
Main Configuration File

Complete reference for the MCC main configuration file (mcc.conf).

Overview

The main configuration file is located at /etc/mcc/mcc.conf by default. You can override the configuration directory path by passing it as an argument to mccd. The file uses a key-value format with optional sections.

Network Settings

  • listen-addr = 0.0.0.0:9376 -- address and port for incoming connections
  • parents -- comma-separated list of parent node socket addresses
  • parents-resolve-period = 1h -- how often to re-resolve parent hostnames
  • keep-alive-period = 30s -- interval between keepalive packets
  • topology-update-period = 2m -- interval between topology update broadcasts
  • rejoin-period = 1m -- interval between reconnection attempts to offline parents

Resolver Settings

  • resolver.ipv4-network = 10.83.0.0/16 -- IPv4 address range for the overlay
  • resolver.ipv6-network = 200::/7 -- IPv6 address range for the overlay
  • resolver.mac-address-mask = AE:00:00:00:00:00 -- base MAC address for virtual interfaces
  • resolver.domain = .home.arpa -- domain suffix for DNS resolution (commonly changed to .staex)
  • resolver.ttl = 0 -- DNS record time-to-live

DNS Settings

  • dns-addr = 127.0.0.1:8353 -- address and port for the built-in DNS server
  • dns-enable = true -- enable or disable the DNS resolver
  • dns-names -- comma-separated list of DNS names for this node
  • dnsmasq-enable -- enable automatic dnsmasq configuration
  • dnsmasq-directory = /etc/dnsmasq.d -- directory for dnsmasq drop-in configs
  • dnsmasq-restart-command -- command to execute after updating dnsmasq configuration

Security and Certificates

  • node-certificate -- path to the node certificate file
  • node-private-key -- path to the node private key file
  • network-certificates -- additional trusted network certificates (for inter-company tunneling)
  • trusted-nodes -- list of explicitly trusted node IDs from other networks
  • trusted-networks -- list of explicitly trusted network certificate fingerprints
  • cert-update-addr = cas.staex.io:8081 -- certificate authority address for updates
  • cert-update-enable = true -- enable automatic certificate renewal
  • cert-update-period = 3h -- interval between certificate update checks

Tunnel and Forwarding

  • tunnels = /etc/mcc/tunnels -- directory containing tunnel configuration files
  • forwarding-rules -- path to the forwarding rules file
  • forwarding-rules-commit-timeout = 7s -- timeout for interactive forwarding rule confirmation

Advanced Settings

  • unix-socket-path -- path to the UNIX socket for the mcc client
  • unix-enable = true -- enable the UNIX socket interface
  • log-level = info -- logging verbosity (trace, debug, info, warn, error)
  • log-file -- path to a log file (empty = stderr)
  • data-dir = /var/lib/mcc -- persistent data directory
  • tun-device-name -- name of the TUN network interface
  • tun-device-mtu = 1280 -- MTU for the TUN device
  • firewall-chain-name = MCC -- iptables chain name for MCC rules
  • compression = none -- traffic compression algorithm (none or lz4)
  • static-addr -- static overlay address for this node
  • network-lookup-ttl = 64 -- TTL for network lookup packets
  • network-lookup-timeout = 20s -- timeout for network lookup queries
  • nat-table-expiry = 60s -- expiry time for NAT translation table entries

Gateway Settings

  • exit-node = false -- configure this node as an exit node (gateway to the internet)
  • gateway -- node ID of the exit node to route internet traffic through
  • gateway-post-add-hook -- script to execute after adding gateway routes
  • gateway-post-delete-hook -- script to execute after removing gateway routes
  • kill-switch = false -- block all internet traffic when the gateway is unreachable
  • reroute-dns -- reroute DNS traffic through the gateway
  • reroute-ntp -- reroute NTP traffic through the gateway

SSL Settings

  • ssl-install = false -- enable SSL CA certificate distribution
  • ssl-manage-script -- path to the script that installs certificates into the trust store
  • ssl-certificates -- path to the CA certificates to distribute
  • ssl-storage-timeout = 24h -- how long to cache distributed certificates
  • ssl-storage-cleanup-period = 1h -- interval between cache cleanup runs
  • ssl-certificates-ttl = 64 -- TTL for certificate distribution packets
  • ssl-update-batch-size = 10 -- number of certificates to send per update batch
  • ssl-update-send-period = 30s -- interval between certificate distribution batches
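
The following is an added example, not part of the MCC documentation or tooling: a small audit script that reads an mcc.conf and reports settings from the Gateway, DNS, Security and Advanced sections that deserve a second look. It assumes flat `key = value` lines, literal `true`/`false` booleans, and `#` at the start of a line as a comment; section syntax is not handled, and the sample values (node ID, key path) are constructed placeholders.

```python
import os
import stat

# Defaults copied from the reference above.
DEFAULTS = {"dns-addr": "127.0.0.1:8353", "dns-enable": "true",
            "kill-switch": "false", "cert-update-enable": "true",
            "log-level": "info"}

# Constructed sample input, not a real deployment; values are placeholders.
SAMPLE = """\
# constructed example
dns-addr = 0.0.0.0:8353
gateway = EXAMPLE-NODE-ID
kill-switch = false
cert-update-enable = false
log-level = debug
node-private-key = /path/to/node.key
"""

def parse_conf(text):
    """Parse flat `key = value` lines on top of the documented defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        # Assumption: lines starting with '#' are comments.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (key, message) findings for settings worth reviewing."""
    out = []
    if conf.get("gateway") and conf["kill-switch"] != "true":
        out.append(("kill-switch", "gateway set, but traffic is not blocked when it is unreachable"))
    host = conf["dns-addr"].rsplit(":", 1)[0].strip("[]")
    local = host.startswith("127.") or host in ("::1", "localhost")
    if conf["dns-enable"] == "true" and not local:
        out.append(("dns-addr", "built-in DNS server listens beyond loopback"))
    if conf["cert-update-enable"] != "true":
        out.append(("cert-update-enable", "automatic certificate renewal is disabled"))
    if conf["log-level"] in ("trace", "debug"):
        out.append(("log-level", "verbose level set; confirm it is intended"))
    key = conf.get("node-private-key")
    if key and os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        out.append(("node-private-key", "key file is accessible by group or others"))
    return out

if __name__ == "__main__":
    for name, msg in audit(parse_conf(SAMPLE)):
        print(f"{name}: {msg}")
```

The private key check only runs when the path exists on the machine where the script is executed, so run it on the node itself.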