[secnet] / README

secnet - flexible VPN software

* Copying

secnet is Copyright (C) 1995--2001 Stephen Early <steve@greenend.org.uk>
It is distributed under the terms of the GNU General Public License,
version 2 or later.  See the file COPYING for more information.

The portable snprintf implementation in snprintf.c is Copyright (C)
1999 Mark Martinec <mark.martinec@ijs.si> and is distributed under the
terms of the Frontier Artistic License.  You can find the standard
version of snprintf.c at http://www.ijs.si/software/snprintf/

The IP address handling library in ipaddr.py is Copyright (C)
1996--2000 Cendio Systems AB, and is distributed under the terms of
the GPL.

* Introduction

secnet allows large virtual private networks to be constructed
spanning multiple separate sites.  It is designed for the case where a
private network connecting many hosts is 'hidden' behind a single
globally-routable IP address, but can also be applied in other
circumstances.  It communicates entirely using UDP, and works well
with gateways that implement network address translation.

If you are installing secnet to join an existing VPN, you should read
the 'INSTALL' file and your particular VPN's documentation now.  You
may need to refer back to this file for information on the netlink and
comm sections of the configuration file.

If you are thinking about setting up a new VPN of any size (from one
providing complete links between multiple sites to a simple
laptop-to-host link), read the section in this file on 'Creating a
VPN'.

* Creating a VPN

XXX TODO

* secnet configuration file format

By default secnet on linux reads /etc/secnet/secnet.conf.  The default
may be different on other platforms.

This file defines a dictionary (a mapping from keys to values) full of
configuration information for secnet.  Two keys must be defined in
this file for secnet to start.  One is "system", a dictionary
containing systemwide control parameters.  The other is "sites", a
list of all the sites that you intend to communicate with.

The configuration file has a very simple syntax; keys are defined as
follows:

key definition;
or
key = definition;

(the "=" is optional)

Keys must match the following regular expression:
[[:alpha:]_][[:alnum:]\-_]*

i.e. the first character must be an alpha or an underscore, and the
remaining characters may be alphanumeric, '-' or '_'.

Keys can be defined to be a comma-separated list of any of the
following types:

  a boolean
  a string, in quotes
  a number, in decimal
  a dictionary of definitions, enclosed in { }
  a "closure", followed by arguments
  a path to a key that already exists, to reference that definition

Note that dictionaries can be nested: a key in one dictionary can
refer to another dictionary. When secnet looks for a key in a
particular directory and can't find it, it looks in the dictionary's
lexical 'parents' in turn until it finds it (or fails to find it at
all and stops with an error).

Definitions can refer to previous definitions by naming them with a
path.  Paths are key1/key2/key3... (starting from wherever we find
key1, i.e. in the current dictionary or any of its parents), or
alternatively /key1/key2/key3... (to start from the root).
Definitions cannot refer to future definitions.

Example:

a=1;
b=2;
c={ d=3; e=a; };
f={ a=4; g=c; };

The following paths are valid:
a is 1
b is 2
c is a dictionary:
 c/d is 3
 c/e is 1
f is a dictionary:
 f/a is 4
 f/g is a dictionary:
  f/g/d is 3
  f/g/e is 1

Note that f/g/e is NOT 4.

In a future version of secnet it will also be permissible to list
other dictionaries before a dictionary definition,
eg. <defaults,otherdefaults>{definitions}.  These will be searched in
order for keys, before the lexical parent.  (This is not yet
implemented)

Elements that are lists are inserted into lists in definitions, not
referenced by them (i.e. you can't have lists of lists).

Some closures may be followed by an argument list in ( ), and may
return any number of whatever type they like (including other
closures).  Some types of closure (typically those returned from
invokations of other closures) cannot be invoked.

closure { definitions } is short for closure({definitions}).

The main body of secnet, and all the additional modules, predefine
some keys in the root dictionary.  The main ones are:

  yes, true, True, TRUE:   the boolean value True
  no, false, False, FALSE: the boolean value False
  makelist:   turns a dictionary (arg1) into a list of definitions
              (ignoring the keys)
  readfile:   reads a file (arg1) and returns it as a string

Keys defined by modules are described below, in the module
documentation.

Other configuration files can be included inline by writing "include
filename" at the start of a line.

After the configuration file is read, secnet looks for particular keys
in configuration space to tell it what to do:

 system: a dictionary which can contain the following keys:
   log (log closure): a destination for system messages
   userid (string): the userid for secnet to run as once it drops privileges
   pidfile (string): where to store its PID
   
 sites: a list of closures of type 'site', which define other tunnel
        endpoints that secnet will attempt to communicate with

* secnet command line options

XXX TODO

* secnet builtin modules

** resolver

Defines:
  adns (closure => resolver closure)

adns: dict argument
  config (string): optional, a resolv.conf for ADNS to use

** random

Defines:
  randomsrc (closure => randomsrc closure)

randomsrc: string[,bool]
  arg1: filename of random source
  arg2: if True then source is blocking

** udp

Defines:
  udp (closure => comm closure)

udp: dict argument
  port (integer): UDP port to listen and send on
  buffer (buffer closure): buffer for incoming packets
  authbind (string): optional, path to authbind-helper program

** log

Defines:
  logfile (closure => log closure)
  syslog (closure => log closure)

logfile: dict argument
  filename (string): where to log to
  class (string list): what type of messages to log
    { "debug-config", M_DEBUG_CONFIG },
    { "debug-phase", M_DEBUG_PHASE },
    { "debug", M_DEBUG },
    { "all-debug", M_DEBUG|M_DEBUG_PHASE|M_DEBUG_CONFIG },
    { "info", M_INFO },
    { "notice", M_NOTICE },
    { "warning", M_WARNING },
    { "error", M_ERROR },
    { "security", M_SECURITY },
    { "fatal", M_FATAL },
    { "default", M_WARNING|M_ERROR|M_SECURITY|M_FATAL },
    { "verbose", M_INFO|M_NOTICE|M_WARNING|M_ERROR|M_SECURITY|M_FATAL },
    { "quiet", M_FATAL }

logfile will close and reopen its file upon receipt of SIGHUP.

syslog: dict argument
  ident (string): include this string in every log message
  facility (string): facility to log as
    { "authpriv", LOG_AUTHPRIV },
    { "cron", LOG_CRON },
    { "daemon", LOG_DAEMON },
    { "kern", LOG_KERN },
    { "local0", LOG_LOCAL0 },
    { "local1", LOG_LOCAL1 },
    { "local2", LOG_LOCAL2 },
    { "local3", LOG_LOCAL3 },
    { "local4", LOG_LOCAL4 },
    { "local5", LOG_LOCAL5 },
    { "local6", LOG_LOCAL6 },
    { "local7", LOG_LOCAL7 },
    { "lpr", LOG_LPR },
    { "mail", LOG_MAIL },
    { "news", LOG_NEWS },
    { "syslog", LOG_SYSLOG },
    { "user", LOG_USER },
    { "uucp", LOG_UUCP }

** util

Defines:
  sysbuffer (closure => buffer closure)

sysbuffer: integer[,dict]
  arg1: buffer length
  arg2: options:
    lockdown (boolean): if True, mlock() the buffer

** site

Defines:
  site (closure => site closure)

site: dict argument
  local-name (string): this site's name for itself
  name (string): the name of the site's peer
  netlink (netlink closure)
  comm (comm closure)
  resolver (resolver closure)
  random (randomsrc closure)
  local-key (rsaprivkey closure)
  address (string): optional, DNS name used to find our peer
  port (integer): mandatory if 'address' is specified: the port used
    to contact our peer
  networks (string list): networks that our peer may claim traffic for
  key (rsapubkey closure): our peer's public key
  transform (transform closure): how to mangle packets sent between sites
  dh (dh closure)
  hash (hash closure)
  key-lifetime (integer): max lifetime of a session key, in ms [one hour]
  setup-retries (integer): max number of times to transmit a key negotiation
    packet [5]
  setup-timeout (integer): time between retransmissions of key negotiation
    packets, in ms [1000]
  wait-time (integer): after failed key setup, wait this long (in ms) before
    allowing another attempt [20000]
  renegotiate-time (integer): if we see traffic on the link after this time
    then renegotiate another session key immediately [depends on key-lifetime]
  keepalive (bool): if True then attempt always to keep a valid session key
  log-events (string list): types of events to log for this site
    unexpected: unexpected key setup packets (may be late retransmissions)
    setup-init: start of attempt to setup a session key
    setup-timeout: failure of attempt to setup a session key, through timeout
    activate-key: activation of a new session key
    timeout-key: deletion of current session key through age
    security: anything potentially suspicious
    state-change: steps in the key setup protocol
    packet-drop: whenever we throw away an outgoing packet
    dump-packets: every key setup packet we see
    errors: failure of name resolution, internal errors
    all: everything (too much!)
  netlink-options (string list): options to pass to netlink device when
    registering remote networks
    soft: create 'soft' routes that go away when there's no key established
      with the peer
    allow-route: allow packets from our peer to be sent down other tunnels,
      as well as to the host

** transform

Defines:
  serpent256-cbc (closure => transform closure)

** netlink

Defines:
  null-netlink (closure => netlink closure)

null-netlink: dict argument
  name (string): name for netlink device, used in log messages
  networks (string list): networks on the host side of the netlink device
  exclude-remote-networks (string list): networks that may never be claimed
    by any remote site using this netlink device
  local-address (string): IP address of host's tunnel interface
  secnet-address (string): IP address of this netlink device
  ptp-address (string): IP address of the other end of a point-to-point link
  mtu (integer): MTU of host's tunnel interface

Only one of secnet-address or ptp-address may be specified. If
point-to-point mode is in use then precisely one tunnel must register
with the netlink device.

Netlink will dump its current routing table to the system/log on
receipt of SIGUSR1.

** slip

Defines:
  userv-ipif (closure => netlink closure)

userv-ipif: dict argument
  userv-path (string): optional, where to find userv ["userv"]
  service-user (string): optional, username for userv-ipif service ["root"]
  service-name (string): optional, name of userv-ipif service ["ipif"]
  buffer (buffer closure): buffer for assembly of host->secnet packets
 plus generic netlink options, as for 'null-netlink'

** tun

Defines:
  tun (closure => netlink closure) [only on linux-2.4]
  tun-old (closure => netlink closure)

tun: dict argument
  device (string): optional, path of TUN/TAP device file ["/dev/net/tun"]
  interface (string): optional, name of tunnel network interface
  ifconfig-path (string): optional, path to ifconfig command
  route-path (string): optional, path to route command
  buffer (buffer closure): buffer for host->secnet packets
 plus generic netlink options, as for 'null-netlink'

tun-old: dict argument
  device (string): optional, path of TUN/TAP device file ["/dev/tun*"]
  interface (string): optional, name of tunnel network interface
  interface-search (bool): optional, whether to search for a free tunnel
    interface (True if 'device' not specified, otherwise False)
  ifconfig-path (string): optional, path to ifconfig command
  route-path (string): optional, path to route command
 plus generic netlink options, as for 'null-netlink'

 I recommend you don't specify the 'interface' option unless you're
 doing something that requires the interface name to be constant.

** rsa

Defines:
  rsa-private (closure => rsaprivkey closure)
  rsa-public (closure => rsapubkey closure)

rsa-private: string[,bool]
  arg1: filename of SSH private key file (version 1, no password)
  arg2: whether to check that the key is usable [default True]

rsa-public: string,string
  arg1: encryption key (decimal)
  arg2: modulus (decimal)

** dh

Defines:
  diffie-hellman (closure => dh closure)

diffie-hellman: string,string[,bool]
  arg1: modulus (hex)
  arg2: generator (hex)
  arg3: whether to check that the modulus is prime [default True]

** md5

Defines:
  md5 (hash closure)

** sha1

Defines:
  sha1 (hash closure)

** conffile

Defines:
  makelist (dictionary => list of definitions)
  readfile (string => string)
  map (closure,list => list)

makelist: dictionary
  returns a list consisting of the definitions in the dictionary. The keys
  are discarded.

readfile: string
  reads the named file and returns its contents as a string

map:
  applies the closure specified as arg1 to each of the elements in the list.
  Returns a list made up of the outputs of the closure.
Commit	Line	Data
558fa3fb SE	1	secnet - flexible VPN software
558fa3fb SE	2
8dea8d37 SE	3	* Copying
	4
	5	secnet is Copyright (C) 1995--2001 Stephen Early <steve@greenend.org.uk>
	6	It is distributed under the terms of the GNU General Public License,
	7	version 2 or later. See the file COPYING for more information.
	8
	9	The portable snprintf implementation in snprintf.c is Copyright (C)
	10	1999 Mark Martinec <mark.martinec@ijs.si> and is distributed under the
	11	terms of the Frontier Artistic License. You can find the standard
	12	version of snprintf.c at http://www.ijs.si/software/snprintf/
	13
	14	The IP address handling library in ipaddr.py is Copyright (C)
	15	1996--2000 Cendio Systems AB, and is distributed under the terms of
	16	the GPL.
	17
558fa3fb SE	18	* Introduction
	19
	20	secnet allows large virtual private networks to be constructed
	21	spanning multiple separate sites. It is designed for the case where a
	22	private network connecting many hosts is 'hidden' behind a single
	23	globally-routable IP address, but can also be applied in other
	24	circumstances. It communicates entirely using UDP, and works well
	25	with gateways that implement network address translation.
	26
	27	If you are installing secnet to join an existing VPN, you should read
	28	the 'INSTALL' file and your particular VPN's documentation now. You
	29	may need to refer back to this file for information on the netlink and
	30	comm sections of the configuration file.
	31
	32	If you are thinking about setting up a new VPN of any size (from one
	33	providing complete links between multiple sites to a simple
	34	laptop-to-host link), read the section in this file on 'Creating a
	35	VPN'.
	36
	37	* Creating a VPN
	38
	39	XXX TODO
	40
	41	* secnet configuration file format
	42
	43	By default secnet on linux reads /etc/secnet/secnet.conf. The default
	44	may be different on other platforms.
	45
	46	This file defines a dictionary (a mapping from keys to values) full of
	47	configuration information for secnet. Two keys must be defined in
	48	this file for secnet to start. One is "system", a dictionary
	49	containing systemwide control parameters. The other is "sites", a
	50	list of all the sites that you intend to communicate with.
	51
	52	The configuration file has a very simple syntax; keys are defined as
	53	follows:
	54
	55	key definition;
	56	or
	57	key = definition;
	58
	59	(the "=" is optional)
	60
	61	Keys must match the following regular expression:
	62	[[:alpha:]_][[:alnum:]\-_]*
	63
	64	i.e. the first character must be an alpha or an underscore, and the
	65	remaining characters may be alphanumeric, '-' or '_'.
	66
	67	Keys can be defined to be a comma-separated list of any of the
	68	following types:
	69
	70	a boolean
	71	a string, in quotes
	72	a number, in decimal
	73	a dictionary of definitions, enclosed in { }
	74	a "closure", followed by arguments
	75	a path to a key that already exists, to reference that definition
	76
	77	Note that dictionaries can be nested: a key in one dictionary can
	78	refer to another dictionary. When secnet looks for a key in a
	79	particular directory and can't find it, it looks in the dictionary's
	80	lexical 'parents' in turn until it finds it (or fails to find it at
	81	all and stops with an error).
82
83	Definitions can refer to previous definitions by naming them with a
84	path. Paths are key1/key2/key3... (starting from wherever we find
85	key1, i.e. in the current dictionary or any of its parents), or
86	alternatively /key1/key2/key3... (to start from the root).
87	Definitions cannot refer to future definitions.
88
89	Example:
90
91	a=1;
92	b=2;
93	c={ d=3; e=a; };
94	f={ a=4; g=c; };
95
96	The following paths are valid:
97	a is 1
98	b is 2
99	c is a dictionary:
100	c/d is 3
101	c/e is 1
102	f is a dictionary:
103	f/a is 4
104	f/g is a dictionary:
105	f/g/d is 3
106	f/g/e is 1
107
108	Note that f/g/e is NOT 4.
109
110	In a future version of secnet it will also be permissible to list
111	other dictionaries before a dictionary definition,
112	eg. <defaults,otherdefaults>{definitions}. These will be searched in
113	order for keys, before the lexical parent. (This is not yet
114	implemented)
115
116	Elements that are lists are inserted into lists in definitions, not
117	referenced by them (i.e. you can't have lists of lists).
118
119	Some closures may be followed by an argument list in ( ), and may
120	return any number of whatever type they like (including other
121	closures). Some types of closure (typically those returned from
122	invokations of other closures) cannot be invoked.
123
124	closure { definitions } is short for closure({definitions}).
125
126	The main body of secnet, and all the additional modules, predefine
127	some keys in the root dictionary. The main ones are:
128
129	yes, true, True, TRUE: the boolean value True
130	no, false, False, FALSE: the boolean value False
131	makelist: turns a dictionary (arg1) into a list of definitions
132	(ignoring the keys)
133	readfile: reads a file (arg1) and returns it as a string
134
135	Keys defined by modules are described below, in the module
136	documentation.
137
138	Other configuration files can be included inline by writing "include
139	filename" at the start of a line.
140
141	After the configuration file is read, secnet looks for particular keys
142	in configuration space to tell it what to do:
143
144	system: a dictionary which can contain the following keys:
145	log (log closure): a destination for system messages
146	userid (string): the userid for secnet to run as once it drops privileges
147	pidfile (string): where to store its PID
148
149	sites: a list of closures of type 'site', which define other tunnel
150	endpoints that secnet will attempt to communicate with
151
152	* secnet command line options
153
154	XXX TODO
155
156	* secnet builtin modules
157
158	** resolver
159
160	Defines:
161	adns (closure => resolver closure)
162
3454dce4 SE	163	adns: dict argument
	164	config (string): optional, a resolv.conf for ADNS to use
	165
558fa3fb SE	166	** random
	167
	168	Defines:
	169	randomsrc (closure => randomsrc closure)
	170
3454dce4 SE	171	randomsrc: string[,bool]
	172	arg1: filename of random source
	173	arg2: if True then source is blocking
	174
558fa3fb SE	175	** udp
	176
	177	Defines:
	178	udp (closure => comm closure)
	179
3454dce4 SE	180	udp: dict argument
	181	port (integer): UDP port to listen and send on
	182	buffer (buffer closure): buffer for incoming packets
b2a56f7c	183	authbind (string): optional, path to authbind-helper program
3454dce4	184
042a8da9	185	** log
558fa3fb SE	186
	187	Defines:
	188	logfile (closure => log closure)
b2a56f7c	189	syslog (closure => log closure)
558fa3fb	190
b2a56f7c SE	191	logfile: dict argument
	192	filename (string): where to log to
	193	class (string list): what type of messages to log
	194	{ "debug-config", M_DEBUG_CONFIG },
	195	{ "debug-phase", M_DEBUG_PHASE },
	196	{ "debug", M_DEBUG },
	197	{ "all-debug", M_DEBUG\|M_DEBUG_PHASE\|M_DEBUG_CONFIG },
	198	{ "info", M_INFO },
	199	{ "notice", M_NOTICE },
	200	{ "warning", M_WARNING },
	201	{ "error", M_ERROR },
	202	{ "security", M_SECURITY },
	203	{ "fatal", M_FATAL },
	204	{ "default", M_WARNING\|M_ERROR\|M_SECURITY\|M_FATAL },
	205	{ "verbose", M_INFO\|M_NOTICE\|M_WARNING\|M_ERROR\|M_SECURITY\|M_FATAL },
	206	{ "quiet", M_FATAL }
	207
042a8da9 SE	208	logfile will close and reopen its file upon receipt of SIGHUP.
042a8da9 SE	209
b2a56f7c SE	210	syslog: dict argument
	211	ident (string): include this string in every log message
	212	facility (string): facility to log as
	213	{ "authpriv", LOG_AUTHPRIV },
	214	{ "cron", LOG_CRON },
	215	{ "daemon", LOG_DAEMON },
	216	{ "kern", LOG_KERN },
	217	{ "local0", LOG_LOCAL0 },
	218	{ "local1", LOG_LOCAL1 },
	219	{ "local2", LOG_LOCAL2 },
	220	{ "local3", LOG_LOCAL3 },
	221	{ "local4", LOG_LOCAL4 },
	222	{ "local5", LOG_LOCAL5 },
	223	{ "local6", LOG_LOCAL6 },
	224	{ "local7", LOG_LOCAL7 },
	225	{ "lpr", LOG_LPR },
	226	{ "mail", LOG_MAIL },
	227	{ "news", LOG_NEWS },
	228	{ "syslog", LOG_SYSLOG },
	229	{ "user", LOG_USER },
	230	{ "uucp", LOG_UUCP }
	231
042a8da9 SE	232	** util
	233
	234	Defines:
	235	sysbuffer (closure => buffer closure)
	236
b2a56f7c SE	237	sysbuffer: integer[,dict]
	238	arg1: buffer length
	239	arg2: options:
	240	lockdown (boolean): if True, mlock() the buffer
	241
558fa3fb SE	242	** site
	243
	244	Defines:
	245	site (closure => site closure)
	246
3454dce4 SE	247	site: dict argument
	248	local-name (string): this site's name for itself
	249	name (string): the name of the site's peer
	250	netlink (netlink closure)
	251	comm (comm closure)
	252	resolver (resolver closure)
	253	random (randomsrc closure)
	254	local-key (rsaprivkey closure)
	255	address (string): optional, DNS name used to find our peer
	256	port (integer): mandatory if 'address' is specified: the port used
	257	to contact our peer
	258	networks (string list): networks that our peer may claim traffic for
	259	key (rsapubkey closure): our peer's public key
	260	transform (transform closure): how to mangle packets sent between sites
	261	dh (dh closure)
	262	hash (hash closure)
	263	key-lifetime (integer): max lifetime of a session key, in ms [one hour]
	264	setup-retries (integer): max number of times to transmit a key negotiation
	265	packet [5]
	266	setup-timeout (integer): time between retransmissions of key negotiation
	267	packets, in ms [1000]
	268	wait-time (integer): after failed key setup, wait this long (in ms) before
	269	allowing another attempt [20000]
	270	renegotiate-time (integer): if we see traffic on the link after this time
	271	then renegotiate another session key immediately [depends on key-lifetime]
	272	keepalive (bool): if True then attempt always to keep a valid session key
	273	log-events (string list): types of events to log for this site
	274	unexpected: unexpected key setup packets (may be late retransmissions)
	275	setup-init: start of attempt to setup a session key
	276	setup-timeout: failure of attempt to setup a session key, through timeout
	277	activate-key: activation of a new session key
	278	timeout-key: deletion of current session key through age
	279	security: anything potentially suspicious
	280	state-change: steps in the key setup protocol
	281	packet-drop: whenever we throw away an outgoing packet
	282	dump-packets: every key setup packet we see
	283	errors: failure of name resolution, internal errors
	284	all: everything (too much!)
	285	netlink-options (string list): options to pass to netlink device when
	286	registering remote networks
	287	soft: create 'soft' routes that go away when there's no key established
	288	with the peer
	289	allow-route: allow packets from our peer to be sent down other tunnels,
	290	as well as to the host
	291
558fa3fb SE	292	** transform
	293
	294	Defines:
	295	serpent256-cbc (closure => transform closure)
	296
	297	** netlink
	298
	299	Defines:
3454dce4 SE	300	null-netlink (closure => netlink closure)
	301
	302	null-netlink: dict argument
	303	name (string): name for netlink device, used in log messages
	304	networks (string list): networks on the host side of the netlink device
	305	exclude-remote-networks (string list): networks that may never be claimed
	306	by any remote site using this netlink device
	307	local-address (string): IP address of host's tunnel interface
	308	secnet-address (string): IP address of this netlink device
c6f79b17	309	ptp-address (string): IP address of the other end of a point-to-point link
3454dce4 SE	310	mtu (integer): MTU of host's tunnel interface
3454dce4 SE	311
c6f79b17 SE	312	Only one of secnet-address or ptp-address may be specified. If
	313	point-to-point mode is in use then precisely one tunnel must register
	314	with the netlink device.
	315
042a8da9 SE	316	Netlink will dump its current routing table to the system/log on
	317	receipt of SIGUSR1.
	318
3454dce4 SE	319	** slip
	320
	321	Defines:
558fa3fb	322	userv-ipif (closure => netlink closure)
3454dce4 SE	323
	324	userv-ipif: dict argument
	325	userv-path (string): optional, where to find userv ["userv"]
	326	service-user (string): optional, username for userv-ipif service ["root"]
	327	service-name (string): optional, name of userv-ipif service ["ipif"]
	328	buffer (buffer closure): buffer for assembly of host->secnet packets
	329	plus generic netlink options, as for 'null-netlink'
	330
	331	** tun
	332
	333	Defines:
558fa3fb SE	334	tun (closure => netlink closure) [only on linux-2.4]
558fa3fb SE	335	tun-old (closure => netlink closure)
3454dce4 SE	336
	337	tun: dict argument
	338	device (string): optional, path of TUN/TAP device file ["/dev/net/tun"]
	339	interface (string): optional, name of tunnel network interface
	340	ifconfig-path (string): optional, path to ifconfig command
	341	route-path (string): optional, path to route command
	342	buffer (buffer closure): buffer for host->secnet packets
	343	plus generic netlink options, as for 'null-netlink'
	344
	345	tun-old: dict argument
	346	device (string): optional, path of TUN/TAP device file ["/dev/tun*"]
	347	interface (string): optional, name of tunnel network interface
	348	interface-search (bool): optional, whether to search for a free tunnel
	349	interface (True if 'device' not specified, otherwise False)
	350	ifconfig-path (string): optional, path to ifconfig command
	351	route-path (string): optional, path to route command
	352	plus generic netlink options, as for 'null-netlink'
558fa3fb	353
c6f79b17 SE	354	I recommend you don't specify the 'interface' option unless you're
	355	doing something that requires the interface name to be constant.
	356
558fa3fb SE	357	** rsa
	358
	359	Defines:
	360	rsa-private (closure => rsaprivkey closure)
	361	rsa-public (closure => rsapubkey closure)
	362
3454dce4 SE	363	rsa-private: string[,bool]
	364	arg1: filename of SSH private key file (version 1, no password)
	365	arg2: whether to check that the key is usable [default True]
	366
	367	rsa-public: string,string
	368	arg1: encryption key (decimal)
	369	arg2: modulus (decimal)
	370
558fa3fb SE	371	** dh
	372
	373	Defines:
	374	diffie-hellman (closure => dh closure)
	375
3454dce4 SE	376	diffie-hellman: string,string[,bool]
	377	arg1: modulus (hex)
	378	arg2: generator (hex)
	379	arg3: whether to check that the modulus is prime [default True]
	380
558fa3fb SE	381	** md5
	382
	383	Defines:
	384	md5 (hash closure)
3454dce4 SE	385
	386	** sha1
	387
	388	Defines:
	389	sha1 (hash closure)
c6f79b17 SE	390
	391	** conffile
	392
	393	Defines:
	394	makelist (dictionary => list of definitions)
	395	readfile (string => string)
	396	map (closure,list => list)
	397
	398	makelist: dictionary
	399	returns a list consisting of the definitions in the dictionary. The keys
	400	are discarded.
	401
	402	readfile: string
	403	reads the named file and returns its contents as a string
	404
	405	map:
	406	applies the closure specified as arg1 to each of the elements in the list.
	407	Returns a list made up of the outputs of the closure.