diff options
Diffstat (limited to 'src/man/anytun.8.txt')
| -rw-r--r-- | src/man/anytun.8.txt | 373 |
1 files changed, 0 insertions, 373 deletions
diff --git a/src/man/anytun.8.txt b/src/man/anytun.8.txt deleted file mode 100644 index 377bb2d..0000000 --- a/src/man/anytun.8.txt +++ /dev/null @@ -1,373 +0,0 @@ -anytun(8) -========= - -NAME ----- -anytun - anycast tunneling daemon - -SYNOPSIS --------- - -.... -anytun - [ -h|--help ] - [ -D|--nodaemonize ] - [ -u|--username <username> ] - [ -g|--groupname <groupname> ] - [ -C|--chroot <path> ] - [ -P|--write-pid <filename> ] - [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ] - [ -i|--interface <ip-address> ] - [ -p|--port <port> ] - [ -r|--remote-host <hostname|ip> ] - [ -o|--remote-port <port> ] - [ -4|--ipv4-only ] - [ -6|--ipv6-only ] - [ -I|--sync-interface <ip-address> ] - [ -S|--sync-port port> ] - [ -M|--sync-hosts <hostname|ip>[:<port>][,<hostname|ip>[:<port>][...]] ] - [ -X|--control-host <hostname|ip>[:<port>] - [ -d|--dev <name> ] - [ -t|--type <tun|tap> ] - [ -n|--ifconfig <local>/<prefix> ] - [ -x|--post-up-script <script> ] - [ -R|--route <net>/<prefix length> ] - [ -m|--mux <mux-id> ] - [ -s|--sender-id <sender id> ] - [ -w|--window-size <window size> ] - [ -k|--kd-prf <kd-prf type> ] - [ -e|--role <role> ] - [ -E|--passphrase <pass phrase> ] - [ -K|--key <master key> ] - [ -A|--salt <master salt> ] - [ -c|--cipher <cipher type> ] - [ -a|--auth-algo <algo type> ] - [ -b|--auth-tag-length <length> ] -.... - -DESCRIPTION ------------ - -*Anytun* is an implementation of the Secure Anycast Tunneling Protocol -(SATP). It provides a complete VPN solution similar to OpenVPN or -IPsec in tunnel mode. The main difference is that anycast allows a -setup of tunnels between an arbitrary combination of anycast, unicast -and multicast hosts. - -OPTIONS -------- - -*Anytun* has been designed as a peer to peer application, so there is -no difference between client and server. The following options can be -passed to the daemon: - -*-D, --nodaemonize*:: - This option instructs *Anytun* to run in foreground - instead of becoming a daemon which is the default. - -*-u, --username <username>*:: - run as this user. If no group is specified (*-g*) the default group of - the user is used. The default is to not drop privileges. - -*-g, --groupname <groupname>*:: - run as this group. If no username is specified (*-u*) this gets ignored. - The default is to not drop privileges. - -*-C, --chroot <path>*:: - Instruct *Anytun* to run in a chroot jail. The default is - to not run in chroot. - -*-P, --write-pid <filename>*:: - Instruct *Anytun* to write it's pid to this file. The default is - to not create a pid file. - -*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*:: - add log target to logging system. This can be invoked several times - in order to log to different targets at the same time. Every target - hast its own log level which is a number between 0 and 5. Where 0 means - disabling log and 5 means debug messages are enabled. + - The file target can be used more the once with different levels. - If no target is provided at the command line a single target with the - config *syslog:3,anytun,daemon* is added. + - The following targets are supported: - - *syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]] - *file*;; log to file, parameters <level>[,<path>] - *stdout*;; log to standard output, parameters <level> - *stderr*;; log to standard error, parameters <level> - -*-i, --interface <ip address>*:: - This IP address is used as the sender address for outgoing - packets. In case of anycast tunnel endpoints, the anycast - IP has to be used. In case of unicast endpoints, the - address is usually derived correctly from the routing - table. The default is to not use a special inteface and just - bind on all interfaces. - -*-p, --port <port>*:: - The local UDP port that is used to send and receive the - payload data. The two tunnel endpoints can use different - ports. If a tunnel endpoint consists of multiple anycast - hosts, all hosts have to use the same port. default: 4444 - -*-r, --remote-host <hostname|ip>*:: - This option can be used to specify the remote tunnel - endpoint. In case of anycast tunnel endpoints, the - anycast IP address has to be used. If you do not specify - an address, it is automatically determined after receiving - the first data packet. - -*-o, --remote-port <port>*:: - The UDP port used for payload data by the remote host - (specified with -p on the remote host). If you do not specify - a port, it is automatically determined after receiving - the first data packet. - -*-4, --ipv4-only*:: - Resolv to IPv4 addresses only. The default is to resolv both - IPv4 and IPv6 addresses. - -*-6, --ipv6-only*:: - Resolv to IPv6 addresses only. The default is to resolv both - IPv4 and IPv6 addresses. - -*-I, --sync-interface <ip-address>*:: - local unicast(sync) ip address to bind to + - This option is only needed for tunnel endpoints consisting - of multiple anycast hosts. The unicast IP address of - the anycast host can be used here. This is needed for - communication with the other anycast hosts. The default is to - not use a special inteface and just bind on all interfaces. However - this is only the case if synchronisation is active see *--sync-port*. - -*-S, --sync-port <port>*:: - local unicast(sync) port to bind to + - This option is only needed for tunnel endpoints - consisting of multiple anycast hosts. This port is used - by anycast hosts to synchronize information about tunnel - endpoints. No payload data is transmitted via this port. - By default the synchronisation is disabled an therefore the - port is kept empty. + - It is possible to obtain a list of active connections - by telnetting into this port. This port is read-only - and unprotected by default. It is advised to protect - this port using firewall rules and, eventually, IPsec. - -*-M, --sync-hosts <hostname|ip>[:<port>],[<hostname|ip>[:<port>][...]]*:: - remote hosts to sync with + - This option is only needed for tunnel endpoints consisting - of multiple anycast hosts. Here, one has to specify all - unicast IP addresses of all other anycast hosts that - comprise the anycast tunnel endpoint. By default synchronisation is - disabled and therefore this is empty. Mind that the port can be - omitted in which case port 2323 is used. If you want to specify an - ipv6 address and a port you have to use [ and ] to seperate the address - from the port, eg.: [::1]:1234. If you want to use the default port - [ and ] can be omitted. - -*-X, --control-host <hostname|ip>[:<port>]*:: - fetch the config from this host. The default is not to use a control - host and therefore this is empty. Mind that the port can be omitted - in which case port 2323 is used. If you want to specify an - ipv6 address and a port you have to use [ and ] to seperate the address - from the port, eg.: [::1]:1234. If you want to use the default port - [ and ] can be omitted. - -*-d, --dev <name>*:: - device name + - By default, tapN is used for Ethernet tunnel interfaces, - and tunN for IP tunnels, respectively. This option can - be used to manually override these defaults. - -*-t, --type <tun|tap>*:: - device type + - Type of the tunnels to create. Use tap for Ethernet - tunnels, tun for IP tunnels. - -*-n, --ifconfig <local>/<prefix>*:: - The local IP address and prefix length. The remote tunnel endpoint - has to use a different IP address in the same subnet. - - *<local>*;; the local IP address for the tun/tap device - *<prefix>*;; the prefix length of the network - -*-x, --post-up-script <script>*:: - This option instructs *Anytun* to run this script after the interface - is created. By default no script will be executed. - -*-R, --route <net>/<prefix length>*:: - add a route to connection. This can be invoked several times. - -*-m, --mux <mux-id>*:: - the multiplex id to use. default: 0 - -*-s, --sender-id <sender id>*:: - Each anycast tunnel endpoint needs a uniqe sender id - (1, 2, 3, ...). It is needed to distinguish the senders - in case of replay attacks. This option can be ignored on - unicast endpoints. default: 0 - -*-w, --window-size <window size>*:: - seqence window size + - Sometimes, packets arrive out of order on the receiver - side. This option defines the size of a list of received - packets' sequence numbers. If, according to this list, - a received packet has been previously received or has - been transmitted in the past, and is therefore not in - the list anymore, this is interpreted as a replay attack - and the packet is dropped. A value of 0 deactivates this - list and, as a consequence, the replay protection employed - by filtering packets according to their secuence number. - By default the sequence window is disabled and therefore a - window size of 0 is used. - -*-k, --kd--prf <kd-prf type>*:: - key derivation pseudo random function + - The pseudo random function which is used for calculating the - session keys and session salt. + - Possible values: - - *null*;; no random function, keys and salt are set to 0..00 - *aes-ctr*;; AES in counter mode with 128 Bits, default value - *aes-ctr-128*;; AES in counter mode with 128 Bits - *aes-ctr-192*;; AES in counter mode with 192 Bits - *aes-ctr-256*;; AES in counter mode with 256 Bits - -*-e, --role <role>*:: - SATP uses different session keys for inbound and outbound traffic. The - role parameter is used to determine which keys to use for outbound or - inbound packets. On both sides of a vpn connection different roles have - to be used. Possible values are *left* and *right*. You may also use - *alice* or *server* as a replacement for *left* and *bob* or *client* as - a replacement for *right*. By default *left* is used. - -*-E, --passphrase <pass phrase>*:: - This passphrase is used to generate the master key and master salt. - For the master key the last n bits of the SHA256 digest of the - passphrase (where n is the length of the master key in bits) is used. - The master salt gets generated with the SHA1 digest. - You may force a specific key and or salt by using *--key* and *--salt*. - -*-K, --key <master key>*:: - master key to use for key derivation + - Master key in hexadecimal notation, e.g. - 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length - of 32, 48 or 64 characters (128, 192 or 256 bits). - -*-A, --salt <master salt>*:: - master salt to use for key derivation + - Master salt in hexadecimal notation, e.g. - 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length - of 28 characters (14 bytes). - -*-c, --cipher <cipher type>*:: - payload encryption algorithm + - Encryption algorithm used for encrypting the payload + - Possible values: - - *null*;; no encryption - *aes-ctr*;; AES in counter mode with 128 Bits, default value - *aes-ctr-128*;; AES in counter mode with 128 Bits - *aes-ctr-192*;; AES in counter mode with 192 Bits - *aes-ctr-256*;; AES in counter mode with 256 Bits - -*-a, --auth-algo <algo type>*:: - message authentication algorithm + - This option sets the message authentication algorithm. + - If HMAC-SHA1 is used, the packet length is increased. The additional bytes - contain the authentication data. see *--auth-tag-length* for more info. + - Possible values: - - *null*;; no message authentication - *sha1*;; HMAC-SHA1, default value - -*-b, --auth-tag-length <length>*:: - The number of bytes to use for the auth tag. This value defaults to 10 bytes - unless the *null* auth algo is used in which case it defaults to 0. - - -EXAMPLES --------- - -P2P Setup between two unicast enpoints: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Host A: -^^^^^^^ - -anytun -r hostb.example.com -t tun -n 192.168.123.1/30 -c aes-ctr-256 -k aes-ctr-256 \ - -E have_a_very_safe_and_productive_day -e left - -Host B: -^^^^^^^ -anytun -r hosta.example.com -t tun -n 192.168.123.2/30 -c aes-ctr-256 -k aes-ctr-256 \ - -E have_a_very_safe_and_productive_day -e right - - -One unicast and one anycast tunnel endpoint: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Unicast tunnel endpoint: -^^^^^^^^^^^^^^^^^^^^^^^^ - -anytun -r anycast.anytun.org -d anytun0 -t tun -n 192.0.2.2/30 -a null -c null -w 0 -e client - -Anycast tunnel endpoints: -^^^^^^^^^^^^^^^^^^^^^^^^^ - -On the host with unicast hostname unicast1.anycast.anytun.org and anycast -hostname anycast.anytun.org: -------------------------------------------------------------------------------------------------- -# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \ - -S 2342 -M unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342 -------------------------------------------------------------------------------------------------- - -On the host with unicast hostname unicast2.anycast.anytun.org and anycast -hostname anycast.anytun.org: -------------------------------------------------------------------------------------------------- -# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \ - -S 2342 -M unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342 -------------------------------------------------------------------------------------------------- - -On the host with unicast hostname unicast3.anycast.anytun.org and anycast -hostname anycast.anytun.org: -------------------------------------------------------------------------------------------------- -# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \ - -S 2342 -M unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342 -------------------------------------------------------------------------------------------------- - -For more sophisticated examples (like multiple unicast endpoints to one -anycast tunnel endpoint) please consult the man page of anytun-config(8). - - -BUGS ----- -Most likely there are some bugs in *Anytun*. If you find a bug, please let -the developers know at satp@anytun.org. Of course, patches are preferred. - -SEE ALSO --------- -anytun-config(8), anytun-controld(8), anytun-showtables(8) - -AUTHORS -------- - -Othmar Gsenger <otti@anytun.org> -Erwin Nindl <nine@anytun.org> -Christian Pointner <equinox@anytun.org> - - -RESOURCES ---------- - -Main web site: http://www.anytun.org/ - - -COPYING -------- - -Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian -Pointner. This program is free software: you can redistribute it -and/or modify it under the terms of the GNU General Public License -as published by the Free Software Foundation, either version 3 of -the License, or any later version. |