diff --git a/Point-to-Point-Tutorial.md b/Point-to-Point-Tutorial.md index 1801874..4ca159f 100644 --- a/Point-to-Point-Tutorial.md +++ b/Point-to-Point-Tutorial.md @@ -1,12 +1,11 @@ -## Goals -* Connect several single nodes via a VPN -* Nodes should be able to reach each others even through NATs -* Traffic should be secured with a password -* Nodes should be accessible by IP addresses and names like `NODE.myvpn` +## Scenario +![imgs/point_to_point_scenario.png](Point to point scenario) + +Three single nodes should be connected via a secure VPN. `node1` and `node3` have fixed addresses but `node2` has a dynamic address that changes regularly. -## Preparations -To be able to set up the VPN, at least one node needs to be reachable by an +#### Note +To be able to set up the VPN, at least one node needs to have a be reachable by an unchanging address of hostname. This is normally not the case with common DSL uplinks (they change addresses every day). Please see [[Dynamic DNS]] for a solution. @@ -16,9 +15,9 @@ a solution. The actual VpnCloud setup is pretty simple. A new network config in `/etc/vpncloud` has to be created on each node. -There is an example file to start with in `/etc/vpncloud/example.net`. +There is an example file in `/etc/vpncloud/example.net.disabled` that explains all the parameters. - $> sudo cp /etc/vpncloud/example.net /etc/vpncloud/mynet.net + $> sudo cp /etc/vpncloud/example.net.disabled /etc/vpncloud/mynet.net Now that file has to edited to change a few values: 
@@ -26,21 +25,38 @@ Now that file has to edited to change a few values: The following values have to be modified: -- **PEERS**: This is a list of all peers that this node should connect to. - Only unchanging addresses can be used here. Several addresses can be appended - and separated by spaces like `"node1.dyndns.org:3210 node2.dyndns.org:3210"`. - All nodes that have an unchanging address should be listed here. +- **peers**: This is a list of all peers that this node should connect to. + Only unchanging addresses can be used here. -- **SHARED_KEY**: This is a shared password for all nodes that secures the +- **shared_key**: This is a shared password for all nodes that secures the communication. It must be the same on all nodes and of course it should be a strong password. -- **IFUP**: `ifconfig $IFNAME 10.0.0.X/24 mtu 1400` where `X` is different for +- **ifup**: `ifconfig $IFNAME 10.0.0.X/24 mtu 1400` where `X` is different for every node. It is good idea to use incrementing numbers here and to track the assigned numbers and nodes in a list. -- **ENABLED**: This needs to be set to `1` when everything is finished so the - network is started automatically. +This leads to the following configuration files: + +#### Node1 + peers: + - node3.example.com + shared_key: "mysupersecretkey" + ifup: "ifconfig $IFNAME 10.0.0.1/24 mtu 1400" + +#### Node2 + peers: + - node1.example.com + - node3.example.com + shared_key: "mysupersecretkey" + ifup: "ifconfig $IFNAME 10.0.0.2/24 mtu 1400" + +#### Node3 + peers: + - node1.example.com + shared_key: "mysupersecretkey" + ifup: "ifconfig $IFNAME 10.0.0.3/24 mtu 1400" + After the config file has been set up correctly, VpnCloud needs to be restarted: 
@@ -48,8 +64,16 @@ After the config file has been set up correctly, VpnCloud needs to be restarted: If you want to, you can [[associate names with the nodes|Naming Hosts]]. Please note that this procedure has to be done on all nodes. + ## Testing the network When everything has been setup properly, the connection can be checked using the `ping` command: - $> ping NAME.myvpn + $node1> ping 10.0.0.2 + $node2> ping 10.0.0.3 + $node3> ping 10.0.0.1 + + +## Advanced settings +- **crypto**: This setting defines the used encryption method. Options are `chacha20` (the default) and `aes256`. Both are pretty secure but `aes256` is only supported on newer CPUs (check support with `vpncloud -V`). If all nodes support `aes256` the method can be changed and might bring some speed improvements. +- **magic**: This setting can be changed to hide the protocol header and make VpnCloud undetectable. This setting must be the same on all nodes. diff --git a/imgs/point_to_point_scenario.dia b/imgs/point_to_point_scenario.dia new file mode 100644 index 0000000..5cfa20f Binary files /dev/null and b/imgs/point_to_point_scenario.dia differ diff --git a/imgs/point_to_point_scenario.png b/imgs/point_to_point_scenario.png new file mode 100644 index 0000000..1ce506f Binary files /dev/null and b/imgs/point_to_point_scenario.png differ
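Review bot: In the first hunk the new image line has the markdown arguments swapped, so the image will not render: `![imgs/point_to_point_scenario.png](Point to point scenario)` should read `![Point to point scenario](imgs/point_to_point_scenario.png)`. The same hunk also introduces a typo in the note ("needs to have a be reachable by an"; drop "have a"), and "unchanging address of hostname" should be "address or hostname". Replacing "## Preparations" with "#### Note" jumps from a level-2 to a level-4 heading with nothing in between; a "### Note" or a plain bold "Note:" would fit the rest of the file better.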
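Review bot: In the second hunk the three example configs all carry the literal `shared_key: "mysupersecretkey"`, which readers will copy verbatim even though the bullet above asks for a strong password; use an obvious placeholder such as `"<random key, identical on all nodes>"` and add one sentence on generating it with a random generator. The new `peers` entries also drop the `:3210` port that the removed text showed; if the default port is implied, say so, otherwise keep the port in the examples. Removing the **ENABLED** bullet leaves the tutorial with no statement of how a config becomes active; the first hunk renames the example to `example.net.disabled`, which suggests the suffix is now the switch, so state that explicitly here.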
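Review bot: In the third hunk the **magic** bullet overclaims when it says changing the header makes VpnCloud "undetectable"; a different magic value only stops trivial header matching, it does not hide traffic patterns or the port, so phrase it as "makes the protocol harder to identify by its header" and keep the note that all nodes must share the value. The **crypto** bullet's "Both are pretty secure" is vague; state that both are considered secure and that `aes256` is only worth switching to when `vpncloud -V` reports support on every node. Also the two consecutive blank lines before "## Advanced settings" should be reduced to one, and the unchanged context "has been setup properly" should read "set up".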