edge(8)                    SUPERUSER COMMANDS                    edge(8)

NAME
       edge - n2n edge node daemon

SYNOPSIS
       edge [-d <tun device>] -a <tun IP address> -c <community>
            {-k <encrypt key>|-K <keyfile>} [-s <netmask>]
            -l <supernode host:port> [-p <local port>] [-u <UID>] [-g <GID>]
            [-f] [-m <MAC address>] [-r] [-v]

DESCRIPTION
       N2N is a peer-to-peer VPN system. Edge is the edge node daemon for n2n
       which creates a TAP interface to expose the n2n virtual LAN. On startup
       n2n creates the TAP interface and configures it, then registers with
       the supernode so it can begin to find other nodes in the community.
OPTIONS
       -d <name>
              sets the TAP device name as seen in ifconfig. Only available on
              Linux.

       -a {<addr>|static:<addr>|dhcp:0.0.0.0}
              sets the n2n virtual LAN IP address being claimed. This is a
              private IP address. All IP addresses in an n2n community
              typically belong to the same /24 network (i.e. only the last
              octet of the IP addresses varies). If DHCP is used to assign
              interface addresses then specify the address as -a dhcp:0.0.0.0

       -b     cause edge to perform hostname resolution for the supernode
              address each time the supernode is periodically contacted. This
              can cause reliability problems because all packet processing
              stops while the supernode address is resolved, which might take
              15 seconds.

       -c <community>
              sets the n2n community name. All edges within the same community
              appear on the same LAN (layer 2 network segment). The community
              name is 16 bytes in length. A name shorter than this is padded
              with 0x00 bytes and a name longer than this is truncated to its
              first 16 bytes.

       -h     write usage then exit.

       -k <keystring>
              sets the twofish encryption key from ASCII text (see also
              N2N_KEY in ENVIRONMENT). All edges communicating must use the
              same key and community name. If neither -k nor -K is used to
              specify a key source then edge uses cleartext mode (no
              encryption). The -k and -K options are mutually exclusive.

       -K <keyfile>
              Reads a key-schedule file <keyfile> and populates the internal
              transform operations with the data found there. This mechanism
              allows keys to roll at pre-determined times for a group of
              hosts. Accurate time synchronisation is not required as older
              keys can be decoded for some time after expiry. If neither -k
              nor -K is used to specify a key source then edge uses cleartext
              mode (no encryption). The -k and -K options are mutually
              exclusive.

       -l <addr>:<port>
              sets the n2n supernode IP address and port to register to. Up to
              2 supernodes can be specified by two invocations of -l
              <addr>:<port>, e.g. edge -l 12.34.56.78:7654 -l 98.76.54.32:7654

       -p <num>
              binds edge to the given UDP port. Useful for keeping the same
              external socket across restarts of edge. This allows peer edges
              which know the edge socket to continue p2p operation without
              going back to the supernode.

       -t <num>
              binds the edge management system to the given UDP port. Default
              5644. Use this if you need to run multiple instances of edge, or
              if something else is bound to that port.

       -u <uid>
              causes the edge process to drop to the given user ID when
              privileges are no longer required (UNIX).

       -g <gid>
              causes the edge process to drop to the given group ID when
              privileges are no longer required (UNIX).

       -f     disables daemon mode (UNIX) and causes edge to run in the
              foreground.

       -m <MAC>
              start the TAP interface with the given MAC address. This is
              highly recommended as it means the same address will be used if
              edge stops and restarts. If this is not done, the ARP caches of
              all peers will be wrong and packets will not flow to this edge
              until the next ARP refresh.

       -M <MTU>
              set the MTU of the edge interface in bytes. MTU is the largest
              packet fragment size allowed to be moved through the interface.
              The default is 1400.

       -s <netmask>
              set the netmask of the edge interface in IPv4 dotted decimal
              notation. The default is 255.255.255.0 (i.e. /24).

       -r     enable IP packet forwarding/routing through the n2n virtual LAN.
              Without this option, IP packets arriving over n2n are dropped if
              not for the -a <addr> (or DHCP assigned) IP address of the edge
              interface.

       -E     accept packets destined for multicast ethernet MAC addresses.
              These addresses are used in multicast ethernet and IPv6
              neighbour discovery. If this option is not present these
              multicast packets are discarded, as most users do not need or
              understand them.

       -v     more verbose logging (may be specified several times for more
              verbosity).
ENVIRONMENT
       N2N_KEY
              set the encryption key so it is not visible on the command line
123
EXAMPLES
       edge -d n2n0 -c mynetwork -k encryptme -u 99 -g 99 -m DE:AD:BE:EF:01:23
            -a 192.168.254.7 -p 50001 -l 123.121.120.119:7654

       Start edge with TAP device n2n0 on community "mynetwork" with
       community supernode at 123.121.120.119 UDP port 7654 and bind
       the locally used UDP port to 50001. Use "encryptme" as the
       single permanent shared encryption key. Assign MAC address
       DE:AD:BE:EF:01:23 to the n2n interface and drop to user=99 and
       group=99 after the TAP device is successfully configured.

       Add the -f option to stop edge running as a daemon.

       Somewhere else set up another edge with similar parameters, e.g.

       edge -d n2n0 -c mynetwork -k encryptme -u 99 -g 99 -m DE:AD:BE:EF:01:21
            -a 192.168.254.5 -p 50001 -l 123.121.120.119:7654

       Now you can ping from 192.168.254.5 to 192.168.254.7.

       The MAC address (-m <MAC>) and virtual IP address (-a <addr>) must be
       different on all edges in the same community.
146
147
KEY SCHEDULES
       (See n2n_v2(7) for more details).

       The -K <keyfile> option reads a key schedule file.

       edge -d n2n0 -c mynetwork -K /path/to/file -u 99 -g 99 -m
            DE:AD:BE:EF:01:21 -a 192.168.254.5 -p 50001 -l 123.121.120.119:7654

       The key schedule file consists of lines, one per key in the schedule.
       The purpose of key schedules is to encourage regular changing of the
       encryption keys used by a community. The file structure also allows
       full binary keys to be specified, as compared to the ASCII keys allowed
       by single key injection. Each key line consists of the following:

       <from> <until> <transform> <data>

       <from> and <until> are ASCII decimal values of the UNIX times during
       which the key is valid. <transform> is the index of the transform that
       <data> applies to. <data> is some text which is parsed by the transform
       module to derive the key for that line.

       Supported <transform> values are:

       2 = TwoFish
              <data> has the form <SA>_<hex_key>. e.g.

              1252327945 1252328305 2 602_3d7c7769b34b2a4812f8c0e9d87ce9

              This specifies security association number 602 and a 16-octet
              key of numeric value 0x3d7c7769b34b2a4812f8c0e9d87ce9. <SA> is a
              32-bit unsigned integer which is used to identify the encryption
              key to the receiver. The SA number is sent unencrypted so the
              receiver may find the correct key from the key schedule.
              <hex_key> is up to 16 octets although shorter keys are allowed.

       3 = AES-CBC
              <data> has the form <SA>_<hex_key>. Same rules as TwoFish.
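The following is an added example, not code from n2n itself, that parses key schedule lines of the format above and applies the key selection rules this page describes: the sender uses the key valid now (falling back to the last key that was valid once all have expired), while the receiver looks a key up by the cleartext SA number without checking expiry, which is what lets older keys still be decoded after they expire. The second schedule line and the time values are constructed sample data.

```python
from dataclasses import dataclass

TRANSFORMS = {2: "TwoFish", 3: "AES-CBC"}  # transform indexes from the man page

@dataclass(frozen=True)
class KeyLine:
    valid_from: int   # UNIX time from which the key is valid
    valid_until: int  # UNIX time at which the key expires
    transform: int    # 2 = TwoFish, 3 = AES-CBC
    sa: int           # 32-bit security association number, sent unencrypted
    key: bytes        # up to 16 octets of key material

def parse_key_line(line: str) -> KeyLine:
    """Parse one '<from> <until> <transform> <SA>_<hex_key>' line."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    valid_from, valid_until, transform = (int(f) for f in fields[:3])
    if transform not in TRANSFORMS:
        raise ValueError(f"unsupported transform index {transform}")
    sa_text, _, hex_key = fields[3].partition("_")
    sa = int(sa_text)
    if not 0 <= sa < 2 ** 32:
        raise ValueError(f"SA {sa} is not a 32-bit unsigned integer")
    key = bytes.fromhex(hex_key)
    if not 1 <= len(key) <= 16:
        raise ValueError(f"key must be 1..16 octets, got {len(key)}")
    return KeyLine(valid_from, valid_until, transform, sa, key)

def parse_schedule(text: str) -> list:
    return [parse_key_line(l) for l in text.splitlines() if l.strip()]

def sender_key(schedule, now: int):
    """Key to encode with at time `now`: a currently valid key, else the
    last key that was valid, else None (no usable key yet)."""
    current = [k for k in schedule if k.valid_from <= now < k.valid_until]
    if current:
        return max(current, key=lambda k: k.valid_from)
    expired = [k for k in schedule if k.valid_until <= now]
    return max(expired, key=lambda k: k.valid_until) if expired else None

def receiver_key(schedule, sa: int):
    """Receiver side: select the key by the SA carried in the clear; expiry
    is deliberately not checked so recently expired keys still decode."""
    return next((k for k in schedule if k.sa == sa), None)

# Constructed sample schedule: first line is the man page's example, the
# second is a made-up AES-CBC key that takes over when the first expires.
SAMPLE_SCHEDULE = """\
1252327945 1252328305 2 602_3d7c7769b34b2a4812f8c0e9d87ce9
1252328305 1252328665 3 603_00112233445566778899aabbccddeeff
"""
```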
186
187
CLEARTEXT MODE
       If neither -k nor -K is specified then edge uses cleartext mode. In
       cleartext mode there is no transform of the packet data; it is simply
       passed through unencrypted. This is useful for debugging n2n as packet
       contents can be seen clearly.

       To prevent accidental exposure of data, edge only enters cleartext mode
       when no keying parameters are specified. In the case where keying
       parameters are specified but no valid keys can be determined, edge
       exits with an error at startup. If all keys become invalid while
       running, edge continues to encode using the last key that was valid.
199
200
MANAGEMENT
       Edge provides a very simple management system on UDP port 5644. Send a
       newline to receive a status output. Send 'reload' to cause a re-read of
       the keyfile. Send 'stop' to cause edge to exit cleanly.
205
206
EXIT STATUS
       edge is a daemon and any exit is an error.
209
AUTHORS
       Richard Andrews
              andrews (at) ntop.org - n2n-1 maintainer and main author of
              n2n-2

       Luca Deri
              deri (at) ntop.org - original author of n2n

       Don Bindner
              (--) - significant contributions to n2n-1
220
SEE ALSO
       ifconfig(8) supernode(1) tunctl(8) n2n_v2(7)



n2n-2.1                        17 Mar 2010                          edge(8)