X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=INSTALL;h=08eac9a0ec8dd4b73ec6e5deaf494d48278d7607;hp=ab4debdc87ab6f59e04b0741ed64c024a85fbbf0;hb=59938e0ed0c8ac267c3715a25a0a3ed27f7a7e47;hpb=8dea8d37a13fcc615daba3375809900f04a2e5a2;ds=sidebyside diff --git a/INSTALL b/INSTALL index ab4debd..08eac9a 100644 --- a/INSTALL +++ b/INSTALL @@ -4,11 +4,6 @@ USE AT YOUR OWN RISK. THIS IS ALPHA TEST SOFTWARE. I DO NOT GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT VERSIONS. -PROTOCOL COMPATIBILITY WAS BROKEN BETWEEN secnet-0.06, secnet-0.07 AND -secnet-0.08 FOR ENDIANNESS FIXES. - -THERE WILL BE ANOTHER CHANGE IN PROTOCOL IN THE secnet-0.1.x SERIES - * Preparation ** System software support @@ -32,12 +27,6 @@ linux/Documentation/networking/tuntap.txt If you're using TUN/TAP on a platform other than Linux-2.4, see http://vtun.sourceforge.net/tun/ -Note than TUN comes in two flavours, one (called 'tun' in the secnet -config file) which has only one device file (usually /dev/net/tun) and -the other (called 'tun-old') which has many device files (/dev/tun*). -Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris have old-style -TUN. - ** System and network configuration If you intend to start secnet as root, I suggest you create a userid 
@@ -54,18 +43,18 @@ modify the routing table.) If you are joining an existing VPN, read that VPN's documentation now. It may supersede the next paragraph. -You will need to allocate two IP addresses for use by secnet. One -will be for the tunnel interface on your tunnel endpoint machine (i.e. -the address you see in 'ifconfig' when you look at the tunnel -interface). The other will be for secnet itself. These addresses -should probably be allocated from the range used by your internal -network: if you do this, you should provide appropriate proxy-ARP on -the internal network interface of the machine running secnet (eg. add -an entry net/ipv4/conf/eth_whatever/proxy_arp = 1 to /etc/sysctl.conf -on Debian systems and run sysctl -p). Alternatively the addresses -could be from some other range - this works well if the machine -running secnet is the default route out of your network - but this -requires more thought. +In most configurations, you will need to allocate two IP addresses for +use by secnet. One will be for the tunnel interface on your tunnel +endpoint machine (i.e. the address you see in 'ifconfig' when you look +at the tunnel interface). The other will be for secnet itself. These +addresses should probably be allocated from the range used by your +internal network: if you do this, you should provide appropriate +proxy-ARP on the internal network interface of the machine running +secnet (eg. add an entry net/ipv4/conf/eth_whatever/proxy_arp = 1 to +/etc/sysctl.conf on Debian systems and run sysctl -p). Alternatively +the addresses could be from some other range - this works well if the +machine running secnet is the default route out of your network - but +this requires more thought. http://www.ucam.org/cam-grin/ may be useful. 
@@ -83,10 +72,32 @@ $ make # mkdir /etc/secnet (Note: you may see the following warning while compiling -conffile.tab.c; I believe this is a bison bug: +conffile.tab.c; this is a bug in bison-1.28: /usr/share/bison/bison.simple: In function `yyparse': /usr/share/bison/bison.simple:285: warning: `yyval' might be used uninitialized in this function + +You may if you wish apply the following patch to bison.simple: +diff -pu -r1.28.0.1 -r1.28.0.3 +--- bison.s1 1999/08/30 19:23:24 1.28.0.1 ++++ bison.s1 1999/08/30 21:15:18 1.28.0.3 +@@ -523,8 +523,14 @@ yydefault: + /* Do a reduction. yyn is the number of a rule to reduce with. */ + yyreduce: + yylen = yyr2[yyn]; +- if (yylen > 0) +- yyval = yyvsp[1-yylen]; /* implement default value of the action */ ++ ++ /* If yylen is nonzero, implement the default value of the action. ++ Otherwise, the following line sets yyval to the semantic value of ++ the lookahead token. This behavior is undocumented and bison ++ users should not rely upon it. Assigning to yyval ++ unconditionally makes the parser a bit smaller, and it avoids a ++ GCC warning that yyval may be used uninitialized. */ ++ yyval = yyvsp[1-yylen]; + + #if YYDEBUG != 0 + if (yydebug) ) Any other warnings or errors should be reported to 
@@ -96,29 +107,30 @@ If installing for the first time, do # cp example.conf /etc/secnet/secnet.conf # cd /etc/secnet -# ssh-keygen -f key -N "" +# ssh-keygen -f key -t rsa1 -N "" [On BSD use $ LDFLAGS="-L/usr/local/lib" ./configure $ gmake CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" XXX this should eventually be worked out automatically by 'configure'.] -Generate a site file fragment for your site (see below), and submit it -for inclusion in your VPN's 'sites' file. Download the vpn-sites file -to /etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the -sites file contains public keys for all the sites in the VPN. Use the -make-secnet-sites program provided with the secnet distribution to -convert the distributed sites file into one that can be included in a -secnet configuration file: +Generate a site file fragment for your site (see your VPN's +documentation, or see below), and submit it for inclusion in your +VPN's 'sites' file. Download the vpn-sites file to /etc/secnet/sites +- MAKE SURE YOU GET AN AUTHENTIC COPY because the sites file contains +public keys for all the sites in the VPN. Use the make-secnet-sites +program provided with the secnet distribution to convert the +distributed sites file into one that can be included in a secnet +configuration file: -# make-secnet-sites sites sites.conf +# make-secnet-sites /etc/secnet/sites /etc/secnet/sites.conf * Configuration Should be reasonably obvious - edit /etc/secnet/secnet.conf as -prompted by the comments. XXX Fuller documentation of the -configuration file format should be forthcoming in time. Its syntax -is described in the README file at the moment. +prompted by the comments in example.conf. XXX Fuller documentation of +the configuration file format should be forthcoming in time. Its +syntax is described in the README file at the moment. * Constructing your site file fragment 
@@ -144,8 +156,7 @@ is running secnet. port number on the front-end machine, and does not necessarily have to match the port number on the machine running secnet. If you want to use a privileged port number we suggest 410. An appropriate -unprivileged port number is 51396. (These numbers were picked at -random.) +unprivileged port number is 51396. 6. the list of networks accessible at your site over the VPN.
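Review bot: in the hunk @@ -4,11 +4,6 the removed lines are the only record that secnet-0.06, 0.07 and 0.08 speak mutually incompatible protocols (the endianness fixes) and that a further protocol change is planned for the 0.1.x series; the generic "I DO NOT GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY" sentence that survives does not tell an operator which existing peers they can still talk to. Suggest moving the version-specific compatibility history to a NEWS or changelog entry, or leaving a one-line pointer to wherever it now lives, rather than deleting it outright.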
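Review bot: the hunk @@ -32,12 +27,6 deletes the only explanation in INSTALL of the 'tun' and 'tun-old' keywords used in the secnet config file and of which platforms (Linux-2.4 versus Linux-2.2, BSD and Solaris) need which device model (/dev/net/tun versus /dev/tun*). If the configuration file still accepts both keywords, this text should move to README or example.conf instead of being dropped; if 'tun-old' is being retired, say so here so that users on the /dev/tun* platforms know what to expect. The surviving pointer to http://vtun.sourceforge.net/tun/ does not cover the secnet-specific naming.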
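Review bot: in the hunk @@ -54,18 +43,18 the new qualifier "In most configurations" is added without saying which configurations do not need two addresses, so a reader cannot tell whether theirs is one of them; either name the exception (and what is allocated instead) or drop the qualifier and let the preceding "It may supersede the next paragraph" sentence do that job. The rest of the hunk is a rewrap with no content change. While here, "provide appropriate proxy-ARP" plus a bare sysctl line is doing a lot of work; one sentence on what enabling proxy_arp on the internal interface causes the host to answer for would let the reader judge whether it is appropriate for their network.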
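Review bot: the hunk @@ -83,10 +72,32 tells the reader to apply the patch to bison.simple, but the embedded headers name bison.s1 (revisions 1.28.0.1 and 1.28.0.3), so patch(1) will not find the target without the user renaming the file or answering the prompt; either state the path of the installed copy (the warning itself cites /usr/share/bison/bison.simple) and the patch invocation, or fix the headers. Because the patch is itself carried as '+' lines inside INSTALL, the nested '+'/'-' prefixes are easy to mis-copy; a short "save the text between these markers to a file" instruction would help. Also the closing ')' that ends the "(Note: ..." parenthesis now lands alone after the patch, some twenty lines from the opening bracket, and reads as a stray character; consider closing the note before the patch and presenting the patch as its own paragraph.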
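Review bot: in the hunk @@ -96,29 +107,30 the ssh-keygen command gains '-t rsa1' with no explanation; say that secnet needs the SSH protocol-1 RSA key file format so the reader knows not to substitute a newer key type, and note that with '-N ""' the private key is stored unencrypted in /etc/secnet/key and must therefore be readable only by the user secnet runs as (the earlier text already suggests creating a dedicated userid). The "MAKE SURE YOU GET AN AUTHENTIC COPY" warning for the sites file still gives no way to check authenticity; since that file carries every peer's public key, state the verification step (a detached signature, or a fingerprint obtained out of band from the VPN administrator) rather than leaving it to the reader. The absolute paths now passed to make-secnet-sites are an improvement.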
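Review bot: the hunk @@ -144,8 +156,7 drops "(These numbers were picked at random.)", which was the only statement that 410 and 51396 carry no registration or other significance for secnet; without it a reader may assume 410 is assigned to this protocol and be surprised if it collides with an existing service. Keep a short note that the values are arbitrary suggestions and can be changed as long as the front-end machine and the peers agree, or replace it with the reason 410 was chosen if there is one.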