Commit | Line | Data |
---|---|---|
74eb47db | 1 | .\" -*-nroff-*- |
2 | .\". | |
fc916a09 MW |
3 | .\" Manual for the server |
4 | .\" | |
5 | .\" (c) 2008 Straylight/Edgeware | |
6 | .\" | |
7 | . | |
8 | .\"----- Licensing notice --------------------------------------------------- | |
9 | .\" | |
10 | .\" This file is part of Trivial IP Encryption (TrIPE). | |
11 | .\" | |
12 | .\" TrIPE is free software; you can redistribute it and/or modify | |
13 | .\" it under the terms of the GNU General Public License as published by | |
14 | .\" the Free Software Foundation; either version 2 of the License, or | |
15 | .\" (at your option) any later version. | |
16 | .\" | |
17 | .\" TrIPE is distributed in the hope that it will be useful, | |
18 | .\" but WITHOUT ANY WARRANTY; without even the implied warranty of | |
19 | .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
20 | .\" GNU General Public License for more details. | |
21 | .\" | |
22 | .\" You should have received a copy of the GNU General Public License | |
23 | .\" along with TrIPE; if not, write to the Free Software Foundation, | |
24 | .\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
25 | . | |
26 | .\"-------------------------------------------------------------------------- | |
27 | .so ../defs.man.in \" @@@PRE@@@ | |
28 | . | |
29 | .\"-------------------------------------------------------------------------- | |
74eb47db | 30 | .TH tripe 8 "10 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption" |
fc916a09 MW |
31 | . |
32 | .\"-------------------------------------------------------------------------- | |
74eb47db | 33 | .SH "NAME" |
fc916a09 | 34 | . |
74eb47db | 35 | tripe \- a simple VPN daemon |
fc916a09 MW |
36 | . |
37 | .\"-------------------------------------------------------------------------- | |
74eb47db | 38 | .SH "SYNOPSIS" |
fc916a09 | 39 | . |
74eb47db | 40 | .B tripe |
46dde080 | 41 | .RB [ \-DF ] |
74eb47db | 42 | .RB [ \-d |
43 | .IR dir ] | |
d13e5724 | 44 | .RB [ \-b |
45 | .IR addr ] | |
33ced0d3 | 46 | .RB [ \-p |
47 | .IR port ] | |
42da2a58 | 48 | .RB [ \-n |
49 | .IR tunnel ] | |
d13e5724 | 50 | .br |
85b1ebd6 | 51 | \c |
33ced0d3 | 52 | .RB [ \-U |
53 | .IR user ] | |
54 | .RB [ \-G | |
55 | .IR group ] | |
d13e5724 | 56 | .RB [ \-a |
57 | .IR socket ] | |
58 | .RB [ \-T | |
59 | .IR trace-opts ] | |
74eb47db | 60 | .br |
85b1ebd6 | 61 | \c |
74eb47db | 62 | .RB [ \-k |
63 | .IR priv-keyring ] | |
64 | .RB [ \-K | |
65 | .IR pub-keyring ] | |
66 | .RB [ \-t | |
67 | .IR key-tag ] | |
fc916a09 MW |
68 | . |
69 | .\"-------------------------------------------------------------------------- | |
74eb47db | 70 | .SH "DESCRIPTION" |
fc916a09 | 71 | . |
74eb47db | 72 | The |
73 | .B tripe | |
74 | program is a server which can provide strong IP-level encryption and | |
1a19f865 | 75 | authentication between co-operating hosts. The program and its protocol |
76 | are deliberately very simple, to make analysing them easy and to help | |
77 | build trust rapidly in the system. | |
74eb47db | 78 | .SS "Overview" |
79 | The | |
80 | .B tripe | |
81 | server manages a number of secure connections to other `peer' hosts. | |
82 | Each daemon is given a private key of its own, and a file of public keys | |
83 | for the peers with which it is meant to communicate. It is responsible | |
84 | for negotiating sets of symmetric keys with its peers, and for | |
85 | encrypting, encapsulating and sending IP packets to its peers, and | |
86 | decrypting, checking and de-encapsulating packets it receives from | |
87 | them. | |
88 | .PP | |
89 | When the server starts, it creates a Unix-domain socket on which it | |
90 | listens for administration commands. It also logs warnings and | |
91 | diagnostic information to the programs connected to its admin socket. | |
92 | Clients connected to the socket can add new peers, and remove or find | |
93 | out about existing peers. The textual protocol used to give the | |
94 | .B tripe | |
95 | server admin commands is described in | |
96 | .BR tripe\-admin (5). | |
97 | A client program | |
98 | .BR tripectl (1) | |
99 | is provided to allow commands to be sent to the server either | |
100 | interactively or by simple scripts. | |
101 | .SS "Command-line arguments" | |
102 | If not given any command-line arguments, | |
103 | .B tripe | |
104 | will initialize by following these steps: | |
1a19f865 | 105 | .hP 1. |
106 | It sets the directory named by the | |
107 | .B TRIPEDIR | |
108 | environment variable (or | |
fc916a09 | 109 | .B "*(/c" |
1a19f865 | 110 | if the variable is unset) as the current directory. |
111 | .hP 2. | |
74eb47db | 112 | It acquires a UDP socket with an arbitrary kernel-selected port number. |
113 | It will use this socket to send and receive all communications with its | |
114 | peer servers. The port chosen may be discovered by means of the | |
115 | .B PORT | |
116 | admin command (see | |
117 | .BR tripe\-admin (5)). | |
1a19f865 | 118 | .hP 3. |
74eb47db | 119 | It loads the private key with the tag or type name |
120 | .B tripe\-dh | |
121 | from the Catacomb-format file | |
122 | .BR keyring , | |
123 | and loads the file | |
124 | .B keyring.pub | |
125 | ready for extracting the public keys of peers as they're introduced. | |
126 | (The format of these files is described in | |
127 | .BR keyring (5). | |
128 | They are maintained using the program | |
129 | .BR key (1) | |
130 | provided with the Catacomb distribution.) | |
1a19f865 | 131 | .hP 4. |
74eb47db | 132 | It creates and listens to the Unix-domain socket |
133 | .BR tripesock . | |
134 | .PP | |
135 | Following this, the server enters its main loop, accepting admin | |
136 | connections and obeying any administrative commands, and communicating | |
137 | with peers. It also treats its standard input and standard output | |
138 | streams as an admin connection, reading commands from standard input and | |
33ced0d3 | 139 | writing responses and diagnostics messages to standard output. Finally, |
140 | it will reload keys from its keyring files if it notices that they've | |
141 | changed (it checks inode number and modification time) \- there's no | |
142 | need to send a signal. | |
74eb47db | 143 | .PP |
144 | Much of this behaviour may be altered by giving | |
145 | .B tripe | |
146 | suitable command-line options: | |
147 | .TP | |
148 | .B "\-h, \-\-help" | |
149 | Writes a brief description of the command-line options available to | |
150 | standard output and exits with status 0. | |
151 | .TP | |
152 | .B "\-v, \-\-version" | |
153 | Writes | |
154 | .BR tripe 's | |
155 | version number to standard output and exits with status 0. | |
156 | .TP | |
157 | .B "\-u, \-\-usage" | |
158 | Writes a brief usage summary to standard output and exits with status 0. | |
159 | .TP | |
42da2a58 | 160 | .B "\-\-tunnels" |
161 | Writes to standard output a list of the configured tunnel drivers, one | |
162 | per line, and exits with status 0. This is intended for the use of the | |
3cdc3f3a | 163 | start-up script, so that it can check that it will actually work. |
164 | .TP | |
74eb47db | 165 | .B "\-D, \-\-daemon" |
166 | Dissociates from its terminal and starts running in the background after | |
167 | completing the initialization procedure described above. If running as | |
168 | a daemon, | |
169 | .B tripe | |
170 | will not read commands from standard input or write diagnostics to | |
171 | standard output. A better way to start | |
172 | .B tripe | |
173 | in the background is with | |
174 | .BR tripectl (1). | |
175 | .TP | |
46dde080 MW |
176 | .B "\-F, \-\-foreground" |
177 | Runs the server in the `foreground'; i.e., | |
178 | .B tripe | |
179 | will quit if it sees end-of-file on its standard input. This is | |
180 | incompatible with | |
181 | .BR \-D . | |
182 | .TP | |
74eb47db | 183 | .BI "\-d, \-\-directory=" dir |
184 | Makes | |
185 | .I dir | |
797cf76b MW |
186 | the current directory. The default directory to change to is given by |
187 | the environment variable | |
188 | .BR TRIPEDIR ; | |
189 | if that's not specified, a default default of | |
fc916a09 | 190 | .B "*(/c" |
797cf76b | 191 | is used. Give a current directory of |
74eb47db | 192 | .B . |
193 | if you don't want it to change directory at all. | |
194 | .TP | |
d13e5724 | 195 | .BI "\-b, \-\-bind-address="addr |
196 | Bind the UDP socket to IP address | |
197 | .I addr | |
198 | rather than the default of | |
199 | .BR INADDR_ANY . | |
200 | This is useful if your main globally-routable IP address is one you want | |
201 | to tunnel through the VPN. | |
202 | .TP | |
74eb47db | 203 | .BI "\-p, \-\-port=" port |
204 | Use the specified UDP port for all communications with peers, rather | |
205 | than an arbitarary kernel-assigned port. | |
206 | .TP | |
42da2a58 | 207 | .BI "\-n, \-\-tunnel=" tunnel |
208 | Use the specified tunnel driver for new peers by default. | |
209 | .TP | |
33ced0d3 | 210 | .BI "\-U, \-\-setuid=" user |
211 | Set uid to that of | |
212 | .I user | |
213 | (either a user name or integer uid) after initialization. Also set gid | |
214 | to | |
215 | .IR user 's | |
216 | primary group, unless overridden by a | |
217 | .B \-G | |
218 | option. | |
219 | .TP | |
220 | .BI "\-G, \-\-setgid=" group | |
221 | Set gid to that of | |
222 | .I group | |
223 | (either a group name or integer gid) after initialization. | |
224 | .TP | |
74eb47db | 225 | .BI "\-k, \-\-priv\-keyring=" file |
226 | Reads the private key from | |
227 | .I file | |
228 | rather than the default | |
229 | .BR keyring . | |
230 | .TP | |
231 | .BI "\-K, \-\-pub\-keyring=" file | |
232 | Reads public keys from | |
233 | .I file | |
234 | rather than the default | |
235 | .BR keyring.pub . | |
236 | This can be the same as the private keyring, but that's not recommended. | |
237 | .TP | |
238 | .BI "\-t, \-\-tag=" tag | |
239 | Uses the private key whose tag or type is | |
240 | .I tag | |
241 | rather than the default | |
242 | .BR tripe\-dh . | |
243 | .TP | |
244 | .BI "\-a, \-\-admin\-socket=" socket | |
245 | Accept admin connections to a Unix-domain socket named | |
797cf76b MW |
246 | .IR socket . |
247 | The default socket, if this option isn't specified, is given by the | |
248 | environment variable | |
249 | .BR TRIPESOCK ; | |
250 | if that's not set either, then a default default of | |
fc916a09 | 251 | .B "*(/s/tripesock" |
797cf76b | 252 | is used instead. |
74eb47db | 253 | .TP |
254 | .BI "\-T, \-\-trace=" trace-opts | |
255 | Allows the enabling or disabling of various internal diagnostics. See | |
256 | below for the list of options. | |
d6623498 | 257 | .SS "Setting up a VPN with tripe" |
258 | The | |
259 | .B tripe | |
260 | server identifies peers by name. While it's | |
261 | .I possible | |
262 | for each host to maintain its own naming system for its peers, this is | |
263 | likely to lead to confusion, and it's more sensible to organize a naming | |
264 | system that works everywhere. How you manage this naming is up to you. | |
265 | The only restriction on the format of names is that they must be valid | |
266 | Catacomb key tags, since this is how | |
267 | .B tripe | |
268 | identifies which public key to use for a particular peer: they may not | |
269 | contain whitespace characters, or a colon | |
270 | .RB ` : ' | |
271 | or dot | |
272 | .RB ` . ', | |
273 | .PP | |
274 | Allocating IP addresses for VPNs can get quite complicated. I'll | |
275 | attempt to illustrate with a relatively simple example. Our objective | |
276 | will be to set up a virtual private network between two sites of | |
277 | .BR example.com . | |
278 | The two sites are using distinct IP address ranges from the private | |
279 | address space described in RFC1918: site A is using addresses from | |
280 | 10.0.1.0/24 and site B is using 10.0.2.0/24. Each site has a gateway | |
281 | host set up with both an address on the site's private network, and an | |
282 | externally-routable address from the public IP address space. Site A's | |
283 | gateway machine, | |
284 | .BR alice , | |
285 | has the addresses 10.0.1.1 and 200.0.1.1; site B's gateway is | |
286 | .B bob | |
287 | and has addresses 10.0.2.1 and 200.0.2.1. | |
d6623498 | 288 | .hP 1. |
289 | Install | |
290 | .B tripe | |
291 | on both of the gateway hosts. Create the directory | |
292 | .BR /var/lib/tripe . | |
293 | .hP 2. | |
294 | On | |
295 | .BR alice , | |
296 | make | |
297 | .B /var/lib/tripe | |
298 | the current directory and generate a Diffie-Hellman group: | |
299 | .RS | |
74eb47db | 300 | .VS |
301 | key add \-adh\-param \-LS \-b2048 \-B256 \e | |
302 | \-eforever \-tparam tripe\-dh\-param | |
303 | .VE | |
d6623498 | 304 | (See |
305 | .BR key (1) | |
306 | from the Catacomb distribution for details about the | |
307 | .B key | |
308 | command.) Also generate a private key for | |
309 | .BR alice : | |
310 | .VS | |
311 | key add \-adh \-pparam \-talice \e | |
312 | \-e"now + 1 year" tripe\-dh | |
313 | .VE | |
314 | Extract the group parameters and | |
315 | .BR alice 's | |
316 | public key to | |
317 | .I separate | |
318 | files, and put the public key in | |
319 | .BR keyring.pub : | |
74eb47db | 320 | .VS |
321 | key extract param param | |
37075862 | 322 | key extract \-f\-secret alice.pub alice |
d6623498 | 323 | key \-kkeyring.pub merge alice.pub |
74eb47db | 324 | .VE |
d6623498 | 325 | Send the files |
326 | .B param | |
327 | and | |
328 | .B alice.pub | |
329 | to | |
330 | .B bob | |
331 | in some secure way (e.g., in PGP-signed email, or by using SSH), so that | |
332 | you can be sure they've not been altered in transit. | |
333 | .RE | |
334 | .hP 3. | |
335 | On | |
336 | .B bob | |
337 | now, make | |
338 | .B /var/lib/tripe | |
339 | the current directory, and import the key material from | |
340 | .BR alice : | |
341 | .RS | |
74eb47db | 342 | .VS |
343 | key merge param | |
d6623498 | 344 | key \-kkeyring.pub merge alice.pub |
74eb47db | 345 | .VE |
d6623498 | 346 | Generate a private key for |
347 | .B bob | |
348 | and extract the public half, as before: | |
74eb47db | 349 | .VS |
d6623498 | 350 | key add \-adh \-pparam \-tbob \e |
351 | \-e"now + 1 year" tripe\-dh | |
383f2a0b | 352 | key extract \-f\-secret bob.pub bob |
d6623498 | 353 | key \-kkeyring.pub merge bob.pub |
74eb47db | 354 | .VE |
d6623498 | 355 | and send |
356 | .B bob.pub | |
357 | back to | |
358 | .B alice | |
359 | using some secure method. | |
360 | .RE | |
361 | .hP 4 | |
362 | On | |
363 | .BR alice , | |
364 | merge | |
365 | .B bob 's | |
366 | key into the public keyring. Now, on each host, run | |
367 | .RS | |
368 | .VS | |
369 | key \-kkeyring.pub fingerprint | |
370 | .VE | |
371 | and check that the hashes match. If the two sites have separate | |
372 | administrators, they should read the hashes to each other over the | |
373 | telephone (assuming that they can recognize each other's voices). | |
374 | .RE | |
375 | .hP 5. | |
376 | Start the | |
377 | .B tripe | |
378 | servers up. Run | |
379 | .RS | |
380 | .VS | |
165efde7 | 381 | tripectl \-slD |
d6623498 | 382 | .VE |
383 | on each of | |
384 | .B alice | |
385 | and | |
386 | .BR bob . | |
d6623498 | 387 | .RE |
388 | .hP 6. | |
389 | To get | |
390 | .B alice | |
391 | talking to | |
392 | .BR bob , | |
393 | run this shell script (or one like it): | |
394 | .RS | |
395 | .VS | |
396 | #! /bin/sh | |
74eb47db | 397 | |
165efde7 | 398 | tripectl add bob 200.0.2.1 4070 |
d6623498 | 399 | ifname=`tripectl ifname bob` |
1f68dfc5 | 400 | ifconfig $ifname 10.0.1.1 pointopoint 10.0.2.1 |
d6623498 | 401 | route add -net \e |
402 | 10.0.2.0 netmask 255.255.255.0 \e | |
1f68dfc5 | 403 | gw 10.0.2.1 |
d6623498 | 404 | .VE |
405 | Read | |
406 | .BR ifconfig (8) | |
407 | and | |
408 | .BR route (8) | |
409 | to find out about your system's variants of these commands. The | |
410 | versions shown above assume a Linux system. | |
411 | Run a similar script on | |
412 | .BR bob , | |
413 | to tell its | |
414 | .B tripe | |
415 | server to talk to | |
416 | .BR alice . | |
417 | .RE | |
418 | .hP 7. | |
419 | Congratulations. The two servers will exchange keys and begin sending | |
420 | packets almost immediately. You've set up a virtual private network. | |
52c03a2a | 421 | .SS "Using elliptic curve keys" |
422 | The | |
423 | .B tripe | |
424 | server can use elliptic curve Diffie-Hellman for key exchange, rather | |
425 | than traditional integer Diffie-Hellman. Given current public | |
426 | knowledge, elliptic curves can provide similar or better security to | |
427 | systems based on integer discrete log problems, faster, and with less | |
428 | transmitted data. It's a matter of controversy whether this will | |
429 | continue to be the case. The author uses elliptic curves. | |
430 | .PP | |
431 | The server works out which it | |
432 | should be doing based on the key type, which is either | |
433 | .B tripe\-dh | |
434 | for standard Diffie-Hellman, or | |
435 | .B tripe\-ec | |
436 | for elliptic curves. To create elliptic curve keys, say something like | |
437 | .VS | |
438 | key add \-aec\-param \-Cnist-p192 \-eforever \e | |
439 | \-tparam tripe\-ec\-param | |
440 | .VE | |
441 | to construct a parameters key, using your preferred elliptic curve in | |
442 | the | |
443 | .B \-C | |
444 | option (see | |
445 | .BR key (1) | |
446 | for details); and create the private keys by | |
447 | .VS | |
448 | key add \-aec \-pparam \-talice \e | |
449 | \-e"now + 1 year" tripe\-ec | |
450 | .VE | |
451 | Now start | |
452 | .B tripe | |
453 | with the | |
454 | .B \-ttripe\-ec | |
455 | option, and all should be well. | |
b5c45da1 | 456 | .SS "Using other symmetric algorithms" |
457 | The default symmetric algorithms | |
458 | .B tripe | |
459 | uses are Blowfish (by Schneier) for symmetric encryption, and RIPEMD-160 | |
460 | (by Dobbertin, Bosselaers and Preneel) for hashing and as a MAC (in HMAC | |
461 | mode, designed by Bellare, Canetti and Krawczyk). These can all be | |
462 | overridden by setting attributes on your private key, as follows. | |
463 | .TP | |
464 | .B cipher | |
465 | Names the symmetric encryption scheme to use. The default is | |
466 | .BR blowfish\-cbc . | |
467 | .TP | |
468 | .B hash | |
469 | Names the hash function to use. The default is | |
470 | .BR rmd160 . | |
471 | .TP | |
472 | .B mac | |
473 | Names the message authentication code to use. The name of the MAC may | |
474 | be followed by a | |
475 | .RB ` / ' | |
476 | and the desired tag length in bits. The default is | |
477 | .IB hash \-hmac | |
478 | at half the underlying hash function's output length. | |
479 | .TP | |
480 | .B mgf | |
481 | A `mask-generation function', used in the key-exchange. The default is | |
482 | .IB hash \-mgf | |
483 | and there's no good reason to change it. | |
b9066fbb | 484 | .SS "Using SLIP interfaces" |
485 | Though not for the faint of heart, it is possible to get | |
486 | .B tripe | |
487 | to read and write network packets to a pair of file descriptors using | |
488 | SLIP encapsulation. No fancy header compression of any kind is | |
98fdb08d | 489 | supported. |
490 | .PP | |
491 | Two usage modes are supported: a preallocation system, whereby SLIP | |
492 | interfaces are created and passed to the | |
493 | .B tripe | |
494 | server at startup; and a dynamic system, where the server runs a script | |
495 | to allocate a new SLIP interface when it needs one. It is possible to | |
496 | use a mixture of these two modes, starting | |
b9066fbb | 497 | .B tripe |
98fdb08d | 498 | with a few preallocated interfaces and having it allocate more |
499 | dynamically as it needs them. | |
500 | .PP | |
501 | The behaviour of | |
502 | .BR tripe 's | |
503 | SLIP driver is controlled by the | |
504 | .B TRIPE_SLIPIF | |
1f68dfc5 | 505 | environment variable. The server will not create SLIP tunnels if this |
506 | variable is not defined. The variable's value is a colon-delimited list | |
507 | of preallocated interfaces, followed optionally by the filename of a | |
508 | script to run to dynamically allocate more interfaces. | |
b9066fbb | 509 | .PP |
98fdb08d | 510 | A static allocation entry has the form |
b9066fbb | 511 | .IR infd [ \c |
512 | .BI , outfd \c | |
513 | .RB ] \c | |
514 | .BI = \c | |
98fdb08d | 515 | .IR ifname , |
b9066fbb | 516 | If the |
517 | .I outfd | |
518 | is omitted, the same file descriptor is used for input and output. | |
519 | .PP | |
98fdb08d | 520 | The dynamic allocation script must be named by an absolute or relative |
e04c2d50 | 521 | pathname, beginning with |
98fdb08d | 522 | .RB ` / ' |
523 | or | |
524 | .RB ` . '. | |
525 | The server will pass the script an argument, which is the name of the | |
526 | peer for which the interface is being created. The script should | |
527 | allocate a new SLIP interface (presumably by creating a pty pair), | |
528 | configure it appropriately, and write the interface's name to its | |
529 | standard output, followed by a newline. It should then read and write | |
530 | SLIP packets on its stdin and stdout. The script's stdin will be closed | |
531 | when the interface is no longer needed, and the server will attempt to | |
532 | send it a | |
533 | .B SIGTERM | |
534 | signal (though this may fail if the script runs with higher privileges | |
535 | than the server). | |
536 | .PP | |
b9066fbb | 537 | The output file descriptor should not block unless it really needs to: |
538 | the | |
539 | .B tripe | |
1f68dfc5 | 540 | daemon assumes that it won't, and will get wedged waiting for it to |
541 | accept output. | |
74eb47db | 542 | .SS "About the name" |
543 | The program's name is | |
544 | .BR tripe , | |
545 | all in lower-case. The name of the protocol it uses is `TrIPE', with | |
546 | four capital letters and one lower-case. The name stands for `Trivial | |
547 | IP Encryption'. | |
fc916a09 MW |
548 | . |
549 | .\"-------------------------------------------------------------------------- | |
74eb47db | 550 | .SH "BUGS" |
fc916a09 | 551 | . |
74eb47db | 552 | The code hasn't been audited. It may contain security bugs. If you |
553 | find one, please inform the author | |
554 | .IR immediately . | |
fc916a09 MW |
555 | . |
556 | .\"-------------------------------------------------------------------------- | |
74eb47db | 557 | .SH "SEE ALSO" |
fc916a09 | 558 | . |
74eb47db | 559 | .BR key (1), |
560 | .BR tripectl (1), | |
561 | .BR tripe\-admin (5). | |
562 | .PP | |
563 | .IR "The Trivial IP Encryption Protocol" , | |
564 | .IR "The Wrestlers Protocol" . | |
fc916a09 MW |
565 | . |
566 | .\"-------------------------------------------------------------------------- | |
74eb47db | 567 | .SH "AUTHOR" |
fc916a09 | 568 | . |
d36eda2a | 569 | Mark Wooding, <mdw@distorted.org.uk> |
fc916a09 MW |
570 | . |
571 | .\"----- That's all, folks -------------------------------------------------- |