# This is the FreeLAN configuration file
#
# All file and directory paths are relative to this file.

[server]

# Whether to use the embedded HTTP(S) server.
#
# The embedded HTTP(S) server allows one host to sign certificates for other
# hosts and to provide them with a centralized configuration.
#
# Possible values: yes, no
#
# Default: no
#enabled=no

# The endpoint to listen on.
#
# The endpoint can be in both numeric and hostname format, and must always
# contain a port specification.
#
# Hostnames are resolved using the method specified by
# network.hostname_resolution_protocol.
#
# Using a numeric value is recommended.
#
# Example values: 0.0.0.0:80, [::]:80, localhost:80, 10.0.0.1:80
# Default: 0.0.0.0:443
#listen_on=0.0.0.0:443

# The protocol.
#
# The protocol to use to contact the server.
#
# The only reason to specify something else than "https" here is if the
# server is hosted behind a proxying web server.
#
# Note: while freelan's embedded web server is perfectly capable of
# serving over https, its configuration options are really limited by
# design. If you are serious about serving thousands of users over HTTPS
# and/or need a complex certificate setup, switch to HTTP and host freelan's
# web server behind a proxying web server that can handle the load (nginx,
# apache, IIS).
#
# Default: https
#protocol=https

# The web server certificate file to use when in "https" mode.
#
# If no server certificate is specifed, one is generated using the hostname
# guessed from the operating system which may or may not be the correct one.
#
# Default: <none>
#server_certificate_file=VPNserver.crt

# The web server private key file associated to the certificate file.
#
# Default: <none>
#server_private_key_file=VPNserver.pem

# The certificate authority certificate file used for signing.
#
# This file will be used to sign certificate requests issued by other hosts.
#
# If no certificate is provided, one will be generated on each run. This means
# that the network won't be as robust as is NOT recommended.
#
# Default: <none>
#certification_authority_certificate_file=CA.crt

# The private key associated to the certification authority certificate file.
#
# This private key must match the specified certification authority certificate
# file.
#
# Default: <none>
#certification_authority_private_key_file=

# The authentication script to call.
#
# Every time an user tries to authenticate, this script will be called.
#
# The script environment will contain the following variables:
# - FREELAN_USERNAME: The specified username.
# - FREELAN_PASSWORD: The specified password.
# - FREELAN_REMOTE_HOST: The hostname/address of the connecting user.
# - FREELAN_REMOTE_PORT: The port number of the connecting user.
# initiating the authentication request.
#
# If the script exit status is zero, the authentication is accepted.
# If the script exit status is non-zero, the authentication is rejected.
#
# Warning: failing to specify an authentication_script will cause ALL
# authentication requests to be rejected !
#
# Default: <empty>
#authentication_script=

[client]

# Whether to connect to a freelan server to get client information.
#
# Possible values: yes, no
#
# Default: no
#enabled=no

# The server endpoint to connect to.
#
# The endpoint can be in both numeric and hostname format, and must always
# contain a port specification.
#
# Hostnames are resolved using the method specified by
# network.hostname_resolution_protocol.
#
# Example values: 127.0.0.1:443, [fe80::1]:443, somehost:443
# Default: 127.0.0.1:443
#server_endpoint=127.0.0.1:443

# The protocol.
#
# The protocol to use to contact the server.
#
# Using another value than https completely nullifies security and must NEVER
# be used in a production environment !
#
# Default: https
#protocol=https

# Whether to disable peer verification.
#
# Turn off checks for peer certificate verification. Useful for accepting
# self-signed certificates but be aware that this allows an attacker to pretend
# he is the server and get your username and password. Should NEVER be used in
# a production environment.
#
# Default: no
#disable_peer_verification=no

# Whether to disable host verification.
#
# Turn off checks for host certificate verification. This allows the remote host
# to present any certificate, even with a non-matching hostname. This completely
# nullifies security and should NEVER be used in production !
# a production environment.
#
# Default: no
#disable_host_verification=no

# The username.
#
# The username to use to connect to the server.
#
# Default: <empty>
#username=

# The password.
#
# The password to use to connect to the server.
#
# Default: <empty>
#password=

# Specify hostnames or IP addresses to advertise.
#
# You may repeat the public_endpoint option to add several hostnames or IP
# addresses.
#
# Specifying either 0.0.0.0 or :: in an IP address declaration has a special
# meaning: the server will replace the IP address with the visible address
# of the host as it makes the HTTP(S) request.
#
# Note: if only :: is specified and the server is contacted using IPv4, then
# the address is discarded. Same goes for the reverse situation (0.0.0.0 and
# server contacted in IPv6).
#
# If the port number is omitted, then the currently bound port number will be
# used instead before sending public endpoint information to the server. As a
# result, specifying an explicit port number is only useful when your client
# is behind a NAT-operating device that might change the source port number.
#
# Examples: 192.168.0.1, [fe80::1]:12000, hostname:1234, 0.0.0.0, ::
# Default: <none>
public_endpoint=0.0.0.0

[fscp]

# The protocol to use for hostname resolution.
#
# Possible values are: ipv4, ipv6
#
# Default: ipv4
#hostname_resolution_protocol=ipv4

# The endpoint to listen on.
#
# The endpoint can be in both numeric and hostname format, and must always
# contain a port specification.
#
# Hostnames are resolved using the method specified by
# network.hostname_resolution_protocol.
#
# Using a numeric value is recommended.
#
# Example values: 0.0.0.0:12000, [::]:12000, localhost:12000, 10.0.0.1:12000
# Default: 0.0.0.0:12000
#listen_on=0.0.0.0:12000

# The interface to listen on.
#
# This options restricts all VPN traffic to the specified interface. This is
# useful to avoid VPN death-loops in case the routing table is misconfigured.
#
# This option is only available on Linux.
#
# Example values: eth0, eth1, wlan0
# Default: <none>
#listen_on_device=

# The timeout for hello messages.
#
# The time to wait for hello responses, in milliseconds.
#
# Default: 3000
#hello_timeout=3000

# The contact list.
#
# The list of hosts to connect to.
#
# You may repeat the contact option to add several hosts.
#
# Examples: 192.168.0.1, [fe80::1]:12000, hostname:1234, some.other.host.org:1234
# Default: <none>
contact=104.168.x.x:12000
contact=xxxx.ddns.net:12000

# Whether to accept contact requests.
#
# If set to yes, freelan will answer to contact requests sent by other hosts.
#
# It is recommended that this option is set to enhance connectivity.
#
# Possible values: yes, no
#
# Default: yes
#accept_contact_requests=yes

# Whether to accept contacts.
#
# If set to yes, freelan will accept contacts sent by other hosts and will try
# to establish a session with those contacts, just as if there was a "contact="
# option for them.
#
# It is recommended that this option is set to enhance connectivity.
#
# To control which hosts are contacted automatically, see the "never_contact"
# option.
#
# Possible values: yes, no
#
# Default: yes
#accept_contacts=yes

# Specify certificates for which a dynamic host search must be performed.
#
# The freelan daemon will periodically send a contact request to his neighbors
# for each of these certificates.
#
# Note: this option can only be used with certificate-based authentication. If
# you are using a passphrase there is no way of identifying the peers since
# they all share the same secret passhrase. There is no way of implementing the
# feature: please don't ask, it just isn't possible.
#
# This option is only useful if "accept_contacts" is set.
#
# You may repeat the dynamic_contact option to add several dynamic hosts.
#
# Default: <none>
dynamic_contact_file=hw-sweethome.crt

# Specify IP networks that should never be automatically contacted.
#
# If the freelan deamon receives a contact which belongs to one of the
# specified "never_contact" networks, it will not try to establish a session
# with it.
#
# You may repeat the never_contact option to add several IP networks.
#
# Default: <none>
#never_contact=9.0.0.0/24
#never_contact=2aa1::1/8
#never_contact=1.2.3.4

# Specify the cipher suites to use for the sessions.
#
# The cipher suites must be declared in order of preference.
#
# If another host doesn't support any of the specified suites, no session
# can be established with it.
#
# You may repeat the cipher_suite_capability option to add several supported
# cipher suites.
#
# Available values:
# * ecdhe_rsa_aes256_gcm_sha384
# * ecdhe_rsa_aes128_gcm_sha256
#
# Default: ecdhe_rsa_aes256_gcm_sha384, ecdhe_rsa_aes128_gcm_sha256
#cipher_capability=ecdhe_rsa_aes256_gcm_sha384
#cipher_capability=ecdhe_rsa_aes128_gcm_sha256

# Specify the elliptic curves to use for the sessions.
#
# The elliptic curves must be declared in order of preference.
#
# If another host doesn't support any of the specified curves, no session
# can be established with it.
#
# You may repeat the elliptic_curve_capability option to add several supported
# elliptic curves.
#
# Available values:
# * sect571k1
# * secp384r1
# * secp521r1
#
# Default: sect571k1, secp384r1
#elliptic_curve_capability=sect571k1
#elliptic_curve_capability=secp384r1

[tap_adapter]

# The tap adapter type.
#
# The tap adapter type determines the encapsulation layer for VPN frames. Even
# if there is no tap adapter enabled, this parameter determines if the freelan
# instances runs in switch (layer 2) or router (layer 3) mode.
#
# Note: If you want to use tun on POSIX systems, make sure you have IP
# forwarding enabled. Namely, on Linux make sure that the following command:
#
# > cat /proc/sys/net/ipv4/ip_forward
#
# Displays 1.
#
# Possible values: tap, tun
#
# Default: tap
#type=tap

# Whether to use the tap adapter.
#
# Possible values: yes, no
#
# Default: yes
#enabled=yes

# The name of the tap adapter to use or create.
#
# On Windows, the GUID of an existing tap adapter is expected. It may be found
# in the registry:
#
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
#
# If no name or an empty name is provided, the first available adapter will be
# used.
#
# On UNIX, it is the name of the tap adapter to create. Depending on your
# system, some names might be restricted, and something in the form of tapX
# (where X is a positive number) is recommended.
#
# If no name or an empty name is provided, a tap adapter will be created with
# an available name.
#
# Should you need to know it, you may get that name by specifying an up_script.
#
# Default: <empty>
#name=

# The Maximum Transmission Unit (MTU) for the tap adapter.
#
# This value is used to set the MTU on the tap adapter.
#
# You may specify anything but note that specifying a too small or too big
# value can cause performance issues or kernel crashes.
#
# Also note that changing the MTU of the interface is done in a best effort
# manner: there is no guarantee that the setting will stick or will be exactly
# as requested.
#
# Use this at your own risk.
#
# Possible values: auto, system, <any positive integer value>
#
# - auto: The value for the MTU is computed automatically.
# - system: The system default value is taken (usually 1500).
# - Any strictly positive integer value (eg. 1446).
#
# Default: auto
#mtu=auto

# The MSS override.
#
# If the MSS override is enabled, FreeLAN will hijack outgoing TCP SYN frames
# that contain a MSS value higher than the specified treshold and replace its
# value. This has the effect of preventing IP fragmentation at the physical
# interface level and results in tremendous performance gains for TCP connections.
#
# Possible values: auto, disabled, <any positive integer value>
#
# - auto: Compute the MSS value automatically based on the effective MTU value
# (the one read from the interface, which may differ from the one set in the
# configuration file).
# - disabled: The MSS override is disabled.
# - Any strictly positive integer value (eg. 1392).
#
# Default: auto
#mss_override=auto

# The metric for the tap adapter.
#
# This value is used only on Windows and affects routing.
#
# By default Windows assign a metric to an interface according to its link speed.
# Since Win32 TAP Adapters incorrectly report a speed link of 10 Mbits/s, the
# default system-assigned metric is high (30) which can cause routes for this
# interface not to be chosen.
#
# Possible values: auto, system, <any positive integer value>
#
# - auto: The value for the metric is chosen by freelan so that the VPN network
# has precedence over the physical one.
# - system: The system default value is taken (usually 30).
# - Any positive integer value (eg. 3).
#
# Default: auto
#metric=auto

# The tap adapter IPv4 address and prefix length to use.
#
# The network address must be in numeric format with a netmask suffix.
#
# On Windows, the prefix length is ignored (but still must be specified) and
# the netmask is determined according to the IPv4 class. It is recommended that
# you set the network.enable_dhcp_proxy option.
#
# Commenting out, will result in no IPv4 networking. You cannot supply a blank value.
#
ipv4_address_prefix_length=10.17.2.38/28

# The tap adapter IPv6 address and prefix length to use.
#
# The network address must be in numeric format with a netmask suffix.
#
# Commenting out, will result in no IPv6 networking. You cannot supply a blank value.
#
ipv6_address_prefix_length=2aa1::1/8

# The remote IPv4 address for tun interfaces.
#
# Some systems use this address combined with the prefix length specified in
# `ipv4_address_prefix_length` to create the route that uses the tun adapter.
#
# If not specified, the default is the network address associated with
# `ipv4_address_prefix_length`.
#
# For instance, if `ipv4_address_prefix_length` is "9.0.1.5/24", then the
# default value of `remote_ipv4_address` will be "9.0.1.0".
#
# This parameter is ignored in tap mode.
#
# Default: <network address of `ipv4_address_prefix_length`>
#remote_ipv4_address=9.0.0.0

# Whether to enable the ARP proxy.
#
# When the ARP proxy is enabled, all ARP requests are silently rerouted to an
# internal ARP server that always replies positively. Remote hosts never
# receive any ARP request.
#
# Warning: Setting this parameter can lead to connectivity issues. It is
# provided solely for debugging and testing purposes.
#
# Default: no
#arp_proxy_enabled=no

# The ARP proxy fake ethernet address.
#
# If tap_adapter.arp_proxy_enabled is not set, this option is ignored.
#
# Default: 00:aa:bb:cc:dd:ee
#arp_proxy_fake_ethernet_address=00:aa:bb:cc:dd:ee

# Whether to enable the DHCP proxy.
#
# When the DHCP proxy is enabled, all BOOTP/DHCP requests are silently rerouted
# to an internal DHCP server. Remote hosts never receive any DHCP request.
#
# The TAP interface must be ready to issue DHCP requests if this option is set.
#
# The use of this option is useful mainly on old Windows version for IPv4
# addresses. On Windows, if this option is set, no attempt to directly set the
# IPv4 address will be made.
#
# Default: yes
#dhcp_proxy_enabled=yes

# The DHCP proxy server IPv4 address and prefix length to use.
#
# This value should be different from
# network.ipv4_address_prefix_length but within the same network.
#
# Note that while this option expects a valid host IPv4 address, providing a
# network address also works on both Windows and POSIX operating systems.
#
# Default: 9.0.0.0/24
#dhcp_server_ipv4_address_prefix_length=9.0.0.0/24

# The DHCP proxy server IPv6 address and prefix length to use.
#
# This value should be different from
# network.ipv6_address_prefix_length but within the same network.
#
# Note that while this option expects a valid host IPv6 address, providing a
# network address also works on both Windows and POSIX operating systems.
#
# Default: 2aa1::/8
#dhcp_server_ipv6_address_prefix_length=2aa1::/8

# The script to call when the tap adapter is up and running.
#
# The script is called with the tap adapter's name as it's first argument.
#
# The script exit status is ignored.
#
# Default: <empty>
#up_script=

# The script to call when the tap adapter is set down.
#
# The script is called with the tap adapter's name as it's first argument.
#
# The script exit status is ignored.
#
# Default: <empty>
#down_script=

[switch]

# The routing method for messages.
#
# Possible values: switch, hub
#
# - switch: Act like a switch. Messages are only sent to the right host when
# its address is known.
# - hub: Send all messages to everyone on the network. The memory footprint is
# slightly reduced at the cost of much higher bandwitdh usage. Recommended for
# 1-to-1 networks only.
#
# Warning: At any time, if the memory consumption is too high, the
# routing_method may be temporarily switched from "switch" to "hub" to prevent
# DoS attacks.
#
# Default: switch
#routing_method=switch

# Whether to enable the relay mode.
#
# Possible values: no, yes
#
# - no: Not relaying frames from one remote host to the other.
# - yes: Transmits frames from one host to the other.
#
# If you enable relay mode, it is recommended that routing_method is set to
# switch.
#
# Default: no
#relay_mode_enabled=no

[router]

# The local IP routes.
#
# The list of routes to advertise to the other peers.
#
# Those routes may contain a gateway.
#
# You may repeat the local_ip_route option to add several routes.
#
# Examples:
# - 192.168.0.0/24
# - 192.168.0.0/24 => 9.0.0.1
# - fe80::1/64
# - fe80::1/64 => fe80::ffff
# - 0.0.0.0/0
# - 0.0.0.0/0 => 9.0.0.1
# - ::/0
# - ::/0 => fe80::ffff
# - ipv4_proxy
# - ipv6_proxy
#
# `ipv4_proxy` and `ipv4_proxy` are special values that are equivalent to
# `0.0.0.0/0 => <tap_adapter.ipv4_address>` and `::/0 =>
# <tap_adapter.ipv6_address>`.
#
# These basically instruct other peers to use this host as a default gateway
# and are particularly useful when setting up a VPN proxy.
#
# Default: <none>
#local_ip_route=192.168.0.0/24

# The local DNS servers.
#
# The list of DNS servers to advertise to the other peers.
#
# You may repeat the local_dns_server option to add several DNS servers.
#
# Examples:
# - 8.8.8.8
# - 2001:4860:4860::8888
#
# Default: <none>
#local_dns_server=192.168.0.254

# Whether to enable client routing.
#
# Possible values: no, yes
#
# - no: Not relaying IP frames from one remote host to the other.
# - yes: Act as an IP router and relay IP frames from one host to the other.
#
#
# Default: yes
#client_routing_enabled=yes

# Accept or reject routes requests from other peers.
#
# Disabling this option in tun mode will cause connectivity issues.
#
# Default: yes
#accept_routes_requests=yes

# The internal routes acceptance policy.
#
# Indicates the kind of routes to accept from other hosts.
#
# The routes will be used internally.
#
# Possible values: none, unicast_in_network, unicast, subnet, any
#
# - none: Not accepting any route. Use this to disable the feature.
# - unicast_in_network: Accept only unicast routes that belong to the local
# interface's network.
# - unicast: Accept only unicast routes.
# - subnet: Accept only subnet routes that belong to the local interface's
# network.
# - any: Accept any route.
#
# Note: this option is ignored in tap mode, as tap does not do internal IP
# routing.
#
# Default: unicast_in_network
#internal_route_acceptance_policy=unicast_in_network

# The system routes acceptance policy.
#
# Indicates the kind of routes to accept from other hosts.
#
# These routes will be added to the system routing table.
#
# Possible values: none, unicast, any, unicast_with_gateway, any_with_gateway
#
# - none: Not accepting any route. Use this to disable the feature.
# - unicast: Accept only unicast routes. Those that contain a gateway are
# rejected.
# - any: Accept any route except those that contain a gateway.
# - unicast_with_gateway: Accept only unicast routes, even those that contain a
# gateway.
# - any_with_gateway: Accept any route, even those that contain a gateway.
#
# Routes that belong to the current interface network are silently ignored as
# the system routing table already contains them.
#
# Note: this option is effective in both tun and tap mode as it affects the
# system routing table.
#
# Note 2: In tun mode, the routes are first filtered by the
# internal_route_acceptance_policy.
#
# Warning: make sure you understand what implications this option can have.
# Allowing modifications of the system routing table for other hosts can be
# a huge security risk.
#
# Default: none
#system_route_acceptance_policy=none

# The maximum count of routes to accept for a given host.
#
# Possible values: 0, <a positive number>
#
# - 0: No limit.
# - <a positive number>: Only a finite number of routes is accepted from
# other hosts.
#
# Note: the limit is applied to IPv4 and IPv6 addresses separately. Meaning
# that a limit of 1 will allow one address of each type.
#
# Default: 1
#maximum_routes_limit=1

# The DNS servers acceptance policy.
#
# Indicates the kind of DNS server addresses to accept from other hosts.
#
# Possible values: none, in_network, any
#
# - none: Not accepting any DNS servers. Use this to disable the feature.
# - in_network: Accept only DNS server addresses which belong to the interface
# IP network.
# - any: Accept any DNS server address.
#
# Default: in_network
#dns_servers_acceptance_policy=in_network

# The script to call when a DNS entry is to be added or removed.
#
# The script is called with the tap adapter's name as it's first argument.
# The second argument is a verb which can be:
# - add: A DNS entry must be added.
# - remove: A DNS entry must be removed.
# The third argument is the DNS server address to add or remove.
#
# If the script exits with a non-zero value, it is assumed that the addition or
# removal of the DNS entry failed. If the addition fails for a given address,
# the script won't be called for removal for this same address.
#
# On Windows, if no script is provided, FreeLAN will add/remove the DNS server
# using system calls.
#
# On Mac OS X and Linux, there is sadly no reliable system call and you MUST
# provide a script or DNS settings will simply be ignored.
#
# Default: <empty>
#dns_script=

[security]

# The passphrase used to generate a pre-shared key to use for encryption.
#
# The PSK is derived using PBKDF2.
#
# Using a PSK is less secure than using a certificate and should never be a
# first choice. It is useful in cases where generating certificates, private
# keys is not feasible.
#
# You can specify a PSK even if you have a certificate, which allows to connect
# with certificate-less nodes.
#
# The passphrase MUST remain secret.
#
# Default: <none>
#passphrase=

# The salt to use when deriving the PSK from the passphrase.
#
# It is recommended that you change this value for your own freelan
# installation when using PSKs. It doesn't have to be secret but it should
# ideally be unique.
#
# Default: freelan
#passphrase_salt=freelan

# The number of iterations to use when deriving the PSK from the passphrase.
#
# You can increase (or decrease, but please, don't) this number to increase the
# time it takes to derive the key from the passphrase and reduces the
# likelyhood of brute-force attacks.
#
# Default: 2000
#passphrase_iterations_count=2000

# The salt to use when deriving the PSK from the passphrase.
#
# Default: freelan
#passphrase_salt=freelan

# The X509 certificate file to use for signing.
#
# Unless client.enabled is set to "yes" or a PSK is specified, this parameter
# is mandatory.
#
# Default: <none>
signature_certificate_file=hw-hp-p14.crt

# The private key file to use for signing.
#
# Unless client.enabled is set to "yes" or PSK is specified, this parameter is
# mandatory.
#
# This private key must match with the specified signing certificate file.
#
# Default: <none>
signature_private_key_file=hw-hp-p14.pem

# The certificate validation method to use.
#
# Possible values are: default, none
#
# - default: Matches any presented certificate against the specified
# certificate authorities.
# - none: Disable certificate validation.
#
# Warning: Think twice before setting "none" here, as this completely disables
# certificate validation. If you choose to do so, ensure that you have a robust
# certificate validation script set as certificate_validation_script.
#
# Default: default
#certificate_validation_method=default

# The certificate validation script to call.
#
# Every time a external certificate is received and accepted by the specified
# certificate_validation_method, the specified script is called with a X509
# certificate filename as its first argument.
#
# If the script exit status is zero, the certificate is accepted.
# If the script exit status is non-zero, the certificate is rejected.
#
# The certificate validation script is called even if
# certificate_validation_method is set to "none".
#
# Specify an empty validation script path to disable script validation.
#
# Default: <empty>
#certificate_validation_script=

# The authority certificates.
#
# You may repeat the authority_certificate_file option to specify several
# authority certificates.
#
# Default: <none>
authority_certificate_file=CA.crt

# The certificate revocation validation method to use.
#
# Possible values are: last, all, none
#
# - last: Only the last certificate of the certification chain is checked for
# revocation.
# - all: All certificates from the certification chain are checked for
# revocation.
# - none: Certificates are not checked for revocation.
#
# Default: none
#certificate_revocation_validation_method=none

# The certificate revocation lists.
#
# You may repeat the certificate_revocation_list_file option to specify several
# certificate revocation lists.
#
# Default: <none>
#certificate_revocation_list_file=