authorChristian Pointner <equinox@anytun.org>2009-02-27 15:43:34 +0000
committerChristian Pointner <equinox@anytun.org>2009-02-27 15:43:34 +0000
commitde075275ea4ae4bf2fc1d2998665f7d83dd75ec9 (patch)
treeb7e76cd5d1b47dffc90b99c03686a80c773a0a54 /etc
parentupdated README (diff)
updated sample config
Diffstat (limited to 'etc')
-rw-r--r--etc/anytun/client1/config110
-rwxr-xr-xetc/anytun/client1/post-up.sh2
-rw-r--r--etc/anytun/client2/config110
-rwxr-xr-xetc/anytun/client2/post-up.sh5
-rw-r--r--etc/anytun/client3/config110
-rwxr-xr-xetc/anytun/client3/post-up.sh5
-rw-r--r--etc/anytun/server/conf.d/client17
-rw-r--r--etc/anytun/server/conf.d/client249
-rw-r--r--etc/anytun/server/conf.d/client349
-rw-r--r--etc/anytun/server/config44
-rwxr-xr-xetc/anytun/server/post-up.sh18
11 files changed, 332 insertions, 177 deletions
diff --git a/etc/anytun/client1/config b/etc/anytun/client1/config
index 0b3c2d1..10e7ad1 100644
--- a/etc/anytun/client1/config
+++ b/etc/anytun/client1/config
@@ -1,52 +1,70 @@
-## Global Parameters
-## don't run in background
-#nodaemonize
-## the sender id to use (has to be unique for multible anycast servers)
-#sender-id 1
-## log to syslog with level of 3
-log syslog:3,anytun-client1,daemon
-## local anycast ip address to bind to
-#interface <ip-address>
-## local anycast(data) port to bind to
-#port 4444
-## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
-## local unicast(sync) port to bind to
-#sync-port 1234
-## remote hosts to sync with
-#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
-## Device name
-#dev anytun0
-# device type tun = ip/ipv6, tap = ethernet
+#############################
+## Main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
+mux 1
+
+## device type tun = ip/ipv6, tap = ethernet
type tun
+
## payload encryption algorithm
+#cipher null
+#cipher aes-ctr-128
+#cipher aes-ctr-192
+#cipher aes-ctr-256
cipher aes-ctr
-# cipher null
+
## message authentication algorithm
+#auth-algo null
auth-algo sha1
-# auth-algo null
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## local ip address to bind to (for tunnel data)
+## (if you run an anycast cluster this has to be the anycast ip address)
+#interface <ip-address>
+
+## local port to bind to (for tunnel data)
+## make sure to use a different port for every server and client!
+port 4444
+
+## log to syslog with a level of 3
+log syslog:3,anytun-client1,daemon
+
+#############################
+## Debug options #
+#############################
+
+## don't run in background
+#nodaemonize
+
+## additional log to standard output with a level of 5
+#log stdout:5
+
+#############################
+## Expert options #
+#############################
+
+## Device name
+#dev anytun0
+
## Automaticaly configure the interface an set a route
-## 1st argument the local address for the tun/tap device
-## 2nd argument is either the remote address(tun) or netmask(tap)
-#ifconfig <local> <remote|netmask>
-## Controll Host for multi client support
-#control-host 127.0.0.1:4445
-
-### Connection Parameters (for clients without config server)
-## Allow all ipv4 and ipv6 traffic
-## this does not set operating system routes
-route 0.0.0.0/0
-route ::/0
-## remote host
-remote-host example.com
-## remote port
-remote-port 4444
-##seqence number window size
-## 0 turns off replay protection (for manualk keying)
-window-size 0
-## the multiplex id to use
-mux 1
-## master key to use for encryption
-key 0123456789ABCDEF0123456789ABCDEF
-## master salt to use for encryption
-salt 0123456789ABCD0123456789ABCD
+##
+## We highly recommend the use of the post up script to do this
+##
+## the address hast to be supplied in CIDR notation
+#ifconfig <local>/<prefix length>
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 0123456789ABCDEF0123456789ABCDEF
+#salt 0123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
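Review bot: The new client1 config no longer carries a remote endpoint — the old `remote-host example.com` and `remote-port 4444` lines are removed and nothing on the new side replaces them, so unless the remote is supplied some other way (e.g. on the command line) this sample client has no server address to connect to. The same removal appears in the client2 and client3 configs of this commit. Separately, the new comment `## make sure to use a different port for every server and client!` sits directly above `port 4444`, which is also the value in the server config and both other sample clients; either give the samples distinct ports or reword the comment to say the warning only matters when several instances share one host.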
diff --git a/etc/anytun/client1/post-up.sh b/etc/anytun/client1/post-up.sh
index e9e3a8b..dd18fe5 100755
--- a/etc/anytun/client1/post-up.sh
+++ b/etc/anytun/client1/post-up.sh
@@ -5,7 +5,7 @@ ip link set dev $1 mtu 1400
ip addr add dev $1 192.168.123.1/24
ip addr add dev $1 fec0::1/128
-# Disable ICMP Redirects as they don't work within the tunnel
+# disable ICMP redirects as they don't work within the tunnel
echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
diff --git a/etc/anytun/client2/config b/etc/anytun/client2/config
index 007c58b..41da4d7 100644
--- a/etc/anytun/client2/config
+++ b/etc/anytun/client2/config
@@ -1,52 +1,70 @@
-## Global Parameters
-## don't run in background
-#nodaemonize
-## the sender id to use (has to be unique for multible anycast servers)
-#sender-id 1
-## log to syslog with level of 3
-log syslog:3,anytun-client2,daemon
-## local anycast ip address to bind to
-#interface <ip-address>
-## local anycast(data) port to bind to
-#port 4444
-## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
-## local unicast(sync) port to bind to
-#sync-port 1234
-## remote hosts to sync with
-#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
-## Device name
-#dev anytun0
-# device type tun = ip/ipv6, tap = ethernet
+#############################
+## Main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
+mux 2
+
+## device type tun = ip/ipv6, tap = ethernet
type tun
+
## payload encryption algorithm
+#cipher null
+#cipher aes-ctr-128
+#cipher aes-ctr-192
+#cipher aes-ctr-256
cipher aes-ctr
-# cipher null
+
## message authentication algorithm
+#auth-algo null
auth-algo sha1
-# auth-algo null
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## local ip address to bind to (for tunnel data)
+## (if you run an anycast cluster this has to be the anycast ip address)
+#interface <ip-address>
+
+## local port to bind to (for tunnel data)
+## make sure to use a different port for every server and client!
+port 4444
+
+## log to syslog with a level of 3
+log syslog:3,anytun-client2,daemon
+
+#############################
+## Debug options #
+#############################
+
+## don't run in background
+#nodaemonize
+
+## additional log to standard output with a level of 5
+#log stdout:5
+
+#############################
+## Expert options #
+#############################
+
+## Device name
+#dev anytun0
+
## Automaticaly configure the interface an set a route
-## 1st argument the local address for the tun/tap device
-## 2nd argument is either the remote address(tun) or netmask(tap)
-#ifconfig <local> <remote|netmask>
-## Controll Host for multi client support
-#control-host 127.0.0.1:4445
-
-### Connection Parameters (for clients without config server)
-## Allow all ipv4 and ipv6 traffic
-## this does not set operating system routes
-route 0.0.0.0/0
-route ::/0
-## remote host
-remote-host example.com
-## remote port
-remote-port 4444
-##seqence number window size
-## 0 turns off replay protection (for manualk keying)
-window-size 0
-## the multiplex id to use
-mux 2
-## master key to use for encryption
-key 2123456789ABCDEF0123456789ABCDEF
-## master salt to use for encryption
-salt 2123456789ABCD0123456789ABCD
+##
+## We highly recommend the use of the post up script to do this
+##
+## the address hast to be supplied in CIDR notation
+#ifconfig <local>/<prefix length>
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 2123456789ABCDEF0123456789ABCDEF
+#salt 2123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
diff --git a/etc/anytun/client2/post-up.sh b/etc/anytun/client2/post-up.sh
index 7ba0f90..9348f47 100755
--- a/etc/anytun/client2/post-up.sh
+++ b/etc/anytun/client2/post-up.sh
@@ -3,5 +3,10 @@
ip link set dev $1 up
ip link set dev $1 mtu 1400
ip addr add dev $1 192.168.123.2/24
+ip addr add dev $1 fec0::2/128
+
+# disable ICMP redirects as they don't work within the tunnel
+echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
exit 0
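Review bot: The added `echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects` and `accept_redirects` lines interpolate the interface name unquoted and, because the script still ends with an unconditional `exit 0`, a failed write (interface not yet present, no permission) is reported as success; quoting the path, `echo 0 > "/proc/sys/net/ipv4/conf/$1/send_redirects"`, and letting the real status propagate instead of forcing `exit 0` would at least surface the failure to whoever runs the script. The script's first lines, including any check that `$1` is set, are outside this hunk. The same additions appear in client3/post-up.sh. The new `fec0::2/128` address uses the site-local prefix fec0::/10, which RFC 3879 deprecated; a ULA prefix from fd00::/8 (RFC 4193) is the current choice for private tunnel addressing.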
diff --git a/etc/anytun/client3/config b/etc/anytun/client3/config
index 972364c..2a97caa 100644
--- a/etc/anytun/client3/config
+++ b/etc/anytun/client3/config
@@ -1,52 +1,70 @@
-## Global Parameters
-## don't run in background
-#nodaemonize
-## the sender id to use (has to be unique for multible anycast servers)
-#sender-id 1
-## log to syslog with level of 3
-log syslog:3,anytun-client3,daemon
-## local anycast ip address to bind to
-#interface <ip-address>
-## local anycast(data) port to bind to
-#port 4444
-## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
-## local unicast(sync) port to bind to
-#sync-port 1234
-## remote hosts to sync with
-#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
-## Device name
-#dev anytun0
-# device type tun = ip/ipv6, tap = ethernet
+#############################
+## Main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
+mux 3
+
+## device type tun = ip/ipv6, tap = ethernet
type tun
+
## payload encryption algorithm
+#cipher null
+#cipher aes-ctr-128
+#cipher aes-ctr-192
+#cipher aes-ctr-256
cipher aes-ctr
-# cipher null
+
## message authentication algorithm
+#auth-algo null
auth-algo sha1
-# auth-algo null
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## local ip address to bind to (for tunnel data)
+## (if you run an anycast cluster this has to be the anycast ip address)
+#interface <ip-address>
+
+## local port to bind to (for tunnel data)
+## make sure to use a different port for every server and client!
+port 4444
+
+## log to syslog with a level of 3
+log syslog:3,anytun-client3,daemon
+
+#############################
+## Debug options #
+#############################
+
+## don't run in background
+#nodaemonize
+
+## additional log to standard output with a level of 5
+#log stdout:5
+
+#############################
+## Expert options #
+#############################
+
+## Device name
+#dev anytun0
+
## Automaticaly configure the interface an set a route
-## 1st argument the local address for the tun/tap device
-## 2nd argument is either the remote address(tun) or netmask(tap)
-#ifconfig <local> <remote|netmask>
-## Controll Host for multi client support
-#control-host 127.0.0.1:4445
-
-### Connection Parameters (for clients without config server)
-## Allow all ipv4 and ipv6 traffic
-## this does not set operating system routes
-route 0.0.0.0/0
-route ::/0
-## remote host
-remote-host example.com
-## remote port
-remote-port 4444
-##seqence number window size
-## 0 turns off replay protection (for manualk keying)
-window-size 0
-## the multiplex id to use
-mux 3
-## master key to use for encryption
-key 3123456789ABCDEF0123456789ABCDEF
-## master salt to use for encryption
-salt 3123456789ABCD0123456789ABCD
+##
+## We highly recommend the use of the post up script to do this
+##
+## the address hast to be supplied in CIDR notation
+#ifconfig <local>/<prefix length>
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 3123456789ABCDEF0123456789ABCDEF
+#salt 3123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
diff --git a/etc/anytun/client3/post-up.sh b/etc/anytun/client3/post-up.sh
index f93c347..330d5be 100755
--- a/etc/anytun/client3/post-up.sh
+++ b/etc/anytun/client3/post-up.sh
@@ -3,5 +3,10 @@
ip link set dev $1 up
ip link set dev $1 mtu 1400
ip addr add dev $1 192.168.123.3/24
+ip addr add dev $1 fec0::3/128
+
+# disable ICMP redirects as they don't work within the tunnel
+echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
exit 0
diff --git a/etc/anytun/server/conf.d/client1 b/etc/anytun/server/conf.d/client1
index 894fee7..71a14f8 100644
--- a/etc/anytun/server/conf.d/client1
+++ b/etc/anytun/server/conf.d/client1
@@ -11,7 +11,7 @@ mux 1
## this should be al least 30 characters
passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
-## Staticially configure remote address
+## staticially configure client address
## (autodetect if skiped)
#remote-host <hostname|ip>
#remote-port 4444
@@ -21,14 +21,14 @@ passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
#############################
## Internal Routing entries
-## multible routes allowed
+## multiple routes allowed
## make sure to also set a system route in the post-up script
route 192.168.123.1/32
route fec0::1/128
## Add a subnet route
## make sure to also set a system route in the post-up script
-#route 192.168.12.0/24
+#route 192.168.11.0/24
#route fec0:1::/48
@@ -40,6 +40,7 @@ route fec0::1/128
## (this replaces the passphrase)
#key 0123456789ABCDEF0123456789ABCDEF
#salt 0123456789ABCD0123456789ABCD
+
## Setting a window size > 0 will enable replay protection
## This most likely will only work with external rekeying
#window-size 0
diff --git a/etc/anytun/server/conf.d/client2 b/etc/anytun/server/conf.d/client2
index f875ed0..597c897 100644
--- a/etc/anytun/server/conf.d/client2
+++ b/etc/anytun/server/conf.d/client2
@@ -1,9 +1,46 @@
-route 192.168.123.2/32
-window-size 0
+#############################
+## main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
mux 2
-key 2123456789ABCDEF0123456789ABCDEF
-salt 2123456789ABCD0123456789ABCD
-## remote host (autodetect if skiped)
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## staticially configure client address
+## (autodetect if skiped)
#remote-host <hostname|ip>
-## remote host (autodetect if skiped)
#remote-port 4444
+
+#############################
+## routing options #
+#############################
+
+## Internal Routing entries
+## multiple routes allowed
+## make sure to also set a system route in the post-up script
+route 192.168.123.2/32
+route fec0::2/128
+
+## Add a subnet route
+## make sure to also set a system route in the post-up script
+#route 192.168.12.0/24
+#route fec0:2::/48
+
+
+#############################
+## Expert options #
+#############################
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 2123456789ABCDEF0123456789ABCDEF
+#salt 2123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
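Review bot: The new `passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy` is the identical literal in this file, in conf.d/client3, in conf.d/client1 and in all three client configs, and the surrounding comment only says it `should be al least 30 characters` — nothing tells the reader that this published sample value must be replaced, nor that each client should get its own secret so that one compromised client cannot stand in for the others (assuming the passphrase is the only per-client secret, as the commented `#key`/`#salt` lines below suggest). Suggested comment above the passphrase line: `## CHANGE THIS: the sample value is public; use a different random passphrase for every client`. The typo `al least` → `at least` is carried into every new file in this commit.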
diff --git a/etc/anytun/server/conf.d/client3 b/etc/anytun/server/conf.d/client3
index 2108cb3..a3d7f25 100644
--- a/etc/anytun/server/conf.d/client3
+++ b/etc/anytun/server/conf.d/client3
@@ -1,9 +1,46 @@
-route 192.168.123.3/32
-window-size 0
+#############################
+## main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
mux 3
-key 3123456789ABCDEF0123456789ABCDEF
-salt 3123456789ABCD0123456789ABCD
-## remote host (autodetect if skiped)
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## staticially configure client address
+## (autodetect if skiped)
#remote-host <hostname|ip>
-## remote host (autodetect if skiped)
#remote-port 4444
+
+#############################
+## routing options #
+#############################
+
+## Internal Routing entries
+## multiple routes allowed
+## make sure to also set a system route in the post-up script
+route 192.168.123.3/32
+route fec0::3/128
+
+## Add a subnet route
+## make sure to also set a system route in the post-up script
+#route 192.168.13.0/24
+#route fec0:3::/48
+
+
+#############################
+## Expert options #
+#############################
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 3123456789ABCDEF0123456789ABCDEF
+#salt 3123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
diff --git a/etc/anytun/server/config b/etc/anytun/server/config
index 2736b15..358cdbe 100644
--- a/etc/anytun/server/config
+++ b/etc/anytun/server/config
@@ -2,65 +2,77 @@
## multi connection support #
#############################
-## Controll Host for multi client support
-## This enables multi-connection support and split configuration files per client
-## Make sure to use a unique port for each server, when runnig multible servers
+## control host for multi-client support
+## This enables multi-connection support and splits configuration files per client
+## Make sure to use a unique port for each server, when runnig multiple servers
control-host 127.0.0.1:4444
#############################
## Main options #
#############################
-## Device name
-dev anytun0
-
-# device type tun = ip/ipv6, tap = ethernet
+## device type tun = ip/ipv6, tap = ethernet
type tun
## payload encryption algorithm
-cipher aes-ctr
#cipher null
+#cipher aes-ctr-128
+#cipher aes-ctr-192
+#cipher aes-ctr-256
+cipher aes-ctr
## message authentication algorithm
-auth-algo sha1
#auth-algo null
+auth-algo sha1
## local ip address to bind to (for tunnel data)
-## (if you operate an anycast cluster this must be the anycast ip address)
+## (if you run an anycast cluster this has to be the anycast ip address)
#interface <ip-address>
## local port to bind to (for tunnel data)
## make sure to use a different port for every server and client!
port 4444
-## log to syslog with level of 3
+## log to syslog with a level of 3
log syslog:3,anytun-server,daemon
#############################
## Debug options #
#############################
+
## don't run in background
#nodaemonize
+## additional log to standard output with a level of 5
+#log stdout:5
+
+
#############################
## Expert options #
#############################
+
+## Device name
+#dev anytun0
+
## Automaticaly configure the interface an set a route
##
## We highly recommend the use of the post up script to do this
##
-## 1st argument the local address for the tun/tap device
-## 2nd argument is either the remote address(tun) or netmask(tap)
-#ifconfig <local> <remote|netmask>
+## the address hast to be supplied in CIDR notation
+#ifconfig <local>/<prefix length>
#############################
## Cluster options #
#############################
-## the sender id to use (has to be unique for multible anycast servers)
+
+## the sender id to use (has to be unique for multiple anycast servers)
#sender-id 1
+
## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
+#sync-interface <ip-address>
+
## local unicast(sync) port to bind to
#sync-port 1234
+
## remote hosts to sync with
#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
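Review bot: Several comments on the new side carry typos: `## Make sure to use a unique port for each server, when runnig multiple servers` → `running`, `## Automaticaly configure the interface an set a route` → `Automatically configure the interface and set a route`, and `## the address hast to be supplied in CIDR notation` → `has to be`; the last two recur in the three client configs. The move from an active `dev anytun0` to a commented `#dev anytun0` under Expert options also changes the sample's behavior — the server no longer pins its device name and falls back to the daemon's default (presumably anytun0, as the commented line suggests) — which deserves a one-line comment if intended.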
diff --git a/etc/anytun/server/post-up.sh b/etc/anytun/server/post-up.sh
index dc30f09..9d585a1 100755
--- a/etc/anytun/server/post-up.sh
+++ b/etc/anytun/server/post-up.sh
@@ -2,24 +2,28 @@
ip link set dev $1 up
ip link set mtu 1400 dev $1
-# Add tunnel addresses
+# add tunnel addresses
ip addr add 192.168.123.254/24 dev $1
ip addr add fec0::fd/64 dev $1
-# Add routes to client subnets
-# you also have to add these routes to the client configuration file of one client
-# ip route add 192.168.12.0/24 dev $1
+# add routes to client subnets
+# you also have to add these routes to the client configuration file of each client
+# ip route add 192.168.11.0/24 dev $1
# ip route add fec0:1::/48 dev $1
+# ip route add 192.168.12.0/24 dev $1
+# ip route add fec0:2::/48 dev $1
+# ip route add 192.168.13.0/24 dev $1
+# ip route add fec0:3::/48 dev $1
-# Disable ICMP Redirects as they don't work within the tunnel
+# disable ICMP redirects as they don't work within the tunnel
echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
-# Enable Packet forwarding
+# enable packet forwarding
echo 1 > /proc/sys/net/ipv6/conf/$1/forwarding
echo 1 > /proc/sys/net/ipv4/conf/$1/forwarding
-# Enable Routing to lokal ethernet interface
+# enable routing to local ethernet interface
# echo 1 > /proc/sys/net/ipv6/conf/eth0/forwarding
# echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding