MCC main configuration file

This file is located at /etc/mcc/mcc.conf by default. To override the path, pass the new one as an argument to mccd.

listen-addr = 0.0.0.0:9376

Listen address (ip:port).

parents

Parent nodes' socket addresses (ip:port, hostname:port, ...).

parents-resolve-period = 1h

How frequently the parents' hostnames need to be resolved.

resolver.ipv4-network = 10.83.0.0/16

IPv4 network that is used to resolve node IDs. Beware that the addresses from this network are always local to the current node and are assigned dynamically. The same address on different nodes may point to a different node ID. An address is reassigned only if the system runs out of IP addresses, i.e. once you have resolved more than 65536 unique node IDs from a single node.

resolver.ipv6-network = 200::/7

IPv6 network that is used to resolve node IDs. The default is an unused IPv6 range that was deprecated in RFC 4048.

resolver.mac-address-mask = AE:00:00:00:00:00

MAC address mask that is used to resolve node IDs.

resolver.domain = .home.arpa

Domain under which node IDs are resolved. The default is .home.arpa (RFC 8375).

resolver.ttl = 0

TTL of DNS entries in seconds.

unix-socket-path = /tmp/.mcc-socket

UNIX socket path used by the mcc command.

unix-enable = true

Enable UNIX socket server. Without this server mcc commands do not work.

keep-alive-period = 30s

How frequently the parent node needs to be checked.

topology-update-period = 2m

How frequently the topology needs to be sent to the parent node.

rejoin-period = 1m

How frequently a node tries to switch to the first parent.

log-level = info

Log verbosity level. Possible values: off, error, warn, info, debug, trace.

log-file

Redirect all MCC output to the specified file.

data-dir = /var/lib/mcc

Internal data storage directory.

tun-device-name = mcc0
tun-device-name = utun83

TUN device name (utun83 on macOS, mcc0 otherwise).

tun-device-mtu = 1280

TUN device MTU.

firewall-chain-name = MCC

Firewall chain name.

dns-addr = 127.0.0.1:8353

Bind address (ip:port) of internal DNS server that is used to resolve node IDs.

dns-enable = true

Enable the local DNS server. Without this server node ID resolution does not work on Musl-based Linux distributions and macOS, but still works on Glibc-based Linux distributions via the NSS module.

node-certificate = /etc/mcc/node-certificate.txt

Node's certificate path.

node-private-key = /etc/mcc/node-private-key.txt

Node's private key path.

network-certificates = /etc/mcc/network-certificate.txt

Comma-separated list of files with trusted network certificates.

compression = none

Compression method for tunneled packets. Possible values: none, lz4.

cert-update-addr = cas.staex.io:8081

The address (ip:port) of a server to get updated certificates from.

cert-update-enable = true

Enable automatic update of network certificates.

cert-update-period = 3h

How frequently to update network certificates.

dns-names

Comma-separated list of DNS names associated with the node.

tunnels = /etc/mcc/tunnels

A directory that contains tunnels configuration files.

dependent-nodes = /etc/mcc/dependent-nodes

⚠️ This key was deprecated in MCC v2. Please use tunnels instead.

A directory that contains dependent nodes configuration files.

static-addr = 10.115.0.0/16

Static IP address of this node in the overlay network. Please note that dynamic IP addresses are more secure against man-in-the-middle attacks than static ones: dynamic addresses resolve to node IDs locally, whereas static addresses resolve to node IDs by contacting a parent node. This also means that dynamic addresses are much faster to resolve than static ones.

network-lookup-ttl = 64

Network lookup TTL, i.e. the maximum number of hops a packet will travel before being dropped. This applies to static IP address and DNS name resolution.

network-lookup-timeout = 20s

Network lookup timeout. This applies to static IP address and DNS name resolution.

forwarding-rules = /etc/mcc/forwarding-rules.conf

Packet forwarding rules.

forwarding-rules-commit-timeout = 7s

The timeout for applying new forwarding rules with the mcc apply-forwarding-rules command.

dnsmasq-enable

Enable Dnsmasq integration. When enabled, MCC generates a configuration file for Dnsmasq and places it under dnsmasq-directory. The integration is enabled by default if dnsmasq-directory exists. Note that MCC does not restart Dnsmasq and does not delete the generated configuration file.

dnsmasq-directory = /etc/dnsmasq.d

Dnsmasq directory that contains additional (usually per-domain) configuration files.

dnsmasq-restart-command

Dnsmasq restart shell command. By default MCC does not restart Dnsmasq after the configuration file is generated, because doing so may interfere with the system boot sequence. If you are sure that this is not an issue, specify the restart command here, e.g. systemctl restart dnsmasq.

exit-node = false

Allow traffic destined outside the MCC network to be routed through this node. Use in conjunction with gateway to tunnel all the traffic through the MCC network. Disabled by default.

gateway

The node id of the exit-node through which all the traffic generated by/routed through this node will go.

gateway-post-add-hook

Shell script that is executed after the gateway IP rules are added. Use this option to keep traffic that goes through another VPN from being routed through the MCC gateway. This is useful when you run multiple VPNs per node.

For example, if you have another VPN running on port 1234, the script that makes this port bypass the gateway looks like this.

gateway-post-add-hook = ip rule add sport 1234 lookup main
gateway-post-delete-hook = ip rule del sport 1234 lookup main || true

Please refer to the ip-rule documentation to learn what other options you have.

gateway-post-delete-hook

Shell script that is executed after the gateway IP rules are deleted. Please see gateway-post-add-hook for more information.

kill-switch = false

Disallow routing traffic via the gateway when MCC is not running. This option adds a blackhole route that is not removed even if the mcc0 device is deleted (e.g. when MCC is restarted). It is a good idea to test this option when you have physical access to your node, otherwise it is easy to cut yourself off from the node.

nat-table-expiry = 60s

NAT table entries TTL. Network address translation (NAT) is used to route the traffic in/out of MCC network. You should increase this value only if you experience frequent connection drops.

reroute-dns

Reroute DNS traffic to the MCC network node given as node-id:port. Rerouting applies to any packet that goes to port 53. Use this option in conjunction with Stubby to encrypt your DNS traffic.

reroute-ntp

Reroute NTP traffic to the MCC network node given as node-id:port. Rerouting applies to any packet that goes to port 123. Use this option in conjunction with Chrony to encrypt your NTP traffic.

trusted-nodes

Node IDs to/from which it is allowed to send/receive packets. By default only nodes from the same network (i.e. with the same network certificate) are allowed to communicate.

trusted-networks

Network public keys (in BASE64 format) to/from which it is allowed to send/receive packets. By default only nodes from the same network (i.e. with the same network certificate) are allowed to communicate. You can copy the network public key from CAS.

ssl-install = false

Add SSL CA certificates obtained via MCC into the local trusted store using ssl-manage-script.

ssl-manage-script

The script that is used to install SSL CA certificates into the local trusted store. The script is called in the following way.

# Add new certificates to the store.
# The certificates are read from stdin as PEM encoded strings, one certificate per line.
# For each certificate the script should output the filename where it was stored.
./script.sh add
# Remove certificates from the store.
# The certificates are read from stdin as PEM encoded strings, one certificate per line.
./script.sh remove
# Remove all certificates added by MCC from the store.
./script.sh cleanup
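
The following is an added example of an ssl-manage-script that implements the add/remove/cleanup interface above; it is not MCC's own script. It assumes that each stdin line is one PEM certificate with its newlines written as "\n" escapes, and it writes only into a dedicated directory (MCC_SSL_STORE, an assumed name) with filenames derived from the certificate content so that untrusted input never chooses a path.

```shell
#!/bin/sh
# Example ssl-manage-script for MCC's ssl-install (added example, not MCC's code).
# Assumption: one PEM certificate per stdin line, newlines escaped as "\n".
set -eu

# Dedicated store directory (assumed name); only this script writes here.
MCC_SSL_STORE="${MCC_SSL_STORE:-/usr/local/share/ca-certificates/mcc}"

# Filename is a hash of the certificate text, never text taken from the input,
# so a crafted line cannot turn into a path such as ../../etc/ssl/something.
cert_file_name() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -c1-32
    else
        printf '%s' "$1" | shasum -a 256 | cut -c1-32
    fi
}

# "add": store each PEM line as a .crt file and print the path MCC should record.
mcc_ssl_add() {
    mkdir -p "$MCC_SSL_STORE"
    while IFS= read -r line; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----") ;;
            *) echo "skipping line that is not a PEM certificate" >&2; continue ;;
        esac
        file="$MCC_SSL_STORE/mcc-$(cert_file_name "$line").crt"
        printf '%b\n' "$line" > "$file"   # %b turns the "\n" escapes back into newlines
        echo "$file"
    done
}

# "remove": delete the file for each PEM line (same content-derived name as add).
mcc_ssl_remove() {
    while IFS= read -r line; do
        rm -f "$MCC_SSL_STORE/mcc-$(cert_file_name "$line").crt"
    done
}

# "cleanup": drop every certificate this script ever added, nothing else.
mcc_ssl_cleanup() {
    rm -f "$MCC_SSL_STORE"/mcc-*.crt
}

case "${1:-}" in
    add)     mcc_ssl_add ;;
    remove)  mcc_ssl_remove ;;
    cleanup) mcc_ssl_cleanup ;;
    "")      ;;   # no verb: only define the functions
    *)       echo "usage: $0 add|remove|cleanup" >&2; exit 2 ;;
esac
```

After adding files with a script like this, the system trust store still has to be rebuilt (e.g. update-ca-certificates on Debian-based systems) for applications to pick the certificates up.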

ssl-certificates

Comma-separated list of files with PEM-encoded SSL CA certificates.

ssl-storage-timeout = 24h

How long SSL CA certificates are kept without an update.

ssl-storage-cleanup-period = 1h

How frequently expired SSL CA certificates are cleaned up.

ssl-certificates-ttl = 64

TTL of SSL-related packets, i.e. the maximum number of hops a packet will travel before being dropped.

ssl-update-batch-size = 10

The maximum number of SSL-related messages that are sent in parallel by a parent to its child nodes.

ssl-update-send-period = 30s

How frequently batches of SSL-related messages are sent by a parent to its child nodes.

See also