This file is located under /etc/mcc/mcc.conf path by default.
To override the path pass the new one as the argument to mccd.
listen-addr = 0.0.0.0:9376
Listen address (ip:port).
parents
Parent nodes' socket addresses (ip:port, hostname:port, ...).
parents-resolve-period = 1h
How frequently the parents' hostnames need to be resolved.
resolver.ipv4-network = 10.83.0.0/16
IPv4 network that is used to resolve node IDs. Beware that the addresses from this network are always local to the current node and are assigned dynamically. The same address on different nodes may point to a different node ID. The address is reassigned only if the system runs out of IP addresses, i.e. you resolve over 65536 unique node IDs from a single node.
resolver.ipv6-network = 200::/7
IPv6 network that is used to resolve node IDs. The default is unused IPv6 range deprecated in RFC 4048.
resolver.mac-address-mask = AE:00:00:00:00:00
MAC address mask that is used to resolve node IDs.
resolver.domain = .home.arpa
Domain under which node IDs are resolved.
The default is .home.arpa (RFC 8375).
resolver.ttl = 0
TTL of DNS entries in seconds.
unix-socket-path = /tmp/.mcc-socket
UNIX socket path used by mcc command.
unix-enable = true
Enable UNIX socket server.
Without this server mcc commands do not work.
keep-alive-period = 30s
How frequently the parent node needs to be checked.
topology-update-period = 2m
How frequently topology needs to be sent to the parent node.
rejoin-period = 1m
How frequently a node tries to switch to the first parent.
log-level = info
Log verbosity level.
Possible values: off, error, warn, info, debug, trace.
log-file
Redirect all MCC output to the specified file.
data-dir = /var/lib/mcc
Internal data storage directory.
tun-device-name = mcc0
tun-device-name = utun83
TUN device name (utun83 on MacOS, mcc0 otherwise).
tun-device-mtu = 1280
TUN device MTU.
firewall-chain-name = MCC
Firewall chain name.
dns-addr = 127.0.0.1:8353
Bind address (ip:port) of internal DNS server that is used to resolve node IDs.
dns-enable = true
Enable local DNS server. Without this server node ID resolution does not work on musl-based Linux distributions and MacOS, but still works on glibc-based Linux distributions via NSS module.
node-certificate = /etc/mcc/node-certificate.txt
Node's certificate path.
node-private-key = /etc/mcc/node-private-key.txt
Node's private key path.
network-certificates = /etc/mcc/network-certificate.txt
Comma-separated list of files with trusted network certificates.
compression = none
Compression method for tunneled packets.
Possible values: none, lz4.
cert-update-addr = cas.staex.io:8081
The address (ip:port) of a server to get updated certificates from.
cert-update-enable = true
Enable automatic update of network certificates.
cert-update-period = 3h
How frequently to update network certificates.
dns-names
Comma-separated list of DNS names associated with the node.
dependent-nodes = /etc/mcc/dependent-nodes
A directory that contains dependent nodes configuration files.
static-addr = 10.115.0.0/16
Static IP address of this node in overlay network. Please note that dynamic IP addresses is more secure against man-in-the-middle attacks than static ones: dynamic addresses resolve to node ids locally whereas static addresses resolve to node ids by contacting a parent node. This also means that dynamic addresses are much faster to resolve than static ones.
network-lookup-ttl = 64
Network lookup TTL, i.e. the maximum number of hops a packet will travel before being dropped. This applies to static IP address and DNS name resolution.
network-lookup-timeout = 20s
Network lookup timeout. This applies to static IP address and DNS name resolution.
forwarding-rules = /etc/mcc/forwarding-rules.conf
Packet forwarding rules.
forwarding-rules-commit-timeout = 7s
The timeout of applying new forwarding rules with
mcc apply-forwarding-rules
command.
dnsmasq-enable
Enable Dnsmasq integration.
When enabled MCC will generate configuration file for Dnsmasq and
place it under dnsmasq-directory.
The integration is enabled by default if dnsmasq-directory exists.
Note that MCC does not restart Dnsmasq and does not delete generated configuration file.
dnsmasq-directory = /etc/dnsmasq.d
Dnsmasq directory that contains additional (usually per-domain) configuration files.
dnsmasq-restart-command
Dnsmasq restart shell command.
By default MCC does not restart Dnsmasq after the configuration file is generated,
because it may interfere with system boot sequence.
If you are sure that this is not an issue, specify restart command here.
Something like systemctl restart dnsmasq.
exit-node = false
Allow to route the traffic outside MCC network through this node. Use in conjunction with gateway to tunnel all the traffic through MCC network. Disabled by default.
gateway
The node id of the exit-node through which all the traffic generated by/routed through this node will go.
gateway-post-add-hook
Shell script that is executed after the gateway ip rules are added. Use this option to not route the traffic that goes through another VPN through MCC gateway. This is useful when you run multiple VPNs per node.
For example if you have another VPN runing on port 1234 the script that makes this port bypass the gateway looks like this.
gateway-post-add-hook = ip rule add sport 1234 lookup main
gateway-post-delete-hook = ip rule del sport 1234 lookup main || true
Please refer to ip-rule documentation to learn what other options do you have.
gateway-post-delete-hook
Shell script that is executed after the gateway ip rules are deleted. Please see gateway-post-add-hook for more information.
kill-switch = false
Disallow to route the traffic via the gateway when MCC is not running.
This option adds blackhole route
that is not removed even if mcc0 device is deleted (i.e. when MCC is restarted).
It is a good idea to test this option when you have physical access to your node,
otherwise it is easy to cut yourself out of the node.
nat-table-expiry = 60s
NAT table entries TTL. Network address translation (NAT) is used to route the traffic in/out of MCC network. You should increase this value only if you experience frequent connection drops.
reroute-dns
Reroute DNS traffic to the specified network node in MCC network specified by node-id:port.
Rerouting is implemented for any packet that goes to port 53.
Use this option in conjunction with Stubby to encrypt your DNS traffic.
reroute-ntp
Reroute NTP traffic to the specified network node in MCC network specified by node-id:port.
Rerouting is implemented for any packet that goes to port 123.
Use this option in conjunction with Chrony to encrypt your NTP traffic.
trusted-nodes
Node ids to/from which it is allowed to send/receive packets. By default only nodes from the same network (i.e. with the same network certificate) are allowed to communicate.
trusted-networks
Network public keys (in BASE64 format) to/from which it is allowed to send/receive packets. By default only nodes from the same network (i.e. with the same network certificate) are allowed to communicate. You can copy network public key from CAS.
ssl-install = false
Add SSL CA certificates obtained via MCC into the local trusted store using ssl-manage-script.
ssl-manage-script
The script that is used to install SSL CA certificates into the local trusted store. The script is called in the following way.
# Add new certificates to the store.
# The certificates are read from stdin as PEM encoded strings, one certificate per line.
# For each certificate the script should output the filename where it was stored.
# Remove certificates from the store
# The certificates are read from stdin as PEM encoded strings, one certificate per line.
# Remove all certificates added by MCC from the store.
ssl-certificates
Comma-separated list of files with PEM-encoded SSL CA certificates.
ssl-storage-timeout = 24h
How long SSL CA certificates are kept without an update.
ssl-storage-cleanup-period = 1h
How frequently expired SSL CA certificates are cleaned up.
ssl-certificates-ttl = 64
TTL of SSL-related packets, i.e. the maximum number of hops a packet will travel before being dropped.
ssl-update-batch-size = 10
The maximum number of SSL-related messages that are sent in parallel by a parent to its child nodes.
ssl-update-send-period = 30s
How frequently batches of SSL-related messages are sent by a parent to its child nodes.