1 | # secnet example configuration file |
2 | ||
3 | # Log facility | |
4 | log logfile("secnet","local2"); # Not yet implemented, goes to stderr | |
5 | ||
6 | # Systemwide configuration (all other configuration is per-site): | |
7 | # log a log facility for program messages | |
8 | # userid who we try to run as after setup | |
9 | # pidfile | |
10 | system { | |
11 | userid "secnet"; # account we switch to once setup is complete - keep it unprivileged | |
12 | pidfile "/var/run/secnet.pid"; # where the running daemon records its pid | |
13 | }; | |
14 | ||
15 | # Parameters for each remote site (arguments to the site() closure): | |
16 | # things we configure locally | |
17 | # buffer buffer for constructing/sending/receiving packets | |
18 | # netlink user/kernel netlink device for this tunnel | |
19 | # comm UDP communication | |
20 | # resolver resolver to use for name lookups | |
21 | # log a log destination for this connection | |
22 | # log-events string list: which events we log | |
23 | # random a source of randomness | |
24 | ||
25 | # our local configuration visible to the outside world | |
26 | # local-name string: how we identify ourselves to them | |
27 | # local-key our own private RSA key | |
28 | # local-port port number we listen on | |
29 | ||
30 | # their configuration visible to us | |
31 | # name string: how they identify themselves | |
32 | # address string: use with resolver to find their IP address | |
33 | # networks string list: their networks for us | |
34 | # key the remote site's RSA public key | |
35 | # port port we send to to contact remote site | |
36 | ||
37 | # things both ends must agree on | |
38 | # transform routine for bulk encryption | |
39 | # dh Diffie-Hellman parameters | |
40 | # hash secure hash function | |
41 | ||
42 | # things both ends ought to agree on, but don't have to | |
43 | # key-lifetime max session key lifetime, in milliseconds | |
44 | # setup-retries max retransmits of a key setup packet | |
45 | # setup-timeout wait between retransmits of key setup packets, in ms | |
46 | # wait-time wait between unsuccessful key setup attempts, in ms | |
47 | ||
48 | # Use the universal TUN/TAP driver to get packets to and from the kernel | |
49 | netlink tun { | |
50 | name "netlink-tun"; # Printed in log messages from this netlink | |
51 | # interface "tun0"; # You may set your own interface name if you wish; | |
52 | # if you don't, one will be chosen for you. | |
||
54 | # Local networks served by this netlink device. This list is also an ingress | |
55 | # filter: incoming tunneled packets for any other network are discarded, so keep it tight. | |
56 | networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24"; | |
57 | local-address "192.168.x.x"; # IP address of host's tunnel interface | |
58 | secnet-address "192.168.x.x"; # IP address of this secnet | |
||
60 | # MTU of the tunnel interface. Should be kept under the path-MTU | |
61 | # (by at least 60 bytes) between this secnet and its peers for | |
62 | # optimum performance. | |
63 | mtu 1400; | |
||
65 | # This buffer is used to pass incoming packets onto the 'site' | |
66 | # module. It should be at least as big as the MTU plus 60 bytes | |
67 | # (2048 comfortably covers the 1400 MTU above). Buffers can sometimes be | |
68 | # shared between netlink devices - see full documentation for more details. (XXX TODO) | |
69 | buffer sysbuffer(2048); | |
70 | }; | |
71 | ||
72 | # Alternatively (or additionally, if you like) use userv-ipif to get | |
73 | # packets to and from the kernel. | |
74 | #netlink userv-ipif { | |
75 | # name "netlink-userv-ipif"; | |
76 | # # userv-path "/usr/bin/userv"; | |
77 | # # service-user "root"; | |
78 | # # service-name "ipif"; | |
79 | # networks "whatever"; | |
80 | # local-address "whatever"; | |
81 | # secnet-address "whatever"; | |
82 | # mtu 1400; | |
83 | # buffer sysbuffer(2048); | |
84 | #}; | |
85 | ||
86 | # This defines the port that this instance of secnet will listen on, and | |
87 | # originate packets on. It does not _have_ to correspond to the advertised | |
88 | # port for your site: you may be doing network address translation, for | |
89 | # example. You need to arrange that any UDP packets sent to the advertised | |
90 | # host and port for your site end up on this machine at the port you | |
91 | # specify here (and that your firewall admits them). | |
92 | comm udp { | |
93 | port xxxx; # replace xxxx with the UDP port to bind | |
94 | buffer sysbuffer(4096); # buffer for packets sent/received on this socket | |
95 | }; | |
96 | ||
97 | # The resolver is used to look up IP addresses from the DNS names provided | |
98 | # in the sites file (their 'address' field). You may specify an alternative | |
99 | # resolv.conf for ADNS here if you wish. Note that ordinary DNS answers are not | |
100 | # authenticated: a spoofed answer can misdirect where packets for a peer are sent, so peer identity is meant to rest on the keys in the sites file, not on the address (confirm against the site code). | |
100 | resolver adns { | |
101 | # config=readfile("/etc/secnet/adns.conf"); | |
102 | }; | |
103 | ||
104 | # log is defined earlier - we share it with the system | |
105 | log-events "init","up","down"; # XXX not yet used | |
106 | ||
107 | # A source of random bits for nonces and session keys: point this at the kernel's | |
108 | # CSPRNG device (/dev/urandom), never at an ordinary file. The 'no' specifies that it's non-blocking. XXX 'yes' isn't implemented yet. | |
109 | random randomfile("/dev/urandom",no); | |
110 | ||
111 | local-name "your-site-name"; # how we identify ourselves to peers | |
112 | local-key rsa-private("/etc/secnet/key"); # our private RSA key: keep the file readable by root only (mode 0600) | |
113 | ||
114 | # On dodgy links you may want to specify a higher maximum sequence number skew. | |
115 | transform serpent256-cbc { | |
116 | max-sequence-skew 10; # raise only as far as reordering requires: a larger skew widens the window of out-of-order (and so potentially replayed) sequence numbers that are accepted - confirm against the transform's replay check | |
117 | }; | |
118 | ||
119 | include /etc/secnet/sites | |
||
121 | # Here you must list all the VPN sites that you wish to communicate with. | |
122 | # The /etc/secnet/sites file contains information on all reachable sites; | |
123 | # if the site you want to communicate with isn't listed, get a newer version. | |
124 | # MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it contains the public keys | |
125 | # for all sites, so a tampered copy could let an attacker pose as one of them; verify its signature or key fingerprints out of band before installing it. | |
126 | ||
127 | sites # one site() closure per peer we talk to; presumably each name refers to an entry in the included sites file | |
128 | site(example-vpn/some-site), | |
129 | site(example-vpn/some-other-site), | |
130 | site(example-vpn/a-third-site); |