--- gvpe/doc/vpe.pod 2003/03/23 14:47:39 1.1 +++ gvpe/doc/vpe.pod 2003/03/24 15:20:24 1.2 @@ -45,13 +45,14 @@ =head1 PROGRAMS Vpe comes with two programs: one daemon (C) and one control program -C). +(C). =over 4 =item vpectrl -Is used to generate the keys and give an overview of the configuration. +Is used to generate the keys, check and give an overview of of the +configuration and contorl the daemon (restarting etc.). =item vped 
@@ -60,30 +61,35 @@ =back -=head1 CONFIGURING VPE +=head1 COMPILETIME CONFIGURATION -Here are a few recipes for configuring your vpe: +Here are a few recipes for compiling your vpe: =head2 AS LOW PACKET OVERHEAD AS POSSIBLE - ./configure --enable-hmac-length=4 --enable-rand-length=0 + ./configure --enable-hmac-length=4 --enable-rand-length=0 -Minimize the header overhead of VPN packets. +Minimize the header overhead of VPN packets (the above will result in only +4 bytes of overhead over the raw ethernet frame). =head2 MINIMIZE CPU TIME REQUIRED - ./configure --enable-cipher=bf --enable-digest=md4 + ./configure --enable-cipher=bf --enable-digest=md4 -Use the fastest cipher and digest algorithms. +Use the fastest cipher and digest algorithms currently available in vpe. =head2 MAXIMIZE SECURITY - ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 + ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 + +This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12 +would also be pretty secure ;) and will additionally prefix each packet +with 8 bytes of random data. In general, remember that AES-128 seems to be more secure and faster than -AES-192 or AES-256, more randomness and longer hmac is more secure, MD4 is -a fast digest, SHA1 or RIPEMD160 are better, and Blowfish is a fast and -so-far quite secure cipher. +AES-192 or AES-256, more randomness helps against sniffing and a longer +HMAC helps against spoofing. MD4 is a fast digest, SHA1 or RIPEMD160 are +better, and Blowfish is a fast cipher (and also quite secure). =head1 HOW TO SET UP A SIMPLE VPN 
@@ -98,29 +104,29 @@ Put the following lines into C: - udp-port = 50000 # the external port to listen on (configure your firewall) - mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts - ifname = vpn0 # the local network device name + udp-port = 50000 # the external port to listen on (configure your firewall) + mtu = 1400 # minimum MTU of all outgoing interfaces on all hosts + ifname = vpn0 # the local network device name - node = first # just a nickname - hostname = first.example.net # the DNS name or IP address of the host + node = first # just a nickname + hostname = first.example.net # the DNS name or IP address of the host - node = second - hostname = 133.55.82.9 + node = second + hostname = 133.55.82.9 - node = third - hostname = third.example.net + node = third + hostname = third.example.net The only other file neccessary if the C script that initializes the local ethernet interface. Put the following lines into C and make it execute (C): - #!/bin/sh - ip link set $IFNAME address $MAC mtu $MTU up - [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME - [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME - [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME - ip route add 10.0.0.0/16 dev $IFNAME + #!/bin/sh + ip link set $IFNAME address $MAC mtu $MTU up + [ $NODENAME = first ] && ip addr add 10.0.1.1 dev $IFNAME + [ $NODENAME = second ] && ip addr add 10.0.2.1 dev $IFNAME + [ $NODENAME = third ] && ip addr add 10.0.3.1 dev $IFNAME + ip route add 10.0.0.0/16 dev $IFNAME This script will give each node a different IP address in the C<10.0/16> network. The internal network (e.g. the C interface) should then be @@ -137,7 +143,7 @@ Run the following command to generate all key pairs (that might take a while): - vpectrl -c /etc/vpe -g + vpectrl -c /etc/vpe -g This command will put the public keys into C<< /etc/vpe/pubkeys/I >> and the private keys into C<< 
@@ -150,15 +156,15 @@ First all the config files without the hostkeys should be distributed: - rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys - rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys - rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys + rsync -avzessh /etc/vpe first.example.net:/etc/. --exclude hostkeys + rsync -avzessh /etc/vpe 133.55.82.9:/etc/. --exclude hostkeys + rsync -avzessh /etc/vpe third.example.net:/etc/. --exclude hostkeys Then the hostkeys should be copied: - rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey - rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey - rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey + rsync -avzessh /etc/vpe/hostkeys/first first.example.net:/etc/hostkey + rsync -avzessh /etc/vpe/hostkeys/second 133.55.82.9:/etc/hostkey + rsync -avzessh /etc/vpe/hostkeys/third third.example.net:/etc/hostkey You should now check the configration by issuing the command C on each node and verify it's output. @@ -167,7 +173,7 @@ You should then start vped on each node by issuing a command like: - vped -D -linfo first # first is the nodename + vped -D -linfo first # first is the nodename This will make the vped stay in foreground. You should then see "connection established" messages. If you don't see them check your @@ -180,7 +186,7 @@ (by starting it without the C<-D> switch), or, much better, from your inittab. I use a line like this on my systems: - t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1 + t1:2345:respawn:/opt/vpe/sbin/vped -D -L first >/dev/null 2>&1 =head2 STEP 5: enjoy
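Review bot: The rewritten vpectrl description in the first hunk (=item vpectrl) introduces two typos: "overview of of the configuration" doubles "of", and "contorl the daemon" should read "control the daemon". Suggested wording: "Is used to generate the keys, check and give an overview of the configuration and control the daemon (restarting etc.)."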
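Review bot: The MINIMIZE CPU TIME recipe in the =head1 COMPILETIME CONFIGURATION hunk still recommends --enable-digest=md4 with no pointer to the trade-off, while the paragraph a few lines below says "SHA1 or RIPEMD160 are better"; add that cross-reference next to the md4 recipe so a reader who only copies the one-liner sees it. In the same hunk, the parenthetical "(I guess 8-12 would also be pretty secure ;)" reads as a guess rather than documentation and the "only 4 bytes of overhead over the raw ethernet frame" claim would be clearer if it said whether that counts the HMAC alone or the full vpe header; also consider "COMPILE-TIME CONFIGURATION" for the heading.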
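Review bot: The @@ -98 hunk only re-indents the verbatim blocks, but while touching this region the context sentence "The only other file neccessary if the C script" has two typos ("neccessary" and "if" for "is"); the shell example would also be more robust with the variables quoted, e.g. `[ "$NODENAME" = first ] && ip addr add 10.0.1.1 dev "$IFNAME"`, so an unset $NODENAME fails cleanly instead of producing a test(1) syntax error.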
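Review bot: The @@ -150 hunk re-indents the rsync commands but leaves the adjacent context "check the configration ... and verify it's output" with two typos ("configuration", "its"); since the whole patch is a whitespace/typo pass, fix these in the same commit.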