-
Notifications
You must be signed in to change notification settings - Fork 947
/
edge.8
285 lines (270 loc) · 11.2 KB
/
edge.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
.TH edge 8 "18 Jul 2021" "version 3" "SUPERUSER COMMANDS"
.SH NAME
edge \- n2n edge node daemon
.SH SYNOPSIS
.B edge
<config file>
.br
.B edge
\-c <community> \-l <supernode host:port> [further options]...
.SH DESCRIPTION
N2N is a peer-to-peer VPN system. Edge is the edge node daemon for n2n which
creates a TAP interface to expose the n2n virtual LAN. On startup n2n creates
the TAP interface and configures it then registers with the supernode so it can
begin to find other nodes in the community.
.PP
The config file is similar to the command line, with one option per line.
Lines starting with a "#" are ignored.
An equal sign ('=') should be used between key and value. Example: -p=7777
.SH OPTIONS FOR THE UNDERLYING NETWORK CONNECTION
.TP
\fB\-c \fR<\fIcommunity\fR>, \fB\-\-community\fR=<\fIcommunity\fR>
sets the n2n community name (see also N2N_COMMUNITY in ENVIRONMENT). All edges
within the same community appear on the same LAN (layer 2 network segment).
Community name is 16 bytes in length. A name smaller than this is padded with
0x00 bytes and a name longer than this is truncated to take the first 16 bytes.
.TP
\fB\-l \fR<\fIhost:port\fR>, \fB\-\-supernode-list\fR=<\fIhost:port\fR>
sets the n2n supernode IP address and port to register to. Multiple supernodes
can be specified.
.TP
\fB\-p \fR[<\fIlocal_ip_address\fR>:]<\fIlocal_port\fR>
binds edge to the given UDP port. Useful for keeping the same external socket
across restarts of edge. This allows peer edges which know the edge socket to
continue p2p operation without going back to the supernode. Also, home router's
port forwarding feature can refer to that fixed port.
Optionally, the edge can bind to the provided local ip address only. This is
useful in case restriction to a certain LAN or WiFi interface is desired.
By default, the edge binds to any interface.
.TP
\fB\-T \fR<\fItos\fR>
TOS for packets, e.g. 0x48 for SSH like priority
.TP
\fB\-D\fR
enable PMTU discovery, it can reduce fragmentation but
causes connections to stall if not properly supported
.TP
\fB\-e \fR<\fIlocal_ip_address\fR>
advertises the provided local IP address as preferred,
useful if multicast peer detection is not available, e.g.
disabled on routers. \fB\-e auto\fR tries auto-detection of
local IP address.
.TP
\fB\-S1\fR ... \fB\-S2\fR
do not connect p2p, always use the supernode,
\-S1 = via UDP, \-S2 = via TCP
.TP
\fB\-i \fR<\fIreg_interval\fR>
Supernode registration interval. It specifies the interval in seconds
between consecutive REGISTER_SUPER packets and it's used to keep NAT hole
open via the UDP NAT hole punching technique. This only works for asymmetric
NATs and allows for P2P communication.
.TP
\fB\-L \fR<\fIreg_ttl\fR>
set the TTL for the hole punching packet. This is an advanced flag to make
sure that the registration packet is dropped immediately when it goes out of
local nat so that it will not trigger some firewall behavior on target peer.
Actually, the registration packet is only expected to make local nat UDP hole
and is not expected to reach the target peer, see
https://tools.ietf.org/html/rfc5389. To achieve this, the flag should be set as
nat level + 1. For example, if we have 2 layer nat in local, we should set -L 3.
Usually we know exactly how much nat layers in local.
If we are not sure how much nat layers in local, we can use traceroute on
Linux to check. The following example shows a local single layer nat because on
second jump it shows a public ip address. In this case it should set -L 2.
$ /usr/sbin/traceroute -w1 8.8.8.8
.br
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.3.1 (192.168.3.1) 0.464 ms 0.587 ms 0.719 ms
2 112.65.17.217 (112.65.17.217) 5.269 ms 7.031 ms 8.666 ms
But this method does not always work due to various local network device policy.
.TP
\fB\-k \fR<\fIkey\fR>
encryption key (ASCII) - also N2N_KEY=<key>
\-k <keystring>
sets the encryption key from ASCII text (see also N2N_KEY in
ENVIRONMENT). All edges communicating must use the same key and community
name. If -k not specified then edge uses cleartext mode (no encryption).
.TP
\fB\-A1\fR
disable payload encryption, do not use with key, defaults to AES then
.TP
\fB\-A2\fR ... \fB\-A5\fR
choose a cipher for payload encryption, requires a key,
\-A2 = Twofish, \-A3 = AES (default if key provided),
\-A4 = ChaCha20, \-A5 = Speck-CTR
.TP
\fB\-H\fR
use header encryption, supernode needs fixed community
.TP
\fB\-z1\fR ... \fB\-z2\fR
compress outgoing data packets, -z1 = lzo1x, disabled by default
.TP
\fB\-\-select-rtt\fR
select supernode by round trip time if several to choose from (federation),
defaults to load-based selection strategy if not provided.
.TP
\fB\-\-select-mac\fR
select supernode by MAC address if several to choose from (federation),
lowest MAC address first.
.SH TAP DEVICE AND OVERLAY NETWORK CONFIGURATION
.TP
\fB\-a \fR[\fImode\fR]<\fIip\fR>[\fI/n\fR]
interface address and optional CIDR subnet, default '/24',
mode = [static|dhcp]:, for DHCP use '\-r -a dhcp:0.0.0.0',
edge draws IP address from supernode if no '\-a ...' given
.TP
\fB\-m \fR<\fImac\fR>
start the TAP interface with the given MAC address. This is highly recommended
as it means the same address will be used if edge stops and restarts. If this is
not done, the ARP caches of all peers will be wrong and packets will not flow to
this edge until the next ARP refresh.
e.g. '\-m 10:20:30:40:50:60', by default a random MAC address is used.
.TP
\fB\-d \fR<\fIdevice\fR>, \fB\-\-device\fR=<\fIdevice\fR>
TAP device name
.TP
\fB\-M \fR<\fImtu\fR>
specify n2n MTU of TAP interface, default 1290
.TP
\fB\-r\fR
enable IP packet forwarding/routing through the n2n virtual LAN. Without this
option, IP packets arriving over n2n are dropped if not for the -a <addr> (or
DHCP assigned) IP address of the edge interface. This option is also required
to allow n2n device being used in network bridging, e.g. with brctl.
.TP
\fB\-E\fR
accept packets destined for multicast ethernet MAC addresses. These addresses
are used in multicast ethernet and IPv6 neighbour discovery. If this option is
not present these multicast packets are discarded as most users do not need or
understand them.
.TP
\fB\-I \fR<\fIdescription\fR>
annotate the edge's description used for easier
identification in management port output or username
.TP
\fB\-J \fR<\fIpassword\fR>
password for user-password edge authentication (see also N2N_PASSWORD in ENVIRONMENT)
.TP
\fB\-P \fR<\fIpublic key\fR>
federation public key for user-password authentication
.TP
\fB\-R \fR<\fIrule_str\fR>
Add rule to drop or accept specific packet transmit over edge network interface.
-R rule_str can be used multiple times to add multiple rules. Each -R rule_str add
one rule.
rule_str format:"src_ip/len:[b_port,e_port],dst_ip/len:[s_port,e_port],TCP+/-,UDP+/-,ICMP+/-".
ip/len indicate a cidr block, len can be ignore, means single ip(not cidr block)
will be use in filter rule.
+,- after TCP,UDP,ICMP proto type indicate allow or drop packet of that proto.
if any of above three proto missed, the rule will not take effect for that proto.
Ports range [s_port,e_port] can be instead by single port number. If not specify, [0,65535]
will be used. Ports range include start_port and end_port. If multiple rules matching packet's
ips and ports, the rule with smaller cidr block(smaller address space) will be selected. That
means rules with larger len value has higher priority.
Packets that cannot match any rule will be accepted by default. Users can add rules to
block traffics. This behavior can be change by add the rule : `0.0.0.0/0:[0,65535],0.0.0.0/0:
[0,65535],TCP-,UDP-,ICMP-`. Then all traffic will be dropped, users need add rules to allow
traffics.
for example : `-R 0.0.0.0/0,0.0.0.0/0,TCP-,UDP-,ICMP- -R 192.168.100.0/24,192.168.100.0/24,ICMP+`,
.TP
\fB\-x \fR<\fImetric\fR>
set TAP interface metric, defaults to 0 (auto),
e.g. set to 1 for better multiplayer game detection.
.br
(Windows only)
.SH LOCAL OPTIONS
.TP
\fB\-f\fR
do not fork and run as a daemon, rather run in foreground
.TP
\fB\-t \fR<\fIport\fR>
binds the edge management system to the given UDP port. Default 5644. Use this
if you need to run multiple instance of edge; or something is bound to that
port.
.TP
\fB\-\-management-password \fR<\fIpassword\fR>
sets the password for access to JSON API at the management port, defaults to 'n2n'. The password
has to be provided when using 'scripts/n2n-ctl', 'scripts/n2n-httpd' or for any other relevant
access to JSON API at the management port.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
make more verbose, repeat as required
.TP
\fB\-V\fR
make less verbose, repeat as required
.TP
\fB\-u \fR<\fIUID\fR>, \fB\-\-euid\fR=<\fIUID\fR>
numeric user ID to use when privileges are dropped
.TP
\fB\-g \fR<\fIGID\fR>, \fB\-\-egid\fR=<\fIGID\fR>
numeric group ID to use when privileges are dropped
.TP
\fb\-h\fr
write usage then exit.
.TP
\fb\--help\fr
shows detailed parameter description
.SH ENVIRONMENT
.TP
.B N2N_KEY
set the encryption key so it is not visible at the command line
.TP
.B N2N_COMMUNITY
set the community name so it is not visible at the command line
.TP
.B N2N_PASSWORD
set the password for user-password authentication so it is not visible at the command line
.SH EXAMPLES
.TP
.B edge \-d n2n0 \-c mynetwork \-k encryptme \-u 99 \-g 99 \-m DE:AD:BE:EF:01:23 \-a 192.168.254.7 \-p 50001 \-l 123.121.120.119:7654
Start edge with TAP device n2n0 on community "mynetwork" with community
supernode at 123.121.120.119 UDP port 7654 and bind the locally used UDP port to
50001. Use "encryptme" as the single permanent shared encryption key. Assign MAC
address DE:AD:BE:EF:01:23 to the n2n interface and drop to user=99 and group=99
after the TAP device is successfully configured.
.PP
Add the -f option to stop edge running as a daemon.
.PP
Somewhere else setup another edge with similar parameters, eg.
.B edge \-d n2n0 \-c mynetwork \-k encryptme \-u 99 \-g 99 \-m DE:AD:BE:EF:01:21 \-a 192.168.254.5 \-p 50001 \-l 123.121.120.119:7654
.PP
Now you can ping from 192.168.254.5 to 192.168.254.7.
.PP
The MAC address (-m <MAC>) and virtual IP address (-a <addr>) must be different
on all edges in the same community.
.SH CLEARTEXT MODE
If
.B -k
is not specified then edge uses cleartext mode. In cleartext mode there is no
transform of the packet data it is simply encrypted. This is useful for
debugging n2n as packet contents can be seen clearly.
To prevent accidental exposure of data, edge only enters cleartext mode when no
keying parameters are specified. In the case where keying parameters are
specified but no valid keys can be determined, edge exits with an error at
startup. If all keys become invalid while running, edge continues to encode
using the last key that was valid.
.SH MANAGEMENT INTERFACE
Edge provides a very simple management system on UDP port 5644. Send a newline
to receive a status output. Send 'stop' to cause edge to exit cleanly.
.TP
.B echo | nc -w1 -u 127.0.0.1 5644
Shows the current statistics of a running edge.
.SH EXIT STATUS
edge is a daemon and any exit is an error.
.SH AUTHORS
.TP
Richard Andrews
andrews (at) ntop.org - n2n-1 maintainer and main author of n2n-2
.TP
Luca Deri
deri (at) ntop.org - original author of n2n
.TP
Don Bindner
(--) - significant contributions to n2n-1
.SH SEE ALSO
ifconfig(8) supernode(1) tunctl(8) n2n(7)
.br
the documentation contained in the source code
.br
the extensive documentation found in n2n's \fBdoc/\fR folder