1 # secnet example configuration file
3 # This file is part of secnet.
4 # See LICENCE and this file CREDITS for full list of copyright holders.
5 # SPDX-License-Identifier: GPL-3.0-or-later
6 # There is NO WARRANTY.
9 # If you use this unaltered you should consider providing automatic log
10 # rotation for /var/log/secnet. secnet will close and re-open its logfiles
11 # when it receives SIGHUP.
13 filename "/var/log/secnet";
14 class "info","notice","warning","error","security","fatal";
15 # There are some useful message classes that could replace
17 # 'default' -> warning,error,security,fatal
18 # 'verbose' -> info,notice,default
22 # Alternatively you could log through syslog:
29 # Systemwide configuration (all other configuration is per-site):
30 # log a log facility for program messages
31 # userid who we try to run as after setup
34 # Note that you should not specify 'userid' here unless secnet
35 # is being invoked as root.
37 pidfile "/var/run/secnet.pid";
40 # Parameters for each remote site (arguments to the site() closure):
41 # things we configure locally
42 # buffer buffer for constructing/sending/receiving packets
43 # netlink user/kernel netlink device for this tunnel
44 # comm UDP communication
45 # resolver resolver to use for name lookups
46 # log a log destination for this connection
47 # log-events string list: which events we log
48 # random a source of randomness
50 # our local configuration visible to the outside world
51 # local-name string: how we identify ourselves to them
52 # local-key our own private RSA key
53 # local-port port number we listen on
55 # their configuration visible to us
56 # name string: how they identify themselves
57 # address string: use with resolver to find their IP address
58 # networks string list: their networks for us
59 # key the remote site's RSA public key
60 # port port we send to to contact remote site
62 # things both ends must agree on
63 # transform routine for bulk encryption
64 # dh Diffie-Hellman parameters
65 # hash secure hash function
67 # things both ends ought to agree on, but don't have to
68 # key-lifetime max session key lifetime, in milliseconds
69 # setup-retries max retransmits of a key setup packet
70 # setup-timeout wait between retransmits of key setup packets, in ms
71 # wait-time wait between unsuccessful key setup attempts, in ms
72 # renegotiate-time set up a new key if we see any traffic after this time
74 # Defaults that may be overridden on a per-site basis:
78 # Use the universal TUN/TAP driver to get packets to and from the kernel,
79 # through a single interface. secnet will act as a router; it requires
80 # its own IP address which is specified below (you'll see it on traceroute,
81 # etc. for routes that go via tunnels). If you don't want secnet to act
82 # as a router, and instead want a separate kernel network interface per
83 # tunnel, then see the alternative configuration below
85 # If you want to use userv-ipif to manage interfaces then replace the
86 # word "tun" with "userv-ipif".
88 name "netlink-tun"; # Printed in log messages from this netlink
89 # interface "tun0"; # You may set your own interface name if you wish;
90 # if you don't one will be chosen for you.
91 # device "/dev/net/tun";
93 local-address "192.168.x.x"; # IP address of host's tunnel interface
94 secnet-address "192.168.x.x"; # IP address of this secnet
96 # Tunnels are only allowed to use these networks; attempts to
97 # claim IP addresses in any other ranges is a configuration error
98 remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
100 # MTU of the tunnel interface. Should be kept under the path-MTU
101 # (by at least 60 bytes) between this secnet and its peers for
102 # optimum performance.
105 # This buffer is used to pass incoming packets onto the 'site'
106 # module. It should be at least as big as the MTU plus 60 bytes.
107 # Buffers can sometimes be shared between netlink devices - see
108 # full documentation for more details. (XXX TODO)
109 buffer sysbuffer(2048);
112 # This alternative configuration allows you to create one kernel network
113 # interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
114 # WORK WITH "userv-ipif". This is because "tun" can share a single
115 # buffer between multiple network interfaces, but userv-ipif can't.
116 # To use userv-ipif in this style, process the sites.conf file so that
117 # each "netlink" section contains a "buffer sysbuffer(2048);" line.
119 #local-address "192.168.x.x"; # Address of local interfaces - all the same
121 #buffer sysbuffer(2048);
123 # This is small enough that it fits without fragmentation into
124 # the foolish wifi on Greater Anglia's now-retired Class 379s.
125 # This is good because they mishandle fragmentation.
129 # This defines the port that this instance of secnet will listen on, and
130 # originate packets on. It does not _have_ to correspond to the advertised
131 # port for your site: you may be doing network address translation, for
132 # example. You need to arrange that any UDP packets sent to the advertised
133 # host and port for your site end up on this machine at the port you
137 buffer sysbuffer(4096);
140 # The resolver is used to look up IP addresses from the DNS names provided
141 # in the sites file. You may specify an alternative resolv.conf for
142 # ADNS here if you wish.
144 # config=readfile("/etc/secnet/adns.conf");
147 # log is defined earlier - we share it with the system
148 log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
151 # A source of random bits for nonces and session keys. The 'no' specifies
152 # that it's non-blocking. XXX 'yes' isn't implemented yet.
153 random randomfile("/dev/urandom",no);
155 # If you're using the make-secnet-sites script then your local-name
156 # will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
157 local-name "your-site-name";
158 local-key rsa-private("/etc/secnet/key");
160 # Are we a mobile site?
163 # On dodgy links you may want to specify a higher maximum sequence number skew
164 transform eax-serpent { }, serpent256-cbc { };
166 include /etc/secnet/sites.conf
168 # The /etc/secnet/sites file contains information on all reachable sites;
169 # if the site you want to communicate with isn't listed, you should get
170 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
171 # contains public keys for all sites.
173 # If you want to communicate with all the VPN sites, you can use something
174 # like the following:
176 sites map(site,all-sites);
178 # Or with a particular VPN
179 #sites map(site,vpn/Vexample/all-sites);
181 # If you only want to communicate with a subset of the VPN sites, list
185 # vpn-data/example/location1/site1,
186 # vpn-data/example/location2/site1,
187 # vpn-data/example/location2/site2);
189 # If you want to communicate with a subset of locations, try the following:
191 # sites map(site,vpn/example/location1,vpn/example/location2);
193 # This file is placed in the public domain (insofar as possible.)
194 # Authors: Stephen Early, Ian Jackson