Three single nodes should be connected via a secure VPN.
node3 have fixed addresses but
node2 has a dynamic address that changes regularly.
To be able to set up the VPN, at least one node needs to have a be reachable by an unchanging address of hostname. This is normally not the case with common DSL uplinks (they change addresses every day). Please see Dynamic DNS for a solution.
The actual VpnCloud setup is pretty simple.
A new network config in
/etc/vpncloud has to be created on each node. There is an example file in
/etc/vpncloud/example.net.disabled that explains all the parameters.
$> sudo cp /etc/vpncloud/example.net.disabled /etc/vpncloud/mynet.net
Now that file has to edited to change a few values:
$> sudo nano /etc/vpncloud/mynet.net
The following values have to be modified:
peers: This is a list of all peers that this node should connect to. Only unchanging addresses can be used here.
shared_key: This is a shared password for all nodes that secures the communication. It must be the same on all nodes and of course it should be a strong password.
ifconfig $IFNAME 10.0.0.X/24 mtu 1400where
Xis different for every node. It is good idea to use incrementing numbers here and to track the assigned numbers and nodes in a list.
This leads to the following configuration files:
peers: - node3.example.com shared_key: "mysupersecretkey" ifup: "ifconfig $IFNAME 10.0.0.1/24 mtu 1400"
peers: - node1.example.com - node3.example.com shared_key: "mysupersecretkey" ifup: "ifconfig $IFNAME 10.0.0.2/24 mtu 1400"
peers: - node1.example.com shared_key: "mysupersecretkey" ifup: "ifconfig $IFNAME 10.0.0.3/24 mtu 1400"
After the config file has been set up correctly, VpnCloud needs to be started:
$> sudo service vpncloud@mynet start
If you want to, you can associate names with the nodes. Please note that this procedure has to be done on all nodes.
Testing the network
When everything has been setup properly, the connection can be checked using the
$node1> ping 10.0.0.2 $node2> ping 10.0.0.3 $node3> ping 10.0.0.1
- crypto: This setting defines the used encryption method. Options are
chacha20(the default) and
aes256. Both are pretty secure but
aes256is only supported on newer CPUs (check support with
vpncloud -V). If all nodes support
aes256the method can be changed and might bring some speed improvements.
- magic: This setting can be changed to hide the protocol header and make VpnCloud undetectable. This setting must be the same on all nodes.