wiresep.conf - WireSep configuration file
wiresep.conf is the configuration file used by wiresep(8). The file consists of global settings, interface specific settings and peer specific settings. All global settings can be overridden per interface, and some global and interface specific settings can be overridden per peer.
The following global settings are recognized:

group name
    Set the group as which to run wiresep(8). name must be either the name of an existing group from the group(5) database or an id in the range of 1 to 65535. If not set it defaults to the primary group of the effective user.

interface name {...}
    The name of an interface. name must start with “tun” followed by a number. The named interface must exist in /dev. See the section about interface specific settings for what can be contained in the block.

log facility facility
    Set the log facility as used by syslog(3). facility must be one of auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, user, uucp or local0 through local7.

pskfile file
    The name of a file that contains a pre-shared key for global use with all peers on all interfaces. The use of a pre-shared key is optional. If the file /etc/wiresep/global.psk exists it is automatically used. This setting can be overridden per interface and per peer. wiresep-keygen(1) can be used to generate a pre-shared key.

user name
    Set the user as which to run wiresep(8). name must be either the name of an existing user in the passwd(5) database or an id in the range of 1 to 65535. If a name is specified the primary group of this user will be used as the group of the process. If an id is specified for name then the group of the process will be set to the same id. If not set it defaults to the user “_wiresep”.
The following interface specific settings are recognized:

desc text
    A descriptive text for the interface as shown by ifconfig(8). If not set it defaults to the public key of the interface.

ifaddr ip/mask
    The IP address and mask of the interface in CIDR notation. This setting is required since configuration via hostname.if(5) is not yet supported. It may be set multiple times.

listen ip:port
    The IP address and port on which to listen for encrypted incoming packets. This setting is optional: if it is set the interface operates in server mode, if it is not set the interface operates in client-only mode. It may be set multiple times.

privkeyfile file
    The name of a file that contains the private key for this interface. If not set the default path of the private key is /etc/wiresep/tunN.privkey, where tunN is the name of the interface. A private key can be generated with wiresep-keygen(1).

peer [name] {...}
    A peer with an optional name followed by a required block containing peer specific settings. name is used in the logs. If it is not set the first eight characters of the peer's public key are used. See the section about peer specific settings for what can be contained in the block.

pskfile file
    The name of a file that contains a pre-shared key for communication with all peers on this interface. The use of a pre-shared key is optional. If the file /etc/wiresep/tunN.psk exists it is automatically used, where tunN is the name of the interface. An interface specific pre-shared key overrides any global pskfile. wiresep-keygen(1) can be used to generate a pre-shared key.

Note that all global settings can be used within an interface block to override the global setting.
The following peer specific settings are recognized:

allowedips ip/mask
    The IP addresses that this peer is allowed to use as a source address. 0.0.0.0/0 means any IPv4 address. ::/0 means any IPv6 address. * is a shorthand for ::/0 0.0.0.0/0. This setting is required and may be set multiple times. Because it decides which source addresses are accepted from the peer, keep it as narrow as the peer's actual addresses allow; * trusts the peer to use any address.

endpoint ip:port
    A known endpoint for this peer.

pskfile file
    The name of a file that contains a pre-shared key for communication with this peer. The use of a pre-shared key is optional. If the file /etc/wiresep/tunN.peername.psk or /etc/wiresep/peername.psk exists it is automatically used, where tunN is the name of the interface and peername is the name of this peer. A peer specific pre-shared key overrides any global or interface specific pskfile. wiresep-keygen(1) can be used to generate a pre-shared key.

pubkey key
    The peer's public key. This setting is required.
What follows is an example of the configuration of a server that is listening on the public IP 198.51.100.7, port 1022. It uses the tun0 device with the internal IP addresses 2001:db8::7 and 172.16.0.1 and allows communication with the peers Jane and Joe. Jane is allowed to use any source IP, while Joe may only use 2001:db8::4 or 172.16.0.11/30 as the source IP of his packets. The private key for the tun0 interface can be generated with "wiresep-keygen tun0". Furthermore, a peer specific pre-shared key is used with Joe; it mixes an additional symmetric secret into the handshake as a hedge against future quantum attacks on the key exchange. It is created with the command "wiresep-keygen -s tun0 joe", after which the resulting file is picked up automatically (see the peer specific pskfile setting).

The content of /etc/wiresep/wiresep.conf looks as follows:
interface tun0 {
ifaddr 2001:db8::7/126
ifaddr 172.16.0.1/24
listen 198.51.100.7:1022
peer jane {
pubkey BhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
allowedips *
}
peer joe {
pubkey AhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
allowedips 2001:db8::4
allowedips 172.16.0.11/30
}
}
Note that /etc/hostname.tun0 should not be created: wiresep(8) does the setup and teardown of the interface itself. Configuring the interface via hostname.if(5) or creating it manually with ifconfig(8) is currently not well tested, so let wiresep(8) manage the interface.
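As an added example (not part of wiresep(8) or of this manual), the following Python parses the configuration grammar described above and answers two questions worth settling before a configuration goes live: which pre-shared key file is actually in effect for each peer, given the peer-over-interface-over-global precedence and the files that are picked up automatically, and whether a given inner source address is covered by a peer's allowedips. The sample configuration is the one shown on this page. The set of existing key files is constructed, and two details are the example's own assumptions rather than statements the page makes: that an explicitly configured pskfile takes precedence over an auto-detected file at the same level, and that a value with host bits set, such as 172.16.0.11/30, is masked to its network.

```python
# Added example, not wiresep(8) code: a parser for the wiresep.conf grammar above
# plus two pre-deployment checks.  The file set and the rule that an explicit
# pskfile beats an auto-detected file at the same level are assumptions.
import ipaddress
import re
import shlex

PSK_DIR = "/etc/wiresep"  # default key directory named on the page

# The server configuration shown on the page, embedded as sample input.
SAMPLE_CONF = """interface tun0 {
    ifaddr 2001:db8::7/126
    ifaddr 172.16.0.1/24
    listen 198.51.100.7:1022
    peer jane {
        pubkey BhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
        allowedips *
    }
    peer joe {
        pubkey AhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
        allowedips 2001:db8::4
        allowedips 172.16.0.11/30
    }
}
"""
PUBKEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")  # 32-byte WireGuard key, base64

def parse(text):
    """Parse into {"settings", "interfaces": {tunN: {"settings", "peers"}}}."""
    root = {"settings": {}, "interfaces": {}}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line == "}":
            stack.pop()
            if not stack:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            continue
        words = shlex.split(line.rstrip("{"))
        if not words:
            continue
        key, args, cur = words[0], words[1:], stack[-1]
        if not line.endswith("{"):  # repeated settings keep all values, in order
            cur["settings"].setdefault(key, []).append(args)
        elif key == "interface" and cur is root and re.fullmatch(r"tun\d+", " ".join(args)):
            root["interfaces"][args[0]] = {"settings": {}, "peers": []}
            stack.append(root["interfaces"][args[0]])
        elif key == "peer" and "peers" in cur:
            cur["peers"].append({"name": args[0] if args else None, "settings": {}})
            stack.append(cur["peers"][-1])
        else:
            raise ValueError(f"line {lineno}: unexpected '{line}'")
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root

def first(settings, key):
    vals = settings.get(key)  # None when absent or given without a value
    return vals[0][0] if vals and vals[0] else None

def validate(conf):
    """Apply the page's required-setting rules; unnamed peers get pubkey[:8]."""
    problems = []
    for ifname, iface in conf["interfaces"].items():
        if "ifaddr" not in iface["settings"]:
            problems.append(f"{ifname}: ifaddr is required")
        for peer in iface["peers"]:
            pubkey = first(peer["settings"], "pubkey") or ""
            peer["name"] = peer["name"] or pubkey[:8]  # the name used in the logs
            if not PUBKEY_RE.fullmatch(pubkey):
                problems.append(f"{ifname}/{peer['name']}: pubkey missing or malformed")
            if "allowedips" not in peer["settings"]:
                problems.append(f"{ifname}/{peer['name']}: allowedips is required")
    return problems

def psk_file(conf, ifname, peer, exists):
    """Pre-shared key file in effect for peer on ifname, or None.  exists(path)
    is injected so this runs against a constructed file set instead of /etc."""
    name = peer["name"]
    candidates = [  # (path, auto): most specific level first, explicit before auto
        (first(peer["settings"], "pskfile"), False),
        (f"{PSK_DIR}/{ifname}.{name}.psk", True), (f"{PSK_DIR}/{name}.psk", True),
        (first(conf["interfaces"][ifname]["settings"], "pskfile"), False),
        (f"{PSK_DIR}/{ifname}.psk", True),
        (first(conf["settings"], "pskfile"), False),
        (f"{PSK_DIR}/global.psk", True),
    ]  # auto files count only if present; an explicit file is returned as set
    return next((p for p, auto in candidates if p and (not auto or exists(p))), None)

def source_allowed(peer, src):
    """Inner source address of a packet from this peer must lie in its allowedips.
    '*' expands to ::/0 0.0.0.0/0; host bits (172.16.0.11/30) are masked off here."""
    addr = ipaddress.ip_address(src)
    toks = [t for args in peer["settings"]["allowedips"] for t in args]
    nets = [ipaddress.ip_network(n, strict=False)
            for t in toks for n in ("::/0 0.0.0.0/0" if t == "*" else t).split()]
    return any(addr in net for net in nets)
```

With /etc/wiresep/tun0.joe.psk and /etc/wiresep/global.psk present, psk_file() reports the peer specific key for Joe and the global one for Jane, which is the precedence described above. source_allowed() rejects 172.16.0.12 for Joe because 172.16.0.11/30 masks to 172.16.0.8/30; if that is not what was intended, write the range as a network address or a /32, and check how wiresep(8) itself treats host bits in an allowedips value before relying on either behaviour.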