summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--etc/anytun/client1/config110
-rwxr-xr-xetc/anytun/client1/post-up.sh2
-rw-r--r--etc/anytun/client2/config110
-rwxr-xr-xetc/anytun/client2/post-up.sh5
-rw-r--r--etc/anytun/client3/config110
-rwxr-xr-xetc/anytun/client3/post-up.sh5
-rw-r--r--etc/anytun/server/conf.d/client17
-rw-r--r--etc/anytun/server/conf.d/client249
-rw-r--r--etc/anytun/server/conf.d/client349
-rw-r--r--etc/anytun/server/config44
-rwxr-xr-xetc/anytun/server/post-up.sh18
11 files changed, 332 insertions, 177 deletions
diff --git a/etc/anytun/client1/config b/etc/anytun/client1/config
index 0b3c2d1..10e7ad1 100644
--- a/etc/anytun/client1/config
+++ b/etc/anytun/client1/config
@@ -1,52 +1,70 @@
-## Global Parameters
-## don't run in background
-#nodaemonize
-## the sender id to use (has to be unique for multible anycast servers)
-#sender-id 1
-## log to syslog with level of 3
-log syslog:3,anytun-client1,daemon
-## local anycast ip address to bind to
-#interface <ip-address>
-## local anycast(data) port to bind to
-#port 4444
-## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
-## local unicast(sync) port to bind to
-#sync-port 1234
-## remote hosts to sync with
-#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
-## Device name
-#dev anytun0
-# device type tun = ip/ipv6, tap = ethernet
+#############################
+## Main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
+mux 1
+
+## device type tun = ip/ipv6, tap = ethernet
type tun
+
## payload encryption algorithm
+#cipher null
+#cipher aes-ctr-128
+#cipher aes-ctr-192
+#cipher aes-ctr-256
cipher aes-ctr
-# cipher null
+
## message authentication algorithm
+#auth-algo null
auth-algo sha1
-# auth-algo null
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## local ip address to bind to (for tunnel data)
+## (if you run an anycast cluster this has to be the anycast ip address)
+#interface <ip-address>
+
+## local port to bind to (for tunnel data)
+## make sure to use a different port for every server and client!
+port 4444
+
+## log to syslog with a level of 3
+log syslog:3,anytun-client1,daemon
+
+#############################
+## Debug options #
+#############################
+
+## don't run in background
+#nodaemonize
+
+## additional log to standard output with a level of 5
+#log stdout:5
+
+#############################
+## Expert options #
+#############################
+
+## Device name
+#dev anytun0
+
## Automaticaly configure the interface an set a route
-## 1st argument the local address for the tun/tap device
-## 2nd argument is either the remote address(tun) or netmask(tap)
-#ifconfig <local> <remote|netmask>
-## Controll Host for multi client support
-#control-host 127.0.0.1:4445
-
-### Connection Parameters (for clients without config server)
-## Allow all ipv4 and ipv6 traffic
-## this does not set operating system routes
-route 0.0.0.0/0
-route ::/0
-## remote host
-remote-host example.com
-## remote port
-remote-port 4444
-##seqence number window size
-## 0 turns off replay protection (for manualk keying)
-window-size 0
-## the multiplex id to use
-mux 1
-## master key to use for encryption
-key 0123456789ABCDEF0123456789ABCDEF
-## master salt to use for encryption
-salt 0123456789ABCD0123456789ABCD
+##
+## We highly recommend the use of the post up script to do this
+##
+## the address hast to be supplied in CIDR notation
+#ifconfig <local>/<prefix length>
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 0123456789ABCDEF0123456789ABCDEF
+#salt 0123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
diff --git a/etc/anytun/client1/post-up.sh b/etc/anytun/client1/post-up.sh
index e9e3a8b..dd18fe5 100755
--- a/etc/anytun/client1/post-up.sh
+++ b/etc/anytun/client1/post-up.sh
@@ -5,7 +5,7 @@ ip link set dev $1 mtu 1400
ip addr add dev $1 192.168.123.1/24
ip addr add dev $1 fec0::1/128
-# Disable ICMP Redirects as they don't work within the tunnel
+# disable ICMP redirects as they don't work within the tunnel
echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
diff --git a/etc/anytun/client2/config b/etc/anytun/client2/config
index 007c58b..41da4d7 100644
--- a/etc/anytun/client2/config
+++ b/etc/anytun/client2/config
@@ -1,52 +1,70 @@
-## Global Parameters
-## don't run in background
-#nodaemonize
-## the sender id to use (has to be unique for multible anycast servers)
-#sender-id 1
-## log to syslog with level of 3
-log syslog:3,anytun-client2,daemon
-## local anycast ip address to bind to
-#interface <ip-address>
-## local anycast(data) port to bind to
-#port 4444
-## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
-## local unicast(sync) port to bind to
-#sync-port 1234
-## remote hosts to sync with
-#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
-## Device name
-#dev anytun0
-# device type tun = ip/ipv6, tap = ethernet
+#############################
+## Main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
+mux 2
+
+## device type tun = ip/ipv6, tap = ethernet
type tun
+
## payload encryption algorithm
+#cipher null
+#cipher aes-ctr-128
+#cipher aes-ctr-192
+#cipher aes-ctr-256
cipher aes-ctr
-# cipher null
+
## message authentication algorithm
+#auth-algo null
auth-algo sha1
-# auth-algo null
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## local ip address to bind to (for tunnel data)
+## (if you run an anycast cluster this has to be the anycast ip address)
+#interface <ip-address>
+
+## local port to bind to (for tunnel data)
+## make sure to use a different port for every server and client!
+port 4444
+
+## log to syslog with a level of 3
+log syslog:3,anytun-client2,daemon
+
+#############################
+## Debug options #
+#############################
+
+## don't run in background
+#nodaemonize
+
+## additional log to standard output with a level of 5
+#log stdout:5
+
+#############################
+## Expert options #
+#############################
+
+## Device name
+#dev anytun0
+
## Automaticaly configure the interface an set a route
-## 1st argument the local address for the tun/tap device
-## 2nd argument is either the remote address(tun) or netmask(tap)
-#ifconfig <local> <remote|netmask>
-## Controll Host for multi client support
-#control-host 127.0.0.1:4445
-
-### Connection Parameters (for clients without config server)
-## Allow all ipv4 and ipv6 traffic
-## this does not set operating system routes
-route 0.0.0.0/0
-route ::/0
-## remote host
-remote-host example.com
-## remote port
-remote-port 4444
-##seqence number window size
-## 0 turns off replay protection (for manualk keying)
-window-size 0
-## the multiplex id to use
-mux 2
-## master key to use for encryption
-key 2123456789ABCDEF0123456789ABCDEF
-## master salt to use for encryption
-salt 2123456789ABCD0123456789ABCD
+##
+## We highly recommend the use of the post up script to do this
+##
+## the address hast to be supplied in CIDR notation
+#ifconfig <local>/<prefix length>
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 2123456789ABCDEF0123456789ABCDEF
+#salt 2123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
diff --git a/etc/anytun/client2/post-up.sh b/etc/anytun/client2/post-up.sh
index 7ba0f90..9348f47 100755
--- a/etc/anytun/client2/post-up.sh
+++ b/etc/anytun/client2/post-up.sh
@@ -3,5 +3,10 @@
ip link set dev $1 up
ip link set dev $1 mtu 1400
ip addr add dev $1 192.168.123.2/24
+ip addr add dev $1 fec0::2/128
+
+# disable ICMP redirects as they don't work within the tunnel
+echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
exit 0
diff --git a/etc/anytun/client3/config b/etc/anytun/client3/config
index 972364c..2a97caa 100644
--- a/etc/anytun/client3/config
+++ b/etc/anytun/client3/config
@@ -1,52 +1,70 @@
-## Global Parameters
-## don't run in background
-#nodaemonize
-## the sender id to use (has to be unique for multible anycast servers)
-#sender-id 1
-## log to syslog with level of 3
-log syslog:3,anytun-client3,daemon
-## local anycast ip address to bind to
-#interface <ip-address>
-## local anycast(data) port to bind to
-#port 4444
-## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
-## local unicast(sync) port to bind to
-#sync-port 1234
-## remote hosts to sync with
-#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
-## Device name
-#dev anytun0
-# device type tun = ip/ipv6, tap = ethernet
+#############################
+## Main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
+mux 3
+
+## device type tun = ip/ipv6, tap = ethernet
type tun
+
## payload encryption algorithm
+#cipher null
+#cipher aes-ctr-128
+#cipher aes-ctr-192
+#cipher aes-ctr-256
cipher aes-ctr
-# cipher null
+
## message authentication algorithm
+#auth-algo null
auth-algo sha1
-# auth-algo null
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## local ip address to bind to (for tunnel data)
+## (if you run an anycast cluster this has to be the anycast ip address)
+#interface <ip-address>
+
+## local port to bind to (for tunnel data)
+## make sure to use a different port for every server and client!
+port 4444
+
+## log to syslog with a level of 3
+log syslog:3,anytun-client3,daemon
+
+#############################
+## Debug options #
+#############################
+
+## don't run in background
+#nodaemonize
+
+## additional log to standard output with a level of 5
+#log stdout:5
+
+#############################
+## Expert options #
+#############################
+
+## Device name
+#dev anytun0
+
## Automaticaly configure the interface an set a route
-## 1st argument the local address for the tun/tap device
-## 2nd argument is either the remote address(tun) or netmask(tap)
-#ifconfig <local> <remote|netmask>
-## Controll Host for multi client support
-#control-host 127.0.0.1:4445
-
-### Connection Parameters (for clients without config server)
-## Allow all ipv4 and ipv6 traffic
-## this does not set operating system routes
-route 0.0.0.0/0
-route ::/0
-## remote host
-remote-host example.com
-## remote port
-remote-port 4444
-##seqence number window size
-## 0 turns off replay protection (for manualk keying)
-window-size 0
-## the multiplex id to use
-mux 3
-## master key to use for encryption
-key 3123456789ABCDEF0123456789ABCDEF
-## master salt to use for encryption
-salt 3123456789ABCD0123456789ABCD
+##
+## We highly recommend the use of the post up script to do this
+##
+## the address hast to be supplied in CIDR notation
+#ifconfig <local>/<prefix length>
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 3123456789ABCDEF0123456789ABCDEF
+#salt 3123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
diff --git a/etc/anytun/client3/post-up.sh b/etc/anytun/client3/post-up.sh
index f93c347..330d5be 100755
--- a/etc/anytun/client3/post-up.sh
+++ b/etc/anytun/client3/post-up.sh
@@ -3,5 +3,10 @@
ip link set dev $1 up
ip link set dev $1 mtu 1400
ip addr add dev $1 192.168.123.3/24
+ip addr add dev $1 fec0::3/128
+
+# disable ICMP redirects as they don't work within the tunnel
+echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
+echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
exit 0
diff --git a/etc/anytun/server/conf.d/client1 b/etc/anytun/server/conf.d/client1
index 894fee7..71a14f8 100644
--- a/etc/anytun/server/conf.d/client1
+++ b/etc/anytun/server/conf.d/client1
@@ -11,7 +11,7 @@ mux 1
## this should be al least 30 characters
passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
-## Staticially configure remote address
+## staticially configure client address
## (autodetect if skiped)
#remote-host <hostname|ip>
#remote-port 4444
@@ -21,14 +21,14 @@ passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
#############################
## Internal Routing entries
-## multible routes allowed
+## multiple routes allowed
## make sure to also set a system route in the post-up script
route 192.168.123.1/32
route fec0::1/128
## Add a subnet route
## make sure to also set a system route in the post-up script
-#route 192.168.12.0/24
+#route 192.168.11.0/24
#route fec0:1::/48
@@ -40,6 +40,7 @@ route fec0::1/128
## (this replaces the passphrase)
#key 0123456789ABCDEF0123456789ABCDEF
#salt 0123456789ABCD0123456789ABCD
+
## Setting a window size > 0 will enable replay protection
## This most likely will only work with external rekeying
#window-size 0
diff --git a/etc/anytun/server/conf.d/client2 b/etc/anytun/server/conf.d/client2
index f875ed0..597c897 100644
--- a/etc/anytun/server/conf.d/client2
+++ b/etc/anytun/server/conf.d/client2
@@ -1,9 +1,46 @@
-route 192.168.123.2/32
-window-size 0
+#############################
+## main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
mux 2
-key 2123456789ABCDEF0123456789ABCDEF
-salt 2123456789ABCD0123456789ABCD
-## remote host (autodetect if skiped)
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## staticially configure client address
+## (autodetect if skiped)
#remote-host <hostname|ip>
-## remote host (autodetect if skiped)
#remote-port 4444
+
+#############################
+## routing options #
+#############################
+
+## Internal Routing entries
+## multiple routes allowed
+## make sure to also set a system route in the post-up script
+route 192.168.123.2/32
+route fec0::2/128
+
+## Add a subnet route
+## make sure to also set a system route in the post-up script
+#route 192.168.12.0/24
+#route fec0:2::/48
+
+
+#############################
+## Expert options #
+#############################
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 2123456789ABCDEF0123456789ABCDEF
+#salt 2123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
diff --git a/etc/anytun/server/conf.d/client3 b/etc/anytun/server/conf.d/client3
index 2108cb3..a3d7f25 100644
--- a/etc/anytun/server/conf.d/client3
+++ b/etc/anytun/server/conf.d/client3
@@ -1,9 +1,46 @@
-route 192.168.123.3/32
-window-size 0
+#############################
+## main options #
+#############################
+
+## Client ID
+## (has to be unique for each client)
mux 3
-key 3123456789ABCDEF0123456789ABCDEF
-salt 3123456789ABCD0123456789ABCD
-## remote host (autodetect if skiped)
+
+## Passphrase
+## this is used to generate the crypto-key and salt
+## this should be al least 30 characters
+passphrase Creating_VPN_Tunnels_With_Anytun_Is_Easy
+
+## staticially configure client address
+## (autodetect if skiped)
#remote-host <hostname|ip>
-## remote host (autodetect if skiped)
#remote-port 4444
+
+#############################
+## routing options #
+#############################
+
+## Internal Routing entries
+## multiple routes allowed
+## make sure to also set a system route in the post-up script
+route 192.168.123.3/32
+route fec0::3/128
+
+## Add a subnet route
+## make sure to also set a system route in the post-up script
+#route 192.168.13.0/24
+#route fec0:3::/48
+
+
+#############################
+## Expert options #
+#############################
+
+##Manually set encryption key and salt
+## (this replaces the passphrase)
+#key 3123456789ABCDEF0123456789ABCDEF
+#salt 3123456789ABCD0123456789ABCD
+
+## Setting a window size > 0 will enable replay protection
+## This most likely will only work with external rekeying
+#window-size 0
diff --git a/etc/anytun/server/config b/etc/anytun/server/config
index 2736b15..358cdbe 100644
--- a/etc/anytun/server/config
+++ b/etc/anytun/server/config
@@ -2,65 +2,77 @@
## multi connection support #
#############################
-## Controll Host for multi client support
-## This enables multi-connection support and split configuration files per client
-## Make sure to use a unique port for each server, when runnig multible servers
+## control host for multi-client support
+## This enables multi-connection support and splits configuration files per client
+## Make sure to use a unique port for each server, when runnig multiple servers
control-host 127.0.0.1:4444
#############################
## Main options #
#############################
-## Device name
-dev anytun0
-
-# device type tun = ip/ipv6, tap = ethernet
+## device type tun = ip/ipv6, tap = ethernet
type tun
## payload encryption algorithm
-cipher aes-ctr
#cipher null
+#cipher aes-ctr-128
+#cipher aes-ctr-192
+#cipher aes-ctr-256
+cipher aes-ctr
## message authentication algorithm
-auth-algo sha1
#auth-algo null
+auth-algo sha1
## local ip address to bind to (for tunnel data)
-## (if you operate an anycast cluster this must be the anycast ip address)
+## (if you run an anycast cluster this has to be the anycast ip address)
#interface <ip-address>
## local port to bind to (for tunnel data)
## make sure to use a different port for every server and client!
port 4444
-## log to syslog with level of 3
+## log to syslog with a level of 3
log syslog:3,anytun-server,daemon
#############################
## Debug options #
#############################
+
## don't run in background
#nodaemonize
+## additional log to standard output with a level of 5
+#log stdout:5
+
+
#############################
## Expert options #
#############################
+
+## Device name
+#dev anytun0
+
## Automaticaly configure the interface an set a route
##
## We highly recommend the use of the post up script to do this
##
-## 1st argument the local address for the tun/tap device
-## 2nd argument is either the remote address(tun) or netmask(tap)
-#ifconfig <local> <remote|netmask>
+## the address hast to be supplied in CIDR notation
+#ifconfig <local>/<prefix length>
#############################
## Cluster options #
#############################
-## the sender id to use (has to be unique for multible anycast servers)
+
+## the sender id to use (has to be unique for multiple anycast servers)
#sender-id 1
+
## local unicast(sync) ip address to bind to
-# sync-interface <ip-address>
+#sync-interface <ip-address>
+
## local unicast(sync) port to bind to
#sync-port 1234
+
## remote hosts to sync with
#sync-hosts <hostname|ip>:<port>[,<hostname|ip>:<port>[...]]
diff --git a/etc/anytun/server/post-up.sh b/etc/anytun/server/post-up.sh
index dc30f09..9d585a1 100755
--- a/etc/anytun/server/post-up.sh
+++ b/etc/anytun/server/post-up.sh
@@ -2,24 +2,28 @@
ip link set dev $1 up
ip link set mtu 1400 dev $1
-# Add tunnel addresses
+# add tunnel addresses
ip addr add 192.168.123.254/24 dev $1
ip addr add fec0::fd/64 dev $1
-# Add routes to client subnets
-# you also have to add these routes to the client configuration file of one client
-# ip route add 192.168.12.0/24 dev $1
+# add routes to client subnets
+# you also have to add these routes to the client configuration file of each client
+# ip route add 192.168.11.0/24 dev $1
# ip route add fec0:1::/48 dev $1
+# ip route add 192.168.12.0/24 dev $1
+# ip route add fec0:2::/48 dev $1
+# ip route add 192.168.13.0/24 dev $1
+# ip route add fec0:3::/48 dev $1
-# Disable ICMP Redirects as they don't work within the tunnel
+# disable ICMP redirects as they don't work within the tunnel
echo 0 > /proc/sys/net/ipv4/conf/$1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/$1/accept_redirects
-# Enable Packet forwarding
+# enable packet forwarding
echo 1 > /proc/sys/net/ipv6/conf/$1/forwarding
echo 1 > /proc/sys/net/ipv4/conf/$1/forwarding
-# Enable Routing to lokal ethernet interface
+# enable routing to local ethernet interface
# echo 1 > /proc/sys/net/ipv6/conf/eth0/forwarding
# echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding