
[[Category:How to]]
[[Category:Node Configuration]]
{{Infobox PTTLink
| image = Cyber-security-4072712 1920.jpg
| caption = VPN Security
| category = How to
}}
{{ Note|'''This document is a work in progress and is still being updated by the author.''' }}
<div style="float:right">__TOC__</div>
= VPN =
The following contains information on how to set up a Virtual Private Network (VPN) connection using various popular software packages and hardware devices.
== IPSEC ==
Information on how to set up IPSEC tunnels.
=== strongSwan to strongSwan ===
Use the following config for a strongSwan<ref>strongSwan Official Site []</ref> to strongSwan connection.  Make sure the left and right IP addresses are updated to match each system.  You can use the same ipsec.secrets file on both systems without changing the IP address order, although I recommend listing the local IP on the left and the remote on the right, as shown below.

ipsec.conf:
<syntaxhighlight lang="text">
conn <name>
        auto=route        # can also be start
        left=<your local IP>
        right=<remote IP of the other strongSwan system>
        dpdaction=clear   # can also be restart
</syntaxhighlight>
ipsec.secrets:
<syntaxhighlight lang="text">
<your local IP> <remote IP of the other strongSwan system> : PSK "<Put your preshared key here>"
</syntaxhighlight>
=== strongSwan to MikroTik ===
Use the following configurations to connect a system running strongSwan to a MikroTik<ref>MikroTik Official Site []</ref> device using IPSEC.
==== strongSwan config ====
The following configuration will work on FreeBSD or Linux systems with strongSwan installed.
''Note:  You can use this config to connect two non-MikroTik systems as well.  Just replicate the config below for each system you wish to connect.''
==== MikroTik Config ====
{{go to top}}
The following config is best done from the terminal on a MikroTik device.
== PPTP ==
{{go to top}}
==Persistent SSH Tunnels==
The following describes how to create a persistent SSH tunnel between two systems.  This is handy when you want to secure data flowing across networks, or to set up a tunnel without dealing with VPN configuration.
===Create User/Generate SSH key===
First, create the user that will run the tunnel.  This user will be able to forward non-privileged ports (above 1024).
''Note:  This user has no password assigned and no login shell, which prevents interactive logins to the system.''
 useradd -m -s /bin/false autossh
Now switch to the user and generate an SSH key:
 su -s /bin/bash autossh
 cd ~
 ssh-keygen -b 4096
''Note:  Leave the passphrase blank.''
Once done, exit back to your normal user shell.
===Copy public key to target system===
You will need to append the public key file from '''''/home/autossh/.ssh/''''' to the '''''authorized_keys''''' file on the remote system you want to connect to for the tunnel.
''Note:  It is recommended that you also create a normal user on the remote system and not use root.''
===Install autossh===
You will need to install the autossh program on the system that will initiate the SSH tunnel.  autossh automatically restarts the SSH tunnel when it exits.
 apt-get install autossh
===Setup script===
Copy the following script, making the necessary changes as specified between the <>, and place it on the system that will initiate the tunnel (here we will save it as /opt/
<syntaxhighlight lang="bash">
#!/bin/sh
# Run autossh as the unprivileged autossh user; -R reverse-forwards <target port> on the
# remote system to <local port> here, and autossh restarts ssh whenever it exits.
su -s /bin/sh autossh -c 'autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure=yes" -f -T -R localhost:<target port>:<local IP or localhost>:<local port> <user>@<domain>'
</syntaxhighlight>
{| class="wikitable"
! Parameter !! Description
|-
| localhost || localhost or IP address on the target system
|-
| <target port> || port on the target system
|-
| <local IP or localhost> || localhost or IP address on the system initiating the tunnel
|-
| <local port> || port on the system initiating the tunnel
|-
| <user>@<domain> || username and domain to use when SSHing to the target system
|}
An example of this command is:
<syntaxhighlight lang="bash">
su -s /bin/sh autossh -c 'autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure=yes" -f -T -R localhost:3306:localhost:3306 <user>@<domain>'
</syntaxhighlight>
This would allow the target (remote) system to reach the MySQL server on the local system (the one initiating the SSH tunnel) over the tunnel.
You can also use -L instead of -R to reverse the direction of the port forwarding, so that the initiating system forwards data over the tunnel to the remote system.
===Make script executable===
Make sure you mark the script as executable with:
 chmod +x /opt/
===Tunnel at startup===
To have the tunnel come up when the system restarts, choose one of the following methods.
=====rc.local=====
Add a line to /etc/rc.local that calls the script:
 # Start AutoSSH tunnel at boot
 /opt/<tunnel script>
''Note:  You may have to enable rc.local on Ubuntu and Debian based systems via systemd.  Refer to your distribution's documentation for information on how to enable it.''
=====systemd=====
To have the script start at boot with systemd, create the following file as /etc/systemd/system/ssh-tunnel.service:
 [Unit]
 Description=AutoSSH Tunnel at boot
 After=network-online.target
 Wants=network-online.target
 
 [Service]
 # the script backgrounds autossh with -f, so systemd tracks the forked process
 Type=forking
 ExecStart=/opt/<tunnel script>
 
 [Install]
 WantedBy=multi-user.target
=====Enable service=====
To enable the service to run via systemd run:
 systemctl enable ssh-tunnel.service
== GRE Tunnel ==
{{go to top}}
===Public/Private VM tunnel===
GRE tunnels are useful for connecting a VM in a private/home network to the Internet via a public server/VM.  The following steps connect Server A (the public server) to Server B (the private server) so that Server B's services are reachable on the Internet through Server A's public address.
'''IP addresses'''
* Server A will have a public IP of and the GRE interface will be assigned
* Server B will have a private IP of, a public IP of and the GRE interface will be assigned
* Ports 22, 80 and 443 will be forwarded over the GRE tunnel
=====Server A (Public)=====
Copy the following to /etc/
<syntaxhighlight lang="bash">
# GRE tunnel to Server B (local = Server A's public IP, remote = Server B's public IP)
ip tunnel add gre1 mode gre local remote ttl 255
ip addr add dev gre1
ip link set gre1 up
# source-NAT Server B's traffic as it leaves via the public interface
iptables -t nat -A POSTROUTING -s ! -o gre+ -j SNAT --to-source
# allow forwarded traffic in both directions across the tunnel
iptables -A FORWARD -d -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# forward inbound 22, 80 and 443 on the public address to Server B over the tunnel
iptables -t nat -A PREROUTING -d -p tcp -m tcp --dport 22 -j DNAT --to-destination
iptables -t nat -A PREROUTING -d -p tcp -m tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A PREROUTING -d -p tcp -m tcp --dport 443 -j DNAT --to-destination
</syntaxhighlight>
''Note:  Because port 22 is forwarded, SSH to Server A's public address now lands on Server B; keep a separate port or the tunnel address for managing Server A itself.''
=====Server B (Private)=====
* Add the following to /etc/iproute2/rt_tables<syntaxhighlight lang="text">
100 GRE</syntaxhighlight>
* Copy the following to /etc/
<syntaxhighlight lang="bash">
# GRE tunnel back to Server A (local = Server B's address, remote = Server A's public IP)
ip tunnel add gre1 mode gre local remote ttl 255
ip addr add dev gre1
ip link set gre1 up
# policy routing: traffic sourced from the tunnel address is routed back through the GRE table
ip rule add from table GRE
ip route add default via table GRE
</syntaxhighlight>
==L2TP Ethernet Pseudowires==
{{go to top}}
The following configuration will set up L2TPv3 between two Cisco routers, R1 and R2.
====R1 - Router Config====
 pseudowire-class test
  encapsulation l2tpv3
  ip local interface Loopback0
  ip pmtu
  ip tos value 10
 interface Loopback0
  ip address
 interface FastEthernet0/0.1
  encapsulation dot1Q 5
  xconnect 1 encapsulation l2tpv3 pw-class test
 interface FastEthernet0/0.2
  encapsulation dot1Q 2
  xconnect 2 encapsulation l2tpv3 pw-class test
====R2 - Router Config====
 pseudowire-class test
  encapsulation l2tpv3
  ip local interface Loopback0
  ip pmtu
  ip tos value 10
 interface Loopback0
  ip address
 interface FastEthernet0/1.1
  encapsulation dot1Q 5
  xconnect 1 encapsulation l2tpv3 pw-class test
 interface FastEthernet0/1.2
  encapsulation dot1Q 2
  xconnect 2 encapsulation l2tpv3 pw-class test
The following creates an L2TP Ethernet pseudowire connection using the Linux kernel's L2TP drivers along with the ip utility.
''Note:  This setup does not have any security.  You will need to route it over IPSEC to create a secure connection.''
In this example we use separate systems to establish the tunnels across the Gateway (which represents the Internet).
{| class="wikitable" style="text-align: center; width: 35%"
|+ L2TP Tunnel Topology
! System
! Network
|-
| Gateway
| eth1:; eth2:
|-
| Tunnel1
| eth1/l2tpeth0 (bridged); eth1: No IP configured; eth2:
|-
| Tunnel2
| eth1/l2tpeth0 (bridged); eth1: No IP configured; eth2:
|}
*Enable IP forwarding on the Gateway, '''Tunnel1''' and '''Tunnel2''' systems by running this command on each:
  # echo 1 > /proc/sys/net/ipv4/ip_forward
*Establish L3 connectivity between the '''Tunnel1''' and '''Tunnel2''' systems:
On '''Tunnel1''' run:
  # ip route add via
On '''Tunnel2''' run:
  # ip route add via
Check to make sure both sides can ping each other:
  tunnel1:~# ping -c1
  PING ( 56(84) bytes of data.
  64 bytes from icmp_req=1 ttl=63 time=1.03 ms
  tunnel2:~# ping -c1
  PING ( 56(84) bytes of data.
  64 bytes from icmp_req=1 ttl=63 time=1.20 ms
*Load the L2TPv3 Ethernet pseudowire module on the '''Tunnel1''' and '''Tunnel2''' systems:
  # modprobe l2tp_eth
*Configure the l2tp interface on '''Tunnel1''':
  # ip l2tp add tunnel tunnel_id 1000 peer_tunnel_id 2000 encap udp local remote udp_sport 6000 udp_dport 5000
  # ip l2tp add session tunnel_id 1000 session_id 3000 peer_session_id 4000
*Check the configuration of the tunnel on the '''Tunnel1''' system:
  # ip l2tp show tunnel
  Tunnel 1000, encap UDP
    From to
    Peer tunnel 2000
    UDP source / dest ports: 6000/5000
    UDP checksum: disabled
  # ip l2tp show session
  Session 3000 in tunnel 1000
    Peer session 4000, tunnel 2000
    interface name: l2tpeth0
    offset 0, peer offset 0
*Configure the l2tp interface on '''Tunnel2''':
  # ip l2tp add tunnel tunnel_id 2000 peer_tunnel_id 1000 encap udp local remote udp_sport 5000 udp_dport 6000
  # ip l2tp add session tunnel_id 2000 session_id 4000 peer_session_id 3000
*Check the configuration of the tunnel on the '''Tunnel2''' system:
  # ip l2tp show tunnel
  Tunnel 2000, encap UDP
    From to
    Peer tunnel 1000
    UDP source / dest ports: 5000/6000
    UDP checksum: disabled
  # ip l2tp show session
  Session 4000 in tunnel 2000
    Peer session 3000, tunnel 1000
    interface name: l2tpeth0
    offset 0, peer offset 0
*Check the MTU of the newly created interface:
  # ip a s dev l2tpeth0
  l2tpeth0: <BROADCAST,MULTICAST> mtu 1488 qdisc noop state DOWN qlen 1000
      link/ether 1a:8f:6e:04:3f:a3 brd ff:ff:ff:ff:ff:ff
*Adjust the MTU and enforce the MSS on eth1 on both the '''Tunnel1''' and '''Tunnel2''' systems to prevent fragmentation, which can cause issues:
  # ip link set eth1 mtu 1446
  # iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1406:1536 -j TCPMSS --set-mss 1406
*Install bridge-utils on the '''Tunnel1''' and '''Tunnel2''' systems:
  # apt-get install bridge-utils
*Bridge the L2TP interface to eth1 on both the '''Tunnel1''' and '''Tunnel2''' systems so that it can communicate over the network:
  # brctl addbr l2tp
  # brctl addif l2tp eth1 l2tpeth0
*Check the bridge configuration on the '''Tunnel1''' and '''Tunnel2''' systems:
  # brctl show
  bridge name         bridge id     STP enabled     interfaces
  l2tp         8000.1a8f6e043fa3  no             eth1 l2tpeth0
*Bring up the new l2tpeth0 interface and the bridge on the '''Tunnel1''' and '''Tunnel2''' systems so that they can be used:
  # ip l set dev l2tpeth0 up
  # ip l set dev l2tp up
Assuming you've done everything correctly, you should now be able to use the '''Tunnel1''' and '''Tunnel2''' systems to send traffic over the same subnet on each side.
*Using the setup above, assume you have two additional systems:
**Computer1 is connected to Tunnel1.  No gateway set (not needed for an L2 link).
**Computer1 has eth1 configured with
**Computer2 is connected to Tunnel2.  No gateway set (not needed for an L2 link).
**Computer2 has eth1 configured with
*Do a ping test to make sure Computer1 can talk to Computer2 through the l2tp link:
  # ping -c5
  64 bytes from icmp_req=1 ttl=64 time=3.85 ms
  64 bytes from icmp_req=2 ttl=64 time=1.93 ms
  64 bytes from icmp_req=3 ttl=64 time=1.91 ms
  64 bytes from icmp_req=4 ttl=64 time=1.87 ms
  64 bytes from icmp_req=5 ttl=64 time=1.89 ms
*Successful output means that Computer1 can talk to Computer2 over the l2tp link, since you have created an L2 link between the systems.  Both computers act as if they are on the same local network segment, unaware of the L2TP connection over the Gateway via the Tunnels.
The path that data will travel is:
  Computer1 -> Tunnel1 -> Gateway -> Tunnel2 -> Computer2
  Computer1 <- Tunnel1 <- Gateway <- Tunnel2 <- Computer2
===Between Cisco and Linux===
{{go to top}}
You can use L2TPv3 between Cisco and Linux using the following script from Leif Sawyer.
*Script repository:
*Direct download link:
This script will bring up the Linux side of the connection and generate the Cisco side config.
*Edit the variables '''TUNNEL_ID''', '''SESSION_ID''', '''LOCAL''', and '''REMOTE''' to values that are suitable for your environment.
*Start the tunnel with ''' start'''
*Stop the tunnel with ''' stop'''
*Restart the tunnel with ''' restart'''
*Generate Cisco config with ''' config'''
<syntaxhighlight lang="bash">
#!/bin/sh
# (c) 2020 Leif Sawyer
# License: GPL 3.0 (see
# Permanent home:
# Direct download:
# using l2tpV3 between linux and cisco is sometimes weird.
# this script is how I get the linux side up.
# This will also auto-generate the cisco-side config.

# Edit these for your environment; the Cisco side must use the mirrored values.
TUNNEL_ID="<local tunnel id>"
REMOTE_TUNNEL_ID="<tunnel id configured on the Cisco side>"
SESSION_ID="<local session id>"
REMOTE_SESSION_ID="<session id configured on the Cisco side>"
LOCAL="<local IP address>"
REMOTE="<remote (Cisco) IP address>"

# iproute2 must support "ip l2tp". The check compares the old date-stamped
# "iproute2-ssYYMMDD" version string; newer releases print a plain version
# number instead, which this comparison simply lets through.
IPV=$(ip -V | sed 's/.*-ss//')
if [ "${IPV:-0}" -lt 130716 ] 2>/dev/null
then
  echo "Please install a newer version of iproute2 ( 3.10 or (>= 2013-07-16))"
  echo "  from"
  exit 1
fi

modules() {
  for module in l2tp_core l2tp_netlink l2tp_eth l2tp_ip
  do
    modprobe $module
  done
}

tunnel_up() {
  modules
  ip l2tp add tunnel remote ${REMOTE} local ${LOCAL} tunnel_id $TUNNEL_ID peer_tunnel_id $REMOTE_TUNNEL_ID encap ip
  ip l2tp add session tunnel_id $TUNNEL_ID session_id $SESSION_ID peer_session_id $REMOTE_SESSION_ID l2spec_type none
  ip link set l2tpeth0 up mtu 1488
  # clamp TCP MSS to fit the 1488-byte tunnel MTU (1488 minus 40 bytes of IP/TCP headers)
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1448:1536 -j TCPMSS --set-mss 1448
}

tunnel_down() {
  iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1448:1536 -j TCPMSS --set-mss 1448
  ip link set l2tpeth0 down
  ip l2tp del session tunnel_id $TUNNEL_ID session_id $SESSION_ID
  ip l2tp del tunnel tunnel_id $TUNNEL_ID
}

cisco_config() {
  cat <<EOF
! Global config
pseudowire-class Linux-L2TP
 encapsulation l2tpv3
 interworking ethernet
 protocol none
 ip local interface $REMOTE
 ip pmtu
 ip tos value 41
 ip ttl 100
! Interface config
interface \$L2interface
 xconnect $LOCAL $REMOTE_TUNNEL_ID encapsulation l2tpv3 manual pw-class Linux-L2TP
EOF
}

case $1 in
  start|up) tunnel_up ;;
  stop|down) tunnel_down ;;
  restart|reload) tunnel_down; tunnel_up ;;
  config|cisco|cisco-config) cisco_config ;;
  *) echo "$0  (start|up || stop|down || restart|reload || config|cisco|cisco-config)" ;;
esac
</syntaxhighlight>
== OpenVPN ==
{{go to top}}
Information on OpenVPN is available from the official site.<ref>OpenVPN Official Site []</ref>
=== Road Warrior Install ===
     wget -O && bash
*You can run it again to add/remove users or completely uninstall OpenVPN
*Example install using the defaults (installed on Ubuntu 20.04.2 LTS VM):
  Welcome to this OpenVPN road warrior installer!
  Which protocol should OpenVPN use?
      1) UDP (recommended)
      2) TCP
  Protocol [1]:
  What port should OpenVPN listen to?
  Port [1194]:
  Select a DNS server for the clients:
      1) Current system resolvers
      2) Google
      4) OpenDNS
      5) Quad9
      6) AdGuard
  DNS server [1]:
  Enter a name for the first client:
  Name [client]:
  OpenVPN installation is ready to begin.
  Press any key to continue...
  Get:1 focal-security InRelease [114 kB]
  Hit:2 focal InRelease
  Get:3 focal-updates InRelease [114 kB]
  Get:4 focal-backports InRelease [101 kB]
  Fetched 328 kB in 1s (488 kB/s) 
  Reading package lists... Done
  Reading package lists... Done
  Building dependency tree     
  Reading state information... Done
  ca-certificates is already the newest version (20210119~20.04.1).
  openssl is already the newest version (1.1.1f-1ubuntu2.4).
  Suggested packages:
    resolvconf openvpn-systemd-resolved easy-rsa
  The following NEW packages will be installed:
  0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 0 B/477 kB of archives.
  After this operation, 1,188 kB of additional disk space will be used.
  Preconfiguring packages ...
  Selecting previously unselected package openvpn.
  (Reading database ... 109259 files and directories currently installed.)
  Preparing to unpack .../openvpn_2.4.7-1ubuntu2.20.04.2_amd64.deb ...
  Unpacking openvpn (2.4.7-1ubuntu2.20.04.2) ...
  Setting up openvpn (2.4.7-1ubuntu2.20.04.2) ...
    * Restarting virtual private network daemon.                      [ OK ]
  Created symlink /etc/systemd/system/ → /lib/systemd/system/openvpn.service.
  Processing triggers for man-db (2.9.1-1) ...
  Processing triggers for systemd (245.4-4ubuntu3.7) ...
  init-pki complete; you may now create a CA or requests.
  Your newly created PKI dir is: /etc/openvpn/server/easy-rsa/pki
  Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
  Generating RSA private key, 2048 bit long modulus (2 primes)
  e is 65537 (0x010001)
  Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
  Generating a RSA private key
  writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-2749.6tj7Mb/tmp.fSqcnR'
  Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-2749.6tj7Mb/tmp.TS5dnM
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  commonName            :ASN.1 12:'server'
  Certificate is to be certified until Jul 10 05:27:40 2031 GMT (3650 days)
  Write out database with 1 new entries
  Data Base Updated
  Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
  Generating a RSA private key
  writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-2824.Fx4J3A/tmp.tlGKns'
  Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-2824.Fx4J3A/tmp.dVVyTl
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  commonName            :ASN.1 12:'client'
  Certificate is to be certified until Jul 10 05:27:40 2031 GMT (3650 days)
  Write out database with 1 new entries
  Data Base Updated
  Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
  Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-2880.kL0wa3/tmp.uyyWGn
  An updated CRL has been created.
  CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem
  Created symlink /etc/systemd/system/ → /etc/systemd/system/openvpn-iptables.service.
  Created symlink /etc/systemd/system/ → /lib/systemd/system/openvpn-server@.service.
  The client configuration is available in: /root/client.ovpn
  New clients can be added by running this script again.
==== Add a user ====
To add a new user, run the script again and select option '''1 - Add a new client'''.
  # bash
  OpenVPN is already installed.
  Select an option:
      1) Add a new client
      2) Revoke an existing client
      3) Remove OpenVPN
      4) Exit
  Option: 1
*You will be prompted for a name; in this example we use client2
  Provide a name for the client:
  Name: client2
  Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
  Generating a RSA private key
  writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-4310.cmbMtC/tmp.MMKA2C'
  Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-4310.cmbMtC/tmp.l84eev
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  commonName            :ASN.1 12:'client2'
  Certificate is to be certified until Jul 10 05:41:10 2031 GMT (3650 days)
  Write out database with 1 new entries
  Data Base Updated
  client2 added. Configuration available in: /root/client2.ovpn
*Copy the configuration file above to your client to use it with OpenVPN
==== Remove a user ====
To remove a user, run the script again and select option '''2 - Revoke an existing client'''.
  # bash
  OpenVPN is already installed.
  Select an option:
      1) Add a new client
      2) Revoke an existing client
      3) Remove OpenVPN
      4) Exit
  Option: 2
*You will be presented with a list of configured users to remove.  We will choose client2 for this example.
  Select the client to revoke:
        1) client
        2) client2
  Client: 2
  Confirm client2 revocation? [y/N]: Y
  Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
  Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-4407.i66z91/tmp.iS3gWM
  Revoking Certificate 05D02E0DF2A242398233588721BB75E0.
  Data Base Updated
  Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
  Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-4444.LpkzMp/tmp.03Azaw
  An updated CRL has been created.
  CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem
  client2 revoked!
==== Uninstall ====
*To uninstall, run the script again and select option '''3 - Remove OpenVPN'''
  Confirm OpenVPN removal? [y/N]:
*When prompted, answer Y to start the removal
  Removed /etc/systemd/system/
  Removed /etc/systemd/system/
  Reading package lists... Done
  Building dependency tree     
  Reading state information... Done
  The following package was automatically installed and is no longer required:
  Use 'apt autoremove' to remove it.
  The following packages will be REMOVED:
  0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
  After this operation, 1,188 kB disk space will be freed.
  (Reading database ... 109344 files and directories currently installed.)
  Removing openvpn (2.4.7-1ubuntu2.20.04.2) ...
  Processing triggers for man-db (2.9.1-1) ...
  (Reading database ... 109265 files and directories currently installed.)
  Purging configuration files for openvpn (2.4.7-1ubuntu2.20.04.2) ...
  Processing triggers for systemd (245.4-4ubuntu3.7) ...
  OpenVPN removed!
== TINC ==
{{go to top}}
Tinc is an open-source, self-routing, mesh networking protocol used for compressed, encrypted virtual private networks.
     └── NoMoreSecrets
         ├── hosts
         │   ├── server1
         │   ├── server2
         │   └── server3
         ├── rsa_key.priv
         ├── tinc.conf
         └── tinc-up
==== FreeBSD Note ====
FreeBSD will use the '''/usr/local/etc/tinc''' directory structure instead of the Linux '''/etc/tinc''' as shown above.  Adjust the paths below accordingly.  Additionally, the '''tinc-up''' and '''tinc-down''' files will differ. See the section below the '''Server 3''' example for notes on these differences.
====Individual node setup and configuration====
     ip addr del dev $INTERFACE
     ip link set $INTERFACE down
====== FreeBSD Note ======
The '''tinc-up''' and '''tinc-down''' files will differ from those listed above as follows:
* /usr/local/etc/tinc/NoMoreSecrets/tinc-up:
    ifconfig "$INTERFACE" up
    ifconfig "$INTERFACE" inet netmask
    route add -net
''Note:  Substitute '''route add -host <remote tinc ip> <local tinc ip>''' for the last line above in a two-node setup.''
* /usr/local/etc/tinc/NoMoreSecrets/tinc-down:
    ifconfig "$INTERFACE" destroy
=====Create keypair=====
=====Start tinc=====
* On all servers enable and start tinc
     systemctl enable tinc@NoMoreSecrets
     systemctl start tinc@NoMoreSecrets
On FreeBSD, you will need to ensure that tincd is properly configured in '''/etc/rc.conf''' before you attempt to start it:
*Add the following to your /etc/rc.conf:
  tincd_flags="-d 2 -L"
*Start tinc with:
  service tincd start
Once tinc is up and running on all three servers you should be able to communicate over the network.
Calling tinc with the -k or --kill option will cause it to automatically unregister itself.
== SOCAT ==
SOCAT can be used to create a simple virtual network between two hosts using UDP and TUN devices. 
'''Note: It is possible to use TCP for this as well, but without the nodelay option it might cause problems.  You can also replace UDP with DTLS to add security to the connection.'''
*IP addresses used in this example:
{| class="wikitable" style="text-align: center; width: 35%"
! Host
! Address
! Mask
|-
| Physical server address
| 
| N/A
|-
| Physical client address
| N/A
| N/A
|-
| TUN device on server
| 
| 
|-
| TUN device on client
| 
| 
|}
Note: UDP connections will use port 11443.
=== Create TUN devices ===
*TUN Server<syntaxhighlight lang="text">
socat -d -d UDP-LISTEN:11443,reuseaddr TUN:,up</syntaxhighlight>
*TUN Client<syntaxhighlight lang="text">
socat UDP: TUN:,up</syntaxhighlight>
Executing these two commands will result in a connection being established from the client to the server via TUN devices.
=== Troubleshooting ===
The following are common errors that you may encounter when using SOCAT to create a VPN.
*Missing TUN/TAP Support<syntaxhighlight lang="text">
... E unknown device/address "tun"</syntaxhighlight>
The SOCAT binary probably does not provide TUN/TAP support.  Reasons include not running Linux or using an older version of SOCAT.
*Missing Kernel Support<syntaxhighlight lang="text">
... E open("/dev/net/tun", 02, 0666): No such file or directory</syntaxhighlight>
This indicates that your kernel does not have TUN/TAP support compiled in.
*TUN Cloning Device Permissions<syntaxhighlight lang="text">
... E open("/dev/net/tun", 02, 0666): Permission denied</syntaxhighlight>
This indicates that you do not have sufficient permission to read or write the TUN cloning device.  Check the device's permissions and ownership.
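As an added example (not part of the original page), the following POSIX shell helpers run the checks behind the three errors above before starting the socat TUN commands, and classify a captured socat error line into one of those causes. It assumes that `socat -V` lists its build features as `#define WITH_TUN 1`; nothing here changes the system, it only reports.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for the socat
# TUN setup and a classifier for the three Troubleshooting error lines.

# socat_has_tun -> 0 if the installed socat was built with TUN support.
# Assumption: "socat -V" prints build features such as "#define WITH_TUN 1".
socat_has_tun() {
    command -v socat >/dev/null 2>&1 || return 1
    socat -V 2>/dev/null | grep -q 'WITH_TUN 1'
}

# tun_device_state -> prints "missing", "no-permission" or "ok" for /dev/net/tun,
# the conditions behind the "No such file" and "Permission denied" errors above.
tun_device_state() {
    dev=/dev/net/tun
    if [ ! -c "$dev" ]; then
        echo missing
    elif [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
        echo no-permission
    else
        echo ok
    fi
}

# classify_socat_error LINE -> which of the three documented causes a captured
# socat error line matches, or "unknown".
classify_socat_error() {
    case "$1" in
        *'unknown device/address "tun"'*)              echo socat-without-tun ;;
        *'/dev/net/tun'*'No such file or directory'*)  echo kernel-without-tun ;;
        *'/dev/net/tun'*'Permission denied'*)          echo tun-device-permissions ;;
        *)                                             echo unknown ;;
    esac
}

# preflight -> exit status 0 when the socat TUN commands can be expected to work;
# otherwise prints the first problem found, in the order socat would hit them.
preflight() {
    if ! socat_has_tun; then
        echo "socat missing or built without TUN support"; return 1
    fi
    case "$(tun_device_state)" in
        missing)       echo "/dev/net/tun absent: kernel lacks TUN/TAP (try: modprobe tun)"; return 1 ;;
        no-permission) echo "/dev/net/tun not readable/writable by $(id -un)"; return 1 ;;
    esac
    # bringing the interface up (",up") needs CAP_NET_ADMIN; root is the simple case
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: ',up' will fail without CAP_NET_ADMIN"; return 1
    fi
    return 0
}
```

Run `preflight` on both the server and the client host before the `socat ... TUN:` commands, and feed any error line socat does print to `classify_socat_error`.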
== SoftEther ==
{{go to top}}
SoftEther VPN is an open-source, free, cross-platform, multi-protocol VPN program that is an academic project from the University of Tsukuba in Japan.
== WireGuard ==
{{go to top}}
WireGuard can be downloaded from the official site.<ref>WireGuard Official Site []</ref>
=== Road Warrior Install ===
*You can run it again to add/remove users or completely uninstall WireGuard
=== Mikrotik Wireguard Road Warrior Config ===
Source:<ref>Mikrotik Forums - MikroTik Wireguard server with Road Warrior clients []</ref>
The following information shows how to set up a MikroTik WireGuard server with road warrior clients.
==== Network topology ====
The network used in this example is  A MikroTik device will be the server, and the clients can be any device running the WireGuard software.
{| class="wikitable" style="text-align: center; width: 35%"
! System
! IP Address
|-
| Wireguard server
| 
|-
| Wireguard client(s)
| 192.168.66.[2-254]
|}
==== Mikrotik Configuration ====
<syntaxhighlight lang="text">
# a private and public key will be automatically generated when adding the wireguard interface
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
# the first client added here is ipv4 only
add allowed-address= interface=wireguard1 public-key="*** replace-with-public-key-of-first-client ***"
# this client is dual stack - public IPv6 should be used - replace 2001:db8:cafe:beef: with one of your /64 prefixes.
add allowed-address=,2001:db8:cafe:beef::3/128 interface=wireguard1 public-key="*** replace-with-public-key-of-second-client-dual-stack ***"
/ip address
add address= interface=wireguard1 network=
/ipv6 address
add address=2001:db8:cafe:beef::1/64 interface=wireguard1
</syntaxhighlight>
==== Client configuration ====
<syntaxhighlight lang="text">
Interface: (whatever name you want to specify)
Public key: the client should automatically generate this - add this to the server above replacing "replace-with-public-key-of-second-client-dual-stack"
Addresses:,2001:db8:cafe:beef::3/64          (note these are different subnet masks than in the server config)
DNS servers: as desired - if you want to use the wireguard server for dns, specify
Peer public key - get the public key from the wireguard interface on the Mikrotik device and place here
Endpoint - mydyndns.whatever:13231
Allowed IPs:, ::/0
</syntaxhighlight>
This client configuration will result in all traffic being forwarded via the Mikrotik Wireguard server.  You will need to ensure the following:
*Create an input chain firewall rule to allow UDP traffic in on port 13231:
<syntaxhighlight lang="text">
/ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
</syntaxhighlight>
*Ensure the Mikrotik firewall allows traffic from the WireGuard subnet and that you are NATing this traffic.  If your device is based on the default Mikrotik config and uses the LAN interface list, you can add the Wireguard interface to this list to allow traffic through and NAT it as it leaves your network.  Otherwise, you will need to modify your configuration accordingly.
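As an added example (not from the page or the forum post it cites), the POSIX shell helpers below derive both halves of a road-warrior peer entry from a client's tunnel addresses, applying the prefix-length rule noted above: the server's allowed-address is a host route (/32, /128) while the client's own Address carries the subnet prefix (/24, /64). They assume the 192.168.66.0/24 and 2001:db8:cafe:beef::/64 networks from this section and that the MikroTik holds 192.168.66.1; keys and the endpoint are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original page. Builds the MikroTik "peers add"
# line and the matching client config for one road-warrior client.
# Assumptions: tunnel networks 192.168.66.0/24 and 2001:db8:cafe:beef::/64,
# server address 192.168.66.1, listen-port 13231 as in the configuration above.

V4_NET="192.168.66"             # clients are 192.168.66.[2-254]
LISTEN_PORT=13231               # listen-port of wireguard1 above

# host_route ADDR -> ADDR/32 (IPv4) or ADDR/128 (IPv6): the server-side allowed-address
host_route() {
    case "$1" in
        *:*) printf '%s/128\n' "$1" ;;
        *)   printf '%s/32\n'  "$1" ;;
    esac
}

# subnet_addr ADDR -> ADDR/24 or ADDR/64: the client's own interface address
subnet_addr() {
    case "$1" in
        *:*) printf '%s/64\n' "$1" ;;
        *)   printf '%s/24\n' "$1" ;;
    esac
}

# valid_client_v4 ADDR -> 0 only for 192.168.66.2 .. 192.168.66.254 (.1 is the server)
valid_client_v4() {
    host="${1#$V4_NET.}"
    [ "$host" != "$1" ] || return 1          # not inside the tunnel network
    case "$host" in ''|*[!0-9]*) return 1 ;; esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# mikrotik_peer_cmd V4 V6_OR_EMPTY CLIENT_PUBKEY -> the RouterOS "peers add" line
mikrotik_peer_cmd() {
    v4="$1"; v6="$2"; key="$3"
    valid_client_v4 "$v4" || { echo "invalid client address: $v4" >&2; return 1; }
    allowed="$(host_route "$v4")"
    if [ -n "$v6" ]; then
        allowed="$allowed,$(host_route "$v6")"
    fi
    printf '/interface wireguard peers add allowed-address=%s interface=wireguard1 public-key="%s"\n' \
        "$allowed" "$key"
}

# client_conf V4 V6_OR_EMPTY SERVER_PUBKEY ENDPOINT_HOST -> wg-quick style client config
# that sends all traffic through the tunnel (AllowedIPs 0.0.0.0/0 and, if dual stack, ::/0)
client_conf() {
    v4="$1"; v6="$2"; server_key="$3"; endpoint="$4"
    valid_client_v4 "$v4" || return 1
    addr="$(subnet_addr "$v4")"
    allowed_ips="0.0.0.0/0"
    if [ -n "$v6" ]; then
        addr="$addr, $(subnet_addr "$v6")"
        allowed_ips="$allowed_ips, ::/0"
    fi
    cat <<EOF
[Interface]
PrivateKey = <generated on the client; never copied to the server>
Address = $addr
DNS = $V4_NET.1

[Peer]
PublicKey = $server_key
Endpoint = $endpoint:$LISTEN_PORT
AllowedIPs = $allowed_ips
EOF
}
```

Call `mikrotik_peer_cmd 192.168.66.3 2001:db8:cafe:beef::3 <client public key>` for the server side and `client_conf 192.168.66.3 2001:db8:cafe:beef::3 <server public key> mydyndns.whatever` for the client; an address outside 192.168.66.2-254 is rejected by both.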
==== Get/Set Wireguard Peers ====
*Get Mikrotik Wireguard peers list
<syntaxhighlight lang="text">
/interface wireguard peers print
</syntaxhighlight>
*Set the allowed addresses of a Mikrotik Wireguard peer (the parameter is allowed-address, as in the configuration above)
<syntaxhighlight lang="text">
/interface wireguard peers set <ID> allowed-address=whatever,whateverelse
</syntaxhighlight>
== VPNC ==
{{go to top}}
VPNC<ref>VPNC Project Homepage []</ref> is an open-source VPN client.
== Other ==
{{go to top}}
Any other information that doesn't fit elsewhere.
== Linux ==
{{go to top}}
The following script can be used to set up a basic firewall on a Linux-based system using iptables.