VTUND.CONF(5)                 File Formats Manual                VTUND.CONF(5)

NAME
       vtund.conf - VTun (Virtual Tunnel) daemon configuration file

DESCRIPTION
       Configuration file for the vtund(8) virtual tunnel daemon.

       The file consists of sections in the form:

            name {
                 keyword value;
                 keyword value;
                 ..
            }

       The semicolon at the end of each keyword-value pair is required, as
       are the grouping curly braces {}.  Lines which begin with the '#'
       character are comments.

       The name of a section (name) can be one of:

       options
              this section specifies general options for vtund

       default
              specifies default options for all sessions

       session
              (any other word except "options" and "default") introduces a
              new session and specifies options for it.

       All keyword names can be abbreviated to a minimum of 4 characters.

OPTIONS
       This section, named options, specifies general options to be used by
       vtund(8).  Possible keywords are:

       type stand|inetd
              server type.  vtund(8) can operate in standalone mode (stand),
              which is the default (but not available on no-MMU systems), or
              be invoked from inetd(8).

       port portnumber
              server port number to listen on or connect to.  By default,
              vtund(8) uses port 5000.

       bindaddr list
              server listen address.  Used to force vtund to bind to a
              specific address and port in server mode.  Format:
                   bindaddr {
                        option value;
                   };

              bindaddr options:

              iface if_name
                     use the address of interface if_name as the bind
                     address.

              addr addr
                     bind address.  Can be either an IP address or a host
                     name.

       timeout seconds
              General timeout.

       persist yes|keep|no
              persist mode.  If yes, the client will try to reconnect to the
              server after connection termination.  If keep, the client will
              not remove and re-add the tunXX or tapXX device when
              reconnecting.  If no, the client will exit (default).  This
              option is ignored by the server.

       syslog number|name
              syslog facility specification, either numeric or by name (from
              syslog(3)).

       ppp path
              path to the pppd(8) program.  Can be used in session sections.

       ifconfig path
              path to the ifconfig(8) program.  Can be used in session
              sections.

       route path
              path to the route(8) program.  Can be used in session sections.

       ip path
              path to the iproute(8) program.  Can be used in session
              sections.

       firewall path
              program for the firewall setup.

       The ppp, ifconfig, route, ip and firewall parameters can each specify
       the filename of the corresponding program or an equivalent (or a shell
       script).  These parameters are used in session sections to set up
       network interfaces.

SESSION OPTIONS
       Session options can be specified inside a session section or inside
       the default section.  Default parameters apply to any session section
       but can be overwritten there.  Parameters are:

       passwd secret
              password for authentication.  This should be the same on the
              client and the server.

       type type
              type of tunnel.  Possible tunnel types are:

              tun    IP tunnel (no PPP, Ethernet etc. headers)

              ether  Ethernet tunnel

              tty    serial tunnel (PPP, SLIP etc.)

              pipe   pipe tunnel

              The default tunnel type is tty.  This option is ignored by the
              client.

       device dev
              network device to use.  You can choose tapXX for an ether
              tunnel or tunXX for a tun tunnel.  By default vtund(8) will
              automatically select an available device.

       proto tcp|udp
              protocol to use.  By default, vtund(8) will use the TCP
              protocol.  UDP is recommended for ether and tun tunnels only.
              This option is ignored by the client.

       nat_hack client|server|no
              side to use the NAT hack on.  By default, vtund(8) uses the
              'no' setting.  The side that the NAT hack is enabled on will
              perform a delayed UDP socket connect.  It should only be
              enabled for the side outside of the NAT (typically the
              server)!  Setting 'client' on the server or 'server' on the
              client is ignored, so that a single configuration file can be
              reused on both sides.

              This is only relevant if you use proto udp.  The NAT hack
              delays the UDP socket connect until the first UDP packet is
              received from the other side of the tunnel.  The socket is
              then connected to the actual source port of the packet (on the
              NAT box) and not to the one indicated in the handshake (which
              is behind the NAT and probably unreachable).  The first echo
              request is also disabled on the side with the NAT hack
              enabled.

              Currently the mechanism works only for one side, for a single
              NAT traversal.  If you enable it for both sides, both will
              wait for a first packet and the tunnel will never transport
              any data.

              Security warning!  Due to the nature of the delayed
              connection, the tunnel can in theory be hijacked by an
              attacker behind the same NAT who sends the first UDP packet to
              the server UDP port before the real client does.  If you do
              not understand the risks, or want to remain as secure as
              possible behind this kind of NAT router, use proto tcp as the
              NAT traversal solution.

              Because of the security issue mentioned above, this option
              might be disabled during compilation (configure
              --disable-nathack).

       timeout seconds
              Connect timeout.

       compress method[:level]
              specifies the compression method to use.  Compression methods
              include:

              no     no compression

              yes    default compression method

              zlib   ZLIB compression

              lzo    LZO compression (if compiled in)

              You can also specify the level of compression using one digit
              (1 is best speed, 9 is best compression ratio).  This option
              is ignored by the client.

       encrypt method[:level]
              specifies the encryption method to use.  Encryption methods
              include:

              no     no encryption

              yes    default encryption method (blowfish128ecb)

              blowfish128ecb
                     Blowfish cipher, 128 bit key, mode ECB

              blowfish128cbc
                     Blowfish cipher, 128 bit key, mode CBC

              blowfish128cfb
                     Blowfish cipher, 128 bit key, mode CFB

              blowfish128ofb
                     Blowfish cipher, 128 bit key, mode OFB

              blowfish256ecb
                     Blowfish cipher, 256 bit key, mode ECB

              blowfish256cbc
                     Blowfish cipher, 256 bit key, mode CBC

              blowfish256cfb
                     Blowfish cipher, 256 bit key, mode CFB

              blowfish256ofb
                     Blowfish cipher, 256 bit key, mode OFB

              oldblowfish128ecb
                     Blowfish cipher, 128 bit key, mode ECB (for use with
                     2.6 clients only)

              aes128ecb
                     AES cipher, 128 bit key, mode ECB

              aes128cbc
                     AES cipher, 128 bit key, mode CBC

              aes128cfb
                     AES cipher, 128 bit key, mode CFB

              aes128ofb
                     AES cipher, 128 bit key, mode OFB

              aes256ecb
                     AES cipher, 256 bit key, mode ECB

              aes256cbc
                     AES cipher, 256 bit key, mode CBC

              aes256cfb
                     AES cipher, 256 bit key, mode CFB

              aes256ofb
                     AES cipher, 256 bit key, mode OFB

              This option is ignored by the client.
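
       The following is an added worked example, not part of this manual page
       or of the vtund sources: a small Python parser for the section and
       keyword grammar described in DESCRIPTION, combined with a check of the
       per-session settings described above (passwd, encrypt, nat_hack, proto
       and type).  The configuration it parses is constructed for the example;
       the section names, secrets, addresses and finding codes are invented,
       and abbreviated keywords are expanded by prefix matching against the
       session keywords listed in this page.  The ECB finding reflects the
       general property of ECB mode that identical plaintext blocks encrypt to
       identical ciphertext blocks; the NAT hack and UDP findings restate the
       cautions this page itself gives.

```python
"""Parser and settings check for a vtund.conf-style file (added example, not vtund's own code):
'name { ... }' sections, 'keyword value;' statements, nested '{ ... };' blocks, '#' comments."""
import re
# Whitespace, '#' comments, double-quoted strings, punctuation and bare words.
TOKEN = re.compile(r'\s+|#[^\n]*|"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"#]+')
SESSION_KEYWORDS = ("passwd", "type", "device", "proto", "nat_hack", "timeout", "compress",
                    "encrypt", "keepalive", "stat", "speed", "srcaddr", "multi", "up", "down")

SAMPLE_CONF = """# Constructed sample configuration; names, secrets and addresses are placeholders.
options { type stand; port 5000; bindaddr { iface eth0; }; ifconfig /sbin/ifconfig; }
default {
    encrypt yes;            # 'yes' selects blowfish128ecb according to the page
}
branch_a {
    passwd PLACEHOLDER-SECRET-A;  type tun;  proto udp;
    nat_hack server;        # the page's security warning applies to this setting
    encr aes256cbc;         # abbreviated keyword; overrides the default section
    up { ifconfig "%% 10.0.0.1 pointopoint 10.0.0.2 mtu 1450"; };
}
branch_b {
    passwd PLACEHOLDER-SECRET-B;  type tty;  proto udp;  # UDP with a tty tunnel
}
"""

class ParseError(ValueError): pass

def tokenize(text):
    """Yield ('punct', c) for { } ; and ('word', s) otherwise; comments are dropped."""
    for tok in TOKEN.findall(text):
        if tok.isspace() or tok.startswith("#"):
            continue
        if tok in ("{", "}", ";"):
            yield ("punct", tok)
        else:  # a quoted argument becomes one word with the quotes removed
            yield ("word", tok[1:-1] if tok.startswith('"') else tok)

def parse_body(toks, i):
    """Parse statements up to the matching '}'; return (statements, index after it)."""
    stmts = []
    while i < len(toks) and toks[i] != ("punct", "}"):
        kind, keyword = toks[i]
        if kind != "word":
            raise ParseError(f"unexpected {keyword!r}")
        values, i = [], i + 1
        while i < len(toks) and toks[i][0] == "word":
            values.append(toks[i][1])
            i += 1
        if toks[i:i + 1] == [("punct", "{")]:          # nested block such as up { ... };
            values, i = parse_body(toks, i + 1)
            if toks[i:i + 1] == [("punct", ";")]:      # the page writes '};' after a block
                i += 1
        elif toks[i:i + 1] == [("punct", ";")]:        # the required terminating semicolon
            i += 1
        else:
            raise ParseError(f"missing ';' after {keyword!r}")
        stmts.append((keyword, values))
    if i >= len(toks):
        raise ParseError("missing '}'")
    return stmts, i + 1

def parse_config(text):
    """Return [(section_name, statements), ...] in file order."""
    toks, sections, i = list(tokenize(text)), [], 0
    while i < len(toks):
        kind, name = toks[i]
        if kind != "word" or toks[i + 1:i + 2] != [("punct", "{")]:
            raise ParseError(f"expected 'name {{' near {name!r}")
        body, i = parse_body(toks, i + 2)
        sections.append((name, body))
    return sections

def canon(keyword):
    """Expand a keyword abbreviated to at least 4 characters, as the page allows."""
    hits = [k for k in SESSION_KEYWORDS if k.startswith(keyword)]
    return hits[0] if len(keyword) >= 4 and len(hits) == 1 else keyword

def audit_session(opts):
    """Return finding codes for one session's effective options (default + session)."""
    findings = []
    if not opts.get("passwd"):
        findings.append("NO_PASSWD")
    method = opts.get("encrypt", [""])[0].split(":")[0]
    method = "blowfish128ecb" if method == "yes" else method  # page: yes means blowfish128ecb
    if method == "no":
        findings.append("NO_ENCRYPTION")
    elif method.endswith("ecb"):  # ECB: equal plaintext blocks give equal ciphertext blocks
        findings.append("ECB_MODE")
    if opts.get("nat_hack", ["no"])[0] != "no":  # see the security warning under nat_hack
        findings.append("NAT_HACK")
    if opts.get("proto", ["tcp"])[0] == "udp" and opts.get("type", ["tty"])[0] not in ("tun", "ether"):
        findings.append("UDP_NON_IP_TUNNEL")
    return findings

def audit_config(text):
    """Map each session to its findings; default-section values apply unless overridden."""
    default = dict(sections := parse_config(text)).get("default", [])
    return {name: audit_session({canon(k): v for k, v in list(default) + list(body)})
            for name, body in sections if name not in ("options", "default")}
```

       audit_config(SAMPLE_CONF) returns {'branch_a': ['NAT_HACK'],
       'branch_b': ['ECB_MODE', 'UDP_NON_IP_TUNNEL']}: branch_a overrides the
       default ECB cipher with aes256cbc but enables the NAT hack, while
       branch_b inherits blowfish128ecb from the default section and runs a
       tty tunnel over UDP.  Default-section values are applied first and a
       session's own statements win, as the page describes.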

       keepalive yes|no|interval:count
              enable or disable connection keep-alive.  interval is the
              period between connection checks, in seconds, and count is the
              maximum number of retries (yes = 30:4).  This option is
              ignored by the server.

       stat yes|no
              enable or disable statistics.  If enabled, vtund(8) will log
              statistic counters to /var/log/vtund/session_X every 5
              minutes.

       speed kbps
              specifies the speed of the connection in kilobits/second.
              Valid values for kbps are 8, 16, 32, 64, 128, 256, etc.  0
              (the default) means maximum possible speed without shaping.
              You can specify the speed in the form in:out, where in is the
              speed to the client and out the speed from the client.  A
              single number means the same speed for in and out.  This
              option is ignored by the client.

       srcaddr list
              local (source) address.  Used to force vtund to bind to a
              specific address and port.  Format:
                   srcaddr {
                        option value;
                        option value;
                        ..
                   };

              srcaddr options:

              iface if_name
                     use the address of interface if_name as the source
                     address.

              addr addr
                     source address.  Can be either an IP address or a host
                     name.

              port portnumber
                     source port.

       multi value
              control multiple connections.  value can be yes or allow to
              allow multiple connections, no or deny to deny them, or
              killold to allow the new connection and kill the old one.
              Ignored by the client.

       up list
              list of programs to run after the connection has been
              established.  Used to initialize protocols, devices, routing
              and firewall.  This option looks like a whole section inside
              the session section.  For now, it is impossible to run up
              commands on no-MMU systems, so the section is ignored there.
              Format:
                   up {
                        option value;
                        option value;
                        ..
                   };

              Options inside up (and down) blocks:

              program path arguments [wait]
                     run the specified program.  path is the full path to
                     the program, arguments is all arguments to pass to it
                     (enclosed in double quotes).  If wait is specified,
                     vtund will wait for the program to terminate.  Special
                     characters that can be used inside the arguments
                     parameter:

                     ' (single quotes) - group arguments
                     \ (back slash) - escape character
                     %d - TUN or TAP device or TTY port name
                     %% (double percent) - same as %d
                     %A - Local IP address
                     %P - Local TCP or UDP port
                     %a - Remote IP address
                     %p - Remote TCP or UDP port
                     %h - Host profile name

              ppp arguments
                     run the program specified by the ppp statement in the
                     options section.  All special characters described
                     above are valid in arguments here.

              ifconfig arguments
                     run the program specified by the ifconfig statement in
                     the options section.

              route arguments
                     run the program specified by the route statement in the
                     options section.

              ip arguments
                     run the program specified by the ip statement in the
                     options section.

              firewall arguments
                     run the program specified by the firewall statement in
                     the options section.

       down list
              list of programs to run after the connection has been
              terminated.  It is similar to the up parameter above.  Also
              not available on no-MMU systems.  Format:
                   down {
                        option value;
                        option value;
                        ..
                   };

NOTES
       Options ignored by the client are supplied by the server at run time
       or are used only on the server side.

SEE ALSO
       vtund(8), inetd(8), ifconfig(8), route(8), pppd(8), syslog(3),
       zlib(3).

AUTHORS
       Vtund was written by Maxim Krasnyansky <max_mk@yahoo.com>.  This
       manual page was derived from comments in the config file by Michael
       Tokarev <mjt@tls.msk.ru>.

                                                                 VTUND.CONF(5)