Предлагаю раздраконить тот пример который прилагается к VPND.
Дабы чтобы каждый мог настроить под себя впн-канал.
Т.к. пример на англицком, давайте будем переводить и объяснять смысл каждого параметра. После чего проблем у народа с настройкой VPND не будет....
Код: Выделить всё
# ============================
# vpnd config file (vpnd.conf)
# ============================
#
# You will need to start a separate vpnd daemon for
# every parallel vpn connection. Each daemon will
# need it's own config file.
#
# ---------------------------------------------------
# general parameters
# ---------------------------------------------------
#
# pidfile <pathname-of-file>
#
# optional, file where pid of vpnd is stored, if not
# given no file is used, file is deleted when daemon
# terminates
#
# example: pidfile /var/run/vpnd.pid
#
# randomdev <random-number-device-file>
#
# optional, source of random data, default is /dev/random
# (/dev/srandom on OpenBSD systems and /var/run/egd-pool
# on Solaris 8 systems) which may block if insufficient
# entropy is available so you may decide to use
# /dev/urandom instead (not on Solaris 8) which should be
# safe enough but does not block,
# note that for Linux 1.x system you may have to start
# the supplied randomd daemon if you don't have a good
# random number source, in this case your random device
# is /dev/randomd
#
# example: randomdev /dev/urandom
#
# keysize <key-length-in-bytes>
#
# optional, may be used to downgrade key length, valid
# range is 0 to 72, default is 72 which is a key length
# of 72*8=576 bits, must be the same value on peer side,
# be adviced to use the longest key legally possible,
# note that keysize of 0 is unencrypted SLIP mode
#
# example: keysize 5
#
# keyttl <key-time-to-live>
#
# optional, time in minutes after which a new key has to be used,
# is ignored if mode is client as only the server generates keys,
# if 0 is given, key replacement is disabled, default is 60 minutes,
# ignored if keysize is 0 (no key replacement)
#
# example: keyttl 30
#
# keepalive [<time-in-seconds>]
#
# optional, when given pings peer every n seconds where n is
# the optional time in seconds parameter, if parameter is not
# given default to ping every second, if keepalive is not given
# default is not to ping, ignored if keysize is 0 (no ping)
#
# example: keepalive 2
#
# noanswer <packet-amount>
#
# optional, amount of idle ping packets in serial line
# mode after which the line will be dropped if there
# is no ping reply, works only, if keepalive option
# is given, default is to drop line after 10 unanswered
# packets
#
# example: noanswer 3
#
# retry <retry-delay-time>
#
# optional, retry delay time for access and communication
# failures, default is 10 seconds
#
# example: retry 5
#
# nocompress
#
# optional, disables data compression, use only if peer
# doesn't support compression
#
# example: nocompress
#
# threshold <icompression-test-threshold-size>
#
# optional, works only if nocompress is not given, defines
# the packet size threshold from which on data compression
# is tried, range is 1 to 2047, default is 16, use only
# for systems with slow or continously busy cpu
#
# example: threshold 512
#
# ---------------------------------------------------
# general parameters (available with version 1.0.3)
# ---------------------------------------------------
#
# rxmax <maximum-wait-time>
#
# optional, defines the maximum time to wait for expected data
# from peer, default is 10 seconds
#
# example: rxmax 5
#
#
# txmax <maximum-wait-time>
#
# optional, defines the maximum time to wait to be able to
# transmit data to peer, default is 10 seconds
#
# example: txmax 5
#
# ---------------------------------------------------
# general parameters (available with version 1.0.4)
# ---------------------------------------------------
#
# linkup <process-pathname>
#
# optional, full pathname of (hashed) process
# which is called asynchonously when the vpn
# link is established
#
# example: linkup /usr/local/etc/vpnd.linkup
#
# linkdown <process-pathname>
#
# optional, full pathname of (hashed) process
# which is called asynchonously when the vpn
# link is terminated
#
# example: linkdown /usr/local/etc/vpnd.linkdown
#
# ---------------------------------------------------
# basic operation mode
# ---------------------------------------------------
#
# mode client|server
#
# mandatory, selects client or server mode
#
# example: mode client
#
# client <ip>|<device-file> [<port>]
#
# mandatory, defines client device file or ip, in case of
# client ip (host name may be given if the -l command line parameter
# is used) client port number may be given (default is any port),
# if mode is server and client ip is 0.0.0.0 no peer ip check is done,
# if client is device file device file must be located in /dev,
# if ip, server must be ip, if device, server must be device,
# note that ip in example below is deliberately wrong
#
# examples: client 393.405.5.55 2001
# client /dev/cua1
#
# server <ip|device-file> [<port>]
#
# mandatory, defines server device file or ip, in case
# of server ip (host name may be given if the -l command line parameter
# is used) server port number may be given (default port is 379),
# if server device file device file must be located in /dev,
# if ip, client must be ip, if device, client must be device,
# note that ip in example below is deliberately wrong
#
# examples: server 327.526.4.27 2001
# server /dev/cua0
#
# keyfile <shared-secret-file>
#
# optional, defines the pathname of the shared secret file which
# must be created with the -m option of vpnd, if not given default
# of /usr/local/etc/vpnd.key is used
#
# example: keyfile /var/adm/mysecret.key
#
# ---------------------------------------------------
# general parameters (available with version 1.1.1)
# ---------------------------------------------------
#
# control <control-socket-pathname>
#
# optional, defines the pathname of a unix domain
# control socket to be used by the vpnctl utility
#
# example: control /var/run/vpnd.ctrl
#
# ---------------------------------------------------
# basic operation mode (available with version 1.0.7)
# ---------------------------------------------------
#
# hmac <hmac-mode> [md5|sha1|ripemd160]
#
# optional, defines if HMAC should be used instead
# of a fast checksum for message authentication, 1
# for hmac-mode (only with extended key file format)
# means use HMAC if peer supports it, 2 means always
# use HMAC and fail if peer doesn't support it
# (note that the header length of any message is 4
# bytes when the checksum is used whereas it is
# 18 or 22 bytes when HMAC is used, you will have to
# to choose between fast processing and minimal
# overhead versus additional security and message length
# as well as processing overhead, see SPEED.TXT),
# the second parameter selects the authentication
# method, if not given the default is HMAC-MD5,
# if given it is HMAC-MD5 in case of md5, HMAC-SHA1
# in case of sha1 or HMAC-RIPEMD160 in case of
# rmd160, note the ascending priority from md5 to
# rmd160 (the higest priority requested from one of
# the peers involved will be used in case of extended
# key file format, the same value must be given for
# both peers in case of basic key file format)
#
# ---------------------------------------------------
# basic operation mode (available with version 1.1.0)
# ---------------------------------------------------
#
# facility <syslog-facility>
#
# optional, selects the syslog facility vpnd uses,
# if not given the default facility is daemon
#
# example: facility local0
#
# ---------------------------------------------------
# basic operation mode (available with version 1.1.1)
# ---------------------------------------------------
#
# ppp
#
# optional, use ppp interface instead of slip interface,
# note that on Solaris only ppp is supported, note
# that this option must be given in the peer config, too,
# if it is given
#
# example: ppp
#
# ---------------------------------------------------
# SLIP/PPP parameters
# ---------------------------------------------------
#
# local <ip>
#
# mandatory, defines local ip of encrypted network interface,
# a host name may be given if the command line option -l is
# used, note that ip in example below is deliberately wrong
#
# example: local 393.405.5.57
#
# remote <ip>
#
# mandatory, defines peer ip of encrypted network interface,
# a host name may be given if the command line option -l is
# used, note that ip in example below is deliberately wrong
#
# example: remote 327.526.4.25
#
# mtu <maximum-transfer-unit>
#
# optional, if given should be the same for server and client,
# default is 1500 (the maximum for Solaris 8), note that for
# SLIP interfaces on OpenBSD systems the default is 296 and
# this option is ignored
#
# example: mtu 1600
#
# nocslip
#
# optional, turns off slip/ppp header compression, if given
# must be given on peer side, too
#
# example: nocslip
#
# autoroute
#
# optional, when given prevents duplicate routes when the
# kernel automatically creates a route to the peer when the
# SLIP network interface is created, Linux 2.2.x Intel
# kernels do this, ignored for FreeBSD, NetBSD, OpenBSD and
# Solaris
#
# example: autoroute
#
# route1 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route2 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route3 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route4 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route5 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route6 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route7 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route8 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
# route9 <destination-ip> <netmask-in-dot-notation> <gateway-ip>
#
# optional, adds/deletes additional route when encrypted interface
# is created/dropped, during addition route1 is processed first,
# during deletion route1 is processed last, host names instead
# of ips may be used if the command line parameter -l is given,
# note that ips in the example below are deliberately wrong
#
# example: route1 327.526.4.0 255.255.255.0 327.526.4.25
# route2 327.526.4.9 255.255.255.255 327.526.4.88
#
# ---------------------------------------------------
# SLIP/PPP parameters (available with version 1.0.7)
# ---------------------------------------------------
#
# slipup <process-pathname>
#
# optional, full pathname of (hashed) process
# which is called asynchonously when the SLIP/PPP
# interface is established, the SLIP/PPP interface
# name is the parameter for the process
#
# example: slipup /usr/local/etc/vpnd.slipup
#
# slipdown <process-pathname>
#
# optional, full pathname of (hashed) process
# which is called asynchonously when the SLIP/PPP
# link is terminated, the SLIP/PPP interface
# name is the parameter for the process
#
# example: slipdown /usr/local/etc/vpnd.slipdown
#
#
# ---------------------------------------------------
# serial line parameters
# ---------------------------------------------------
#
# speed <serial-line-speed>
#
# optional, speed is one of 19200,38400,57600,115200,230400
# or 460800 (not on all systems), default is 115200
#
# example: speed 38400
#
# localline
#
# optional, disables modem control signals for serial line
#
# example: localline
#
# nortscts
#
# optional, disables use of rts/cts for serial line
#
# example: nortscts
#
# xfilter
#
# optional, escapes all XON/XOFF characters on send and filters
# all unescaped XON/XOFF characters on receive, use if your
# modem sends XON/XOFF even if you disable XON/XOFF, must
# be set on both peers
#
# example: xfilter
#
# modemchat <init-chat-file>
#
# optional, pathname of file containing modem initialization
# chat sequence, default is not to perform init chat
#
# example: modemchat /usr/local/etc/vpnd.chat
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.0.2)
# ---------------------------------------------------
#
# peerroute [<device>]
#
# optional, sets up a priority host route to the
# vpnd peer system, if device is given the route
# is added with flags UH to the given device,
# if device is not given the kernel routing
# table is searched for a proper route and the
# host route is set up accordingly
#
# linktest <idle-seconds>
#
# optional, performs TCP link test if peer link was idle
# for at least idle-seconds and data have to be sent to
# peer, peer must respond within 5 seconds, otherwise
# link is assumed to be broken, you may need the oobfix
# option (see below) for this option to work
#
# example: linktest 30
#
# oobfix
#
# optional, must be given if linktest is given for Linux kernels
# < 2.0.36 (you have to find out yourself for the 2.1.x series),
# this is a out of band data kernel bug workaround, it is
# strongly recommended to upgrade your kernel if you would need
# this fix and require the linktest option
#
# example: oobfix
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.0.3)
# ---------------------------------------------------
#
# suspend <idle-seconds>
#
# optional, disconnects TCP link from peer if the link was idle
# for at least idle-seconds, furthermore prevents link from
# being established before any data have to be sent to peer
# (client to server)
#
# example: suspend 110
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.0.4)
# ---------------------------------------------------
#
# ipopts <type-of-service-and-precedence-flags>
#
# optional, if given an decimal value which represents
# a combination of the following values:
# 1 high reliability type of service
# 2 high throughput type of service
# 4 low delay type of service
# 8 priority precedence
# please keep in mind that nearly all routers do
# ignore these settings so except for very special
# environments you won't gain anything
#
# example: ipopts 10
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.0.5)
# ---------------------------------------------------
#
# sendbuf <buffer-size-in-bytes>
#
# optional, sets the TCP send buffer size to the
# given buffer size in bytes, this can help if both
# interactive and bulk transfer sessions are handled
# over a slow TCP link (e.g. analogue modem), a value
# to start experimenting with is 4096 though you
# will have to find out yourself what is best for you
#
# example: sendbuf 4096
#
# connwait <connect-timeout-in-seconds>
#
# optional, used for client only, defines the maximum
# time to wait for connect to server to complete,
# if not given system imposes default time
#
# example: connwait 30
#
# ---------------------------------------------------
# TCP/IP parameters (available with version 1.1.1)
# ---------------------------------------------------
#
# socks <server-ip> [<server-port> [<username>]]
#
# optional, valid only in client mode, specifies
# a socks V4 server to be used to connect to the
# vpnd peer, server-ip is the socks server ip,
# server-port is the socks server port, if not
# given the default is 1080, username is an
# optional username for socks server access
#
# example: socks 301.299.5.77 1080 johndoe
#
Я так понимаю, этот параметр служит для того чтобы задать длину ключа. У меня она равна 72. Зачем его задавать? Я думаю если длина ключа изменится, то канал- не поднимется.
