Note: This page refers to VpnCloud version 1.x and has not yet been adapted to version 2.x.
Two single nodes should be connected via a secure VPN to a third node and its private network. The private network uses addresses in the range
192.168.1.0/24 and the subnet
192.168.254.0/24 is currently unused.
To be able to set up the VPN, the gateway node needs to have a be reachable by an unchanging address of hostname. This is normally not the case with common DSL uplinks (they change addresses every day). Please see Dynamic DNS for a solution.
A new network config in
/etc/vpncloud has to be created on each node.
There is an example file in
/etc/vpncloud/example.net.disabled that explains all the parameters.
$> sudo cp /etc/vpncloud/example.net.disabled /etc/vpncloud/mynet.net
Now that file has to edited to change a few values:
$> sudo nano /etc/vpncloud/mynet.net
The following values have to be modified:
peers: This is a list of all peers that this node should connect to. Only unchanging addresses can be used here. The gateway should be listed here for all nodes.
shared_key: This is a shared password for all nodes that secures the communication. It must be the same on all nodes and of course it should be a strong password.
device_type: We need to set this to
tunin our scenario.
subnets: The subnets claimed by this node.
ifup: This is the startup command for configuring the interface.
Here are the full configuration files for the nodes:
peers: - gateway.example.com device_type: tun shared_key: "mysupersecretkey" subnets: - 192.168.254.1/32 ifup: "ifconfig $IFNAME 192.168.254.1/16 mtu 1400; route add 192.168.1.0/24 via $IFNAME"
peers: - gateway.example.com device_type: tun shared_key: "mysupersecretkey" subnets: - 192.168.254.2/32 ifup: "ifconfig $IFNAME 192.168.254.2/16 mtu 1400; route add 192.168.1.0/24 via $IFNAME"
peers:  device_type: tun shared_key: "mysupersecretkey" subnets: - 192.168.254.0/24 ifup: "ifconfig $IFNAME 192.168.254.254/24 mtu 1400; sysctl -w net.ipv4.ip_forward=1"
Setting up routing
With this configuration, all packets from the clients reach the private network via the gateway but all the nodes in the private network need to know that packets to the clients need to be sent via the gateway.
This can either be done by adding a route to each nodes in the network:
$> route add 192.168.254.0/24 via 192.168.1.20
Alternatively a single such route can be added to the router (e.g. Fritz!Box) in the private network.
After the config file has been set up correctly, VpnCloud needs to be started:
$> sudo service vpncloud@mynet start
If you want to, you can associate names with the nodes. Please note that this procedure has to be done on all nodes.
Testing the network
When everything has been setup properly, the connection can be checked using the
$node1> ping 192.168.254.254 #check connection to gateway $node1> ping 192.168.1.20 #check private network $node1> ping 192.168.1.1 #check connection to node on private network
- crypto: This setting defines the used encryption method. Options are
chacha20(the default) and
aes256. Both are pretty secure but
aes256is only supported on newer CPUs (check support with
vpncloud -V). If all nodes support
aes256the method can be changed and might bring some speed improvements.
- magic: This setting can be changed to hide the protocol header and make VpnCloud undetectable. This setting must be the same on all nodes.