Tutorial: Point-to-point


Point to point scenario

Three single nodes should be connected via a secure VPN. node1 and node3 have fixed addresses but node2 has a dynamic address that changes regularly.


To be able to set up the VPN, at least one node needs to have a be reachable by an unchanging address of hostname. This is normally not the case with common DSL uplinks (they change addresses every day). Please see Dynamic DNS for a solution.


The actual VpnCloud setup is pretty simple.

A new network config in /etc/vpncloud has to be created on each node. There is an example file in /etc/vpncloud/example.net.disabled that explains all the parameters.

$> sudo cp /etc/vpncloud/example.net.disabled /etc/vpncloud/mynet.net

Now that file has to edited to change a few values:

$> sudo nano /etc/vpncloud/mynet.net

The following values have to be modified:

  • peers: This is a list of all peers that this node should connect to. Only unchanging addresses can be used here.

  • shared_key: This is a shared password for all nodes that secures the communication. It must be the same on all nodes and of course it should be a strong password.

  • ifup: ifconfig $IFNAME 10.0.0.X/24 mtu 1400 where X is different for every node. It is good idea to use incrementing numbers here and to track the assigned numbers and nodes in a list.

This leads to the following configuration files:


  - node3.example.com
shared_key: "mysupersecretkey"
ifup: "ifconfig $IFNAME mtu 1400"


  - node1.example.com
  - node3.example.com
shared_key: "mysupersecretkey"
ifup: "ifconfig $IFNAME mtu 1400"


  - node1.example.com
shared_key: "mysupersecretkey"
ifup: "ifconfig $IFNAME mtu 1400"

After the config file has been set up correctly, VpnCloud needs to be started:

$> sudo service vpncloud@mynet start

If you want to, you can associate names with the nodes. Please note that this procedure has to be done on all nodes.

Testing the network

When everything has been setup properly, the connection can be checked using the ping command:

$node1> ping
$node2> ping
$node3> ping

Advanced settings

  • crypto: This setting defines the used encryption method. Options are chacha20 (the default) and aes256. Both are pretty secure but aes256 is only supported on newer CPUs (check support with vpncloud -V). If all nodes support aes256 the method can be changed and might bring some speed improvements.
  • magic: This setting can be changed to hide the protocol header and make VpnCloud undetectable. This setting must be the same on all nodes.