daily: we no longer provide sha1/md5 files, but switched to sha256

[grml.org.git] / online-docs / grml-vpn.8.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"\r
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">\r
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">\r
<head>\r
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />\r
<meta name="generator" content="AsciiDoc 7.1.2" />\r
<style type="text/css">\r
/* Debug borders */\r
p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {\r
/*\r
  border: 1px solid red;\r
*/\r
}\r
\r
body {\r
  margin: 1em 5% 1em 5%;\r
}\r
\r
a {\r
  color: blue;\r
  text-decoration: underline;\r
}\r
a:visited {\r
  color: fuchsia;\r
}\r
\r
em {\r
  font-style: italic;\r
}\r
\r
strong {\r
  font-weight: bold;\r
}\r
\r
tt {\r
  color: navy;\r
}\r
\r
h1, h2, h3, h4, h5, h6 {\r
  color: #527bbd;\r
  font-family: sans-serif;\r
  margin-top: 1.2em;\r
  margin-bottom: 0.5em;\r
  line-height: 1.3;\r
}\r
\r
h1 {\r
  border-bottom: 2px solid silver;\r
}\r
h2 {\r
  border-bottom: 2px solid silver;\r
  padding-top: 0.5em;\r
}\r
\r
div.sectionbody {\r
  font-family: serif;\r
  margin-left: 0;\r
}\r
\r
hr {\r
  border: 1px solid silver;\r
}\r
\r
p {\r
  margin-top: 0.5em;\r
  margin-bottom: 0.5em;\r
}\r
\r
pre {\r
  padding: 0;\r
  margin: 0;\r
}\r
\r
span#author {\r
  color: #527bbd;\r
  font-family: sans-serif;\r
  font-weight: bold;\r
  font-size: 1.2em;\r
}\r
span#email {\r
}\r
span#revision {\r
  font-family: sans-serif;\r
}\r
\r
div#footer {\r
  font-family: sans-serif;\r
  font-size: small;\r
  border-top: 2px solid silver;\r
  padding-top: 0.5em;\r
  margin-top: 4.0em;\r
}\r
div#footer-text {\r
  float: left;\r
  padding-bottom: 0.5em;\r
}\r
div#footer-badges {\r
  float: right;\r
  padding-bottom: 0.5em;\r
}\r
\r
div#preamble,\r
div.tableblock, div.imageblock, div.exampleblock, div.verseblock,\r
div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,\r
div.admonitionblock {\r
  margin-right: 10%;\r
  margin-top: 1.5em;\r
  margin-bottom: 1.5em;\r
}\r
div.admonitionblock {\r
  margin-top: 2.5em;\r
  margin-bottom: 2.5em;\r
}\r
\r
div.content { /* Block element content. */\r
  padding: 0;\r
}\r
\r
/* Block element titles. */\r
div.title, caption.title {\r
  font-family: sans-serif;\r
  font-weight: bold;\r
  text-align: left;\r
  margin-top: 1.0em;\r
  margin-bottom: 0.5em;\r
}\r
div.title + * {\r
  margin-top: 0;\r
}\r
\r
td div.title:first-child {\r
  margin-top: 0.0em;\r
}\r
div.content div.title:first-child {\r
  margin-top: 0.0em;\r
}\r
div.content + div.title {\r
  margin-top: 0.0em;\r
}\r
\r
div.sidebarblock > div.content {\r
  background: #ffffee;\r
  border: 1px solid silver;\r
  padding: 0.5em;\r
}\r
\r
div.listingblock > div.content {\r
  border: 1px solid silver;\r
  background: #f4f4f4;\r
  padding: 0.5em;\r
}\r
\r
div.quoteblock > div.content {\r
  padding-left: 2.0em;\r
}\r
\r
div.attribution {\r
  text-align: right;\r
}\r
div.verseblock + div.attribution {\r
  text-align: left;\r
}\r
\r
div.admonitionblock .icon {\r
  vertical-align: top;\r
  font-size: 1.1em;\r
  font-weight: bold;\r
  text-decoration: underline;\r
  color: #527bbd;\r
  padding-right: 0.5em;\r
}\r
div.admonitionblock td.content {\r
  padding-left: 0.5em;\r
  border-left: 2px solid silver;\r
}\r
\r
div.exampleblock > div.content {\r
  border-left: 2px solid silver;\r
  padding: 0.5em;\r
}\r
\r
div.verseblock div.content {\r
  white-space: pre;\r
}\r
\r
div.imageblock div.content { padding-left: 0; }\r
div.imageblock img { border: 1px solid silver; }\r
span.image img { border-style: none; }\r
\r
dl {\r
  margin-top: 0.8em;\r
  margin-bottom: 0.8em;\r
}\r
dt {\r
  margin-top: 0.5em;\r
  margin-bottom: 0;\r
  font-style: italic;\r
}\r
dd > *:first-child {\r
  margin-top: 0;\r
}\r
\r
ul, ol {\r
    list-style-position: outside;\r
}\r
ol.olist2 {\r
  list-style-type: lower-alpha;\r
}\r
\r
div.tableblock > table {\r
  border: 3px solid #527bbd;\r
}\r
thead {\r
  font-family: sans-serif;\r
  font-weight: bold;\r
}\r
tfoot {\r
  font-weight: bold;\r
}\r
\r
div.hlist {\r
  margin-top: 0.8em;\r
  margin-bottom: 0.8em;\r
}\r
td.hlist1 {\r
  vertical-align: top;\r
  font-style: italic;\r
  padding-right: 0.8em;\r
}\r
td.hlist2 {\r
  vertical-align: top;\r
}\r
\r
@media print {\r
  div#footer-badges { display: none; }\r
}\r
/* Workarounds for IE6's broken and incomplete CSS2. */\r
\r
div.sidebar-content {\r
  background: #ffffee;\r
  border: 1px solid silver;\r
  padding: 0.5em;\r
}\r
div.sidebar-title, div.image-title {\r
  font-family: sans-serif;\r
  font-weight: bold;\r
  margin-top: 0.0em;\r
  margin-bottom: 0.5em;\r
}\r
\r
div.listingblock div.content {\r
  border: 1px solid silver;\r
  background: #f4f4f4;\r
  padding: 0.5em;\r
}\r
\r
div.quoteblock-content {\r
  padding-left: 2.0em;\r
}\r
\r
div.exampleblock-content {\r
  border-left: 2px solid silver;\r
  padding-left: 0.5em;\r
}\r
</style>\r
<title>GRML-VPN(8)</title>\r
</head>\r
<body>\r
<div id="header">\r
<h1>GRML-VPN(8)</h1>\r
<span id="author">Michael Gebetsroither</span><br />\r
<span id="email"><tt>&lt;<a href="mailto:michael.geb@gmx.at">michael.geb@gmx.at</a>&gt;</tt></span><br />\r
</div>\r
<h2>NAME</h2>\r
<div class="sectionbody">\r
<p>grml-vpn - program to establish encrypted communication channels in a network</p>\r
</div>\r
<h2>SYNOPSIS</h2>\r
<div class="sectionbody">\r
<p><strong>grml-vpn</strong> [OPTIONS] <em>&lt;ACTION&gt;</em> <em>&lt;SPI&gt;</em> [IPs]</p>\r
</div>\r
<h2>DESCRIPTION</h2>\r
<div class="sectionbody">\r
<p><strong>grml-vpn</strong> is a program that\r
provides an easy wrapper around ipsec and setkey (without any ike daemon).\r
With this program you can create a vpn based uppon ipsec to any number of computers.\r
It's intended purpose is for example for wlan sessions to create an encrypted network between all computers on the wlan.\r
It is also possible to create a standalone shellscript which only needs the setkey command to setup the vpn (using the -x option).</p>\r
</div>\r
<h2>ACTIONS</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>add</strong>\r
</dt>\r
<dd>\r
<p>\r
  Add an ipsec entry\r
</p>\r
</dd>\r
<dt>\r
<strong>del</strong>\r
</dt>\r
<dd>\r
<p>\r
  Delete an specific ipsec entry\r
</p>\r
</dd>\r
<dt>\r
<strong>clear</strong>\r
</dt>\r
<dd>\r
<p>\r
  Delete all ipsec entries (attention, really deletes _all_ entrys, even from other setkey commands and isakmpd).\r
</p>\r
</dd>\r
<dt>\r
<strong>show</strong>\r
</dt>\r
<dd>\r
<p>\r
  Show all infos about ipsec entrys.\r
</p>\r
</dd>\r
<dt>\r
<strong>info</strong>\r
</dt>\r
<dd>\r
<p>\r
  Give infos about ciphers and there allowed keysizes.\r
</p>\r
</dd>\r
<dt>\r
<strong>help</strong>\r
</dt>\r
<dd>\r
<p>\r
  Show the help message.\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>OPTIONS</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>-h, help</strong>\r
</dt>\r
<dd>\r
<p>\r
Show summary of options.\r
</p>\r
</dd>\r
<dt>\r
<strong>-v</strong>\r
</dt>\r
<dd>\r
<p>\r
Show what is going on (more v =&gt; more out).\r
</p>\r
</dd>\r
<dt>\r
<strong>-a &lt;IP&gt;</strong>\r
</dt>\r
<dd>\r
<p>\r
Your IP (currently necessary for vpns with more than 2 computers given in file or on stdin). If IPs are given on commandline, the script tries hard to guess your IP.\r
</p>\r
</dd>\r
<dt>\r
<strong>-e &lt;ciphername&gt; (default=rijndael-cbc, better known as AES)</strong>\r
</dt>\r
<dd>\r
<p>\r
Cipher name. Will be matched against ciphers available for ipsec (all ciphers not only the available ciphers on your box).\r
eg. "-e two" will match twofish-cbc. If more then one ciphers matches your regexp than the matches are printed and grml-vpn aborts.\r
</p>\r
</dd>\r
<dt>\r
<strong>-b &lt;keysize&gt; (default=256 bit)</strong>\r
</dt>\r
<dd>\r
<p>\r
Keysize used for your encryption.\r
</p>\r
</dd>\r
<dt>\r
<strong>-k &lt;key&gt;</strong>\r
</dt>\r
<dd>\r
<p>\r
Your key/password for the vpn (will be hashed).\r
</p>\r
</dd>\r
<dt>\r
<strong>-K &lt;raw-key&gt;</strong>\r
</dt>\r
<dd>\r
<p>\r
Set raw key (you determine the keysize, not -b).\r
</p>\r
</dd>\r
<dt>\r
<strong>-f &lt;input-file&gt;</strong>\r
</dt>\r
<dd>\r
<p>\r
Read IPs for encrypted connections from file (same as from stdin).\r
</p>\r
</dd>\r
<dt>\r
<strong>-c</strong>\r
</dt>\r
<dd>\r
<p>\r
Read IPs from stdin (setkey commands are not written until _all_ IPs are read from stdin).\r
</p>\r
</dd>\r
<dt>\r
<strong>-p</strong>\r
</dt>\r
<dd>\r
<p>\r
Only print the setkey commands (eg. grml-vpn -p &#8230; |setkey -c).\r
USE THIS if you create a vpn with many computers, because this is a bit faster).\r
</p>\r
</dd>\r
<dt>\r
<strong>-x</strong>\r
</dt>\r
<dd>\r
<p>\r
Print a standalone shellscript which only needs setkey to setup the vpn.\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>EXAMPLES</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>grml-vpn -k testpw -b 128 add 1000 192.168.0.1 192.168.0.2</strong>\r
</dt>\r
<dd>\r
<p>\r
Creates encrypted connections between the two IPs possible, with the pre shared key (PSK) testpw and 128bit rijndael-cbc. You have to execute this command on both computers (if you type this command only on one computer, then it's impossible to create an connection between the two computers).\r
NOTE: with only 2 computers it's not necessary to specify your own ip with -a.\r
</p>\r
</dd>\r
<dt>\r
<strong>fakeroot grml-vpn -p -k testpw -b 128 add 1000 192.168.0.1 192.168.0.2</strong>\r
</dt>\r
<dd>\r
<p>\r
Same as above, but also possible as user.\r
Use -x instead of -p if you want a full functional shellscript to be printed to stdout.\r
</p>\r
</dd>\r
<dt>\r
<strong>grml-vpn -e bl -b 255 -a 192.168.0.2 add 2000 192.168.0.1 192.168.0.2 192.168.0.3</strong>\r
</dt>\r
<dd>\r
<p>\r
Encrypted connections between all 3 computers. This command should be executed on 192.168.0.2 (-a) and on the other two computers with the appropriate -a &lt;IP&gt;.\r
The cipher is blowfisch-cbc (no, -e bl is NO typo ;).\r
</p>\r
</dd>\r
<dt>\r
<strong>grml-vpn -a 192.168.0.2 del 2000 192.168.0.1 192.168.0.2 192.168.0.3</strong>\r
</dt>\r
<dd>\r
<p>\r
This command deletes the previous created encrypted connections on 192.168.0.2 (after this command it's impossible to send data to 192.168.0.{1,3} until you delete the vpn entrys on them (no, even ssh does not work anymore).\r
You should execute this command on all computers of the vpn (with the appropriate -a &lt;IP&gt; option). You could also use grml-crypt clear to clear all vpn settings.\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>SEE ALSO</h2>\r
<div class="sectionbody">\r
<p>setkey(8)</p>\r
</div>\r
<h2>AUTHOR</h2>\r
<div class="sectionbody">\r
<p>grml-vpn was written by Michael Gebetsroither &lt;michael.geb@gmx.at&gt;.</p>\r
<p>This manual page was written by Michael Gebetsroither &lt;gebi@grml.org&gt;.</p>\r
</div>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated 16-Sep-2007 02:51:42 CEST\r
</div>\r
</div>\r
</body>\r
</html>\r