diff --git a/docs/tunneling/fastd.md b/docs/tunneling/fastd.md index a774bc5..baca8c7 100644 --- a/docs/tunneling/fastd.md +++ b/docs/tunneling/fastd.md @@ -31,6 +31,9 @@ mode multitap; # The encryption method (don't change this unless you need to) method "salsa2012+umac"; +method "salsa2012+poly1305"; +method "salsa20+umac"; +method "salsa20+poly1305"; # Bind to and listen for incoming connections on this address and port bind [::]:; @@ -103,6 +106,17 @@ Now we need to fill in the peer details of the node you are connecting to: Fastd can provide a tunnel with `multitap` mode on layer 2 or a tunnel with `tun` mode on layer 3. Note that the fatsd has 20 bytes less overhead when using tun. +### Methods + +fastd supports various transmission encryptions. The encryption and authentication recommended by fastd is `salsa2012+umac`. If you specify multiple encryption methods, the first one specified is preferred. The others are used as fallbacks if the peer does not support the preferred one. +fastd has three groups of transmission ciphers: + - Encrypt and Authenticate + - Authenticate Only + - Transfer Only without Authentication + +It should be noted that poly1305 is very slow on embedded systems and AES is very slow without OpenSSL. +When fastd is used without encryption or authentication, the data is authenticated only by the sender IP address. This authentication can be disabled with `float yes;`. + ### MTU The default MTU of a fastd tunnel is 1500 bytes. However, this can be problematic if the Internet uplink also has an MTU of 1500 or less. In this case IP fragmentation can occur. This is usually something you want to avoid. @@ -139,3 +153,4 @@ To enable the systemd unit on startup run `systemctl enable fastd@crxn` - [fastd documentation](https://fastd.readthedocs.io/en/stable/) - [fastd mtu documentation](https://fastd.readthedocs.io/en/stable/manual/mtu.html) +- [Encryption & authentication methods in fastd](https://fastd.readthedocs.io/en/stable/manual/methods.html)