changelog: start 0.6.8

[secnet.git] / example.conf

# secnet example configuration file

# This file is part of secnet.
# See LICENCE and this file CREDITS for full list of copyright holders.
# SPDX-License-Identifier: GPL-3.0-or-later
# There is NO WARRANTY.

# Log facility
# If you use this unaltered you should consider providing automatic log
# rotation for /var/log/secnet.  secnet will close and re-open its logfiles
# when it receives SIGHUP.
log logfile {
        filename "/var/log/secnet";
        class "info","notice","warning","error","security","fatal";
        # There are some useful message classes that could replace
        # this list:
        #  'default' -> warning,error,security,fatal
        #  'verbose' -> info,notice,default
        #  'quiet'   -> fatal
};

# Alternatively you could log through syslog:
# log syslog {
#       ident "secnet";
#       facility "local0";
# };


# Systemwide configuration (all other configuration is per-site):
# log           a log facility for program messages
# userid        who we try to run as after setup
# pidfile
system {
        # Note that you should not specify 'userid' here unless secnet
        # is being invoked as root.
        userid "secnet";
        pidfile "/var/run/secnet.pid";
};

# Parameters for each remote site (arguments to the site() closure):
#  things we configure locally
# buffer                buffer for constructing/sending/receiving packets
# netlink               user/kernel netlink device for this tunnel
# comm                  UDP communication
# resolver              resolver to use for name lookups
# log                   a log destination for this connection
# log-events            string list: which events we log
# random                a source of randomness

#  our local configuration visible to the outside world
# local-name            string: how we identify ourselves to them
# local-key             our own private RSA key
# local-port            port number we listen on

#  their configuration visible to us
# name                  string: how they identify themselves
# address               string: use with resolver to find their IP address
# networks              string list: their networks for us
# key                   the remote site's RSA public key
# port                  port we send to to contact remote site

#  things both ends must agree on
# transform             routine for bulk encryption
# dh                    Diffie-Hellman parameters
# hash                  secure hash function

#  things both ends ought to agree on, but don't have to
# key-lifetime          max session key lifetime, in milliseconds
# setup-retries         max retransmits of a key setup packet
# setup-timeout         wait between retransmits of key setup packets, in ms
# wait-time             wait between unsuccessful key setup attempts, in ms
# renegotiate-time      set up a new key if we see any traffic after this time

# Defaults that may be overridden on a per-site basis:
#setup-retries 10;
#setup-timeout 2000;

# Use the universal TUN/TAP driver to get packets to and from the kernel,
# through a single interface.  secnet will act as a router; it requires
# its own IP address which is specified below (you'll see it on traceroute,
# etc. for routes that go via tunnels).  If you don't want secnet to act
# as a router, and instead want a separate kernel network interface per
# tunnel, then see the alternative configuration below

# If you want to use userv-ipif to manage interfaces then replace the
# word "tun" with "userv-ipif".
netlink tun {
        name "netlink-tun"; # Printed in log messages from this netlink
#       interface "tun0"; # You may set your own interface name if you wish;
                # if you don't one will be chosen for you.
#       device "/dev/net/tun";

        local-address "192.168.x.x"; # IP address of host's tunnel interface
        secnet-address "192.168.x.x"; # IP address of this secnet

        # Tunnels are only allowed to use these networks; attempts to
        # claim IP addresses in any other ranges is a configuration error
        remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";

        # MTU of the tunnel interface. Should be kept under the path-MTU
        # (by at least 60 bytes) between this secnet and its peers for
        # optimum performance.
        mtu 1400;

        # This buffer is used to pass incoming packets onto the 'site'
        # module. It should be at least as big as the MTU plus 60 bytes.
        # Buffers can sometimes be shared between netlink devices - see
        # full documentation for more details. (XXX TODO)
        buffer sysbuffer(2048);
};

# This alternative configuration allows you to create one kernel network
# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
# WORK WITH "userv-ipif".  This is because "tun" can share a single
# buffer between multiple network interfaces, but userv-ipif can't.
# To use userv-ipif in this style, process the sites.conf file so that
# each "netlink" section contains a "buffer sysbuffer(2048);" line.
#netlink tun;
#local-address "192.168.x.x"; # Address of local interfaces - all the same
#mtu 1400;
#buffer sysbuffer(2048);

# This is small enough that it fits without fragmentation into
# the foolish wifi on Greater Anglia's now-retired Class 379s.
# This is good because they mishandle fragmentation.
mtu-target 1260;


# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
# port for your site: you may be doing network address translation, for
# example. You need to arrange that any UDP packets sent to the advertised
# host and port for your site end up on this machine at the port you
# specify here.
comm udp {
        port 410;
        buffer sysbuffer(4096);
};

# The resolver is used to look up IP addresses from the DNS names provided
# in the sites file. You may specify an alternative resolv.conf for
# ADNS here if you wish.
resolver adns {
#       config=readfile("/etc/secnet/adns.conf");
};

# log is defined earlier - we share it with the system
log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
        "security";

# A source of random bits for nonces and session keys. The 'no' specifies
# that it's non-blocking. XXX 'yes' isn't implemented yet.
random randomfile("/dev/urandom",no);

# If you're using the make-secnet-sites script then your local-name
# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");

# Are we a mobile site?
#local-mobile true;

# On dodgy links you may want to specify a higher maximum sequence number skew
transform eax-serpent { }, serpent256-cbc { };

include /etc/secnet/sites.conf

# The /etc/secnet/sites file contains information on all reachable sites;
# if the site you want to communicate with isn't listed, you should get
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites.

# If you want to communicate with all the VPN sites, you can use something
# like the following:

sites map(site,all-sites);

# Or with a particular VPN
#sites map(site,vpn/Vexample/all-sites);

# If you only want to communicate with a subset of the VPN sites, list
# them explicitly:

# sites map(site,
#       vpn-data/example/location1/site1,
#       vpn-data/example/location2/site1,
#       vpn-data/example/location2/site2);

# If you want to communicate with a subset of locations, try the following:

# sites map(site,vpn/example/location1,vpn/example/location2);

# This file is placed in the public domain (insofar as possible.)
# Authors:  Stephen Early, Ian Jackson