diff options
-rw-r--r-- | doc/Makefile (renamed from src/man/Makefile) | 8 | ||||
-rw-r--r-- | doc/anyrtpproxy.8.txt (renamed from src/man/anyrtpproxy.8.txt) | 0 | ||||
-rw-r--r-- | doc/anytun-config.8 | 219 | ||||
-rw-r--r-- | doc/anytun-config.8.txt (renamed from src/man/anytun-config.8.txt) | 0 | ||||
-rw-r--r-- | doc/anytun-controld.8 | 127 | ||||
-rw-r--r-- | doc/anytun-controld.8.txt (renamed from src/man/anytun-controld.8.txt) | 0 | ||||
-rw-r--r-- | doc/anytun-showtables.8 | 73 | ||||
-rw-r--r-- | doc/anytun-showtables.8.txt (renamed from src/man/anytun-showtables.8.txt) | 0 | ||||
-rw-r--r-- | doc/anytun.8 | 487 | ||||
-rw-r--r-- | doc/anytun.8.txt (renamed from src/man/anytun.8.txt) | 0 | ||||
-rwxr-xr-x | etc/init.d/anytun | 2 | ||||
-rw-r--r-- | src/Makefile | 12 |
12 files changed, 918 insertions, 10 deletions
diff --git a/src/man/Makefile b/doc/Makefile index adc9919..4f8d8e8 100644 --- a/src/man/Makefile +++ b/doc/Makefile @@ -30,12 +30,12 @@ ## along with anytun. If not, see <http://www.gnu.org/licenses/>. ## -VERSION=$(shell cat ../../version) +VERSION=$(shell cat ../version) MANPAGES := anytun.8 anytun-controld.8 anytun-config.8 anytun-showtables.8 #anyrtpproxy.8 XML := $(MANPAGES:%.8=%.8.xml) -.PHONY: clean +.PHONY: clean realclean all: manpage @@ -53,5 +53,7 @@ endef manpage: $(MANPAGES) clean: - rm -f $(MANPAGES) rm -f $(XML) + +realclean: + rm -f $(MANPAGES) diff --git a/src/man/anyrtpproxy.8.txt b/doc/anyrtpproxy.8.txt index a92d2e6..a92d2e6 100644 --- a/src/man/anyrtpproxy.8.txt +++ b/doc/anyrtpproxy.8.txt diff --git a/doc/anytun-config.8 b/doc/anytun-config.8 new file mode 100644 index 0000000..317aa54 --- /dev/null +++ b/doc/anytun-config.8 @@ -0,0 +1,219 @@ +'\" t +.\" Title: anytun-config +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.75.1 <http://docbook.sf.net/> +.\" Date: 12/22/2009 +.\" Manual: anytun-config user manual +.\" Source: anytun trunk +.\" Language: English +.\" +.TH "ANYTUN\-CONFIG" "8" "12/22/2009" "anytun trunk" "anytun-config user manual" +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +anytun-config \- anycast tunneling configuration utility +.SH "SYNOPSIS" +.sp +.nf +\fBanytun\-config\fR + [ \fB\-h|\-\-help\fR ] + [ \fB\-L|\-\-log\fR <target>:<level>[,<param1>[,<param2>[\&.\&.]]] + [ \fB\-r|\-\-remote\-host\fR <hostname|ip> ] + [ \fB\-o|\-\-remote\-port\fR <port> ] + [ \fB\-4|\-\-ipv4\-only\fR ] + [ \fB\-6|\-\-ipv6\-only\fR ] + [ \fB\-R|\-\-route\fR <net>/<prefix length> ] + [ \fB\-m|\-\-mux\fR <mux\-id> ] + [ \fB\-w|\-\-window\-size\fR <window size> ] + [ \fB\-k|\-\-kd\-prf\fR <kd\-prf type> ] + [ \fB\-e|\-\-role\fR <role> ] + [ \fB\-E|\-\-passphrase\fR <pass phrase> ] + [ \fB\-K|\-\-key\fR <master key> ] + [ \fB\-A|\-\-salt\fR <master salt> ] +.fi +.SH "DESCRIPTION" +.sp +\fBanytun\-config\fR writes routing/connection table entries, that can be read by \fBanytun\-controld\fR\&. +.SH "OPTIONS" +.PP +\fB\-L, \-\-log <target>:<level>[,<param1>[,<param2>[\&.\&.]]]\fR +.RS 4 +add log target to logging system\&. This can be invoked several times in order to log to different targets at the same time\&. Every target hast its own log level which is a number between 0 and 5\&. Where 0 means disabling log and 5 means debug messages are enabled\&. + +The file target can be used more the once with different levels\&. If no target is provided at the command line a single target with the config +\fBsyslog:3,anytun\-config,daemon\fR +is added\&. + +The following targets are supported: +.PP +\fBsyslog\fR +.RS 4 +log to syslog daemon, parameters <level>[,<logname>[,<facility>]] +.RE +.PP +\fBfile\fR +.RS 4 +log to file, parameters <level>[,<path>] +.RE +.PP +\fBstdout\fR +.RS 4 +log to standard output, parameters <level> +.RE +.PP +\fBstderr\fR +.RS 4 +log to standard error, parameters <level> +.RE +.RE +.PP +\fB\-r, \-\-remote\-host <hostname|ip>\fR +.RS 4 +This option can be used to specify the remote tunnel endpoint\&. In case of anycast tunnel endpoints, the anycast IP address has to be used\&. If you do not specify an address, it is automatically determined after receiving the first data packet\&. +.RE +.PP +\fB\-o, \-\-remote\-port <port>\fR +.RS 4 +The UDP port used for payload data by the remote host (specified with \-p on the remote host)\&. If you do not specify a port, it is automatically determined after receiving the first data packet\&. +.RE +.PP +\fB\-4, \-\-ipv4\-only\fR +.RS 4 +Resolv to IPv4 addresses only\&. The default is to resolv both IPv4 and IPv6 addresses\&. +.RE +.PP +\fB\-6, \-\-ipv6\-only\fR +.RS 4 +Resolv to IPv6 addresses only\&. The default is to resolv both IPv4 and IPv6 addresses\&. +.RE +.PP +\fB\-R, \-\-route <net>/<prefix length>\fR +.RS 4 +add a route to connection\&. This can be invoked several times\&. +.RE +.PP +\fB\-m, \-\-mux <mux\-id>\fR +.RS 4 +the multiplex id to use\&. default: 0 +.RE +.PP +\fB\-w, \-\-window\-size <window size>\fR +.RS 4 +seqence window size + +Sometimes, packets arrive out of order on the receiver side\&. This option defines the size of a list of received packets\' sequence numbers\&. If, according to this list, a received packet has been previously received or has been transmitted in the past, and is therefore not in the list anymore, this is interpreted as a replay attack and the packet is dropped\&. A value of 0 deactivates this list and, as a consequence, the replay protection employed by filtering packets according to their secuence number\&. By default the sequence window is disabled and therefore a window size of 0 is used\&. +.RE +.PP +\fB\-k, \-\-kd\(emprf <kd\-prf type>\fR +.RS 4 +key derivation pseudo random function + +The pseudo random function which is used for calculating the session keys and session salt\&. + +Possible values: +.PP +\fBnull\fR +.RS 4 +no random function, keys and salt are set to 0\&.\&.00 +.RE +.PP +\fBaes\-ctr\fR +.RS 4 +AES in counter mode with 128 Bits, default value +.RE +.PP +\fBaes\-ctr\-128\fR +.RS 4 +AES in counter mode with 128 Bits +.RE +.PP +\fBaes\-ctr\-192\fR +.RS 4 +AES in counter mode with 192 Bits +.RE +.PP +\fBaes\-ctr\-256\fR +.RS 4 +AES in counter mode with 256 Bits +.RE +.RE +.PP +\fB\-e, \-\-role <role>\fR +.RS 4 +SATP uses different session keys for inbound and outbound traffic\&. The role parameter is used to determine which keys to use for outbound or inbound packets\&. On both sides of a vpn connection different roles have to be used\&. Possible values are +\fBleft\fR +and +\fBright\fR\&. You may also use +\fBalice\fR +or +\fBserver\fR +as a replacement for +\fBleft\fR +and +\fBbob\fR +or +\fBclient\fR +as a replacement for +\fBright\fR\&. By default +\fBleft\fR +is used\&. +.RE +.PP +\fB\-E, \-\-passphrase <pass phrase>\fR +.RS 4 +This passphrase is used to generate the master key and master salt\&. For the master key the last n bits of the SHA256 digest of the passphrase (where n is the length of the master key in bits) is used\&. The master salt gets generated with the SHA1 digest\&. You may force a specific key and or salt by using +\fB\-\-key\fR +and +\fB\-\-salt\fR\&. +.RE +.PP +\fB\-K, \-\-key <master key>\fR +.RS 4 +master key to use for key derivation + +Master key in hexadecimal notation, e\&.g\&. 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length of 32, 48 or 64 characters (128, 192 or 256 bits)\&. +.RE +.PP +\fB\-A, \-\-salt <master salt>\fR +.RS 4 +master salt to use for key derivation + +Master salt in hexadecimal notation, e\&.g\&. 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length of 28 characters (14 bytes)\&. +.RE +.SH "EXAMPLES" +.sp +Add a client with Connection ID (Mux) 12 and add 2 Routes to this client +.sp +.if n \{\ +.RS 4 +.\} +.nf +# anytun\-config \-w 0 \-m 12 \-K 0123456789ABCDEFFEDCBA9876543210 \-A 0123456789ABCDDCBA9876543210 \e + \-R 192\&.0\&.2\&.0/24 \-R 192\&.168\&.1\&.1/32 \-e server >> routingtable +.fi +.if n \{\ +.RE +.\} +.SH "BUGS" +.sp +Most likely there are some bugs in \fBAnytun\fR\&. If you find a bug, please let the developers know at satp@anytun\&.org\&. Of course, patches are preferred\&. +.SH "SEE ALSO" +.sp +anytun(8), anytun\-controld(8), anytun\-showtables(8) +.SH "AUTHORS" +.sp +Othmar Gsenger <otti@anytun\&.org> Erwin Nindl <nine@anytun\&.org> Christian Pointner <equinox@anytun\&.org> +.SH "RESOURCES" +.sp +Main web site: http://www\&.anytun\&.org/ +.SH "COPYING" +.sp +Copyright (C) 2007\-2009 Othmar Gsenger, Erwin Nindl and Christian Pointner\&. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version\&. diff --git a/src/man/anytun-config.8.txt b/doc/anytun-config.8.txt index 6a80b4d..6a80b4d 100644 --- a/src/man/anytun-config.8.txt +++ b/doc/anytun-config.8.txt diff --git a/doc/anytun-controld.8 b/doc/anytun-controld.8 new file mode 100644 index 0000000..7503857 --- /dev/null +++ b/doc/anytun-controld.8 @@ -0,0 +1,127 @@ +'\" t +.\" Title: anytun-controld +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.75.1 <http://docbook.sf.net/> +.\" Date: 12/22/2009 +.\" Manual: anytun-controld user manual +.\" Source: anytun trunk +.\" Language: English +.\" +.TH "ANYTUN\-CONTROLD" "8" "12/22/2009" "anytun trunk" "anytun-controld user manual" +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +anytun-controld \- anycast tunneling control daemon +.SH "SYNOPSIS" +.sp +.nf +\fBanytun\-controld\fR + [ \fB\-h|\-\-help\fR ] + [ \fB\-D|\-\-nodaemonize\fR ] + [ \fB\-u|\-\-username\fR <username> ] + [ \fB\-g|\-\-groupname\fR <groupname> ] + [ \fB\-C|\-\-chroot\fR <path> ] + [ \fB\-P|\-\-write\-pid\fR <filename> ] + [ \fB\-L|\-\-log\fR <target>:<level>[,<param1>[,<param2>[\&.\&.]]] ] + [ \fB\-f|\-\-file\fR <path> ] + [ \fB\-X|\-\-control\-host\fR < <host>[:port>] | :<port> > ] +.fi +.SH "DESCRIPTION" +.sp +\fBanytun\-controld\fR configures the multi\-connection support for \fBAnytun\fR\&. It reads a connection/routing table and outputs it via a tcp socket to all connected \fBAnytun\fR servers\&. When the control daemon is restarted with a new connection/routing table all \fBAnytun\fR servers automatically load the new configuration\&. Please make sure to protect that information as it contains the connection keys\&. +.SH "OPTIONS" +.PP +\fB\-D, \-\-nodaemonize\fR +.RS 4 +This option instructs +\fBanytun\-controld\fR +to run in foreground instead of becoming a daemon which is the default\&. +.RE +.PP +\fB\-u, \-\-username <username>\fR +.RS 4 +run as this user\&. If no group is specified (\fB\-g\fR) the default group of the user is used\&. The default is to not drop privileges\&. +.RE +.PP +\fB\-g, \-\-groupname <groupname>\fR +.RS 4 +run as this group\&. If no username is specified (\fB\-u\fR) this gets ignored\&. The default is to not drop privileges\&. +.RE +.PP +\fB\-C, \-\-chroot <path>\fR +.RS 4 +Instruct +\fBanytun\-controld\fR +to run in a chroot jail\&. The default is to not run in chroot\&. +.RE +.PP +\fB\-P, \-\-write\-pid <filename>\fR +.RS 4 +Instruct +\fBanytun\-controld\fR +to write it\(cqs pid to this file\&. The default is to not create a pid file\&. +.RE +.PP +\fB\-L, \-\-log <target>:<level>[,<param1>[,<param2>[\&.\&.]]]\fR +.RS 4 +add log target to logging system\&. This can be invoked several times in order to log to different targets at the same time\&. Every target hast its own log level which is a number between 0 and 5\&. Where 0 means disabling log and 5 means debug messages are enabled\&. + +The file target can be used more the once with different levels\&. If no target is provided at the command line a single target with the config +\fBsyslog:3,anytun\-controld,daemon\fR +is added\&. + +The following targets are supported: +.PP +\fBsyslog\fR +.RS 4 +log to syslog daemon, parameters <level>[,<logname>[,<facility>]] +.RE +.PP +\fBfile\fR +.RS 4 +log to file, parameters <level>[,<path>] +.RE +.PP +\fBstdout\fR +.RS 4 +log to standard output, parameters <level> +.RE +.PP +\fBstderr\fR +.RS 4 +log to standard error, parameters <level> +.RE +.RE +.PP +\fB\-f, \-\-file <path>\fR +.RS 4 +The path to the file which holds the sync information\&. +.RE +.PP +\fB\-X, \-\-control\-host <hostname|ip>[:<port>]\fR +.RS 4 +fetch the config from this host\&. The default is not to use a control host and therefore this is empty\&. Mind that the port can be omitted in which case port 2323 is used\&. If you want to specify an ipv6 address and a port you have to use [ and ] to seperate the address from the port, eg\&.: [::1]:1234\&. If you want to use the default port [ and ] can be omitted\&. +.RE +.SH "BUGS" +.sp +Most likely there are some bugs in \fBAnytun\fR\&. If you find a bug, please let the developers know at satp@anytun\&.org\&. Of course, patches are preferred\&. +.SH "SEE ALSO" +.sp +anytun(8), anytun\-config(8), anytun\-showtables(8) +.SH "AUTHORS" +.sp +Othmar Gsenger <otti@anytun\&.org> Erwin Nindl <nine@anytun\&.org> Christian Pointner <equinox@anytun\&.org> +.SH "RESOURCES" +.sp +Main web site: http://www\&.anytun\&.org/ +.SH "COPYING" +.sp +Copyright (C) 2007\-2009 Othmar Gsenger, Erwin Nindl and Christian Pointner\&. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version\&. diff --git a/src/man/anytun-controld.8.txt b/doc/anytun-controld.8.txt index 0d3e0b8..0d3e0b8 100644 --- a/src/man/anytun-controld.8.txt +++ b/doc/anytun-controld.8.txt diff --git a/doc/anytun-showtables.8 b/doc/anytun-showtables.8 new file mode 100644 index 0000000..a1230e4 --- /dev/null +++ b/doc/anytun-showtables.8 @@ -0,0 +1,73 @@ +'\" t +.\" Title: anytun-showtables +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.75.1 <http://docbook.sf.net/> +.\" Date: 12/22/2009 +.\" Manual: anytun-showtables user manual +.\" Source: anytun trunk +.\" Language: English +.\" +.TH "ANYTUN\-SHOWTABLES" "8" "12/22/2009" "anytun trunk" "anytun-showtables user manual" +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +anytun-showtables \- anycast tunneling routing table visualization utility +.SH "SYNOPSIS" +.sp +.nf +\fBanytun\-showtables\fR +.fi +.SH "DESCRIPTION" +.sp +\fBanytun\-showtables\fR displays routing and connection tables used by \fBAnytun\fR\&. It can be used to display a saved routing/connection table used by \fBanytun\-controld\fR or to connect to a the sync port of \fBAnytun\fR\&. +.SH "OPTIONS" +.sp +This Tool does not take any options\&. It takes the sync information from the standard input and prints the routing table to the standard output\&. +.SH "EXAMPLES" +.sp +Print routing table stored in local file +.sp +.if n \{\ +.RS 4 +.\} +.nf +# perl \-ne \'chomp; print\' < routingtable | \&./anytun\-showtables +.fi +.if n \{\ +.RE +.\} +.sp +Print current routing table and watch changes +.sp +.if n \{\ +.RS 4 +.\} +.nf +# nc unicast1\&.anycast\&.anytun\&.org 23 | \&./anytun\-showtables +.fi +.if n \{\ +.RE +.\} +.SH "BUGS" +.sp +Most likely there are some bugs in \fBAnytun\fR\&. If you find a bug, please let the developers know at satp@anytun\&.org\&. Of course, patches are preferred\&. +.SH "SEE ALSO" +.sp +anytun(8), anytun\-controld(8), anytun\-config(8) +.SH "AUTHORS" +.sp +Othmar Gsenger <otti@anytun\&.org> Erwin Nindl <nine@anytun\&.org> Christian Pointner <equinox@anytun\&.org> +.SH "RESOURCES" +.sp +Main web site: http://www\&.anytun\&.org/ +.SH "COPYING" +.sp +Copyright (C) 2007\-2009 Othmar Gsenger, Erwin Nindl and Christian Pointner\&. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version\&. diff --git a/src/man/anytun-showtables.8.txt b/doc/anytun-showtables.8.txt index 3a1fa8d..3a1fa8d 100644 --- a/src/man/anytun-showtables.8.txt +++ b/doc/anytun-showtables.8.txt diff --git a/doc/anytun.8 b/doc/anytun.8 new file mode 100644 index 0000000..f739978 --- /dev/null +++ b/doc/anytun.8 @@ -0,0 +1,487 @@ +'\" t +.\" Title: anytun +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.75.1 <http://docbook.sf.net/> +.\" Date: 12/22/2009 +.\" Manual: anytun user manual +.\" Source: anytun trunk +.\" Language: English +.\" +.TH "ANYTUN" "8" "12/22/2009" "anytun trunk" "anytun user manual" +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +anytun \- anycast tunneling daemon +.SH "SYNOPSIS" +.sp +.nf +\fBanytun\fR + [ \fB\-h|\-\-help\fR ] + [ \fB\-D|\-\-nodaemonize\fR ] + [ \fB\-u|\-\-username\fR <username> ] + [ \fB\-g|\-\-groupname\fR <groupname> ] + [ \fB\-C|\-\-chroot\fR <path> ] + [ \fB\-P|\-\-write\-pid\fR <filename> ] + [ \fB\-L|\-\-log\fR <target>:<level>[,<param1>[,<param2>[\&.\&.]]] ] + [ \fB\-i|\-\-interface\fR <ip\-address> ] + [ \fB\-p|\-\-port\fR <port> ] + [ \fB\-r|\-\-remote\-host\fR <hostname|ip> ] + [ \fB\-o|\-\-remote\-port\fR <port> ] + [ \fB\-4|\-\-ipv4\-only\fR ] + [ \fB\-6|\-\-ipv6\-only\fR ] + [ \fB\-I|\-\-sync\-interface\fR <ip\-address> ] + [ \fB\-S|\-\-sync\-port\fR port> ] + [ \fB\-M|\-\-sync\-hosts\fR <hostname|ip>[:<port>][,<hostname|ip>[:<port>][\&.\&.\&.]] ] + [ \fB\-X|\-\-control\-host\fR <hostname|ip>[:<port>] + [ \fB\-d|\-\-dev\fR <name> ] + [ \fB\-t|\-\-type\fR <tun|tap> ] + [ \fB\-n|\-\-ifconfig\fR <local>/<prefix> ] + [ \fB\-x|\-\-post\-up\-script\fR <script> ] + [ \fB\-R|\-\-route\fR <net>/<prefix length> ] + [ \fB\-m|\-\-mux\fR <mux\-id> ] + [ \fB\-s|\-\-sender\-id\fR <sender id> ] + [ \fB\-w|\-\-window\-size\fR <window size> ] + [ \fB\-k|\-\-kd\-prf\fR <kd\-prf type> ] + [ \fB\-e|\-\-role\fR <role> ] + [ \fB\-E|\-\-passphrase\fR <pass phrase> ] + [ \fB\-K|\-\-key\fR <master key> ] + [ \fB\-A|\-\-salt\fR <master salt> ] + [ \fB\-c|\-\-cipher\fR <cipher type> ] + [ \fB\-a|\-\-auth\-algo\fR <algo type> ] + [ \fB\-b|\-\-auth\-tag\-length\fR <length> ] +.fi +.SH "DESCRIPTION" +.sp +\fBAnytun\fR is an implementation of the Secure Anycast Tunneling Protocol (SATP)\&. It provides a complete VPN solution similar to OpenVPN or IPsec in tunnel mode\&. The main difference is that anycast allows a setup of tunnels between an arbitrary combination of anycast, unicast and multicast hosts\&. +.SH "OPTIONS" +.sp +\fBAnytun\fR has been designed as a peer to peer application, so there is no difference between client and server\&. The following options can be passed to the daemon: +.PP +\fB\-D, \-\-nodaemonize\fR +.RS 4 +This option instructs +\fBAnytun\fR +to run in foreground instead of becoming a daemon which is the default\&. +.RE +.PP +\fB\-u, \-\-username <username>\fR +.RS 4 +run as this user\&. If no group is specified (\fB\-g\fR) the default group of the user is used\&. The default is to not drop privileges\&. +.RE +.PP +\fB\-g, \-\-groupname <groupname>\fR +.RS 4 +run as this group\&. If no username is specified (\fB\-u\fR) this gets ignored\&. The default is to not drop privileges\&. +.RE +.PP +\fB\-C, \-\-chroot <path>\fR +.RS 4 +Instruct +\fBAnytun\fR +to run in a chroot jail\&. The default is to not run in chroot\&. +.RE +.PP +\fB\-P, \-\-write\-pid <filename>\fR +.RS 4 +Instruct +\fBAnytun\fR +to write it\(cqs pid to this file\&. The default is to not create a pid file\&. +.RE +.PP +\fB\-L, \-\-log <target>:<level>[,<param1>[,<param2>[\&.\&.]]]\fR +.RS 4 +add log target to logging system\&. This can be invoked several times in order to log to different targets at the same time\&. Every target hast its own log level which is a number between 0 and 5\&. Where 0 means disabling log and 5 means debug messages are enabled\&. + +The file target can be used more the once with different levels\&. If no target is provided at the command line a single target with the config +\fBsyslog:3,anytun,daemon\fR +is added\&. + +The following targets are supported: +.PP +\fBsyslog\fR +.RS 4 +log to syslog daemon, parameters <level>[,<logname>[,<facility>]] +.RE +.PP +\fBfile\fR +.RS 4 +log to file, parameters <level>[,<path>] +.RE +.PP +\fBstdout\fR +.RS 4 +log to standard output, parameters <level> +.RE +.PP +\fBstderr\fR +.RS 4 +log to standard error, parameters <level> +.RE +.RE +.PP +\fB\-i, \-\-interface <ip address>\fR +.RS 4 +This IP address is used as the sender address for outgoing packets\&. In case of anycast tunnel endpoints, the anycast IP has to be used\&. In case of unicast endpoints, the address is usually derived correctly from the routing table\&. The default is to not use a special inteface and just bind on all interfaces\&. +.RE +.PP +\fB\-p, \-\-port <port>\fR +.RS 4 +The local UDP port that is used to send and receive the payload data\&. The two tunnel endpoints can use different ports\&. If a tunnel endpoint consists of multiple anycast hosts, all hosts have to use the same port\&. default: 4444 +.RE +.PP +\fB\-r, \-\-remote\-host <hostname|ip>\fR +.RS 4 +This option can be used to specify the remote tunnel endpoint\&. In case of anycast tunnel endpoints, the anycast IP address has to be used\&. If you do not specify an address, it is automatically determined after receiving the first data packet\&. +.RE +.PP +\fB\-o, \-\-remote\-port <port>\fR +.RS 4 +The UDP port used for payload data by the remote host (specified with \-p on the remote host)\&. If you do not specify a port, it is automatically determined after receiving the first data packet\&. +.RE +.PP +\fB\-4, \-\-ipv4\-only\fR +.RS 4 +Resolv to IPv4 addresses only\&. The default is to resolv both IPv4 and IPv6 addresses\&. +.RE +.PP +\fB\-6, \-\-ipv6\-only\fR +.RS 4 +Resolv to IPv6 addresses only\&. The default is to resolv both IPv4 and IPv6 addresses\&. +.RE +.PP +\fB\-I, \-\-sync\-interface <ip\-address>\fR +.RS 4 +local unicast(sync) ip address to bind to + +This option is only needed for tunnel endpoints consisting of multiple anycast hosts\&. The unicast IP address of the anycast host can be used here\&. This is needed for communication with the other anycast hosts\&. The default is to not use a special inteface and just bind on all interfaces\&. However this is only the case if synchronisation is active see +\fB\-\-sync\-port\fR\&. +.RE +.PP +\fB\-S, \-\-sync\-port <port>\fR +.RS 4 +local unicast(sync) port to bind to + +This option is only needed for tunnel endpoints consisting of multiple anycast hosts\&. This port is used by anycast hosts to synchronize information about tunnel endpoints\&. No payload data is transmitted via this port\&. By default the synchronisation is disabled an therefore the port is kept empty\&. + +It is possible to obtain a list of active connections by telnetting into this port\&. This port is read\-only and unprotected by default\&. It is advised to protect this port using firewall rules and, eventually, IPsec\&. +.RE +.PP +\fB\-M, \-\-sync\-hosts <hostname|ip>[:<port>],[<hostname|ip>[:<port>][\&...]]\fR +.RS 4 +remote hosts to sync with + +This option is only needed for tunnel endpoints consisting of multiple anycast hosts\&. Here, one has to specify all unicast IP addresses of all other anycast hosts that comprise the anycast tunnel endpoint\&. By default synchronisation is disabled and therefore this is empty\&. Mind that the port can be omitted in which case port 2323 is used\&. If you want to specify an ipv6 address and a port you have to use [ and ] to seperate the address from the port, eg\&.: [::1]:1234\&. If you want to use the default port [ and ] can be omitted\&. +.RE +.PP +\fB\-X, \-\-control\-host <hostname|ip>[:<port>]\fR +.RS 4 +fetch the config from this host\&. The default is not to use a control host and therefore this is empty\&. Mind that the port can be omitted in which case port 2323 is used\&. If you want to specify an ipv6 address and a port you have to use [ and ] to seperate the address from the port, eg\&.: [::1]:1234\&. If you want to use the default port [ and ] can be omitted\&. +.RE +.PP +\fB\-d, \-\-dev <name>\fR +.RS 4 +device name + +By default, tapN is used for Ethernet tunnel interfaces, and tunN for IP tunnels, respectively\&. This option can be used to manually override these defaults\&. +.RE +.PP +\fB\-t, \-\-type <tun|tap>\fR +.RS 4 +device type + +Type of the tunnels to create\&. Use tap for Ethernet tunnels, tun for IP tunnels\&. +.RE +.PP +\fB\-n, \-\-ifconfig <local>/<prefix>\fR +.RS 4 +The local IP address and prefix length\&. The remote tunnel endpoint has to use a different IP address in the same subnet\&. +.PP +\fB<local>\fR +.RS 4 +the local IP address for the tun/tap device +.RE +.PP +\fB<prefix>\fR +.RS 4 +the prefix length of the network +.RE +.RE +.PP +\fB\-x, \-\-post\-up\-script <script>\fR +.RS 4 +This option instructs +\fBAnytun\fR +to run this script after the interface is created\&. By default no script will be executed\&. +.RE +.PP +\fB\-R, \-\-route <net>/<prefix length>\fR +.RS 4 +add a route to connection\&. This can be invoked several times\&. +.RE +.PP +\fB\-m, \-\-mux <mux\-id>\fR +.RS 4 +the multiplex id to use\&. default: 0 +.RE +.PP +\fB\-s, \-\-sender\-id <sender id>\fR +.RS 4 +Each anycast tunnel endpoint needs a uniqe sender id (1, 2, 3, \&...)\&. It is needed to distinguish the senders in case of replay attacks\&. This option can be ignored on unicast endpoints\&. default: 0 +.RE +.PP +\fB\-w, \-\-window\-size <window size>\fR +.RS 4 +seqence window size + +Sometimes, packets arrive out of order on the receiver side\&. This option defines the size of a list of received packets\' sequence numbers\&. If, according to this list, a received packet has been previously received or has been transmitted in the past, and is therefore not in the list anymore, this is interpreted as a replay attack and the packet is dropped\&. A value of 0 deactivates this list and, as a consequence, the replay protection employed by filtering packets according to their secuence number\&. By default the sequence window is disabled and therefore a window size of 0 is used\&. +.RE +.PP +\fB\-k, \-\-kd\(emprf <kd\-prf type>\fR +.RS 4 +key derivation pseudo random function + +The pseudo random function which is used for calculating the session keys and session salt\&. + +Possible values: +.PP +\fBnull\fR +.RS 4 +no random function, keys and salt are set to 0\&.\&.00 +.RE +.PP +\fBaes\-ctr\fR +.RS 4 +AES in counter mode with 128 Bits, default value +.RE +.PP +\fBaes\-ctr\-128\fR +.RS 4 +AES in counter mode with 128 Bits +.RE +.PP +\fBaes\-ctr\-192\fR +.RS 4 +AES in counter mode with 192 Bits +.RE +.PP +\fBaes\-ctr\-256\fR +.RS 4 +AES in counter mode with 256 Bits +.RE +.RE +.PP +\fB\-e, \-\-role <role>\fR +.RS 4 +SATP uses different session keys for inbound and outbound traffic\&. The role parameter is used to determine which keys to use for outbound or inbound packets\&. On both sides of a vpn connection different roles have to be used\&. Possible values are +\fBleft\fR +and +\fBright\fR\&. You may also use +\fBalice\fR +or +\fBserver\fR +as a replacement for +\fBleft\fR +and +\fBbob\fR +or +\fBclient\fR +as a replacement for +\fBright\fR\&. By default +\fBleft\fR +is used\&. +.RE +.PP +\fB\-E, \-\-passphrase <pass phrase>\fR +.RS 4 +This passphrase is used to generate the master key and master salt\&. For the master key the last n bits of the SHA256 digest of the passphrase (where n is the length of the master key in bits) is used\&. The master salt gets generated with the SHA1 digest\&. You may force a specific key and or salt by using +\fB\-\-key\fR +and +\fB\-\-salt\fR\&. +.RE +.PP +\fB\-K, \-\-key <master key>\fR +.RS 4 +master key to use for key derivation + +Master key in hexadecimal notation, e\&.g\&. 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length of 32, 48 or 64 characters (128, 192 or 256 bits)\&. +.RE +.PP +\fB\-A, \-\-salt <master salt>\fR +.RS 4 +master salt to use for key derivation + +Master salt in hexadecimal notation, e\&.g\&. 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length of 28 characters (14 bytes)\&. +.RE +.PP +\fB\-c, \-\-cipher <cipher type>\fR +.RS 4 +payload encryption algorithm + +Encryption algorithm used for encrypting the payload + +Possible values: +.PP +\fBnull\fR +.RS 4 +no encryption +.RE +.PP +\fBaes\-ctr\fR +.RS 4 +AES in counter mode with 128 Bits, default value +.RE +.PP +\fBaes\-ctr\-128\fR +.RS 4 +AES in counter mode with 128 Bits +.RE +.PP +\fBaes\-ctr\-192\fR +.RS 4 +AES in counter mode with 192 Bits +.RE +.PP +\fBaes\-ctr\-256\fR +.RS 4 +AES in counter mode with 256 Bits +.RE +.RE +.PP +\fB\-a, \-\-auth\-algo <algo type>\fR +.RS 4 +message authentication algorithm + +This option sets the message authentication algorithm\&. + +If HMAC\-SHA1 is used, the packet length is increased\&. The additional bytes contain the authentication data\&. see +\fB\-\-auth\-tag\-length\fR +for more info\&. + +Possible values: +.PP +\fBnull\fR +.RS 4 +no message authentication +.RE +.PP +\fBsha1\fR +.RS 4 +HMAC\-SHA1, default value +.RE +.RE +.PP +\fB\-b, \-\-auth\-tag\-length <length>\fR +.RS 4 +The number of bytes to use for the auth tag\&. This value defaults to 10 bytes unless the +\fBnull\fR +auth algo is used in which case it defaults to 0\&. +.RE +.SH "EXAMPLES" +.SS "P2P Setup between two unicast enpoints:" +.sp +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBHost A:\fR +.RS 4 +.sp +anytun \-r hostb\&.example\&.com \-t tun \-n 192\&.168\&.123\&.1/30 \-c aes\-ctr\-256 \-k aes\-ctr\-256 \e \-E have_a_very_safe_and_productive_day \-e left +.RE +.sp +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBHost B:\fR +.RS 4 +.sp +anytun \-r hosta\&.example\&.com \-t tun \-n 192\&.168\&.123\&.2/30 \-c aes\-ctr\-256 \-k aes\-ctr\-256 \e \-E have_a_very_safe_and_productive_day \-e right +.RE +.SS "One unicast and one anycast tunnel endpoint:" +.sp +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBUnicast tunnel endpoint:\fR +.RS 4 +.sp +anytun \-r anycast\&.anytun\&.org \-d anytun0 \-t tun \-n 192\&.0\&.2\&.2/30 \-a null \-c null \-w 0 \-e client +.RE +.sp +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBAnycast tunnel endpoints:\fR +.RS 4 +.sp +On the host with unicast hostname unicast1\&.anycast\&.anytun\&.org and anycast hostname anycast\&.anytun\&.org: +.sp +.if n \{\ +.RS 4 +.\} +.nf +# anytun \-i anycast\&.anytun\&.org \-d anytun0 \-t tun \-n 192\&.0\&.2\&.1/30 \-a null \-c null \-w 0 \-e server \e + \-S 2342 \-M unicast2\&.anycast\&.anytun\&.org:2342,unicast3\&.anycast\&.anytun\&.org:2342 +.fi +.if n \{\ +.RE +.\} +.sp +On the host with unicast hostname unicast2\&.anycast\&.anytun\&.org and anycast hostname anycast\&.anytun\&.org: +.sp +.if n \{\ +.RS 4 +.\} +.nf +# anytun \-i anycast\&.anytun\&.org \-d anytun0 \-t tun \-n 192\&.0\&.2\&.1/30 \-a null \-c null \-w 0 \-e server \e + \-S 2342 \-M unicast1\&.anycast\&.anytun\&.org:2342,unicast3\&.anycast\&.anytun\&.org:2342 +.fi +.if n \{\ +.RE +.\} +.sp +On the host with unicast hostname unicast3\&.anycast\&.anytun\&.org and anycast hostname anycast\&.anytun\&.org: +.sp +.if n \{\ +.RS 4 +.\} +.nf +# anytun \-i anycast\&.anytun\&.org \-d anytun0 \-t tun \-n 192\&.0\&.2\&.1/30 \-a null \-c null \-w 0 \-e server \e + \-S 2342 \-M unicast1\&.anycast\&.anytun\&.org:2342,unicast2\&.anycast\&.anytun\&.org:2342 +.fi +.if n \{\ +.RE +.\} +.sp +For more sophisticated examples (like multiple unicast endpoints to one anycast tunnel endpoint) please consult the man page of anytun\-config(8)\&. +.RE +.SH "BUGS" +.sp +Most likely there are some bugs in \fBAnytun\fR\&. If you find a bug, please let the developers know at satp@anytun\&.org\&. Of course, patches are preferred\&. +.SH "SEE ALSO" +.sp +anytun\-config(8), anytun\-controld(8), anytun\-showtables(8) +.SH "AUTHORS" +.sp +Othmar Gsenger <otti@anytun\&.org> Erwin Nindl <nine@anytun\&.org> Christian Pointner <equinox@anytun\&.org> +.SH "RESOURCES" +.sp +Main web site: http://www\&.anytun\&.org/ +.SH "COPYING" +.sp +Copyright (C) 2007\-2009 Othmar Gsenger, Erwin Nindl and Christian Pointner\&. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version\&. diff --git a/src/man/anytun.8.txt b/doc/anytun.8.txt index 377bb2d..377bb2d 100644 --- a/src/man/anytun.8.txt +++ b/doc/anytun.8.txt diff --git a/etc/init.d/anytun b/etc/init.d/anytun index 3bf1e91..752eb8d 100755 --- a/etc/init.d/anytun +++ b/etc/init.d/anytun @@ -16,7 +16,7 @@ NAME=anytun DESC=anytun CONFIG_DIR=/etc/anytun VARCONFIG_DIR=/var/run/anytun-controld -VARRUN_DIR=/var/run/anytun +VARRUN_DIR=/var/run/$NAME/ test -x $DAEMON || exit 0 diff --git a/src/Makefile b/src/Makefile index 9d1b4b0..a53336e 100644 --- a/src/Makefile +++ b/src/Makefile @@ -182,7 +182,7 @@ distclean: cleanall rm -f include.mk cleanall: clean - $(MAKE) --directory=$(CURDIR)/man clean + $(MAKE) --directory="../doc" clean clean: rm -f *.o @@ -196,7 +196,7 @@ clean: $(MAKE) --directory=$(CURDIR)/anyrtpproxy clean manpage: - @cd man ; $(MAKE) + $(MAKE) --directory="../doc" manpage INSTALL_TARGETS := install-bin install-etc @@ -263,10 +263,10 @@ install-examples: install-man: manpage $(INSTALL) -d $(DESTDIR)$(MANDIR)/man8/ - $(INSTALL) -m 644 man/anytun.8 $(DESTDIR)$(MANDIR)/man8/ - $(INSTALL) -m 644 man/anytun-config.8 $(DESTDIR)$(MANDIR)/man8/ - $(INSTALL) -m 644 man/anytun-controld.8 $(DESTDIR)$(MANDIR)/man8/ - $(INSTALL) -m 644 man/anytun-showtables.8 $(DESTDIR)$(MANDIR)/man8/ + $(INSTALL) -m 644 ../doc/anytun.8 $(DESTDIR)$(MANDIR)/man8/ + $(INSTALL) -m 644 ../doc/anytun-config.8 $(DESTDIR)$(MANDIR)/man8/ + $(INSTALL) -m 644 ../doc/anytun-controld.8 $(DESTDIR)$(MANDIR)/man8/ + $(INSTALL) -m 644 ../doc/anytun-showtables.8 $(DESTDIR)$(MANDIR)/man8/ uninstall: remove |