diff options
author | Christian Pointner <equinox@anytun.org> | 2009-12-22 20:18:51 +0000 |
---|---|---|
committer | Christian Pointner <equinox@anytun.org> | 2009-12-22 20:18:51 +0000 |
commit | a525c9c7412fb9483dd868b3504cd1be32dc7d23 (patch) | |
tree | 402f6e0f760558f9870e4aa4d8771d620256f084 /src/man | |
parent | added patch from Cyril Brulebois in order to enable build on Debian/Freebsd K... (diff) |
added manpage to svn (and later to release tarball)
moved manpages to doc directory
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/Makefile | 57 | ||||
-rw-r--r-- | src/man/anyrtpproxy.8.txt | 150 | ||||
-rw-r--r-- | src/man/anytun-config.8.txt | 173 | ||||
-rw-r--r-- | src/man/anytun-controld.8.txt | 110 | ||||
-rw-r--r-- | src/man/anytun-showtables.8.txt | 71 | ||||
-rw-r--r-- | src/man/anytun.8.txt | 373 |
6 files changed, 0 insertions, 934 deletions
diff --git a/src/man/Makefile b/src/man/Makefile deleted file mode 100644 index adc9919..0000000 --- a/src/man/Makefile +++ /dev/null @@ -1,57 +0,0 @@ -## -## anytun -## -## The secure anycast tunneling protocol (satp) defines a protocol used -## for communication between any combination of unicast and anycast -## tunnel endpoints. It has less protocol overhead than IPSec in Tunnel -## mode and allows tunneling of every ETHER TYPE protocol (e.g. -## ethernet, ip, arp ...). satp directly includes cryptography and -## message authentication based on the methodes used by SRTP. It is -## intended to deliver a generic, scaleable and secure solution for -## tunneling and relaying of packets of any protocol. -## -## -## Copyright (C) 2007-2009 Othmar Gsenger, Erwin Nindl, -## Christian Pointner <satp@wirdorange.org> -## -## This file is part of Anytun. -## -## Anytun is free software: you can redistribute it and/or modify -## it under the terms of the GNU General Public License as published by -## the Free Software Foundation, either version 3 of the License, or -## any later version. -## -## Anytun is distributed in the hope that it will be useful, -## but WITHOUT ANY WARRANTY; without even the implied warranty of -## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -## GNU General Public License for more details. -## -## You should have received a copy of the GNU General Public License -## along with anytun. If not, see <http://www.gnu.org/licenses/>. -## - -VERSION=$(shell cat ../../version) - -MANPAGES := anytun.8 anytun-controld.8 anytun-config.8 anytun-showtables.8 #anyrtpproxy.8 -XML := $(MANPAGES:%.8=%.8.xml) - -.PHONY: clean - -all: manpage - -define create-manpage - a2x -f manpage $(1) - @ sed -i -e 's/\[FIXME: source\]/anytun ${VERSION}/' $(2) - @ sed -i -e 's/\[FIXME: manual\]/$(2:.8=) user manual/' $(2) - @ sed -i -e 's/^\($(subst -,\\-,$(2:.8=))\)$$/\\fB\1\\fR/' $(2) - @ sed -i -e 's/^ \[ \([^ ]*\)/ [ \\fB\1\\fR/' $(2) -endef - -%.8: %.8.txt - $(call create-manpage,$<,$@) - -manpage: $(MANPAGES) - -clean: - rm -f $(MANPAGES) - rm -f $(XML) diff --git a/src/man/anyrtpproxy.8.txt b/src/man/anyrtpproxy.8.txt deleted file mode 100644 index a92d2e6..0000000 --- a/src/man/anyrtpproxy.8.txt +++ /dev/null @@ -1,150 +0,0 @@ -anyrtpproxy(8) -============== - -NAME ----- -anyrtpproxy - anycast rtpproxy - -SYNOPSIS --------- - -.... -anyrtpproxy - [ -h|--help ] - [ -D|--nodaemonize ] - [ -C|--chroot ] - [ -u|--username <username> ] - [ -H|--chroot-dir <directory> ] - [ -P|--write-pid <filename> ] - [ -i|--interface <ip-address> ] - [ -s|--control <hostname|ip>[:<port>] ] - [ -p|--port-range <start> <end> ] - [ -n|--nat ] - [ -o|--no-nat-once ] - [ -S|--sync-port port> ] - [ -M|--sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]] ] -.... - - -DESCRIPTION ------------ - -*anyrtpproxy* is a rtpproxy which can be used in combination with anycast. It uses -the same control protocol than rtpproxy though it can be controled through the nathelper -plugin of openser. *anyrtpproxy* uses the same synchronisation protocol than *Anytun* -to sync the session information among all anycast instances. - - -OPTIONS -------- - -*-D, --nodaemonize*:: - This option instructs *anyrtpproxy* to run in the foreground - instead of becoming a daemon. - -*-C, --chroot*:: - chroot and drop privileges - -*-u, --username <username>*:: - if chroot change to this user - -*-H, --chroot-dir <directory>*:: - chroot to this directory - -*-P, --write-pid <filename>*:: - write pid to this file - -*-i, --interface <ip address>*:: - The local interface to listen on for RTP packets - -*-s, --control <hostname|ip>[:<port>]*:: - The local address and port to listen on for control messages from openser - -*-p, --port-range <start> <end>*:: - A pool of ports which should be used by *anyrtpproxy* to relay RTP packets. - The range may not overlap between the anycast instances - -*-n, --nat*:: - Allow to learn the remote address and port in order to handle clients behind nat. - This option should only be enabled if the source is authenticated (i.e. through - *anytun*) - -*-o, --no-nat-once*:: - Disable learning of remote address and port in case the first packet does not - come from the client which is specified by openser during configuration. Invoking - this parameter increases the security level of the system but in case of nat needs - a working nat transversal such as stun. - -*-S, --sync-port <port>*:: - local unicast(sync) port to bind to + - This port is used by anycast hosts to synchronize information about tunnel - endpoints. No payload data is transmitted via this port. + - It is possible to obtain a list of active connections by telnetting into - this port. This port is read-only and unprotected by default. It is advised - to protect this port using firewall rules and, eventually, IPsec. - -*-M, --sync-hosts <hostname|ip>:<port>,[<hostname|ip>:<port>[...]]*:: - remote hosts to sync with + - Here, one has to specify all unicast IP addresses of all - other anycast hosts that comprise the anycast tunnel endpoint. - -EXAMPLES --------- - -Anycast Setup with 3 instances: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -On the host with unicast hostname unicast1.anycast.anytun.org and anycast -hostname anycast.anytun.org: --------------------------------------------------------------------------------------- -# anyrtpproxy -i anycast.anytun.org -p 20000 25000 -S 2342 \ - -M unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342 --------------------------------------------------------------------------------------- - -On the host with unicast hostname unicast2.anycast.anytun.org and anycast -hostname anycast.anytun.org: --------------------------------------------------------------------------------------- -# anyrtpproxy -i anycast.anytun.org -p 25000 30000 -S 2342 \ - -M unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342 --------------------------------------------------------------------------------------- - -On the host with unicast hostname unicast3.anycast.anytun.org and anycast -hostname anycast.anytun.org: --------------------------------------------------------------------------------------- -# anyrtpproxy -i anycast.anytun.org -p 30000 35000 -S 2342 \ - -M unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342 --------------------------------------------------------------------------------------- - - -BUGS ----- -Most likely there are some bugs in *anyrtpproxy*. If you find a bug, please let -the developers know at satp@anytun.org. Of course, patches are preferred. - -SEE ALSO --------- -anytun(8) - -AUTHORS -------- - -Othmar Gsenger <otti@anytun.org> -Erwin Nindl <nine@anytun.org> -Christian Pointner <equinox@anytun.org> - - -RESOURCES ---------- - -Main web site: http://www.anytun.org/ - - -COPYING -------- - -Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian -Pointner. This program is free software: you can redistribute it -and/or modify it under the terms of the GNU General Public License -as published by the Free Software Foundation, either version 3 of -the License, or any later version. - diff --git a/src/man/anytun-config.8.txt b/src/man/anytun-config.8.txt deleted file mode 100644 index 6a80b4d..0000000 --- a/src/man/anytun-config.8.txt +++ /dev/null @@ -1,173 +0,0 @@ -anytun-config(8) -================ - -NAME ----- -anytun-config - anycast tunneling configuration utility - -SYNOPSIS --------- - -.... -anytun-config - [ -h|--help ] - [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] - [ -r|--remote-host <hostname|ip> ] - [ -o|--remote-port <port> ] - [ -4|--ipv4-only ] - [ -6|--ipv6-only ] - [ -R|--route <net>/<prefix length> ] - [ -m|--mux <mux-id> ] - [ -w|--window-size <window size> ] - [ -k|--kd-prf <kd-prf type> ] - [ -e|--role <role> ] - [ -E|--passphrase <pass phrase> ] - [ -K|--key <master key> ] - [ -A|--salt <master salt> ] -.... - -DESCRIPTION ------------ - -*anytun-config* writes routing/connection table entries, that can be read by *anytun-controld*. - -OPTIONS -------- - -*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*:: - add log target to logging system. This can be invoked several times - in order to log to different targets at the same time. Every target - hast its own log level which is a number between 0 and 5. Where 0 means - disabling log and 5 means debug messages are enabled. + - The file target can be used more the once with different levels. - If no target is provided at the command line a single target with the - config *syslog:3,anytun-config,daemon* is added. + - The following targets are supported: - - *syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]] - *file*;; log to file, parameters <level>[,<path>] - *stdout*;; log to standard output, parameters <level> - *stderr*;; log to standard error, parameters <level> - -*-r, --remote-host <hostname|ip>*:: - This option can be used to specify the remote tunnel - endpoint. In case of anycast tunnel endpoints, the - anycast IP address has to be used. If you do not specify - an address, it is automatically determined after receiving - the first data packet. - -*-o, --remote-port <port>*:: - The UDP port used for payload data by the remote host - (specified with -p on the remote host). If you do not specify - a port, it is automatically determined after receiving - the first data packet. - -*-4, --ipv4-only*:: - Resolv to IPv4 addresses only. The default is to resolv both - IPv4 and IPv6 addresses. - -*-6, --ipv6-only*:: - Resolv to IPv6 addresses only. The default is to resolv both - IPv4 and IPv6 addresses. - -*-R, --route <net>/<prefix length>*:: - add a route to connection. This can be invoked several times. - -*-m, --mux <mux-id>*:: - the multiplex id to use. default: 0 - -*-w, --window-size <window size>*:: - seqence window size + - Sometimes, packets arrive out of order on the receiver - side. This option defines the size of a list of received - packets' sequence numbers. If, according to this list, - a received packet has been previously received or has - been transmitted in the past, and is therefore not in - the list anymore, this is interpreted as a replay attack - and the packet is dropped. A value of 0 deactivates this - list and, as a consequence, the replay protection employed - by filtering packets according to their secuence number. - By default the sequence window is disabled and therefore a - window size of 0 is used. - -*-k, --kd--prf <kd-prf type>*:: - key derivation pseudo random function + - The pseudo random function which is used for calculating the - session keys and session salt. + - Possible values: - - *null*;; no random function, keys and salt are set to 0..00 - *aes-ctr*;; AES in counter mode with 128 Bits, default value - *aes-ctr-128*;; AES in counter mode with 128 Bits - *aes-ctr-192*;; AES in counter mode with 192 Bits - *aes-ctr-256*;; AES in counter mode with 256 Bits - -*-e, --role <role>*:: - SATP uses different session keys for inbound and outbound traffic. The - role parameter is used to determine which keys to use for outbound or - inbound packets. On both sides of a vpn connection different roles have - to be used. Possible values are *left* and *right*. You may also use - *alice* or *server* as a replacement for *left* and *bob* or *client* as - a replacement for *right*. By default *left* is used. - -*-E, --passphrase <pass phrase>*:: - This passphrase is used to generate the master key and master salt. - For the master key the last n bits of the SHA256 digest of the - passphrase (where n is the length of the master key in bits) is used. - The master salt gets generated with the SHA1 digest. - You may force a specific key and or salt by using *--key* and *--salt*. - -*-K, --key <master key>*:: - master key to use for key derivation + - Master key in hexadecimal notation, e.g. - 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length - of 32, 48 or 64 characters (128, 192 or 256 bits). - -*-A, --salt <master salt>*:: - master salt to use for key derivation + - Master salt in hexadecimal notation, e.g. - 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length - of 28 characters (14 bytes). - - -EXAMPLES --------- - -Add a client with Connection ID (Mux) 12 and add 2 Routes to this client - ------------------------------------------------------------------------------------------------- -# anytun-config -w 0 -m 12 -K 0123456789ABCDEFFEDCBA9876543210 -A 0123456789ABCDDCBA9876543210 \ - -R 192.0.2.0/24 -R 192.168.1.1/32 -e server >> routingtable ------------------------------------------------------------------------------------------------- - -BUGS ----- -Most likely there are some bugs in *Anytun*. If you find a bug, please let -the developers know at satp@anytun.org. Of course, patches are preferred. - -SEE ALSO --------- -anytun(8), anytun-controld(8), anytun-showtables(8) - -AUTHORS -------- - -Othmar Gsenger <otti@anytun.org> -Erwin Nindl <nine@anytun.org> -Christian Pointner <equinox@anytun.org> - - -RESOURCES ---------- - -Main web site: http://www.anytun.org/ - - -COPYING -------- - -Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian -Pointner. This program is free software: you can redistribute it -and/or modify it under the terms of the GNU General Public License -as published by the Free Software Foundation, either version 3 of -the License, or any later version. diff --git a/src/man/anytun-controld.8.txt b/src/man/anytun-controld.8.txt deleted file mode 100644 index 0d3e0b8..0000000 --- a/src/man/anytun-controld.8.txt +++ /dev/null @@ -1,110 +0,0 @@ -anytun-controld(8) -================== - -NAME ----- -anytun-controld - anycast tunneling control daemon - -SYNOPSIS --------- - -.... -anytun-controld - [ -h|--help ] - [ -D|--nodaemonize ] - [ -u|--username <username> ] - [ -g|--groupname <groupname> ] - [ -C|--chroot <path> ] - [ -P|--write-pid <filename> ] - [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ] - [ -f|--file <path> ] - [ -X|--control-host < <host>[:port>] | :<port> > ] -.... - -DESCRIPTION ------------ - -*anytun-controld* configures the multi-connection support for *Anytun*. It reads a connection/routing table and outputs it via a tcp socket to all connected *Anytun* servers. When the control daemon is restarted with a new connection/routing table all *Anytun* servers automatically load the new configuration. Please make sure to protect that information as it contains the connection keys. - -OPTIONS -------- - -*-D, --nodaemonize*:: - This option instructs *anytun-controld* to run in foreground - instead of becoming a daemon which is the default. - -*-u, --username <username>*:: - run as this user. If no group is specified (*-g*) the default group of - the user is used. The default is to not drop privileges. - -*-g, --groupname <groupname>*:: - run as this group. If no username is specified (*-u*) this gets ignored. - The default is to not drop privileges. - -*-C, --chroot <path>*:: - Instruct *anytun-controld* to run in a chroot jail. The default is - to not run in chroot. - -*-P, --write-pid <filename>*:: - Instruct *anytun-controld* to write it's pid to this file. The default is - to not create a pid file. - -*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*:: - add log target to logging system. This can be invoked several times - in order to log to different targets at the same time. Every target - hast its own log level which is a number between 0 and 5. Where 0 means - disabling log and 5 means debug messages are enabled. + - The file target can be used more the once with different levels. - If no target is provided at the command line a single target with the - config *syslog:3,anytun-controld,daemon* is added. + - The following targets are supported: - - *syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]] - *file*;; log to file, parameters <level>[,<path>] - *stdout*;; log to standard output, parameters <level> - *stderr*;; log to standard error, parameters <level> - -*-f, --file <path>*:: - The path to the file which holds the sync information. - -*-X, --control-host <hostname|ip>[:<port>]*:: - fetch the config from this host. The default is not to use a control - host and therefore this is empty. Mind that the port can be omitted - in which case port 2323 is used. If you want to specify an - ipv6 address and a port you have to use [ and ] to seperate the address - from the port, eg.: [::1]:1234. If you want to use the default port - [ and ] can be omitted. - - -BUGS ----- -Most likely there are some bugs in *Anytun*. If you find a bug, please let -the developers know at satp@anytun.org. Of course, patches are preferred. - -SEE ALSO --------- -anytun(8), anytun-config(8), anytun-showtables(8) - -AUTHORS -------- - -Othmar Gsenger <otti@anytun.org> -Erwin Nindl <nine@anytun.org> -Christian Pointner <equinox@anytun.org> - - -RESOURCES ---------- - -Main web site: http://www.anytun.org/ - - -COPYING -------- - -Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian -Pointner. This program is free software: you can redistribute it -and/or modify it under the terms of the GNU General Public License -as published by the Free Software Foundation, either version 3 of -the License, or any later version. - diff --git a/src/man/anytun-showtables.8.txt b/src/man/anytun-showtables.8.txt deleted file mode 100644 index 3a1fa8d..0000000 --- a/src/man/anytun-showtables.8.txt +++ /dev/null @@ -1,71 +0,0 @@ -anytun-showtables(8) -==================== - -NAME ----- -anytun-showtables - anycast tunneling routing table visualization utility - -SYNOPSIS --------- - -.... -anytun-showtables -.... - -DESCRIPTION ------------ - -*anytun-showtables* displays routing and connection tables used by *Anytun*. It can be used to display a saved routing/connection table used by *anytun-controld* or to connect to a the sync port of *Anytun*. - -OPTIONS -------- - -This Tool does not take any options. It takes the sync information from -the standard input and prints the routing table to the standard output. - -EXAMPLES --------- - -Print routing table stored in local file - ------------------------------------------------------------------------------------ -# perl -ne 'chomp; print' < routingtable | ./anytun-showtables ------------------------------------------------------------------------------------ - -Print current routing table and watch changes - ------------------------------------------------------------------------------------ -# nc unicast1.anycast.anytun.org 23 | ./anytun-showtables ------------------------------------------------------------------------------------ - -BUGS ----- -Most likely there are some bugs in *Anytun*. If you find a bug, please let -the developers know at satp@anytun.org. Of course, patches are preferred. - -SEE ALSO --------- -anytun(8), anytun-controld(8), anytun-config(8) - -AUTHORS -------- - -Othmar Gsenger <otti@anytun.org> -Erwin Nindl <nine@anytun.org> -Christian Pointner <equinox@anytun.org> - - -RESOURCES ---------- - -Main web site: http://www.anytun.org/ - - -COPYING -------- - -Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian -Pointner. This program is free software: you can redistribute it -and/or modify it under the terms of the GNU General Public License -as published by the Free Software Foundation, either version 3 of -the License, or any later version. diff --git a/src/man/anytun.8.txt b/src/man/anytun.8.txt deleted file mode 100644 index 377bb2d..0000000 --- a/src/man/anytun.8.txt +++ /dev/null @@ -1,373 +0,0 @@ -anytun(8) -========= - -NAME ----- -anytun - anycast tunneling daemon - -SYNOPSIS --------- - -.... -anytun - [ -h|--help ] - [ -D|--nodaemonize ] - [ -u|--username <username> ] - [ -g|--groupname <groupname> ] - [ -C|--chroot <path> ] - [ -P|--write-pid <filename> ] - [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ] - [ -i|--interface <ip-address> ] - [ -p|--port <port> ] - [ -r|--remote-host <hostname|ip> ] - [ -o|--remote-port <port> ] - [ -4|--ipv4-only ] - [ -6|--ipv6-only ] - [ -I|--sync-interface <ip-address> ] - [ -S|--sync-port port> ] - [ -M|--sync-hosts <hostname|ip>[:<port>][,<hostname|ip>[:<port>][...]] ] - [ -X|--control-host <hostname|ip>[:<port>] - [ -d|--dev <name> ] - [ -t|--type <tun|tap> ] - [ -n|--ifconfig <local>/<prefix> ] - [ -x|--post-up-script <script> ] - [ -R|--route <net>/<prefix length> ] - [ -m|--mux <mux-id> ] - [ -s|--sender-id <sender id> ] - [ -w|--window-size <window size> ] - [ -k|--kd-prf <kd-prf type> ] - [ -e|--role <role> ] - [ -E|--passphrase <pass phrase> ] - [ -K|--key <master key> ] - [ -A|--salt <master salt> ] - [ -c|--cipher <cipher type> ] - [ -a|--auth-algo <algo type> ] - [ -b|--auth-tag-length <length> ] -.... - -DESCRIPTION ------------ - -*Anytun* is an implementation of the Secure Anycast Tunneling Protocol -(SATP). It provides a complete VPN solution similar to OpenVPN or -IPsec in tunnel mode. The main difference is that anycast allows a -setup of tunnels between an arbitrary combination of anycast, unicast -and multicast hosts. - -OPTIONS -------- - -*Anytun* has been designed as a peer to peer application, so there is -no difference between client and server. The following options can be -passed to the daemon: - -*-D, --nodaemonize*:: - This option instructs *Anytun* to run in foreground - instead of becoming a daemon which is the default. - -*-u, --username <username>*:: - run as this user. If no group is specified (*-g*) the default group of - the user is used. The default is to not drop privileges. - -*-g, --groupname <groupname>*:: - run as this group. If no username is specified (*-u*) this gets ignored. - The default is to not drop privileges. - -*-C, --chroot <path>*:: - Instruct *Anytun* to run in a chroot jail. The default is - to not run in chroot. - -*-P, --write-pid <filename>*:: - Instruct *Anytun* to write it's pid to this file. The default is - to not create a pid file. - -*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*:: - add log target to logging system. This can be invoked several times - in order to log to different targets at the same time. Every target - hast its own log level which is a number between 0 and 5. Where 0 means - disabling log and 5 means debug messages are enabled. + - The file target can be used more the once with different levels. - If no target is provided at the command line a single target with the - config *syslog:3,anytun,daemon* is added. + - The following targets are supported: - - *syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]] - *file*;; log to file, parameters <level>[,<path>] - *stdout*;; log to standard output, parameters <level> - *stderr*;; log to standard error, parameters <level> - -*-i, --interface <ip address>*:: - This IP address is used as the sender address for outgoing - packets. In case of anycast tunnel endpoints, the anycast - IP has to be used. In case of unicast endpoints, the - address is usually derived correctly from the routing - table. The default is to not use a special inteface and just - bind on all interfaces. - -*-p, --port <port>*:: - The local UDP port that is used to send and receive the - payload data. The two tunnel endpoints can use different - ports. If a tunnel endpoint consists of multiple anycast - hosts, all hosts have to use the same port. default: 4444 - -*-r, --remote-host <hostname|ip>*:: - This option can be used to specify the remote tunnel - endpoint. In case of anycast tunnel endpoints, the - anycast IP address has to be used. If you do not specify - an address, it is automatically determined after receiving - the first data packet. - -*-o, --remote-port <port>*:: - The UDP port used for payload data by the remote host - (specified with -p on the remote host). If you do not specify - a port, it is automatically determined after receiving - the first data packet. - -*-4, --ipv4-only*:: - Resolv to IPv4 addresses only. The default is to resolv both - IPv4 and IPv6 addresses. - -*-6, --ipv6-only*:: - Resolv to IPv6 addresses only. The default is to resolv both - IPv4 and IPv6 addresses. - -*-I, --sync-interface <ip-address>*:: - local unicast(sync) ip address to bind to + - This option is only needed for tunnel endpoints consisting - of multiple anycast hosts. The unicast IP address of - the anycast host can be used here. This is needed for - communication with the other anycast hosts. The default is to - not use a special inteface and just bind on all interfaces. However - this is only the case if synchronisation is active see *--sync-port*. - -*-S, --sync-port <port>*:: - local unicast(sync) port to bind to + - This option is only needed for tunnel endpoints - consisting of multiple anycast hosts. This port is used - by anycast hosts to synchronize information about tunnel - endpoints. No payload data is transmitted via this port. - By default the synchronisation is disabled an therefore the - port is kept empty. + - It is possible to obtain a list of active connections - by telnetting into this port. This port is read-only - and unprotected by default. It is advised to protect - this port using firewall rules and, eventually, IPsec. - -*-M, --sync-hosts <hostname|ip>[:<port>],[<hostname|ip>[:<port>][...]]*:: - remote hosts to sync with + - This option is only needed for tunnel endpoints consisting - of multiple anycast hosts. Here, one has to specify all - unicast IP addresses of all other anycast hosts that - comprise the anycast tunnel endpoint. By default synchronisation is - disabled and therefore this is empty. Mind that the port can be - omitted in which case port 2323 is used. If you want to specify an - ipv6 address and a port you have to use [ and ] to seperate the address - from the port, eg.: [::1]:1234. If you want to use the default port - [ and ] can be omitted. - -*-X, --control-host <hostname|ip>[:<port>]*:: - fetch the config from this host. The default is not to use a control - host and therefore this is empty. Mind that the port can be omitted - in which case port 2323 is used. If you want to specify an - ipv6 address and a port you have to use [ and ] to seperate the address - from the port, eg.: [::1]:1234. If you want to use the default port - [ and ] can be omitted. - -*-d, --dev <name>*:: - device name + - By default, tapN is used for Ethernet tunnel interfaces, - and tunN for IP tunnels, respectively. This option can - be used to manually override these defaults. - -*-t, --type <tun|tap>*:: - device type + - Type of the tunnels to create. Use tap for Ethernet - tunnels, tun for IP tunnels. - -*-n, --ifconfig <local>/<prefix>*:: - The local IP address and prefix length. The remote tunnel endpoint - has to use a different IP address in the same subnet. - - *<local>*;; the local IP address for the tun/tap device - *<prefix>*;; the prefix length of the network - -*-x, --post-up-script <script>*:: - This option instructs *Anytun* to run this script after the interface - is created. By default no script will be executed. - -*-R, --route <net>/<prefix length>*:: - add a route to connection. This can be invoked several times. - -*-m, --mux <mux-id>*:: - the multiplex id to use. default: 0 - -*-s, --sender-id <sender id>*:: - Each anycast tunnel endpoint needs a uniqe sender id - (1, 2, 3, ...). It is needed to distinguish the senders - in case of replay attacks. This option can be ignored on - unicast endpoints. default: 0 - -*-w, --window-size <window size>*:: - seqence window size + - Sometimes, packets arrive out of order on the receiver - side. This option defines the size of a list of received - packets' sequence numbers. If, according to this list, - a received packet has been previously received or has - been transmitted in the past, and is therefore not in - the list anymore, this is interpreted as a replay attack - and the packet is dropped. A value of 0 deactivates this - list and, as a consequence, the replay protection employed - by filtering packets according to their secuence number. - By default the sequence window is disabled and therefore a - window size of 0 is used. - -*-k, --kd--prf <kd-prf type>*:: - key derivation pseudo random function + - The pseudo random function which is used for calculating the - session keys and session salt. + - Possible values: - - *null*;; no random function, keys and salt are set to 0..00 - *aes-ctr*;; AES in counter mode with 128 Bits, default value - *aes-ctr-128*;; AES in counter mode with 128 Bits - *aes-ctr-192*;; AES in counter mode with 192 Bits - *aes-ctr-256*;; AES in counter mode with 256 Bits - -*-e, --role <role>*:: - SATP uses different session keys for inbound and outbound traffic. The - role parameter is used to determine which keys to use for outbound or - inbound packets. On both sides of a vpn connection different roles have - to be used. Possible values are *left* and *right*. You may also use - *alice* or *server* as a replacement for *left* and *bob* or *client* as - a replacement for *right*. By default *left* is used. - -*-E, --passphrase <pass phrase>*:: - This passphrase is used to generate the master key and master salt. - For the master key the last n bits of the SHA256 digest of the - passphrase (where n is the length of the master key in bits) is used. - The master salt gets generated with the SHA1 digest. - You may force a specific key and or salt by using *--key* and *--salt*. - -*-K, --key <master key>*:: - master key to use for key derivation + - Master key in hexadecimal notation, e.g. - 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length - of 32, 48 or 64 characters (128, 192 or 256 bits). - -*-A, --salt <master salt>*:: - master salt to use for key derivation + - Master salt in hexadecimal notation, e.g. - 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length - of 28 characters (14 bytes). - -*-c, --cipher <cipher type>*:: - payload encryption algorithm + - Encryption algorithm used for encrypting the payload + - Possible values: - - *null*;; no encryption - *aes-ctr*;; AES in counter mode with 128 Bits, default value - *aes-ctr-128*;; AES in counter mode with 128 Bits - *aes-ctr-192*;; AES in counter mode with 192 Bits - *aes-ctr-256*;; AES in counter mode with 256 Bits - -*-a, --auth-algo <algo type>*:: - message authentication algorithm + - This option sets the message authentication algorithm. + - If HMAC-SHA1 is used, the packet length is increased. The additional bytes - contain the authentication data. see *--auth-tag-length* for more info. + - Possible values: - - *null*;; no message authentication - *sha1*;; HMAC-SHA1, default value - -*-b, --auth-tag-length <length>*:: - The number of bytes to use for the auth tag. This value defaults to 10 bytes - unless the *null* auth algo is used in which case it defaults to 0. - - -EXAMPLES --------- - -P2P Setup between two unicast enpoints: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Host A: -^^^^^^^ - -anytun -r hostb.example.com -t tun -n 192.168.123.1/30 -c aes-ctr-256 -k aes-ctr-256 \ - -E have_a_very_safe_and_productive_day -e left - -Host B: -^^^^^^^ -anytun -r hosta.example.com -t tun -n 192.168.123.2/30 -c aes-ctr-256 -k aes-ctr-256 \ - -E have_a_very_safe_and_productive_day -e right - - -One unicast and one anycast tunnel endpoint: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Unicast tunnel endpoint: -^^^^^^^^^^^^^^^^^^^^^^^^ - -anytun -r anycast.anytun.org -d anytun0 -t tun -n 192.0.2.2/30 -a null -c null -w 0 -e client - -Anycast tunnel endpoints: -^^^^^^^^^^^^^^^^^^^^^^^^^ - -On the host with unicast hostname unicast1.anycast.anytun.org and anycast -hostname anycast.anytun.org: -------------------------------------------------------------------------------------------------- -# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \ - -S 2342 -M unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342 -------------------------------------------------------------------------------------------------- - -On the host with unicast hostname unicast2.anycast.anytun.org and anycast -hostname anycast.anytun.org: -------------------------------------------------------------------------------------------------- -# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \ - -S 2342 -M unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342 -------------------------------------------------------------------------------------------------- - -On the host with unicast hostname unicast3.anycast.anytun.org and anycast -hostname anycast.anytun.org: -------------------------------------------------------------------------------------------------- -# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \ - -S 2342 -M unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342 -------------------------------------------------------------------------------------------------- - -For more sophisticated examples (like multiple unicast endpoints to one -anycast tunnel endpoint) please consult the man page of anytun-config(8). - - -BUGS ----- -Most likely there are some bugs in *Anytun*. If you find a bug, please let -the developers know at satp@anytun.org. Of course, patches are preferred. - -SEE ALSO --------- -anytun-config(8), anytun-controld(8), anytun-showtables(8) - -AUTHORS -------- - -Othmar Gsenger <otti@anytun.org> -Erwin Nindl <nine@anytun.org> -Christian Pointner <equinox@anytun.org> - - -RESOURCES ---------- - -Main web site: http://www.anytun.org/ - - -COPYING -------- - -Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian -Pointner. This program is free software: you can redistribute it -and/or modify it under the terms of the GNU General Public License -as published by the Free Software Foundation, either version 3 of -the License, or any later version. |