anytun(8)
=========

NAME
----
anytun - anycast tunneling daemon

SYNOPSIS
--------
anytun [-h|--help] [-D|--nodaemonize] [-s|--sender-id] [-i|--interface]
       [-p|--port] [-I|--sync-interface] [-S|--sync-port]
       [-M|--sync-hosts] :[,:[...]] [-r|--remote-host] [-o|--remote-port]
       [-d|--dev] [-t|--type] [-n|--ifconfig] [-w|--window-size]
       [-c|--cipher] [-K|--key] [-A|--salt] [-k|--kd-prf] [-a|--auth-algo]

DESCRIPTION
-----------
Anytun is an implementation of the Secure Anycast Tunneling Protocol (SATP).
It provides a complete VPN solution similar to OpenVPN or IPsec in tunnel
mode. The main difference is that anycast enables the setup of tunnels
between an arbitrary combination of anycast, unicast and multicast hosts.

OPTIONS
-------
Anytun has been designed as a peer-to-peer application, so there is no
difference between client and server. The following options can be passed
to the daemon:

[-D|--nodaemonize]::
  This option instructs anytun to run in the foreground instead of becoming
  a daemon.

[-s|--sender-id]::
  Each anycast tunnel endpoint needs a unique sender id (1, 2, 3, ...). It
  is needed to distinguish the senders in case of replay attacks. This
  option is ignored by unicast endpoints.

[-i|--interface]::
  This IP address is used as the sender address for outgoing packets. In
  case of anycast tunnel endpoints, the anycast IP has to be used. In case
  of unicast endpoints, the address is usually derived correctly from the
  routing table.

[-p|--port]::
  local anycast (data) port to bind to.
  The local UDP port that is used to send and receive the payload data. The
  two tunnel endpoints can use different ports. If a tunnel endpoint
  consists of multiple anycast hosts, all hosts have to use the same port.

[-I|--sync-interface]::
  local unicast (sync) IP address to bind to.
  This option is only needed for tunnel endpoints consisting of multiple
  anycast hosts. The unicast IP address of the anycast host can be used
  here. This is needed for communication with the other anycast hosts.

[-S|--sync-port]::
  local unicast (sync) port to bind to.
  This option is only needed for tunnel endpoints consisting of multiple
  anycast hosts. This port is used by anycast hosts to synchronize
  information about tunnel endpoints. No payload data is transmitted via
  this port. It is possible to obtain a list of active connections by
  telnetting into this port. This port is read-only and unprotected by
  default. It is advised to protect this port using firewall rules and,
  where appropriate, IPsec.

[-M|--sync-hosts] :[,:[...]]::
  remote hosts to sync with.
  This option is only needed for tunnel endpoints consisting of multiple
  anycast hosts. Here, one has to specify the unicast IP addresses of all
  other anycast hosts that comprise the anycast tunnel endpoint.

[-r|--remote-host]::
  remote host.
  This option can be used to specify the remote tunnel endpoint. In case of
  anycast tunnel endpoints, the anycast IP address has to be used. If you
  do not specify an address, it is automatically determined after receiving
  the first data packet.

[-o|--remote-port]::
  remote port.
  The UDP port used for payload data by the remote host (specified with -p
  on the remote host).

[-d|--dev]::
  device name.
  By default, tap0 is used for Ethernet tunnel interfaces and tun0 for IP
  tunnels, respectively. This option can be used to manually override these
  defaults.

[-t|--type]::
  device type.
  Type of the tunnel to create. Use tap for Ethernet tunnels, tun for IP
  tunnels.

[-n|--ifconfig]::
  the local IP address for the tun/tap device, followed by the remote IP
  address (tun) or netmask (tap).
  In tap/Ethernet tunnel mode: the local IP address and subnet mask of the
  tunnel interface, in ifconfig style. The remote tunnel endpoint has to
  use a different IP address in the same subnet.
  In tun/IP tunnel mode: the local IP address of the tunnel interface and
  the IP address of the tunnel interface on the remote tunnel endpoint.

[-w|--window-size]::
  sequence window size.
  Sometimes, packets arrive out of order on the receiver side.
  This option defines the size of a list of received packets' sequence
  numbers. If, according to this list, a received packet has been
  previously received, or was transmitted so long ago that it is no longer
  in the list, this is interpreted as a replay attack and the packet is
  dropped. A value of 0 deactivates this list and, as a consequence, the
  replay protection that filters packets according to their sequence
  number.

[-c|--cipher]::
  payload encryption algorithm.
  Encryption algorithm used for encrypting the payload. Possible values:

  * null - no encryption
  * aes-ctr - AES in counter mode

[-K|--key]::
  master key to use for encryption.
  Master key in hexadecimal notation, e.g. 01a2b3c4d5e6f708a9b0cadbecfd0fa1,
  with a mandatory length of 32 characters (16 bytes).

[-A|--salt]::
  master salt to use for encryption.
  Master salt in hexadecimal notation, e.g. 01a2b3c4d5e6f708a9b0cadbecfd,
  with a mandatory length of 28 characters (14 bytes).

[-a|--auth-algo]::
  message authentication algorithm.
  This option sets the message authentication algorithm. Possible values:

  * null - no message authentication
  * sha1 - HMAC-SHA1

  If HMAC-SHA1 is used, the packet length is increased by 10 bytes. These
  10 bytes contain the authentication data.
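The two receive-side checks described under -a and -w, as an added example that is not anytun's code: the tag is checked first (10 bytes of truncated HMAC-SHA1), then the per-sender sequence window drops replays and packets that fell out of the window, with -w 0 disabling the window. The authentication key, the tag-at-the-end layout and passing sender id and sequence number as separate fields are assumptions made for illustration.

```python
"""Receive-side checks for the -a (auth) and -w (window) options. Added example, not
anytun's code: auth key, tag-at-the-end layout and separate sender id/seq are assumptions."""
import hashlib
import hmac

TAG_LEN = 10  # HMAC-SHA1 truncated to the 10 bytes the man page mentions


def append_tag(auth_key: bytes, packet: bytes) -> bytes:
    """Grow the packet by TAG_LEN bytes of truncated HMAC-SHA1."""
    return packet + hmac.new(auth_key, packet, hashlib.sha1).digest()[:TAG_LEN]


def verify_tag(auth_key: bytes, data: bytes):
    """Return the packet without its tag, or None if the tag is short or wrong."""
    if len(data) <= TAG_LEN:
        return None
    packet, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(auth_key, packet, hashlib.sha1).digest()[:TAG_LEN]
    return packet if hmac.compare_digest(tag, expected) else None  # constant-time


class SequenceWindow:
    """Sliding window of accepted sequence numbers for one sender."""

    def __init__(self, size: int) -> None:
        self.size, self.highest, self.seen = size, -1, set()

    def accept(self, seq: int) -> bool:
        if self.size == 0:                    # -w 0: replay protection disabled
            return True
        if seq > self.highest:                # new high-water mark: slide the window
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size} | {seq}
            return True
        if seq <= self.highest - self.size:   # out of the window: "transmitted in the past"
            return False
        if seq in self.seen:                  # already received: replay
            return False
        self.seen.add(seq)                    # late, but still inside the window
        return True


def receive(auth_key, windows, size, sender_id, seq, data):
    """Authenticate, then run the per-sender window; returns the payload or None."""
    packet = verify_tag(auth_key, data)
    if packet is None:
        return None
    win = windows.setdefault(sender_id, SequenceWindow(size))
    return packet if win.accept(seq) else None
```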
EXAMPLES
--------
One unicast and one anycast tunnel endpoint:

Unicast tunnel endpoint:

    anytun -r anycast.anytun.org -d anytun0 -t tun -n 192.0.2.2 192.0.2.1 -w 0 -c null

Anycast tunnel endpoints:

On the host with unicast hostname unicast1.anycast.anytun.org and anycast
hostname anycast.anytun.org:

    anytun -i anycast.anytun.org -d anytun0 -t \
      tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 -M \
      unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342

On the host with unicast hostname unicast2.anycast.anytun.org and anycast
hostname anycast.anytun.org:

    anytun -i anycast.anytun.org -d anytun0 -t \
      tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 -M \
      unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342

On the host with unicast hostname unicast3.anycast.anytun.org and anycast
hostname anycast.anytun.org:

    anytun -i anycast.anytun.org -d anytun0 -t \
      tun -n 192.0.2.1 192.0.2.2 -w 0 -S 2342 -M \
      unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342

For more sophisticated examples (like multiple unicast endpoints to one
anycast tunnel endpoint) please consult the man page of anytun-config(8).

BUGS
----
Most likely there are some bugs in anytun. If you find a bug, please let
the developers know at satp@anytun.org. Of course, patches are preferred.

SEE ALSO
--------
anytun-config(8), anytun-controld(8), anytun-showtables(8)

AUTHORS
-------
Design of SATP and wizards of this implementation:

  Othmar Gsenger
  Erwin Nindl
  Christian Pointner

Debian packaging:

  Andreas Hirczy

Manual page:

  Alexander List

RESOURCES
---------
Main web site: http://www.anytun.org/

COPYING
-------
Copyright (C) 2007-2008 Othmar Gsenger, Erwin Nindl and Christian Pointner.

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License version 2 as published by
the Free Software Foundation.