Furkan Turan edited this page Sep 30, 2015 · 1 revision

SigmaVPN configuration files use the fairly simple INI format. Each section denotes a session, followed by a list of key/value pairs that set the options for that session. An example configuration file is shown below.

General Options

Note: SigmaVPN is sensitive to the order in which you specify configuration parameters in sigmavpn.conf. For example, proto should be defined before any other proto_* options, local should be defined before any other local_* options and peer should be defined before any peer_* options.

proto: possible values raw, nacl0, nacltai. Set the encoding/encryption protocol to be used. (nacltai is equivalent to selecting TAI64 nonce on SigmaVPN for Android).

local: possible values tuntap, udp. Set the local interface to use on your system (normally tuntap).

peer: possible values tuntap, udp. Set the interface that should be used to communicate with your peer (normally udp).

nacl0/nacltai-specific options

proto_privatekey: Your private key as 64-bit hex. This can be generated using the naclkeypair tool; place your private key here, and give the public key to your peer.

proto_publickey: Your peer's public key as 64-bit hex. Your peer should give you their generated public key; place it here.

udp-specific options

peer_remoteaddr: IPv4/IPv6 address to send traffic to (corresponds with peer_localaddr on the remote side).

peer_remoteport: UDP port number (1 to 65535) to send traffic to (corresponds with peer_localport on the remote side).

peer_remotefloat: possible values 0 or 1. If set to 1, automatically update the remote endpoint when receiving correctly encrypted packets. This allows the remote client to change IP address or port number, and still communicate with this tunnel. (If you are setting up a tunnel for use with SigmaVPN on Android, you will probably need to use this instead of specifying peer_remoteaddr and peer_remoteport). Available since version 0.2. You may need to compile the latest source code from git for this option to be available.

peer_localaddr: IPv4/IPv6 address to listen for traffic on (corresponds with peer_remoteaddr on the remote side).

peer_localport: UDP port number (1 to 65535) to listen for traffic on (corresponds with peer_remoteport on the remote side).

peer_ipv6: 0 or 1. Specifies if the UDP connection should use IPv6. Both local and remote addresses must be specified in IPv6 format. If unspecified, IPv4 is assumed. (Please note that this option determines whether the tunnel itself should be carried over IPv6, not whether IPv6 traffic is contained inside the tunnel.)

tuntap-specific options

local_interface: Depending on the operating system, a valid network interface name (Linux 2.6+, e.g. mytunnel) or the path to a TUN or TAP device (Mac OS X, e.g. /dev/tun0).

local_tunmode: 0 or 1. Whether to use a TUN layer 3 adapter instead of a TAP layer 2 adapter (Linux 2.6+ only). TUN adapters carry only IP packets instead of Ethernet frames. Required if the other side is a SigmaVPN for Android client.

local_protocolinfo: 0 or 1. Whether to include the protocol information header when using TUN mode (Linux 2.6+ only). This is desirable - or maybe even necessary - if you wish to carry both IPv4 and IPv6 over a TUN layer 3 tunnel. Don't use this option if the other side is a SigmaVPN for Android client, even if tunnelling IPv6.

Example configuration

[peername]
proto = nacl0
proto_publickey = 1e22c6af59f23cd3c40464c29e307cbd616e3f6a743f17a33dd6bd0ae4c79e71
proto_privatekey = cf1d8756fdde0f73f0c06f7c3f4cf456c3d74596b9e559570cf27d8b34059121
local = tuntap
local_interface = /dev/tap0
peer = udp
peer_remoteaddr = 10.0.1.1
peer_remoteport = 4567
peer_localaddr = 10.0.2.1
peer_localport = 7654

On Linux 2.6+, it is likely that local_interface will just be a device name like tunnel rather than a full path like /dev/tap0.
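
An added example (not part of SigmaVPN or of the original page): a small Python linter for sigmavpn.conf that checks the ordering rule from the note under General Options together with the values and ranges listed for each option. It assumes the ordering rule applies within each session section, that keys are 64 hex characters as in the example configuration, and that lines starting with # or ; are comments; lint, CHOICES and SAMPLE are names made up for this sketch.

```python
import re

# Values and ranges below are the ones listed on this page.
CHOICES = {"proto": {"raw", "nacl0", "nacltai"},
           "local": {"tuntap", "udp"}, "peer": {"tuntap", "udp"}}
FLAGS = {"peer_remotefloat", "peer_ipv6", "local_tunmode", "local_protocolinfo"}
PORTS = {"peer_remoteport", "peer_localport"}
KEYS = {"proto_publickey", "proto_privatekey"}
# Assumption: keys are 64 hex characters, as in the page's example configuration.
HEX64 = re.compile(r"[0-9a-fA-F]{64}")

def lint(text):
    """Return (line_number, session, message) findings for a sigmavpn.conf text."""
    findings, session, seen = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # assumption: '#' and ';' start comments
            continue
        if line.startswith("[") and line.endswith("]"):
            session, seen = line[1:-1], set()   # assumption: ordering is per session
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        base, problem = key.split("_")[0], None
        if not sep:
            problem = "expected 'key = value'"
        elif "_" in key and base in CHOICES and base not in seen:
            problem = f"{key} appears before {base}"
        elif key in CHOICES and value not in CHOICES[key]:
            problem = f"{key} must be one of {sorted(CHOICES[key])}"
        elif key in FLAGS and value not in ("0", "1"):
            problem = f"{key} must be 0 or 1"
        elif key in PORTS and not (value.isascii() and value.isdigit()
                                   and 1 <= int(value) <= 65535):
            problem = f"{key} must be a port number from 1 to 65535"
        elif key in KEYS and not HEX64.fullmatch(value):
            problem = f"{key} is not 64 hex characters"   # never echo the key itself
        if problem:
            findings.append((n, session, problem))
        seen.add(key)
    return findings

# Constructed sample with deliberate mistakes; the key is a dummy value.
SAMPLE = f"""[site-a]
proto_publickey = {'ab' * 32}
proto = nacl0
proto_privatekey = tooshort
peer = udp
peer_ipv6 = yes
peer_remoteport = 70000
"""
```

Calling lint(SAMPLE) reports lines 2, 4, 6 and 7; the messages name the option but never print key material, so the output is safe to paste into a ticket.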