Diffstat (limited to 'src/man/anytun.txt')
-rw-r--r-- | src/man/anytun.txt | 294 |
1 files changed, 294 insertions, 0 deletions
diff --git a/src/man/anytun.txt b/src/man/anytun.txt new file mode 100644 index 0000000..bdd8f3b --- /dev/null +++ b/src/man/anytun.txt 
@@ -0,0 +1,294 @@ +anytun(8) +========= + +NAME +---- +anytun - anycast tunneling daemon + +SYNOPSIS +-------- + +anytun [-h|--help] + [-D|--nodaemonize] + [-s|--sender-id ] <sender id> + [-i|--interface] <ip-address> + [-p|--port] <port> + [-I|--sync-interface] <ip-address> + [-S|--sync-port] <port> + [-M|--sync-hosts] <hostname|ip>:<port>[,<hostname|ip>:<port>[...]] + + [-r|--remote-host] <hostname|ip> + [-o|--remote-port] <port> + [-d|--dev] <name> + [-t|--type] <tun|tap> + [-n|--ifconfig] <local> + <remote|netmask> + [-w|--window-size] <window size> + [-c|--cipher] <cipher type> + [-K|--key] <master key> + [-A|--salt] <master salt> + [-k|--kd-prf] <kd-prf type> + [-a|--auth-algo] <algo type> + +DESCRIPTION +----------- + +Anytun is an implementation of the Secure Anycast Tunneling Protocol +(SATP). Anycast provides a complete VPN solution similar to OpenVPN or +IPsec in tunnel mode. The main difference is that anycast enables the +setup of tunnels between an arbitrary combination of anycast, unicast +and multicast hosts. + +OPTIONS +------- + +Anytun has been designed as a peer to peer application, so there is +no difference between client and server. The following options can be +passed to the daemon: + + [-D|--nodaemonize] + + This option instructs anytun to run in the foreground + instead of becoming a daemon. + + [-s|--sender-id ] <sender id> + + Each anycast tunnel endpoint needs a uniqe sender id + (1, 2, 3, ...). It is needed to distinguish the senders + in case of replay attacks. This option is ignored by + unicast endpoints. + + [-i|--interface] <ip address> + + This IP address is used as the sender address for outgoing + packets. In case of anycast tunnel endpoints, the anycast + IP has to be used. In case of unicast endpoints, the + address is usually derived correctly from the routing + table. + + [-p|--port] <port> + + local anycast(data) port to bind to + + The local UDP port that is used to send and receive the + payload data. 
The two tunnel endpoints can use different + ports. If a tunnel endpoint consists of multiple anycast + hosts, all hosts have to use the same port. + + [-I|--sync-interface] <ip-address> + + local unicast(sync) ip address to bind to + + This option is only needed for tunnel endpoints consisting + of multiple anycast hosts. The unicast IP address of + the anycast host can be used here. This is needed for + communication with the other anycast hosts. + + [-S|--sync-port] <port> + + local unicast(sync) port to bind to + + This option is only needed for tunnel endpoints + consisting of multiple anycast hosts. This port is used + by anycast hosts to synchronize information about tunnel + endpoints. No payload data is transmitted via this port. + + It is possible to obtain a list of active connections + by telnetting into this port. This port is read-only + and unprotected by default. It is advised to protect + this port using firewall rules and, eventually, IPsec. + + [-M|--sync-hosts] <hostname|ip>:<port>[,<hostname|ip>:<port>[...]] + + remote hosts to sync with + + This option is only needed for tunnel endpoints consisting + of multiple anycast hosts. Here, one has to specify all + unicast IP addresses of all other anycast hosts that + comprise the anycast tunnel endpoint. + + [-r|--remote-host] <hostname|ip> + + remote host + + This option can be used to specify the remote tunnel + endpoint. In case of anycast tunnel endpoints, the + anycast IP address has to be used. If you do not specify + an address, it is automatically determined after receiving + the first data packet. + + [-o|--remote-port] <port> + + remote port + + The UDP port used for payload data by the remote host + (specified with -p on the remote host). + + [-d|--dev] <name> + + device name + + By default, tap0 is used for Ethernet tunnel interfaces, + and tun0 for IP tunnels, respectively. This option can + be used to manually override these defaults. 
+ + [-t|--type] <tun|tap> + + device type + + Type of the tunnels to create. Use tap for Ethernet + tunnels, tun for IP tunnels. + + [-n|--ifconfig] + + [-n|--ifconfig] <local> the local IP address + for the tun/tap + device + <remote|netmask> the remote IP address + (tun) or netmask + (tap) + + In tap/Ethernet tunnel mode: + + The local IP address and subnet mask of the tunnel + interface, in ifconfig style. The remote tunnel endpoint + has to use a different IP address in the same subnet. + + In tun/IP tunnel mode: + + The local IP address of the tunnel interface ant the + IP address of the tunnel interface on the remote tunnel + endpoint. + + [-w|--window-size] <window size> + + seqence window size + + Sometimes, packets arrive out of order on the receiver + side. This option defines the size of a list of received + packets' sequence numbers. If, according to this list, + a received packet has been previously received or has + been transmitted in the past, and is therefore not in + the list anymore, this is interpreted as a replay attack + and the packet is dropped. A value of 0 deactivates this + list and, as a consequence, the replay protection employed + by filtering packets according to their secuence number. + + [-c|--cipher] <cipher type> + + payload encryption algorithm + + Encryption algorithm used for encrypting the payload + + Possible values: + + * null - no encryption + * aes-ctr - AES in counter mode + + [-K|--key] <master key> + + master key to use for encryption + + Master key in hexadecimal notation, eg + 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length + of 32 characters (16 bytes). + + [-A|--salt] <master salt> + + master salt to use for encryption + + Master salt in hexadecimal notation, eg + 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length + of 28 characters (14 bytes). + + [-a|--auth-algo] <algo type> + + message authentication algorithm + + This option sets the message authentication algorithm. 
+ + Possible values: + + * null - no message authentication + * sha1 - HMAC-SHA1 + + If HMAC-SHA1 is used, the packet length is increased by + 10 bytes. These 10 bytes contain the authentication data. + +EXAMPLES +-------- + +One unicast and one anycast tunnel endpoint: + +Unicast tunnel endpoint: + + anytun -r anycast.anytun.org -d anytun0 -t tun -n 192.0.2.2 + 192.0.2.1 -w 0 -c null + + +Anycast tunnel endpoints: + +On the host with unicast hostname unicast1.anycast.anytun.org and anycast +hostname anycast.anytun.org + + anytun -i anycast.anytun.org -d anytun0 -t \ + tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 -M \ + unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342 + +On the host with unicast hostname unicast2.anycast.anytun.org and anycast +hostname anycast.anytun.org + + anytun -i anycast.anytun.org -d anytun0 -t \ + tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 -M \ + unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342 + +On the host with unicast hostname unicast3.anycast.anytun.org and anycast +hostname anycast.anytun.org + + anytun -i anycast.anytun.org -d anytun0 -t \ + tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 -M \ + unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342 + +For more sophisticated examples (like multiple unicast endpoints to one +anycast tunnel endpoint) please consult the man page of anytun-config(8). + + +BUGS +---- +Most likely there are some bugs in anytun. If you find a bug, please let +the developers know at satp@anytun.org. Of course, patches are preferred. 
+ +SEE ALSO +-------- +anytun-config(8), anytun-controld(8), anytun-showtables(8) + +AUTHORS +------- +Design of SATP and wizards of this implementation: + +Othmar Gsenger <otti@anytun.org> +Erwin Nindl <nine@anytun.org> +Christian Pointner <equinox@anytun.org> + +Debian packaging: + +Andreas Hirczy <ahi@itp.tu-graz.ac.at> + +Manual page: + +Alexander List <alex@debian.org> + +RESOURCES +--------- + +Main web site: http://www.anytun.org/ + + +COPYING +------- + +Copyright (C) 2007-2008 Othmar Gsenger, Erwin Nindl and Christian +Pointner. This program is free software; you can redistribute +it and/or modify it under the terms of the GNU General Public License +version 2 as published by the Free Software Foundation. + |
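Review bot: `-k|--kd-prf <kd-prf type>` is listed in SYNOPSIS but has no entry in OPTIONS, and `-h|--help` is likewise undocumented; the OPTIONS section should get an entry for the key-derivation PRF naming its accepted values, and it should also state the defaults for `-c`, `-a` and `-w`, since a reader cannot tell from this page what an invocation without those flags actually does. In EXAMPLES, every invocation uses `-w 0 -c null` and passes no `-K`, `-A` or `-a`, so replay protection and payload encryption are explicitly switched off and authentication is left at an unstated default; the text should say plainly that these commands set up a plaintext test tunnel and add (or point to) an example using `-c aes-ctr -K <master key> -A <master salt> -a sha1`, so that the first thing a new user copies is not an unprotected configuration. Smaller points in the same hunk: "Anycast provides a complete VPN solution" should read "Anytun"; "uniqe", "seqence window size", "secuence number" and "ant the IP address" are typos; `[-s|--sender-id ]` has a stray space inside the bracket; and the `[-n|--ifconfig]` heading is printed twice, once without its arguments.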