X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=example.conf;h=d6908ff7c820c0b13b0c9e798d0e1c72b7b13f93;hp=cfaa847a67429a043540925028609d977846c83c;hb=1e80c220a810380ae8b5a155e2bd6937c951c83c;hpb=df1b18fc6f4d422268eff0ed1d8f04ae0b11b82f
diff --git a/example.conf b/example.conf
index cfaa847..d6908ff 100644
--- a/example.conf
+++ b/example.conf
@@ -1,13 +1,33 @@
 # secnet example configuration file
 # Log facility
-log logfile("secnet","local2"); # Not yet implemented, goes to stderr
+# If you use this unaltered you should consider providing automatic log
+# rotation for /var/log/secnet. secnet will close and re-open its logfiles
+# when it receives SIGHUP.
+log logfile {
+ filename "/var/log/secnet";
+ class "info","notice","warning","error","security","fatal";
+ # There are some useful message classes that could replace
+ # this list:
+ # 'default' -> warning,error,security,fatal
+ # 'verbose' -> info,notice,default
+ # 'quiet' -> fatal
+};
+
+# Alternatively you could log through syslog:
+# log syslog {
+# ident "secnet";
+# facility "local0";
+# };
+
 # Systemwide configuration (all other configuration is per-site):
 # log a log facility for program messages
 # userid who we try to run as after setup
 # pidfile
 system {
+ # Note that you should not specify 'userid' here unless secnet
+ # is being invoked as root.
 userid "secnet";
 pidfile "/var/run/secnet.pid";
 };
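Review bot: The explicit `class` list in the new `log logfile` block is exactly what the comment's own 'verbose' expansion yields (info and notice on top of the 'default' set), so the comment could say so instead of leaving the reader to work it out: `# The list above is equivalent to 'verbose'; 'default' drops info and notice.` The `'quiet' -> fatal` line is also the one alternative that discards the "security" class, which is worth stating in a file meant to be copied unaltered, e.g. `# note that 'quiet' also suppresses 'security' messages`. Both are comment-only changes to the added lines at the top of the hunk.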
@@ -44,19 +64,34 @@ system {
 # setup-retries max retransmits of a key setup packet
 # setup-timeout wait between retransmits of key setup packets, in ms
 # wait-time wait between unsuccessful key setup attempts, in ms
+# renegotiate-time set up a new key if we see any traffic after this time
+
+# Defaults that may be overridden on a per-site basis:
+setup-retries 10;
+setup-timeout 2000;
-# Use the universal TUN/TAP driver to get packets to and from the kernel
+# Use the universal TUN/TAP driver to get packets to and from the kernel,
+# through a single interface. secnet will act as a router; it requires
+# its own IP address which is specified below (you'll see it on traceroute,
+# etc. for routes that go via tunnels). If you don't want secnet to act
+# as a router, and instead want a separate kernel network interface per
+# tunnel, then see the alternative configuration below
+
+# If you want to use userv-ipif to manage interfaces then replace the
+# word "tun" with "userv-ipif".
 netlink tun {
 name "netlink-tun"; # Printed in log messages from this netlink
 # interface "tun0"; # You may set your own interface name if you wish;
 # if you don't one will be chosen for you.
+# device "/dev/net/tun";
- # local networks served by this netlink device
- # incoming tunneled packets for other networks will be discarded
- networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
 local-address "192.168.x.x"; # IP address of host's tunnel interface
 secnet-address "192.168.x.x"; # IP address of this secnet
+ # Tunnels are only allowed to use these networks; attempts to
+ # claim IP addresses in any other ranges is a configuration error
+ remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
+
 # MTU of the tunnel interface. Should be kept under the path-MTU
 # (by at least 60 bytes) between this secnet and its peers for
 # optimum performance.
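Review bot: The added `remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";` admits every RFC 1918 range, while the comment two lines above presents this setting as the bound on what tunnels may claim and every other address in the block is an `x.x` placeholder the operator has to fill in, so an unaltered copy gets the widest allowance instead of a prompt to narrow it. Either use the same placeholder style the removed `networks` line used, e.g. `remote-networks "192.168.x.x/24", "172.x.x.x/24";`, or add `# Narrow this to the ranges actually assigned to your VPN's sites.` above it. The comment also has a number-agreement slip: `attempts ... is a configuration error` should read `attempts ... are a configuration error`. Earlier in the hunk, `# Defaults that may be overridden on a per-site basis:` is followed by values for only setup-retries and setup-timeout although wait-time and the new renegotiate-time are documented in the same list; if those have built-in defaults, a line saying so would avoid the impression that they must be set here.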
@@ -69,19 +104,17 @@ netlink tun {
 buffer sysbuffer(2048);
 };
-# Alternatively (or additionally, if you like) use userv-ipif to get
-# packets to and from the kernel.
-#netlink userv-ipif {
-# name "netlink-userv-ipif";
-# # userv-path "/usr/bin/userv";
-# # service-user "root";
-# # service-name "ipif";
-# networks "whatever";
-# local-address "whatever";
-# secnet-address "whatever";
-# mtu 1400;
-# buffer sysbuffer(2048);
-#};
+# This alternative configuration allows you to create one kernel network
+# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
+# WORK WITH "userv-ipif". This is because "tun" can share a single
+# buffer between multiple network interfaces, but userv-ipif can't.
+# To use userv-ipif in this style, process the sites.conf file so that
+# each "netlink" section contains a "buffer sysbuffer(2048);" line.
+#netlink tun;
+#local-address "192.168.x.x"; # Address of local interfaces - all the same
+#mtu 1400;
+#buffer sysbuffer(2048);
+
 # This defines the port that this instance of secnet will listen on, and
 # originate packets on. It does not _have_ to correspond to the advertised
@@ -90,7 +123,7 @@ netlink tun {
 # host and port for your site end up on this machine at the port you
 # specify here.
 comm udp {
- port xxxx;
+ port 410;
 buffer sysbuffer(4096);
 };
@@ -102,12 +135,15 @@ resolver adns {
 };
 # log is defined earlier - we share it with the system
-log-events "init","up","down"; # XXX not yet used
+log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
+ "security";
 # A source of random bits for nonces and session keys. The 'no' specifies
 # that it's non-blocking. XXX 'yes' isn't implemented yet.
 random randomfile("/dev/urandom",no);
+# If you're using the make-secnet-sites script then your local-name
+# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
 local-name "your-site-name";
 local-key rsa-private("/etc/secnet/key");
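Review bot: `port 410;` in the `comm udp` hunk replaces the `xxxx` placeholder with a port below 1024, which on most Unix systems can only be bound with root privileges; together with the first hunk's note that `userid` should only be given when secnet is invoked as root, the example now assumes a root start, but nothing in this hunk says so. A short comment would make that dependency explicit: `# Ports below 1024 need secnet to be started as root (see 'userid' above).` The `comm udp` block is complete within the hunk; the comment about the advertised host and port that precedes it begins in the previous hunk.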
@@ -116,15 +152,27 @@ transform serpent256-cbc {
 max-sequence-skew 10;
 };
-include /etc/secnet/sites
+include /etc/secnet/sites.conf
-# Here you must list all the VPN sites that you wish to communicate with.
 # The /etc/secnet/sites file contains information on all reachable sites;
 # if the site you want to communicate with isn't listed, you should get
 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
 # contains public keys for all sites.
-sites
- site(example-vpn/some-site),
- site(example-vpn/some-other-site),
- site(example-vpn/a-third-site);
+# If you want to communicate with all the VPN sites, you can use something
+# like the following:
+
+sites map(site,vpn/example/all-sites);
+
+# If you only want to communicate with a subset of the VPN sites, list
+# them explicitly:
+
+# sites map(site,
+# vpn-data/example/location1/site1,
+# vpn-data/example/location2/site1,
+# vpn-data/example/location2/site2);
+
+# If you want to communicate with a subset of locations, try the following:
+
+# sites map(site,vpn/example/location1,vpn/example/location2);
+
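Review bot: The include now reads `/etc/secnet/sites.conf`, but the retained comment directly below still says `# The /etc/secnet/sites file contains information on all reachable sites;`, so the authenticity warning about the file carrying everyone's public keys names a file the configuration no longer reads; change it to `# The /etc/secnet/sites.conf file contains information on all reachable sites;`. The examples also switch between the `vpn/example/...` prefix for the all-sites and per-location selections and `vpn-data/example/...` for individual sites; if that reflects two different generated name spaces, a one-line comment saying which prefix holds what would keep readers from treating it as a typo, and if it does not, the prefixes should agree.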