@node User manual @unnumbered User manual GoVPN is split into two pieces: client and server. Each of them work on top of UDP and TAP virtual network interfaces. Client and server have several common configuration command line options: @table @asis @item Timeout Because of stateless UDP nature there is no way to know if remote peer is dead, but after some timeout. Client and server heartbeats each other every third part of heartbeat. Also this timeout is the time when server purge his obsolete handshake and peers states. @item Allowable nonce difference To prevent replay attacks we just remembers latest received nonce number from the remote peer and drops those who has lower ones. Because UDP packets can be reordered during: that behaviour can lead to dropping of not replayed ones. This options gives ability to create some window of allows difference. That opens the door for replay attacks for narrow time interval. @item MTU Maximum transmission unit. @end table Client needs to know his identification, path to the authentication key, remote server's address, TAP interface name, and optional path to up and down scripts, that will be executed after connection is either initiated or terminated. Server needs to know only the address to listen on and path to directory containing peers information. This directory must contain subdirectories with the names equal to client's identifications. Each of them must have key file with corresponding authentication key, up.sh script that has to print interface's name on the first line and optional down.sh. @menu * Example usage:: @end menu @node Example usage @section Example usage Let's assume that there is some insecure link between your computer and WiFi-reachable gateway. You have got preconfigured @code{wlan0} network interface with 192.168.0/24 network. You want to create virtual encrypted and authenticated 172.16.0/24 network and use it as a default transport. MTU for that wlan0 is 1500 bytes. GoVPN will say that maximum MTU for the link is 1476, however it does not take in account TAP's Ethernet frame header length, that in my case is 14 bytes long (1476 - 14). Do not forget about setting @code{GOMAXPROC} environment variable for using more than one CPU. At first you have to generate client's authentication key and client's unique identification. There is @code{utils/newclient.sh} script for convenience. @example % ./utils/newclient.sh Alice peers/9b40701bdaf522f2b291cb039490312/Alice @end example @code{9b40701bdaf522f2b291cb039490312} is client's identification. @code{Alice} is just an empty file that can help to search them like this: @verb{|find peers -name Alice|}. @code{key} file inside peer's directory contains authentication key. GNU/Linux IPv4 client-server example: @example server% echo "#!/bin/sh" > peers/CLIENTID/up.sh server% echo "echo tap10" >> peers/CLIENTID/up.sh server% chmod 500 peers/CLIENTID/up.sh server% ip addr add 192.168.0.1/24 dev wlan0 server% tunctl -t tap10 server% ip link set mtu 1462 dev tap10 server% ip addr add 172.16.0.1/24 dev tap10 server% ip link set up dev tap10 server% GOMAXPROC=4 govpn-server -bind 192.168.0.1:1194 @end example @example client% umask 066 client% echo MYLONG64HEXKEY > key.txt client% ip addr add 192.168.0.2/24 dev wlan0 client% tunctl -t tap10 client% ip link set mtu 1462 dev tap10 client% ip addr add 172.16.0.2/24 dev tap10 client% ip link set up dev tap10 client% ip route add default via 172.16.0.1 client% export GOMAXPROC=4 client% while :; do govpn-client -key key.txt -id CLIENTID -iface tap10 -remote 192.168.0.1:1194 done @end example FreeBSD IPv6 client-server example: @example server% cat > peers/CLIENTID/up.sh < up.sh <