diff --git a/edge.troff b/edge.troff index 5157653..07507a9 100644 --- a/edge.troff +++ b/edge.troff @@ -1,11 +1,11 @@ -.TH edge 8 "17 Mar 2010" "n2n-2.1" "SUPERUSER COMMANDS" +.TH edge 8 "May 19 2018" "n2n-2.1" "SUPERUSER COMMANDS" .SH NAME edge \- n2n edge node daemon .SH SYNOPSIS .B edge -[\-d ] \-a \-c {\-k |\-K } -[\-s ] \-l -[\-p ] [\-u ] [\-g ] [-f] [\-m ] [\-r] [\-v] +[\-d ] \-a [\-A ] \-c {\-k |\-K } +[\-s ] [\-4|\-6] \-l +[\-p ] [\-u ] [\-g ] [-f] [\-m ] [\-E][\-r] [\-v] .SH DESCRIPTION N2N is a peer-to-peer VPN system. Edge is the edge node daemon for n2n which creates a TAP interface to expose the n2n virtual LAN. On startup n2n creates @@ -15,15 +15,21 @@ begin to find other nodes in the community. .SH OPTIONS .TP \-d -sets the TAP device name as seen in ifconfig. Only available on Linux. +sets the TAP interface name. Only available on Linux. .TP \-a {|static:|dhcp:0.0.0.0} -sets the n2n virtual LAN IP address being claimed. This is a private IP +sets the n2n virtual LAN IP address. This is a private IP address. All IP addresses in an n2n community typical belong to the same /24 network (ie. only the last octet of the IP addresses varies). If DHCP is used to assign interface addresses then specify the address as .B -a dhcp:0.0.0.0 .TP +\-A [/] +set the n2n virtual LAN IPv6 address. Works only in conjunction with a set IPv4 address. +The default is no set IPv6. The default prefix for an address is /64 but this can be changed +by appending a prefix to the address. +.B -A fdf0:dead:beef::102/48 +.TP \-b cause edge to perform hostname resolution for the supernode address each time the supernode is periodically contacted. This can cause reliability problems @@ -55,9 +61,20 @@ encryption). The -k and -K options are mutually exclusive. .TP \-l : sets the n2n supernode IP address and port to register to. Up to 2 supernodes -can be specified by two invocations of -l :. eg. -.B edge -l 12.34.56.78:7654 -l 98.76.54.32:7654 -. +can be specified by two invocations of -l :. Also IPv6 addresses are +possible, they have to be enclosed in square brackets, if the port is ommited the +default 7654 is assumed. + +.B edge -l 203.0.113.21 -l [2001:db8:cafe:babe::fed0]:7654 + +If a DNS name is provided it is resolved. Provide the \-b switch +to periodically lookup the name, incase of a dynamic IP. +.TP +[\-4|\-6] +limit resolving the supernode DNS name provided with \-k to either +IPv4 or IPv6. If the supernode is provied using an numeric address, +this parameter does nothing. The default is to not specify any protocol +preference. .TP \-p binds edge to the given UDP port. Useful for keeping the same external socket @@ -101,9 +118,13 @@ DHCP assigned) IP address of the edge interface. .TP \-E accept packets destined for multicast ethernet MAC addresses. These addresses -are used in multicast ethernet and IPv6 neighbour discovery. If this option is -not present these multicast packets are discarded as most users do not need or +are used in multicast ethernet. If this option is not present these multicast +packets are discarded as most users do not need or understand them. + +ARP requests and IPv6 neighborhood discovery are not limited by this switch, +these packages are always sent, as they are required for the clients to +discover each other. .TP \-v more verbose logging (may be specified several times for more verbosity). @@ -113,25 +134,46 @@ more verbose logging (may be specified several times for more verbosity). set the encryption key so it is not visible on the command line .SH EXAMPLES .TP -.B edge \-d n2n0 \-c mynetwork \-k encryptme \-u 99 \-g 99 \-m DE:AD:BE:EF:01:23 \-a 192.168.254.7 \-p 50001 \-l 123.121.120.119:7654 +.B edge -f -d n2n0 -c mynetwork -k encryptme -u 99 -g 99 -m 00:DE:AD:BE:EF:01 -a 192.168.254.7 -l 123.121.120.119:7654 Start edge with TAP device n2n0 on community "mynetwork" with community supernode at 123.121.120.119 UDP port 7654 and bind the locally used UDP port to 50001. Use "encryptme" as the single permanent shared encryption key. Assign MAC -address DE:AD:BE:EF:01:23 to the n2n interface and drop to user=99 and group=99 +address 00:DE:AD:BE:EF:01 to the n2n interface and drop to user=99 and group=99 after the TAP device is successfull configured. .PP -Add the -f option to stop edge running as a daemon. +Remove the \-f option to run edge as a daemon. .PP Somewhere else setup another edge with similar parameters, eg. -.B edge \-d n2n0 \-c mynetwork \-k encryptme \-u 99 \-g 99 \-m DE:AD:BE:EF:01:21 \-a 192.168.254.5 \-p 50001 \-l 123.121.120.119:7654 +.B edge -f -d n2n0 -c mynetwork -k encryptme -u 99 -g 99 -m 00:DE:AD:BE:EF:02 -a 192.168.254.5 -l 123.121.120.119:7654 .PP Now you can ping from 192.168.254.5 to 192.168.254.7. .PP The MAC address (-m ) and virtual IP address (-a ) must be different on all edges in the same community. +.SH LINUX CAPABILITIES +Edge is aware of Linux +.B capabilities(7) +and drops all capabilities, after network setup. edge needs +.B CAP_NET_ADMIN +for network setup and +.B CAP_SETUID +and +.B CAP_SETGID +to change to a user/group if \-u and/or \-g was provided as a command line parameter. + +edge can run as any user by setting the set of permited capabilities to +.B CAP_NET_ADMIN +e.g., + +.B setcap cap_net_admin+p ./edge + +.SH IPv6 +When running in IPv6 mode (by using a IPv6 supernode), edge can only directly connect to other +IPv6 edges directly. + .SH KEY SCHEDULE FILES (See .B n2n_v2(7) @@ -139,7 +181,7 @@ for more details). The -K option reads a key schedule file. -.B edge \-d n2n0 \-c mynetwork \-K /path/to/file \-u 99 \-g 99 \-m DE:AD:BE:EF:01:21 \-a 192.168.254.5 \-p 50001 \-l 123.121.120.119:7654 +.B edge \-d n2n0 \-c mynetwork \-K /path/to/file \-u 99 \-g 99 \-m 00:DE:AD:BE:EF:01 \-a 192.168.254.5 \-p 50001 \-l 123.121.120.119:7654 .PP The key schedule file consists of line, one per key in the schedule. The purpose @@ -204,5 +246,8 @@ deri (at) ntop.org - original author of n2n .TP Don Bindner (--) - significant contributions to n2n-1 +.TP +Max Resch + .SH SEE ALSO -ifconfig(8) supernode(1) tunctl(8) n2n_v2(7) +supernode(1) n2n_v2(7) capabilities(7) diff --git a/n2n_v2.troff b/n2n_v2.troff index 092f2d3..3e4885c 100644 --- a/n2n_v2.troff +++ b/n2n_v2.troff @@ -39,11 +39,11 @@ sensitivity applications. .TP .B (2) TF Twofish AES candidate. -.P -The following additional ciphers are specified but not yet implemented: .TP .B (3) AES-CBC AES in CBC mode with 256-bit key. +.P +The following additional ciphers are specified but not yet implemented: .TP .B (4) LZO LZO compression of data (no encryption). @@ -153,4 +153,4 @@ Richard Andrews andrews (at) ntop.org - main author of n2n-2 Luca Deri deri (at) ntop.org - code inherited from n2n-1 .SH SEE ALSO -ifconfig(8) edge(8) supernode(1) +edge(8) supernode(1) diff --git a/supernode.troff b/supernode.troff index 26b1f70..c4b4fb1 100644 --- a/supernode.troff +++ b/supernode.troff @@ -1,8 +1,8 @@ -.TH supernode 1 "Jan 3, 2009" "revision 3679" "USER COMMANDS" +.TH supernode 1 "May 19 2018" "n2n-2.1" "USER COMMANDS" .SH NAME supernode \- n2n supernode daemon .SH SYNOPSIS -.B supernode \-l [\-v] +.B supernode [\-l ] [\-v] [\-4] [\-6] .SH DESCRIPTION N2N is a peer-to-peer VPN system. Supernode is a node introduction registry, broadcast conduit and packet relay node for the n2n system. On startup supernode @@ -19,7 +19,14 @@ All logging goes to stdout. .SH OPTIONS .TP \-l -listen on the given UDP port +listen on the given UDP port. Defaults to 7654 +.TP +\-4 +bind to the any interface IPv4 address. This is the default. +.TP +\-6 +bind to the any interface IPv6 address. This disables IPv4 but it can be combined with +the \-4 switch to allow IPv4 and IPv6 traffic. .TP \-v use verbose logging @@ -31,13 +38,16 @@ disable daemon mode (UNIX) and run in foreground. .B supernode -l 7654 -v Start supernode listening on UDP port 7654 with verbose output. .PP +.SH REMARKS +Additionally supernode opens UDP port 5645 on the IPv4 loopback interface (127.0.0.1). +On this management socket statistical information can be queried, i.e. using socat. .SH RESTART -When suprenode restarts it loses all registration information from associated +When supernode restarts it loses all registration information from associated edge nodes. It can take up to five minutes for the edge nodes to re-register and normal traffic flow to resume. .SH EXIT STATUS supernode is a daemon and any exit is an error .SH AUTHOR -Luca Deri ( deri (at) ntop.org ), Richard Andrews ( andrews (at) ntop.org ), Don Bindner +Luca Deri ( deri (at) ntop.org ), Richard Andrews ( andrews (at) ntop.org ), Don Bindner, Max Resch .SH SEE ALSO -ifconfig(8) edge(8) +edge(8) n2n(7)