# VPN

* [Ref](#ref)
* [WireGuard - C](#wireguard---c)
  * [key](#key)
  * [wg-quick](#wg-quick)
  * [forwarding](#forwarding)
* [Tailscale](#tailscale)
  * [Subnet](#subnet)
  * [Exit Node](#exit-node)
    * [client](#client)
* [zerotier](#zerotier)
  * [Moons](#moons)
* [nebula - go](#nebula---go)
* [L2TP](#l2tp)
  * [v3](#v3)

## Ref

* L4: [/nw/proxy/](https://github.com/fzinfz/book/blob/master/nw/proxy/README.md)
* OVPN: [OpenWRT](https://github.com/fzinfz/book/blob/master/OpenWrt/VPN/README.md) | [Mikrotik](https://github.com/fzinfz/book/blob/master/nw/mikrotik/README.md#openvpn)

## WireGuard - C

* debug: <https://www.wireguard.com/quickstart/#debug-info>
* Network Namespace: <https://www.wireguard.com/netns/>
* uci: <https://wiki.archlinux.org/title/WireGuard>
* docker: <https://github.com/masipcat/wireguard-go-docker>
* auto: <https://github.com/burghardt/easy-wg-quick>

### key

```
wg genkey | tee privatekey | wg pubkey > publickey
```

<https://github.com/axllent/wireguard-vanity-keygen/releases>

```
./wireguard-vanity-keygen --case-sensitive --limit 1 PRE
```

<https://www.wireguard.com/protocol/>

* optional pre-shared key that is mixed into the public key cryptography, all-zeros if not in use

  ```
  wg genpsk > presharedkey
  ```

private-key file: <https://ubuntu.com/server/docs/security-tips-for-wireguard-vpn#preventing-accidental-leakage-of-private-keys>

```
[Interface]
PostUp = wg set %i private-key /etc/wireguard/%i.key
```

### wg-quick

<https://github.com/WireGuard/wireguard-tools/blob/master/src/wg-quick/linux.bash>

<https://wiki.archlinux.org/title/WireGuard#wg-quick>

```
ls /etc/wireguard/*.conf | grep -Po '(?<=/)\w+(?=.conf)' | xargs -I % sh -c "wg-quick down % ; echo --- ; wg-quick up %"
wg ; echo --- ; iptables -L -t nat -v ; echo --- ; iptables -L -v ; sysctl net.ipv4.conf.all.forwarding
systemctl enable wg-quick@wgX
```

### forwarding

<https://unix.stackexchange.com/a/722448>

server

```
[Interface]
PrivateKey = server
Address = 192.168.44.1/24
ListenPort = 

[Peer]
PublicKey = client
AllowedIPs = 192.168.44.11/32, 192.168.88.0/24 # ip route | grep wg
```

home gateway

```
[Interface]
PrivateKey = client
Address = 192.168.44.11/24
PreUp = sysctl -w net.ipv4.conf.all.forwarding=1
PreUp =    iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE

[Peer]
PublicKey = server
Endpoint = server:port
AllowedIPs = 192.168.44.0/24
PersistentKeepalive = 25
```
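A consistency check for the server and home-gateway pair above, added here as an example (not part of these notes): it parses both configs, verifies that the server's AllowedIPs cover the gateway's tunnel IP and the LAN behind it, that the gateway routes the server's tunnel IP, that forwarding is switched on and that the MASQUERADE rule added on the way up is removed on the way down. The embedded configs are constructed samples with placeholder keys, assume port 51820, and treat 192.168.88.0/24 as the LAN behind the gateway.

```python
import ipaddress

# Constructed samples mirroring the two configs above; keys are placeholders, not real key material.
SERVER_CONF = ("[Interface]\nPrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER\nAddress = 192.168.44.1/24\n"
               "ListenPort = 51820\n[Peer]\nPublicKey = GATEWAY_PUBLIC_KEY_PLACEHOLDER\n"
               "AllowedIPs = 192.168.44.11/32, 192.168.88.0/24  # ip route | grep wg\n")
GATEWAY_CONF = ("[Interface]\nPostUp = wg set %i private-key /etc/wireguard/%i.key\n"
                "Address = 192.168.44.11/24\nPreUp = sysctl -w net.ipv4.conf.all.forwarding=1\n"
                "PreUp = iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE\n"
                "PostDown = iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE\n"
                "[Peer]\nPublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER\nEndpoint = server:51820\n"
                "AllowedIPs = 192.168.44.0/24\nPersistentKeepalive = 25\n")

def parse_wg(text):
    """wg-quick INI -> [(section, {key: [values]})]; '#' starts a comment and keys may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
        elif line:
            key, _, val = line.partition("=")
            sections[-1][1].setdefault(key.strip(), []).append(val.strip())
    return sections

def covered(target, conf):
    """True if some [Peer] AllowedIPs entry contains target (AllowedIPs is what wg-quick turns into routes)."""
    allowed = [ipaddress.ip_network(n.strip()) for sec, kv in parse_wg(conf) if sec == "Peer"
               for n in ",".join(kv.get("AllowedIPs", [])).split(",")]
    return any(ipaddress.ip_network(target).subnet_of(a) for a in allowed)

def check_pair(server_conf, gateway_conf, lan="192.168.88.0/24"):
    """Findings for a server + home-gateway pair; an empty list means the pair is consistent."""
    srv, gw = (dict(parse_wg(c))["Interface"] for c in (server_conf, gateway_conf))
    srv_ip, gw_ip = (str(ipaddress.ip_interface(i["Address"][0]).ip) for i in (srv, gw))
    findings = []
    # Server side: the gateway's tunnel IP and the LAN behind it must both be routed to that peer.
    for need in (gw_ip, lan):
        if not covered(need, server_conf):
            findings.append(f"server: AllowedIPs does not cover {need}")
    if not covered(srv_ip, gateway_conf):
        findings.append(f"gateway: AllowedIPs does not cover server {srv_ip}")
    # Gateway side: forwarding must be on, and a NAT rule added on the way up needs a matching teardown.
    hooks = gw.get("PreUp", []) + gw.get("PostUp", [])
    if not any("forwarding=1" in h or "ip_forward=1" in h for h in hooks):
        findings.append("gateway: IP forwarding is not enabled in PreUp/PostUp")
    for h in hooks:
        if "-A POSTROUTING" in h and h.replace("-A ", "-D ") not in gw.get("PostDown", []) + gw.get("PreDown", []):
            findings.append(f"gateway: no PostDown/PreDown for '{h}'")
    return findings
```

Running `check_pair(SERVER_CONF, GATEWAY_CONF)` on the samples returns an empty list; drop `192.168.88.0/24` from the server's AllowedIPs and the LAN finding appears.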

## Tailscale

Free for Personal: <https://tailscale.com/pricing/>

```
curl -fsSL https://tailscale.com/install.sh | sh
tailscale status
```

* Console: <https://login.tailscale.com/admin/machines>
* relay: <https://tailscale.com/kb/1118/custom-derp-servers/>
* headscale: <https://headscale.net/development/setup/install/official/>

### Subnet

<https://tailscale.com/kb/1019/subnets#connect-to-tailscale-as-a-subnet-router>

* Linux: Enable IP forwarding
* Web: Edit route settings / Access Controls

### Exit Node

```
tailscale up --advertise-exit-node # enable on WebUI: Edit route settings
```

<https://tailscale.com/docs/features/subnet-routers#enable-ip-forwarding>

```
echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.d/99-tailscale.conf
sysctl -p /etc/sysctl.d/99-tailscale.conf
```

<https://tailscale.com/docs/reference/best-practices/performance#ethtool-configuration>

```
NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
ethtool -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
```

#### client

```
tailscale set --exit-node=<Empty to remove>
```

## zerotier

```
curl -s https://install.zerotier.com | sudo bash
service zerotier-one status
zerotier-cli status
zerotier-cli peers # PLANET/LEAF
```

### Moons

Own Roots (a.k.a. Moons): <https://docs.zerotier.com/roots/>

```
zerotier-cli join ...
cd /var/lib/zerotier-one
zerotier-idtool initmoon identity.public >> moon.json
chown zerotier-one:zerotier-one moon.json
```

## nebula - go

<https://github.com/slackhq/nebula>

## L2TP

<https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol>

* It is common to carry PPP sessions within an L2TP tunnel.

  ```
  [mikrotik] /interface l2tp-server server set enabled=yes use-ipsec=yes
  ```

### v3

appeared as proposed standard RFC 3931 in 2005

<https://en.wikipedia.org/wiki/L2TPv3>

* can be regarded as being to MPLS what IP is to ATM
