mirror of https://github.com/dswd/vpncloud.git
Updated Dial in Tutorial (markdown)
parent ab18a63f3a
commit 76431af9bb
@ -1,96 +1 @@
## Scenario
![Dial in scenario](imgs/dial_in_scenario.png)
Two single nodes should be connected via a secure VPN to a third node and its private network. The private network uses addresses in the range `192.168.1.0/24` and the subnet `192.168.254.0/24` is currently unused.
#### Note
To be able to set up the VPN, the gateway node needs to have a be reachable by an
unchanging address of hostname. This is normally not the case with common
DSL uplinks (they change addresses every day). Please see [[Dynamic DNS]] for
a solution.
## Setup
A new network config in `/etc/vpncloud` has to be created on each node.
There is an example file in `/etc/vpncloud/example.net.disabled` that explains all the parameters.
$> sudo cp /etc/vpncloud/example.net.disabled /etc/vpncloud/mynet.net
Now that file has to edited to change a few values:
$> sudo nano /etc/vpncloud/mynet.net
The following values have to be modified:
- **peers**: This is a list of all peers that this node should connect to.
Only unchanging addresses can be used here. The gateway should be listed here for all nodes.
- **shared_key**: This is a shared password for all nodes that secures the
communication. It must be the same on all nodes and of course it should be a
strong password.
- **device_type**: We need to set this to `tun` in our scenario.
- **subnets**: The subnets claimed by this node.
- **ifup**: This is the startup command for configuring the interface.
Here are the full configuration files for the nodes:
#### Node1
peers:
- gateway.example.com
device_type: tun
shared_key: "mysupersecretkey"
subnets:
- 192.168.254.1/32
ifup: "ifconfig $IFNAME 192.168.254.1/16 mtu 1400; route add 192.168.1.0/24 via $IFNAME"
#### Node2
peers:
- gateway.example.com
device_type: tun
shared_key: "mysupersecretkey"
subnets:
- 192.168.254.2/32
ifup: "ifconfig $IFNAME 192.168.254.2/16 mtu 1400; route add 192.168.1.0/24 via $IFNAME"
#### Gateway
peers: []
device_type: tun
shared_key: "mysupersecretkey"
subnets:
- 192.168.254.0/24
ifup: "ifconfig $IFNAME 192.168.254.254/24 mtu 1400; sysctl -w net.ipv4.ip_forward=1"
### Setting up routing
With this configuration, all packets from the clients reach the private network via the gateway but all the nodes in the private network need to know that packets to the clients need to be sent via the gateway.
This can either be done by adding a route to each nodes in the network:
$> route add 192.168.254.0/24 via 192.168.1.20
Alternatively a single such route can be added to the router (e.g. Fritz!Box) in the private network.
After the config file has been set up correctly, VpnCloud needs to be started:
$> sudo service vpncloud@mynet start
If you want to, you can [[associate names with the nodes|Naming Hosts]]. Please note that this procedure has to be done on all nodes.
## Testing the network
When everything has been setup properly, the connection can be checked using the
`ping` command:
$node1> ping 192.168.254.254 #check connection to gateway
$node1> ping 192.168.1.20 #check private network
$node1> ping 192.168.1.1 #check connection to node on private network
## Advanced settings
- **crypto**: This setting defines the used encryption method. Options are `chacha20` (the default) and `aes256`. Both are pretty secure but `aes256` is only supported on newer CPUs (check support with `vpncloud -V`). If all nodes support `aes256` the method can be changed and might bring some speed improvements.
- **magic**: This setting can be changed to hide the protocol header and make VpnCloud undetectable. This setting must be the same on all nodes.
Please see https://vpncloud.ddswd.de/usage/tutorial-dial-in/
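Review bot: The new page body is a bare URL with no statement that the tutorial has moved, so a reader arriving from an old wiki link or search result gets no context; suggest a one-line sentence such as `This tutorial has moved to https://vpncloud.ddswd.de/usage/tutorial-dial-in/` and keeping the short Scenario summary (private network `192.168.1.0/24`, unused `192.168.254.0/24` for the VPN) so the wiki page still stands on its own. Since the old content leaves the page with this hunk, it is also worth checking that the migrated version fixes what the removed lines show: Node1 and Node2 bring their interface up as `192.168.254.x/16` while the gateway configures `192.168.254.254/24` and claims `192.168.254.0/24`, and `route add 192.168.1.0/24 via $IFNAME` hands an interface name to `via`, which expects a next-hop address (the interface form is `dev $IFNAME`).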