VPNCloud is a solution that allows us to create a virtual private network with encryption. It is not packaged in debian, so we'll need to grab a deb from the releases page. Version 0.9.x has depedencies that requires buster (which we don't have yet), thus we must use the 0.8.x version.
Below is an example for a 'working' config (/etc/vpncloud/miraheze-internal.net), albeit with a few TODO's:
- All OpenVZ servers MUST have TUN/TAP enabled, this can be done in SolusVM but requires a reboot
- Change to use aes256 with long secret
- Determine if running under root/root is necessary
- Add a pid file
- Determine device_type and mode values (default does work actually, but other options may bring better performance)
- On cp5 the ifconfig command didn't exist, I had to install package net-tools for that. It looks like ifconfig is deprecated. Have to decide whether to install net-tools package or use another command (if that is possible...)
- Do some additional testing with regards to throughput, optimal MTU and packet loss
# This configuration file uses the YAML format. # This configuration can be enabled/disabled and controlled by adding the # network to `/etc/default/vpncloud` and starting/stopping it via # `/etc/init.d/vpncloud start/stop` on non-systemd systems and via # `systemctl enable/disable vpncloud@NAME` and # `service vpncloud@NAME start/stop` on systemd systems. # The port number on which to listen for data. # Note: Every VPN needs a different port number. port: 3210 # Address of a peer to connect to. The address should be in the form # `addr:port`. If the node is not started, the connection will be retried # periodically. This parameter can be repeated to connect to multiple peers. # Note: Several entries can be separated by spaces. peers: - 126.96.36.199:3210 # - node3.example.com:3210 # Peer timeout in seconds. The peers will exchange information periodically # and drop peers that are silent for this period of time. #peer_timeout: 1800 # Switch table entry timeout in seconds. This parameter is only used in switch # mode. Addresses that have not been seen for the given period of time will # be forgot. #dst_timeout: 300 # An optional token that identifies the network and helps to distinguish it # from other networks. magic: "76706e01" # An optional shared key to encrypt the VPN data. If this option is not set, # the traffic will be sent unencrypted. #shared_key: "blabla123" # The encryption method to use ("aes256", or "chacha20"). Most current CPUs # have special support for AES256 so this should be faster. For older # computers lacking this support, only CHACHA20 is supported. #crypto: aes256 # Name of the virtual device. Any `%d` will be filled with a free number. #device_name: "vpncloud%d" # Set the type of network. There are two options: **tap** devices process # Ethernet frames **tun** devices process IP packets. [default: `tap`] #device_type: tap # The mode of the VPN. The VPN can like a router, a switch or a hub. A **hub** # will send all data always to all peers. A **switch** will learn addresses # from incoming data and only send data to all peers when the address is # unknown. A **router** will send data according to known subnets of the # peers and ignore them otherwise. The **normal** mode is switch for tap # devices and router for tun devices. [default: `normal`] #mode: normal # The local subnets to use. This parameter should be in the form # `address/prefixlen` where address is an IPv4 address, an IPv6 address, or a # MAC address. The prefix length is the number of significant front bits that # distinguish the subnet from other subnets. Example: `10.1.1.0/24`. # Note: Several entries can be separated by spaces. subnets: - 10.0.1.0/24 # A command to setup the network interface. The command will be run (as # parameter to `sh -c`) when the device has been created to configure it. # The name of the allocated device will be available via the environment # variable `IFNAME`. ifup: "ifconfig $IFNAME 10.0.1.10/24 mtu 1350" # A command to bring down the network interface. The command will be run (as # parameter to `sh -c`) to remove any configuration from the device. # The name of the allocated device will be available via the environment # variable `IFNAME`. ifdown: "ifconfig $IFNAME down" # Store the process id in this file when running in the background. If set, # the given file will be created containing the process id of the new # background process. This option is only used when running in background. #pid_file: "" # Change the user and/or group of the process once all the setup has been # done and before spawning the background process. This option is only used # when running in background. user: "root" group: "root"