authorOthmar Gsenger <otti@anytun.org>2009-02-18 18:12:05 +0000
committerOthmar Gsenger <otti@anytun.org>2009-02-18 18:12:05 +0000
commitebb2411e5dfb4cbfa55920198bba5309f93280b9 (patch)
tree9dfda5b86c7be9cd4bff95f30da22912821f9107
parentfixed compat mode bug (diff)
updated example configurations
-rwxr-xr-xetc/anytun/client1/post-up.sh5
-rw-r--r--etc/anytun/server/conf.d/client148
-rw-r--r--etc/anytun/server/config80
-rwxr-xr-xetc/anytun/server/post-up.sh22
4 files changed, 118 insertions, 37 deletions
diff --git a/etc/anytun/client1/post-up.sh b/etc/anytun/client1/post-up.sh
index bf01387..e9e3a8b 100755
--- a/etc/anytun/client1/post-up.sh
+++ b/etc/anytun/client1/post-up.sh
@@ -3,5 +3,10 @@
ip link set dev $1 up
ip link set dev $1 mtu 1400
ip addr add dev $1 192.168.123.1/24
+ip addr add dev $1 fec0::1/128
+
+# Disable ICMP Redirects as they don't work within the tunnel
+echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
exit 0
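Review bot: The interface name `$1` is expanded unquoted on every line of this hunk, including the two new `/proc/sys/net/ipv4/conf/$1/...` redirections, and the trailing `exit 0` reports success to anytun even when one of the preceding `ip` or `echo` commands failed, leaving a half-configured interface undetected. Quote the expansion, e.g. `echo 0 > "/proc/sys/net/ipv4/conf/$1/send_redirects"`, and either drop the unconditional `exit 0` or add `set -e` near the top of the script (the shebang and first lines are outside this hunk). The same two points apply to etc/anytun/server/post-up.sh in this commit.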
diff --git a/etc/anytun/server/conf.d/client1 b/etc/anytun/server/conf.d/client1
index c9b6f56..894fee7 100644
--- a/etc/anytun/server/conf.d/client1
+++ b/etc/anytun/server/conf.d/client1
@@ -1,9 +1,45 @@
-route 192.168.123.1/32
-window-size 0
+#############################
+## main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
mux 1
-key 0123456789ABCDEF0123456789ABCDEF
-salt 0123456789ABCD0123456789ABCD
-## remote host (autodetect if skiped)
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## Staticially configure remote address
+## (autodetect if skiped)
#remote-host <hostname|ip>
-## remote host (autodetect if skiped)
#remote-port 4444
+
+#############################
+## routing options #
+#############################
+
+## Internal Routing entries
+## multible routes allowed
+## make sure to also set a system route in the post-up script
+route 192.168.123.1/32
+route fec0::1/128
+
+## Add a subnet route
+## make sure to also set a system route in the post-up script
+#route 192.168.12.0/24
+#route fec0:1::/48
+
+
+#############################
+## Expert options #
+#############################
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 0123456789ABCDEF0123456789ABCDEF
+#salt 0123456789ABCD0123456789ABCD
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
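Review bot: The example ships a working `passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy` with no hint that it must be replaced, and the comment above it says the key and salt are derived from it, so a copied example yields a tunnel whose key is known to every reader of the distributed config. Add a line above it such as `## CHANGE THIS before use: key and salt are derived from the passphrase, so an unchanged example passphrase gives no confidentiality`. The closing block leaves `#window-size 0` commented out, which per the comment means replay protection stays disabled by default; stating that consequence explicitly (`## default: replay protection off`) would help. Spelling in the new comments: `Staticially`, `skiped`, `al least`, `multible`.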
diff --git a/etc/anytun/server/config b/etc/anytun/server/config
index 2706b97..a23ddfb 100644
--- a/etc/anytun/server/config
+++ b/etc/anytun/server/config
@@ -1,45 +1,63 @@
-## Global Parameters
-## don't run in background
-#nodaemonize
-## the sender id to use (has to be unique for multible anycast servers)
-sender-id 1
-## local anycast ip address to bind to
-#interface <ip-address>
-## local anycast(data) port to bind to
-port 4444
-## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
-## local unicast(sync) port to bind to
-#sync-port 1234
-## remote hosts to sync with
-#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
+#############################
+## multi connection support #
+#############################
+
+## Controll Host for multi client support
+## This enables multi-connection support and split configuration files per client
+## Make sure to use a unique port for each server, when runnig multible servers
+control-host 127.0.0.1:4444
+
+#############################
+## Main options #
+#############################
+
## Device name
dev anytun0
+
# device type tun = ip/ipv6, tap = ethernet
type tun
+
## payload encryption algorithm
cipher aes-ctr
#cipher null
+
## message authentication algorithm
auth-algo sha1
#auth-algo null
+
+## local ip address to bind to (for tunnel data)
+## (if you operate an anycast cluster this must be the anycast ip address)
+#interface <ip-address>
+
+## local port to bind to (for tunnel data)
+## make sure to use a different port for every server and client!
+port 4444
+
+#############################
+## Debug options #
+#############################
+## don't run in background
+#nodaemonize
+
+#############################
+## Expert options #
+#############################
## Automaticaly configure the interface an set a route
+##
+## We highly recommend the use of the post up script to do this
+##
## 1st argument the local address for the tun/tap device
## 2nd argument is either the remote address(tun) or netmask(tap)
#ifconfig <local> <remote|netmask>
-## Controll Host for multi client support
-control-host 127.0.0.1:4445
-### Connection Parameters (for clients without config server)
-## remote host
-#remote-host <hostname|ip>
-## remote port
-#remote-port <port>
-##seqence number window size
-## 0 turns off replay protection (for manualk keying)
-#window-size 0
-## the multiplex id to use
-#mux <mux-id>
-## master key to use for encryption
-#key <master key>
-## master salt to use for encryption
-#salt <master salt>
+
+#############################
+## Cluster options #
+#############################
+## the sender id to use (has to be unique for multible anycast servers)
+#sender-id 1
+## local unicast(sync) ip address to bind to
+# sync-interface <ip-address>
+## local unicast(sync) port to bind to
+#sync-port 1234
+## remote hosts to sync with
+#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
diff --git a/etc/anytun/server/post-up.sh b/etc/anytun/server/post-up.sh
index 1a3c443..dc30f09 100755
--- a/etc/anytun/server/post-up.sh
+++ b/etc/anytun/server/post-up.sh
@@ -1,4 +1,26 @@
#!/bin/sh
ip link set dev $1 up
ip link set mtu 1400 dev $1
+
+# Add tunnel addresses
ip addr add 192.168.123.254/24 dev $1
+ip addr add fec0::fd/64 dev $1
+
+# Add routes to client subnets
+# you also have to add these routes to the client configuration file of one client
+# ip route add 192.168.12.0/24 dev $1
+# ip route add fec0:1::/48 dev $1
+
+# Disable ICMP Redirects as they don't work within the tunnel
+echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
+
+# Enable Packet forwarding
+echo 1 > /proc/sys/net/ipv6/conf/$1/forwarding
+echo 1 > /proc/sys/net/ipv4/conf/$1/forwarding
+
+# Enable Routing to lokal ethernet interface
+# echo 1 > /proc/sys/net/ipv6/conf/eth0/forwarding
+# echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
+
+exit 0
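Review bot: The new `echo 1 > /proc/sys/net/ipv{4,6}/conf/$1/forwarding` lines make the server forward everything that arrives over the tunnel, and the commented-out eth0 lines invite extending that to the local network, yet neither the script nor its comments mention any filtering between tunnel and LAN. A comment such as `# Forwarding is enabled without any packet filter; add iptables/ip6tables rules before uncommenting the eth0 lines` would make that visible to whoever adapts the example. The `fec0::fd/64` address (and `fec0::1/128` in the client script) uses the site-local prefix that RFC 3879 deprecated; a ULA prefix from fd00::/8 (RFC 4193) would be the current choice for a private tunnel example. Quoting and the unconditional `exit 0` are covered in the note on etc/anytun/client1/post-up.sh.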