anytun - anycast tunneling daemon
[ -u|--username <username> ]
[ -g|--groupname <groupname> ]
[ -C|--chroot <path> ]
[ -P|--write-pid <filename> ]
[ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ]
[ -i|--interface <ip-address> ]
[ -r|--remote-host <hostname|ip> ]
[ -o|--remote-port <port> ]
[ -I|--sync-interface <ip-address> ]
[ -S|--sync-port <port> ]
[ -M|--sync-hosts <hostname|ip>[:<port>][,<hostname|ip>[:<port>][...]] ]
[ -X|--control-host <hostname|ip>[:<port>] ]
[ -t|--type <tun|tap> ]
[ -n|--ifconfig <local>/<prefix> ]
[ -x|--post-up-script <script> ]
[ -R|--route <net>/<prefix length> ]
[ -s|--sender-id <sender id> ]
[ -w|--window-size <window size> ]
[ -k|--kd-prf <kd-prf type> ]
[ -E|--passphrase <pass phrase> ]
[ -K|--key <master key> ]
[ -A|--salt <master salt> ]
[ -c|--cipher <cipher type> ]
[ -a|--auth-algo <algo type> ]
[ -b|--auth-tag-length <length> ]
*Anytun* is an implementation of the Secure Anycast Tunneling Protocol
(SATP). It provides a complete VPN solution similar to OpenVPN or
IPsec in tunnel mode. The main difference is that anycast allows a
setup of tunnels between an arbitrary combination of anycast, unicast
*Anytun* has been designed as a peer to peer application, so there is
no difference between client and server. The following options can be
This option instructs *Anytun* to run in foreground
instead of becoming a daemon, which is the default.
*-u, --username <username>*::
run as this user. If no group is specified (*-g*) the default group of
the user is used. The default is to not drop privileges.
*-g, --groupname <groupname>*::
run as this group. If no username is specified (*-u*) this gets ignored.
The default is to not drop privileges.
*-C, --chroot <path>*::
Instruct *Anytun* to run in a chroot jail. The default is
*-P, --write-pid <filename>*::
Instruct *Anytun* to write its pid to this file. The default is
to not create a pid file.
*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*::
add log target to logging system. This can be invoked several times
in order to log to different targets at the same time. Every target
has its own log level, a number between 0 and 5, where 0 disables
logging and 5 enables debug messages. +
The file target can be used more than once with different levels.
If no target is provided at the command line a single target with the
config *syslog:3,anytun,daemon* is added. +
The following targets are supported:
*syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]]
*file*;; log to file, parameters <level>[,<path>]
*stdout*;; log to standard output, parameters <level>
*stderr*;; log to standard error, parameters <level>
*-i, --interface <ip address>*::
This IP address is used as the sender address for outgoing
packets. In case of anycast tunnel endpoints, the anycast
IP has to be used. In case of unicast endpoints, the
address is usually derived correctly from the routing
table. The default is to not use a special interface and just
bind on all interfaces.
*-p, --port <port>*::
The local UDP port that is used to send and receive the
payload data. The two tunnel endpoints can use different
ports. If a tunnel endpoint consists of multiple anycast
hosts, all hosts have to use the same port. default: 4444
*-r, --remote-host <hostname|ip>*::
This option can be used to specify the remote tunnel
endpoint. In case of anycast tunnel endpoints, the
anycast IP address has to be used. If you do not specify
an address, it is automatically determined after receiving
the first data packet.
*-o, --remote-port <port>*::
The UDP port used for payload data by the remote host
(specified with -p on the remote host). If you do not specify
a port, it is automatically determined after receiving
the first data packet.
Resolve to IPv4 addresses only. The default is to resolve both
IPv4 and IPv6 addresses.
Resolve to IPv6 addresses only. The default is to resolve both
IPv4 and IPv6 addresses.
*-I, --sync-interface <ip-address>*::
local unicast (sync) IP address to bind to +
This option is only needed for tunnel endpoints consisting
of multiple anycast hosts. The unicast IP address of
the anycast host can be used here. This is needed for
communication with the other anycast hosts. The default is to
not use a special interface and just bind on all interfaces. However,
this only applies if synchronisation is active, see *--sync-port*.
*-S, --sync-port <port>*::
local unicast (sync) port to bind to +
This option is only needed for tunnel endpoints
consisting of multiple anycast hosts. This port is used
by anycast hosts to synchronize information about tunnel
endpoints. No payload data is transmitted via this port.
By default the synchronisation is disabled and therefore the
port is kept empty. +
It is possible to obtain a list of active connections
by telnetting into this port. This port is read-only
and unprotected by default. It is advised to protect
this port using firewall rules and, if need be, IPsec.
*-M, --sync-hosts <hostname|ip>[:<port>][,<hostname|ip>[:<port>][...]]*::
remote hosts to sync with +
This option is only needed for tunnel endpoints consisting
of multiple anycast hosts. Here, one has to specify all
unicast IP addresses of all other anycast hosts that
comprise the anycast tunnel endpoint. By default synchronisation is
disabled and therefore this is empty. Mind that the port can be
omitted, in which case port 2323 is used. If you want to specify an
IPv6 address and a port you have to use [ and ] to separate the address
from the port, e.g. [::1]:1234. If you want to use the default port
[ and ] can be omitted.
*-X, --control-host <hostname|ip>[:<port>]*::
fetch the config from this host. The default is not to use a control
host and therefore this is empty. Mind that the port can be omitted,
in which case port 2323 is used. If you want to specify an
IPv6 address and a port you have to use [ and ] to separate the address
from the port, e.g. [::1]:1234. If you want to use the default port
[ and ] can be omitted.
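The host-and-port syntax shared by *--sync-hosts* and *--control-host* is easy to get wrong for IPv6 literals, because a bare colon cannot tell an address from a port. The following is an added example written for this page, not anytun's own option parser: it applies the three rules stated above (port optional with default 2323, brackets required when an IPv6 address carries a port, brackets optional with the default port) and rejects malformed entries. The sample argument is constructed from the host names used in the examples section.

```python
"""Parser for the <hostname|ip>[:<port>] entries of --sync-hosts and
--control-host as documented in the anytun man page.  Added illustration,
not anytun's code.  The default port 2323 and the [ipv6]:port convention
come from the man page; how malformed input is rejected is my choice."""

DEFAULT_SYNC_PORT = 2323   # default port named in the man page for -M and -X


def _parse_port(text: str, spec: str) -> int:
    """Validate the numeric port part of an entry."""
    if not text.isdigit():
        raise ValueError(f"non-numeric port in {spec!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return port


def parse_host_port(spec: str, default_port: int = DEFAULT_SYNC_PORT) -> tuple[str, int]:
    """Split one '<host>[:<port>]' entry into (host, port).

    * port omitted            -> default 2323
    * IPv6 literal with port  -> must be bracketed: [::1]:1234
    * IPv6 literal, no port   -> brackets optional: ::1 or [::1]
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty host entry")

    if spec.startswith("["):
        # Bracketed IPv6 literal, optionally followed by :port.
        end = spec.find("]")
        if end == -1:
            raise ValueError(f"unterminated '[' in {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']' in {spec!r}")
        return host, _parse_port(rest[1:], spec)

    if spec.count(":") > 1:
        # Unbracketed IPv6 literal: every ':' belongs to the address, so only
        # the default port is possible here (hence the bracket requirement).
        return spec, default_port

    host, sep, port = spec.partition(":")
    if not host:
        raise ValueError(f"missing host in {spec!r}")
    return host, (_parse_port(port, spec) if sep else default_port)


def parse_sync_hosts(arg: str) -> list[tuple[str, int]]:
    """Parse the comma-separated --sync-hosts argument into (host, port) pairs."""
    return [parse_host_port(entry) for entry in arg.split(",") if entry.strip()]


if __name__ == "__main__":
    # Constructed sample mixing every form the man page describes.
    sample = ("unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org,"
              "[::1]:1234,::1,[fe80::2]")
    for host, port in parse_sync_hosts(sample):
        print(f"{host:>28}  port {port}")
```

Entries that do not fit any of the three forms (an unterminated bracket, a non-numeric or out-of-range port) raise `ValueError` rather than silently falling back to the default port, so a typo in a sync host cannot quietly point synchronisation at the wrong endpoint.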
By default, tapN is used for Ethernet tunnel interfaces,
and tunN for IP tunnels, respectively. This option can
be used to manually override these defaults.
*-t, --type <tun|tap>*::
Type of the tunnels to create. Use tap for Ethernet
tunnels, tun for IP tunnels.
*-n, --ifconfig <local>/<prefix>*::
The local IP address and prefix length. The remote tunnel endpoint
has to use a different IP address in the same subnet.
*<local>*;; the local IP address for the tun/tap device
*<prefix>*;; the prefix length of the network
*-x, --post-up-script <script>*::
This option instructs *Anytun* to run this script after the interface
is created. By default no script will be executed.
*-R, --route <net>/<prefix length>*::
add a route to connection. This can be invoked several times.
*-m, --mux <mux-id>*::
the multiplex id to use. default: 0
*-s, --sender-id <sender id>*::
Each anycast tunnel endpoint needs a unique sender id
(1, 2, 3, ...). It is needed to distinguish the senders
in case of replay attacks. This option can be ignored on
unicast endpoints. default: 0
*-w, --window-size <window size>*::
sequence window size +
Sometimes, packets arrive out of order on the receiver
side. This option defines the size of a list of received
packets' sequence numbers. If, according to this list,
a received packet has been previously received or has
been transmitted in the past, and is therefore not in
the list anymore, this is interpreted as a replay attack
and the packet is dropped. A value of 0 deactivates this
list and, as a consequence, the replay protection employed
by filtering packets according to their sequence number.
By default the sequence window is disabled and therefore a
window size of 0 is used.
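The replay check described for *--window-size* (together with the per-sender distinction made by *--sender-id*) can be modelled as a sliding window over sequence numbers. The code below is an added example for this page, not anytun's implementation: the page does not describe anytun's data structure, so this is one straightforward realisation of the documented behaviour, keyed by sender id, where a duplicate inside the window or a packet older than the window is dropped and a size of 0 disables the check. The packet trace is constructed for the example and sequence numbers are assumed not to wrap.

```python
"""Sliding replay window modelled on the behaviour the anytun man page
describes for -w/--window-size.  Added illustration, not anytun's own code.
Assumptions: one window per sender id (cf. --sender-id), sequence numbers
are monotonically increasing counters that do not wrap within a run."""

from collections import defaultdict


class ReplayWindow:
    """Per-sender-id replay check over a window of `size` sequence numbers."""

    def __init__(self, size: int):
        if size < 0:
            raise ValueError("window size must be >= 0")
        self.size = size
        # sender id -> highest sequence number accepted so far
        self._highest: dict[int, int] = {}
        # sender id -> sequence numbers accepted that are still inside the window
        self._seen: defaultdict[int, set[int]] = defaultdict(set)

    def accept(self, sender_id: int, seq: int) -> bool:
        """Return True if the packet is fresh, False if it is treated as a replay."""
        if self.size == 0:
            return True   # -w 0: the list is deactivated, every packet passes

        seen = self._seen[sender_id]
        highest = self._highest.get(sender_id)

        if highest is None or seq > highest:
            # Newest packet so far: slide the window forward and forget
            # entries that have fallen out of it.
            self._highest[sender_id] = seq
            seen.add(seq)
            lower = seq - self.size + 1
            seen.difference_update({s for s in seen if s < lower})
            return True

        if seq <= highest - self.size:
            # Older than anything the window remembers: cannot be proven
            # fresh, so it is treated as a replay and dropped.
            return False

        if seq in seen:
            return False   # exact duplicate inside the window: replay
        seen.add(seq)      # out of order but inside the window: accept
        return True


def run_trace(size: int, trace):
    """Feed (sender_id, seq) pairs through one window; return the accept/drop decisions."""
    win = ReplayWindow(size)
    return [win.accept(sid, seq) for sid, seq in trace]


if __name__ == "__main__":
    # Constructed trace: in-order packets, a reorder, a duplicate, a jump
    # ahead, a stale replay, and a second sender with its own counter.
    trace = [(1, 1), (1, 2), (1, 4), (1, 3), (1, 3), (1, 10), (1, 2), (2, 1), (2, 1)]
    for (sid, seq), ok in zip(trace, run_trace(4, trace)):
        print(f"sender {sid} seq {seq:>2}: {'accept' if ok else 'DROP (replay)'}")
```

With a window of 4, the reordered packet (seq 3 arriving after 4) is accepted, the repeated seq 3 is dropped, and once seq 10 has been seen a late seq 2 is dropped as well because it lies outside the window. Running the same trace with size 0 accepts everything, which is what the default setting means in practice.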
*-k, --kd-prf <kd-prf type>*::
key derivation pseudo random function +
The pseudo random function which is used for calculating the
session keys and session salt. +
*null*;; no random function, keys and salt are set to 0..00
*aes-ctr*;; AES in counter mode with 128 Bits, default value
*aes-ctr-128*;; AES in counter mode with 128 Bits
*aes-ctr-192*;; AES in counter mode with 192 Bits
*aes-ctr-256*;; AES in counter mode with 256 Bits
*-e, --role <role>*::
SATP uses different session keys for inbound and outbound traffic. The
role parameter is used to determine which keys to use for outbound or
inbound packets. On both sides of a vpn connection different roles have
to be used. Possible values are *left* and *right*. You may also use
*alice* or *server* as a replacement for *left* and *bob* or *client* as
a replacement for *right*. By default *left* is used.
*-E, --passphrase <pass phrase>*::
This passphrase is used to generate the master key and master salt.
For the master key the last n bits of the SHA256 digest of the
passphrase (where n is the length of the master key in bits) is used.
The master salt gets generated with the SHA1 digest.
You may force a specific key and/or salt by using *--key* and *--salt*.
*-K, --key <master key>*::
master key to use for key derivation +
Master key in hexadecimal notation, e.g.
01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length
of 32, 48 or 64 characters (128, 192 or 256 bits).
*-A, --salt <master salt>*::
master salt to use for key derivation +
Master salt in hexadecimal notation, e.g.
01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length
of 28 characters (14 bytes).
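The relation between *--passphrase*, *--key* and *--salt* can be made concrete: the passphrase rule quoted above fixes the master key, and the length constraints of *-K* and *-A* fix what a valid explicit value looks like. The example below is added for this page and is not anytun's code. It follows the man page where it is explicit (last n bits of SHA-256 for the key, n taken from the key length of the chosen aes-ctr variant; 14-byte salt from SHA-1; 32/48/64 and 28 hex characters for *-K* and *-A*). Which 14 bytes of the SHA-1 digest form the salt is not stated on the page, so taking the last 14 bytes, mirroring the key rule, is an assumption of this example.

```python
"""Master key and master salt from a --passphrase, following the anytun man
page for -E, -K and -A.  Added illustration, not anytun's own code.
From the page: key = last n bits of SHA-256(passphrase), n = key length in
bits (128/192/256); salt = 14 bytes from SHA-1(passphrase).
Assumption: the salt is the *last* 14 bytes of the SHA-1 digest."""

import hashlib

# Key lengths of the aes-ctr variants listed for --kd-prf / --cipher.
KEY_LENGTHS_BITS = {"aes-ctr": 128, "aes-ctr-128": 128,
                    "aes-ctr-192": 192, "aes-ctr-256": 256}
SALT_LENGTH_BYTES = 14   # fixed salt length stated for --salt


def master_key_from_passphrase(passphrase: str, kd_prf: str = "aes-ctr") -> str:
    """Return the hex master key: the last n bits of SHA-256(passphrase)."""
    try:
        n_bits = KEY_LENGTHS_BITS[kd_prf]
    except KeyError:
        raise ValueError(f"unknown kd-prf type {kd_prf!r}") from None
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return digest[-(n_bits // 8):].hex()


def master_salt_from_passphrase(passphrase: str) -> str:
    """Return the hex master salt (assumed: last 14 bytes of SHA-1(passphrase))."""
    digest = hashlib.sha1(passphrase.encode("utf-8")).digest()
    return digest[-SALT_LENGTH_BYTES:].hex()


def validate_hex_key(key_hex: str) -> int:
    """Check a -K value as the page requires (hex, 32/48/64 chars); return bits."""
    if len(key_hex) not in (32, 48, 64):
        raise ValueError("master key must be 32, 48 or 64 hex characters")
    bytes.fromhex(key_hex)   # raises ValueError on non-hex input
    return len(key_hex) * 4


def validate_hex_salt(salt_hex: str) -> int:
    """Check a -A value (hex, exactly 28 chars = 14 bytes); return bytes."""
    if len(salt_hex) != 28:
        raise ValueError("master salt must be 28 hex characters (14 bytes)")
    return len(bytes.fromhex(salt_hex))


if __name__ == "__main__":
    # Passphrase and kd-prf taken from the man page's P2P example.
    passphrase = "have_a_very_safe_and_productive_day"
    key = master_key_from_passphrase(passphrase, "aes-ctr-256")
    salt = master_salt_from_passphrase(passphrase)
    print("equivalent -K:", key, f"({validate_hex_key(key)} bits)")
    print("equivalent -A:", salt, f"({validate_hex_salt(salt)} bytes)")
```

One consequence worth seeing in the output: because the key is always the tail of the same SHA-256 digest, the 128-bit key is a suffix of the 192-bit key, which in turn is a suffix of the 256-bit one. Anyone who can guess the passphrase obtains every key length at once, so the passphrase, not the chosen key size, bounds the strength of a *-E* setup.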
*-c, --cipher <cipher type>*::
payload encryption algorithm +
Encryption algorithm used for encrypting the payload +
*null*;; no encryption
*aes-ctr*;; AES in counter mode with 128 Bits, default value
*aes-ctr-128*;; AES in counter mode with 128 Bits
*aes-ctr-192*;; AES in counter mode with 192 Bits
*aes-ctr-256*;; AES in counter mode with 256 Bits
*-a, --auth-algo <algo type>*::
message authentication algorithm +
This option sets the message authentication algorithm. +
If HMAC-SHA1 is used, the packet length is increased. The additional bytes
contain the authentication data. See *--auth-tag-length* for more info. +
*null*;; no message authentication
*sha1*;; HMAC-SHA1, default value
*-b, --auth-tag-length <length>*::
The number of bytes to use for the auth tag. This value defaults to 10 bytes
unless the *null* auth algo is used, in which case it defaults to 0.
P2P Setup between two unicast endpoints:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
anytun -r hostb.example.com -t tun -n 192.168.123.1/30 -c aes-ctr-256 -k aes-ctr-256 \
-E have_a_very_safe_and_productive_day -e left
anytun -r hosta.example.com -t tun -n 192.168.123.2/30 -c aes-ctr-256 -k aes-ctr-256 \
-E have_a_very_safe_and_productive_day -e right
One unicast and one anycast tunnel endpoint:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unicast tunnel endpoint:
^^^^^^^^^^^^^^^^^^^^^^^^
anytun -r anycast.anytun.org -d anytun0 -t tun -n 192.0.2.2/30 -a null -c null -w 0 -e client
Anycast tunnel endpoints:
^^^^^^^^^^^^^^^^^^^^^^^^^
On the host with unicast hostname unicast1.anycast.anytun.org and anycast
hostname anycast.anytun.org:
-------------------------------------------------------------------------------------------------
# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
  -S 2342 -M unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342
-------------------------------------------------------------------------------------------------
On the host with unicast hostname unicast2.anycast.anytun.org and anycast
hostname anycast.anytun.org:
-------------------------------------------------------------------------------------------------
# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
  -S 2342 -M unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342
-------------------------------------------------------------------------------------------------
On the host with unicast hostname unicast3.anycast.anytun.org and anycast
hostname anycast.anytun.org:
-------------------------------------------------------------------------------------------------
# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
  -S 2342 -M unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342
-------------------------------------------------------------------------------------------------
For more sophisticated examples (like multiple unicast endpoints to one
anycast tunnel endpoint) please consult the man page of anytun-config(8).
Most likely there are some bugs in *Anytun*. If you find a bug, please let
the developers know at satp@anytun.org. Of course, patches are preferred.
anytun-config(8), anytun-controld(8), anytun-showtables(8)
Othmar Gsenger <otti@anytun.org>
Erwin Nindl <nine@anytun.org>
Christian Pointner <equinox@anytun.org>
Main web site: http://www.anytun.org/
Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian
Pointner. This program is free software: you can redistribute it
and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation, either version 3 of
the License, or any later version.