~mdw / secnet / blame
| Commit | Line | Data |
|---|---|---|
| 2fe58dfd SE |
1 | INSTALLATION INSTRUCTIONS for SECNET |
| 2 | ||
| 3 | Ensure that you have libgmp2-dev and adns installed (and bison and | |
| 4 | flex, and for that matter gcc...). | |
| 5 | ||
| 6 | If you intend to configure secnet to obtain packets from the kernel | |
| 7 | through userv-ipif, install and configure userv-ipif. It is part of | |
| 8 | userv-utils, available from ftp.chiark.greenend.org.uk in | |
| 9 | /users/ian/userv | |
| 10 | ||
| 11 | Then, to install secnet do | |
| 12 | ||
| 13 | $ ./configure | |
| 14 | $ make | |
| 15 | # cp secnet /usr/local/sbin/secnet | |
| 16 | # mkdir /etc/secnet | |
| 17 | # cp example.conf /etc/secnet/secnet.conf | |
| 18 | # cd /etc/secnet | |
| 19 | # ssh-keygen -f key -N "" | |
| 20 | ||
| 21 | (When upgrading, just install the new /usr/local/sbin/secnet; keep | |
| 22 | your current configuration file.) | |
| 23 | ||
| 24 | If you intend to start secnet as root, I suggest you create an userid | |
| 25 | for it to run as once it's ready to drop its privileges. Example: | |
| 26 | # adduser --system --no-create-home secnet | |
| 27 | ||
| 28 | Generate a site file fragment for your site, and submit it for | |
| 29 | inclusion in the vpn-sites file. Download the vpn-sites file. | |
| 30 | ||
| 31 | * Constructing a site file fragment | |
| 32 | ||
| 33 | You need the following information: | |
| 34 | ||
| 35 | 1. a short name for your site, eg. "greenend". This is used to | |
| 36 | identify your site in the vpn-sites file. | |
| 37 | ||
| 38 | 2. the name your site will use in the key setup protocol, | |
| 39 | eg. "greenend" (these two will usually be similar or the same). | |
| 40 | ||
| 41 | 3. the DNS name of the machine that will be the "front-end" for your | |
| 42 | secnet installation. This will typically be the name of the gateway | |
| 43 | machine for your network, eg. sinister.dynamic.greenend.org.uk | |
| 44 | ||
| 45 | secnet does not actually have to run on this machine, as long as the | |
| 46 | machine can be configured to forward UDP packets to the machine that | |
| 47 | is running secnet. | |
| 48 | ||
| 49 | 4. the port number used to contact secnet at your site. This is the | |
| 50 | port number on the front-end machine, and does not necessarily have to | |
| 51 | match the port number on the machine running secnet. | |
| 52 | ||
| 53 | 5. the list of networks accessible at your site over the VPN. | |
| 54 | ||
| 55 | 6. the public part of the RSA key you generated during installation | |
| 56 | (in /etc/secnet/key.pub if you followed the installation | |
| 57 | instructions). This file contains three numbers and a comment on one | |
| 58 | line. The first number is the key length in bits, and can be | |
| 59 | ignored. The second number (typically small) is the encryption key | |
| 60 | 'e', and the third number (large) is the modulus 'n'. | |
| 61 | ||
| 62 | If you are running secnet on a particularly slow machine, you may like | |
| 63 | to specify a larger value for the key setup retry timeout than the | |
| 64 | default, to prevent unnecessary retransmissions of key setup | |
| 65 | packets. See the notes in the example configuration file for more on | |
| 66 | this. | |
| 67 | ||
| 68 | The site file fragment should look something like this: | |
| 69 | ||
| 70 | shortname { | |
| 71 | name "sitename"; | |
| 72 | address "your.public.address.org.uk"; | |
| 73 | port 5678; | |
| 74 | networks "172.18.45.0/24"; | |
| 75 | key rsa-public("35","153279875126380522437827076871354104097683702803616313419670959273217685015951590424876274370401136371563604396779864283483623325238228723798087715987495590765759771552692972297669972616769731553560605291312242789575053620182470998166393580503400960149506261455420521811814445675652857085993458063584337404329"); | |
| 76 | }; |