Peer-to-peer VPN

Connect multiple nodes

This tutorial will demonstrate how VpnCloud can be used to connect multiple nodes, so that each node can reach all other nodes even when one or both nodes are behind a NAT gateway.

You can use this setup if you have multiple computers where some of them are behind NAT gateways and some have dynamic IP addresses and you want those computers to be able to communicate nonetheless.

You can also use this setup if you have a set of servers at different locations (e.g. different hosting providers) and you want to create a secure overlay network spanning those different network locations in order to connect those servers.

Initial peer addresses

Whenever a node starts up, it needs to find out the addresses of the other nodes. VpnCloud uses a peer exchange: nodes tell each other the addresses of all the other nodes they know. That means that a node only needs to know the address of a single other node in order to join the VPN network (however, the more peers it knows at startup, the better). There are several ways to achieve this:

Static node addresses

The easiest way is a node with a well-known static address that is not behind a NAT router. This is often the case for a server running at a hosting provider, but it is very rare with consumer Internet providers.

Dynamic DNS

Another option is to register a dynamic DNS name for your node (most DSL routers support this) and to make sure that the VpnCloud software is reachable, e.g. by configuring a static port forwarding in your DSL router. Of course, this node can only be used as an entry point to the network while it is online. If you do not have a computer on the network that is online 24/7, you can register DNS names and set up port forwardings for all of your nodes, so that any of them can be contacted.

To use DynDNS, you need to find a DynDNS provider (there are free ones), register an account with it and set up a dynamic DNS name. Finally, your router needs to be configured to update the DNS entry each time the dynamic IP changes. Most consumer routers support this feature, and the bigger DynDNS providers have good documentation on how to set it up on the most popular routers.

Beacons

The final option that VpnCloud offers is the beacon feature. It allows your nodes to exchange their addresses via public storage locations like Dropbox, GitHub Gists or even Twitter. This option is not as reliable as the others, since the published address information can be outdated. This tutorial does not cover it; please read the article about beacons for more information.

Configuration options

Since this tutorial aims for simplicity, it will mostly work with the defaults for configuration options. The following minimal options are necessary.

You need a common IP range for all of your nodes. The most important thing about this IP range is that it must be free, i.e. unused outside of the VPN on every node; otherwise traffic for those addresses ends up in the wrong network. The most common choices are the private IP ranges 10.X.Y.Z and 192.168.X.Y. However, NAT gateways and virtualization software commonly use parts of 192.168.X.Y, so an arbitrary part of 10.X.Y.Z like 10.67.89.X (i.e. 10.67.89.0/24) is usually the better choice.

Your network needs a common password. This password should obviously be strong, as it is the key to your VPN: anyone who knows it can join the network. You can use any string as the password. If you want to create a random password, you can call vpncloud --genkey (this actually creates key pairs, but the keys also make good passwords as they are random). There is also an advanced encryption mode that uses key pairs and trusted keys instead of a common password, but this tutorial keeps it simple.

Setting up VpnCloud on the nodes

Create a network config file in /etc/vpncloud and give it a name for your network.

$> sudo nano /etc/vpncloud/mynet.net

and put the following content in it (see /etc/vpncloud/example.net.disabled for all options):

ip: 10.67.89.1
crypto:
  password: mysecretpassword
peers:
  - mynode.dyndns.provider.com
  - 12.34.56.78

Replace the example data with your own: ip: is this node's address inside the VPN range (use a different one on every node), password: is the shared network password, and peers: lists the DNS names or IP addresses of nodes that should be contacted at startup.

Note that the file is YAML: password: and the entries of the peers: list are indented by two spaces. Since the file contains the password in plain text, make it readable by root only (chmod 600 /etc/vpncloud/mynet.net).

Next, you need to start the VpnCloud network and enable it to automatically start:

$> sudo service vpncloud@mynet start
$> sudo systemctl enable vpncloud@mynet

The mynet in those commands needs to be the same as the filename in /etc/vpncloud (minus the .net extension).
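As an added example (not part of the tutorial or of VpnCloud itself), the following POSIX shell script carries out the configuration steps above in one go: it generates a random password from the kernel CSPRNG, writes a network file in the exact layout shown above with root-only permissions, and checks the result. The function names gen_password, write_netfile and check_netfile are this example's own; the file path, the VPN address and the peer addresses are the tutorial's example values.

```shell
#!/bin/sh
# Added example, not code from the VpnCloud project or tutorial.
set -eu

# Generate a random password: 32 bytes from /dev/urandom, base64 encoded
# (44 characters), i.e. far more entropy than a typed passphrase.
gen_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write a network file. Arguments: file path, VPN IP of this node, the
# shared password, then one or more initial peers (DNS names or IPs).
# The file holds the shared secret in plain text, so it is created with
# owner-only permissions before any content is written into it.
write_netfile() {
    file=$1; ip=$2; password=$3; shift 3
    ( umask 077 && : > "$file" )   # create empty with mode 0600
    chmod 600 "$file"               # enforce it even if the file existed
    {
        printf 'ip: %s\n' "$ip"
        printf 'crypto:\n'
        printf '  password: %s\n' "$password"   # two-space YAML indent
        printf 'peers:\n'
        for peer in "$@"; do
            printf '  - %s\n' "$peer"
        done
    } > "$file"
}

# Sanity check: all required keys are present, password and peers are
# indented under their parents, and only the owner can read the file.
check_netfile() {
    file=$1
    grep -q '^ip: .' "$file" || return 1
    grep -q '^crypto:$' "$file" || return 1
    grep -q '^  password: .' "$file" || return 1
    grep -q '^peers:$' "$file" || return 1
    grep -q '^  - .' "$file" || return 1
    [ "$(ls -l "$file" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Example run (needs root for /etc/vpncloud): sh mkconfig.sh install
# The name mkconfig.sh is an assumption; use whatever you saved it as.
if [ "${1:-}" = "install" ]; then
    pw=$(gen_password)
    write_netfile /etc/vpncloud/mynet.net 10.67.89.1 "$pw" \
        mynode.dyndns.provider.com 12.34.56.78
    check_netfile /etc/vpncloud/mynet.net && echo "wrote /etc/vpncloud/mynet.net"
fi
```

Generate the password once and copy the same value into the network file of every node (with its own ip:); running gen_password separately on each node would give every node a different password and they would never connect.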

Using the VPN

Once all nodes have been configured and started as described you can use your VPN. You should be able to ping other nodes by their IP:

$> ping 10.67.89.1

and connect to them via SSH (assuming an SSH server is installed and enabled at the destination):

$> ssh 10.67.89.1

Depending on the software installed on the destination, you should be able to do the following:

Naming hosts

Tired of remembering which peer is 10.67.89.1 and which one is 10.67.89.2? You can give them names.

Just edit /etc/hosts

$> sudo nano /etc/hosts

and add lines for all peers like this:

10.67.89.1 mynode1.mynet
10.67.89.2 mynode2.mynet

Leave the other entries in that file (e.g. the localhost lines) untouched; they are important.
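As an added example (not from the tutorial), here is a small POSIX shell helper that adds or updates one peer entry without touching any other line of the hosts file, so re-running it after a peer changes its VPN address updates the entry instead of leaving two conflicting ones. The file path is a parameter so it can be tried on a copy; on a real system it is /etc/hosts. The function names set_host_entry and lookup_host_entry are this example's own.

```shell
#!/bin/sh
# Added example, not code from the VpnCloud project or tutorial.
set -eu

# Usage: set_host_entry FILE IP NAME
# Drops any existing non-comment line in which NAME appears as a hostname
# or alias, keeps every other line exactly as it is, then appends the new
# entry. Writing through cat keeps the file's owner and mode.
set_host_entry() {
    file=$1; ip=$2; name=$3
    tmp=$(mktemp)
    awk -v n="$name" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) next }
        { print }' "$file" > "$tmp"
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Usage: lookup_host_entry FILE NAME
# Prints the IP recorded for NAME; exits non-zero if there is none.
lookup_host_entry() {
    file=$1; name=$2
    awk -v n="$name" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; found = 1 } }
        END { exit found ? 0 : 1 }' "$file"
}

# Example run (needs root for /etc/hosts): sh hosts.sh install
# The name hosts.sh is an assumption; use whatever you saved it as.
if [ "${1:-}" = "install" ]; then
    set_host_entry /etc/hosts 10.67.89.1 mynode1.mynet
    set_host_entry /etc/hosts 10.67.89.2 mynode2.mynet
    lookup_host_entry /etc/hosts mynode2.mynet
fi
```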

Debugging problems with the VPN

Here are some commands and things to check in order to debug your setup.

  1. This will tell you whether VpnCloud is running and will show the most recent log entries, which might contain an error message:

    $> service vpncloud@mynet status

  2. Check the log file at /var/log/vpncloud.mynet.log. If you see repeated errors or warnings, this might be the reason for your problems. This file also contains a history of peers coming and going.

  3. Ping peers to see if you have a working connection to them:

    $> ping 10.67.89.1

  4. Look at the VpnCloud statistics at /var/log/vpncloud.mynet.stats.