | The TYPE field is a single byte and determines the purpose of the packet (e.g. RESET, COMPRESSED/UNCOMPRESSED DATA, PING, AUTH REQUEST/RESPONSE, CONNECT REQUEST/INFO etc.). |
| 1673 | @refill |
1706 | @refill |
| 1674 | SRCDST is a three byte field which contains the source and destination node ids (12 bits each). The protocol does not yet scale well beyond 30+ hosts, since all hosts must connect to each other once on startup. But if restarts are rare or tolerable and most connections are on demand, much larger networks are feasible. |
1707 | SRCDST is a three byte field which contains the source and destination node IDs (12 bits each). |
| 1675 | @refill |
1708 | @refill |
| 1676 | The DATA portion differs between each packet type, naturally, and is the only part that can be encrypted. Data packets contain more fields, as shown: |
1709 | The DATA portion differs between each packet type, naturally, and is the only part that can be encrypted. Data packets contain more fields, as shown: |
| 1677 | @refill |
1710 | @refill |
| 1678 | |
1711 | |
| 1679 | |
1712 | |
| … | |
… | |
| 1683 | +------+------+--------+------+-------+------+ |
1716 | +------+------+--------+------+-------+------+ |
| 1684 | @end example |
1717 | @end example |
| 1685 | |
1718 | |
| 1686 | RAND is a sequence of fully random bytes, used to increase the entropy of the data for encryption purposes. |
1719 | RAND is a sequence of fully random bytes, used to increase the entropy of the data for encryption purposes. |
| 1687 | @refill |
1720 | @refill |
| 1688 | SEQNO is a 32-bit sequence number. It is negotiated at every connection initialization and starts at some random 31 bit value. VPE currently uses a sliding window of 512 packets/sequence numbers to detect reordering, duplication and reply attacks. |
1721 | SEQNO is a 32-bit sequence number. It is negotiated at every connection initialization and starts at some random 31 bit value. VPE currently uses a sliding window of 512 packets/sequence numbers to detect reordering, duplication and replay attacks. |
| 1689 | @refill |
1722 | @refill |
| 1690 | |
1723 | |
| 1691 | |
1724 | |
| 1692 | @subsection The authentification protocol |
1725 | @subsection The authentication protocol |
| 1693 | Before hosts can exchange packets, they need to establish authenticity of the other side and a key. Every host has a private RSA key and the public RSA keys of all other hosts. |
1726 | Before hosts can exchange packets, they need to establish authenticity of the other side and a key. Every host has a private RSA key and the public RSA keys of all other hosts. |
| 1694 | @refill |
1727 | @refill |
| 1695 | A host establishes a simplex connection by sending the other host a RSA encrypted challenge containing a random challenge (consisting of the encryption key to use when sending packets, more random data and PKCS1_OAEP padding) and a random 16 byte "challenge-id" (used to detect duplicate auth packets). The destination host will respond by replying with an (unencrypted) RIPEMD160 hash of the decrypted challenge, which will authentify that host. The destination host will also set the outgoing encryption parameters as given in the packet. |
1728 | A host establishes a simplex connection by sending the other host an RSA encrypted challenge containing a random challenge (consisting of the encryption key to use when sending packets, more random data and PKCS1_OAEP padding) and a random 16 byte "challenge-id" (used to detect duplicate auth packets). The destination host will respond by replying with an (unencrypted) RIPEMD160 hash of the decrypted challenge, which will authenticate that host. The destination host will also set the outgoing encryption parameters as given in the packet. |
| 1696 | @refill |
1729 | @refill |
| 1697 | When the source host receives a correct auth reply (by verifying the hash and the id, which will expire after 120 seconds), it will start to accept data packets from the destination host. |
1730 | When the source host receives a correct auth reply (by verifying the hash and the id, which will expire after 120 seconds), it will start to accept data packets from the destination host. |
| 1698 | @refill |
1731 | @refill |
| 1699 | This means that a host can only initate a simplex connection, telling the other side the key it has to use when it sends packets. The challenge reply is only used to set the current IP address of the other side and protocol parameters. |
1732 | This means that a host can only initate a simplex connection, telling the other side the key it has to use when it sends packets. The challenge reply is only used to set the current IP address of the other side and protocol parameters. |
| 1700 | @refill |
1733 | @refill |
| 1701 | This protocol is completely symmetric, so to be able to send packets the destination host must send a challenge in the exact same way as already described (so, in essence, two simplex connections are created per host pair). |
1734 | This protocol is completely symmetric, so to be able to send packets the destination host must send a challenge in the exact same way as already described (so, in essence, two simplex connections are created per host pair). |
| 1702 | @refill |
1735 | @refill |
| 1703 | |
1736 | |
| 1704 | |
1737 | |
| 1705 | @subsection Retrying |
1738 | @subsection Retrying |
| 1706 | When there is no response to an auth request, the host will send auth requests in bursts with an exponential backoff. After some time it will resort to PING packets, which are very small (8 bytes) and lightweight (no RSA operations required). A host that receives ping requests from an unconnected peer will respond by trying to create a connection. |
1739 | When there is no response to an auth request, the host will send auth requests in bursts with an exponential backoff. After some time it will resort to PING packets, which are very small (8 bytes + protocol header) and lightweight (no RSA operations required). A host that receives ping requests from an unconnected peer will respond by trying to create a connection. |
| 1707 | @refill |
1740 | @refill |
| 1708 | In addition to the exponential backoff, there is a global rate-limit on a per-IP base. It allows long bursts but will limit total packet rate to something like one control packet every ten seconds, to avoid accidental floods due to protocol problems (like a RSA key file mismatch between two hosts). |
1741 | In addition to the exponential backoff, there is a global rate-limit on a per-IP base. It allows long bursts but will limit total packet rate to something like one control packet every ten seconds, to avoid accidental floods due to protocol problems (like a RSA key file mismatch between two hosts). |
| 1709 | @refill |
1742 | @refill |
|
|
1743 | The intervals between retries are limited by the @t{max-retry} configuration value. A node with @t{connect} = @t{always} will always retry, a node with @t{connect} = @t{ondemand} will only try (and re-try) to connect as long as there are packets in the queue, usually this limits the retry period to @t{max-ttl} seconds. |
|
|
1744 | @refill |
|
|
1745 | Sending packets over the VPN will reset the retry intervals as well, which means as long as somebody is trying to send packets to a given node, GVPE will try to connect every few seconds. |
|
|
1746 | @refill |
| 1710 | |
1747 | |
| 1711 | |
1748 | |
| 1712 | @subsection Routing and Protocol translation |
1749 | @subsection Routing and Protocol translation |
| 1713 | The gvpe routing algorithm is easy: there isn't any routing. GVPE always tries to establish direct connections, if the protocol abilities of the two hosts allow it. |
1750 | The GVPE routing algorithm is easy: there isn't much routing to speak of: When routing packets to another node, GVPE trues the following options, in order: |
| 1714 | @refill |
1751 | @refill |
| 1715 | If the two hosts should be able to reach each other (common protocol, ip and port all known), but cannot (network down), then there will be no connection, point. |
1752 | |
| 1716 | @refill |
1753 | |
|
|
1754 | @itemize |
|
|
1755 | |
|
|
1756 | |
|
|
1757 | @item |
|
|
1758 | If the two hosts should be able to reach each other directly (common protocol, port known), then GVPE will send the packet directly to the other node. |
|
|
1759 | |
|
|
1760 | |
|
|
1761 | |
|
|
1762 | @item |
|
|
1763 | If this isn't possible (e.g. because the node doesn't have a @t{hostname} or known port), but the nodes speak a common protocol and a router is available, then GVPE will ask a router to "mediate" between both nodes (see below). |
|
|
1764 | |
|
|
1765 | |
|
|
1766 | |
|
|
1767 | @item |
|
|
1768 | If a direct connection isn't possible (no common protocols) or forbidden (@t{deny-direct}) and there are any routers, then GVPE will try to send packets to the router with the highest priority that is connected already @emph{and} is able (as specified by the config file) to connect directly to the target node. |
|
|
1769 | |
|
|
1770 | |
|
|
1771 | |
|
|
1772 | @item |
|
|
1773 | If no such router exists, then GVPE will simply send the packet to the node with the highest priority available. |
|
|
1774 | |
|
|
1775 | |
|
|
1776 | |
|
|
1777 | @item |
|
|
1778 | Failing all that, the packet will be dropped. |
|
|
1779 | |
|
|
1780 | @end itemize |
|
|
1781 | |
| 1717 | A host can usually declare itself unreachable directly by setting it's port number(s) to zero. It can declare other hosts as unreachable by using a config-file that disables all protocols for these other hosts. |
1782 | A host can usually declare itself unreachable directly by setting it's port number(s) to zero. It can declare other hosts as unreachable by using a config-file that disables all protocols for these other hosts. Another option is to disable all protocols on that host in the other config files. |
| 1718 | @refill |
1783 | @refill |
| 1719 | If two hosts cannot connect to each other because their IP address(es) are not known (such as dialup hosts), one side will send a connection request to a router (routers must be configured to act as routers!), which will send both the originating and the destination host a connection info request with protocol information and IP address of the other host (if known). Both hosts will then try to establish a connection to the other peer, which is usually possible even when both hosts are behind a NAT gateway. |
1784 | If two hosts cannot connect to each other because their IP address(es) are not known (such as dialup hosts), one side will send a @emph{mediated} connection request to a router (routers must be configured to act as routers!), which will send both the originating and the destination host a connection info request with protocol information and IP address of the other host (if known). Both hosts will then try to establish a direct connection to the other peer, which is usually possible even when both hosts are behind a NAT gateway. |
| 1720 | @refill |
1785 | @refill |
| 1721 | If the hosts cannot reach each other because they have no common protocol, the originator instead use the router with highest priority and matching protocol as peer. Since the SRCDST field is not encrypted, the router host can just forward the packet to the destination host. Since each host uses it's own private key, the router will not be able to decrypt or encrypt packets, it will just act as a simple router and protocol translator. |
1786 | Routing via other nodes works because the SRCDST field is not encrypted, so the router can just forward the packet to the destination host. Since each host uses it's own private key, the router will not be able to decrypt or encrypt packets, it will just act as a simple router and protocol translator. |
| 1722 | @refill |
|
|
| 1723 | When no router is connected, the host will aggressively try to connect to all routers, and if a router is asked for an unconnected host it will try to ask another router to establish the connection. |
|
|
| 1724 | @refill |
|
|
| 1725 | ... more not yet written about the details of the routing, please bug me ... |
|
|
| 1726 | @refill |
1787 | @refill |
| 1727 | |
1788 | |
| 1728 | |
1789 | |
| 1729 | |
1790 | |
| 1730 | @node Simple Example,Complex Example,gvpe.protocol,Top |
1791 | @node Simple Example,Complex Example,gvpe.protocol,Top |
