From c34b202fa90294a607e1ea926264edf30fd89ea6 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Thu, 4 Sep 2014 21:09:12 +0200 Subject: Add user manual as Sphinx doc --- doc/source/manual/cmdline.rst | 97 +++++++++++++ doc/source/manual/config.rst | 309 ++++++++++++++++++++++++++++++++++++++++++ doc/source/manual/methods.rst | 100 ++++++++++++++ doc/source/manual/mtu.rst | 30 ++++ 4 files changed, 536 insertions(+) create mode 100644 doc/source/manual/cmdline.rst create mode 100644 doc/source/manual/config.rst create mode 100644 doc/source/manual/methods.rst create mode 100644 doc/source/manual/mtu.rst (limited to 'doc/source/manual') diff --git a/doc/source/manual/cmdline.rst b/doc/source/manual/cmdline.rst new file mode 100644 index 0000000..66211ca --- /dev/null +++ b/doc/source/manual/cmdline.rst @@ -0,0 +1,97 @@ +Command line options +==================== + +Command line options and config files are parsed in order they are specified, so config files specified before other options are overwritten by the other options, config files specified later will overwrite options specified before. + +--help, -h + Shows this help text + +--version, -v + Shows the fastd version + +--daemon, -d + Runs fastd in the background + +--pid-file + Writes fastd's PID to the specified file. + +--log-level + Sets the stderr log level; default is info, + if no alternative log destination ist configured. + If logging to syslog or files is enabled, the default is not to log to stderr. + +--syslog-level + Sets the log level for syslog output; default is not to use syslog. + +--syslog-ident + Sets the syslog identification; default is 'fastd'. + +--config, -c + Loads a config file. - can be specified to read a config file from stdin. + +--config-peer + Loads a config file for a single peer. The filename will be used as the peer name. + +--config-peer-dir + Loads all files from a directory as peer configs. On SIGHUP fastd will reload peer directories. + +--mode, -m + Sets the mode of the interface; default is TAP mode. + +--interface, -i + Sets the name of the TUN/TAP interface to use. If not specified, default names specified by the system will be used. + +--mtu, -M + Sets the MTU; must be at least 576. You should read MTU configuration, the default 1500 is suboptimal in most setups. + +--bind, -b + Sets the bind address. Address can be an IPv4 address or an IPv6 address, or the keyword any. IPv6 addresses must be put in square brackets. + + Default is to bind to a random port, for IPv4 and IPv6. You can specify one IPv4 and one IPv6 bind address, or both at once as any. It is currently + not possible to specify an IPv6 link-local address on the command line. + +--protocol, -p + Sets the handshake protocol. Currently the only protocol available is ec25519-fhmqvc, which provides a secure authentication of peers based on public/secret keys. + +--method + Sets the encryption/authentication method. See the page :doc:`methods` for more information about the supported methods. More than one method can be specified; the earlier you specify + a method the higher is the preference for a method, so methods speficied later will only be used if a peer doesn't support the first methods. + +--forward + Enables forwarding of packets between clients; read the paragraph about this option before use! + +--on-pre-up + Sets a shell command to execute before interface creation. See the detailed documentation below for an overview of the available environment variables. + +--on-up + Sets a shell command to execute after interface creation. See the detailed documentation below for an overview of the available environment variables. + +--on-down + Sets a shell command to execute before interface destruction. See the detailed documentation below for an overview of the available environment variables. + +--on-post-down + Sets a shell command to execute after interface destruction. See the detailed documentation below for an overview of the available environment variables. + +--on-connect + Sets a shell command to execute when a handshake is sent to establish a new connection. + +--on-establish + Sets a shell command to execute when a new connection is established. See the detailed documentation below for an overview of the available environment variables. + +--on-disestablish + Sets a shell command to execute when a connection is lost. See the detailed documentation below for an overview of the available environment variables. + +--on-verify + Sets a shell command to execute to check a connection attempt by an unknown peer. See the detailed documentation below for more information and an overview of the available environment variables. + +--verify-config + Checks the configuration and exits. + +--generate-key + Generates a new keypair. + +--show-key + Shows the public key corresponding to the configured secret. + +--machine-readable + Suppresses output of explaining text in the --show-key and --generate-key commands. diff --git a/doc/source/manual/config.rst b/doc/source/manual/config.rst new file mode 100644 index 0000000..ba924e8 --- /dev/null +++ b/doc/source/manual/config.rst @@ -0,0 +1,309 @@ +Configuration file format +========================= + +Main configuration +------------------ + +Example config: + +:: + + # Log warnings and errors to stderr + log level warn; + + # Log everything to syslog + log to syslog level debug; + + # Set the interface name + interface "mesh-vpn"; + + # Support xsalsa20 and aes128 encryption methods, prefer xsalsa20 + method "xsalsa20-poly1305"; + method "aes128-gcm"; + + # Bind to a fixed port, IPv4 only + bind 0.0.0.0:10000; + + # Secret key generated by `fastd --generate-key` + secret "78dfb05fe0aa586fb017de566b0d21398ac64032fcf1c765855f4d538cc5a357"; + + # Set the interface MTU for TAP mode with xsalsa20/aes128 over IPv4 with a base MTU of 1492 (PPPoE) + # (see MTU selection documentation) + mtu 1426; + + # Include peers from the directory 'peers' + include peers from "peers"; + + +| ``bind : [ interface "" ] [ default [ ipv4 ] ];`` +| ``bind : [ interface "" ] [ default [ ipv6 ] ];`` +| ``bind any: [ interface "" ] [ default [ ipv4|ipv6 ] ];`` +| ``bind port [ interface "" ] [ default [ ipv4 ] ];`` +| ``bind port [ interface "" ] [ default [ ipv6 ] ];`` +| ``bind any port [ interface "" ] [ default [ ipv4|ipv6 ] ];`` + + Sets the bind address, port and possibly interface. May be specified multiple times. The keyword + any makes fastd bind to the unspecified address for both IPv4 and IPv6. When + no bind address is configured at all, for each outgoing connection a new socket with a random + port is created. + + IPv6 address must be put in square brackets. It is possible to specify an IPv6 link-local address + with an interface in the usual notation (e.g. [fe80::1%eth0]). + + The default option makes it the default address for outgoing connections + for IPv4, IPv6 or both. + + +| ``cipher "" use "";`` + + Chooses a specific impelemenation for a cipher. Normally, the default setting is already the best choice. + Note that specific implementations may be unavailable on some platforms or disabled during compilation. + The available ciphers and implementations are: + + * ``aes128-ctr``: AES128 in counter mode + + - ``openssl``: Use implementation from OpenSSL's libcrypto + - ``nacl``: Use implementation from NaCl or libsodium + + * ``null``: No encryption (for authenticated-only methods using composed_gmac) + + - ``memcpy``: Simple memcpy-based implementation + + * ``salsa20``: The Salsa20 stream cipher + + - ``xmm``: Optimized implementation for x86/amd64 CPUs with SSE2 support + - ``nacl``: Use implementation from NaCl or libsodium + + * ``salsa2012``: The Salsa20/12 stream cipher + + - ``xmm``: Optimized implementation for x86/amd64 CPUs with SSE2 support + - ``nacl``: Use implementation from NaCl or libsodium + + +| ``drop capabilities yes|no|early;`` + + By default, fastd switches to the configured user and/or drops its + POSIX capabilities after the on up command has been run. + When drop capabilities is set to early, the on up command + is run after the privileges have been dropped, when set to no, the POSIX capabilities + aren't dropped at all (but the user is switched after the on up command + has been run nevertheless). + +| ``forward yes|no;`` + + Enables or disabled forwarding packets between peers. Care must be taken not to create forwarding loops. + +| ``group "";`` + + Sets the group to run fastd as. + +| ``hide ip addresses yes|no;`` + + Hides IP addresses in log output. + +| ``hide mac addresses yes|no;`` + + Hides MAC addresses in log output. + +| ``include "";`` + + Includes another configuration file. Relative paths are interpreted relatively to the + including file. + +| ``include peer "" [ as "" ];`` + + Includes a peer configuration (and optionally gives the peer a name). + +| ``include peers from "";`` + + Includes each file in a directory as a peer configuration. These peers are reloaded when + fastd receives a SIGHUP signal. + +| ``interface "";`` + + Sets the name of the TUN/TAP interface to use; it will be set by the OS when no name is configured explicitly. + +| ``log level fatal|error|warn|info|verbose|debug|debug2;`` + + Sets the default log level, meaning syslog if there is currently a level set for syslog, and stderr + otherwise. + +| ``log to stderr level fatal|error|warn|info|verbose|debug|debug2;`` + + Sets the stderr log level. By default no log messages are printed on stderr, unless no other + log destination is configured, which causes fastd to log to stderr with level info. + +| ``log to syslog [ as "" ] [ level fatal|error|warn|info|verbose|debug|debug2 ];`` + + Sets the syslog log level. By default syslog isn't used. + +| ``mac "" use "";`` + + Chooses a specific impelemenation for a message authentication code. Normally, the default setting is already the best + choice. Note that specific implementations may be unavailable on some platforms or disabled during compilation. + The available MACs and implementations are: + + * ``ghash``: The MAC used by the GCM and GMAC methods + + - ``pclmulqdq``: An optimized implementation for modern x86/amd64 CPUs supporting the PCLMULQDQ instruction + - ``builtin``: A generic implementation + + * ``uhash``: The MAC used by the UMAC methods + + - ``builtin``: A generic implementation + +| ``method "";`` + + Sets the encryption/authentication method. See the page :doc:`methods` for more information about the supported methods. + When multiple method statements are given, the first one has the highest preference. + +| ``mode tap|tun;`` + + Sets the mode of the interface; the default is TAP mode. + +| ``mtu ;`` + + Sets the MTU; must be at least 576. You should read the page :doc:`mtu` as the default 1500 is suboptimal in most setups. + +| ``on pre-up [ sync | async ] "";`` +| ``on up [ sync | async ] "";`` +| ``on down [ sync | async ] "";`` +| ``on post-down [ sync | async ] "";`` +| ``on connect [ sync | async ] "";`` +| ``on establish [ sync | async ] "";`` +| ``on disestablish [ sync | async ] "";`` + + Configures a shell command that is run after the interface is created, before the interface is destroyed, + when a handshake is sent to make a new connection, + when a new peer connection has been established, or after a peer connection has been lost. fastd will + block until the command has finished, to long-running processes should be started in the background. + + pre-up, up, down and post-down commands are executed synchronously by default, meaning fastd will block + until the commands have finished, while the other commands are executed asynchronously by default. This + can be changed using the keywords sync and async. + + The following environment variables are set by fastd for all commands: + + * ``FASTD_PID``: fastd's PID + * ``INTERFACE``: the interface name + * ``INTERFACE_MTU``: the configured MTU + * ``LOCAL_KEY``: the local public key + + For on connect, on establish and on disestablish the following variables are set in addition: + + * ``LOCAL_ADDRESS``: the local IP address + * ``LOCAL_PORT``: the local UDP port + * ``PEER_ADDRESS``: the peer's IP address + * ``PEER_PORT``: the peer's UDP port + * ``PEER_NAME``: the peer's name in the local configuration + * ``PEER_KEY``: the peer's public key + +| ``on verify [ sync | async ] "";`` + + Configures a shell command that is run on connection attempts by unknown peers. The same environment + variables as in the on establish command are supplied. When the commands returns 0, the + connection is accepted, otherwise the handshake is ignored. By default, fastd ignores connections + from unknown peers. + + Verify commands are executed asynchronously by default. This + can be changed using the keywords sync and async. + +| ``packet mark ;`` + + Defines a packet mark to set on fastd's packets, which can be used in an ip rule. + + Marks can be specified in decimal, hexadecimal (with a leading 0x), and octal (with a leading 0). + +| ``peer "" {`` *peer configuration* ``}`` + + An inline peer configuration. + +| ``peer group "" {`` *configuration* ``}`` + + Configures a peer group. + +| ``peer limit ;`` + + Sets the maximum number of connections for the current peer group. + +.. _option-pmtu: + +| ``pmtu yes|no|auto;`` + + Enables or disables Path MTU detection for IPv4. If enabled, all packets are sent with DF set, and all + fragmentation happens on the sending host itself. If disabled, routers may fragment the packets themselves, + possibly leading to multiple fragmentation. In general, disabling this should not be necessary, but in some + networks ICMP MTU Too Big packets are lost, so PMTU detection doesn't work correctly. + + If possible, fastd's mtu setting should be adjusted so the packets aren't fragmented at all instead of + relying on this option. + + The default is auto, which uses the system default as specified in /proc/sys/net/ipv4/ip_no_pmtu_disc. + + The pmtu option is available on Linux platforms only. + +| ``protocol "";`` + + Sets the handshake protocol; at the moment only ec25519-fhmqvc is supported. + +| ``secret "";`` + + Sets the secret key. + +| ``secure handshakes yes|no;`` + + fastd v11+ implements a revised handshake scheme which prevents downgrade attacks (i.e. an attacker forcing + two peers to use the least secure encryption method supported by both sides, or even half-establishing a + session with an encryption method supported by one side only). To maintain backwards compatiblity, the old + handshake is still supported when secure handshakes is set to no. + + Setting this option to yes (the default) on one side is enough to ensure that a session established by two peers has not + been downgraded. + +| ``user "";`` + +Sets the user to run fastd as. + +Peer configuration +------------------ + +Example config: + +:: + + key "f05c6f62337d291e34f50897d89b02ae43a6a2476e2969d1c8e8104fd11c1873"; + remote 192.0.2.1:10000; + remote [2001:db8::1]:10000; + remote ipv4 "fastd.example.com" port 10000; + +| ``include "";`` + + Includes another configuration file. + +| ``key "";`` + + Sets the peer's public key. + +| ``remote :;`` +| ``remote :;`` +| ``remote [ ipv4|ipv6 ] "":;`` +| ``remote port ;`` +| ``remote port ;`` +| ``remote [ ipv4|ipv6 ] "" port ;`` + + Sets the IP address or host name to connect to. If a peer doesn't have a remote address configured, + incoming connections are accepted, but no own connection attempts will be made. + + The ipv4 or ipv6 options can be used to force fastd to resolve the host name for the + specified protocol version only. + + Starting with fastd v9, multiple remotes may be given for a single peer. If this is the case, they + will be tried one after another. Starting with fastd v11, all addresses a given hostname resolves + to are taken into account, not only the first one. This can be use to specify alternative hostname, + addresses and/or ports for the same host; all remotes must still refer to the same peer as the public + key must be unique. + +| ``float yes|no;`` + + The float option can be used to accept connections from the peer with the specified key from + other addresses that the configured ones. diff --git a/doc/source/manual/methods.rst b/doc/source/manual/methods.rst new file mode 100644 index 0000000..e4ea962 --- /dev/null +++ b/doc/source/manual/methods.rst @@ -0,0 +1,100 @@ +Encryption & authentication methods +=================================== +fastd supports various combinations of ciphers and authentication schemes using +different method providers. All ciphers, message authentication codes (MACs) and +method providers can be disabled during compilation to reduce the binary size. + +See `Benchmarks `_ for an +overview of the performance of the different methods. + +Recommended methods +~~~~~~~~~~~~~~~~~~~ +The method ``salsa2012+umac`` is recommended for authenticated encyption. ``null+salsa2012+umac`` is the +recommended method for authenticated-only operation. + +Salsa20/12 is a stream cipher with very high speed and a very comfortable security margin. +It has been chosed for the software profile in the `eSTREAM `_ project in 2008. + +`UMAC `_ is an extremely fast message authentication code which is provably +secure and optimized for software implementations. + +OpenWrt +------- +Too keep the binary as small as possible, only the following methods are enabled on OpenWrt +by default: + +* ``salsa2012+gmac`` +* ``salsa2012+umac`` +* ``null+salsa2012+gmac`` +* ``null+salsa2012+umac`` +* ``null`` + +Of these, the GMAC-based methods may be dropped in the future to further reduce the binary size, as UMAC is +the superior authentication scheme (it is faster than GMAC, provably secure and its software implementation +isn't suspect to timing side channels). + +List of methods +~~~~~~~~~~~~~~~ + +Encrypted methods +----------------- +======================= ================ ========== ========= ====== +Method Method provider Cipher MAC Notes +======================= ================ ========== ========= ====== +``aes128-gcm`` generic-gmac aes128-ctr ghash [2]_ +``salsa20+gmac`` generic-gmac salsa20 ghash +``salsa2012+gmac`` generic-gmac salsa2012 ghash +``aes128-ctr+umac`` generic-umac aes128-ctr uhash [2]_ +``salsa20+umac`` generic-umac salsa20 uhash +``salsa2012+umac`` generic-umac salsa2012 uhash +``aes128-ctr+poly1305`` generic-poly1305 aes128-ctr none [1]_ [2]_, [3]_ +``salsa20+poly1305`` generic-poly1305 salsa20 none [1]_ [3]_ +``salsa2012+poly1305`` generic-poly1305 salsa2012 none [1]_ [3]_ +======================= ================ ========== ========= ====== + +This list is not exhaustive. It is possible to combine different ciphers for +data and authentication tag encryption using the *composed-gmac* and *composed-umac* +method providers; these methods aren't listed here as this is not very useful. + +Authenticated-only methods +-------------------------- +======================== ================ ========== ===== ====== +Method Method provider Cipher MAC Notes +======================== ================ ========== ===== ====== +``null+aes128-gmac`` composed-gmac aes128-ctr ghash [2]_, [4]_ +``null+salsa20+gmac`` composed-gmac salsa20 ghash [4]_ +``null+salsa2012+gmac`` composed-gmac salsa2012 ghash [4]_ +``null+aes128-ctr+umac`` composed-umac aes128-ctr uhash [2]_, [4]_ +``null+salsa20+umac`` composed-umac salsa20 uhash [4]_ +``null+salsa2012+umac`` composed-umac salsa2012 uhash [4]_ +======================== ================ ========== ===== ====== + +Methods without security +------------------------ +======== =============== ====== ==== ===== +Method Method provider Cipher MAC Notes +======== =============== ====== ==== ===== +``null`` null none none [5]_ +======== =============== ====== ==== ===== + + +Deprecated methods +------------------ + +======================== ================= ========== ===== ====== +Method Method provider Cipher MAC Notes +======================== ================= ========== ===== ====== +``xsalsa20-poly1305`` xsalsa20-poly1305 none none [6]_ +======================== ================= ========== ===== ====== + + Since fastd v11 ``salsa20+poly1305`` should be used instead (or even better a more performant + method like salsa2012+gmac); ``xsalsa20-poly1305`` will be removed eventually. + + +.. [1] The MAC is integrated in the method provider. +.. [2] AES is very slow without OpenSSL support. OpenSSL's AES implementation may be suspect to cache timing side channels when no hardware support like AES-NI is available. +.. [3] Poly1305 is very slow on embedded systems. +.. [4] The cipher is used to encrypt the authentication tag only, the actual data is transmitted unencrypted. +.. [5] Only authentication of peers' IP addresses, but no encryption or authentication of any data is provided. +.. [6] Both the cipher and the MAC are integrated in the method provider. + diff --git a/doc/source/manual/mtu.rst b/doc/source/manual/mtu.rst new file mode 100644 index 0000000..68731e0 --- /dev/null +++ b/doc/source/manual/mtu.rst @@ -0,0 +1,30 @@ +MTU configuration +================= +The default MTU of fastd is 1500. This allows briding the fastd interface in TAP +mode with other interface with the same MTU, but will usually cause fastd's UDP +packets to be fragmented (see also the option :ref:`pmtu `). Fragmentation can lower the +performance or even cause connectivty problems when broken routers filter ICMP packets, +so if possible the MTU should be chosed small enough so that IP fragmentation can be avoided. +Unlike OpenVPN, fastd doesn't support fragmentation itself, but relies on the IP stack to fragment packets when necessary. + +Guidelines +---------- + +* The basic overhead of a fastd packet in TUN mode over IPv4 is 39 Bytes when only null crypto is used and 52 Bytes for all other crypto methods +* TAP mode needs 14 bytes more than TUN mode +* Tunneling over IPv6 needs 20 bytes more than IPv4 + +Examples +-------- + +Your base MTU is 1500 and you want to use TUN mode over IPv4 with any crypto method: + Choose 1500 - 52 = 1448 bytes. + +Your base MTU is 1492 (like most German DSL lines) and you want to use TAP mode over IPv4 with any crypto method: + Choose 1492 - 52 - 14 = 1426 bytes. + +Conservative choice when you want to transfer IPv6 inside the tunnel: + Choose 1280 Bytes (not relevant when you use batman-adv inside the tunnel as batman-adv will take care of the inner fragmentation). + +Conservative choice when you don't know anything (but assume the base MTU is at least 1280 so IPv6 can be supported) and want to support tunnels over IPv4 and IPv6 in TAP mode with any crypto method: + Choose 1280 - 52 - 14 - 20 = 1194 bytes. -- cgit v1.2.3