
Install and puppetize VPNCloud
Closed, Declined (Public)

Description

VPNCloud is a solution that allows us to create a virtual private network with encryption. It is not packaged in Debian, so we'll need to grab a deb from the releases page. Version 0.9.x has dependencies that require buster (which we don't have yet), thus we must use the 0.8.x version.

Below is an example for a 'working' config (/etc/vpncloud/miraheze-internal.net), albeit with a few TODOs:

  • All OpenVZ servers MUST have TUN/TAP enabled; this can be done in SolusVM but requires a reboot
  • Change to use aes256 with long secret
  • Determine if running under root/root is necessary
  • Add a pid file
  • Determine device_type and mode values (default does work actually, but other options may bring better performance)
  • On cp5 the ifconfig command didn't exist, I had to install package net-tools for that. It looks like ifconfig is deprecated. Have to decide whether to install net-tools package or use another command (if that is possible...)
  • Do some additional testing with regards to throughput, optimal MTU and packet loss
# This configuration file uses the YAML format.

# This configuration can be enabled/disabled and controlled by adding the
# network to `/etc/default/vpncloud` and starting/stopping it via
# `/etc/init.d/vpncloud start/stop` on non-systemd systems and via
# `systemctl enable/disable vpncloud@NAME` and
# `service vpncloud@NAME start/stop` on systemd systems.


# The port number on which to listen for data.
# Note: Every VPN needs a different port number.
port: 3210

# Address of a peer to connect to. The address should be in the form
# `addr:port`. If the node is not started, the connection will be retried
# periodically. This parameter can be repeated to connect to multiple peers.
# Note: Several entries can be separated by spaces.
peers:
  - 172.104.111.8:3210
#  - node3.example.com:3210

# Peer timeout in seconds. The peers will exchange information periodically
# and drop peers that are silent for this period of time.
#peer_timeout: 1800

# Switch table entry timeout in seconds. This parameter is only used in switch
# mode. Addresses that have not been seen for the given period of time will
# be forgotten.
#dst_timeout: 300

# An optional token that identifies the network and helps to distinguish it
# from other networks.
magic: "76706e01"

# An optional shared key to encrypt the VPN data. If this option is not set,
# the traffic will be sent unencrypted.
#shared_key: "blabla123"

# The encryption method to use ("aes256", or "chacha20"). Most current CPUs
# have special support for AES256 so this should be faster. For older
# computers lacking this support, only CHACHA20 is supported.
#crypto: aes256

# Name of the virtual device. Any `%d` will be filled with a free number.
#device_name: "vpncloud%d"

# Set the type of network. There are two options: **tap** devices process
# Ethernet frames, **tun** devices process IP packets. [default: `tap`]
#device_type: tap

# The mode of the VPN. The VPN can act like a router, a switch or a hub. A **hub**
# will send all data always to all peers. A **switch** will learn addresses
# from incoming data and only send data to all peers when the address is
# unknown. A **router** will send data according to known subnets of the
# peers and ignore them otherwise. The **normal** mode is switch for tap
# devices and router for tun devices. [default: `normal`]
#mode: normal

# The local subnets to use. This parameter should be in the form
# `address/prefixlen` where address is an IPv4 address, an IPv6 address, or a
# MAC address. The prefix length is the number of significant front bits that
# distinguish the subnet from other subnets. Example: `10.1.1.0/24`.
# Note: Several entries can be separated by spaces.
subnets:
  - 10.0.1.0/24

# A command to setup the network interface. The command will be run (as
# parameter to `sh -c`) when the device has been created to configure it.
# The name of the allocated device will be available via the environment
# variable `IFNAME`.
ifup: "ifconfig $IFNAME 10.0.1.10/24 mtu 1350"

# A command to bring down the network interface. The command will be run (as
# parameter to `sh -c`) to remove any configuration from the device.
# The name of the allocated device will be available via the environment
# variable `IFNAME`.
ifdown: "ifconfig $IFNAME down"

# Store the process id in this file when running in the background. If set,
# the given file will be created containing the process id of the new
# background process. This option is only used when running in background.
#pid_file: ""

# Change the user and/or group of the process once all the setup has been
# done and before spawning the background process. This option is only used
# when running in background.
user: "root"
group: "root"

Event Timeline

Southparkfan triaged this task as Normal priority. Feb 22 2019, 23:42
Southparkfan created this task.
Southparkfan updated the task description. Feb 22 2019, 23:44

Task filed to bring 0.9.x to stretch

Note to self for ifconfig -> ip:

# The name of the allocated device will be available via the environment
# variable `IFNAME`.
#ifup: "ip addr add 10.0.1.5/16 dev $IFNAME && ip link set dev $IFNAME mtu 1400 && ip link set $IFNAME up"
ifup: "ifconfig $IFNAME 10.0.1.5/16 mtu 1400"

# A command to bring down the network interface. The command will be run (as
# parameter to `sh -c`) to remove any configuration from the device.
# The name of the allocated device will be available via the environment
# variable `IFNAME`.
#ifdown: "ip link set $IFNAME down"
ifdown: "ifconfig $IFNAME down"

might work

So, after some hassle with a broken tun/tap on elasticsearch1 we have the following servers running vpncloud now:

cp3             10.0.1.4
db4             10.0.1.3
elasticsearch1  10.0.1.1
test1           10.0.1.2

Created T4346 for enabling TUN/TAP on all servers.

Paladox updated the task description.
Paladox updated the task description. Jun 1 2019, 00:42

Went with installing net-tools globally. We can revisit looking for something else.

Paladox raised the priority of this task from Normal to High. Jun 1 2019, 01:00

With goal period ending really soon, this is now a high priority task.

Paladox added a comment. Jun 2 2019, 23:54

I think we should decline and try strongswan?

John closed this task as Resolved. Jun 5 2019, 18:34
John changed the task status from Resolved to Declined.