X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=secnet.git;a=blobdiff_plain;f=example.conf;h=d6908ff7c820c0b13b0c9e798d0e1c72b7b13f93;hp=0d7a546684df550603f4bcca17624aae7c4aff48;hb=92a7d254975db245c3320855515bffc1aebda9e4;hpb=08f344d3bdffe4bb83b47b5e2d53758ce231ebc4
diff --git a/example.conf b/example.conf
index 0d7a546..d6908ff 100644
--- a/example.conf
+++ b/example.conf
@@ -1,13 +1,33 @@
 # secnet example configuration file
 # Log facility
-log logfile("secnet","local2"); # Not yet implemented, goes to stderr
+# If you use this unaltered you should consider providing automatic log
+# rotation for /var/log/secnet. secnet will close and re-open its logfiles
+# when it receives SIGHUP.
+log logfile {
+ filename "/var/log/secnet";
+ class "info","notice","warning","error","security","fatal";
+ # There are some useful message classes that could replace
+ # this list:
+ # 'default' -> warning,error,security,fatal
+ # 'verbose' -> info,notice,default
+ # 'quiet' -> fatal
+};
+
+# Alternatively you could log through syslog:
+# log syslog {
+# ident "secnet";
+# facility "local0";
+# };
+
 # Systemwide configuration (all other configuration is per-site):
 # log a log facility for program messages
 # userid who we try to run as after setup
 # pidfile
 system {
+ # Note that you should not specify 'userid' here unless secnet
+ # is being invoked as root.
  userid "secnet";
  pidfile "/var/run/secnet.pid";
 };
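Review bot: The new logfile block writes to /var/log/secnet while the system block a few lines below drops privileges to userid "secnet" after setup, and the comment about SIGHUP re-opening does not say who must be able to write the file. If the re-open happens after the privilege drop, a rotated or freshly created /var/log/secnet owned by root would make the re-open fail, so I would add to the header comment `# After rotation the new file must be writable by the 'userid' given in the system block below, since secnet re-opens it after dropping privileges` — wording to be confirmed against the logfile implementation. The syslog alternative sidesteps this, which is worth one sentence in its comment.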
@@ -46,19 +66,32 @@ system {
 # wait-time wait between unsuccessful key setup attempts, in ms
 # renegotiate-time set up a new key if we see any traffic after this time
-# Use the universal TUN/TAP driver to get packets to and from the kernel
-# (use tun-old if you are not on Linux-2.4)
+# Defaults that may be overridden on a per-site basis:
+setup-retries 10;
+setup-timeout 2000;
+
+# Use the universal TUN/TAP driver to get packets to and from the kernel,
+# through a single interface. secnet will act as a router; it requires
+# its own IP address which is specified below (you'll see it on traceroute,
+# etc. for routes that go via tunnels). If you don't want secnet to act
+# as a router, and instead want a separate kernel network interface per
+# tunnel, then see the alternative configuration below
+
+# If you want to use userv-ipif to manage interfaces then replace the
+# word "tun" with "userv-ipif".
 netlink tun {
  name "netlink-tun"; # Printed in log messages from this netlink
 # interface "tun0"; # You may set your own interface name if you wish;
 # if you don't one will be chosen for you.
+# device "/dev/net/tun";
- # local networks served by this netlink device
- # incoming tunneled packets for other networks will be discarded
- networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
  local-address "192.168.x.x"; # IP address of host's tunnel interface
  secnet-address "192.168.x.x"; # IP address of this secnet
+ # Tunnels are only allowed to use these networks; attempts to
+ # claim IP addresses in any other ranges is a configuration error
+ remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
+
  # MTU of the tunnel interface. Should be kept under the path-MTU
  # (by at least 60 bytes) between this secnet and its peers for
  # optimum performance.
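Review bot: The remote-networks line added inside netlink tun covers the whole of the RFC 1918 space, which is the loosest setting that still reads as a restriction; since this line is what bounds which addresses a peer site may claim, an example that the header says may be used unaltered should push the operator towards the ranges actually allocated to the VPN. I would extend the preceding comment to `# Narrow this to the address ranges your VPN actually allocates; the RFC 1918 blocks below are only a placeholder` and fix its grammar (`attempts ... are a configuration error`). Whether remote-networks also applies in the per-tunnel `netlink tun;` style shown later in this diff is not stated here and deserves a sentence. The netlink tun block continues past the end of this hunk.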
@@ -71,19 +104,17 @@ netlink tun {
  buffer sysbuffer(2048);
 };
-# Alternatively (or additionally, if you like) use userv-ipif to get
-# packets to and from the kernel.
-#netlink userv-ipif {
-# name "netlink-userv-ipif";
-# # userv-path "/usr/bin/userv";
-# # service-user "root";
-# # service-name "ipif";
-# networks "whatever";
-# local-address "whatever";
-# secnet-address "whatever";
-# mtu 1400;
-# buffer sysbuffer(2048);
-#};
+# This alternative configuration allows you to create one kernel network
+# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
+# WORK WITH "userv-ipif". This is because "tun" can share a single
+# buffer between multiple network interfaces, but userv-ipif can't.
+# To use userv-ipif in this style, process the sites.conf file so that
+# each "netlink" section contains a "buffer sysbuffer(2048);" line.
+#netlink tun;
+#local-address "192.168.x.x"; # Address of local interfaces - all the same
+#mtu 1400;
+#buffer sysbuffer(2048);
+
 # This defines the port that this instance of secnet will listen on, and
 # originate packets on. It does not _have_ to correspond to the advertised
@@ -92,7 +123,7 @@ netlink tun {
 # host and port for your site end up on this machine at the port you
 # specify here.
 comm udp {
- port xxxx;
+ port 410;
  buffer sysbuffer(4096);
 };
@@ -111,6 +142,8 @@ log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
 # that it's non-blocking. XXX 'yes' isn't implemented yet.
 random randomfile("/dev/urandom",no);
+# If you're using the make-secnet-sites script then your local-name
+# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
 local-name "your-site-name";
 local-key rsa-private("/etc/secnet/key");
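Review bot: The commented-out per-tunnel alternative (`#netlink tun;` through `#buffer sysbuffer(2048);`) carries no counterpart of the remote-networks restriction that the single-interface netlink tun block gained in the previous hunk, so a reader who switches styles is not told whether peers' address claims are still bounded. If remote-networks is accepted at top level in the `netlink tun;` form, I would add a commented `#remote-networks "…";` line with the same advice to narrow it; if it is not, the comment should say the restriction then has to come from the per-site netlink sections in sites.conf. Either way this needs confirming against the netlink code. The instruction to post-process sites.conf also sits uneasily with the later warning to use an authentic copy of that file; a clause saying the edit is purely local and does not touch the keys would remove the doubt.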
@@ -121,22 +154,25 @@ transform serpent256-cbc {
 include /etc/secnet/sites.conf
-# Here you must list all the VPN sites that you wish to communicate with.
 # The /etc/secnet/sites file contains information on all reachable sites;
 # if the site you want to communicate with isn't listed, you should get
 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
 # contains public keys for all sites.
-sites
- site(vpn-data/example/location1/site1),
- site(vpn-data/example/location2/site1),
- site(vpn-data/example/location2/site2);
-
 # If you want to communicate with all the VPN sites, you can use something
-# like the following instead:
+# like the following:
+
+sites map(site,vpn/example/all-sites);
-# sites map(site,vpn/example/all-sites);
+# If you only want to communicate with a subset of the VPN sites, list
+# them explicitly:
+
+# sites map(site,
+# vpn-data/example/location1/site1,
+# vpn-data/example/location2/site1,
+# vpn-data/example/location2/site2);
 # If you want to communicate with a subset of locations, try the following:
 # sites map(site,vpn/example/location1,vpn/example/location2);
+
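Review bot: Making `sites map(site,vpn/example/all-sites);` the active line means an installation that uses this file unaltered will try to set up tunnels with every site in sites.conf, where the previous active form was an explicit list of three. That is a wider set of peers than most sites need, and the surrounding comments only discuss convenience, not scope; I would add above it `# This peers with every site in the sites file; if you only need a few, use the explicit list below so that only those sites are accepted as tunnel peers` — hedged, since whether an unlisted site can still initiate key setup with this instance depends on the site code rather than on anything in this hunk.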