# secnet example configuration file
# Log facility
-log syslog {
- ident "secnet";
- facility "local0";
+log logfile {
+ filename "/var/log/secnet";
+ class "info","notice","warning","error","security","fatal";
+ # There are some useful message classes that could replace
+ # this list:
+ # 'default' -> warning,error,security,fatal
+ # 'verbose' -> info,notice,default
+ # 'quiet' -> fatal
};
-# Alternatively you could log to a file:
-# log logfile {
-# filename "/var/log/secnet";
-# class "info","notice","warning","error","security","fatal";
-# # There are some useful message classes that could replace
-# # this list:
-# # 'default' -> warning,error,security,fatal
-# # 'verbose' -> info,notice,default
-# # 'quiet' -> fatal
+# Alternatively you could log to syslog:
+# log syslog {
+# ident "secnet";
+# facility "local0";
# };
+
# Systemwide configuration (all other configuration is per-site):
# log a log facility for program messages
# userid who we try to run as after setup
setup-timeout 2000;
# Use the universal TUN/TAP driver to get packets to and from the kernel
-# (use tun-old if you are not on Linux-2.4)
netlink tun {
name "netlink-tun"; # Printed in log messages from this netlink
# interface "tun0"; # You may set your own interface name if you wish;
# if you don't one will be chosen for you.
+# device "/dev/net/tun";
- # local networks served by this netlink device
- # incoming tunneled packets for other networks will be discarded
- networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
local-address "192.168.x.x"; # IP address of host's tunnel interface
secnet-address "192.168.x.x"; # IP address of this secnet
+ # Tunnels are only allowed to use these networks; attempts to
+ # claim IP addresses in any other ranges is a configuration error
+ remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
+
# MTU of the tunnel interface. Should be kept under the path-MTU
# (by at least 60 bytes) between this secnet and its peers for
# optimum performance.
# host and port for your site end up on this machine at the port you
# specify here.
comm udp {
- port xxxx;
+ port 410;
buffer sysbuffer(4096);
};
# that it's non-blocking. XXX 'yes' isn't implemented yet.
random randomfile("/dev/urandom",no);
-# If you're using the make-secnet-sites.py script then your local-name
+# If you're using the make-secnet-sites script then your local-name
# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites.
-sites
- site(vpn-data/example/location1/site1),
- site(vpn-data/example/location2/site1),
- site(vpn-data/example/location2/site2);
+sites map(site,
+ vpn-data/example/location1/site1,
+ vpn-data/example/location2/site1,
+ vpn-data/example/location2/site2);
# If you want to communicate with all the VPN sites, you can use something
# like the following instead: