VTUND.CONF(5)                 File Formats Manual                VTUND.CONF(5)


NAME

       vtund.conf - VTun (Virtual Tunnel) daemon configuration file.


DESCRIPTION

       Configuration file for the vtund(8) virtual tunnel daemon.

       The file consists of sections in the form:

              name {
                keyword value;
                keyword value;
                ..
              }

       The semicolon at the end of each keyword-value pair is required, as are
       the grouping curly braces {}.  Lines which begin with the '#' character
       are comments.

       The name of a section (name) can be one of:

       options
              this section specifies general options for vtund

       default
              specifies default options for all sessions

       session
              (any other word except "options" and "default") introduces a new
              session and specifies options for it.

       All keyword names can be abbreviated to a minimum of 4 characters.


GENERAL OPTIONS

       This section, named options, specifies general options to be used by
       vtund(8).  Possible keywords are:

       type stand|inetd
              server type.  vtund(8) can operate in standalone mode (stand),
              which is the default (but not available on no-MMU systems), or
              be invoked from inetd(8).

       port portnumber
              server port number to listen on or connect to.  By default,
              vtund(8) uses port 5000.

       bindaddr list
              server listen address.  Used to force vtund to bind to a
              specific address and port in server mode.  Format:
                bindaddr {
                 option value;
                };

              bindaddr options:

              iface if_name
                     use the address of interface if_name as the bind address.

              addr addr
                     bind address.  Can be either an IP address or a host name.

       timeout seconds
              General timeout.

       persist yes|keep|no
              persist mode.  If yes, the client will try to reconnect to the
              server after connection termination.  If keep, the client will
              not remove and re-add the tunXX or tapXX device when
              reconnecting.  If no, the client will exit (default).  This
              option is ignored by the server.

       syslog number|name
              syslog facility specification, either numeric or by name (from
              syslog(3)).

       ppp path
              path to the pppd(8) program.  Can be used in session sections.

       ifconfig path
              path to the ifconfig(8) program.  Can be used in session
              sections.

       route path
              path to the route(8) program.  Can be used in session sections.

       ip path
              path to the iproute(8) program.  Can be used in session
              sections.

       firewall path
              program for the firewall setup.

       All of the ppp, ifconfig, route and firewall parameters can specify a
       filename for the corresponding program or an equivalent (or a shell
       script).  These parameters are used in session sections to set up
       network interfaces.


SESSION OPTIONS

       Session options can be specified inside a session section or inside
       the default section.  Default parameters apply to any session section
       but can be overridden there.  Parameters are:

       passwd secret
              password for authentication.  This should be the same on the
              client and the server.

       type type
              type of tunnel.  Possible tunnel types are:

              tun    IP tunnel (no PPP, Ether etc headers)

              ether  Ethernet tunnel

              tty    serial tunnel (PPP, SLIP etc)

              pipe   pipe tunnel

              The default tunnel type is tty.  This option is ignored by the
              client.

       device dev
              network device to use.  You can choose tapXX for an ether tunnel
              or tunXX for a tun tunnel.  By default vtund(8) will
              automatically select an available device.

       proto tcp|udp
              protocol to use.  By default, vtund(8) will use the TCP
              protocol.  UDP is recommended for ether and tun tunnels only.
              This option is ignored by the client.

       nat_hack client|server|no
              side to use nat_hack on.  By default, vtund(8) uses the 'no'
              setting.  The side that the NAT hack is enabled on will perform
              a delayed UDP socket connect.  Should only be enabled for the
              side outside of the NAT (typically the server)!  Setting
              'client' on the server or 'server' on the client is ignored, so
              as to make a single configuration file reusable on both sides.

              This is only relevant if you use proto udp.  The NAT hack delays
              the UDP socket connect until the first UDP packet is received
              from the other side of the tunnel.  The socket is then connected
              to the actual source port of the packet (on the NAT box) and not
              to the one indicated in the handshake (which is behind NAT and
              probably unreachable).  The first echo request is also disabled
              on the side with the NAT hack enabled.

              Currently the mechanism works only for one side, for a single
              NAT traversal.  If you enable it for both sides, both will wait
              for a first packet and the tunnel will never transport any data.

              Security warning!  Due to the nature of the delayed connection,
              the tunnel can in theory be hijacked by an attacker behind the
              same NAT who sends the first UDP packet to the server UDP port
              before the real client does.  If you do not understand the
              risks, or want to remain as secure as possible behind this kind
              of NAT router, use proto tcp as the NAT traversal solution.

              Because of the security issue mentioned above, this option might
              be disabled at compile time (configure --disable-nathack).

       timeout seconds
              Connect timeout.

       compress method[:level]
              specifies the compression method to use.  Compression methods
              include:

              no     no compression

              yes    default compression method

              zlib   ZLIB compression

              lzo    LZO compression (if compiled in)

              You can also specify the level of compression using one digit
              (1 is best speed, 9 is best compression ratio).  This option is
              ignored by the client.

       encrypt method[:level]
              specifies the encryption method to use.  Encryption methods
              include:

              no     no encryption

              yes    default encryption method (blowfish128ecb)

              blowfish128ecb
                     Blowfish cipher, 128 bit key, mode ECB

              blowfish128cbc
                     Blowfish cipher, 128 bit key, mode CBC

              blowfish128cfb
                     Blowfish cipher, 128 bit key, mode CFB

              blowfish128ofb
                     Blowfish cipher, 128 bit key, mode OFB

              blowfish256ecb
                     Blowfish cipher, 256 bit key, mode ECB

              blowfish256cbc
                     Blowfish cipher, 256 bit key, mode CBC

              blowfish256cfb
                     Blowfish cipher, 256 bit key, mode CFB

              blowfish256ofb
                     Blowfish cipher, 256 bit key, mode OFB

              aes128ecb
                     AES cipher, 128 bit key, mode ECB

              oldblowfish128ecb
                     Blowfish cipher, 128 bit key, mode ECB (for use with 2.6
                     clients only)

              aes128cbc
                     AES cipher, 128 bit key, mode CBC

              aes128cfb
                     AES cipher, 128 bit key, mode CFB

              aes128ofb
                     AES cipher, 128 bit key, mode OFB

              aes256ecb
                     AES cipher, 256 bit key, mode ECB

              aes256cbc
                     AES cipher, 256 bit key, mode CBC

              aes256cfb
                     AES cipher, 256 bit key, mode CFB

              aes256ofb
                     AES cipher, 256 bit key, mode OFB

              This option is ignored by the client.

       keepalive yes|no|interval:count
              enable or disable connection keep-alive.  The time interval is
              the period between connection checks, in seconds, and count is
              the maximum number of retries (yes = 30:4).  This option is
              ignored by the server.

       stat yes|no
              enable or disable statistics.  If enabled vtund(8) will log
              statistic counters to /var/log/vtund/session_X every 5 minutes.

       speed kbps
              specifies the speed of the connection in kilobits/second.  Valid
              values for kbps are 8,16,32,64,128,256,etc.  0 (the default)
              means maximum possible speed without shaping.  You can specify
              the speed in the form in:out, where in is the speed to the
              client and out the speed from the client.  A single number means
              the same speed for in and out.  This option is ignored by the
              client.

       srcaddr list
              local (source) address.  Used to force vtund to bind to a
              specific address and port.  Format:
                srcaddr {
                 option value;
                 option value;
                 ..
                };

              srcaddr options:

              iface if_name
                     use the address of interface if_name as the source
                     address.

              addr addr
                     source address.  Can be either an IP address or a host
                     name.

              port portnumber
                     source port.

       multi value
              control multiple connections.  value can be yes or allow to
              allow multiple connections, no or deny to deny them, or killold
              to allow the new connection and kill the old one.  Ignored by
              the client.

       up list
              list of programs to run after the connection has been
              established.  Used to initialize protocols, devices, routing and
              firewall.  This option looks like a whole section inside the
              session section.  For now, it is impossible to run up commands
              on no-MMU systems, so the section is ignored there.  Format:
               up {
                 option value;
                 option value;
                 ..
               };

              Options inside up (and down) blocks:

              program path arguments [wait]
                     run the specified program.  path is the full path to the
                     program, arguments is all arguments to pass to it
                     (enclosed in double quotes).  If wait is specified, vtund
                     will wait for the program to terminate.  Special
                     characters that can be used inside the arguments
                     parameter:

                     ' (single quotes) - group arguments
                     \ (back slash) - escape character
                     %d - TUN or TAP device or TTY port name
                     %% (double percent) - same as %d
                     %A - Local IP address
                     %P - Local TCP or UDP port
                     %a - Remote IP address
                     %p - Remote TCP or UDP port
                     %h - Host profile name

              ppp arguments
                     run the program specified by the ppp statement in the
                     options section.  All special characters described above
                     are valid in arguments here.

              ifconfig arguments
                     run the program specified by the ifconfig statement in
                     the options section.

              route arguments
                     run the program specified by the route statement in the
                     options section.

              ip arguments
                     run the program specified by the ip statement in the
                     options section.

              firewall arguments
                     run the program specified by the firewall statement in
                     the options section.

       down list
              list of programs to run after the connection has been
              terminated.  It is similar to the up parameter above.  Also not
              available on no-MMU systems.  Format:
               down {
                 option value;
                 option value;
                 ..
               };

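       As an added example (not code from this manual or the VTun project), the
       following Python parses the section/keyword/semicolon syntax described
       under DESCRIPTION, including nested up/down blocks and 4-character
       keyword abbreviations, and then audits each session, with the default
       section applied as described above, for the settings this page itself
       flags: encryption off, an ECB-mode cipher (the default 'yes' being
       blowfish128ecb) and nat_hack over proto udp.  The sample configuration
       and the KEYWORDS table are constructed for the example.

```python
import re
# Constructed sample vtund.conf (illustration, not from the manual): a weak session
# and a hardened one, both inheriting the default section.
SAMPLE_CONF = """
options { port 5000; type stand; }
default { proto udp; keepalive yes; }
# legacy: ECB cipher and NAT hack enabled, with proto udp inherited from default
legacy { passwd secret1; type tun; encrypt blowfish128ecb; nat_hack server;
         up { ifconfig "%% 10.0.0.1 pointopoint 10.0.0.2 mtu 1450"; }; }
hardened { passwd secret2; type tun; encr aes256cbc; proto tcp; }
"""
KEYWORDS = ["encrypt", "compress", "nat_hack", "proto", "passwd", "type",
            "device", "keepalive", "timeout", "speed", "multi", "persist"]

def canon(key):  # expand a keyword abbreviated to >= 4 characters (e.g. 'encr')
    hits = [k for k in KEYWORDS if len(key) >= 4 and k.startswith(key)]
    return hits[0] if len(hits) == 1 else key

def parse(text):  # vtund.conf syntax -> {section: {keyword: value | nested dict}}
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)      # lines beginning with '#' are comments
    toks = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)  # quoted args, braces/semicolons, words
    pos = 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(toks) and toks[pos] != "}":
            key = canon(toks[pos]); pos += 1
            if toks[pos] == "{":                           # nested block, e.g. up { ... };
                pos += 1; out[key] = block(); pos += 1     # recurse, then consume the '}'
                if pos < len(toks) and toks[pos] == ";": pos += 1
            else:                                          # keyword value ... ;
                end = toks.index(";", pos)
                out[key] = " ".join(toks[pos:end]); pos = end + 1
        return out
    return block()

def audit(conf):  # (session, finding) pairs for settings the manual itself flags as risky
    findings, defaults = [], conf.get("default", {})
    for name, sess in [(n, s) for n, s in conf.items() if n not in ("options", "default")]:
        eff = {**defaults, **sess}                         # default section, overridden per session
        enc = eff.get("encrypt", "yes").split(":")[0]      # drop an optional :level suffix
        enc = "blowfish128ecb" if enc == "yes" else enc    # manual: 'yes' means blowfish128ecb
        if enc == "no":
            findings.append((name, "encryption disabled"))
        elif enc.endswith("ecb"):
            findings.append((name, f"ECB mode cipher {enc}: prefer a cbc/cfb/ofb variant"))
        if eff.get("nat_hack", "no") != "no" and eff.get("proto", "tcp") == "udp":
            findings.append((name, "nat_hack over udp: first-packet hijack risk, use proto tcp"))
    return findings
```

       Running audit(parse(SAMPLE_CONF)) reports two findings for the legacy
       session and none for the hardened one.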

NOTES

       Options ignored by the client are supplied by the server at run time
       or are used only on the server side.


SEE ALSO

       vtund(8), inetd(8), ifconfig(8), route(8), pppd(8), syslog(3), zlib(3).


AUTHOR

       VTun was written by Maxim Krasnyansky <max_mk@yahoo.com>.  This manual
       page was derived from comments in the config file by Michael Tokarev
       <mjt@tls.msk.ru>.