… | |
… | |
127 | .\} |
127 | .\} |
128 | .rm #[ #] #H #V #F C |
128 | .rm #[ #] #H #V #F C |
129 | .\" ======================================================================== |
129 | .\" ======================================================================== |
130 | .\" |
130 | .\" |
131 | .IX Title "VPE 8" |
131 | .IX Title "VPE 8" |
132 | .TH VPE 8 "2003-03-23" "0.1" "Virtual Private Ethernet" |
132 | .TH VPE 8 "2003-03-24" "0.1" "Virtual Private Ethernet" |
133 | .SH "NAME" |
133 | .SH "NAME" |
134 | vpe \- Overview of the virtual private ethernet suite. |
134 | vpe \- Overview of the virtual private ethernet suite. |
135 | .SH "DESCRIPTION" |
135 | .SH "DESCRIPTION" |
136 | .IX Header "DESCRIPTION" |
136 | .IX Header "DESCRIPTION" |
137 | Vpe is a suite designed to provide a virtual private network for multiple |
137 | Vpe is a suite designed to provide a virtual private network for multiple |
… | |
… | |
165 | address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in |
165 | address, e.g. to ensure that packets from a specific \s-1IP\s0 address come, in |
166 | fact, from a specific host. |
166 | fact, from a specific host. |
167 | .SH "PROGRAMS" |
167 | .SH "PROGRAMS" |
168 | .IX Header "PROGRAMS" |
168 | .IX Header "PROGRAMS" |
169 | Vpe comes with two programs: one daemon (\f(CW\*(C`vped\*(C'\fR) and one control program |
169 | Vpe comes with two programs: one daemon (\f(CW\*(C`vped\*(C'\fR) and one control program |
170 | \&\f(CW\*(C`vpectrl\*(C'\fR). |
170 | (\f(CW\*(C`vpectrl\*(C'\fR). |
171 | .IP "vpectrl" 4 |
171 | .IP "vpectrl" 4 |
172 | .IX Item "vpectrl" |
172 | .IX Item "vpectrl" |
173 | Is used to generate the keys and give an overview of the configuration. |
173 | Is used to generate the keys, check and give an overview of of the |
|
|
174 | configuration and contorl the daemon (restarting etc.). |
174 | .IP "vped" 4 |
175 | .IP "vped" 4 |
175 | .IX Item "vped" |
176 | .IX Item "vped" |
176 | Is the daemon used to establish and maintain conenctions to the other |
177 | Is the daemon used to establish and maintain conenctions to the other |
177 | network members. It should be run on the gateway machine. |
178 | network members. It should be run on the gateway machine. |
178 | .SH "CONFIGURING VPE" |
179 | .SH "COMPILETIME CONFIGURATION" |
179 | .IX Header "CONFIGURING VPE" |
180 | .IX Header "COMPILETIME CONFIGURATION" |
180 | Here are a few recipes for configuring your vpe: |
181 | Here are a few recipes for compiling your vpe: |
181 | .Sh "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" |
182 | .Sh "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" |
182 | .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" |
183 | .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" |
183 | .Vb 1 |
184 | .Vb 1 |
184 | \& ./configure --enable-hmac-length=4 --enable-rand-length=0 |
185 | \& ./configure --enable-hmac-length=4 --enable-rand-length=0 |
185 | .Ve |
186 | .Ve |
186 | .PP |
187 | .PP |
187 | Minimize the header overhead of \s-1VPN\s0 packets. |
188 | Minimize the header overhead of \s-1VPN\s0 packets (the above will result in only |
|
|
189 | 4 bytes of overhead over the raw ethernet frame). |
188 | .Sh "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" |
190 | .Sh "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" |
189 | .IX Subsection "MINIMIZE CPU TIME REQUIRED" |
191 | .IX Subsection "MINIMIZE CPU TIME REQUIRED" |
190 | .Vb 1 |
192 | .Vb 1 |
191 | \& ./configure --enable-cipher=bf --enable-digest=md4 |
193 | \& ./configure --enable-cipher=bf --enable-digest=md4 |
192 | .Ve |
194 | .Ve |
193 | .PP |
195 | .PP |
194 | Use the fastest cipher and digest algorithms. |
196 | Use the fastest cipher and digest algorithms currently available in vpe. |
195 | .Sh "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" |
197 | .Sh "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" |
196 | .IX Subsection "MAXIMIZE SECURITY" |
198 | .IX Subsection "MAXIMIZE SECURITY" |
197 | .Vb 1 |
199 | .Vb 1 |
198 | \& ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
200 | \& ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
199 | .Ve |
201 | .Ve |
|
|
202 | .PP |
|
|
203 | This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12 |
|
|
204 | would also be pretty secure ;) and will additionally prefix each packet |
|
|
205 | with 8 bytes of random data. |
200 | .PP |
206 | .PP |
201 | In general, remember that \s-1AES\-128\s0 seems to be more secure and faster than |
207 | In general, remember that \s-1AES\-128\s0 seems to be more secure and faster than |
202 | \&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness and longer hmac is more secure, \s-1MD4\s0 is |
208 | \&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness helps against sniffing and a longer |
203 | a fast digest, \s-1SHA1\s0 or \s-1RIPEMD160\s0 are better, and Blowfish is a fast and |
209 | \&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1\s0 or \s-1RIPEMD160\s0 are |
204 | so-far quite secure cipher. |
210 | better, and Blowfish is a fast cipher (and also quite secure). |
205 | .SH "HOW TO SET UP A SIMPLE VPN" |
211 | .SH "HOW TO SET UP A SIMPLE VPN" |
206 | .IX Header "HOW TO SET UP A SIMPLE VPN" |
212 | .IX Header "HOW TO SET UP A SIMPLE VPN" |
207 | In this section I will describe how to get a simple \s-1VPN\s0 consisting of |
213 | In this section I will describe how to get a simple \s-1VPN\s0 consisting of |
208 | three hosts up and running. |
214 | three hosts up and running. |
209 | .Sh "\s-1STEP\s0 1: configuration" |
215 | .Sh "\s-1STEP\s0 1: configuration" |
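Review bot: the reworded vpectrl description introduces two typos that will ship in the rendered page, "overview of of the" and "contorl the daemon"; make it "check and give an overview of the configuration, and control the daemon (restarting etc.)". The unchanged "conenctions" in the vped item two lines further down is also misspelled. On substance, the rewritten closing paragraph still says AES-128 "seems to be more secure and faster than AES-192 or AES-256"; faster is plausible, but nothing on the page supports "more secure", so either give the reasoning or drop that half of the claim. The MINIMIZE CPU TIME recipe (--enable-cipher=bf --enable-digest=md4) should carry the caveat this paragraph already states (SHA1 or RIPEMD160 are better), since a reader copying the recipe will not see it; likewise the AS LOW PACKET OVERHEAD recipe (--enable-hmac-length=4 --enable-rand-length=0), now advertised as "only 4 bytes of overhead over the raw ethernet frame", should say that it truncates the authenticator to 32 bits and removes the random prefix, i.e. it gives up exactly the spoofing and sniffing protection the same paragraph attributes to a longer HMAC and more randomness. Finally, "(I guess 8-12 would also be pretty secure ;)" in MAXIMIZE SECURITY reads as a guess in a reference page; either state the recommended minimum plainly or leave it out.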
… | |
… | |
213 | configured vpe, and can be overwritten using the \f(CW\*(C`\-c\*(C'\fR commandline switch. |
219 | configured vpe, and can be overwritten using the \f(CW\*(C`\-c\*(C'\fR commandline switch. |
214 | .PP |
220 | .PP |
215 | Put the following lines into \f(CW\*(C`/etc/vpe/vped.conf\*(C'\fR: |
221 | Put the following lines into \f(CW\*(C`/etc/vpe/vped.conf\*(C'\fR: |
216 | .PP |
222 | .PP |
217 | .Vb 3 |
223 | .Vb 3 |
218 | \& udp-port = 50000 # the external port to listen on (configure your firewall) |
224 | \& udp-port = 50000 # the external port to listen on (configure your firewall) |
219 | \& mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts |
225 | \& mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts |
220 | \& ifname = vpn0 # the local network device name |
226 | \& ifname = vpn0 # the local network device name |
221 | .Ve |
227 | .Ve |
222 | .PP |
228 | .PP |
223 | .Vb 2 |
229 | .Vb 2 |
224 | \& node = first # just a nickname |
230 | \& node = first # just a nickname |
225 | \& hostname = first.example.net # the DNS name or IP address of the host |
231 | \& hostname = first.example.net # the DNS name or IP address of the host |
226 | .Ve |
232 | .Ve |
227 | .PP |
233 | .PP |
228 | .Vb 2 |
234 | .Vb 2 |
229 | \& node = second |
235 | \& node = second |
230 | \& hostname = 133.55.82.9 |
236 | \& hostname = 133.55.82.9 |
231 | .Ve |
237 | .Ve |
232 | .PP |
238 | .PP |
233 | .Vb 2 |
239 | .Vb 2 |
234 | \& node = third |
240 | \& node = third |
235 | \& hostname = third.example.net |
241 | \& hostname = third.example.net |
236 | .Ve |
242 | .Ve |
237 | .PP |
243 | .PP |
238 | The only other file neccessary if the \f(CW\*(C`if\-up\*(C'\fR script that initializes the |
244 | The only other file neccessary if the \f(CW\*(C`if\-up\*(C'\fR script that initializes the |
239 | local ethernet interface. Put the following lines into \f(CW\*(C`/etc/vpe/if\-up\*(C'\fR |
245 | local ethernet interface. Put the following lines into \f(CW\*(C`/etc/vpe/if\-up\*(C'\fR |
240 | and make it execute (\f(CW\*(C`chmod 755 /etc/vpe/if\-up\*(C'\fR): |
246 | and make it execute (\f(CW\*(C`chmod 755 /etc/vpe/if\-up\*(C'\fR): |
241 | .PP |
247 | .PP |
242 | .Vb 6 |
248 | .Vb 6 |
243 | \& #!/bin/sh |
249 | \& #!/bin/sh |
244 | \& ip link set $IFNAME address $MAC mtu $MTU up |
250 | \& ip link set $IFNAME address $MAC mtu $MTU up |
245 | \& [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME |
251 | \& [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME |
246 | \& [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME |
252 | \& [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME |
247 | \& [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME |
253 | \& [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME |
248 | \& ip route add 10.0.0.0/16 dev $IFNAME |
254 | \& ip route add 10.0.0.0/16 dev $IFNAME |
249 | .Ve |
255 | .Ve |
250 | .PP |
256 | .PP |
251 | This script will give each node a different \s-1IP\s0 address in the \f(CW\*(C`10.0/16\*(C'\fR |
257 | This script will give each node a different \s-1IP\s0 address in the \f(CW\*(C`10.0/16\*(C'\fR |
252 | network. The internal network (e.g. the \f(CW\*(C`eth0\*(C'\fR interface) should then be |
258 | network. The internal network (e.g. the \f(CW\*(C`eth0\*(C'\fR interface) should then be |
253 | set to a subset of that network, e.g. \f(CW\*(C`10.0.1.0/24\*(C'\fR on node \f(CW\*(C`first\*(C'\fR, |
259 | set to a subset of that network, e.g. \f(CW\*(C`10.0.1.0/24\*(C'\fR on node \f(CW\*(C`first\*(C'\fR, |
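Review bot: the relation between `mtu = 1400` in vped.conf and the $MTU that the if-up script applies with `ip link set $IFNAME address $MAC mtu $MTU up` is not stated anywhere in this region; the comment "minimum MTU of all outgoing interfaces on all hosts" describes the outer path, so a reader cannot tell whether $MTU is that value or that value minus the UDP and HMAC/random-prefix overhead described in the compile-time section, and hence whether they must choose 1400 rather than 1500 themselves. One sentence after the script settles it. Two smaller points in the unchanged context: "neccessary if the" should read "necessary is the", and the `[ $NODENAME = first ]` tests are safer shown with "$NODENAME" quoted.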
… | |
… | |
261 | .IX Subsection "STEP 2: create the RSA key pairs for all hosts" |
267 | .IX Subsection "STEP 2: create the RSA key pairs for all hosts" |
262 | Run the following command to generate all key pairs (that might take a |
268 | Run the following command to generate all key pairs (that might take a |
263 | while): |
269 | while): |
264 | .PP |
270 | .PP |
265 | .Vb 1 |
271 | .Vb 1 |
266 | \& vpectrl -c /etc/vpe -g |
272 | \& vpectrl -c /etc/vpe -g |
267 | .Ve |
273 | .Ve |
268 | .PP |
274 | .PP |
269 | This command will put the public keys into \f(CW\*(C`/etc/vpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/vpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. |
275 | This command will put the public keys into \f(CW\*(C`/etc/vpe/pubkeys/\f(CInodename\f(CW\*(C'\fR and the private keys into \f(CW\*(C`/etc/vpe/hostkeys/\f(CInodename\f(CW\*(C'\fR. |
270 | .Sh "\s-1STEP\s0 3: distribute the config files to all nodes" |
276 | .Sh "\s-1STEP\s0 3: distribute the config files to all nodes" |
271 | .IX Subsection "STEP 3: distribute the config files to all nodes" |
277 | .IX Subsection "STEP 3: distribute the config files to all nodes" |
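Review bot: after `vpectrl -c /etc/vpe -g` the host that ran it holds every node's private key under /etc/vpe/hostkeys/, and although STEP 3 says private keys should not be distributed, nothing tells the reader to delete the other nodes' hostkeys from the generating host once they have been copied (or, alternatively, to generate each key on the node that will use it). Add that sentence here or in STEP 3, and note that the hostkeys directory should be readable by root only.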
… | |
… | |
273 | private keys should not be distributed. The example uses rsync-over-ssh |
279 | private keys should not be distributed. The example uses rsync-over-ssh |
274 | .PP |
280 | .PP |
275 | First all the config files without the hostkeys should be distributed: |
281 | First all the config files without the hostkeys should be distributed: |
276 | .PP |
282 | .PP |
277 | .Vb 3 |
283 | .Vb 3 |
278 | \& rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys |
284 | \& rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys |
279 | \& rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys |
285 | \& rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys |
280 | \& rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys |
286 | \& rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys |
281 | .Ve |
287 | .Ve |
282 | .PP |
288 | .PP |
283 | Then the hostkeys should be copied: |
289 | Then the hostkeys should be copied: |
284 | .PP |
290 | .PP |
285 | .Vb 3 |
291 | .Vb 3 |
286 | \& rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey |
292 | \& rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey |
287 | \& rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey |
293 | \& rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey |
288 | \& rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey |
294 | \& rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey |
289 | .Ve |
295 | .Ve |
290 | .PP |
296 | .PP |
291 | You should now check the configration by issuing the command \f(CW\*(C`vpectrl \-c |
297 | You should now check the configration by issuing the command \f(CW\*(C`vpectrl \-c |
292 | /etc/vpe \-s\*(C'\fR on each node and verify it's output. |
298 | /etc/vpe \-s\*(C'\fR on each node and verify it's output. |
293 | .Sh "\s-1STEP\s0 4: starting vped" |
299 | .Sh "\s-1STEP\s0 4: starting vped" |
294 | .IX Subsection "STEP 4: starting vped" |
300 | .IX Subsection "STEP 4: starting vped" |
295 | You should then start vped on each node by issuing a command like: |
301 | You should then start vped on each node by issuing a command like: |
296 | .PP |
302 | .PP |
297 | .Vb 1 |
303 | .Vb 1 |
298 | \& vped -D -linfo first # first is the nodename |
304 | \& vped -D -linfo first # first is the nodename |
299 | .Ve |
305 | .Ve |
300 | .PP |
306 | .PP |
301 | This will make the vped stay in foreground. You should then see |
307 | This will make the vped stay in foreground. You should then see |
302 | \&\*(L"connection established\*(R" messages. If you don't see them check your |
308 | \&\*(L"connection established\*(R" messages. If you don't see them check your |
303 | firewall and routing (use tcpdump ;). |
309 | firewall and routing (use tcpdump ;). |
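Review bot: the three hostkey rsync lines copy each private key to <host>:/etc/hostkey, which is outside the /etc/vpe directory every other path on the page uses (the first rsync block installs the tree as /etc/vpe and vpectrl is invoked with -c /etc/vpe); unless vped really reads /etc/hostkey, the destination should be /etc/vpe/hostkey, and either way the text should say which file vped looks for. Since these lines carry private keys, the example should also not rely on rsync carrying over permissions from the source tree; mention a chmod 600 on the destination. Typos in this region: "configration", "verify it's output" (its), and the STEP 3 sentence ending in "rsync-over-ssh" has no period.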
… | |
… | |
308 | To make vped run more permanently you can either run it as a daemon |
314 | To make vped run more permanently you can either run it as a daemon |
309 | (by starting it without the \f(CW\*(C`\-D\*(C'\fR switch), or, much better, from your |
315 | (by starting it without the \f(CW\*(C`\-D\*(C'\fR switch), or, much better, from your |
310 | inittab. I use a line like this on my systems: |
316 | inittab. I use a line like this on my systems: |
311 | .PP |
317 | .PP |
312 | .Vb 1 |
318 | .Vb 1 |
313 | \& t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1 |
319 | \& t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1 |
314 | .Ve |
320 | .Ve |
315 | .Sh "\s-1STEP\s0 5: enjoy" |
321 | .Sh "\s-1STEP\s0 5: enjoy" |
316 | .IX Subsection "STEP 5: enjoy" |
322 | .IX Subsection "STEP 5: enjoy" |
317 | \&... and play around. Sending a \-HUP (\f(CW\*(C`vpectrl \-kHUP\*(C'\fR) to the daemon |
323 | \&... and play around. Sending a \-HUP (\f(CW\*(C`vpectrl \-kHUP\*(C'\fR) to the daemon |
318 | will make it try to connect to all other nodes again. If you run it from |
324 | will make it try to connect to all other nodes again. If you run it from |