This repository has been archived by the owner on May 1, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
wiresep.conf.5
231 lines (228 loc) · 6.93 KB
/
wiresep.conf.5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
.\" Copyright (c) 2019, 2020 Tim Kuijsten
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: April 2 2020 $
.Dt WIRESEP.CONF 5
.Os
.Sh NAME
.Nm wiresep.conf
.Nd WireSep configuration file
.Sh DESCRIPTION
.Nm
is the configuration file used by
.Xr wiresep 8 .
The file consists of global settings, interface specific settings and peer
specific settings.
All global settings can be overridden per interface and some global and
interface specific settings can be overridden per peer.
.Ss GLOBAL SETTINGS
The following global settings are recognized:
.Bl -tag -width Ds
.It Ic group Ar name
Set the group as which to run
.Xr wiresep 8 .
.Ar name
must be either the name of an existing group from the
.Xr group 5
database or an id in the range of 1 to 65535.
If not set it defaults to the primary group of the effective
.Ar user .
.It Ic interface Ar name Brq ...
The name of an interface.
.Ar name
must start with
.Dq tun
followed by a number.
The named interface must exist in
.Pa /dev .
See the section about interface specific settings for what can be contained in
the block.
.It Ic log facility Ar facility
Set the log facility as used by
.Xr syslog 3 .
.Ar facility
must be one of auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, user,
uucp or local0 through local7.
.It Ic pskfile Ar file
The name of a file that contains a pre-shared key for global use with all peers
on all interfaces.
The use of a pre-shared key is optional.
If the file
.Pa /etc/wiresep/global.psk
exists it is automatically used.
This setting can be overridden per interface and per peer.
.Xr wiresep-keygen 1
can be used to generate a pre-shared key.
.It Ic user Ar name
Set the user as which to run
.Xr wiresep 8 .
.Ar name
must be either the name of an existing user in the
.Xr passwd 5
database or an id in the range of 1 to 65535.
If a name is specified the primary group of this user will be used as the group
of the process.
If an id is specified for
.Ar name
then the group of the process will be set to the same id.
If not set it defaults to the user
.Dq _wiresep .
.El
.Ss INTERFACE SPECIFIC SETTINGS
The following interface specific settings are recognized:
.Bl -tag -width Ds
.It Ic desc Ar text
A descriptive
.Ar text
for the interface as showed by
.Xr ifconfig 8 .
If not set it defaults to the public key of the interface.
.It Ic ifaddr Ar ip/mask
The ip address and mask of the interface in CIDR notation.
This setting is required since configuration via
.Xr hostname.if 5
is not yet supported.
It may be set multiple times.
.It Ic listen Ar ip:port
The ip address and port on which to listen for encrypted incoming packets.
This setting is optional and determines whether to operate in server or
client-only mode.
It may be set multiple times.
.It Ic privkeyfile Ar file
The name of a file that contains the private key for this interface.
If not set the default path of the private key is
.Pa /etc/wiresep/tunN.privkey
where
.Ar tunN
is the name of the interface.
A private key can be generated with
.Xr wiresep-keygen 1 .
.It Ic peer Oo Ar name Oc Brq ...
A peer with an optional
.Ar name
followed by a required block containing peer specific settings.
.Ar name
is used in the logs.
If it is not set the first eight characters of the peers public key are used.
See the section about peer specific settings for what can be contained in the
block.
.It Ic pskfile Ar file
The name of a file that contains a pre-shared key for communication with all
peers on this interface.
The use of a pre-shared key is optional.
If the file
.Pa /etc/wiresep/tunN.psk
exists it is automatically used, where
.Ar tunN
is the name of the interface.
An interface specific pre-shared key overrides any global
.Ar pskfile .
.Xr wiresep-keygen 1
can be used to generate a pre-shared key.
.El
.Pp
Note that all global settings can be used within an interface block to override
the global setting.
.Ss PEER SPECIFIC SETTINGS
The following peer specific settings are recognized:
.Bl -tag -width Ds
.It Ic allowedips Ar ip/mask
The ip addresses that this peer is allowed to use as a source address.
.Ar 0.0.0.0/0
means any IPv4 address.
.Ar ::/0
means any IPv6 address.
.Ar *
is a shorthand for
.Ar ::/0 0.0.0.0/0 .
This setting is required and may be set multiple times.
.It Ic endpoint Ar ip:port
A known endpoint for this peer.
.It Ic pskfile Ar file
The name of a file that contains a pre-shared key for communication with this
peer.
The use of a pre-shared key is optional.
If the file
.Pa /etc/wiresep/tunN.peername.psk
or
.Pa /etc/wiresep/peername.psk
exists it is automatically used, where
.Ar tunN
is the name of the interface and
.Ar peername
is the
.Ar name
of this
.Ic peer .
A peer specific pre-shared key overrides any global or interface specific
.Ar pskfile .
.Xr wiresep-keygen 1
can be used to generate a pre-shared key.
.It Ic pubkey Ar key
The peers public key.
This setting is required.
.El
.Sh EXAMPLES
What follows is an example of a configuration of a server that is listening on
the public ip 198.51.100.7 port 1022.
It uses the tun0 device with the internal ip addresses 2001:db8::7 and
172.16.0.1 and allows communication with the peer Jane and Joe.
Jane is allowed to use any source ip, while Joe may only use 2001:db8::4 or
172.16.0.11/30 as the source ip of his packets.
The private key for the tun0 interface can be generated with
.Ic wiresep-keygen tun0 .
Furthermore, with Joe a peer specific pre-shared key is used for quantum-proof
encryption by simply creating a pre-shared key using the
.Ic wiresep-keygen -s tun0 Ic joe
command.
.Pp
The content of
.Pa /etc/wiresep/wiresep.conf
looks as follows:
.Bd -literal -offset indent
interface tun0 {
ifaddr 2001:db8::7/126
ifaddr 172.16.0.1/24
listen 198.51.100.7:1022
peer jane {
pubkey BhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
allowedips *
}
peer joe {
pubkey AhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
allowedips 2001:db8::4
allowedips 172.16.0.11/30
}
}
.Ed
.Pp
Note that
.Pa /etc/hostname.tun0
should not be created as
.Xr wiresep 8
should do the setup and teardown of the interface by itself.
.Sh SEE ALSO
.Xr wiresep-keygen 1 ,
.Xr wiresep 8
.Sh AUTHORS
.An -nosplit
.An Tim Kuijsten
.Sh CAVEATS
Currently the use of
.Xr hostname.if 5
or manual creation of the tunnel interface using
.Xr ifconfig 8
is not well-tested and it is recommended to let
.Xr wiresep 8
do the setup and teardown of the interface.