| 1 |
=head1 NAME |
| 2 |
|
| 3 |
vped.conf - vpe daemon configuration file |
| 4 |
|
| 5 |
=head1 SYNOPSIS |
| 6 |
|
| 7 |
udp-port = 407 |
| 8 |
mtu = 1492 |
| 9 |
ifname = vpn0 |
| 10 |
|
| 11 |
node = branch1 |
| 12 |
hostname = 1.2.3.4 |
| 13 |
|
| 14 |
node = branch2 |
| 15 |
hostname = www.example.net |
| 16 |
udp-port = 500 # this host uses a different udp-port |
| 17 |
|
| 18 |
node = branch3 |
| 19 |
connect = ondemand |
| 20 |
|
| 21 |
=head1 DESCRIPTION |
| 22 |
|
| 23 |
The vpe config file consists of a series of lines that contain C<variable |
| 24 |
= value> pairs. Empty lines are ignored. Comments start with a C<#> and |
| 25 |
extend to the end of the line. They can be used on their own lines, or |
| 26 |
after any directives. Spaces are allowed before or after the C<=> sign or |
| 27 |
after values, but not within the variable names or values themselves. |
| 28 |
|
| 29 |
The only exception to the above is the "on" directive that can prefix any |
| 30 |
C<name = value> setting and will only "execute" it on the named node, or |
| 31 |
(if the nodename starts with "!") on all nodes except the named one. |
| 32 |
|
| 33 |
name = value |
| 34 |
on branch1 loglevel = noise |
| 35 |
on !branch2 connect = ondemand |
| 36 |
|
| 37 |
All settings are executed "in order", that is, later settings of the same |
| 38 |
variable overwrite earlier ones. |
| 39 |
|
| 40 |
=head1 ANATOMY OF A CONFIG FILE |
| 41 |
|
| 42 |
Usually, a config file starts with global settings (like the udp port to |
| 43 |
listen on), followed by node-specific sections that begin with a C<node = |
| 44 |
nickname> line. |
| 45 |
|
| 46 |
Every node that is part of the network must have a section that starts |
| 47 |
with C<node = nickname>. The number and order of the nodes is important |
| 48 |
and must be the same on all hosts. It is not uncommon for node sections to |
| 49 |
be completely empty - if the default values are right. |
| 50 |
|
| 51 |
Node-specific settings can be used at any time. If used before the first |
| 52 |
node section they will set the default values for all following nodes. |
| 53 |
|
| 54 |
=head1 CONFIG VARIABLES |
| 55 |
|
| 56 |
=head2 GLOBAL SETTINGS |
| 57 |
|
| 58 |
Global settings will affect the behaviour of the running vped daemon, that |
| 59 |
is, they are in some sense node-specific (config files can set different |
| 60 |
values on different nodes using C<on>), but will affect the behaviour of |
| 61 |
the vped daemon and all connections it creates. |
| 62 |
|
| 63 |
=over 4 |
| 64 |
|
| 65 |
=item loglevel = noise|trace|debug|info|notice|warn|error|critical |
| 66 |
|
| 67 |
Set the logging level. Connection established messages are logged at level |
| 68 |
C<info>, notable errors are logged with C<error>. Default is C<info>. |
| 69 |
|
| 70 |
=item node = nickname |
| 71 |
|
| 72 |
Not really a config setting but introduces a node section. The nickname is |
| 73 |
used to select the right configuration section and must be passed as an |
| 74 |
argument to the vped daemon. |
| 75 |
|
| 76 |
=item private-key = relative-path-to-key |
| 77 |
|
| 78 |
Sets the path (relative to the config directory) to the private key |
| 79 |
(default: C<hostkey>). This is a printf format string so every C<%> must |
| 80 |
be doubled. A single C<%s> is replaced by the hostname, so you could |
| 81 |
use paths like C<hostkeys/%s> to fetch the files at the location where |
| 82 |
C<vpectrl> puts them. |
| 83 |
|
| 84 |
Since only the private key file of the current node is used and the |
| 85 |
private key file should be kept secret per-host to avoid spoofings, it is |
| 86 |
not recommended to use this feature. |
| 87 |
|
| 88 |
=item ifpersist = yes|true|on | no|false|off |
| 89 |
|
| 90 |
Should the tun/tap device be made persistent, that is, should the device |
| 91 |
stay up even when vped exits? Some versions of the tunnel device have |
| 92 |
problems sending packets when vped is restarted in persistent mode, so |
| 93 |
if the connections can be established but you cannot send packets from |
| 94 |
the local node, try to set this to C<off> and do an ifconfig down on the |
| 95 |
device. |
| 96 |
|
| 97 |
=item ifname = devname |
| 98 |
|
| 99 |
Sets the tun interface name to the given name. The default is OS-specific |
| 100 |
and most probably something like C<tun0>. |
| 101 |
|
| 102 |
=item rekey = seconds |
| 103 |
|
| 104 |
Sets the rekeying interval in seconds (default: C<3600>). Connections are |
| 105 |
reestablished every C<rekey> seconds. |
| 106 |
|
| 107 |
=item keepalive = seconds |
| 108 |
|
| 109 |
Sets the keepalive probe interval in seconds (default: C<60>). After this |
| 110 |
many seconds of inactivity the daemon will start to send keepalive probe |
| 111 |
every 5 seconds until it receives a reply from the other end. If no reply |
| 112 |
is received within 30 seconds, the peer is considered unreachable and the |
| 113 |
connection is closed. |
| 114 |
|
| 115 |
=item mtu = bytes |
| 116 |
|
| 117 |
Sets the maximum MTU that should be used on outgoing packets (basically |
| 118 |
the MTU of the outgoing interface) The daemon will automatically calculate |
| 119 |
maximum overhead (e.g. udp header size, encryption blocksize...) and pass |
| 120 |
this information to the C<if-up> script. |
| 121 |
|
| 122 |
Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
| 123 |
|
| 124 |
This value must be the minimum of the mtu values of all hosts. |
| 125 |
|
| 126 |
=item ip-proto = numerical-ip-protocol |
| 127 |
|
| 128 |
Sets the protocol number to be used for the rawip protocol. This is a |
| 129 |
global option because all hosts must use the same protocol, and since |
| 130 |
there are no port numbers, you cannot easily run more than one vped |
| 131 |
instance using the same protocol, nor can you share the protocol with |
| 132 |
other programs. |
| 133 |
|
| 134 |
The default is 47 (GRE), which has a good chance of tunneling through |
| 135 |
firewalls (but note that the rawip protocol is not GRE compatible). Other |
| 136 |
common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 (IPIP tunnels) or 98 |
| 137 |
(ENCAP, rfc1241) |
| 138 |
|
| 139 |
=item enable-udp = yes|true|on | no|false|off |
| 140 |
|
| 141 |
Enable the UDPv4 transport using the C<udp-port> port |
| 142 |
(default: C<yes>). This is a good general choice since UDP tunnels well |
| 143 |
through many firewalls. |
| 144 |
|
| 145 |
=item enable-rawip = yes|true|on | no|false|off |
| 146 |
|
| 147 |
Enable the RAW IPv4 transport using the C<ip-proto> protocol |
| 148 |
(default: C<no>). This is the best choice, since the overhead per packet |
| 149 |
is only 38 bytes, as opposed to UDP's 58 (or TCP's 60+). |
| 150 |
|
| 151 |
=item if-up = relative-or-absolute-path |
| 152 |
|
| 153 |
Sets the path of a script that should be called immediately after the |
| 154 |
network interface is initialized (but not neccessarily up). The following |
| 155 |
environment variables are passed to it (the values are just examples): |
| 156 |
|
| 157 |
=over 4 |
| 158 |
|
| 159 |
=item CONFBASE=/etc/vpe |
| 160 |
|
| 161 |
The configuration base directory. |
| 162 |
|
| 163 |
=item IFNAME=vpn0 |
| 164 |
|
| 165 |
The interface to initialize. |
| 166 |
|
| 167 |
=item MTU=1436 |
| 168 |
|
| 169 |
The MTU to set the interface to. You can use lower values (if done |
| 170 |
consistently on all hosts), but this is usually ineffective. |
| 171 |
|
| 172 |
=item MAC=fe:fd:80:00:00:01 |
| 173 |
|
| 174 |
The MAC address to set the interface to. The script *must* set the |
| 175 |
interface MAC to this value. On GNU/Linux you will most likely use this: |
| 176 |
|
| 177 |
ip link set $IFNAME address $MAC mtu $MTU up |
| 178 |
|
| 179 |
=item NODENAME=branch1 |
| 180 |
|
| 181 |
The nickname of the current node, as passed to the vped daemon. |
| 182 |
|
| 183 |
=item NODEID=1 |
| 184 |
|
| 185 |
The numerical node id of the current node. The first node mentioned in the |
| 186 |
config file gets ID 1, the second ID 2 and so on. |
| 187 |
|
| 188 |
=back |
| 189 |
|
| 190 |
Here is a simple if-up script: |
| 191 |
|
| 192 |
#!/bin/sh |
| 193 |
ip link set $IFNAME address $MAC mtu $MTU up |
| 194 |
[ $NODENAME = branch1 ] && ip addr add 10.0.0.1 dev $IFNAME |
| 195 |
[ $NODENAME = branch2 ] && ip addr add 10.1.0.1 dev $IFNAME |
| 196 |
ip route add 10.0.0.0/8 dev $IFNAME |
| 197 |
|
| 198 |
More complicated examples (using routing to reduce arp traffic) can be |
| 199 |
found in the etc/ subdirectory of the distribution. |
| 200 |
|
| 201 |
=item node-up = relative-or-absolute-path |
| 202 |
|
| 203 |
Sets a command (default: no script) that should be called whenever a |
| 204 |
connection is established (even on rekeying operations). In addition |
| 205 |
to the variables passed to C<if-up> scripts, the following environment |
| 206 |
variables will be set: |
| 207 |
|
| 208 |
=over 4 |
| 209 |
|
| 210 |
=item DESTNODE=branch2 |
| 211 |
|
| 212 |
The name of the remote node. |
| 213 |
|
| 214 |
=item DESTID=2 |
| 215 |
|
| 216 |
The node id of the remote node. |
| 217 |
|
| 218 |
=item DESTIP=188.13.66.8 |
| 219 |
|
| 220 |
The numerical IP address of the remote host (vped accepts connections from |
| 221 |
everywhere, as long as the other host can authenticate itself). |
| 222 |
|
| 223 |
=item DESTPORT=407 # deprecated |
| 224 |
|
| 225 |
The UDP port used by the other side. |
| 226 |
|
| 227 |
=item STATE=UP |
| 228 |
|
| 229 |
Node-up scripts get called with STATE=UP, node-down scripts get called |
| 230 |
with STATE=DOWN. |
| 231 |
|
| 232 |
=back |
| 233 |
|
| 234 |
Here is a nontrivial example that uses nsupdate to update the name => ip |
| 235 |
mapping in some dns zone: |
| 236 |
|
| 237 |
#!/bin/sh |
| 238 |
{ |
| 239 |
echo update delete $DESTNODE.lowttl.example.net. a |
| 240 |
echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP |
| 241 |
echo |
| 242 |
} | nsupdate -d -k $CONFBASE:key.example.net. |
| 243 |
|
| 244 |
=item node-down = relative-or-absolute-path |
| 245 |
|
| 246 |
Same as C<node-up>, but gets called whenever a connection is lost. |
| 247 |
|
| 248 |
=back |
| 249 |
|
| 250 |
=head2 NODE SPECIFIC SETTINGS |
| 251 |
|
| 252 |
The following settings are node-specific, that is, every node can have |
| 253 |
different settings, even within the same vped instance. Settings that are |
| 254 |
executed before the first node section set the defaults, settings that are |
| 255 |
executed within a node section only apply to the given node. |
| 256 |
|
| 257 |
=over 4 |
| 258 |
|
| 259 |
=item udp-port = port-number |
| 260 |
|
| 261 |
Sets the port number used by the UDP protocol (default: C<407>, not |
| 262 |
officially assigned by IANA!). |
| 263 |
|
| 264 |
=item router-priority = positive-number |
| 265 |
|
| 266 |
Sets the router priority of the given host (default: C<0>, disabled). If |
| 267 |
some host tries to connect to another host without a hostname, it asks |
| 268 |
the router host for it's IP address. The router host is the one with the |
| 269 |
highest priority that is currently reachable. Make sure all clients always |
| 270 |
connect to the router hosts, otherwise conencting to them is impossible. |
| 271 |
|
| 272 |
=item connect = ondemand|never|always|disabled |
| 273 |
|
| 274 |
Sets the connect mode (default: C<always>). It can be C<always> (always |
| 275 |
try to establish and keep a conenction to the given host), C<never> |
| 276 |
(nevr initiate a connection to the given host, but accept connections), |
| 277 |
C<ondemand> (try to establish a connection on the first packet sent, and |
| 278 |
take it down after the keepalive interval) or C<disabled> (node is bad, |
| 279 |
don't talk to it). |
| 280 |
|
| 281 |
=item inherit-tos = yes|true|on | no|false|off |
| 282 |
|
| 283 |
Wether to inherit the TOS settings of packets sent to the tunnel when |
| 284 |
sending packets to this node (default: C<yes>). If set to C<yes> then |
| 285 |
outgoing tunnel packets will have the same TOS setting as the packets sent |
| 286 |
to the tunnel device, which is usually what you want. |
| 287 |
|
| 288 |
=item compress = yes|true|on | no|false|off |
| 289 |
|
| 290 |
Wether to compress data packets sent to this host (default: C<yes>). |
| 291 |
Compression is really cheap even on slow computers and has no size |
| 292 |
overhead at all, so enabling this is a good idea. |
| 293 |
|
| 294 |
=back |
| 295 |
|
| 296 |
=head1 CONFIG DIRECTORY LAYOUT |
| 297 |
|
| 298 |
The default (or recommended) directory layout for the config directory is: |
| 299 |
|
| 300 |
=over 4 |
| 301 |
|
| 302 |
=item vped.conf |
| 303 |
|
| 304 |
The config file. |
| 305 |
|
| 306 |
=item if-up |
| 307 |
|
| 308 |
The if-up script |
| 309 |
|
| 310 |
=item node-up, node-down |
| 311 |
|
| 312 |
If used the node up or node-down scripts. |
| 313 |
|
| 314 |
=item hostkey |
| 315 |
|
| 316 |
The private key (taken from C<hostkeys/nodename>) of the current host. |
| 317 |
|
| 318 |
=item pubkey/nodename |
| 319 |
|
| 320 |
The public keys of the other nodes, one file per node. |
| 321 |
|
| 322 |
=back |
| 323 |
|
| 324 |
=head1 SEE ALSO |
| 325 |
|
| 326 |
vpe(5), vped(8), vpectrl(8). |
| 327 |
|
| 328 |
=head1 AUTHOR |
| 329 |
|
| 330 |
Marc Lehmann <vpe@plan9.de> |
| 331 |
|
