# ============================
# vpnd config file (vpnd.conf)
# ============================
#
# You will need to start a separate vpnd daemon for
# every parallel vpn connection. Each daemon will
# need its own config file.
#
# ---------------------------------------------------
# general parameters
# ---------------------------------------------------
#
# pidfile <pathname-of-file>
#
# optional, file where pid of vpnd is stored, if not
# given no file is used, file is deleted when daemon
# terminates
#
# example: pidfile /var/run/vpnd.pid
#
# randomdev <random-number-device-file>
#
# optional, source of random data, default is /dev/random
# which may block if insufficient entropy is available so
# you may decide to use /dev/urandom instead which should
# be safe enough but does not block,
# note that for Linux 1.x system you may have to start
# the supplied randomd daemon if you don't have a good
# random number source, in this case your random device
# is /dev/randomd
#
# example: randomdev /dev/urandom
#
# keysize <key-length-in-bytes>
#
# optional, may be used to downgrade key length, valid
# range is 0 to 72, default is 72 which is a key length
# of 72*8=576 bits, must be the same value on peer side,
# be advised to use the longest key legally possible,
# note that a keysize of 0 means unencrypted SLIP mode
#
# example: keysize 5
#
# keyttl <key-time-to-live>
#
# optional, time in minutes after which a new key has to be used,
# is ignored if mode is client as only the server generates keys,
# if 0 is given, key replacement is disabled, default is 60 minutes,
# ignored if keysize is 0 (no key replacement)
#
# example: keyttl 30
#
# keepalive [<time-in-seconds>]
#
# optional, when given pings peer every n seconds where n is
# the optional time in seconds parameter, if the parameter is not
# given the default is to ping every second, if keepalive is not given
# default is not to ping, ignored if keysize is 0 (no ping)
#
# example: keepalive 2
#
# noanswer <packet-amount>
#
# optional, amount of idle ping packets in serial line
# mode after which the line will be dropped if there
# is no ping reply, works only if the keepalive option
# is given, default is to drop line after 10 unanswered
# packets
#
# example: noanswer 3
#
# retry <retry-delay-time>
#
# optional, retry delay time for access and communication
# failures, default is 10 seconds
#
# example: retry 5
#
# nocompress
#
# optional, disables data compression, use only if peer
# doesn't support compression
#
# example: nocompress
#
# threshold <compression-test-threshold-size>
#
# optional, works only if nocompress is not given, defines
# the packet size threshold from which on data compression
# is tried, range is 1 to 2047, default is 16, use only
# for systems with slow or continuously busy cpu
#
# example: threshold 512
#
# ---------------------------------------------------
# general parameters (available with version 1.0.3)
# ---------------------------------------------------
#
# rxmax <maximum-wait-time>
#
# optional, defines the maximum time to wait for expected data
# from peer, default is 10 seconds
#
# example: rxmax 5
#
#
# txmax <maximum-wait-time>
#
# optional, defines the maximum time to wait to be able to
# transmit data to peer, default is 10 seconds
#
# example: txmax 5
#
# ---------------------------------------------------
# general parameters (available with version 1.0.4)
# ---------------------------------------------------
#
# linkup <process-pathname>
#
# optional, full pathname of (hashed) process
# which is called asynchronously when the vpn
# link is established
#
# example: linkup /etc/vpnd.linkup
#
# linkdown <process-pathname>
#
# optional, full pathname of (hashed) process
# which is called asynchronously when the vpn
# link is terminated
#
# example: linkdown /etc/vpnd.linkdown
#
# ---------------------------------------------------
# basic operation mode
# ---------------------------------------------------
#
# mode client|server
#
# mandatory,
# selects client or server mode
#
# example: mode client
#
# client <ip>|<device-file> [<port>]
#
# mandatory, defines client device file or ip, in case of
# client ip (host name may be given if the -l command line parameter
# is used) client port number may be given (default is any port),
# if mode is server and client ip is 0.0.0.0 no peer ip check is done
# (any peer address is accepted),
# if client is a device file, the device file must be located in /dev,
# if ip, server must be ip, if device, server must be device,
# note that ip in example below is deliberately wrong
#
# examples: client 393.405.5.55 2001
#           client /dev/cua1
#
# server <ip|device-file> [<port>]
#
# mandatory, defines server device file or ip, in case
# of server ip (host name may be given if the -l command line parameter
# is used) server port number may be given (default port is 379),
# if server is a device file, the device file must be located in /dev,
# if ip, client must be ip, if device, client must be device,
# note that ip in example below is deliberately wrong
#
# examples: server 327.526.4.27 2001
#           server /dev/cua0
#
# keyfile <shared-secret-file>
#
# optional, defines the pathname of the shared secret file which
# must be created with the -m option of vpnd, if not given default
# of /etc/vpnd.key is used
#
# example: keyfile /var/adm/mysecret.key
#
# ---------------------------------------------------
# basic operation mode (available with version 1.0.7)
# ---------------------------------------------------
#
# hmac <hmac-mode> [md5|sha1|ripemd160]
#
# optional, defines if HMAC should be used instead
# of a fast checksum for message authentication, 1
# for hmac-mode (only with extended key file format)
# means use HMAC if peer supports it, 2 means always
# use HMAC and fail if peer doesn't support it
# (note that the header length of any message is 4
# bytes when the checksum is used whereas it is
# 18 or 22 bytes when HMAC is used, you will have
# to choose between fast processing and minimal
# overhead versus additional
# security and message length
# as well as processing overhead, see SPEED.TXT),
# the second parameter selects the authentication
# method, if not given the default is HMAC-MD5,
# if given it is HMAC-MD5 in case of md5, HMAC-SHA1
# in case of sha1 or HMAC-RIPEMD160 in case of
# rmd160, note the ascending priority from md5 to
# rmd160 (the highest priority requested from one of
# the peers involved will be used in case of extended
# key file format, the same value must be given for
# both peers in case of basic key file format)
#
# ---------------------------------------------------
# basic operation mode (available with version 1.1.0)
# ---------------------------------------------------
#
# facility <syslog-facility>
#
# optional, selects the syslog facility vpnd uses,
# if not given the default facility is daemon
#
# example: facility local0
#
# ---------------------------------------------------
# SLIP parameters
# ---------------------------------------------------
#
# local <ip>
#
# mandatory, defines local ip of encrypted network interface,
# a host name may be given if the command line option -l is
# used, note that ip in example below is deliberately wrong
#
# example: local 393.405.5.57
#
# remote <ip>
#
# mandatory, defines peer ip of encrypted network interface,
# a host name may be given if the command line option -l is
# used, note that ip in example below is deliberately wrong
#
# example: remote 327.526.4.25
#
# mtu <maximum-transfer-unit>
#
# optional, if given must be the same for server and client,
# default is 1500
#
# example: mtu 1600
#
# nocslip
#
# optional, turns off slip header compression, if given
# must be given on peer side, too
#
# example: nocslip
#
# autoroute
#
# optional, when given prevents duplicate routes when the
# kernel automatically creates a route to the peer when the
# SLIP network interface is created, Linux 2.2.x Intel
# kernels do this, ignored for FreeBSD
#
# example: autoroute
#
# route1 <destination-ip>
# <netmask-in-dot-notation> <gateway-ip>
# route2 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route3 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route4 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route5 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route6 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route7 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route8 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route9 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
#
# optional, adds/deletes additional route when encrypted interface
# is created/dropped, during addition route1 is processed first,
# during deletion route1 is processed last, host names instead
# of ips may be used if the command line parameter -l is given,
# note that ips in the example below are deliberately wrong
#
# example: route1 327.526.4.0 255.255.255.0 327.526.4.25
#          route2 327.526.4.9 255.255.255.255 327.526.4.88
#
# ---------------------------------------------------
# SLIP parameters (available with version 1.0.7)
# ---------------------------------------------------
#
# slipup <process-pathname>
#
# optional, full pathname of (hashed) process
# which is called asynchronously when the SLIP
# interface is established, the SLIP interface
# name is the parameter for the process
#
# example: slipup /etc/vpnd.slipup
#
# slipdown <process-pathname>
#
# optional, full pathname of (hashed) process
# which is called asynchronously when the SLIP
# link is terminated, the SLIP interface
# name is the parameter for the process
#
# example: slipdown /etc/vpnd.slipdown
#
#
# ---------------------------------------------------
# serial line parameters
# ---------------------------------------------------
#
# speed <serial-line-speed>
#
# optional, speed is one of 19200,38400,57600,115200,230400
# or 460800 (not on all systems), default is 115200
#
# example: speed 38400
#
# localline
#
# optional, disables modem
# control signals for serial line
#
# example: localline
#
# nortscts
#
# optional, disables use of rts/cts for serial line
#
# example: nortscts
#
# xfilter
#
# optional, escapes all XON/XOFF characters on send and filters
# all unescaped XON/XOFF characters on receive, use if your
# modem sends XON/XOFF even if you disable XON/XOFF, must
# be set on both peers
#
# example: xfilter
#
# modemchat <init-chat-file>
#
# optional, pathname of file containing modem initialization
# chat sequence, default is not to perform init chat
#
# example: modemchat /etc/vpnd.chat
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.0.2)
# ---------------------------------------------------
#
# peerroute [<device>]
#
# optional, sets up a priority host route to the
# vpnd peer system, if device is given the route
# is added with flags UH to the given device,
# if device is not given the kernel routing
# table is searched for a proper route and the
# host route is set up accordingly
#
# linktest <idle-seconds>
#
# optional, performs TCP link test if peer link was idle
# for at least idle-seconds and data have to be sent to
# peer, peer must respond within 5 seconds, otherwise
# link is assumed to be broken, you may need the oobfix
# option (see below) for this option to work
#
# example: linktest 30
#
# oobfix
#
# optional, must be given if linktest is given for Linux kernels
# < 2.0.36 (you have to find out yourself for the 2.1.x series),
# this is a workaround for an out-of-band data kernel bug, it is
# strongly recommended to upgrade your kernel if you would need
# this fix and require the linktest option
#
# example: oobfix
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.0.3)
# ---------------------------------------------------
#
# suspend <idle-seconds>
#
# optional, disconnects TCP link from peer if the link was idle
# for at least idle-seconds, furthermore prevents link from
# being
# established before any data have to be sent to peer
# (client to server)
#
# example: suspend 110
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.0.4)
# ---------------------------------------------------
#
# ipopts <type-of-service-and-precedence-flags>
#
# optional, if given, a decimal value which represents
# a combination of the following values:
#   1 high reliability type of service
#   2 high throughput type of service
#   4 low delay type of service
#   8 priority precedence
# please keep in mind that nearly all routers do
# ignore these settings so except for very special
# environments you won't gain anything
#
# example: ipopts 10
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.0.5)
# ---------------------------------------------------
#
# sendbuf <buffer-size-in-bytes>
#
# optional, sets the TCP send buffer size to the
# given buffer size in bytes, this can help if both
# interactive and bulk transfer sessions are handled
# over a slow TCP link (e.g. analogue modem), a value
# to start experimenting with is 4096 though you
# will have to find out yourself what is best for you
#
# example: sendbuf 4096
#
# connwait <connect-timeout-in-seconds>
#
# optional, used for client only, defines the maximum
# time to wait for connect to server to complete,
# if not given system imposes default time
#
# example: connwait 30
#