vtund.conf - VTun(Virtual Tunnel) daemon configuration file.
Configuration file for vtund(8) virtual tunnel daemon.
File consists of sections in the form:
-
name {
keyword value;
keyword value;
..
}
Semicolon at the end of each keyword-value pair is required, as
well as grouping curly braces {}. Lines which begin with '#' characters are
comments.
Name of section (name) can be one of:
- options
- this section specifies general options for vtund
- default
- specifies default options for all sessions
- session
- (any other word except "options" and "default")
introduces new session and specifies options for it.
All keyword names can be abbreviated to a minimum of 4
characters.
This section, named options, specifies general options to
use by vtund(8). Possible keywords are:
- type stand|inetd
- server type. vtund(8) can operate in standalone mode
(stand), that is the default (but not available on no-MMU systems),
or be invoked from inetd(8).
- ipv4
- use IPv4 as transport medium. This is the default. Inside the tunnel other
types are of course usable.
- ipv6
- use IPv6 as transport medium.
- port portnumber
- server port number to listen on or connect to. By default, vtund(8)
uses port 5000.
- bindaddr list
- server listen address. Used to force vtund to bind to the specific address
and port in server mode. Format:
bindaddr {
option value;
};
- bindaddr options:
- iface if_name
- use interface address if_name as the bind address.
- addr addr
- bind address. Can be either IP address or host name.
- timeout seconds
- General timeout.
- persist yes|keep|no
- persist mode. If yes, the client will try to reconnect to the
server after connection termination. If keep, the client will not
remove and re-add the tunXX or tapXX device
when reconnecting. If no, the client will exit (default). This
option is ignored by the server.
- syslog number|name
- syslog facility specification, either numeric or name (from syslog (3)).
- ppp path
- path to pppd(8) program. Can be used in session sections.
- ifconfig path
- path to ifconfig(8) program. Can be used in session sections.
- route path
- path to route(8) program. Can be used in session sections.
- ip path
- path to iproute(8) program. Can be used in session sections.
- firewall path
- program for the firewall setup.
All the ppp, ifconfig, route and
firewall parameters can specify a filename for corresponding program
or equivalent (or shell script). This parameters are used in session
sections to setup network interfaces.
Session options can be specified inside session section or inside
default section. Default parameters apply to any session section but
can be overwritten there. Parameters are:
- passwd secret
- password for authentication. This should be the same in client and server.
- type type
- type of tunnel. Possible tunnel types are:
- tun
- IP tunnel (no PPP, Ether etc headers)
- ether
- Ethernet tunnel
- tty
- serial tunnel (PPP, SLIP etc)
- pipe
- pipe tunnel
- Default tunnel type is tty. This option is ignored by client.
- device dev
- network device to use. You can choose tapXX for ether
tunnel or tunXX for tun tunnel. By default
vtund(8) will automatically select available device.
- proto tcp|udp
- protocol to use. By default, vtund(8) will use TCP protocol. UDP is
recommended for ether and tun tunnels only. This option is
ignored by the client.
- nat_hack client|server|no
- side to use nat_hack on. By default, vtund(8) uses a 'no' setting.
The side that the NAT hack is enabled on will perform a delayed UDP socket
connect. Should only be enabled for the side outside of the NAT (typically
the server)! Setting 'client' on the server or 'server' on the client is
ignored, as to make a single configuration file reusable on both sides.
This is only relevant if you use proto udp. The NAT
hack delays the UDP socket connect until the first UDP packet is
received from the other side of the tunnel. The socket is then connected
to the actual source port of the packet (on the NAT box) and not to the
one indicated in the handshake (which is behind NAT and probably
unreachable). The first echo request is also disabled on the side with
the NAT hack enabled.
Currently the mechanism works only for one side, for a single
NAT traversal. If you enable it for both sides, both will wait for a
first packet and the tunnel will never transport any data.
Security warning! Due to the nature of the delayed
connection, the tunnel can be hijacked in theory by an attacker behind
the same NAT, sending the first UDP packet to the server UDP port,
before the real client does. If you do not understand the risks, or want
to remain as secure as possible behind this kind of NAT router, use
proto tcp as a NAT traversal solution.
Because of the security issue mentioned above, this option
might be disabled during compilation (configure --disable-nathack).
- timeout secounds
- Connect timeout.
- compress method[:level]
- specifies compression method to use. Compression methods
include:
- no
- no compression
- yes
- default compression method
- zlib
- ZLIB compression
- lzo
- LZO compression (if compiled in)
- You can also specify level of compression using one digit (1 is
best speed, 9 is best compression ratio). This option is ignored by the
client.
- encrypt method[:level]
- specifies encryption method to use. Encryption methods
include:
- no
- no encryption
- yes
- default encryption method (blowfish128ecb)
- blowfish128ecb
- Blowfish cipher, 128 bit key, mode ECB
- blowfish128cbc
- Blowfish cipher, 128 bit key, mode CBC
- blowfish128cfb
- Blowfish cipher, 128 bit key, mode CFB
- blowfish128ofb
- Blowfish cipher, 128 bit key, mode OFB
- blowfish256ecb
- Blowfish cipher, 256 bit key, mode ECB
- blowfish256cbc
- Blowfish cipher, 256 bit key, mode CBC
- blowfish256cfb
- Blowfish cipher, 256 bit key, mode CFB
- blowfish256ofb
- Blowfish cipher, 256 bit key, mode OFB
- aes128ecb
- oldblowfish128ecb
- Blowfish cipher, 128bit key, mode ECB
(for use with 2.6 clients only) AES cipher, 128 bit key, mode ECB
- aes128cbc
- AES cipher, 128 bit key, mode CBC
- aes128cfb
- AES cipher, 128 bit key, mode CFB
- aes128ofb
- AES cipher, 128 bit key, mode OFB
- aes256ecb
- AES cipher, 256 bit key, mode ECB
- aes256cbc
- AES cipher, 256 bit key, mode CBC
- aes256cfb
- AES cipher, 256 bit key, mode CFB
- aes256ofb
- AES cipher, 256 bit key, mode OFB
- This option is ignored by the client.
- keepalive yes|no|interval:count
- enable or disable connection keep-alive. Time interval is a period
between connection checks, in seconds, and count is the maximum
number of retries (yes = 30:4). This option is
ignored by the server.
- stat yes|no
- enable or disable statistics. If enabled vtund(8) will log
statistic counters to /var/log/vtund/session_X every 5 minutes.
- speed kbps
- specifies speed of the connection in kilobits/second. Valid values for
kbps are 8,16,32,64,128,256,etc. 0 (the default) means maximum
possible speed without shaping. You can specify speed in form
in:out, where in is speed to client,
out - from the client. Single number means the same speed for in
and out. This option ignored by the client.
- srcaddr list
- local (source) address. Used to force vtund to bind to the specific
address and port. Format:
srcaddr {
option value;
option value;
..
};
- srcaddr options:
- multi value
- control multiple connections. value can be yes or
allow to allow multiple connections, no or deny to
deny them or killold to allow new connection and kill old one.
Ignored by the client.
- up list
- list of programs to run after connection has been established. Used to
initialize protocols, devices, routing and firewall. This option looks
like whole section inside of session section. For now, it's impossible to
run up commands on no-MMU systems, so the section is ignored there.
Format:
up {
option value;
option value;
..
};
- Options inside up (and down) blocks:
- program path arguments [wait]
- run specified program. path is the full path to the program,
arguments is all arguments to pass to it (enclosed in double
quotes). If wait specified, vtund will wait program
termination. Special characters that can be used inside arguments
parameter:
- ´ (single quotes) - group arguments
\ (back slash) - escape character
%d - TUN or TAP device or TTY port name
%% (double percent) - same as %d
%A - Local IP address
%P - Local TCP or UDP port
%a - Remote IP address
%p - Remote TCP or UDP port
%h - Host profile name
- ppp arguments
- run program specified by ppp statement in options section.
All special character described above are valid in arguments
here.
- ifconfig arguments
- run program specified by ifconfig statement in options
section.
- route arguments
- run program specified by route statement in options
section.
- ip arguments
- run program specified by ip statement in options
section.
- firewall arguments
- run program specified by firewall statement in options
section.
- down list
- list of programs to run after connection has been terminated. It is
similar to up parameter above. Not available on no-MMU systems too.
Format:
down {
option value;
option value;
..
};
Options ignored by the client are supplied by the server at the
run time or are used only on the server side.
Vtund written by Maxim Krasnyansky <max_mk@yahoo.com>. This
manual page was derived from comments in config file by Michael Tokarev
<mjt@tls.msk.ru>