6
anytun - anycast tunneling daemon
15
[ -u|--username <username> ]
16
[ -g|--groupname <groupname> ]
17
[ -C|--chroot <path> ]
18
[ -P|--write-pid <filename> ]
19
[ -L|--log <target>:<level>[,<param1>[,<param2>[..]]] ]
20
[ -i|--interface <ip-address> ]
22
[ -r|--remote-host <hostname|ip> ]
23
[ -o|--remote-port <port> ]
26
[ -I|--sync-interface <ip-address> ]
27
[ -S|--sync-port port> ]
28
[ -M|--sync-hosts <hostname|ip>[:<port>][,<hostname|ip>[:<port>][...]] ]
29
[ -X|--control-host <hostname|ip>[:<port>]
31
[ -t|--type <tun|tap> ]
32
[ -n|--ifconfig <local>/<prefix> ]
33
[ -x|--post-up-script <script> ]
34
[ -R|--route <net>/<prefix length> ]
36
[ -s|--sender-id <sender id> ]
37
[ -w|--window-size <window size> ]
38
[ -k|--kd-prf <kd-prf type> ]
40
[ -E|--passphrase <pass phrase> ]
41
[ -K|--key <master key> ]
42
[ -A|--salt <master salt> ]
43
[ -c|--cipher <cipher type> ]
44
[ -a|--auth-algo <algo type> ]
45
[ -b|--auth-tag-length <length> ]
51
*Anytun* is an implementation of the Secure Anycast Tunneling Protocol
52
(SATP). It provides a complete VPN solution similar to OpenVPN or
53
IPsec in tunnel mode. The main difference is that anycast allows a
54
setup of tunnels between an arbitrary combination of anycast, unicast
60
*Anytun* has been designed as a peer to peer application, so there is
61
no difference between client and server. The following options can be
65
This option instructs *Anytun* to run in foreground
66
instead of becoming a daemon which is the default.
68
*-u, --username <username>*::
69
run as this user. If no group is specified (*-g*) the default group of
70
the user is used. The default is to not drop privileges.
72
*-g, --groupname <groupname>*::
73
run as this group. If no username is specified (*-u*) this gets ignored.
74
The default is to not drop privileges.
76
*-C, --chroot <path>*::
77
Instruct *Anytun* to run in a chroot jail. The default is
80
*-P, --write-pid <filename>*::
81
Instruct *Anytun* to write it's pid to this file. The default is
82
to not create a pid file.
84
*-L, --log <target>:<level>[,<param1>[,<param2>[..]]]*::
85
add log target to logging system. This can be invoked several times
86
in order to log to different targets at the same time. Every target
87
hast its own log level which is a number between 0 and 5. Where 0 means
88
disabling log and 5 means debug messages are enabled. +
89
The file target can be used more the once with different levels.
90
If no target is provided at the command line a single target with the
91
config *syslog:3,anytun,daemon* is added. +
92
The following targets are supported:
94
*syslog*;; log to syslog daemon, parameters <level>[,<logname>[,<facility>]]
95
*file*;; log to file, parameters <level>[,<path>]
96
*stdout*;; log to standard output, parameters <level>
97
*stderr*;; log to standard error, parameters <level>
99
*-i, --interface <ip address>*::
100
This IP address is used as the sender address for outgoing
101
packets. In case of anycast tunnel endpoints, the anycast
102
IP has to be used. In case of unicast endpoints, the
103
address is usually derived correctly from the routing
104
table. The default is to not use a special inteface and just
105
bind on all interfaces.
107
*-p, --port <port>*::
108
The local UDP port that is used to send and receive the
109
payload data. The two tunnel endpoints can use different
110
ports. If a tunnel endpoint consists of multiple anycast
111
hosts, all hosts have to use the same port. default: 4444
113
*-r, --remote-host <hostname|ip>*::
114
This option can be used to specify the remote tunnel
115
endpoint. In case of anycast tunnel endpoints, the
116
anycast IP address has to be used. If you do not specify
117
an address, it is automatically determined after receiving
118
the first data packet.
120
*-o, --remote-port <port>*::
121
The UDP port used for payload data by the remote host
122
(specified with -p on the remote host). If you do not specify
123
a port, it is automatically determined after receiving
124
the first data packet.
127
Resolv to IPv4 addresses only. The default is to resolv both
128
IPv4 and IPv6 addresses.
131
Resolv to IPv6 addresses only. The default is to resolv both
132
IPv4 and IPv6 addresses.
134
*-I, --sync-interface <ip-address>*::
135
local unicast(sync) ip address to bind to +
136
This option is only needed for tunnel endpoints consisting
137
of multiple anycast hosts. The unicast IP address of
138
the anycast host can be used here. This is needed for
139
communication with the other anycast hosts. The default is to
140
not use a special inteface and just bind on all interfaces. However
141
this is only the case if synchronisation is active see *--sync-port*.
143
*-S, --sync-port <port>*::
144
local unicast(sync) port to bind to +
145
This option is only needed for tunnel endpoints
146
consisting of multiple anycast hosts. This port is used
147
by anycast hosts to synchronize information about tunnel
148
endpoints. No payload data is transmitted via this port.
149
By default the synchronisation is disabled an therefore the
150
port is kept empty. +
151
It is possible to obtain a list of active connections
152
by telnetting into this port. This port is read-only
153
and unprotected by default. It is advised to protect
154
this port using firewall rules and, eventually, IPsec.
156
*-M, --sync-hosts <hostname|ip>[:<port>],[<hostname|ip>[:<port>][...]]*::
157
remote hosts to sync with +
158
This option is only needed for tunnel endpoints consisting
159
of multiple anycast hosts. Here, one has to specify all
160
unicast IP addresses of all other anycast hosts that
161
comprise the anycast tunnel endpoint. By default synchronisation is
162
disabled and therefore this is empty. Mind that the port can be
163
omitted in which case port 2323 is used. If you want to specify an
164
ipv6 address and a port you have to use [ and ] to seperate the address
165
from the port, eg.: [::1]:1234. If you want to use the default port
166
[ and ] can be omitted.
168
*-X, --control-host <hostname|ip>[:<port>]*::
169
fetch the config from this host. The default is not to use a control
170
host and therefore this is empty. Mind that the port can be omitted
171
in which case port 2323 is used. If you want to specify an
172
ipv6 address and a port you have to use [ and ] to seperate the address
173
from the port, eg.: [::1]:1234. If you want to use the default port
174
[ and ] can be omitted.
178
By default, tapN is used for Ethernet tunnel interfaces,
179
and tunN for IP tunnels, respectively. This option can
180
be used to manually override these defaults.
182
*-t, --type <tun|tap>*::
184
Type of the tunnels to create. Use tap for Ethernet
185
tunnels, tun for IP tunnels.
187
*-n, --ifconfig <local>/<prefix>*::
188
The local IP address and prefix length. The remote tunnel endpoint
189
has to use a different IP address in the same subnet.
191
*<local>*;; the local IP address for the tun/tap device
192
*<prefix>*;; the prefix length of the network
194
*-x, --post-up-script <script>*::
195
This option instructs *Anytun* to run this script after the interface
196
is created. By default no script will be executed.
198
*-R, --route <net>/<prefix length>*::
199
add a route to connection. This can be invoked several times.
201
*-m, --mux <mux-id>*::
202
the multiplex id to use. default: 0
204
*-s, --sender-id <sender id>*::
205
Each anycast tunnel endpoint needs a uniqe sender id
206
(1, 2, 3, ...). It is needed to distinguish the senders
207
in case of replay attacks. This option can be ignored on
208
unicast endpoints. default: 0
210
*-w, --window-size <window size>*::
211
seqence window size +
212
Sometimes, packets arrive out of order on the receiver
213
side. This option defines the size of a list of received
214
packets' sequence numbers. If, according to this list,
215
a received packet has been previously received or has
216
been transmitted in the past, and is therefore not in
217
the list anymore, this is interpreted as a replay attack
218
and the packet is dropped. A value of 0 deactivates this
219
list and, as a consequence, the replay protection employed
220
by filtering packets according to their secuence number.
221
By default the sequence window is disabled and therefore a
222
window size of 0 is used.
224
*-k, --kd--prf <kd-prf type>*::
225
key derivation pseudo random function +
226
The pseudo random function which is used for calculating the
227
session keys and session salt. +
230
*null*;; no random function, keys and salt are set to 0..00
231
*aes-ctr*;; AES in counter mode with 128 Bits, default value
232
*aes-ctr-128*;; AES in counter mode with 128 Bits
233
*aes-ctr-192*;; AES in counter mode with 192 Bits
234
*aes-ctr-256*;; AES in counter mode with 256 Bits
236
*-e, --role <role>*::
237
SATP uses different session keys for inbound and outbound traffic. The
238
role parameter is used to determine which keys to use for outbound or
239
inbound packets. On both sides of a vpn connection different roles have
240
to be used. Possible values are *left* and *right*. You may also use
241
*alice* or *server* as a replacement for *left* and *bob* or *client* as
242
a replacement for *right*. By default *left* is used.
244
*-E, --passphrase <pass phrase>*::
245
This passphrase is used to generate the master key and master salt.
246
For the master key the last n bits of the SHA256 digest of the
247
passphrase (where n is the length of the master key in bits) is used.
248
The master salt gets generated with the SHA1 digest.
249
You may force a specific key and or salt by using *--key* and *--salt*.
251
*-K, --key <master key>*::
252
master key to use for key derivation +
253
Master key in hexadecimal notation, e.g.
254
01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length
255
of 32, 48 or 64 characters (128, 192 or 256 bits).
257
*-A, --salt <master salt>*::
258
master salt to use for key derivation +
259
Master salt in hexadecimal notation, e.g.
260
01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length
261
of 28 characters (14 bytes).
263
*-c, --cipher <cipher type>*::
264
payload encryption algorithm +
265
Encryption algorithm used for encrypting the payload +
268
*null*;; no encryption
269
*aes-ctr*;; AES in counter mode with 128 Bits, default value
270
*aes-ctr-128*;; AES in counter mode with 128 Bits
271
*aes-ctr-192*;; AES in counter mode with 192 Bits
272
*aes-ctr-256*;; AES in counter mode with 256 Bits
274
*-a, --auth-algo <algo type>*::
275
message authentication algorithm +
276
This option sets the message authentication algorithm. +
277
If HMAC-SHA1 is used, the packet length is increased. The additional bytes
278
contain the authentication data. see *--auth-tag-length* for more info. +
281
*null*;; no message authentication
282
*sha1*;; HMAC-SHA1, default value
284
*-b, --auth-tag-length <length>*::
285
The number of bytes to use for the auth tag. This value defaults to 10 bytes
286
unless the *null* auth algo is used in which case it defaults to 0.
292
P2P Setup between two unicast enpoints:
293
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
298
anytun -r hostb.example.com -t tun -n 192.168.123.1/30 -c aes-ctr-256 -k aes-ctr-256 \
299
-E have_a_very_safe_and_productive_day -e left
303
anytun -r hosta.example.com -t tun -n 192.168.123.2/30 -c aes-ctr-256 -k aes-ctr-256 \
304
-E have_a_very_safe_and_productive_day -e right
307
One unicast and one anycast tunnel endpoint:
308
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
310
Unicast tunnel endpoint:
311
^^^^^^^^^^^^^^^^^^^^^^^^
313
anytun -r anycast.anytun.org -d anytun0 -t tun -n 192.0.2.2/30 -a null -c null -w 0 -e client
315
Anycast tunnel endpoints:
316
^^^^^^^^^^^^^^^^^^^^^^^^^
318
On the host with unicast hostname unicast1.anycast.anytun.org and anycast
319
hostname anycast.anytun.org:
320
-------------------------------------------------------------------------------------------------
321
# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
322
-S 2342 -M unicast2.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342
323
-------------------------------------------------------------------------------------------------
325
On the host with unicast hostname unicast2.anycast.anytun.org and anycast
326
hostname anycast.anytun.org:
327
-------------------------------------------------------------------------------------------------
328
# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
329
-S 2342 -M unicast1.anycast.anytun.org:2342,unicast3.anycast.anytun.org:2342
330
-------------------------------------------------------------------------------------------------
332
On the host with unicast hostname unicast3.anycast.anytun.org and anycast
333
hostname anycast.anytun.org:
334
-------------------------------------------------------------------------------------------------
335
# anytun -i anycast.anytun.org -d anytun0 -t tun -n 192.0.2.1/30 -a null -c null -w 0 -e server \
336
-S 2342 -M unicast1.anycast.anytun.org:2342,unicast2.anycast.anytun.org:2342
337
-------------------------------------------------------------------------------------------------
339
For more sophisticated examples (like multiple unicast endpoints to one
340
anycast tunnel endpoint) please consult the man page of anytun-config(8).
345
Most likely there are some bugs in *Anytun*. If you find a bug, please let
346
the developers know at satp@anytun.org. Of course, patches are preferred.
350
anytun-config(8), anytun-controld(8), anytun-showtables(8)
355
Othmar Gsenger <otti@anytun.org>
356
Erwin Nindl <nine@anytun.org>
357
Christian Pointner <equinox@anytun.org>
363
Main web site: http://www.anytun.org/
369
Copyright \(C) 2007-2009 Othmar Gsenger, Erwin Nindl and Christian
370
Pointner. This program is free software: you can redistribute it
371
and/or modify it under the terms of the GNU General Public License
372
as published by the Free Software Foundation, either version 3 of
373
the License, or any later version.