Connect multiple nodes
This tutorial will demonstrate how VpnCloud can be used to connect multiple nodes, so that each node can reach all other nodes even when one or both nodes are behind a NAT gateway.
You can use this setup if you have multiple computers where some of them are behind NAT gateways and some have dynamic IP addresses and you want those computers to be able to communicate nonetheless.
You can also use this setup if you have a set of servers at different locations (e.g. different hosting providers) and you want to create a secure overlay network spanning those different network locations in order to connect those servers.
Initial peer addresses
Whenever a node starts up, it needs to find out the addresses of the other nodes. VpnCloud uses a peer exchange, so that nodes tell each other the addresses of the other nodes. That means that a node only needs to know the address of a single other node in oder to join the VPN network (however, the more known peer on startup, the better). There are several ways to achieve this:
Static node addresses
The easiest way, is a node with a well-known static address that is not behind a NAT router. This is often the case when you have a server running at a hosting provider but is very rare for consumer Internet providers.
Another option, is to register a dynamic DNS name for your node (most DSL routers support this) and make sure, that the VpnCloud software is reachable (e.g. by registering a static port forwarding in your DSL router). Of course, this node can only be used as an entry point to the network if it is online. If you do not have a computer on the network, that is online 24/7, you can register DNS names and setup port forwardings for all of your nodes, so that all of them can be contacted.
To use DynDNS, you need to find a DynDNS provider (there are free ones), register an account with it and setup a dynamic DNS name. Finally, your router needs to be configured to update the DNS entry each time the dynamic IP changes. Most consumer routers support this feature and the bigger DynDNS providers have good documentation on how to setup the most popular routers.
The final option that VpnCloud offers, is the beacon feature. This feature allows your nodes to exchange their addresses via public storage locations like Dropbox, Github Gists or even Twitter. This option is not as reliable as the other options as the address information can be outdated. This tutorial does not cover this option, please read the article about it for more information.
Since this tutorial aims for simplicity, it will mostly work with the defaults for configuration options. The following minimal options are necessary.
You need a common IP range for all of your nodes. The most important thing about this IP range, is that it should be free, i.e. unused outside of the VPN. The most common choices for this IP range are the private IP ranges
192.168.X.Y. However, NAT gateways and virtualization software commonly use parts of
192.168.X.Y so that an arbitrary part of
10.67.89.X might be the best choice.
Your network needs a common password. This password should obviously be secure as it is the key to your VPN. You can use any string as password. If you want to create a random password, you can call
vpncloud --genkey (this actually creates key pairs but the keys also make good passwords as they are random). There is also an advanced encryption mode, that uses key pairs and trusted keys instead of a common password, but this tutorials keeps it simple.
Setting up VpnCloud on the nodes
Create a new network config with the interactive wizard using the following command:
$> sudo vpncloud config
The wizard will ask some basic questions that you have to answer:
- First you have to select the option
New networkin order to create a new network.
- Next, give your network a name. Use a simple name with lower case letters and without spaces.
Simple (minimal options)as configuration mode.
Peer addressesenter a list of the public addresses of all peers with static addresses or DynDNS names here. You can add IP addresses as well as DynDNS hostnames. Put commas
,between different addresses.
- Enter and confirm a secure password.
Virtual IP addressenter an IP from your chosen IP range. Make sure that each node gets is own unique address, e.g. by counting up the number in the last place (
- If all is correct, finish ans save the configuration.
Next, you need to start the VpnCloud network and enable it to automatically start:
$> sudo service vpncloud@mynet start $> sudo systemctl enable vpncloud@mynet
mynet in those commands needs to be the same as the network name you chose in the first step.
Here is an example:
Using the VPN
Once all nodes have been configured and started as described you can use your VPN. You should be able to ping other nodes by their IP:
$> ping 10.67.89.1
and connect to them via SSH (assuming an SSH server is installed and enabled at the destination):
$> ssh 10.67.89.1
Depending on the software installed on the destination, you should be able to do the following:
- Start graphical applications using
- Access your files on the remote computer by entering
sftp://10.67.89.1as location in your file manager (most of them support
- Access other computers on that network by using the peer as a jump host, i.e. log on to your peer and there run another
sshto connect to the other computer.
- Access services on the remote network via SSH port forwarding, e.g.
ssh -L 80:fritz.box:80 10.67.89.1
Tired of remembering which peer is
10.67.89.1 and which one is
10.67.89.2? You can give them names.
$> sudo nano /etc/hosts
and add lines for all peers like this:
10.67.89.1 mynode1.mynet 10.67.89.2 mynode2.mynet
Make sure to not mess up the other entries in that file, they are important.
Debugging problems with the VPN
Here are some commands and things to check in order to debug your setup.
This will tell you whether VpnCloud is running and will show some log entries that might contain an error message:
$> service vpncloud@mynet status
Check the log file at
/var/log/vpncloud.mynet.log. If you see repeated errors or warnings this might be the reason for your problems. Also this file will contain a history of peers coming and going.
Check your interface configuration to see if the
vpncloudNinterface exists and has a correct address and prefix configuration (e.g.
inet addr 10.67.89.1/24):
$> ip addr show
Check your routing table to check that your chosen private address region (e.g.
10.67.89.0/24) is routed via your vpncloud device (
$> ip route show
Ping peers to see if you have a working connection to them:
$> ping 10.67.89.1
Look at the VpnCloud statistics at
peers:list will contain all current connections.
forwarding_table:will contain all known VPN addresses and to which node they belong.
payload_traffic:you can see how much traffic is flowing to the peers and the addresses within the VPN.
- The values under
dropped_payload_trafficmight indicate problems, however even nodes that work normally can have some packets listed here.