Configuration settings¶
Exceptional settings¶
serverSpecifies
<servername>. Is looked up in[SERVER]and[COMMON]only. If not specified there, it isSERVER.Used by server to select the appropriate parts of the rest of the configuration. Ignored by the client.
secretLooked up in the usual way, but used by client and server to determine which possible peerings to try to set up, and which to ignore.
We define the sets of putative clients and servers, as follows: all those, for which there is any section (even an empty one) whose name is based on
<client>or<servername>(as applicable). (LIMITsections do not count.)The server queue packets for, and accept requests from, each putative client for which the config search yields a secret.
Each client will create a local interface, and try to communicate with the server, for each possible pair (putative server, putative client) for which the config search yields a secret.
The value is a string, fed directly into HMAC.
ipifCommand to run to create and communicate with local network interface. Passed to sh -c. Must speak SLIP on stdin/stdout.
(For compatibility with older hippotat,
%(var)sis supported too but this is deprecated since the extrasis confusing.)On server: applies to all clients; not looked up in client-specific sections. On client: may be different for different servers.
[string;
userv root ipif %{local},%{peer},%{mtu},slip '%{rnets}']
ipif interpolations:¶
The following interpolations aare substituted in the value for ipif:
| Input | %{local} |
%{peer} |
%{rnets} |
%{ifname} |
|---|---|---|---|---|
| on server | vaddr |
vrelay |
vnetwork |
ifname_server |
| on client | client |
vaddr |
vroutes |
ifname_client |
Always: %{mtu}, and %% to indicate a literal %.
Capped settings¶
Values in [<server> LIMIT] and [LIMIT] are a cap (maximum) on
those from the other sections (including COMMON). If a larger
value is obtained, it is (silently) reduced to the limit value.
max_batch_downSize limit for response payloads.
On client, incoming response bodies are limited to this (plus a fixed constant metadata overhead). Server uses minimum of client’s and server’s configured values (old servers just use server’s value).
[
65536(bytes);LIMIT:262144]max_batch_upSize limit for request upbound payloads. On client, used directly, with
LIMITapplied.On server, only
LIMITis relevant, and must be at least the client’s configured value (checked).[
4000(bytes);LIMIT:262144]max_queue_timeDiscard packets after they have been queued this long waiting for http.
On server: setting applies to downward packets. On client: setting applies to upward packets.
[
10(s);LIMIT:121]http_timeoutOn server: return with empty payload any http request oustanding for this long.
On client: give up on any http request outstanding for for this long plus
http_timeout_grace.Warning messages about link problems, printed by the client, are rate limited to no more than one per effective timeout.
Client’s effective timeout must be at least server’s (checked).
[
30(s);LIMIT:121]target_requests_outstandingOn client: try to keep this many requests outstanding, to allow for downbound data transfer. On server: whenever number of outstanding requests for a client exceeds this, returns oldest with empty payload. Must match between client and server (checked). [
3;LIMIT:10]
Ordinary settings, used by both, not client-specific¶
On the server these are forbidden in the client-specific config sections.
addrsPublic IP (v4 or v6) address(es) of the server; space-separated. On server: mandatory; used for bind. On client: used only to construct default
url. No default.vnetworkPrivate network range. Must contain all
<client>s. Must containvaddrandvrelay, and is used to compute their defaults. [CIDR syntax (<prefix>/<length>);172.24.230.192/28]vaddrAddress of server’s virtual interface. [default: first host entry in
vnetwork, so172.24.230.193]vrelayVirtual point-to-point address used for tunnel routing (does not appear in packets). [default: first host entry in
vnetworkother thanvaddr, so172.24.230.194]portPublic port number of the server. On server: used for bind. On client: used only to construct default url. [
80]Do not set this to
443- the server will speak plain unencrypted HTTP on the port you specify, which would be wrong for443. While the client has integrated TLS support, the server does not. To use hippotat with TLS:Set up a TLS reverse proxy (such as apache or nginx), probably with a certificate from Let’s Encrypt.
Configure
portandaddrsto the internal address and port (to which the reverse proxy forwards the requests).Configure
urlto the public URL of the reverse proxy.
mtuOf virtual interface. Must match exactly at each end (checked). [
1500(bytes)]
Ordinary settings, used by server only¶
max_clock_skewPermissible clock skew between client and server. Hippotat will not work if clock skew is more than this. Conversely: when moving client from one public network to another, the first network can deny service to the client for this period after the client leaves the first network. [
300(s)]ifname_serverVirtual interface name on the server. [
shippo%d] NB: any%dis interpolated (by the kernel).
Ordinary settings, used by client only¶
http_timeout_graceSee
http_timeout. [5(s)]max_requests_outstandingClient will hold off sending more requests than this to server even if it has data to send. [
6]success_report_intervalIf nonzero, report success periodically. Otherwise just report it when we first have success. [
3600(s)]http_retryIf a request fails, wait this long before considering it “finished” - to limit rate of futile requests (and also to limit rate of moaning on stderr). [
5s]urlPublic url of server. [
http://<first-entry-in-addrs>:<port>/]vroutesAdditional virtual addresses to be found at the server end, space-separated. Routes to those will be created on the client.
vrelayis included implicitly. [CIDR syntax, space separated; default: none]ifname_clientVirtual interface name on the client. [
hippo%d] NB: any%dis interpolated (by the kernel).