1 |
pcg |
1.1 |
=head1 NAME |
2 |
|
|
|
3 |
|
|
vped.conf - vpe daemon configuration file |
4 |
|
|
|
5 |
|
|
=head1 SYNOPSIS |
6 |
|
|
|
7 |
|
|
udp-port = 407 |
8 |
|
|
mtu = 1492 |
9 |
|
|
ifname = vpn0 |
10 |
pcg |
1.2 |
|
11 |
pcg |
1.1 |
node = branch1 |
12 |
|
|
hostname = 1.2.3.4 |
13 |
|
|
|
14 |
|
|
node = branch2 |
15 |
|
|
hostname = www.example.net |
16 |
|
|
udp-port = 500 # this host uses a different udp-port |
17 |
|
|
|
18 |
|
|
node = branch3 |
19 |
|
|
connect = ondemand |
20 |
|
|
|
21 |
|
|
=head1 DESCRIPTION |
22 |
|
|
|
23 |
|
|
The vpe config file consists of a series of lines that contain C<variable |
24 |
|
|
= value> pairs. Empty lines are ignored. Comments start with a C<#> and |
25 |
|
|
extend to the end of the line. They can be used on their own lines, or |
26 |
|
|
after any directives. Spaces are allowed before or after the C<=> sign or |
27 |
|
|
after values, but not within the variable names or values themselves. |
28 |
|
|
|
29 |
|
|
The only exception to the above is the "on" directive that can prefix any |
30 |
|
|
C<name = value> setting and will only "execute" it on the named node, or |
31 |
|
|
(if the nodename starts with "!") on all nodes except the named one. |
32 |
|
|
|
33 |
|
|
name = value |
34 |
|
|
on branch1 loglevel = noise |
35 |
|
|
on !branch2 connect = ondemand |
36 |
|
|
|
37 |
|
|
All settings are executed "in order", that is, later settings of the same |
38 |
|
|
variable overwrite earlier ones. |
39 |
|
|
|
40 |
|
|
=head1 ANATOMY OF A CONFIG FILE |
41 |
|
|
|
42 |
|
|
Usually, a config file starts with global settings (like the udp port to |
43 |
|
|
listen on), followed by node-specific sections that begin with a C<node = |
44 |
|
|
nickname> line. |
45 |
|
|
|
46 |
|
|
Every node that is part of the network must have a section that starts |
47 |
|
|
with C<node = nickname>. The number and order of the nodes is important |
48 |
|
|
and must be the same on all hosts. It is not uncommon for node sections to |
49 |
|
|
be completely empty - if the default values are right. |
50 |
|
|
|
51 |
|
|
Node-specific settings can be used at any time. If used before the first |
52 |
|
|
node section they will set the default values for all following nodes. |
53 |
|
|
|
54 |
|
|
=head1 CONFIG VARIABLES |
55 |
|
|
|
56 |
|
|
=head2 GLOBAL SETTINGS |
57 |
|
|
|
58 |
|
|
Global settings will affect the behaviour of the running vped daemon, that |
59 |
|
|
is, they are in some sense node-specific (config files can set different |
60 |
|
|
values on different nodes using C<on>), but will affect the behaviour of |
61 |
|
|
the vped daemon and all connections it creates. |
62 |
|
|
|
63 |
|
|
=over 4 |
64 |
|
|
|
65 |
|
|
=item loglevel = noise|trace|debug|info|notice|warn|error|critical |
66 |
|
|
|
67 |
|
|
Set the logging level. Connection established messages are logged at level |
68 |
|
|
C<info>, notable errors are logged with C<error>. Default is C<info>. |
69 |
|
|
|
70 |
|
|
=item node = nickname |
71 |
|
|
|
72 |
|
|
Not really a config setting but introduces a node section. The nickname is |
73 |
|
|
used to select the right configuration section and must be passed as an |
74 |
|
|
argument to the vped daemon. |
75 |
|
|
|
76 |
|
|
=item private-key = relative-path-to-key |
77 |
|
|
|
78 |
|
|
Sets the path (relative to the config directory) to the private key |
79 |
|
|
(default: C<hostkey>). This is a printf format string so every C<%> must |
80 |
|
|
be doubled. A single C<%s> is replaced by the hostname, so you could |
81 |
|
|
use paths like C<hostkeys/%s> to fetch the files at the location where |
82 |
|
|
C<vpectrl> puts them. |
83 |
|
|
|
84 |
|
|
Since only the private key file of the current node is used and the |
85 |
|
|
private key file should be kept secret per-host to avoid spoofings, it is |
86 |
|
|
not recommended to use this feature. |
87 |
|
|
|
88 |
|
|
=item ifpersist = yes|true|on | no|false|off |
89 |
|
|
|
90 |
|
|
Should the tun/tap device be made persistent, that is, should the device |
91 |
|
|
stay up even when vped exits? Some versions of the tunnel device have |
92 |
|
|
problems sending packets when vped is restarted in persistent mode, so |
93 |
|
|
if the connections can be established but you cannot send packets from |
94 |
|
|
the local node, try to set this to C<off> and do an ifconfig down on the |
95 |
|
|
device. |
96 |
|
|
|
97 |
|
|
=item ifname = devname |
98 |
|
|
|
99 |
|
|
Sets the tun interface name to the given name. The default is OS-specific |
100 |
|
|
and most probably something like C<tun0>. |
101 |
|
|
|
102 |
|
|
=item rekey = seconds |
103 |
|
|
|
104 |
|
|
Sets the rekeying interval in seconds (default: C<3600>). Connections are |
105 |
|
|
reestablished every C<rekey> seconds. |
106 |
|
|
|
107 |
|
|
=item keepalive = seconds |
108 |
|
|
|
109 |
|
|
Sets the keepalive probe interval in seconds (default: C<60>). After this |
110 |
|
|
many seconds of inactivity the daemon will start to send keepalive probe |
111 |
|
|
every 5 seconds until it receives a reply from the other end. If no reply |
112 |
|
|
is received within 30 seconds, the peer is considered unreachable and the |
113 |
|
|
connection is closed. |
114 |
|
|
|
115 |
|
|
=item mtu = bytes |
116 |
|
|
|
117 |
|
|
Sets the maximum MTU that should be used on outgoing packets (basically |
118 |
|
|
the MTU of the outgoing interface) The daemon will automatically calculate |
119 |
|
|
maximum overhead (e.g. udp header size, encryption blocksize...) and pass |
120 |
|
|
this information to the C<if-up> script. |
121 |
|
|
|
122 |
|
|
Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
123 |
|
|
|
124 |
|
|
This value must be the minimum of the mtu values of all hosts. |
125 |
|
|
|
126 |
|
|
=item ip-proto = numerical-ip-protocol |
127 |
|
|
|
128 |
|
|
Sets the protocol number to be used for the rawip protocol. This is a |
129 |
|
|
global option because all hosts must use the same protocol, and since |
130 |
|
|
there are no port numbers, you cannot easily run more than one vped |
131 |
|
|
instance using the same protocol, nor can you share the protocol with |
132 |
|
|
other programs. |
133 |
|
|
|
134 |
|
|
The default is 47 (GRE), which has a good chance of tunneling through |
135 |
|
|
firewalls (but note that the rawip protocol is not GRE compatible). Other |
136 |
|
|
common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 (IPIP tunnels) or 98 |
137 |
|
|
(ENCAP, rfc1241) |
138 |
|
|
|
139 |
|
|
=item if-up = relative-or-absolute-path |
140 |
|
|
|
141 |
|
|
Sets the path of a script that should be called immediately after the |
142 |
|
|
network interface is initialized (but not neccessarily up). The following |
143 |
|
|
environment variables are passed to it (the values are just examples): |
144 |
|
|
|
145 |
|
|
=over 4 |
146 |
|
|
|
147 |
|
|
=item CONFBASE=/etc/vpe |
148 |
|
|
|
149 |
|
|
The configuration base directory. |
150 |
|
|
|
151 |
|
|
=item IFNAME=vpn0 |
152 |
|
|
|
153 |
|
|
The interface to initialize. |
154 |
|
|
|
155 |
|
|
=item MTU=1436 |
156 |
|
|
|
157 |
|
|
The MTU to set the interface to. You can use lower values (if done |
158 |
|
|
consistently on all hosts), but this is usually ineffective. |
159 |
|
|
|
160 |
|
|
=item MAC=fe:fd:80:00:00:01 |
161 |
|
|
|
162 |
|
|
The MAC address to set the interface to. The script *must* set the |
163 |
pcg |
1.6 |
interface MAC to this value. You will most likely use one of these: |
164 |
pcg |
1.1 |
|
165 |
pcg |
1.6 |
ip link set $IFNAME address $MAC mtu $MTU up # GNU/Linux |
166 |
|
|
ifconfig $IFNAME ether $MAC mtu $MTU up # FreeBSD |
167 |
|
|
|
168 |
pcg |
1.8 |
Please see the C<vpe.osdep(5)> manpage for platform-specific information. |
169 |
|
|
|
170 |
|
|
=item IFTYPE=native # or tincd |
171 |
pcg |
1.6 |
|
172 |
|
|
=item IFSUBTYPE=linux # or freebsd, darwin etc.. |
173 |
|
|
|
174 |
|
|
The interface type (C<native> or C<tincd>) and the subtype (usually the os |
175 |
|
|
name in lowercase) that this vpe was configured for. Can be used to select |
176 |
|
|
the correct syntax to use for network-related commands. |
177 |
pcg |
1.1 |
|
178 |
|
|
=item NODENAME=branch1 |
179 |
|
|
|
180 |
|
|
The nickname of the current node, as passed to the vped daemon. |
181 |
|
|
|
182 |
|
|
=item NODEID=1 |
183 |
|
|
|
184 |
|
|
The numerical node id of the current node. The first node mentioned in the |
185 |
|
|
config file gets ID 1, the second ID 2 and so on. |
186 |
|
|
|
187 |
|
|
=back |
188 |
|
|
|
189 |
|
|
Here is a simple if-up script: |
190 |
|
|
|
191 |
|
|
#!/bin/sh |
192 |
|
|
ip link set $IFNAME address $MAC mtu $MTU up |
193 |
|
|
[ $NODENAME = branch1 ] && ip addr add 10.0.0.1 dev $IFNAME |
194 |
|
|
[ $NODENAME = branch2 ] && ip addr add 10.1.0.1 dev $IFNAME |
195 |
|
|
ip route add 10.0.0.0/8 dev $IFNAME |
196 |
|
|
|
197 |
|
|
More complicated examples (using routing to reduce arp traffic) can be |
198 |
|
|
found in the etc/ subdirectory of the distribution. |
199 |
|
|
|
200 |
|
|
=item node-up = relative-or-absolute-path |
201 |
|
|
|
202 |
|
|
Sets a command (default: no script) that should be called whenever a |
203 |
|
|
connection is established (even on rekeying operations). In addition |
204 |
|
|
to the variables passed to C<if-up> scripts, the following environment |
205 |
|
|
variables will be set: |
206 |
|
|
|
207 |
|
|
=over 4 |
208 |
|
|
|
209 |
|
|
=item DESTNODE=branch2 |
210 |
|
|
|
211 |
|
|
The name of the remote node. |
212 |
|
|
|
213 |
|
|
=item DESTID=2 |
214 |
|
|
|
215 |
|
|
The node id of the remote node. |
216 |
|
|
|
217 |
|
|
=item DESTIP=188.13.66.8 |
218 |
|
|
|
219 |
|
|
The numerical IP address of the remote host (vped accepts connections from |
220 |
|
|
everywhere, as long as the other host can authenticate itself). |
221 |
|
|
|
222 |
pcg |
1.7 |
=item DESTPORT=655 # deprecated |
223 |
pcg |
1.1 |
|
224 |
|
|
The UDP port used by the other side. |
225 |
|
|
|
226 |
|
|
=item STATE=UP |
227 |
|
|
|
228 |
|
|
Node-up scripts get called with STATE=UP, node-down scripts get called |
229 |
|
|
with STATE=DOWN. |
230 |
|
|
|
231 |
|
|
=back |
232 |
|
|
|
233 |
|
|
Here is a nontrivial example that uses nsupdate to update the name => ip |
234 |
|
|
mapping in some dns zone: |
235 |
|
|
|
236 |
|
|
#!/bin/sh |
237 |
|
|
{ |
238 |
|
|
echo update delete $DESTNODE.lowttl.example.net. a |
239 |
|
|
echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP |
240 |
|
|
echo |
241 |
|
|
} | nsupdate -d -k $CONFBASE:key.example.net. |
242 |
|
|
|
243 |
|
|
=item node-down = relative-or-absolute-path |
244 |
|
|
|
245 |
|
|
Same as C<node-up>, but gets called whenever a connection is lost. |
246 |
|
|
|
247 |
pcg |
1.4 |
=item http-proxy-host = hostname/ip |
248 |
|
|
|
249 |
pcg |
1.5 |
The C<http-proxy-*> family of options are only available if vpe was |
250 |
pcg |
1.4 |
compiled with the C<--enable-http-proxy> option and enable tunneling of |
251 |
|
|
tcp connections through a http proxy server. |
252 |
|
|
|
253 |
|
|
C<http-proxy-host> and C<http-proxy-port> should specify the hostname and |
254 |
|
|
port number of the proxy server. See C<http-proxy-loginpw> if your proxy |
255 |
|
|
requires authentication. |
256 |
|
|
|
257 |
|
|
Please note that vpe will still try to resolve all hostnames in the |
258 |
|
|
configuration file, so if you are behind a proxy without access to a dns |
259 |
|
|
server better use numerical IP addresses. |
260 |
|
|
|
261 |
|
|
To make best use of this option disable all protocols except tcp in your |
262 |
|
|
config file and make sure your routers (or all other hosts) are listening |
263 |
|
|
on a port that the proxy allows (443, https, is a common choice). |
264 |
|
|
|
265 |
|
|
If you have a router, connecting to it will suffice. Otherwise tcp must be |
266 |
|
|
enabled on all hosts. |
267 |
|
|
|
268 |
|
|
Example: |
269 |
|
|
|
270 |
|
|
http-proxy-host = proxy.example.com |
271 |
|
|
http-proxy-port = 3128 # 8080 is another common choice |
272 |
|
|
http-proxy-auth = schmorp:grumbeere |
273 |
|
|
|
274 |
|
|
=item http-proxy-port = proxy-tcp-port |
275 |
|
|
|
276 |
|
|
The port where your proxy server listens. |
277 |
|
|
|
278 |
|
|
=item http-proxy-auth = login:password |
279 |
|
|
|
280 |
|
|
The optional login and password used to authenticate to the proxy server, |
281 |
|
|
seperated by a literal colon (C<:>). Only basic authentication is |
282 |
|
|
currently supported. |
283 |
|
|
|
284 |
pcg |
1.1 |
=back |
285 |
|
|
|
286 |
|
|
=head2 NODE SPECIFIC SETTINGS |
287 |
|
|
|
288 |
|
|
The following settings are node-specific, that is, every node can have |
289 |
|
|
different settings, even within the same vped instance. Settings that are |
290 |
|
|
executed before the first node section set the defaults, settings that are |
291 |
|
|
executed within a node section only apply to the given node. |
292 |
|
|
|
293 |
|
|
=over 4 |
294 |
|
|
|
295 |
|
|
=item udp-port = port-number |
296 |
|
|
|
297 |
pcg |
1.7 |
Sets the port number used by the UDP protocol (default: C<655>, not |
298 |
pcg |
1.1 |
officially assigned by IANA!). |
299 |
pcg |
1.3 |
|
300 |
|
|
=item tcp-port = port-number |
301 |
|
|
|
302 |
pcg |
1.7 |
Similar to C<udp-port> (default: C<655>), but sets the TCP port number. |
303 |
pcg |
1.3 |
|
304 |
|
|
=item enable-rawip = yes|true|on | no|false|off |
305 |
|
|
|
306 |
|
|
Enable the RAW IPv4 transport using the C<ip-proto> protocol |
307 |
|
|
(default: C<no>). This is the best choice, since the overhead per packet |
308 |
|
|
is only 38 bytes, as opposed to UDP's 58 (or TCP's 60+). |
309 |
|
|
|
310 |
|
|
=item enable-udp = yes|true|on | no|false|off |
311 |
|
|
|
312 |
|
|
Enable the UDPv4 transport using the C<udp-port> port |
313 |
|
|
(default: C<yes>). This is a good general choice since UDP tunnels well |
314 |
|
|
through many firewalls. |
315 |
|
|
|
316 |
|
|
=item enable-tcp = yes|true|on | no|false|off |
317 |
|
|
|
318 |
|
|
Enable the TCPv4 transport using the C<tcp-port> port |
319 |
|
|
(default: C<no>). Support for this horribly unsuitable protocol is only |
320 |
|
|
available when vpe was compiled using the C<--enable-tcp> option. Never |
321 |
|
|
use this transport unless you really must, it is horribly ineffiecent and |
322 |
|
|
resource-intensive compared to the other transports. |
323 |
pcg |
1.1 |
|
324 |
|
|
=item router-priority = positive-number |
325 |
|
|
|
326 |
|
|
Sets the router priority of the given host (default: C<0>, disabled). If |
327 |
|
|
some host tries to connect to another host without a hostname, it asks |
328 |
|
|
the router host for it's IP address. The router host is the one with the |
329 |
|
|
highest priority that is currently reachable. Make sure all clients always |
330 |
|
|
connect to the router hosts, otherwise conencting to them is impossible. |
331 |
|
|
|
332 |
|
|
=item connect = ondemand|never|always|disabled |
333 |
|
|
|
334 |
|
|
Sets the connect mode (default: C<always>). It can be C<always> (always |
335 |
|
|
try to establish and keep a conenction to the given host), C<never> |
336 |
|
|
(nevr initiate a connection to the given host, but accept connections), |
337 |
|
|
C<ondemand> (try to establish a connection on the first packet sent, and |
338 |
|
|
take it down after the keepalive interval) or C<disabled> (node is bad, |
339 |
|
|
don't talk to it). |
340 |
|
|
|
341 |
|
|
=item inherit-tos = yes|true|on | no|false|off |
342 |
|
|
|
343 |
|
|
Wether to inherit the TOS settings of packets sent to the tunnel when |
344 |
|
|
sending packets to this node (default: C<yes>). If set to C<yes> then |
345 |
|
|
outgoing tunnel packets will have the same TOS setting as the packets sent |
346 |
|
|
to the tunnel device, which is usually what you want. |
347 |
|
|
|
348 |
|
|
=item compress = yes|true|on | no|false|off |
349 |
|
|
|
350 |
|
|
Wether to compress data packets sent to this host (default: C<yes>). |
351 |
|
|
Compression is really cheap even on slow computers and has no size |
352 |
|
|
overhead at all, so enabling this is a good idea. |
353 |
|
|
|
354 |
|
|
=back |
355 |
|
|
|
356 |
|
|
=head1 CONFIG DIRECTORY LAYOUT |
357 |
|
|
|
358 |
|
|
The default (or recommended) directory layout for the config directory is: |
359 |
|
|
|
360 |
|
|
=over 4 |
361 |
|
|
|
362 |
|
|
=item vped.conf |
363 |
|
|
|
364 |
|
|
The config file. |
365 |
|
|
|
366 |
|
|
=item if-up |
367 |
|
|
|
368 |
|
|
The if-up script |
369 |
|
|
|
370 |
|
|
=item node-up, node-down |
371 |
|
|
|
372 |
|
|
If used the node up or node-down scripts. |
373 |
|
|
|
374 |
|
|
=item hostkey |
375 |
|
|
|
376 |
|
|
The private key (taken from C<hostkeys/nodename>) of the current host. |
377 |
|
|
|
378 |
|
|
=item pubkey/nodename |
379 |
|
|
|
380 |
|
|
The public keys of the other nodes, one file per node. |
381 |
|
|
|
382 |
|
|
=back |
383 |
|
|
|
384 |
|
|
=head1 SEE ALSO |
385 |
|
|
|
386 |
|
|
vpe(5), vped(8), vpectrl(8). |
387 |
|
|
|
388 |
|
|
=head1 AUTHOR |
389 |
|
|
|
390 |
|
|
Marc Lehmann <vpe@plan9.de> |
391 |
|
|
|