+++ /dev/null
-anytun(8)
-=========
-
-NAME
-----
-anytun - anycast tunneling daemon
-
-SYNOPSIS
---------
-
-....
-anytun
- [ -h|--help ]
- [ -D|--nodaemonize ]
- [ -u|--username <username> ]
- [ -g|--groupname <groupname> ]
- [ -C|--chroot <path> ]
- [ -P|--write-pid <filename> ]
- [ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ]
- [ -i|--interface <ip-address> ]
- [ -p|--port <port> ]
- [ -r|--remote-host <hostname|ip> ]
- [ -o|--remote-port <port> ]
- [ -4|--ipv4-only ]
- [ -6|--ipv6-only ]
- [ -I|--sync-interface <ip-address> ]
- [ -S|--sync-port port> ]
- [ -M|--sync-hosts <hostname|ip>[:<port>][,<hostname|ip>[:<port>][...]] ]
- [ -X|--control-host <hostname|ip>[:<port>]
- [ -d|--dev <name> ]
- [ -t|--type <tun|tap> ]
- [ -n|--ifconfig <local>/<prefix> ]
- [ -x|--post-up-script <script> ]
- [ -R|--route <net>/<prefix length> ]
- [ -m|--mux <mux-id> ]
- [ -s|--sender-id <sender id> ]
- [ -w|--window-size <window size> ]
- [ -k|--kd-prf <kd-prf type> ]
- [ -e|--role <role> ]
- [ -E|--passphrase <pass phrase> ]
- [ -K|--key <master key> ]
- [ -A|--salt <master salt> ]
- [ -c|--cipher <cipher type> ]
- [ -a|--auth-algo <algo type> ]
- [ -b|--auth-tag-length <length> ]
-....
-
-DESCRIPTION
------------
-
-*Anytun* is an implementation of the Secure Anycast Tunneling Protocol
-(SATP). It provides a complete VPN solution similar to OpenVPN or
-IPsec in tunnel mode. The main difference is that anycast allows a
-setup of tunnels between an arbitrary combination of anycast, unicast
-and multicast hosts.
-
-OPTIONS
--------
-
-*Anytun* has been designed as a peer to peer application, so there is
-no difference between client and server. The following options can be
-passed to the daemon:
-
-*-D, --nodaemonize*::
- This option instructs *Anytun* to run in foreground
- instead of becoming a daemon which is the default.
-
-*-u, --username <username>*::
- run as this user. If no group is specified (*-g*) the default group of
- the user is used. The default is to not drop privileges.
-
-*-g, --groupname <groupname>*::
- run as this group. If no username is specified (*-u*) this gets ignored.
- The default is to not drop privileges.
-
-*-C, --chroot <path>*::
- Instruct *Anytun* to run in a chroot jail. The default is
- to not run in chroot.
-
-*-P, --write-pid <filename>*::
- Instruct *Anytun* to write it's pid to this file. The default is
- to not create a pid file.
-
-*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*::
- add log target to logging system. This can be invoked several times
- in order to log to different targets at the same time. Every target
- hast its own log level which is a number between 0 and 5. Where 0 means
- disabling log and 5 means debug messages are enabled. +
- The file target can be used more the once with different levels.
- If no target is provided at the command line a single target with the
- config *syslog:3,anytun,daemon* is added. +
- The following targets are supported:
-
- *syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]]
- *file*;; log to file, parameters <level>[,<path>]
- *stdout*;; log to standard output, parameters <level>
- *stderr*;; log to standard error, parameters <level>
-
-*-i, --interface <ip address>*::
- This IP address is used as the sender address for outgoing
- packets. In case of anycast tunnel endpoints, the anycast
- IP has to be used. In case of unicast endpoints, the
- address is usually derived correctly from the routing
- table. The default is to not use a special inteface and just
- bind on all interfaces.
-
-*-p, --port <port>*::
- The local UDP port that is used to send and receive the
- payload data. The two tunnel endpoints can use different
- ports. If a tunnel endpoint consists of multiple anycast
- hosts, all hosts have to use the same port. default: 4444
-
-*-r, --remote-host <hostname|ip>*::
- This option can be used to specify the remote tunnel
- endpoint. In case of anycast tunnel endpoints, the
- anycast IP address has to be used. If you do not specify
- an address, it is automatically determined after receiving
- the first data packet.
-
-*-o, --remote-port <port>*::
- The UDP port used for payload data by the remote host
- (specified with -p on the remote host). If you do not specify
- a port, it is automatically determined after receiving
- the first data packet.
-
-*-4, --ipv4-only*::
- Resolv to IPv4 addresses only. The default is to resolv both
- IPv4 and IPv6 addresses.
-
-*-6, --ipv6-only*::
- Resolv to IPv6 addresses only. The default is to resolv both
- IPv4 and IPv6 addresses.
-
-*-I, --sync-interface <ip-address>*::
- local unicast(sync) ip address to bind to +
- This option is only needed for tunnel endpoints consisting
- of multiple anycast hosts. The unicast IP address of
- the anycast host can be used here. This is needed for
- communication with the other anycast hosts. The default is to
- not use a special inteface and just bind on all interfaces. However
- this is only the case if synchronisation is active see *--sync-port*.
-
-*-S, --sync-port <port>*::
- local unicast(sync) port to bind to +
- This option is only needed for tunnel endpoints
- consisting of multiple anycast hosts. This port is used
- by anycast hosts to synchronize information about tunnel
- endpoints. No payload data is transmitted via this port.
- By default the synchronisation is disabled an therefore the
- port is kept empty. +
- It is possible to obtain a list of active connections
- by telnetting into this port. This port is read-only
- and unprotected by default. It is advised to protect
- this port using firewall rules and, eventually, IPsec.
-
-*-M, --sync-hosts <hostname|ip>[:<port>],[<hostname|ip>[:<port>][...]]*::
- remote hosts to sync with +
- This option is only needed for tunnel endpoints consisting
- of multiple anycast hosts. Here, one has to specify all
- unicast IP addresses of all other anycast hosts that
- comprise the anycast tunnel endpoint. By default synchronisation is
- disabled and therefore this is empty. Mind that the port can be
- omitted in which case port 2323 is used. If you want to specify an
- ipv6 address and a port you have to use [ and ] to seperate the address
- from the port, eg.: [::1]:1234. If you want to use the default port
- [ and ] can be omitted.
-
-*-X, --control-host <hostname|ip>[:<port>]*::
- fetch the config from this host. The default is not to use a control
- host and therefore this is empty. Mind that the port can be omitted
- in which case port 2323 is used. If you want to specify an
- ipv6 address and a port you have to use [ and ] to seperate the address
- from the port, eg.: [::1]:1234. If you want to use the default port
- [ and ] can be omitted.
-
-*-d, --dev <name>*::
- device name +
- By default, tapN is used for Ethernet tunnel interfaces,
- and tunN for IP tunnels, respectively. This option can
- be used to manually override these defaults.
-
-*-t, --type <tun|tap>*::
- device type +
- Type of the tunnels to create. Use tap for Ethernet
- tunnels, tun for IP tunnels.
-
-*-n, --ifconfig <local>/<prefix>*::
- The local IP address and prefix length. The remote tunnel endpoint
- has to use a different IP address in the same subnet.
-
- *<local>*;; the local IP address for the tun/tap device
- *<prefix>*;; the prefix length of the network
-
-*-x, --post-up-script <script>*::
- This option instructs *Anytun* to run this script after the interface
- is created. By default no script will be executed.
-
-*-R, --route <net>/<prefix length>*::
- add a route to connection. This can be invoked several times.
-
-*-m, --mux <mux-id>*::
- the multiplex id to use. default: 0
-
-*-s, --sender-id <sender id>*::
- Each anycast tunnel endpoint needs a uniqe sender id
- (1, 2, 3, ...). It is needed to distinguish the senders
- in case of replay attacks. This option can be ignored on
- unicast endpoints. default: 0
-
-*-w, --window-size <window size>*::
- seqence window size +
- Sometimes, packets arrive out of order on the receiver
- side. This option defines the size of a list of received
- packets' sequence numbers. If, according to this list,
- a received packet has been previously received or has
- been transmitted in the past, and is therefore not in
- the list anymore, this is interpreted as a replay attack
- and the packet is dropped. A value of 0 deactivates this
- list and, as a consequence, the replay protection employed
- by filtering packets according to their secuence number.
- By default the sequence window is disabled and therefore a
- window size of 0 is used.
-
-*-k, --kd--prf <kd-prf type>*::
- key derivation pseudo random function +
- The pseudo random function which is used for calculating the
- session keys and session salt. +
- Possible values:
-
- *null*;; no random function, keys and salt are set to 0..00
- *aes-ctr*;; AES in counter mode with 128 Bits, default value
- *aes-ctr-128*;; AES in counter mode with 128 Bits
- *aes-ctr-192*;; AES in counter mode with 192 Bits
- *aes-ctr-256*;; AES in counter mode with 256 Bits
-
-*-e, --role <role>*::
- SATP uses different session keys for inbound and outbound traffic. The
- role parameter is used to determine which keys to use for outbound or
- inbound packets. On both sides of a vpn connection different roles have
- to be used. Possible values are *left* and *right*. You may also use
- *alice* or *server* as a replacement for *left* and *bob* or *client* as
- a replacement for *right*. By default *left* is used.
-
-*-E, --passphrase <pass phrase>*::
- This passphrase is used to generate the master key and master salt.
- For the master key the last n bits of the SHA256 digest of the
- passphrase (where n is the length of the master key in bits) is used.
- The master salt gets generated with the SHA1 digest.
- You may force a specific key and or salt by using *--key* and *--salt*.
-
-*-K, --key <master key>*::
- master key to use for key derivation +
- Master key in hexadecimal notation, e.g.
- 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length
- of 32, 48 or 64 characters (128, 192 or 256 bits).
-
-*-A, --salt <master salt>*::
- master salt to use for key derivation +
- Master salt in hexadecimal notation, e.g.
- 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length
- of 28 characters (14 bytes).
-
-*-c, --cipher <cipher type>*::
- payload encryption algorithm +
- Encryption algorithm used for encrypting the payload +
- Possible values:
-
- *null*;; no encryption
- *aes-ctr*;; AES in counter mode with 128 Bits, default value
- *aes-ctr-128*;; AES in counter mode with 128 Bits
- *aes-ctr-192*;; AES in counter mode with 192 Bits
- *aes-ctr-256*;; AES in counter mode with 256 Bits
-
-*-a, --auth-algo <algo type>*::
- message authentication algorithm +
- This option sets the message authentication algorithm. +
- If HMAC-SHA1 is used, the packet length is increased. The additional bytes
- contain the authentication data. see *--auth-tag-length* for more info. +
- Possible values:
-
- *null*;; no message authentication
- *sha1*;; HMAC-SHA1, default value
-
-*-b, --auth-tag-length <length>*::
- The number of bytes to use for the auth tag. This value defaults to 10 bytes
- unless the *null* auth algo is used in which case it defaults to 0.
-
-
-EXAMPLES
---------
-
-P2P Setup between two unicast enpoints:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Host A:
-^^^^^^^
-
-anytun -r hostb.example.com -t tun -n 192.168.123.1/30 -c aes-ctr-256 -k aes-ctr-256 \
- -E have_a_very_safe_and_productive_day -e left
-
-Host B:
-^^^^^^^
-anytun -r hosta.example.com -t tun -n 192.168.123.2/30 -c aes-ctr-256 -k aes-ctr-256 \
- -E have_a_very_safe_and_productive_day -e right
-
-
-One unicast and one anycast tunnel endpoint:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Unicast tunnel endpoint:
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-anytun -r anycast.anytun.org -d anytun0 -t tun -n 192.0.2.2/30 -a null -c null -w 0 -e client
-
-Anycast tunnel endpoints:
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
-On the host with unicast hostname unicast1.anycast.anytun.org and anycast
-hostname anycast.anytun.org:
--------------------------------------------------------------------------------------------------
-# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
- -S 2342 -M unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342
--------------------------------------------------------------------------------------------------
-
-On the host with unicast hostname unicast2.anycast.anytun.org and anycast
-hostname anycast.anytun.org:
--------------------------------------------------------------------------------------------------
-# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
- -S 2342 -M unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342
--------------------------------------------------------------------------------------------------
-
-On the host with unicast hostname unicast3.anycast.anytun.org and anycast
-hostname anycast.anytun.org:
--------------------------------------------------------------------------------------------------
-# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
- -S 2342 -M unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342
--------------------------------------------------------------------------------------------------
-
-For more sophisticated examples (like multiple unicast endpoints to one
-anycast tunnel endpoint) please consult the man page of anytun-config(8).
-
-
-BUGS
-----
-Most likely there are some bugs in *Anytun*. If you find a bug, please let
-the developers know at satp@anytun.org. Of course, patches are preferred.
-
-SEE ALSO
---------
-anytun-config(8), anytun-controld(8), anytun-showtables(8)
-
-AUTHORS
--------
-
-Othmar Gsenger <otti@anytun.org>
-Erwin Nindl <nine@anytun.org>
-Christian Pointner <equinox@anytun.org>
-
-
-RESOURCES
----------
-
-Main web site: http://www.anytun.org/
-
-
-COPYING
--------
-
-Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian
-Pointner. This program is free software: you can redistribute it
-and/or modify it under the terms of the GNU General Public License
-as published by the Free Software Foundation, either version 3 of
-the License, or any later version.
projects / anytun.git / blobdiff