# # VTun - Virtual Tunnel over TCP/IP network. # Copyright (C) 1998-2016 Maxim Krasnyansky # # Cleanup of English and spelling by # Ted Rolle # # Configuration file example # $Id: vtund.conf,v 1.5 2016/09/19 04:42:26 mtbishop Exp $ # # # Lines which begin with '#' are comments # # File format: # # XXXXX { # option param; option param; # option param; # ...... # } # Where XXXXX: # options - General options. # default - default session options. # session - Session options. # # Options _must_ be grouped by curly braces '{' '}'. # Each option _must_ end with ';' # # ----------- # General options: # # type - Server type. # 'stand' - Stand alone server (default). # 'inetd' - Started by inetd. # Used only by the server. # # ----------- # port - Server TCP port number. # # ----------- # bindaddr - Server listen address. Used to force vtund to bind # to the specific address and port in server mode. # Format: # bindaddr { # option .....; # }; # # 'bindaddr' options: # # iface - Use interface address as the listen address. # Format: # iface if_name; # # addr - Listen address. # Format: # addr ip_address; # addr host_name; # # ----------- # syslog - Syslog facility. # # ----------- # timeout - General VTun timeout. # # ----------- # ppp - Program for the ppp initialization. # # ----------- # ifconfig - Program for the net interface initialization. # # ----------- # route - Program for the routing table manipulation. # # ----------- # firewall - Program for the firewall setup. # # ----------- # # Session options: # # passwd - Password for authentication. # # ----------- # type - Tunnel type. # 'tun' - IP tunnel (No PPP,Ether,.. headers). # 'ether' - Ethernet tunnel. # 'tty' - Serial tunnel, PPP, SLIP, etc. # 'pipe' - Pipe tunnel. # Default type is 'tty'. # Ignored by the client. # # ----------- # device - Network device. # 'tapXX' - for 'ether' # 'tunXX' - for 'tun' # By default VTun will automatically select available # device. # # ----------- # proto - Protocol. # 'tcp' - TCP protocol. # 'udp' - UDP protocol. # # 'tcp' is default for all tunnel types. # 'udp' is recommended for 'ether' and 'tun' only. # # This option is ignored by the client. # # ----------- # nat_hack - Delay UDP set-up connection until Server or Client sends # a UDP packet, depending on setting. Useful to work around # routers which use mismatched port numbers for UDP traffic. # # 'client' - Delay UDP set-up on the client side # 'server' - Delay UDP set-up on the server side. # 'no' - Disable the NAT hack on both sides (default). # # Setting 'nat_hack client' on the server or 'nat_hack server' # on the client is ignored. Please see the vtund.conf man page # for more details and security information. # # ----------- # persist - Persist mode. # 'yes' - Reconnect to the server after connection # termination. # 'no' - Exit after connection termination (default). # Used only by the client. # # ----------- # keepalive - Enable 'yes' or disable 'no' connection # keep-alive. Ignored by the client. # # May be in the form 'interval:count', where 'interval' is the # period of connection checks and 'count' is the maximum number # of retries. 'yes' is equivalent to '30:4'. # # ----------- # timeout - Connect timeout. # # ----------- # compress - Enable 'yes' or disable 'no' compression. # It is also possible to specify a method: # 'zlib' - ZLIB compression # 'lzo' - LZO compression # and level: # from 1(best speed) to 9(best compression) # separated by ':'. Default method is 'zlib:1'. # Ignored by the client. # # ----------- # encrypt - Enable 'yes' or disable 'no' encryption. # It is also possible to specify a method: # 'blowfish128ecb' - Blowfish cipher, 128 bit key, mode ECB # 'blowfish128cbc' - Blowfish cipher, 128 bit key, mode CBC # 'blowfish128cfb' - Blowfish cipher, 128 bit key, mode CFB # 'blowfish128ofb' - Blowfish cipher, 128 bit key, mode OFB # 'blowfish256ecb' - Blowfish cipher, 256 bit key, mode ECB # 'blowfish256cbc' - Blowfish cipher, 256 bit key, mode CBC # 'blowfish256cfb' - Blowfish cipher, 256 bit key, mode CFB # 'blowfish256ofb' - Blowfish cipher, 256 bit key, mode OFB # 'aes128ecb' - AES cipher, 128 bit key, mode ECB # 'aes128cbc' - AES cipher, 128 bit key, mode CBC # 'aes128cfb' - AES cipher, 128 bit key, mode CFB # 'aes128ofb' - AES cipher, 128 bit key, mode OFB # 'aes256ecb' - AES cipher, 256 bit key, mode ECB # 'aes256cbc' - AES cipher, 256 bit key, mode CBC # 'aes256cfb' - AES cipher, 256 bit key, mode CFB # 'aes256ofb' - AES cipher, 256 bit key, mode OFB # # A special encryption method is provided for use with clients # running pre-3.0 versions: # 'oldblowfish128ecb' - Blowfish cipher, 128bit key, mode ECB # # Default method is 'blowfish128ecb'. # Ignored by the client. # # ----------- # stat - Enable 'yes' or disable 'no' statistics. # If enabled vtund will log statistic counters every # 5 minutes. # # ----------- # speed - Speed of the connection in kilobits/second. # 8,16,32,64,128,256,etc. # 0 means maximum possible speed without shaping. # You can specify speed in form IN:OUT. # IN - to the client, OUT - from the client. # Single number means same speed for IN and OUT. # Ignored by the client. # # ----------- # up - List of programs to run after connection has been # established. Used to initialize protocols, devices, # routing and firewall. # Format: # up { # option .....; # option .....; # }; # # down - List of programs to run after connection has been # terminated. Used to reset protocols, devices, routing # and firewall. # Format: # down { # option .....; # option .....; # }; # # 'up' and 'down' options: # # program - Run specified program. # Format: # program path arguments wait; # # path - Full path to the program. # '/bin/sh' will be used if path was omitted. # # arguments - Arguments to pass to the program. # Must be enclosed in double quotes. # Special characters and expansions: # ' (single quotes) - group arguments # \ (back slash) - escape character # %%(double percent) - same as %d # %d - TUN or TAP device or TTY port name # %A - Local IP address # %P - Local TCP or UDP port # %a - Remote IP address # %p - Remote TCP or UDP port # # wait - Wait for the program termination. # # ppp - Run program specified by 'ppp' statement in # 'options' section. # Format: # ppp arguments; # # ifconfig - Run program specified by 'ifconfig' statement in # 'options' section. # Format: # ifconfig arguments; # # route - Run program specified by 'route' statement in # 'options' section. # Format: # route arguments; # # firewall - Run program specified by 'firewall' statement in # 'options' section. # Format: # firewall arguments; # # ----------- # srcaddr - Local (source) address. Used to force vtund to bind # to the specific address and port in client mode. # Format: # srcaddr { # option .....; # option .....; # }; # # 'srcaddr' options: # # iface - Use interface address as the Source address. # Format: # iface if_name; # # addr - Source address. # Format: # addr ip_address; # addr host_name; # # port - Source port. # Format: # port port_no; # # ----------- # multi - Multiple connections. # 'yes' or 'allow' - allow multiple connections. # 'no' or 'deny' - deny multiple connections. # 'killold' - allow new connection and kill old one. # Ignored by the client. # # ----------- # Notes: # Options 'Ignored by the client' are provided by server # at the connection initialization. # # Option names cannot be abbreviated. # # ----- CUT HERE --- Server config --- CUT HERE ----- # options { port 5000; # Listen on this port. bindaddr { iface lo; }; # Listen only on loopback device. # Syslog facility syslog daemon; # Path to various programs ppp /usr/sbin/pppd; ifconfig /sbin/ifconfig; route /sbin/route; firewall /sbin/ipchains; ip /sbin/ip; } # Default session options default { compress no; # Compression is off by default speed 0; # By default maximum speed, NO shaping } # TUN example. Session 'cobra'. cobra { passwd Ma&^TU; # Password type tun; # IP tunnel proto udp; # UDP protocol compress lzo:9; # LZO compression level 9 encrypt yes; # Encryption keepalive yes; # Keep connection alive up { # Connection is Up # 10.3.0.1 - local, 10.3.0.2 - remote ifconfig "%% 10.3.0.1 pointopoint 10.3.0.2 mtu 1450"; }; } # the same as above, but with iproute2 command cobra { passwd Ma&^TU; # Password type tun; # IP tunnel proto udp; # UDP protocol compress lzo:9; # LZO compression level 9 encrypt yes; # Encryption keepalive yes; # Keep connection alive up { # Connection is Up # 10.3.0.1 - local, 10.3.0.2 - remote ip "link set %% up multicast off mtu 1450"; ip "-family inet addr add 10.3.0.1 peer 10.3.0.2 dev %%"; }; } # Ethernet example. Session 'lion'. lion { passwd Ma&^TU; # Password type ether; # Ethernet tunnel device tap0; # Device tap0 proto udp; # UDP protocol compress lzo:1; # LZO compression level 1 encrypt yes; # Encryption stat yes; # Log connection statistic keepalive yes; # Keep connection alive up { # Connection is Up # Assign IP address ifconfig "%% 10.1.0.1 netmask 255.255.255.0"; # Add route to net 10.2.0.0/24 route "add -net 10.2.0.0 netmask 255.255.255.0 gw 10.1.0.2"; # Enable masquerading for net 10.2.0.0.0/24 firewall "-A forward -s 10.2.0.0/24 -d 0.0.0.0/0 -j MASQ"; }; down { # Connection is Down # Shutdown tap device. ifconfig "%% down"; # Disable masquerading for net 10.2.0.0.0/24 firewall "-D forward -s 10.2.0.0/24 -d 0.0.0.0/0 -j MASQ"; }; } # PPP example. Session 'viper'. viper { passwd TTT$bio; # Password compress yes; # ZLIB compression level 1 encrypt yes; # Encryption up { # Connection is Up (established) # Assign IP addresses 10.0.0.1 - local, 10.0.0.2 - remote ppp "10.0.0.1:10.0.0.2 proxyarp"; }; } # Pipe example. Session 'backup'. backup { passwd OnlyME; # Password type pipe; # Pipe tunnel speed 256:128; # Shaping speed 256K IN and 128K OUT. encrypt yes; # Encryption up { # Connection is Up # Start shell and tar '/etc' directory to # the stdout (pipe tunnel). program /bin/sh "-c 'tar cf - /etc/*'"; }; } # TTY example. Session 'sz'. # Silly example to show that VTun can tunnel ALMOST # anything :-). sz { passwd OnlyME; # Password type tty; # TTY tunnel speed 64; # Shaping speed 64K IN/OUT encrypt yes; # Encryption up { # Connection is Up # Send '/etc/profile' via ZMODEM to the # stdout(tty tunnel). program /bin/sh "-c 'sz /etc/termcap'"; }; } # # ----- CUT HERE -------- End -------- CUT HERE ----- # # # ----- CUT HERE --- Client config --- CUT HERE ----- # options { port 5000; # Connect to this port. timeout 60; # General timeout # Path to various programs ppp /usr/sbin/pppd; ifconfig /sbin/ifconfig; route /sbin/route; firewall /sbin/ipchains; ip /sbin/ip; } # TUN example. Session 'cobra'. cobra { passwd Ma&^TU; # Password device tun1; # Device tun1 persist yes; # Persist mode up { # Connection is Up # Assign IP addresses. ifconfig "%% 10.3.0.2 pointopoint 10.3.0.1 mtu 1450"; }; } # same as above, but with iproute2 command cobra { passwd Ma&^TU; # Password device tun1; # Device tun1 persist yes; # Persist mode up { # Connection is Up # Assign IP addresses. ip "link set %% up multicast off mtu 1450"; ip "-family inet addr add 10.3.0.2 peer 10.3.0.1 dev %%"; }; } # Ethernet example. Session 'lion'. lion { passwd Ma&^TU; # Password type ether; # Ethernet tunnel device tap1; # Device tap1 up { # Connection is Up # Assign IP address and netmask. ifconfig "%% 10.1.0.2 netmask 255.255.255.0"; }; down { # Connection is Down # Shutdown tap device ifconfig "%% down"; }; } # PPP example. Session 'viper'. viper { passwd TTT$bio; # Password up { # Connection is Up # IP address will be assigned by the server ppp "noipdefault"; }; } # Pipe example. Session 'backup'. backup { passwd OnlyME; # Password up { # Connection is Up # Start shell and untar files from # stdin(pipe tunnel). program /bin/sh "-c 'cd /tmp; tar xf -"; }; } # TTY example. Session 'sz'. # Silly example to show that VTun can tunnel ALMOST # anything :-). sz { passwd OnlyME; # Password up { # Receive file via ZMODEM from the # stdin(tty tunnel). program /bin/sh "-c 'cd /tmp; rz'"; }; }