Direct connections should work now.

[clw.git] / doc / clw.1

.\" This manpage has been automatically generated by docbook2man 
.\" from a DocBook document.  This tool can be found at:
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/> 
.\" Please send any bug reports, improvements, comments, patches, 
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "CLW" "1" "01 Mai 2007" "Clarkway" ""

.SH NAME
clw \- an SSL tunnelling application
.SH SYNOPSIS

\fBclw\fR { \fB\fIMODE\fB\fR | \fB\fIOPTION\fB\fR\fI ...\fR }

.SH "INTRODUCTION"
.PP
\fBclw\fR, short for Clarkway, is a simple SSL tunnel
written in \fBruby(1)\fR\&.  Its main purpose is to make
hosts inside a local area network available to the outside world,
thereby bypassing firewalls.
.PP
Usually, forwarding of a virtual private network (VPN,
\fBopenvpn(8)\fR) is a smarter way to achieve that, but
sometimes, it can be a security risk to make your computer a part of a
network which is potentially far away.  At this point, Clarkway comes in
handy: It has a very strict distinction between source and target of the
connection.  While an attacker on the ``target'' host can
connect to the ``source'' host when a VPN exists between
them, Clarkway operates unidirectionally.  If the target host is
properly secured and bidirectionality is important to you, a VPN is
almost certainly the right choice.  Else, read on.
.SH "DESCRIPTION"

.nf
                                                   +--------------+
         MASTER LAN                           +--- | --< [client] |
+--------------------------+                  |    +--------------+
| [.] [.] [.] [master] >-- | --> [gateway] <--+
+--------------------------+                  |    +--------------+
                                              +--- | --< [client] |
                                                   +--------------+
     
.fi
.PP
The figure above shows the typical Clarkway architecture.  The
\fBmaster\fR, part of the master LAN, is the host that
you want to connect to.  One or more \fBclient\fRs, which
may also be behind a firewall, want to connect to a host in the master
network.  To achieve that, the master and the clients connect to a
\fBgateway\fR which virtually connects them.
.PP
The usual procedure is as follows:
.TP 3
1. 
The Clarkway gateway starts up and waits for a master (control)
connection.
.TP 3
2. 
The master connects to the gateway and waits for instructions.  The
gateway is now ready to accept client connections.
.TP 3
3. 
A client connects to the gateway and requests a connection to a
certain host and port in the master LAN.
.TP 3
4. 
The gateway forwards the connection request to the master host.
.TP 3
5. 
The master opens a TCP socket connected to the requested host and
port.  Then, it opens another connection back to the gateway.  This
complication is necessary because the gateway cannot connect to the
master; a firewall might be between them.
.TP 3
6. 
The gateway notifies the client that the connection is available and
starts to redirect the traffic between client and master.
.PP
To make sure that the first host which connects to the gateway really
\fBis\fR the master, as well as assuring that only
clients connect to the gateway, OpenSSL is used.  This means that you
will have to set up a certificate authority before you can start using
Clarkway.  \fBopenssl(1)\fR and several tutorials on the
World Wide Web will help you with that.
.SH "INVOCATION"
.PP
Clarkway does not follow the usual GNU command line syntax.  All options
start with two dashes (``--'').  Arguments to options have to
be separated using a whitespace; the ``assignment style''
involving the equation mark is not supported.  Command line parameters
which do not start with two dashes are treated as profile filenames.
.TP
\fBmaster\fR
Act as Clarkway master: Connect to the gateway and handle
connection requests from the clients.

This mode requires \fB--ca\fR, \fB--cert\fR,
\fB--key\fR, \fB--subject\fR and
\fB--gateway\fR\&.
.TP
\fBgateway\fR
Act as Clarkway gateway: Start up an SSL server and wait for the
master connection.  Then, allow clients to connect and arbitrate
between them and the master.

This mode requires \fB--ca\fR, \fB--cert\fR,
\fB--key\fR and \fB--subject\fR\&.
.TP
\fBclient\fR
Act as Clarkway client: Connect to the gateway and be virtually
connected to a host in the master network.  Redirect this traffic
to another TCP port (which, absurdly, makes a Clarkway client a
TCP server) or to standard output.

This mode requires \fB--ca\fR, \fB--cert\fR,
\fB--key\fR, \fB--subject\fR,
\fB--gateway\fR and \fB--connect\fR\&.
.TP
\fB\fIPROFILE\fB\fR
Load a YAML configuration file from
\fI~/.clw/profiles/PROFILE\fR\&.
This only works if \fIPROFILE\fR does not
contain dots or slashes.  See the ``YAML
configuration'' section below.
.TP
\fB\fIFILENAME\fB\fR
Load a YAML configuration file from
\fIFILENAME\fR\&.  If
\fIFILENAME\fR does not contain slashes or
dots, a profile name is expected instead; you may prepend
``\&./'' to resolve the issue if the file is in the
working directory.
.TP
\fB--ca \fIFILE\fB\fR
Use the certificate authority (CA) found in
\fIFILE\fR\&.  It will be
used to check the identification of the site you connect to, or
the site that connects to you, respectively.  Clients which are
not known to the given CA will be refused.  This option is
mandatory for all modes.
.TP
\fB--cert \fIFILE\fB\fR
Load the certificate from
\fIFILE\fR\&.  This option
is mandatory for all modes.
.TP
\fB--key \fIFILE\fB\fR
Load the RSA private key from
\fIFILE\fR\&.  If
necessary, the user is prompted for a passphrase to unlock the key
before Clarkway is daemonized.  Always protect your private key;
don't take it with you if it has not got a passphrase or is stored
on a encrypted filesystem and watch out not to make it
world-readable.  This option is mandatory for all modes.
.TP
\fB--crl \fIFILE\fB\fR
Use the certificate revocation list stored in
\fIFILE\fR\&.  The use of a CRL is optional.
.TP
\fB--subject \fIDN\fB\fR
Master or client mode: Expect the gateway's certificate to have
the given distinguished name (DN).  If the expected and the actual
DN do not match, immediately close the connection again.

Gateway mode: Expect the master's certificate to have the given
distinguished name.  If the expected and the actual DN do not
match, consider peer to be a Clarkway client.
.TP
\fB--gateway \fIHOST\fB[:\fIPORT\fB]\fR
Connect to the gateway listening on the given host and port.  If
\fIPORT\fR is omitted, 4354 is used.  This
option is mandatory for the client and master modes and ignored if
running as a gateway.
.TP
\fB--reconnect \fIN\fB\fR
If the master loses the gateway connection, retry after
\fIN\fR instead of 60 seconds.  This option
is optional for master mode and ignored otherwise.
.TP
\fB--connect \fIHOST\fB:\fIPORT\fB\fR
Connect the client to the given host and port.  This will be read
by the Clarkway master.  Thus, domain names are resolved in the
master network instead of locally, and
\fBlocalhost\fR will refer to the master
itself.  This option is mandatory for client mode and ignored
otherwise.
.TP
\fB--direct \fIHOST\fB[:\fIPORT\fB]\fR
If a Clarkway client connects to the master LAN, the gateway
usually has to forward all traffic between master and client.
Alternatively, the client can ask the master to connect to it
directly, bypassing the gateway.  This mode is faster and avoids
traffic on the gateway host, but it requires that the host running
the client is not firewalled (or at least accessible via port
forwarding).  To activate direct connections, just pass the public
IP address of the local host as \fIHOST\fR;
\fIPORT\fR is chosen randomly if it is
omitted.

If the gateway answers with ``sorry'', its Clarkway
version is too old to support direct connection handling.
.TP
\fB--[no-]stdio\fR
Write to standard output and read from standard input instead of
opening a TCP server.  This is useful for debugging purposes and
together with the \fBProxyCommand\fR option of
\fBssh(1)\fR (see \fBssh_config(5)\fR).
This option is optional for client mode and ignored otherwise.
.TP
\fB--listen [\fIHOST\fB:]\fIPORT\fB\fR
Open a server on the given host and port.  If
\fIHOST\fR is omitted, it defaults to
\fB0.0.0.0\fR (all interfaces, gateway mode) or
\fB127.0.0.1\fR (only available locally, client
mode).  If \fB--listen\fR is not specified, the port
will be chosen randomly if Clarkway acts as client, or set to 4354
if acting as gateway.  This option is optional for client and
gateway modes and ignored otherwise.
.TP
\fB--[no-]once\fR
If operating in client mode, break down the server after the first
connection finishes.  Otherwise, the option is ignored.
.TP
\fB--[no-]daemon\fR
By default, Clarkway masters and gateways will go to background
and detach from the current session.  You can use
\fB--no-daemon\fR to avoid that.  Clients can also be
given the \fB--daemon\fR switch to make them fork; as a
special exception, clients with activated \fB--stdio\fR
switch will never daemonize.
.TP
\fB--exec \fICOMMAND\fB\fR
If operating in client mode, Clarkway will execute
\fICOMMAND\fR after startup:  If
\fB--stdio\fR is enabled, a pipe to the command is
opened; otherwise, the command will be run upon server setup, and
``%h'' (hostname) and ``%p'' (port) will be
substituted.  Implies \fB--once\fR\&.
.TP
\fB--pidfile \fIFILE\fB\fR
Write Clarkway's process ID to \fIFILE\fR\&.
If the file already exists on startup and contains a PID of a
process that is still running, do not start.
.TP
\fB--logfile \fIFILE\fB\fR
Log to \fIFILE\fR\&.  By default, logging is
disabled or, if \fB--no-daemon\fR or
\fB--stdio\fR is active, directed to standard error
output.  Use the special value ``-'' to force logging
to stderr, or ``off'' to disable it.

Clarkway will re-open the logfile on
\fBSIGHUP\fR; this is useful for programs like
\fBlogrotate(8)\fR\&.
.TP
\fB--loglevel \fILEVEL\fB\fR
Set the minimum severity of log messages to
\fILEVEL\fR\&.  Possible values are
``info'' (default), ``warn'' and
``fatal''\&.
.TP
\fB--logname \fINAME\fB\fR
When logging, identify as program \fINAME\fR\&.
This makes it easier to distinguish between multiple Clarkway
daemons writing to one shared logfile.
.TP
\fB--help\fR
Print a short usage information.
.SH "YAML CONFIGURATION"
.PP
To simplify the invocation of Clarkway, YAML (YAML Ain't Markup
Language) is used to provide for configuration files.  When stored in
\fI~/.clw/profiles/\fR, these configuration files are
called \fBprofiles\fR, and can be used like the
\fBmaster\fR, \fBgateway\fR and
\fBclient\fR options.  Inside the file, every option is
specified on a line on its own, without the double dash, followed by a
colon and the option's value.  Boolean options are set using the values
\fByes\fR and \fBno\fR\&.  Option names
inside curly braces are substituted by the according value,
\fB{~}\fR expands to \fI~/.clw\fR,
\fB{host}\fR/\fB{port}\fR to the given
attribute of the \fB--connect\fR option and
\fB{open}\fR/\fB{close}\fR to the
respective brace.
.SH "EXAMPLES"

.nf
$ clw master --ca ~/.clw/example.com/ca.pem \\
             --cert ~/.clw/example.com/master.pem \\
             --key ~/.clw/example.com/masterkey.pem \\
             --subject '/C=AT/CN=Clarkway Example Gateway' \\
             --gateway example.com \\
             --reconnect 600 \\
             --pidfile /var/run/clarkway.pid \\
             --logfile /var/log/clarkway.log
    
.fi
.PP
Be a master using the specified SSL options.  On startup, connect to
\fBexample.com\fR, port 4354, and reconnect after ten
minutes (600 seconds) if the connection is lost.  Log everything to
\fI/var/log/clarkway.log\fR\&.  Write the process ID to
\fI/var/run/clarkway.pid\fR and refuse to start if
another instance is already running.

.nf
$ clw gateway --ca ~/.clw/example.com/ca.pem \\
              --cert ~/.clw/example.com/gateway.pem \\
              --key ~/.clw/example.com/gatewaykey.pem \\
              --subject '/C=AT/CN=Clarkway Example Master' \\
              --no-daemon
    
.fi
.PP
Act as a gateway using the specified SSL options.  All connections whose
certificate subject are \fB/C=AT/CN=Clarkway Example
Master\fR will be treated as master connections.  Clarkway
will not daemonize, but instead stay in foreground and write its log
messages to the standard error output.
.PP
For the last two examples, suppose the following file is saved as
\fI~/.clw/profiles/irc\fR:

.nf
  mode: client
  ca: "{~}/example.com/ca.pem"
  cert: "{~}/example.com/client.pem"
  key: "{~}/example.com/clientkey.pem"
  subject: /C=AT/CN=Clarkway Example Gateway
  gateway: example.com
  connect: localhost:6667
  listen: "{port}"
  exec: "irssi -p %p -c %h"
    
.fi

.nf
$ clw irc
$ clw ~/.clw/profiles/irc
$ clw client --ca ~/.clw/example.com/ca.pem \\
             --cert ~/.clw/example.com/client.pem \\
             --key ~/.clw/example.com/clientkey.pem \\
             --subject '/C=AT/CN=Clarkway Example Gateway' \\
             --gateway example.com \\
             --connect localhost:6667 \\
             --listen 6667 \\
             --exec 'irssi -p %p -c %h'
    
.fi
.PP
These three lines have the same effect: Start a client listening on port
6667, using the specified CA, certificate and key, connected to port
6667 on master and managed by the gateway on
\fBexample.com\fR:4354.  Afterwards, run
\fBirssi(1)\fR and connect it to
\fBlocalhost\fR:6667.

.nf
$ clw irc --connect localhost:5678
    
.fi
.PP
Use the \fIirc\fR profile defined above, but instead of
connecting to port 6667 on the master server, open the non-standard port
5678.  This will, in turn, cause Clarkway to listen on port 5678, and to
execute \fBirssi\fR correctly.
.SH "BUGS"
.PP
Please report bugs to the author.
.SH "SEE ALSO"
.PP
\fBruby(1), openssl(1), openvpn(8)\fR
.SH "COPYRIGHT"
.PP
Copyright (C) 2007 Michael Schutte <m.schutte.jr@gmail.com>
.PP
This is free software; you may redistribute unmodified and modified
copies of it under the terms of the GNU General Public License.  There
is \fBno warranty\fR, to the extent permitted by law.