~mdw / secnet / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Import release 0.1.2
[secnet] / example.conf
1 # secnet example configuration file
2
3 # Log facility
4 log logfile("secnet","local2"); # Not yet implemented, goes to stderr
5
6 # Systemwide configuration (all other configuration is per-site):
7 # log a log facility for program messages
8 # userid who we try to run as after setup
9 # pidfile
10 system {
11 userid "secnet";
12 pidfile "/var/run/secnet.pid";
13 };
14
15 # Parameters for each remote site (arguments to the site() closure):
16 # things we configure locally
17 # buffer buffer for constructing/sending/receiving packets
18 # netlink user/kernel netlink device for this tunnel
19 # comm UDP communication
20 # resolver resolver to use for name lookups
21 # log a log destination for this connection
22 # log-events string list: which events we log
23 # random a source of randomness
24
25 # our local configuration visible to the outside world
26 # local-name string: how we identify ourselves to them
27 # local-key our own private RSA key
28 # local-port port number we listen on
29
30 # their configuration visible to us
31 # name string: how they identify themselves
32 # address string: use with resolver to find their IP address
33 # networks string list: their networks for us
34 # key the remote site's RSA public key
35 # port port we send to to contact remote site
36
37 # things both ends must agree on
38 # transform routine for bulk encryption
39 # dh Diffie-Hellman parameters
40 # hash secure hash function
41
42 # things both ends ought to agree on, but don't have to
43 # key-lifetime max session key lifetime, in milliseconds
44 # setup-retries max retransmits of a key setup packet
45 # setup-timeout wait between retransmits of key setup packets, in ms
46 # wait-time wait between unsuccessful key setup attempts, in ms
47 # renegotiate-time set up a new key if we see any traffic after this time
48
49 # Use the universal TUN/TAP driver to get packets to and from the kernel
50 # (use tun-old if you are not on Linux-2.4)
51 netlink tun {
52 name "netlink-tun"; # Printed in log messages from this netlink
53 # interface "tun0"; # You may set your own interface name if you wish;
54 # if you don't one will be chosen for you.
55
56 # local networks served by this netlink device
57 # incoming tunneled packets for other networks will be discarded
58 networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
59 local-address "192.168.x.x"; # IP address of host's tunnel interface
60 secnet-address "192.168.x.x"; # IP address of this secnet
61
62 # MTU of the tunnel interface. Should be kept under the path-MTU
63 # (by at least 60 bytes) between this secnet and its peers for
64 # optimum performance.
65 mtu 1400;
66
67 # This buffer is used to pass incoming packets onto the 'site'
68 # module. It should be at least as big as the MTU plus 60 bytes.
69 # Buffers can sometimes be shared between netlink devices - see
70 # full documentation for more details. (XXX TODO)
71 buffer sysbuffer(2048);
72 };
73
74 # Alternatively (or additionally, if you like) use userv-ipif to get
75 # packets to and from the kernel.
76 #netlink userv-ipif {
77 # name "netlink-userv-ipif";
78 # # userv-path "/usr/bin/userv";
79 # # service-user "root";
80 # # service-name "ipif";
81 # networks "whatever";
82 # local-address "whatever";
83 # secnet-address "whatever";
84 # mtu 1400;
85 # buffer sysbuffer(2048);
86 #};
87
88 # This defines the port that this instance of secnet will listen on, and
89 # originate packets on. It does not _have_ to correspond to the advertised
90 # port for your site: you may be doing network address translation, for
91 # example. You need to arrange that any UDP packets sent to the advertised
92 # host and port for your site end up on this machine at the port you
93 # specify here.
94 comm udp {
95 port xxxx;
96 buffer sysbuffer(4096);
97 };
98
99 # The resolver is used to look up IP addresses from the DNS names provided
100 # in the sites file. You may specify an alternative resolv.conf for
101 # ADNS here if you wish.
102 resolver adns {
103 # config=readfile("/etc/secnet/adns.conf");
104 };
105
106 # log is defined earlier - we share it with the system
107 log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
108 "security";
109
110 # A source of random bits for nonces and session keys. The 'no' specifies
111 # that it's non-blocking. XXX 'yes' isn't implemented yet.
112 random randomfile("/dev/urandom",no);
113
114 local-name "your-site-name";
115 local-key rsa-private("/etc/secnet/key");
116
117 # On dodgy links you may want to specify a higher maximum sequence number skew
118 transform serpent256-cbc {
119 max-sequence-skew 10;
120 };
121
122 include /etc/secnet/sites
123
124 # Here you must list all the VPN sites that you wish to communicate with.
125 # The /etc/secnet/sites file contains information on all reachable sites;
126 # if the site you want to communicate with isn't listed, you should get
127 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
128 # contains public keys for all sites.
129
130 sites
131 site(example-vpn/some-site),
132 site(example-vpn/some-other-site),
133 site(example-vpn/a-third-site);
134
135 # If you want to communicate with all the VPN sites, you can use something
136 # like the following instead:
137
138 # sites map(site,makelist(example-vpn));
Secnet virtual private network: clone of http://www.chiark.greenend.org.uk/ucgi/~ian/git/secnet.git/