tcpcryptd as a system service on Debian
=======================================

If you run a Linux kernel with systemd as pid 1, the Debian tcpcryptd
package ships a tcpcryptd.service file that is intended to update
iptables rules and to run the tcpcryptd daemon.

This system service is not enabled by default. If you want it
enabled, you should:

    systemctl enable tcpcryptd

If the daemon fails or the systemd service is terminated, systemd will
attempt to tear down the iptables rules that it had set up before
launching tcpcryptd. These iptables rules handle packet redirection to
userspace on the netfilter nfqueue socket. They're defined in
/usr/share/tcpcryptd/iptables.sh.

If your system already uses systemd, but has firewalling rules that are
incompatible with these iptables rules, you should be able to override
the ExecStartPre and ExecStopPost entries in tcpcryptd.service (see
"Overriding vendor settings" in systemd.unit(5)).

If you do not use systemd, take a look at
/usr/share/doc/tcpcryptd/examples/launch_tcpcryptd.sh for an example of
how to do the launch.

If you do not run a Linux kernel, you might also be interested in
/usr/share/tcpcryptd/pf.conf.

 -- Daniel Kahn Gillmor, Fri, 1 Apr 2016 16:30:12 -0300
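The "Overriding vendor settings" approach mentioned above, as an added example that is not part of the Debian package: a drop-in that replaces the vendor ExecStartPre/ExecStopPost with a site-specific firewall script. The path /usr/local/sbin/tcpcryptd-fw.sh and its start/stop arguments are assumptions; put your own nfqueue redirection rules there.

```ini
# /etc/systemd/system/tcpcryptd.service.d/override.conf
# Added example (not shipped by the tcpcryptd package). The script path
# /usr/local/sbin/tcpcryptd-fw.sh and its "start"/"stop" arguments are
# hypothetical; it must install and remove the same kind of nfqueue
# redirection rules that /usr/share/tcpcryptd/iptables.sh sets up,
# adapted to the host's existing firewall policy.
[Service]
# An empty assignment resets the vendor command list. Without it, systemd
# would append to the list and run the vendor iptables.sh *and* the
# replacement, leaving the incompatible rules in place.
ExecStartPre=
ExecStartPre=/usr/local/sbin/tcpcryptd-fw.sh start
ExecStopPost=
ExecStopPost=/usr/local/sbin/tcpcryptd-fw.sh stop
```

After writing the drop-in, run `systemctl daemon-reload` and check the merged unit with `systemctl cat tcpcryptd` to confirm that only the replacement commands remain in ExecStartPre and ExecStopPost.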