
Untitled

a guest
Dec 10th, 2017
  1. # This is the FreeLAN configuration file
  2. #
  3. # All file and directory paths are relative to this file.
  4.  
  5. [server]
  6.  
  7. # Whether to use the embedded HTTP(S) server.
  8. #
  9. # The embedded HTTP(S) server allows one host to sign certificates for other
  10. # hosts and to provide them with a centralized configuration.
  11. #
  12. # Possible values: yes, no
  13. #
  14. # Default: no
  15. #enabled=no
  16.  
  17. # The endpoint to listen on.
  18. #
  19. # The endpoint can be in both numeric and hostname format, and must always
  20. # contain a port specification.
  21. #
  22. # Hostnames are resolved using the method specified by
  23. # network.hostname_resolution_protocol.
  24. #
  25. # Using a numeric value is recommended.
  26. #
  27. # Example values: 0.0.0.0:80, [::]:80, localhost:80, 10.0.0.1:80
  28. # Default: 0.0.0.0:443
  29. #listen_on=0.0.0.0:443
  30.  
  31. # The protocol.
  32. #
  33. # The protocol to use to contact the server.
  34. #
  35. # The only reason to specify something other than "https" here is if the
  36. # server is hosted behind a proxying web server.
  37. #
  38. # Note: while freelan's embedded web server is perfectly capable of
  39. # serving over https, its configuration options are really limited by
  40. # design. If you are serious about serving thousands of users over HTTPS
  41. # and/or need a complex certificate setup, switch to HTTP and host freelan's
  42. # web server behind a proxying web server that can handle the load (nginx,
  43. # apache, IIS).
  44. #
  45. # Default: https
  46. #protocol=https
  47.  
  48. # The web server certificate file to use when in "https" mode.
  49. #
  50. # If no server certificate is specified, one is generated using the hostname
  51. # guessed from the operating system, which may or may not be the correct one.
  52. #
  53. # Default: <none>
  54. #server_certificate_file=
  55.  
  56. # The web server private key file associated to the certificate file.
  57. #
  58. # Default: <none>
  59. #server_private_key_file=
  60.  
  61. # The certificate authority certificate file used for signing.
  62. #
  63. # This file will be used to sign certificate requests issued by other hosts.
  64. #
  65. # If no certificate is provided, one will be generated on each run. This means
  66. # that the network won't be as robust, and it is NOT recommended.
  67. #
  68. # Default: <none>
  69. #certification_authority_certificate_file=
  70.  
  71. # The private key associated to the certification authority certificate file.
  72. #
  73. # This private key must match the specified certification authority certificate
  74. # file.
  75. #
  76. # Default: <none>
  77. #certification_authority_private_key_file=
  78.  
  79. # The authentication script to call.
  80. #
  81. # Every time a user tries to authenticate, this script will be called.
  82. #
  83. # The script environment will contain the following variables:
  84. # - FREELAN_USERNAME: The specified username.
  85. # - FREELAN_PASSWORD: The specified password. Avoid logging or echoing it from the script.
  86. # - FREELAN_REMOTE_HOST: The hostname/address of the connecting user.
  87. # - FREELAN_REMOTE_PORT: The port number of the connecting user
  88. # initiating the authentication request.
  89. #
  90. # If the script exit status is zero, the authentication is accepted.
  91. # If the script exit status is non-zero, the authentication is rejected.
  92. #
  93. # Warning: failing to specify an authentication_script will cause ALL
  94. # authentication requests to be rejected !
  95. #
  96. # Default: <empty>
  97. #authentication_script=
  98.  
  99. [client]
  100.  
  101. # Whether to connect to a freelan server to get client information.
  102. #
  103. # Possible values: yes, no
  104. #
  105. # Default: no
  106. #enabled=no
  107.  
  108. # The server endpoint to connect to.
  109. #
  110. # The endpoint can be in both numeric and hostname format, and must always
  111. # contain a port specification.
  112. #
  113. # Hostnames are resolved using the method specified by
  114. # network.hostname_resolution_protocol.
  115. #
  116. # Example values: 127.0.0.1:443, [fe80::1]:443, somehost:443
  117. # Default: 127.0.0.1:443
  118. #server_endpoint=127.0.0.1:443
  119.  
  120. # The protocol.
  121. #
  122. # The protocol to use to contact the server.
  123. #
  124. # Using any value other than https completely nullifies security and must NEVER
  125. # be used in a production environment !
  126. #
  127. # Default: https
  128. #protocol=https
  129.  
  130. # Whether to disable peer verification.
  131. #
  132. # Turn off checks for peer certificate verification. Useful for accepting
  133. # self-signed certificates but be aware that this allows an attacker to pretend
  134. # he is the server and get your username and password. Should NEVER be used in
  135. # a production environment.
  136. #
  137. # Default: no
  138. #disable_peer_verification=no
  139.  
  140. # Whether to disable host verification.
  141. #
  142. # Turn off checks for host certificate verification. This allows the remote host
  143. # to present any certificate, even with a non-matching hostname. This completely
  144. # nullifies security and should NEVER be used in
  145. # a production environment.
  146. #
  147. # Default: no
  148. #disable_host_verification=no
  149.  
  150. # The username.
  151. #
  152. # The username to use to connect to the server.
  153. #
  154. # Default: <empty>
  155. #username=
  156.  
  157. # The password.
  158. #
  159. # The password to use to connect to the server.
  160. #
  161. # Default: <empty>
  162. #password=
  163.  
  164. # Specify hostnames or IP addresses to advertise.
  165. #
  166. # You may repeat the public_endpoint option to add several hostnames or IP
  167. # addresses.
  168. #
  169. # Specifying either 0.0.0.0 or :: in an IP address declaration has a special
  170. # meaning: the server will replace the IP address with the visible address
  171. # of the host as it makes the HTTP(S) request.
  172. #
  173. # Note: if only :: is specified and the server is contacted using IPv4, then
  174. # the address is discarded. Same goes for the reverse situation (0.0.0.0 and
  175. # server contacted in IPv6).
  176. #
  177. # If the port number is omitted, then the currently bound port number will be
  178. # used instead before sending public endpoint information to the server. As a
  179. # result, specifying an explicit port number is only useful when your client
  180. # is behind a NAT-operating device that might change the source port number.
  181. #
  182. # Examples: 192.168.0.1, [fe80::1]:12000, hostname:1234, 0.0.0.0, ::
  183. # Default: <none>
  184. public_endpoint=0.0.0.0
  185.  
  186. [fscp]
  187.  
  188. # The protocol to use for hostname resolution.
  189. #
  190. # Possible values are: ipv4, ipv6
  191. #
  192. # Default: ipv4
  193. #hostname_resolution_protocol=ipv4
  194.  
  195. # The endpoint to listen on.
  196. #
  197. # The endpoint can be in both numeric and hostname format, and must always
  198. # contain a port specification.
  199. #
  200. # Hostnames are resolved using the method specified by
  201. # network.hostname_resolution_protocol.
  202. #
  203. # Using a numeric value is recommended.
  204. #
  205. # Example values: 0.0.0.0:12000, [::]:12000, localhost:12000, 10.0.0.1:12000
  206. # Default: 0.0.0.0:12000
  207. listen_on=0.0.0.0:50000
  208.  
  209. # The interface to listen on.
  210. #
  211. # This option restricts all VPN traffic to the specified interface. This is
  212. # useful to avoid VPN death-loops in case the routing table is misconfigured.
  213. #
  214. # This option is only available on Linux.
  215. #
  216. # Example values: eth0, eth1, wlan0
  217. # Default: <none>
  218. #listen_on_device=
  219.  
  220. # The timeout for hello messages.
  221. #
  222. # The time to wait for hello responses, in milliseconds.
  223. #
  224. # Default: 3000
  225. #hello_timeout=3000
  226.  
  227. # The contact list.
  228. #
  229. # The list of hosts to connect to.
  230. #
  231. # You may repeat the contact option to add several hosts.
  232. #
  233. # Examples: 192.168.0.1, [fe80::1]:12000, hostname:1234, some.other.host.org:1234
  234. # Default: <none>
  235. #contact=192.168.0.1:12000
  236. contact=66.25.32.230:12000
  237.  
  238. # Whether to accept contact requests.
  239. #
  240. # If set to yes, freelan will answer to contact requests sent by other hosts.
  241. #
  242. # It is recommended that this option is set to enhance connectivity.
  243. #
  244. # Possible values: yes, no
  245. #
  246. # Default: yes
  247. #accept_contact_requests=yes
  248.  
  249. # Whether to accept contacts.
  250. #
  251. # If set to yes, freelan will accept contacts sent by other hosts and will try
  252. # to establish a session with those contacts, just as if there was a "contact="
  253. # option for them.
  254. #
  255. # It is recommended that this option is set to enhance connectivity.
  256. #
  257. # To control which hosts are contacted automatically, see the "never_contact"
  258. # option.
  259. #
  260. # Possible values: yes, no
  261. #
  262. # Default: yes
  263. #accept_contacts=yes
  264.  
  265. # Specify certificates for which a dynamic host search must be performed.
  266. #
  267. # The freelan daemon will periodically send a contact request to his neighbors
  268. # for each of these certificates.
  269. #
  270. # Note: this option can only be used with certificate-based authentication. If
  271. # you are using a passphrase there is no way of identifying the peers since
  272. # they all share the same secret passphrase. There is no way of implementing the
  273. # feature: please don't ask, it just isn't possible.
  274. #
  275. # This option is only useful if "accept_contacts" is set.
  276. #
  277. # You may repeat the dynamic_contact option to add several dynamic hosts.
  278. #
  279. # Default: <none>
  280. #dynamic_contact_file=
  281.  
  282. # Specify IP networks that should never be automatically contacted.
  283. #
  284. # If the freelan daemon receives a contact which belongs to one of the
  285. # specified "never_contact" networks, it will not try to establish a session
  286. # with it.
  287. #
  288. # You may repeat the never_contact option to add several IP networks.
  289. #
  290. # Default: <none>
  291. #never_contact=9.0.0.0/24
  292. #never_contact=2aa1::1/8
  293. #never_contact=1.2.3.4
  294.  
  295. # Specify the cipher suites to use for the sessions.
  296. #
  297. # The cipher suites must be declared in order of preference.
  298. #
  299. # If another host doesn't support any of the specified suites, no session
  300. # can be established with it.
  301. #
  302. # You may repeat the cipher_suite_capability option to add several supported
  303. # cipher suites. (The key set below is spelled cipher_capability; confirm which name your FreeLAN version reads.)
  304. #
  305. # Available values:
  306. # * ecdhe_rsa_aes256_gcm_sha384
  307. # * ecdhe_rsa_aes128_gcm_sha256
  308. #
  309. # Default: ecdhe_rsa_aes256_gcm_sha384, ecdhe_rsa_aes128_gcm_sha256
  310. #cipher_capability=ecdhe_rsa_aes256_gcm_sha384
  311. cipher_capability=ecdhe_rsa_aes128_gcm_sha256
  312.  
  313. # Specify the elliptic curves to use for the sessions.
  314. #
  315. # The elliptic curves must be declared in order of preference.
  316. #
  317. # If another host doesn't support any of the specified curves, no session
  318. # can be established with it.
  319. #
  320. # You may repeat the elliptic_curve_capability option to add several supported
  321. # elliptic curves.
  322. #
  323. # Available values:
  324. # * sect571k1
  325. # * secp384r1
  326. # * secp521r1
  327. #
  328. # Default: sect571k1, secp384r1
  329. #elliptic_curve_capability=sect571k1
  330. #elliptic_curve_capability=secp384r1
  331.  
  332. [tap_adapter]
  333.  
  334. # The tap adapter type.
  335. #
  336. # The tap adapter type determines the encapsulation layer for VPN frames. Even
  337. # if there is no tap adapter enabled, this parameter determines if the freelan
  338. # instances runs in switch (layer 2) or router (layer 3) mode.
  339. #
  340. # Note: If you want to use tun on POSIX systems, make sure you have IP
  341. # forwarding enabled. Namely, on Linux make sure that the following command:
  342. #
  343. # > cat /proc/sys/net/ipv4/ip_forward
  344. #
  345. # Displays 1.
  346. #
  347. # Possible values: tap, tun
  348. #
  349. # Default: tap
  350. #type=tap
  351.  
  352. # Whether to use the tap adapter.
  353. #
  354. # Possible values: yes, no
  355. #
  356. # Default: yes
  357. #enabled=yes
  358.  
  359. # The name of the tap adapter to use or create.
  360. #
  361. # On Windows, the GUID of an existing tap adapter is expected. It may be found
  362. # in the registry:
  363. #
  364. # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
  365. #
  366. # If no name or an empty name is provided, the first available adapter will be
  367. # used.
  368. #
  369. # On UNIX, it is the name of the tap adapter to create. Depending on your
  370. # system, some names might be restricted, and something in the form of tapX
  371. # (where X is a positive number) is recommended.
  372. #
  373. # If no name or an empty name is provided, a tap adapter will be created with
  374. # an available name.
  375. #
  376. # Should you need to know it, you may get that name by specifying an up_script.
  377. #
  378. # Default: <empty>
  379. #name=
  380.  
  381. # The Maximum Transmission Unit (MTU) for the tap adapter.
  382. #
  383. # This value is used to set the MTU on the tap adapter.
  384. #
  385. # You may specify anything but note that specifying a too small or too big
  386. # value can cause performance issues or kernel crashes.
  387. #
  388. # Also note that changing the MTU of the interface is done in a best effort
  389. # manner: there is no guarantee that the setting will stick or will be exactly
  390. # as requested.
  391. #
  392. # Use this at your own risk.
  393. #
  394. # Possible values: auto, system, <any positive integer value>
  395. #
  396. # - auto: The value for the MTU is computed automatically.
  397. # - system: The system default value is taken (usually 1500).
  398. # - Any strictly positive integer value (eg. 1446).
  399. #
  400. # Default: auto
  401. #mtu=auto
  402.  
  403. # The MSS override.
  404. #
  405. # If the MSS override is enabled, FreeLAN will hijack outgoing TCP SYN frames
  406. # that contain a MSS value higher than the specified threshold and replace its
  407. # value. This has the effect of preventing IP fragmentation at the physical
  408. # interface level and results in tremendous performance gains for TCP connections.
  409. #
  410. # Possible values: auto, disabled, <any positive integer value>
  411. #
  412. # - auto: Compute the MSS value automatically based on the effective MTU value
  413. # (the one read from the interface, which may differ from the one set in the
  414. # configuration file).
  415. # - disabled: The MSS override is disabled.
  416. # - Any strictly positive integer value (eg. 1392).
  417. #
  418. # Default: auto
  419. #mss_override=auto
  420.  
  421. # The metric for the tap adapter.
  422. #
  423. # This value is used only on Windows and affects routing.
  424. #
  425. # By default Windows assigns a metric to an interface according to its link speed.
  426. # Since Win32 TAP Adapters incorrectly report a link speed of 10 Mbits/s, the
  427. # default system-assigned metric is high (30) which can cause routes for this
  428. # interface not to be chosen.
  429. #
  430. # Possible values: auto, system, <any positive integer value>
  431. #
  432. # - auto: The value for the metric is chosen by freelan so that the VPN network
  433. # has precedence over the physical one.
  434. # - system: The system default value is taken (usually 30).
  435. # - Any positive integer value (eg. 3).
  436. #
  437. # Default: auto
  438. #metric=auto
  439.  
  440. # The tap adapter IPv4 address and prefix length to use.
  441. #
  442. # The network address must be in numeric format with a netmask suffix.
  443. #
  444. # On Windows, the prefix length is ignored (but still must be specified) and
  445. # the netmask is determined according to the IPv4 class. It is recommended that
  446. # you set the network.enable_dhcp_proxy option.
  447. #
  448. # Commenting this out will result in no IPv4 networking. You cannot supply a blank value.
  449. #
  450. ipv4_address_prefix_length=9.0.0.2/24
  451.  
  452. # The tap adapter IPv6 address and prefix length to use.
  453. #
  454. # The network address must be in numeric format with a netmask suffix.
  455. #
  456. # Commenting this out will result in no IPv6 networking. You cannot supply a blank value.
  457. #
  458. ipv6_address_prefix_length=2aa1::1/8
  459.  
  460. # The remote IPv4 address for tun interfaces.
  461. #
  462. # Some systems use this address combined with the prefix length specified in
  463. # `ipv4_address_prefix_length` to create the route that uses the tun adapter.
  464. #
  465. # If not specified, the default is the network address associated with
  466. # `ipv4_address_prefix_length`.
  467. #
  468. # For instance, if `ipv4_address_prefix_length` is "9.0.1.5/24", then the
  469. # default value of `remote_ipv4_address` will be "9.0.1.0".
  470. #
  471. # This parameter is ignored in tap mode.
  472. #
  473. # Default: <network address of `ipv4_address_prefix_length`>
  474. #remote_ipv4_address=9.0.0.0
  475.  
  476. # Whether to enable the ARP proxy.
  477. #
  478. # When the ARP proxy is enabled, all ARP requests are silently rerouted to an
  479. # internal ARP server that always replies positively. Remote hosts never
  480. # receive any ARP request.
  481. #
  482. # Warning: Setting this parameter can lead to connectivity issues. It is
  483. # provided solely for debugging and testing purposes.
  484. #
  485. # Default: no
  486. #arp_proxy_enabled=no
  487.  
  488. # The ARP proxy fake ethernet address.
  489. #
  490. # If tap_adapter.arp_proxy_enabled is not set, this option is ignored.
  491. #
  492. # Default: 00:aa:bb:cc:dd:ee
  493. #arp_proxy_fake_ethernet_address=00:aa:bb:cc:dd:ee
  494.  
  495. # Whether to enable the DHCP proxy.
  496. #
  497. # When the DHCP proxy is enabled, all BOOTP/DHCP requests are silently rerouted
  498. # to an internal DHCP server. Remote hosts never receive any DHCP request.
  499. #
  500. # The TAP interface must be ready to issue DHCP requests if this option is set.
  501. #
  502. # This option is mainly useful on old Windows versions for IPv4
  503. # addresses. On Windows, if this option is set, no attempt to directly set the
  504. # IPv4 address will be made.
  505. #
  506. # Default: yes
  507. dhcp_proxy_enabled=yes
  508.  
  509. # The DHCP proxy server IPv4 address and prefix length to use.
  510. #
  511. # This value should be different from
  512. # network.ipv4_address_prefix_length but within the same network.
  513. #
  514. # Note that while this option expects a valid host IPv4 address, providing a
  515. # network address also works on both Windows and POSIX operating systems.
  516. #
  517. # Default: 9.0.0.0/24
  518. dhcp_server_ipv4_address_prefix_length=9.0.0.0/24
  519.  
  520. # The DHCP proxy server IPv6 address and prefix length to use.
  521. #
  522. # This value should be different from
  523. # network.ipv6_address_prefix_length but within the same network.
  524. #
  525. # Note that while this option expects a valid host IPv6 address, providing a
  526. # network address also works on both Windows and POSIX operating systems.
  527. #
  528. # Default: 2aa1::/8
  529. #dhcp_server_ipv6_address_prefix_length=2aa1::/8
  530.  
  531. # The script to call when the tap adapter is up and running.
  532. #
  533. # The script is called with the tap adapter's name as its first argument.
  534. #
  535. # The script exit status is ignored.
  536. #
  537. # Default: <empty>
  538. #up_script=
  539.  
  540. # The script to call when the tap adapter is set down.
  541. #
  542. # The script is called with the tap adapter's name as its first argument.
  543. #
  544. # The script exit status is ignored.
  545. #
  546. # Default: <empty>
  547. #down_script=
  548.  
  549. [switch]
  550.  
  551. # The routing method for messages.
  552. #
  553. # Possible values: switch, hub
  554. #
  555. # - switch: Act like a switch. Messages are only sent to the right host when
  556. # its address is known.
  557. # - hub: Send all messages to everyone on the network. The memory footprint is
  558. # slightly reduced at the cost of much higher bandwidth usage. Recommended for
  559. # 1-to-1 networks only.
  560. #
  561. # Warning: At any time, if the memory consumption is too high, the
  562. # routing_method may be temporarily switched from "switch" to "hub" to prevent
  563. # DoS attacks.
  564. #
  565. # Default: switch
  566. #routing_method=switch
  567.  
  568. # Whether to enable the relay mode.
  569. #
  570. # Possible values: no, yes
  571. #
  572. # - no: Not relaying frames from one remote host to the other.
  573. # - yes: Transmits frames from one host to the other.
  574. #
  575. # If you enable relay mode, it is recommended that routing_method is set to
  576. # switch.
  577. #
  578. # Default: no
  579. #relay_mode_enabled=no
  580.  
  581. [router]
  582.  
  583. # The local IP routes.
  584. #
  585. # The list of routes to advertise to the other peers.
  586. #
  587. # Those routes may contain a gateway.
  588. #
  589. # You may repeat the local_ip_route option to add several routes.
  590. #
  591. # Examples:
  592. # - 192.168.0.0/24
  593. # - 192.168.0.0/24 => 9.0.0.1
  594. # - fe80::1/64
  595. # - fe80::1/64 => fe80::ffff
  596. # - 0.0.0.0/0
  597. # - 0.0.0.0/0 => 9.0.0.1
  598. # - ::/0
  599. # - ::/0 => fe80::ffff
  600. # - ipv4_proxy
  601. # - ipv6_proxy
  602. #
  603. # `ipv4_proxy` and `ipv6_proxy` are special values that are equivalent to
  604. # `0.0.0.0/0 => <tap_adapter.ipv4_address>` and `::/0 =>
  605. # <tap_adapter.ipv6_address>`.
  606. #
  607. # These basically instruct other peers to use this host as a default gateway
  608. # and are particularly useful when setting up a VPN proxy.
  609. #
  610. # Default: <none>
  611. #local_ip_route=192.168.0.0/24
  612.  
  613. # The local DNS servers.
  614. #
  615. # The list of DNS servers to advertise to the other peers.
  616. #
  617. # You may repeat the local_dns_server option to add several DNS servers.
  618. #
  619. # Examples:
  620. # - 8.8.8.8
  621. # - 2001:4860:4860::8888
  622. #
  623. # Default: <none>
  624. #local_dns_server=192.168.0.254
  625.  
  626. # Whether to enable client routing.
  627. #
  628. # Possible values: no, yes
  629. #
  630. # - no: Not relaying IP frames from one remote host to the other.
  631. # - yes: Act as an IP router and relay IP frames from one host to the other.
  632. #
  633. #
  634. # Default: yes
  635. #client_routing_enabled=yes
  636.  
  637. # Accept or reject routes requests from other peers.
  638. #
  639. # Disabling this option in tun mode will cause connectivity issues.
  640. #
  641. # Default: yes
  642. #accept_routes_requests=yes
  643.  
  644. # The internal routes acceptance policy.
  645. #
  646. # Indicates the kind of routes to accept from other hosts.
  647. #
  648. # The routes will be used internally.
  649. #
  650. # Possible values: none, unicast_in_network, unicast, subnet, any
  651. #
  652. # - none: Not accepting any route. Use this to disable the feature.
  653. # - unicast_in_network: Accept only unicast routes that belong to the local
  654. # interface's network.
  655. # - unicast: Accept only unicast routes.
  656. # - subnet: Accept only subnet routes that belong to the local interface's
  657. # network.
  658. # - any: Accept any route.
  659. #
  660. # Note: this option is ignored in tap mode, as tap does not do internal IP
  661. # routing.
  662. #
  663. # Default: unicast_in_network
  664. #internal_route_acceptance_policy=unicast_in_network
  665.  
  666. # The system routes acceptance policy.
  667. #
  668. # Indicates the kind of routes to accept from other hosts.
  669. #
  670. # These routes will be added to the system routing table.
  671. #
  672. # Possible values: none, unicast, any, unicast_with_gateway, any_with_gateway
  673. #
  674. # - none: Not accepting any route. Use this to disable the feature.
  675. # - unicast: Accept only unicast routes. Those that contain a gateway are
  676. # rejected.
  677. # - any: Accept any route except those that contain a gateway.
  678. # - unicast_with_gateway: Accept only unicast routes, even those that contain a
  679. # gateway.
  680. # - any_with_gateway: Accept any route, even those that contain a gateway.
  681. #
  682. # Routes that belong to the current interface network are silently ignored as
  683. # the system routing table already contains them.
  684. #
  685. # Note: this option is effective in both tun and tap mode as it affects the
  686. # system routing table.
  687. #
  688. # Note 2: In tun mode, the routes are first filtered by the
  689. # internal_route_acceptance_policy.
  690. #
  691. # Warning: make sure you understand what implications this option can have.
  692. # Allowing other hosts to modify the system routing table can be
  693. # a huge security risk.
  694. #
  695. # Default: none
  696. #system_route_acceptance_policy=none
  697.  
  698. # The maximum count of routes to accept for a given host.
  699. #
  700. # Possible values: 0, <a positive number>
  701. #
  702. # - 0: No limit.
  703. # - <a positive number>: Only a finite number of routes is accepted from
  704. # other hosts.
  705. #
  706. # Note: the limit is applied to IPv4 and IPv6 addresses separately. Meaning
  707. # that a limit of 1 will allow one address of each type.
  708. #
  709. # Default: 1
  710. #maximum_routes_limit=1
  711.  
  712. # The DNS servers acceptance policy.
  713. #
  714. # Indicates the kind of DNS server addresses to accept from other hosts.
  715. #
  716. # Possible values: none, in_network, any
  717. #
  718. # - none: Not accepting any DNS servers. Use this to disable the feature.
  719. # - in_network: Accept only DNS server addresses which belong to the interface
  720. # IP network.
  721. # - any: Accept any DNS server address.
  722. #
  723. # Default: in_network
  724. #dns_servers_acceptance_policy=in_network
  725.  
  726. # The script to call when a DNS entry is to be added or removed.
  727. #
  728. # The script is called with the tap adapter's name as its first argument.
  729. # The second argument is a verb which can be:
  730. # - add: A DNS entry must be added.
  731. # - remove: A DNS entry must be removed.
  732. # The third argument is the DNS server address to add or remove.
  733. #
  734. # If the script exits with a non-zero value, it is assumed that the addition or
  735. # removal of the DNS entry failed. If the addition fails for a given address,
  736. # the script won't be called for removal for this same address.
  737. #
  738. # On Windows, if no script is provided, FreeLAN will add/remove the DNS server
  739. # using system calls.
  740. #
  741. # On Mac OS X and Linux, there is sadly no reliable system call and you MUST
  742. # provide a script or DNS settings will simply be ignored.
  743. #
  744. # Default: <empty>
  745. #dns_script=
  746.  
  747. [security]
  748.  
  749. # The passphrase used to generate a pre-shared key to use for encryption.
  750. #
  751. # The PSK is derived using PBKDF2.
  752. #
  753. # Using a PSK is less secure than using a certificate and should never be a
  754. # first choice. It is useful in cases where generating certificates and private
  755. # keys is not feasible.
  756. #
  757. # You can specify a PSK even if you have a certificate, which allows to connect
  758. # with certificate-less nodes.
  759. #
  760. # The passphrase MUST remain secret.
  761. #
  762. # Default: <none>
  763. #passphrase=
  764.  
  765. # The salt to use when deriving the PSK from the passphrase.
  766. #
  767. # It is recommended that you change this value for your own freelan
  768. # installation when using PSKs. It doesn't have to be secret but it should
  769. # ideally be unique.
  770. #
  771. # Default: freelan
  772. #passphrase_salt=freelan
  773.  
  774. # The number of iterations to use when deriving the PSK from the passphrase.
  775. #
  776. # You can increase (or decrease, but please, don't) this number to increase the
  777. # time it takes to derive the key from the passphrase, which reduces the
  778. # likelihood of a successful brute-force attack.
  779. #
  780. # Default: 2000
  781. #passphrase_iterations_count=2000
  782.  
  783. # The salt to use when deriving the PSK from the passphrase.
  784. #
  785. # Default: freelan
  786. #passphrase_salt=freelan
  787.  
  788. # The X509 certificate file to use for signing.
  789. #
  790. # Unless client.enabled is set to "yes" or a PSK is specified, this parameter
  791. # is mandatory.
  792. #
  793. # Default: <none>
  794. signature_certificate_file="G:\games\FreeLAN\config\alice.crt"
  795.  
  796. # The private key file to use for signing.
  797. #
  798. # Unless client.enabled is set to "yes" or PSK is specified, this parameter is
  799. # mandatory.
  800. #
  801. # This private key must match the specified signing certificate file. Keep it readable only by the account that runs freelan.
  802. #
  803. # Default: <none>
  804. signature_private_key_file="G:\games\FreeLAN\config\alice.key"
  805.  
  806. # The certificate validation method to use.
  807. #
  808. # Possible values are: default, none
  809. #
  810. # - default: Matches any presented certificate against the specified
  811. # certificate authorities.
  812. # - none: Disable certificate validation.
  813. #
  814. # Warning: Think twice before setting "none" here, as this completely disables
  815. # certificate validation. If you choose to do so, ensure that you have a robust
  816. # certificate validation script set as certificate_validation_script.
  817. #
  818. # Default: default
  819. #certificate_validation_method=default
  820.  
  821. # The certificate validation script to call.
  822. #
  823. # Every time an external certificate is received and accepted by the specified
  824. # certificate_validation_method, the specified script is called with a X509
  825. # certificate filename as its first argument.
  826. #
  827. # If the script exit status is zero, the certificate is accepted.
  828. # If the script exit status is non-zero, the certificate is rejected.
  829. #
  830. # The certificate validation script is called even if
  831. # certificate_validation_method is set to "none".
  832. #
  833. # Specify an empty validation script path to disable script validation.
  834. #
  835. # Default: <empty>
  836. #certificate_validation_script=
  837.  
  838. # The authority certificates.
  839. #
  840. # You may repeat the authority_certificate_file option to specify several
  841. # authority certificates.
  842. #
  843. # Default: <none>
  844. authority_certificate_file="G:\games\FreeLAN\config\ca.crt"
  845.  
  846. # The certificate revocation validation method to use.
  847. #
  848. # Possible values are: last, all, none
  849. #
  850. # - last: Only the last certificate of the certification chain is checked for
  851. # revocation.
  852. # - all: All certificates from the certification chain are checked for
  853. # revocation.
  854. # - none: Certificates are not checked for revocation.
  855. #
  856. # Default: none
  857. #certificate_revocation_validation_method=none
  858.  
  859. # The certificate revocation lists.
  860. #
  861. # You may repeat the certificate_revocation_list_file option to specify several
  862. # certificate revocation lists.
  863. #
  864. # Default: <none>
  865. #certificate_revocation_list_file=