summaryrefslogtreecommitdiff
path: root/src/man/anytun.8.txt
diff options
context:
space:
mode:
Diffstat (limited to 'src/man/anytun.8.txt')
-rw-r--r--src/man/anytun.8.txt350
1 files changed, 350 insertions, 0 deletions
diff --git a/src/man/anytun.8.txt b/src/man/anytun.8.txt
new file mode 100644
index 0000000..1de30bf
--- /dev/null
+++ b/src/man/anytun.8.txt
@@ -0,0 +1,350 @@
+anytun(8)
+=========
+
+NAME
+----
+anytun - anycast tunneling daemon
+
+SYNOPSIS
+--------
+
+*anytun*
+[ *-h|--help* ]
+[ *-D|--nodaemonize* ]
+[ *-C|--chroot* ]
+[ *-u|--username* <username> ]
+[ *-H|--chroot-dir* <directory> ]
+[ *-P|--write-pid* <filename> ]
+[ *-s|--sender-id* <sender id> ]
+[ *-i|--interface* <ip-address> ]
+[ *-p|--port* <port> ]
+[ *-I|--sync-interface* <ip-address> ]
+[ *-S|--sync-port* port> ]
+[ *-M|--sync-hosts* <hostname|ip>:<port>[,<hostname|ip>:<port>[...]] ]
+[ *-X|--control-host* <hostname|ip>:<port>
+[ *-r|--remote-host* <hostname|ip> ]
+[ *-o|--remote-port* <port> ]
+[ *-d|--dev* <name> ]
+[ *-t|--type* <tun|tap> ]
+[ *-n|--ifconfig* <local> <remote|netmask> ]
+[ *-x|--post-up-script* <script> ]
+[ *-w|--window-size* <window size> ]
+[ *-m|--mux* <mux-id> ]
+[ *-c|--cipher* <cipher type> ]
+[ *-K|--key* <master key> ]
+[ *-A|--salt* <master salt> ]
+[ *-a|--auth-algo* <algo type> ]
+
+DESCRIPTION
+-----------
+
+Anytun is an implementation of the Secure Anycast Tunneling Protocol
+(SATP). Anycast provides a complete VPN solution similar to OpenVPN or
+IPsec in tunnel mode. The main difference is that anycast enables the
+setup of tunnels between an arbitrary combination of anycast, unicast
+and multicast hosts.
+
+OPTIONS
+-------
+
+Anytun has been designed as a peer to peer application, so there is
+no difference between client and server. The following options can be
+passed to the daemon:
+
+-D|--nodaemonize
+~~~~~~~~~~~~~~~~
+
+This option instructs anytun to run in the foreground
+instead of becoming a daemon.
+
+
+-C|--chroot
+~~~~~~~~~~~
+
+chroot and drop privileges
+
+-u|--username <username>
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+if chroot change to this user
+
+-H|--chroot-dir <directory>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+chroot to this directory
+
+-P|--write-pid <filename>
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+write pid to this file
+
+-s|--sender-id <sender id>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Each anycast tunnel endpoint needs a uniqe sender id
+(1, 2, 3, ...). It is needed to distinguish the senders
+in case of replay attacks. This option is ignored by
+unicast endpoints.
+
+-i|--interface <ip address>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This IP address is used as the sender address for outgoing
+packets. In case of anycast tunnel endpoints, the anycast
+IP has to be used. In case of unicast endpoints, the
+address is usually derived correctly from the routing
+table.
+
+-p|--port <port>
+~~~~~~~~~~~~~~~~
+
+local anycast(data) port to bind to
+
+The local UDP port that is used to send and receive the
+payload data. The two tunnel endpoints can use different
+ports. If a tunnel endpoint consists of multiple anycast
+hosts, all hosts have to use the same port.
+
+-I|--sync-interface <ip-address>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+local unicast(sync) ip address to bind to
+
+This option is only needed for tunnel endpoints consisting
+of multiple anycast hosts. The unicast IP address of
+the anycast host can be used here. This is needed for
+communication with the other anycast hosts.
+
+-S|--sync-port <port>
+~~~~~~~~~~~~~~~~~~~~~
+
+local unicast(sync) port to bind to
+
+This option is only needed for tunnel endpoints
+consisting of multiple anycast hosts. This port is used
+by anycast hosts to synchronize information about tunnel
+endpoints. No payload data is transmitted via this port.
+
+It is possible to obtain a list of active connections
+by telnetting into this port. This port is read-only
+and unprotected by default. It is advised to protect
+this port using firewall rules and, eventually, IPsec.
+
+-M|--sync-hosts <hostname|ip>:<port>,[<hostname|ip>:<port>[...]]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+remote hosts to sync with
+
+This option is only needed for tunnel endpoints consisting
+of multiple anycast hosts. Here, one has to specify all
+unicast IP addresses of all other anycast hosts that
+comprise the anycast tunnel endpoint.
+
+-X|--control-host <hostname|ip>:<port>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+fetch the config from this host
+
+-r|--remote-host <hostname|ip>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+remote host
+
+This option can be used to specify the remote tunnel
+endpoint. In case of anycast tunnel endpoints, the
+anycast IP address has to be used. If you do not specify
+an address, it is automatically determined after receiving
+the first data packet.
+
+-o|--remote-port <port>
+~~~~~~~~~~~~~~~~~~~~~~~
+remote port
+
+The UDP port used for payload data by the remote host
+(specified with -p on the remote host).
+
+-d|--dev <name>
+~~~~~~~~~~~~~~~
+device name
+
+By default, tap0 is used for Ethernet tunnel interfaces,
+and tun0 for IP tunnels, respectively. This option can
+be used to manually override these defaults.
+
+-t|--type <tun|tap>
+~~~~~~~~~~~~~~~~~~~
+
+device type
+
+Type of the tunnels to create. Use tap for Ethernet
+tunnels, tun for IP tunnels.
+
+-n|--ifconfig <local> <remote|netmask>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*<local>* the local IP address for the tun/tap device
+
+*<remote|netmask>* the remote IP address (tun) or netmask (tap)
+
+In tap/Ethernet tunnel mode:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The local IP address and subnet mask of the tunnel
+interface, in ifconfig style. The remote tunnel endpoint
+has to use a different IP address in the same subnet.
+
+In tun/IP tunnel mode:
+
+The local IP address of the tunnel interface ant the
+IP address of the tunnel interface on the remote tunnel
+endpoint.
+
+-x|--post-up-script <script>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+script gets called after interface is created
+
+-w|--window-size <window size>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+seqence window size
+
+Sometimes, packets arrive out of order on the receiver
+side. This option defines the size of a list of received
+packets' sequence numbers. If, according to this list,
+a received packet has been previously received or has
+been transmitted in the past, and is therefore not in
+the list anymore, this is interpreted as a replay attack
+and the packet is dropped. A value of 0 deactivates this
+list and, as a consequence, the replay protection employed
+by filtering packets according to their secuence number.
+
+-m|--mux <mux-id>
+~~~~~~~~~~~~~~~~~
+
+the multiplex id to use
+
+-c|--cipher <cipher type>
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+payload encryption algorithm
+
+Encryption algorithm used for encrypting the payload
+
+Possible values:
+
+* *null* - no encryption
+* *aes-ctr* - AES in counter mode
+
+-K|--key <master key>
+~~~~~~~~~~~~~~~~~~~~~
+
+master key to use for encryption
+
+Master key in hexadecimal notation, eg
+01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length
+of 32 characters (16 bytes).
+
+-A|--salt <master salt>
+~~~~~~~~~~~~~~~~~~~~~~~
+
+master salt to use for encryption
+
+Master salt in hexadecimal notation, eg
+01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length
+of 28 characters (14 bytes).
+
+-a|--auth-algo <algo type>
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+message authentication algorithm
+
+This option sets the message authentication algorithm.
+
+Possible values:
+
+* *null* - no message authentication
+* *sha1* - HMAC-SHA1
+
+If HMAC-SHA1 is used, the packet length is increased by
+10 bytes. These 10 bytes contain the authentication data.
+
+EXAMPLES
+--------
+
+One unicast and one anycast tunnel endpoint:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Unicast tunnel endpoint:
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+anytun -r anycast.anytun.org -d anytun0 -t tun -n 192.0.2.2
+192.0.2.1 -w 0 -c null
+
+Anycast tunnel endpoints:
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+On the host with unicast hostname unicast1.anycast.anytun.org and anycast
+hostname anycast.anytun.org:
+--------------------------------------------------------------------------------------
+# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 \
+ -M unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342
+--------------------------------------------------------------------------------------
+
+On the host with unicast hostname unicast2.anycast.anytun.org and anycast
+hostname anycast.anytun.org:
+--------------------------------------------------------------------------------------
+# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 \
+ -M unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342
+--------------------------------------------------------------------------------------
+
+On the host with unicast hostname unicast3.anycast.anytun.org and anycast
+hostname anycast.anytun.org:
+--------------------------------------------------------------------------------------
+# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 \
+ -M unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342
+--------------------------------------------------------------------------------------
+
+For more sophisticated examples (like multiple unicast endpoints to one
+anycast tunnel endpoint) please consult the man page of anytun-config(8).
+
+
+BUGS
+----
+Most likely there are some bugs in anytun. If you find a bug, please let
+the developers know at satp@anytun.org. Of course, patches are preferred.
+
+SEE ALSO
+--------
+anytun-config(8), anytun-controld(8), anytun-showtables(8)
+
+AUTHORS
+-------
+Design of SATP and wizards of this implementation:
+
+Othmar Gsenger <otti@anytun.org>
+Erwin Nindl <nine@anytun.org>
+Christian Pointner <equinox@anytun.org>
+
+Debian packaging:
+
+Andreas Hirczy <ahi@itp.tu-graz.ac.at>
+
+Manual page:
+
+Alexander List <alex@debian.org>
+
+RESOURCES
+---------
+
+Main web site: http://www.anytun.org/
+
+
+COPYING
+-------
+
+Copyright \(C) 2007-2008 Othmar Gsenger, Erwin Nindl and Christian
+Pointner. This program is free software; you can redistribute
+it and/or modify it under the terms of the GNU General Public License
+version 2 as published by the Free Software Foundation.
+