diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/Makefile | 20 | ||||
-rw-r--r-- | doc/uanytun.8 | 45 | ||||
-rw-r--r-- | doc/uanytun.8.txt | 85 |
3 files changed, 94 insertions, 56 deletions
diff --git a/doc/Makefile b/doc/Makefile index b5eecb8..f2b6ac9 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -13,9 +13,9 @@ ## message authentication based on the methodes used by SRTP. It is ## intended to deliver a generic, scaleable and secure solution for ## tunneling and relaying of packets of any protocol. -## ## -## Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org> +## +## Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org> ## ## This file is part of uAnytun. ## @@ -35,21 +35,21 @@ VERSION=$(shell cat ../version) -.PHONY: clean +.PHONY: clean all: manpage uanytun.8: uanytun.8.txt - a2x -f manpage $< - @ sed -i -e 's/\[FIXME: source\]/uanytun ${VERSION}/' $@ - @ sed -i -e 's/\[FIXME: manual\]/uanytun user manual/' $@ - @ sed -i -e 's/^uanytun$$/\\fBuanytun\\fR/' $@ - @ sed -i -e 's/^ \[ \([^ ]*\)/ [ \\fB\1\\fR/' $@ + a2x -f manpage $< + @ sed -i -e 's/\[FIXME: source\]/uanytun ${VERSION}/' $@ + @ sed -i -e 's/\[FIXME: manual\]/uanytun user manual/' $@ + @ sed -i -e 's/^uanytun$$/\\fBuanytun\\fR/' $@ + @ sed -i -e 's/^ \[ \([^ ]*\)/ [ \\fB\1\\fR/' $@ manpage: uanytun.8 clean: - rm -f uanytun.8.xml + rm -f uanytun.8.xml realclean: clean - rm -f uanytun.8 + rm -f uanytun.8 diff --git a/doc/uanytun.8 b/doc/uanytun.8 index aae36cb..4e60f6b 100644 --- a/doc/uanytun.8 +++ b/doc/uanytun.8 @@ -1,13 +1,22 @@ '\" t .\" Title: uanytun .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.75.1 <http://docbook.sf.net/> -.\" Date: 12/14/2010 -.\" Manual: uanytun user manual -.\" Source: uanytun trunk +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 02/07/2014 +.\" Manual: \ \& +.\" Source: \ \& .\" Language: English .\" -.TH "UANYTUN" "8" "12/14/2010" "uanytun trunk" "uanytun user manual" +.TH "UANYTUN" "8" "02/07/2014" "\ \&" "\ \&" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- @@ -33,9 +42,9 @@ uanytun \- micro anycast tunneling daemon [ \fB\-L|\-\-log\fR <target>:<level>[,<param1>[,<param2>[\&.\&.]]] ] [ \fB\-U|\-\-debug\fR ] [ \fB\-i|\-\-interface\fR <ip\-address> ] - [ \fB\-p|\-\-port\fR <port> ] + [ \fB\-p|\-\-port\fR <port>[:<port>] ] [ \fB\-r|\-\-remote\-host\fR <hostname|ip> ] - [ \fB\-o|\-\-remote\-port\fR <port> ] + [ \fB\-o|\-\-remote\-port\fR <port>[:<port>] ] [ \fB\-4|\-\-ipv4\-only\fR ] [ \fB\-6|\-\-ipv6\-only\fR ] [ \fB\-d|\-\-dev\fR <name> ] @@ -139,9 +148,13 @@ to run in debug mode\&. It implicits This IP address is used as the sender address for outgoing packets\&. The default is to not use a special inteface and just bind on all interfaces\&. .RE .PP -\fB\-p, \-\-port \fR\fB\fI<port>\fR\fR +\fB\-p, \-\-port \fR\fB\fI<port>[:<port>]\fR\fR .RS 4 -The local UDP port that is used to send and receive the payload data\&. The two tunnel endpoints can use different ports\&. default: 4444 +The local UDP port that is used to send and receive the payload data\&. The two tunnel endpoints can use different ports\&. The default port is 4444\&. You can also specify a port range which enables +\fBRAIL\fR +mode\&. See section +\fBRAIL\fR +below to find out what this is\&. .RE .PP \fB\-r, \-\-remote\-host \fR\fB\fI<hostname|ip>\fR\fR @@ -149,9 +162,12 @@ The local UDP port that is used to send and receive the payload data\&. The two This option can be used to specify the remote tunnel endpoint\&. In case of anycast tunnel endpoints, the anycast IP address has to be used\&. If you do not specify an address, it is automatically determined after receiving the first data packet\&. .RE .PP -\fB\-o, \-\-remote\-port \fR\fB\fI<port>\fR\fR +\fB\-o, \-\-remote\-port \fR\fB\fI<port>[:<port>]\fR\fR .RS 4 -The UDP port used for payload data by the remote host (specified with \-p on the remote host)\&. If you do not specify a port, it is automatically determined after receiving the first data packet\&. +The UDP port used for payload data by the remote host (specified with \-p on the remote host)\&. If you do not specify a port, it is automatically determined after receiving the first data packet\&. When RAIL mode is enabled the port range must be of the same length as the range defined with +\fB\-p, \-\-port\fR\&. See section +\fBRAIL\fR +below for more information about this mode\&. .RE .PP \fB\-4, \-\-ipv4\-only\fR @@ -216,7 +232,7 @@ does not support synchronisation it can\(cqt be used as an anycast endpoint ther .RS 4 seqence window size -Sometimes, packets arrive out of order on the receiver side\&. This option defines the size of a list of received packets\' sequence numbers\&. If, according to this list, a received packet has been previously received or has been transmitted in the past, and is therefore not in the list anymore, this is interpreted as a replay attack and the packet is dropped\&. A value of 0 deactivates this list and, as a consequence, the replay protection employed by filtering packets according to their secuence number\&. By default the sequence window is disabled and therefore a window size of 0 is used\&. +Sometimes, packets arrive out of order on the receiver side\&. This option defines the size of a list of received packets\*(Aq sequence numbers\&. If, according to this list, a received packet has been previously received or has been transmitted in the past, and is therefore not in the list anymore, this is interpreted as a replay attack and the packet is dropped\&. A value of 0 deactivates this list and, as a consequence, the replay protection employed by filtering packets according to their secuence number\&. By default the sequence window is disabled and therefore a window size of 0 is used\&. .RE .PP \fB\-k, \-\-kd\(emprf \fR\fB\fI<kd\-prf type>\fR\fR @@ -359,6 +375,9 @@ The number of bytes to use for the auth tag\&. This value defaults to 10 bytes u \fInull\fR auth algo is used in which case it defaults to 0\&. .RE +.SH "RAIL" +.sp +\fBRAIL\fR stands for Redundant Array of Inexpensive Links\&. Like RAID spreads the blocks of a disk volume over multiple physical disks, \fBRAIL\fR will spread the UDP packets over multiple physical links\&. More precisly for each packet \fBuAnytun\fR reads, from the TUN/TAP device, it will send out multiple UDP packets\&. All of those to the same host but with different destination ports\&. Using policy\-based routing mechanisms these packets can now be seperated and sent out on several interfaces\&. The server\-side will then pick the first of the packets that arrives and discards all others\&. For this to work the size of the sequence window (\fB\-w\fR) must not be set to 0\&. As soon as the server\-side learns the remote endpoints of all or some of the links it will as well send multiple UDP packets for each payload packet\&. .SH "EXAMPLES" .SS "P2P Setup between two unicast enpoints:" .sp @@ -417,4 +436,4 @@ Christian Pointner <equinox@anytun\&.org> Main web site: http://www\&.anytun\&.org/ .SH "COPYING" .sp -Copyright (C) 2008\-2010 Christian Pointner\&. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version\&. +Copyright (C) 2008\-2014 Christian Pointner\&. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version\&. diff --git a/doc/uanytun.8.txt b/doc/uanytun.8.txt index 1ebed47..5a75bcb 100644 --- a/doc/uanytun.8.txt +++ b/doc/uanytun.8.txt @@ -21,9 +21,9 @@ uanytun [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ] [ -U|--debug ] [ -i|--interface <ip-address> ] - [ -p|--port <port> ] + [ -p|--port <port>[:<port>] ] [ -r|--remote-host <hostname|ip> ] - [ -o|--remote-port <port> ] + [ -o|--remote-port <port>[:<port>] ] [ -4|--ipv4-only ] [ -6|--ipv6-only ] [ -d|--dev <name> ] @@ -51,9 +51,9 @@ DESCRIPTION (SATP). It provides a complete VPN solution similar to OpenVPN or IPsec in tunnel mode. The main difference is that anycast enables the setup of tunnels between an arbitrary combination of anycast, unicast -and multicast hosts. Unlike Anytun which is a full featured implementation -uAnytun has no support for multiple connections or synchronisation. It is a -small single threaded implementation intended to act as a client on small +and multicast hosts. Unlike Anytun which is a full featured implementation +uAnytun has no support for multiple connections or synchronisation. It is a +small single threaded implementation intended to act as a client on small platforms. @@ -69,7 +69,7 @@ passed to the daemon: instead of becoming a daemon which is the default. *-u, --username '<username>'*:: - run as this user. If no group is specified (*-g*) the default group of + run as this user. If no group is specified (*-g*) the default group of the user is used. The default is to not drop privileges. *-g, --groupname '<groupname>'*:: @@ -77,30 +77,30 @@ passed to the daemon: The default is to not drop privileges. *-C, --chroot '<path>'*:: - Instruct *uAnytun* to run in a chroot jail. The default is + Instruct *uAnytun* to run in a chroot jail. The default is to not run in chroot. *-P, --write-pid <filename>*:: - Instruct *uAnytun* to write it's pid to this file. The default is + Instruct *uAnytun* to write it's pid to this file. The default is to not create a pid file. *-L, --log '<target>:<level>[,<param1>[,<param2>[..]]]'*:: add log target to logging system. This can be invoked several times - in order to log to different targets at the same time. Every target + in order to log to different targets at the same time. Every target has its own log level which is a number between 0 and 5. Where 0 means disabling log and 5 means debug messages are enabled. + The file target can be used more than once with different levels. - If no target is provided at the command line a single target with the + If no target is provided at the command line a single target with the config 'syslog:3,uanytun,daemon' is added. + The following targets are supported: 'syslog';; log to syslog daemon, parameters <level>[,<logname>[,<facility>]] 'file';; log to file, parameters <level>[,<path>] 'stdout';; log to standard output, parameters <level> - 'stderr';; log to standard error, parameters <level> + 'stderr';; log to standard error, parameters <level> *-U, --debug*:: - This option instructs *uAnytun* to run in debug mode. It implicits *-D* + This option instructs *uAnytun* to run in debug mode. It implicits *-D* (don't daemonize) and adds a log target with the configuration 'stdout:5' (logging with maximum level). In future releases there might be additional output when this option is supplied. @@ -110,10 +110,12 @@ passed to the daemon: packets. The default is to not use a special inteface and just bind on all interfaces. -*-p, --port '<port>'*:: +*-p, --port '<port>[:<port>]'*:: The local UDP port that is used to send and receive the payload data. The two tunnel endpoints can use different - ports. default: 4444 + ports. The default port is 4444. + You can also specify a port range which enables *RAIL* mode. See section + *RAIL* below to find out what this is. *-r, --remote-host '<hostname|ip>'*:: This option can be used to specify the remote tunnel @@ -122,11 +124,14 @@ passed to the daemon: an address, it is automatically determined after receiving the first data packet. -*-o, --remote-port '<port>'*:: +*-o, --remote-port '<port>[:<port>]'*:: The UDP port used for payload data by the remote host (specified with -p on the remote host). If you do not specify a port, it is automatically determined after receiving the first data packet. + When RAIL mode is enabled the port range must be of the same length + as the range defined with *-p, --port*. + See section *RAIL* below for more information about this mode. *-4, --ipv4-only*:: Resolv to IPv4 addresses only. The default is to resolv both @@ -155,7 +160,7 @@ passed to the daemon: '<prefix>';; the prefix length of the network *-x, --post-up-script '<script>'*:: - This option instructs *uAnytun* to run this script after the interface + This option instructs *uAnytun* to run this script after the interface is created. By default no script will be executed. *-m, --mux '<mux-id>'*:: @@ -164,9 +169,9 @@ passed to the daemon: *-s, --sender-id '<sender id>'*:: Each anycast tunnel endpoint needs a unique sender id (1, 2, 3, ...). It is needed to distinguish the senders - in case of replay attacks. As *uAnytun* does not support - synchronisation it can't be used as an anycast endpoint therefore - this option is quite useless but implemented for compatibility + in case of replay attacks. As *uAnytun* does not support + synchronisation it can't be used as an anycast endpoint therefore + this option is quite useless but implemented for compatibility reasons. default: 0 *-w, --window-size '<window size>'*:: @@ -185,7 +190,7 @@ passed to the daemon: *-k, --kd--prf '<kd-prf type>'*:: key derivation pseudo random function + - The pseudo random function which is used for calculating the + The pseudo random function which is used for calculating the session keys and session salt. + Possible values: @@ -198,16 +203,16 @@ passed to the daemon: *-e, --role '<role>'*:: SATP uses different session keys for inbound and outbound traffic. The role parameter is used to determine which keys to use for outbound or - inbound packets. On both sides of a vpn connection different roles have - to be used. Possible values are 'left' and 'right'. You may also use - 'alice' or 'server' as a replacement for 'left' and 'bob' or 'client' as + inbound packets. On both sides of a vpn connection different roles have + to be used. Possible values are 'left' and 'right'. You may also use + 'alice' or 'server' as a replacement for 'left' and 'bob' or 'client' as a replacement for 'right'. By default 'left' is used. *-E, --passphrase '<pass phrase>'*:: This passphrase is used to generate the master key and master salt. - For the master key the last n bits of the SHA256 digest of the - passphrase (where n is the length of the master key in bits) is used. - The master salt gets generated with the SHA1 digest. + For the master key the last n bits of the SHA256 digest of the + passphrase (where n is the length of the master key in bits) is used. + The master salt gets generated with the SHA1 digest. You may force a specific key and or salt by using *--key* and *--salt*. *-K, --key '<master key>'*:: @@ -236,7 +241,7 @@ passed to the daemon: *-a, --auth-algo '<algo type>'*:: message authentication algorithm + This option sets the message authentication algorithm. + - If HMAC-SHA1 is used, the packet length is increased. The additional bytes + If HMAC-SHA1 is used, the packet length is increased. The additional bytes contain the authentication data. see *--auth-tag-length* for more info. + Possible values: @@ -244,8 +249,22 @@ passed to the daemon: 'sha1';; HMAC-SHA1, default value *-b, --auth-tag-length '<length>'*:: - The number of bytes to use for the auth tag. This value defaults to 10 bytes - unless the 'null' auth algo is used in which case it defaults to 0. + The number of bytes to use for the auth tag. This value defaults to 10 bytes + unless the 'null' auth algo is used in which case it defaults to 0. + +RAIL +---- + +*RAIL* stands for Redundant Array of Inexpensive Links. Like RAID spreads +the blocks of a disk volume over multiple physical disks, *RAIL* will spread the +UDP packets over multiple physical links. More precisly for each packet *uAnytun* +reads, from the TUN/TAP device, it will send out multiple UDP packets. All of those to +the same host but with different destination ports. Using policy-based routing mechanisms +these packets can now be seperated and sent out on several interfaces. +The server-side will then pick the first of the packets that arrives and discards all others. +For this to work the size of the sequence window (*-w*) must not be set to 0. +As soon as the server-side learns the remote endpoints of all or some of the links it will +as well send multiple UDP packets for each payload packet. EXAMPLES @@ -267,7 +286,7 @@ uanytun -r hosta.example.com -t tun -n 192.168.123.2/30 -c aes-ctr-256 -k aes-ct One unicast and one anycast tunnel endpoint: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - + Unicast tunnel endpoint: ^^^^^^^^^^^^^^^^^^^^^^^^ @@ -300,7 +319,7 @@ Main web site: http://www.anytun.org/ COPYING ------- -Copyright \(C) 2008-2010 Christian Pointner. This program is free -software: you can redistribute it and/or modify it under the terms -of the GNU General Public License as published by the Free Software +Copyright \(C) 2008-2014 Christian Pointner. This program is free +software: you can redistribute it and/or modify it under the terms +of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. |