package fastd config fastd sample_config # Set to 1 to enable this instance: option enabled 0 # Sets a static config file, optional # Options set via UCI have higher priority that statically configured ones # list config '/etc/fastd/sample_config/fastd.conf' # Configures a single static peer from a configuration file # list config_peer '/etc/fastd/sample_config/sample_peer.conf' # Sets an additional directory from which peers configurations are read # The peer list can be reloaded without restarting fastd # Peer can either be configured via UCI (see examples below) or via peer dirs # Can't be used in tun mode # list config_peer_dir '/etc/fastd/sample_config/peers' # Sets the log level # Possible values: error, warn, info, verbose, debug # Default: info option syslog_level 'info' # IP address and port of the local end, optional # 'any' can be used to bind to both IPv4 and IPv6 # If no port is given fastd will bind to a random port # list bind 'any:1337' # list bind '0.0.0.0:1337' # list bind '[::]:1337' # "method null" uses no encryption or MAC # "method salsa2012+umac" uses the Salsa20/12 encryption and the UMAC message authentication code # See the fastd documentation for the other supported encryption methods list method 'salsa2012+umac' # "mode tap" will create an ethernet tunnel (tap device), # "mode tun" will create an IP tunnel (tun device). option mode 'tap' # Set the name of the tunnel interface to use option interface 'tap0' # option interface 'tun0' # option interface 'fastd0' # Sets the MTU of the tunnel interface, default is 1500 # 1426 is a good value that avoids fragmentation for the xsalsa20-poly1305 method # when the tunnel uses an IPv4 connection on a line with an MTU of 1492 or higher option mtu 1426 # Enables direct forwaring of packets between peers # WARNING: Only enable this if you know what you are doing, as this can lead to forwarding loops! option forward 0 # Disable for compatiblity with fastd v10 and older option secure_handshakes 1 # Set a packet mark to filter for with iptables or ip rules # option packet_mark 42 # Socket to get fastd's status # option status_socket '/var/run/fastd-example.sock' # Limits the maximum number of connections (optional) # May also be used in peer groups # option peer_limit 5 # The secret key # A keypair can be generated with `fastd --generate-key` # When the corresponding public key is lost it can be recovered with `/etc/init.d/fastd show-key ` # option secret '0000000000000000000000000000000000000000000000000000000000000000' # Sets the user to run fastd as. Defaults to root # option user 'daemon' # Sets the group to run fastd as. Defaults to the user's primary group # option group 'daemon' # If set to 1, the logs won't contain peers' IP addresses # option hide_ip_addresses '0' # If set to 1, the logs won't contain peers' MAC addresses # option hide_mac_addresses '0' # If set to 0, peer-specific interfaces will only exist as long as there is an active connection # option persist_interface '1' # If fastd was compiled with libcap support, defines how capabilities are handled # Possible values: 1, 0, early, force (see fastd documentation for a description of the values) # option drop_capabilities '1' # Command to configure IP addresses etc. after the tunnel interface is up; $1 will be the interface name (optional) # option up '' # Command to execute before the tunnel interface is set down; $1 will be the interface name (optional) # option down '' # Commands executed by fastd ($INTERFACE can be used for the interface name; optional) # All except on_pre_up and on_post_down may also be used in peer groups # option on_pre_up '' # option on_up '' # option on_down '' # option on_post_down '' # option on_connect '' # option on_establish '' # option on_disestablish '' # option on_verify '' config peer sample_peer # Set to 1 to enable this peer # In tap mode peers can be reloaded dynamically option enabled 0 # Controls which instance this peer is associated with option net 'sample_config' # Controls which peer group this peer belongs to, optional # For most use cases peer groups aren't necessary # option group 'sample_group' # The peer's public key option key '0000000000000000000000000000000000000000000000000000000000000000' # A remote specification consists of an address or a hostname, and a port # When a hostname is given, it is recommended to specify the address family to use # It is possible to specify no, one or multiple remotes # (but all entries must designate the same host as the public key must be unique) # list remote '192.0.2.1:1337' # list remote '[2001:db8::1]:1337' # list remote '"example.com" port 1337' # list remote 'ipv4 "example.com" port 1337' # list remote 'ipv6 "example.com" port 1337' # Setting float to 1 allow incoming connections with this key from other addresses/hostnames/ports than the specified remotes # option float 0 config peer_group sample_group # Set to 1 to enable this peer group option enabled 0 # Controls which instance this peer group is associated with # Peer groups can't be used in tun mode option net 'sample_config' # Allows configuring nested groups # option parent 'other_group' # Includes another config file inside the peer group definition # list config '/etc/fastd/sample_config/sample_group.conf' # Configures a single static peer from a configuration file # list config_peer '/etc/fastd/sample_config/sample_peer.conf' # Configures an additional peer directory for this group # list config_peer_dir '/etc/fastd/sample_config/peers2' # Methods set in the peer group override the ones configured in the parent group or globally # list method 'null'