Installing tcpcrypt on Linux
============================

Tcpcrypt has two separate Linux implementations: kernel and userland. These
instructions cover only the userland tcpcrypt, which is easier to set up.


Dependencies
============

 * OpenSSL >= 0.9.8
 * libnfnetlink >= 0.0.40
 * libnetfilter_queue >= 0.0.16
 * libnetfilter_conntrack >= 1.0.1
 * libcap
 * Kernel divert socket support (NFQUEUE)


Ubuntu and Debian package dependencies
--------------------------------------

    apt-get install iptables libcap-dev libssl-dev \
                    libnfnetlink-dev \
                    libnetfilter-queue-dev \
                    libnetfilter-conntrack-dev


Arch Linux package dependencies
-------------------------------

    pacman -S --needed \
            base-devel \
            iptables \
            openssl \
            libnfnetlink \
            libnetfilter_queue \
            libcap \
            libnetfilter_conntrack


Kernel divert sockets (NFQUEUE)
-------------------------------

Installing your distribution's libnetfilter_queue package most likely handles
this for you. If not, then you need to enable the following in `make
menuconfig`:

* Networking -> Networking options -> Network packet filtering framework (Netfilter) and the following suboptions
* Core Netfilter Configuration -> Netfilter NFQUEUE over NFNETLINK interface
* Core Netfilter Configuration -> Netfilter Xtables support -> "NFQUEUE" target Support

The `.config` options for these are:

    CONFIG_NETFILTER_NETLINK
    CONFIG_NETFILTER_NETLINK_QUEUE
    CONFIG_NETFILTER_XT_TARGET_NFQUEUE
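
To confirm these three options on an already-built kernel, you can read its config file instead of opening `make menuconfig`. The script below is an added example, not part of tcpcrypt; the function names `kconfig_state` and `check_nfqueue_config` are hypothetical, and the config file locations named in its comments are common defaults that may differ on your system.

```shell
#!/bin/sh
# Added example: report whether a kernel config enables the three NFQUEUE
# options that userland tcpcrypt depends on.

NFQUEUE_OPTS="CONFIG_NETFILTER_NETLINK
CONFIG_NETFILTER_NETLINK_QUEUE
CONFIG_NETFILTER_XT_TARGET_NFQUEUE"

# kconfig_state FILE OPTION -> prints "y", "m", or "n".
# "n" covers both "# OPTION is not set" and an option missing from the file.
# Matching is on the exact option name, so CONFIG_NETFILTER_NETLINK does not
# match CONFIG_NETFILTER_NETLINK_QUEUE. A FILE ending in .gz is decompressed.
kconfig_state() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac | awk -F= -v opt="$2" '
        $1 == opt { state = $2 }
        END { if (state == "y" || state == "m") print state; else print "n" }'
}

# check_nfqueue_config FILE -> one status line per option; returns 1 if any
# option is disabled, 2 if FILE is unreadable.
check_nfqueue_config() {
    [ -r "$1" ] || { echo "cannot read kernel config: $1" >&2; return 2; }
    rc=0
    for opt in $NFQUEUE_OPTS; do
        case "$(kconfig_state "$1" "$opt")" in
            y) echo "$opt=y (built in)" ;;
            m) echo "$opt=m (module; must be loadable)" ;;
            *) echo "$opt is not enabled"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Script entry point: check the config file named on the command line, e.g.
# /boot/config-$(uname -r), or /proc/config.gz where the kernel exposes it.
if [ $# -gt 0 ]; then
    check_nfqueue_config "$1"
fi
```

A non-zero exit status means at least one option is missing and the kernel needs to be rebuilt with the settings above before tcpcryptd can divert packets.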


Compiling
---------

Run:

    cd tcpcrypt
    ./bootstrap.sh
    ./configure
    make

Optional: running `make install` will install `libtcpcrypt` and tcpcrypt
headers, for building apps that use tcpcrypt's session ID.


Try it out
----------

See the included `README.markdown` file for ways to try out tcpcrypt.


Reported issues
---------------

Tcpcrypt is incompatible with ECN (explicit congestion notification, RFC 3168).
To disable ECN (if you know what you're doing), run
`sudo sysctl net.ipv4.tcp_ecn=0`. Reported by jech at
https://github.com/sorbo/tcpcrypt/issues/7.


iptables firewall setup
=======================

The included `launch_tcpcryptd.sh` script adds iptables rules to divert all TCP
traffic on port 80 to tcpcryptd. See `src/iptables.sh` for details.