VTUND.CONF(5)                 File Formats Manual                VTUND.CONF(5)

NAME
       vtund.conf - VTun (Virtual Tunnel) daemon configuration file

DESCRIPTION
       Configuration file for the vtund(8) virtual tunnel daemon.

       The file consists of sections of the form:

              name {
                keyword value;
                keyword value;
                ..
              }

       A semicolon at the end of each keyword-value pair is required, as are
       the grouping curly braces {}.  Lines which begin with a '#' character
       are comments.

       The section name (name) can be one of:

       options
              this section specifies general options for vtund

       default
              specifies default options for all sessions

       session
              (any other word except "options" and "default") introduces a
              new session and specifies options for it.

       All keyword names can be abbreviated to a minimum of 4 characters.

GENERAL OPTIONS
       This section, named options, specifies general options used by
       vtund(8).  Possible keywords are:

       type stand|inetd
              server type.  vtund(8) can operate in standalone mode (stand),
              which is the default (but not available on no-MMU systems), or
              be invoked from inetd(8).

       port portnumber
              server port number to listen on or connect to.  By default,
              vtund(8) uses port 5000.

       bindaddr list
              server listen address.  Used to force vtund to bind to a
              specific address and port in server mode.  Format:
                bindaddr {
                 option value;
                };

              bindaddr options:

              iface if_name
                     use the interface address of if_name as the bind
                     address.

              addr addr
                     bind address.  Can be either an IP address or a host
                     name.

       timeout seconds
              General timeout.

       persist yes|keep|no
              persist mode.  If yes, the client will try to reconnect to the
              server after connection termination.  If keep, the client will
              not remove and re-add the tunXX or tapXX device when
              reconnecting.  If no, the client will exit (default).  This
              option is ignored by the server.

       syslog number|name
              syslog facility specification, either numeric or by name (see
              syslog(3)).

       ppp path
              path to the pppd(8) program.  Can be used in session sections.

       ifconfig path
              path to the ifconfig(8) program.  Can be used in session
              sections.

       route path
              path to the route(8) program.  Can be used in session sections.

       ip path
              path to the iproute(8) program.  Can be used in session
              sections.

       firewall path
              program for the firewall setup.

       The ppp, ifconfig, route and firewall parameters each name the
       corresponding program or an equivalent (or a shell script).  These
       parameters are used in session sections to set up network interfaces.

SESSION OPTIONS
       Session options can be specified inside a session section or inside
       the default section.  Default parameters apply to any session section
       but can be overridden there.  Parameters are:

       passwd secret
              password for authentication.  This should be the same on the
              client and the server.

       type type
              type of tunnel.  Possible tunnel types are:

              tun    IP tunnel (no PPP, Ether etc. headers)

              ether  Ethernet tunnel

              tty    serial tunnel (PPP, SLIP etc.)

              pipe   pipe tunnel

              The default tunnel type is tty.  This option is ignored by the
              client.

       device dev
              network device to use.  You can choose tapXX for an ether
              tunnel or tunXX for a tun tunnel.  By default vtund(8) will
              automatically select an available device.

       proto tcp|udp
              protocol to use.  By default, vtund(8) will use the TCP
              protocol.  UDP is recommended for ether and tun tunnels only.
              This option is ignored by the client.

       nat_hack client|server|no
              side to use nat_hack on.  By default, vtund(8) uses the 'no'
              setting.  The side that the NAT hack is enabled on will perform
              a delayed UDP socket connect.  It should only be enabled for
              the side outside of the NAT (typically the server)!  Setting
              'client' on the server or 'server' on the client is ignored, so
              that a single configuration file is reusable on both sides.

              This is only relevant if you use proto udp.  The NAT hack
              delays the UDP socket connect until the first UDP packet is
              received from the other side of the tunnel.  The socket is then
              connected to the actual source port of the packet (on the NAT
              box) and not to the one indicated in the handshake (which is
              behind the NAT and probably unreachable).  The first echo
              request is also disabled on the side with the NAT hack enabled.

              Currently the mechanism works only for one side, for a single
              NAT traversal.  If you enable it for both sides, both will wait
              for a first packet and the tunnel will never transport any
              data.

              Security warning!  Due to the nature of the delayed connection,
              the tunnel can in theory be hijacked by an attacker behind the
              same NAT who sends the first UDP packet to the server UDP port
              before the real client does.  If you do not understand the
              risks, or want to remain as secure as possible behind this kind
              of NAT router, use proto tcp as the NAT traversal solution.

              Because of the security issue mentioned above, this option
              might be disabled during compilation (configure
              --disable-nathack).

       timeout seconds
              Connect timeout.

       compress method[:level]
              specifies the compression method to use.  Compression methods
              include:

              no     no compression

              yes    default compression method

              zlib   ZLIB compression

              lzo    LZO compression (if compiled in)

              You can also specify the level of compression using one digit
              (1 is best speed, 9 is best compression ratio).  This option is
              ignored by the client.

       encrypt method[:level]
              specifies the encryption method to use.  Encryption methods
              include:

              no     no encryption

              yes    default encryption method (blowfish128ecb)

              blowfish128ecb
                     Blowfish cipher, 128 bit key, mode ECB

              blowfish128cbc
                     Blowfish cipher, 128 bit key, mode CBC

              blowfish128cfb
                     Blowfish cipher, 128 bit key, mode CFB

              blowfish128ofb
                     Blowfish cipher, 128 bit key, mode OFB

              blowfish256ecb
                     Blowfish cipher, 256 bit key, mode ECB

              blowfish256cbc
                     Blowfish cipher, 256 bit key, mode CBC

              blowfish256cfb
                     Blowfish cipher, 256 bit key, mode CFB

              blowfish256ofb
                     Blowfish cipher, 256 bit key, mode OFB

              oldblowfish128ecb
                     Blowfish cipher, 128 bit key, mode ECB (for use with 2.6
                     clients only)

              aes128ecb
                     AES cipher, 128 bit key, mode ECB

              aes128cbc
                     AES cipher, 128 bit key, mode CBC

              aes128cfb
                     AES cipher, 128 bit key, mode CFB

              aes128ofb
                     AES cipher, 128 bit key, mode OFB

              aes256ecb
                     AES cipher, 256 bit key, mode ECB

              aes256cbc
                     AES cipher, 256 bit key, mode CBC

              aes256cfb
                     AES cipher, 256 bit key, mode CFB

              aes256ofb
                     AES cipher, 256 bit key, mode OFB

              This option is ignored by the client.

       keepalive yes|no|interval:count
              enable or disable connection keep-alive.  The time interval is
              the period between connection checks, in seconds, and count is
              the maximum number of retries (yes = 30:4).  This option is
              ignored by the server.

       stat yes|no
              enable or disable statistics.  If enabled, vtund(8) will log
              statistics counters to /var/log/vtund/session_X every 5
              minutes.

       speed kbps
              specifies the speed of the connection in kilobits/second.
              Valid values for kbps are 8,16,32,64,128,256, etc.  0 (the
              default) means maximum possible speed without shaping.  You can
              specify the speed in the form in:out, where in is the speed to
              the client and out the speed from the client.  A single number
              means the same speed for in and out.  This option is ignored by
              the client.

       srcaddr list
              local (source) address.  Used to force vtund to bind to a
              specific address and port.  Format:
                srcaddr {
                 option value;
                 option value;
                 ..
                };

              srcaddr options:

              iface if_name
                     use the interface address of if_name as the source
                     address.

              addr addr
                     source address.  Can be either an IP address or a host
                     name.

              port portnumber
                     source port.

       multi value
              control multiple connections.  value can be yes or allow to
              allow multiple connections, no or deny to deny them, or killold
              to allow the new connection and kill the old one.  Ignored by
              the client.

       up list
              list of programs to run after the connection has been
              established.  Used to initialize protocols, devices, routing
              and firewall.  This option looks like a whole section inside
              the session section.  For now, it is impossible to run up
              commands on no-MMU systems, so the section is ignored there.
              Format:
               up {
                 option value;
                 option value;
                 ..
               };

              Options inside up (and down) blocks:

              program path arguments [wait]
                     run the specified program.  path is the full path to the
                     program, arguments is all arguments to pass to it
                     (enclosed in double quotes).  If wait is specified,
                     vtund will wait for program termination.  Special
                     characters that can be used inside the arguments
                     parameter:

                     ' (single quotes) - group arguments
                     \ (back slash) - escape character
                     %d - TUN or TAP device or TTY port name
                     %% (double percent) - same as %d
                     %A - Local IP address
                     %P - Local TCP or UDP port
                     %a - Remote IP address
                     %p - Remote TCP or UDP port
                     %h - Host profile name

              ppp arguments
                     run the program specified by the ppp statement in the
                     options section.  All special characters described above
                     are valid in arguments here.

              ifconfig arguments
                     run the program specified by the ifconfig statement in
                     the options section.

              route arguments
                     run the program specified by the route statement in the
                     options section.

              ip arguments
                     run the program specified by the ip statement in the
                     options section.

              firewall arguments
                     run the program specified by the firewall statement in
                     the options section.

       down list
              list of programs to run after the connection has been
              terminated.  It is similar to the up parameter above.  Also not
              available on no-MMU systems.  Format:
               down {
                 option value;
                 option value;
                 ..
               };
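       The following is an added example, not part of this manual page or of
       VTun itself: a small Python parser for the section syntax described
       above (sections, keyword-value pairs ending in ';', nested up/down
       blocks, '#' comment lines and the 4-character keyword abbreviation),
       plus an audit that flags, per session, the settings this page itself
       marks as weak or risky (no encryption or an ECB mode, which is what
       encrypt yes selects, and nat_hack enabled).  The sample config, the
       keyword list and the assumption that an absent encrypt means no
       encryption are constructed here.

```python
import re
SAMPLE = """\
# constructed sample with placeholder values (server side), not a real deployment
default {
  encr yes;
}
office {
  nat_hack server;
  up {
    ifconfig "%d 10.3.0.1 pointopoint 10.3.0.2 mtu 1450";
  };
}
"""
KEYWORDS = ("options default type port bindaddr timeout persist syslog ppp ifconfig route ip "
            "firewall passwd device proto nat_hack compress encrypt keepalive stat speed "
            "srcaddr multi up down program iface addr").split()
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')   # quoted argument, delimiter, or bare word
def canon(word):  # expand a keyword abbreviated to at least 4 characters (the page's minimum)
    hits = [k for k in KEYWORDS if k.startswith(word)] if len(word) >= 4 else []
    return hits[0] if len(hits) == 1 else word
def parse_block(tokens, i=0):  # 'keyword value;' pairs and nested 'name { ... }' blocks up to '}'
    items = []
    while i < len(tokens) and tokens[i] != "}":
        key, i = canon(tokens[i]), i + 1
        if tokens[i] == "{":
            sub, i = parse_block(tokens, i + 1)
            i += 2 if tokens[i + 1:i + 2] == [";"] else 1   # skip '}' and an optional ';'
            items.append((key, sub))
        else:
            end = tokens.index(";", i)                       # every pair must end with ';'
            items.append((key, " ".join(t.strip('"') for t in tokens[i:end])))
            i = end + 1
    return items, i
def parse(text):  # lines beginning with '#' are comments; returns [(section, items), ...]
    return parse_block(TOKEN.findall(re.sub(r"(?m)^\s*#.*$", "", text)))[0]

def audit(text):  # flag, per session, the settings this page itself marks as weak or risky
    cfg, findings = parse(text), []
    defaults = dict(next((v for k, v in cfg if k == "default"), []))
    for name, body in [s for s in cfg if s[0] not in ("options", "default")]:
        eff = {**defaults, **dict(body)}                 # default section, overridden by session
        enc = eff.get("encrypt", "no")                   # absent assumed to mean no encryption
        enc = "blowfish128ecb" if enc == "yes" else enc  # page: 'yes' selects blowfish128ecb
        if enc == "no":
            findings.append(f"{name}: no encryption configured")
        elif enc.endswith("ecb"):
            findings.append(f"{name}: encrypt={enc} uses ECB mode")
        if eff.get("nat_hack", "no") != "no":
            findings.append(f"{name}: nat_hack={eff['nat_hack']} (delayed UDP connect, see warning)")
    return findings
```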

NOTES
       Options ignored by the client are supplied by the server at run time
       or are used only on the server side.

SEE ALSO
       vtund(8), inetd(8), ifconfig(8), route(8), pppd(8), syslog(3), zlib(3).

AUTHOR
       Vtund was written by Maxim Krasnyansky <max_mk@yahoo.com>.  This manual
       page was derived from comments in the config file by Michael Tokarev
       <mjt@tls.msk.ru>.
