1 secnet - flexible VPN software
5 secnet is Copyright (C) 1995--2001 Stephen Early <steve@greenend.org.uk>
6 It is distributed under the terms of the GNU General Public License,
7 version 2 or later. See the file COPYING for more information.
9 The portable snprintf implementation in snprintf.c is Copyright (C)
10 1999 Mark Martinec <mark.martinec@ijs.si> and is distributed under the
11 terms of the Frontier Artistic License. You can find the standard
12 version of snprintf.c at http://www.ijs.si/software/snprintf/
14 The IP address handling library in ipaddr.py is Copyright (C)
15 1996--2000 Cendio Systems AB, and is distributed under the terms of
20 secnet allows large virtual private networks to be constructed
21 spanning multiple separate sites. It is designed for the case where a
22 private network connecting many hosts is 'hidden' behind a single
23 globally-routable IP address, but can also be applied in other
24 circumstances. It communicates entirely using UDP, and works well
25 with gateways that implement network address translation.
27 If you are installing secnet to join an existing VPN, you should read
28 the 'INSTALL' file and your particular VPN's documentation now. You
29 may need to refer back to this file for information on the netlink and
30 comm sections of the configuration file.
32 If you are thinking about setting up a new VPN of any size (from one
33 providing complete links between multiple sites to a simple
34 laptop-to-host link), read the section in this file on 'Creating a
37 * Mailing lists and bug reporting
39 There are two mailing lists associated with secnet: an 'announce' list
40 and a 'discuss' list. Their addresses are:
41 http://www.chiark.greenend.org.uk/mailman/listinfo/secnet-announce
42 http://www.chiark.greenend.org.uk/mailman/listinfo/secnet-discuss
44 The -announce list receives one message per secnet release. The
45 -discuss list is for general discussion, including help with
46 configuration, bug reports, feature requests, etc.
48 Bug reports should be sent to <steve@greenend.org.uk>; they will be
49 forwarded to the -discuss list by me.
55 * secnet configuration file format
57 By default secnet on linux reads /etc/secnet/secnet.conf. The default
58 may be different on other platforms.
60 This file defines a dictionary (a mapping from keys to values) full of
61 configuration information for secnet. Two keys must be defined in
62 this file for secnet to start. One is "system", a dictionary
63 containing systemwide control parameters. The other is "sites", a
64 list of all the sites that you intend to communicate with.
66 The configuration file has a very simple syntax; keys are defined as
75 Keys must match the following regular expression:
76 [[:alpha:]_][[:alnum:]\-_]*
78 i.e. the first character must be an alpha or an underscore, and the
79 remaining characters may be alphanumeric, '-' or '_'.
81 Keys can be defined to be a comma-separated list of any of the
87 a dictionary of definitions, enclosed in { }
88 a "closure", followed by arguments
89 a path to a key that already exists, to reference that definition
91 Note that dictionaries can be nested: a key in one dictionary can
92 refer to another dictionary. When secnet looks for a key in a
93 particular directory and can't find it, it looks in the dictionary's
94 lexical 'parents' in turn until it finds it (or fails to find it at
95 all and stops with an error).
97 Definitions can refer to previous definitions by naming them with a
98 path. Paths are key1/key2/key3... (starting from wherever we find
99 key1, i.e. in the current dictionary or any of its parents), or
100 alternatively /key1/key2/key3... (to start from the root).
101 Definitions cannot refer to future definitions.
110 The following paths are valid:
122 Note that f/g/e is NOT 4.
124 Elements that are lists are inserted into lists in definitions, not
125 referenced by them (i.e. you can't have lists of lists).
127 Some closures may be followed by an argument list in ( ), and may
128 return any number of whatever type they like (including other
129 closures). Some types of closure (typically those returned from
130 invokations of other closures) cannot be invoked.
132 closure { definitions } is short for closure({definitions}).
134 The main body of secnet, and all the additional modules, predefine
135 some keys in the root dictionary. The main ones are:
137 yes, true, True, TRUE, on: the boolean value True
138 no, false, False, FALSE, off: the boolean value False
139 makelist: turns a dictionary (arg1) into a list of definitions
141 readfile: reads a file (arg1) and returns it as a string
143 Keys defined by modules are described below, in the module
146 Other configuration files can be included inline by writing "include
147 filename" at the start of a line.
149 After the configuration file is read, secnet looks for particular keys
150 in configuration space to tell it what to do:
152 system: a dictionary which can contain the following keys:
153 log (log closure): a destination for system messages
154 userid (string): the userid for secnet to run as once it drops privileges
155 pidfile (string): where to store its PID
157 sites: a list of closures of type 'site', which define other tunnel
158 endpoints that secnet will attempt to communicate with
160 * secnet command line options
162 Usage: secnet [OPTION]...
164 -f, --silent, --quiet suppress error messages
165 -w, --nowarnings suppress warnings
166 -v, --verbose output extra diagnostics
167 -c, --config=filename specify a configuration file
168 -j, --just-check-config stop after reading configfile
169 -n, --nodetach do not run in background
170 -d, --debug=item,... set debug options
171 --help display this help and exit
172 --version output version information and exit
174 * secnet builtin modules
179 adns (closure => resolver closure)
182 config (string): optional, a resolv.conf for ADNS to use
187 randomsrc (closure => randomsrc closure)
189 randomsrc: string[,bool]
190 arg1: filename of random source
191 arg2: if True then source is blocking
196 udp (closure => comm closure)
199 port (integer): UDP port to listen and send on
200 buffer (buffer closure): buffer for incoming packets
201 authbind (string): optional, path to authbind-helper program
206 logfile (closure => log closure)
207 syslog (closure => log closure)
209 logfile: dict argument
210 filename (string): where to log to
211 class (string list): what type of messages to log
212 { "debug-config", M_DEBUG_CONFIG },
213 { "debug-phase", M_DEBUG_PHASE },
214 { "debug", M_DEBUG },
215 { "all-debug", M_DEBUG|M_DEBUG_PHASE|M_DEBUG_CONFIG },
217 { "notice", M_NOTICE },
218 { "warning", M_WARNING },
219 { "error", M_ERROR },
220 { "security", M_SECURITY },
221 { "fatal", M_FATAL },
222 { "default", M_WARNING|M_ERROR|M_SECURITY|M_FATAL },
223 { "verbose", M_INFO|M_NOTICE|M_WARNING|M_ERROR|M_SECURITY|M_FATAL },
226 logfile will close and reopen its file upon receipt of SIGHUP.
228 syslog: dict argument
229 ident (string): include this string in every log message
230 facility (string): facility to log as
231 { "authpriv", LOG_AUTHPRIV },
232 { "cron", LOG_CRON },
233 { "daemon", LOG_DAEMON },
234 { "kern", LOG_KERN },
235 { "local0", LOG_LOCAL0 },
236 { "local1", LOG_LOCAL1 },
237 { "local2", LOG_LOCAL2 },
238 { "local3", LOG_LOCAL3 },
239 { "local4", LOG_LOCAL4 },
240 { "local5", LOG_LOCAL5 },
241 { "local6", LOG_LOCAL6 },
242 { "local7", LOG_LOCAL7 },
244 { "mail", LOG_MAIL },
245 { "news", LOG_NEWS },
246 { "syslog", LOG_SYSLOG },
247 { "user", LOG_USER },
253 sysbuffer (closure => buffer closure)
255 sysbuffer: integer[,dict]
258 lockdown (boolean): if True, mlock() the buffer
263 site (closure => site closure)
266 local-name (string): this site's name for itself
267 name (string): the name of the site's peer
268 link (netlink closure)
270 resolver (resolver closure)
271 random (randomsrc closure)
272 local-key (rsaprivkey closure)
273 address (string): optional, DNS name used to find our peer
274 port (integer): mandatory if 'address' is specified: the port used
276 key (rsapubkey closure): our peer's public key
277 transform (transform closure): how to mangle packets sent between sites
280 key-lifetime (integer): max lifetime of a session key, in ms [one hour]
281 setup-retries (integer): max number of times to transmit a key negotiation
283 setup-timeout (integer): time between retransmissions of key negotiation
284 packets, in ms [1000]
285 wait-time (integer): after failed key setup, wait this long (in ms) before
286 allowing another attempt [20000]
287 renegotiate-time (integer): if we see traffic on the link after this time
288 then renegotiate another session key immediately [depends on key-lifetime]
289 keepalive (bool): if True then attempt always to keep a valid session key
290 log-events (string list): types of events to log for this site
291 unexpected: unexpected key setup packets (may be late retransmissions)
292 setup-init: start of attempt to setup a session key
293 setup-timeout: failure of attempt to setup a session key, through timeout
294 activate-key: activation of a new session key
295 timeout-key: deletion of current session key through age
296 security: anything potentially suspicious
297 state-change: steps in the key setup protocol
298 packet-drop: whenever we throw away an outgoing packet
299 dump-packets: every key setup packet we see
300 errors: failure of name resolution, internal errors
301 all: everything (too much!)
306 serpent256-cbc (closure => transform closure)
311 null-netlink (closure => closure or netlink closure)
313 null-netlink: dict argument
314 name (string): name for netlink device, used in log messages
315 networks (string list): networks on the host side of the netlink device
316 exclude-remote-networks (string list): networks that may never be claimed
317 by any remote site using this netlink device
318 local-address (string): IP address of host's tunnel interface
319 secnet-address (string): IP address of this netlink device
320 ptp-address (string): IP address of the other end of a point-to-point link
321 mtu (integer): MTU of host's tunnel interface
323 Only one of secnet-address or ptp-address may be specified. If
324 point-to-point mode is in use then the "routes" option must also be
325 specified, and netlink returns a netlink closure that should be used
326 directly with the "link" option to the site closure. If
327 point-to-point mode is not in use then netlink returns a closure that
328 may be invoked using a dict argument with the following keys to yield
330 routes (string list): networks reachable down the tunnel attached to
331 this instance of netlink
332 options (string list):
333 allow-route: allow packets coming from this tunnel to be routed to
334 other tunnels as well as the host (used for mobile devices like laptops)
335 soft-route: remove these routes from the host's routing table when
336 the tunnel link quality is zero
337 mtu (integer): default MTU over this link; may be updated by tunnel code
339 Netlink will dump its current routing table to the system/log on
345 userv-ipif (closure => netlink closure)
347 userv-ipif: dict argument
348 userv-path (string): optional, where to find userv ["userv"]
349 service-user (string): optional, username for userv-ipif service ["root"]
350 service-name (string): optional, name of userv-ipif service ["ipif"]
351 buffer (buffer closure): buffer for assembly of host->secnet packets
352 plus generic netlink options, as for 'null-netlink'
357 tun (closure => netlink closure) [only on linux-2.4]
358 tun-old (closure => netlink closure)
361 flavour (string): optional, type of TUN interface to use
362 ("guess","linux","bsd","streams")
363 device (string): optional, path of TUN/TAP device file ["/dev/net/tun"]
364 interface (string): optional, name of tunnel network interface
365 ifconfig-path (string): optional, path to ifconfig command
366 route-path (string): optional, path to route command
367 ifconfig-type (string): optional, how to perform ifconfig
368 route-type (string): optional, how to add and remove routes
369 types are: "guess", "ioctl", "bsd", "linux", "solaris-2.5"
370 buffer (buffer closure): buffer for host->secnet packets
371 plus generic netlink options, as for 'null-netlink'
373 I recommend you don't specify the 'interface' option unless you're
374 doing something that requires the interface name to be constant.
379 rsa-private (closure => rsaprivkey closure)
380 rsa-public (closure => rsapubkey closure)
382 rsa-private: string[,bool]
383 arg1: filename of SSH private key file (version 1, no password)
384 arg2: whether to check that the key is usable [default True]
386 rsa-public: string,string
387 arg1: encryption key (decimal)
388 arg2: modulus (decimal)
393 diffie-hellman (closure => dh closure)
395 diffie-hellman: string,string[,bool]
397 arg2: generator (hex)
398 arg3: whether to check that the modulus is prime [default True]
413 makelist (dictionary => list of definitions)
414 readfile (string => string)
415 map (closure,list => list)
418 returns a list consisting of the definitions in the dictionary. The keys
422 reads the named file and returns its contents as a string
425 applies the closure specified as arg1 to each of the elements in the list.
426 Returns a list made up of the outputs of the closure.