DESCRIPTION

Configuration file for vtund(8) virtual tunnel daemon.

File consists of sections in the form:

  name {
    keyword value;
    keyword value;
    ..
  }

A semicolon at the end of each keyword-value pair is required, as are the grouping curly braces {}. Lines which begin with the '#' character are comments.

The section name (name) can be one of:

options

this section specifies general options for vtund

default

specifies default options for all sessions

session

(any other word except "options" and "default") introduces a new session and specifies options for it.

All keyword names can be abbreviated to a minimum of 4 characters.
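The layout above (brace-grouped sections, semicolon-terminated keyword/value pairs, '#' comments, nested blocks such as bindaddr or up, and the four-character abbreviation rule) is small enough to parse in a few dozen lines. The following is an added example, not code from the vtund distribution: a tokenizer and recursive parser for that layout in Python. The keyword table is the set of keyword names listed on this page; treating a double-quoted value as one token follows the note under program that arguments are enclosed in double quotes, and backslash escapes inside such quotes are an assumption of this example. The sample configuration at the bottom is constructed.

```python
"""Parser for the vtund.conf layout described in this manual page (added example)."""
from typing import List, Tuple

# Keyword names taken from this manual page.  A word of at least four
# characters that is a prefix of exactly one of them is expanded to it.
KEYWORDS = {
    "type", "ipv4", "ipv6", "port", "bindaddr", "timeout", "persist", "syslog",
    "ppp", "ifconfig", "route", "ip", "firewall", "passwd", "device", "proto",
    "nat_hack", "compress", "encrypt", "keepalive", "stat", "speed", "srcaddr",
    "multi", "up", "down", "iface", "addr", "program",
}


def expand_keyword(word: str) -> str:
    """Apply the 'abbreviated to a minimum of 4 characters' rule."""
    if word in KEYWORDS:
        return word
    if len(word) >= 4:
        matches = [k for k in KEYWORDS if k.startswith(word)]
        if len(matches) == 1:
            return matches[0]
    return word  # unknown or ambiguous: returned unchanged for the caller to reject


def tokenize(text: str) -> List[str]:
    """Split text into words, '{', '}', ';' and double-quoted strings; '#' starts a comment."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":  # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c == '"':  # quoted value, e.g. program arguments
            j, buf = i + 1, []
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n:  # assumed: backslash escapes the next char
                    j += 1
                buf.append(text[j])
                j += 1
            if j >= n:
                raise ValueError("unterminated quoted string")
            tokens.append("".join(buf))
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{};"#':
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def _parse_block(tokens: List[str], i: int) -> Tuple[list, int]:
    """Parse entries up to the matching '}'; tokens[i] is the first token after '{'.
    Entries are (keyword, values) with values a list of tokens, or (keyword, block)
    for a nested block.  Keywords may repeat, so the block is an ordered list."""
    block = []
    while i < len(tokens) and tokens[i] != "}":
        key = expand_keyword(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "{":
            sub, i = _parse_block(tokens, i + 1)
            block.append((key, sub))
            if i < len(tokens) and tokens[i] == ";":  # the 'bindaddr { ... };' form
                i += 1
        else:
            values = []
            while i < len(tokens) and tokens[i] not in ";{}":
                values.append(tokens[i])
                i += 1
            if i >= len(tokens) or tokens[i] != ";":
                raise ValueError(f"missing ';' after keyword {key!r}")
            block.append((key, values))
            i += 1
    if i >= len(tokens):
        raise ValueError("missing closing '}'")
    return block, i + 1


def parse_config(text: str) -> List[Tuple[str, list]]:
    """Return the top-level sections as [(section_name, entries), ...]."""
    tokens, sections, i = tokenize(text), [], 0
    while i < len(tokens):
        name = tokens[i]
        if i + 1 >= len(tokens) or tokens[i + 1] != "{":
            raise ValueError(f"expected '{{' after section name {name!r}")
        entries, i = _parse_block(tokens, i + 2)
        sections.append((name, entries))
    return sections


def lookup(block: list, key: str) -> list:
    """All values recorded for key in block, in order (keywords such as ip may repeat)."""
    return [v for k, v in block if k == key]


# Constructed sample configuration exercising comments, nesting and abbreviations.
SAMPLE = """
# constructed example, not a configuration shipped with vtund
options {
  port 5000;
  bind { iface eth0; };      # abbreviation of bindaddr
  ifco /sbin/ifconfig;       # abbreviation of ifconfig
  ip   /sbin/ip;
}
default {
  type tun;
  prot udp;                  # abbreviation of proto
  encr aes256cbc;            # abbreviation of encrypt
  keep yes;                  # abbreviation of keepalive
}
home {
  pass "s3cr3t-example";     # constructed password
  up {
    ip "link set %% up mtu 1450";
    ip "addr add 10.9.0.2/30 dev %%";
  };
}
"""

if __name__ == "__main__":
    for section, entries in parse_config(SAMPLE):
        print(section)
        for key, value in entries:
            print("   ", key, value)
```

Abbreviations are expanded at parse time, so a consumer only ever sees canonical keyword names; a word that expands to nothing (too short, unknown or ambiguous) is passed through unchanged so the caller can report it.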

GENERAL OPTIONS

This section, named options, specifies general options to use by vtund(8). Possible keywords are:

type

server type. vtund(8) can operate in standalone mode (stand), which is the default, or be invoked from inetd(8).

ipv4

use IPv4 as transport medium. This is the default. Inside the tunnel other types are of course usable.

ipv6

use IPv6 as transport medium.

port

server port number to listen on or connect to. By default, vtund(8) uses port 5000.

bindaddr

server listen address. Used to force vtund to bind to the specific address and port in server mode. Format:

  bindaddr {
   option value;
  };

bindaddr options:

iface

use the address of interface if_name as the bind address.

addr

bind address. Can be either IP address or host name.

timeout

General timeout.

persist

persist mode. If yes, the client will try to reconnect to the server after connection termination. If keep, the client will not remove and re-add the tunXX or tapXX device when reconnecting. If no, the client will exit (default). This option is ignored by the server.

syslog

syslog facility specification, either numeric or by name (see syslog(3)).

ppp

path to pppd(8) program. Can be used in session sections.

ifconfig

path to ifconfig(8) program. Can be used in session sections.

route

path to route(8) program. Can be used in session sections.

ip

path to iproute(8) program. Can be used in session sections.

firewall

program for the firewall setup.

All the ppp, ifconfig, route and firewall parameters can specify a filename for the corresponding program or an equivalent (or a shell script). These parameters are used in session sections to set up network interfaces.

SESSION OPTIONS

Session options can be specified inside a session section or inside the default section. Default parameters apply to every session section but can be overridden there. Parameters are:

passwd

password for authentication. This should be the same in client and server.

type

type of tunnel. Possible tunnel types are:

tun

IP tunnel (no PPP, Ether etc headers)

ether

Ethernet tunnel

tty

serial tunnel (PPP, SLIP etc)

pipe

pipe tunnel

Default tunnel type is tty. This option is ignored by the client.

device

network device to use. You can choose tapXX for ether tunnel or tunXX for tun tunnel. By default vtund(8) will automatically select available device.

proto

protocol to use. By default, vtund(8) will use TCP protocol. UDP is recommended for ether and tun tunnels only. This option is ignored by the client.

nat_hack

side to use nat_hack on. By default, vtund(8) uses a 'no' setting. The side that the NAT hack is enabled on will perform a delayed UDP socket connect. Should only be enabled for the side outside of the NAT (typically the server)! Setting 'client' on the server or 'server' on the client is ignored, so that a single configuration file can be reused on both sides.

This is only relevant if you use proto udp. The NAT hack delays the UDP socket connect until the first UDP packet is received from the other side of the tunnel. The socket is then connected to the actual source port of the packet (on the NAT box) and not to the one indicated in the handshake (which is behind NAT and probably unreachable). The first echo request is also disabled on the side with the NAT hack enabled.

Currently the mechanism works only for one side, for a single NAT traversal. If you enable it for both sides, both will wait for a first packet and the tunnel will never transport any data.

Security warning! Due to the nature of the delayed connection, the tunnel can be hijacked in theory by an attacker behind the same NAT, sending the first UDP packet to the server UDP port, before the real client does. If you do not understand the risks, or want to remain as secure as possible behind this kind of NAT router, use proto tcp as a NAT traversal solution.

Because of the security issue mentioned above, this option might be disabled during compilation (configure --disable-nathack).
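To make the delayed connect concrete, here is an added example (not code from vtund or this manual) that reproduces the mechanism on loopback with plain Python UDP sockets: the server binds but defers connect() until the first datagram arrives, then connects to that datagram's source, after which the kernel delivers only datagrams from that one address and port and replies go back to it. A second function shows the both-sides case described above, where each end waits for a first packet that never comes. All addresses and ports are ephemeral loopback ones chosen by the operating system; the payloads are constructed.

```python
"""Loopback demonstration of the delayed UDP connect used by nat_hack (added example)."""
import socket


def make_udp(host: str = "127.0.0.1") -> socket.socket:
    """UDP socket bound to an ephemeral loopback port with a short receive timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    s.settimeout(2.0)
    return s


def delayed_connect(server: socket.socket):
    """The nat_hack step: learn the peer from the first datagram, then connect().
    Once connected, the kernel delivers only datagrams from that address and port."""
    data, peer = server.recvfrom(2048)
    server.connect(peer)
    return data, peer


def run_demo() -> dict:
    """One NAT-side server, one client that speaks first, one unrelated sender."""
    server, client, other = make_udp(), make_udp(), make_udp()
    try:
        server_addr = server.getsockname()
        # 1. the client (behind the NAT in a real deployment) sends the first packet
        client.sendto(b"hello", server_addr)
        first, peer = delayed_connect(server)
        # 2. after connect() a datagram from any other source is not delivered
        other.sendto(b"from-elsewhere", server_addr)
        client.sendto(b"second", server_addr)
        after = server.recv(2048)
        # 3. replies go to the learned peer (the NAT's public port in practice)
        server.send(b"ack")
        reply, reply_from = client.recvfrom(2048)
        return {
            "first": first, "peer": peer, "after_connect": after,
            "reply": reply, "reply_from": reply_from,
            "client_addr": client.getsockname(), "server_addr": server_addr,
        }
    finally:
        for s in (server, client, other):
            s.close()


def both_sides_delayed(wait: float = 0.3) -> bool:
    """Both ends configured to wait for the other's first packet: neither sends,
    so neither learns a peer.  Returns True only if any data was received."""
    a, b = make_udp(), make_udp()
    try:
        for s in (a, b):
            s.settimeout(wait)
            try:
                s.recvfrom(2048)
                return True
            except socket.timeout:
                pass
        return False
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    result = run_demo()
    print("first datagram:", result["first"], "from", result["peer"])
    print("after connect, only the learned peer is heard:", result["after_connect"])
    print("data flows when both sides wait:", both_sides_delayed())
```

The point the demo makes is the one the warning above rests on: the first datagram to reach the server port decides which peer the socket is bound to for the rest of the session, because nothing in that packet is authenticated before connect() is called.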

timeout

Connect timeout.

compress

specifies compression method to use. Compression methods include:

no

no compression

yes

default compression method

zlib

ZLIB compression

lzo

LZO compression (if compiled in)

You can also specify level of compression using one digit (1 is best speed, 9 is best compression ratio). This option is ignored by the client.

encrypt

specifies encryption method to use. Encryption methods include:

no

no encryption

yes

default encryption method (blowfish128ecb)

blowfish128ecb

Blowfish cipher, 128 bit key, mode ECB

blowfish128cbc

Blowfish cipher, 128 bit key, mode CBC

blowfish128cfb

Blowfish cipher, 128 bit key, mode CFB

blowfish128ofb

Blowfish cipher, 128 bit key, mode OFB

blowfish256ecb

Blowfish cipher, 256 bit key, mode ECB

blowfish256cbc

Blowfish cipher, 256 bit key, mode CBC

blowfish256cfb

Blowfish cipher, 256 bit key, mode CFB

blowfish256ofb

Blowfish cipher, 256 bit key, mode OFB

oldblowfish128ecb

Blowfish cipher, 128 bit key, mode ECB (for use with 2.6 clients only)

aes128ecb

AES cipher, 128 bit key, mode ECB

aes128cbc

AES cipher, 128 bit key, mode CBC

aes128cfb

AES cipher, 128 bit key, mode CFB

aes128ofb

AES cipher, 128 bit key, mode OFB

aes256ecb

AES cipher, 256 bit key, mode ECB

aes256cbc

AES cipher, 256 bit key, mode CBC

aes256cfb

AES cipher, 256 bit key, mode CFB

aes256ofb

AES cipher, 256 bit key, mode OFB

This option is ignored by the client.

keepalive

enable or disable connection keep-alive. The value is given as interval:count, where interval is the period between connection checks, in seconds, and count is the maximum number of retries (yes is equivalent to 30:4). This option is ignored by the server.

stat

enable or disable statistics. If enabled vtund(8) will log statistic counters to /var/log/vtund/session_X every 5 minutes.

speed

specifies speed of the connection in kilobits/second. Valid values for kbps are 8,16,32,64,128,256,etc. 0 (the default) means maximum possible speed without shaping. You can specify speed in the form in:out, where in is the speed to the client and out the speed from the client. A single number means the same speed for in and out. This option is ignored by the client.

srcaddr

local (source) address. Used to force vtund to bind to the specific address and port. Format:

  srcaddr {
   option value;
   option value;
   ..
  };

srcaddr options:

iface

use the address of interface if_name as the source address.

addr

source address. Can be either IP address or host name.

port

source port.

multi

control multiple connections. The value can be yes or allow to allow multiple connections, no or deny to deny them, or killold to allow the new connection and kill the old one. Ignored by the client.

up

list of programs to run after the connection has been established. Used to initialize protocols, devices, routing and firewall. This option looks like a whole section inside the session section. Format:

 up {
   option value;
   option value;
   ..
 };

Options inside up (and down) blocks:

program

run the specified program. path is the full path to the program, arguments is all arguments to pass to it (enclosed in double quotes). If wait is specified, vtund will wait for the program to terminate. Special characters that can be used inside the arguments parameter:

\' (single quotes) - group arguments

\ (back slash) - escape character

%d - TUN or TAP device or TTY port name

%% (double percent) - same as %d

%A - Local IP address

%P - Local TCP or UDP port

%a - Remote IP address

%p - Remote TCP or UDP port

ppp

run the program specified by the ppp statement in the options section. All special characters described above are valid in arguments here.

ifconfig

run program specified by ifconfig statement in options section.

route

run program specified by route statement in options section.

ip

run program specified by ip statement in options section.

firewall

run program specified by firewall statement in options section.

down

list of programs to run after the connection has been terminated. It is similar to the up parameter above. Format:

 down {
   option value;
   option value;
   ..
 };
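The quoting and placeholder rules for the arguments string of a program (or ppp, ifconfig, route, ip, firewall) line above are easy to get wrong, so here is an added example, not code from vtund, that turns such a string into an argv list the way those rules describe: single quotes group characters into one argument, a backslash makes the next character literal, and %d, %%, %A, %P, %a and %p are substituted from a context of device, local address/port and remote address/port. Treating a bare ' (the page writes it as \') as the grouping quote is this example's reading of the rule, and the context values and the command strings are constructed; the addresses are from the documentation ranges.

```python
"""Expand quoting and %-placeholders in a vtund 'program' arguments string (added example)."""
from typing import Dict, List

# Placeholder letters listed on this page, mapped to keys of the context dict.
PLACEHOLDERS = {
    "d": "device", "%": "device",        # %% is the same as %d
    "A": "local_addr", "P": "local_port",
    "a": "remote_addr", "p": "remote_port",
}

# Constructed context: what vtund would know once a session is up.
SAMPLE_CTX: Dict[str, str] = {
    "device": "tun0",
    "local_addr": "192.0.2.10", "local_port": "5000",
    "remote_addr": "198.51.100.7", "remote_port": "5000",
}


def expand_arguments(arguments: str, ctx: Dict[str, str]) -> List[str]:
    """Split the arguments string into argv, applying the rules listed above.
    Unknown %x sequences are kept literally; an unbalanced quote is an error."""
    argv: List[str] = []
    current: List[str] = []
    have_arg = False       # True once something (even '') belongs to the current argument
    in_quotes = False
    i, n = 0, len(arguments)
    while i < n:
        c = arguments[i]
        if c == "\\" and i + 1 < n:
            # backslash: take the next character literally (space, quote or percent)
            current.append(arguments[i + 1])
            have_arg = True
            i += 2
        elif c == "'":
            # single quotes group characters, including spaces, into one argument
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c == "%" and i + 1 < n and arguments[i + 1] in PLACEHOLDERS:
            key = PLACEHOLDERS[arguments[i + 1]]
            if key not in ctx:
                raise KeyError(f"placeholder %{arguments[i + 1]} needs ctx[{key!r}]")
            current.append(str(ctx[key]))
            have_arg = True
            i += 2
        elif c.isspace() and not in_quotes:
            if have_arg:
                argv.append("".join(current))
                current, have_arg = [], False
            i += 1
        else:
            current.append(c)
            have_arg = True
            i += 1
    if in_quotes:
        raise ValueError("unbalanced single quote in arguments")
    if have_arg:
        argv.append("".join(current))
    return argv


def build_command(path: str, arguments: str, ctx: Dict[str, str]) -> List[str]:
    """argv for one program line: the path followed by the expanded arguments."""
    return [path] + expand_arguments(arguments, ctx)


if __name__ == "__main__":
    # constructed lines as they might appear inside an up block
    for path, args in [
        ("/sbin/ip", "link set %% up mtu 1450"),
        ("/sbin/ip", "addr add 10.9.0.2/30 dev %d"),
        ("/sbin/iptables", "-A FORWARD -i %d -s %a -d %A -j ACCEPT"),
        ("/usr/local/bin/notify", "'tunnel up' %P \\%P"),
    ]:
        print(build_command(path, args, SAMPLE_CTX))
```

Building an argv list rather than a shell command line is deliberate: none of the substituted values is reinterpreted by a shell, so a remote address or port learned from the peer can only ever become a single argument of the configured program.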

NOTES

Options ignored by the client are supplied by the server at run time or are used only on the server side.


AUTHOR

Vtund was written by Maxim Krasnyansky <[email protected]>. This manual page was derived from comments in the config file by Michael Tokarev <[email protected]>.