How to configure point-to-point VPN and linuxvpn on Linux


A traditional VPN (such as OpenVPN or PPTP) consists of a VPN server and one or more clients connected to that server. When any two VPN clients communicate with each other, the VPN server has to relay the VPN traffic between them. The problem with such a hub-and-spoke VPN topology is that, as the number of connected clients grows, the VPN server easily becomes a performance bottleneck. The centralized VPN server is also a single point of failure: when the VPN server goes down, the whole VPN becomes unreachable for every VPN client.

Point-to-point VPN (also known as P2P VPN) is another VPN model, which solves these problems of the traditional server-client VPN. A P2P VPN no longer has a central VPN server. Any node with a public IP address can bootstrap other nodes into the VPN. Once connected, each node communicates directly with any other node in the VPN without passing through an intermediate server. If any node fails, the remaining nodes in the VPN are not affected. Latency, bandwidth and the scalability of the VPN in the number of nodes naturally improve. This is ideal when you want to use a VPN for multiplayer games or to share files with many friends.

There are already several open-source P2P VPN implementations, such as Tinc, peerVPN and n2n. In this tutorial, I will show you how to configure a point-to-point VPN with n2n on Linux.

n2n is an open-source (GPLv3) software that lets users build an encrypted layer-2/3 point-to-point VPN between them. The VPN built by n2n is "NAT-friendly": two users behind different NAT routers can communicate with each other directly through the VPN. n2n supports symmetric NAT, the most restrictive type of NAT. To achieve this, n2n encapsulates its VPN traffic in UDP.

An n2n VPN consists of two types of nodes: edge nodes and super nodes. An edge node is a computer connected to the VPN, which may be behind a NAT router. A super node is a computer with a public IP address; it helps the edge nodes behind NAT perform their initial communication. To create a P2P VPN, we need at least one super node.

Preparations

In this tutorial, I will create a P2P VPN with three nodes: a super node and two edge nodes. The only requirement is that the edge nodes must be able to reach the IP address of the super node; whether they are behind a NAT router is irrelevant.

Install n2n on Linux

To build a P2P VPN with n2n, you need to install n2n on each node, including the super node.

Due to its streamlined dependency requirements, n2n can be easily compiled on most Linux platforms.

Install n2n on Debian-based systems:

  $ sudo apt-get install subversion build-essential libssl-dev
  $ svn co https://svn.ntop.org/svn/ntop/trunk/n2n
  $ cd n2n/n2n_v2
  $ make
  $ sudo make install

Install n2n on Red Hat-based systems:

  $ sudo yum install subversion gcc-c++ openssl-devel
  $ svn co https://svn.ntop.org/svn/ntop/trunk/n2n
  $ cd n2n/n2n_v2
  $ make
  $ sudo make install

Configure a P2P VPN with n2n

As mentioned above, we need at least one super node, which acts as the initial bootstrap server. Assume that the IP address of this super node is 1.1.1.1.

Super node:

Run the following command on the computer that acts as the super node. "-l <port>" specifies the listening port of the super node. Root permission is not required to run supernode.

  $ supernode -l 5000

Edge node:

On each edge node, use the following command to connect to the P2P VPN. The edge daemon runs in the background.

Edge node #1:

  $ sudo edge -d edge0 -a 10.0.0.10 -c mynetwork -u 1000 -g 1000 -k password -l 1.1.1.1:5000 -m ae:e0:4f:e7:47:5b

Edge node #2:

  $ sudo edge -d edge0 -a 10.0.0.11 -c mynetwork -u 1000 -g 1000 -k password -l 1.1.1.1:5000 -m ae:e0:4f:e7:47:5c

The command line options are explained below:

  • The "-d <Interface Name>" option specifies the name of the TAP interface created by the edge command.
  • The "-a <IP address>" option (static) specifies the IP address of the VPN allocated to the TAP interface. If you want to use DHCP, You need to configure a DHCP server on one of the edge nodes and use the "-a dhcp: 0.0.0.0" option instead.
  • The "-c <Group Name>" option specifies the name of the VPN group (up to 16 bytes ). This option can be used to create multiple VPNs in the same group of nodes.
  • The "-u" and "-g" options are used to drop the root permission after creating a TAP interface. The edge daemon runs as the specified user/group ID.
  • The-k <key> option specifies a key encrypted by twofish. If you want to hide the key from the command line, you can use the N2N_KEY environment variable.
  • The "-l <IP Address: Port>" option specifies the IP address and port number of the super node listener. For redundancy, you can specify A maximum of two super nodes (for example,-l <super node A>-l <super node B> ).
  • "-M" assigns a static MAC address to the TAP interface. If this parameter is not used, the edge command randomly generates a MAC address. In fact, it is strongly recommended to force a static MAC address for a VPN interface. Otherwise, for example, when you restart the edge daemon on a node, the ARP cache of other nodes will be contaminated by the newly generated MAC address, they will not be able to send data to this node until the contaminated ARP records are eliminated.

At this point, you should be able to ping the VPN IP address of the other edge node from either edge node.

Troubleshooting
  1. The following error is returned when you start the edge daemon.

    N2n [4405]: ERROR: ioctl () [Operation not permitted] [-1]

Note that the edge daemon requires superuser permission to create the TAP interface. Therefore, you must either run it as root or set the SUID bit on the edge binary. In either case, you can still use the "-u" and "-g" options to drop root privileges afterwards.
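The following added script (my own example, not code from the tutorial or the n2n project) turns the option rules above and the privilege requirement from the Troubleshooting section into checks: it builds an edge command line that enforces the 16-byte community limit, a pinned MAC address and a key taken from N2N_KEY rather than argv, and it tests whether the current user can create the TAP interface. All names and values (edge0, mynetwork, 1.1.1.1:5000, the key) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build an `edge` command
# line that follows the constraints stated above, and check the privilege
# requirement behind the "ioctl() [Operation not permitted]" error.
#   - community name (-c) must fit in 16 bytes
#   - MAC (-m) is pinned, so peers' ARP caches stay valid across restarts
#   - key is taken from N2N_KEY, so it never shows up in `ps` output
#   - root is dropped after TAP creation via -u/-g
# Usage: build_edge_cmd <iface> <vpn-ip> <community> <uid> <gid> <super:port> <mac>
# Prints the command line; returns 1 on invalid input.
build_edge_cmd() {
    iface=$1 ip=$2 community=$3 uid=$4 gid=$5 super=$6 mac=$7
    hx='[0-9a-fA-F][0-9a-fA-F]'
    # -c <Group Name> is limited to 16 bytes
    if [ "$(printf '%s' "$community" | wc -c | tr -d ' ')" -gt 16 ]; then
        echo "community '$community' exceeds 16 bytes" >&2
        return 1
    fi
    # -m must be six colon-separated hex octets (unquoted $hx acts as a pattern)
    case "$mac" in
        $hx:$hx:$hx:$hx:$hx:$hx) ;;
        *) echo "invalid MAC address '$mac'" >&2; return 1 ;;
    esac
    # the Twofish key must come from the environment, not from argv
    if [ -z "${N2N_KEY:-}" ]; then
        echo "N2N_KEY is not set; refusing to pass the key on the command line" >&2
        return 1
    fi
    printf 'edge -d %s -a %s -c %s -u %s -g %s -l %s -m %s\n' \
        "$iface" "$ip" "$community" "$uid" "$gid" "$super" "$mac"
}

# edge needs root (or the SUID bit on the binary) to create the TAP interface;
# without it the ioctl() in the Troubleshooting section fails.
can_create_tap() {
    edge_bin=$1
    [ "$(id -u)" -eq 0 ] && return 0
    [ -u "$edge_bin" ] && return 0
    return 1
}

# Example (constructed values; 1.1.1.1 is the tutorial's placeholder super node):
#   N2N_KEY='change-me'; export N2N_KEY
#   cmd=$(build_edge_cmd edge0 10.0.0.10 mynetwork 1000 1000 1.1.1.1:5000 ae:e0:4f:e7:47:5b)
#   if can_create_tap "$(command -v edge)"; then $cmd; else sudo -E $cmd; fi
```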

Summary

n2n can be a free VPN solution for you. You can easily set up a super node, either on your own home network or on a publicly reachable VPS instance from a cloud provider. You no longer need to hand sensitive credentials and keys to a third-party VPN provider: with n2n, you can set up your own low-latency, high-bandwidth and scalable P2P VPN among your friends.
