--- /dev/null
+# secnet example configuration file
+
+# Log facility
+log logfile("secnet","local2"); # Not yet implemented, goes to stderr
+
+# Systemwide configuration (all other configuration is per-site):
+# log a log facility for program messages
+# userid who we try to run as after setup
+# pidfile
+system {
+ userid "secnet";
+ pidfile "/var/run/secnet.pid";
+};
+
+# Parameters for each remote site (arguments to the site() closure):
+# things we configure locally
+# buffer buffer for constructing/sending/receiving packets
+# netlink user/kernel netlink device for this tunnel
+# comm UDP communication
+# resolver resolver to use for name lookups
+# log a log destination for this connection
+# log-events string list: which events we log
+# random a source of randomness
+
+# our local configuration visible to the outside world
+# local-name string: how we identify ourselves to them
+# local-key our own private RSA key
+# local-port port number we listen on
+
+# their configuration visible to us
+# name string: how they identify themselves
+# address string: use with resolver to find their IP address
+# networks string list: their networks for us
+# key the remote site's RSA public key
+# port port we send to to contact remote site
+
+# things both ends must agree on
+# transform routine for bulk encryption
+# dh Diffie-Hellman parameters
+# hash secure hash function
+
+# things both ends ought to agree on, but don't have to
+# key-lifetime max session key lifetime, in milliseconds
+# setup-retries max retransmits of a key setup packet
+# setup-timeout wait between retransmits of key setup packets, in ms
+# wait-time wait between unsuccessful key setup attempts, in ms
+
+# Use the universal TUN/TAP driver to get packets to and from the kernel
+netlink tun {
+ name "netlink-tun"; # Printed in log messages from this netlink
+# interface "tun0"; # You may set your own interface name if you wish;
+ # if you don't one will be chosen for you.
+
+ # local networks served by this netlink device
+ # incoming tunneled packets for other networks will be discarded
+ networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
+ local-address "192.168.x.x"; # IP address of host's tunnel interface
+ secnet-address "192.168.x.x"; # IP address of this secnet
+
+ # MTU of the tunnel interface. Should be kept under the path-MTU
+ # (by at least 60 bytes) between this secnet and its peers for
+ # optimum performance.
+ mtu 1400;
+
+ # This buffer is used to pass incoming packets onto the 'site'
+ # module. It should be at least as big as the MTU plus 60 bytes.
+ # Buffers can sometimes be shared between netlink devices - see
+ # full documentation for more details. (XXX TODO)
+ buffer sysbuffer(2048);
+};
+
+# Alternatively (or additionally, if you like) use userv-ipif to get
+# packets to and from the kernel.
+#netlink userv-ipif {
+# name "netlink-userv-ipif";
+# # userv-path "/usr/bin/userv";
+# # service-user "root";
+# # service-name "ipif";
+# networks "whatever";
+# local-address "whatever";
+# secnet-address "whatever";
+# mtu 1400;
+# buffer sysbuffer(2048);
+#};
+
+# This defines the port that this instance of secnet will listen on, and
+# originate packets on. It does not _have_ to correspond to the advertised
+# port for your site: you may be doing network address translation, for
+# example. You need to arrange that any UDP packets sent to the advertised
+# host and port for your site end up on this machine at the port you
+# specify here.
+comm udp {
+ port xxxx;
+ buffer sysbuffer(4096);
+};
+
+# The resolver is used to look up IP addresses from the DNS names provided
+# in the sites file. You may specify an alternative resolv.conf for
+# ADNS here if you wish.
+resolver adns {
+# config=readfile("/etc/secnet/adns.conf");
+};
+
+# log is defined earlier - we share it with the system
+log-events "init","up","down"; # XXX not yet used
+
+# A source of random bits for nonces and session keys. The 'no' specifies
+# that it's non-blocking. XXX 'yes' isn't implemented yet.
+random randomfile("/dev/urandom",no);
+
+local-name "your-site-name";
+local-key rsa-private("/etc/secnet/key");
+
+# On dodgy links you may want to specify a higher maximum sequence number skew
+transform serpent256-cbc {
+ max-sequence-skew 10;
+};
+
+include /etc/secnet/sites
+
+# Here you must list all the VPN sites that you wish to communicate with.
+# The /etc/secnet/sites file contains information on all reachable sites;
+# if the site you want to communicate with isn't listed, you should get
+# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
+# contains public keys for all sites.
+
+sites
+ site(example-vpn/some-site),
+ site(example-vpn/some-other-site),
+ site(example-vpn/a-third-site);
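Review bot: The `include /etc/secnet/sites` line sits above the comment block that explains it and warns that the file carries the public keys of every reachable site, so an operator editing the example reaches the include before the authenticity warning; move that comment block above the include and extend it with `# This file establishes which peers you trust: keep it writable only by root and verify its origin before replacing it.` The `local-key rsa-private("/etc/secnet/key")` line has no comment at all; a line such as `# Private RSA key - restrict permissions to the account that reads it (see userid in the system block) - TODO confirm whether it is read before or after the privilege drop.` would tell the operator what to set, since the example does not say when the key is loaded relative to switching to the `secnet` userid. On `max-sequence-skew 10` the comment recommends raising the value on dodgy links but does not mention the cost; presumably a larger skew widens the range of sequence numbers the receiver accepts, so a short note of that trade-off next to the value would stop operators from setting it arbitrarily high.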