X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;f=example.conf;fp=example.conf;h=cfaa847a67429a043540925028609d977846c83c;hb=df1b18fc6f4d422268eff0ed1d8f04ae0b11b82f;hp=0000000000000000000000000000000000000000;hpb=4efd681a66c15bc6f81eefc69396669e165e5e0f;p=secnet.git diff --git a/example.conf b/example.conf new file mode 100644 index 0000000..cfaa847 --- /dev/null +++ b/example.conf @@ -0,0 +1,130 @@ +# secnet example configuration file + +# Log facility +log logfile("secnet","local2"); # Not yet implemented, goes to stderr + +# Systemwide configuration (all other configuration is per-site): +# log a log facility for program messages +# userid who we try to run as after setup +# pidfile +system { + userid "secnet"; + pidfile "/var/run/secnet.pid"; +}; + +# Parameters for each remote site (arguments to the site() closure): +# things we configure locally +# buffer buffer for constructing/sending/receiving packets +# netlink user/kernel netlink device for this tunnel +# comm UDP communication +# resolver resolver to use for name lookups +# log a log destination for this connection +# log-events string list: which events we log +# random a source of randomness + +# our local configuration visible to the outside world +# local-name string: how we identify ourselves to them +# local-key our own private RSA key +# local-port port number we listen on + +# their configuration visible to us +# name string: how they identify themselves +# address string: use with resolver to find their IP address +# networks string list: their networks for us +# key the remote site's RSA public key +# port port we send to to contact remote site + +# things both ends must agree on +# transform routine for bulk encryption +# dh Diffie-Hellman parameters +# hash secure hash function + +# things both ends ought to agree on, but don't have to +# key-lifetime max session key lifetime, in milliseconds +# setup-retries max retransmits of a key setup packet +# setup-timeout wait between retransmits of key setup packets, in ms +# wait-time wait between unsuccessful key setup attempts, in ms + +# Use the universal TUN/TAP driver to get packets to and from the kernel +netlink tun { + name "netlink-tun"; # Printed in log messages from this netlink +# interface "tun0"; # You may set your own interface name if you wish; + # if you don't one will be chosen for you. + + # local networks served by this netlink device + # incoming tunneled packets for other networks will be discarded + networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24"; + local-address "192.168.x.x"; # IP address of host's tunnel interface + secnet-address "192.168.x.x"; # IP address of this secnet + + # MTU of the tunnel interface. Should be kept under the path-MTU + # (by at least 60 bytes) between this secnet and its peers for + # optimum performance. + mtu 1400; + + # This buffer is used to pass incoming packets onto the 'site' + # module. It should be at least as big as the MTU plus 60 bytes. + # Buffers can sometimes be shared between netlink devices - see + # full documentation for more details. (XXX TODO) + buffer sysbuffer(2048); +}; + +# Alternatively (or additionally, if you like) use userv-ipif to get +# packets to and from the kernel. +#netlink userv-ipif { +# name "netlink-userv-ipif"; +# # userv-path "/usr/bin/userv"; +# # service-user "root"; +# # service-name "ipif"; +# networks "whatever"; +# local-address "whatever"; +# secnet-address "whatever"; +# mtu 1400; +# buffer sysbuffer(2048); +#}; + +# This defines the port that this instance of secnet will listen on, and +# originate packets on. It does not _have_ to correspond to the advertised +# port for your site: you may be doing network address translation, for +# example. You need to arrange that any UDP packets sent to the advertised +# host and port for your site end up on this machine at the port you +# specify here. +comm udp { + port xxxx; + buffer sysbuffer(4096); +}; + +# The resolver is used to look up IP addresses from the DNS names provided +# in the sites file. You may specify an alternative resolv.conf for +# ADNS here if you wish. +resolver adns { +# config=readfile("/etc/secnet/adns.conf"); +}; + +# log is defined earlier - we share it with the system +log-events "init","up","down"; # XXX not yet used + +# A source of random bits for nonces and session keys. The 'no' specifies +# that it's non-blocking. XXX 'yes' isn't implemented yet. +random randomfile("/dev/urandom",no); + +local-name "your-site-name"; +local-key rsa-private("/etc/secnet/key"); + +# On dodgy links you may want to specify a higher maximum sequence number skew +transform serpent256-cbc { + max-sequence-skew 10; +}; + +include /etc/secnet/sites + +# Here you must list all the VPN sites that you wish to communicate with. +# The /etc/secnet/sites file contains information on all reachable sites; +# if the site you want to communicate with isn't listed, you should get +# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it +# contains public keys for all sites. + +sites + site(example-vpn/some-site), + site(example-vpn/some-other-site), + site(example-vpn/a-third-site);