Background<\/h2>\n\n\n\n
The implementation was originally intended to help a friend who lived in China and who struggled with his commercial VPN that only tunneled IPv4 and did not block IPv6. He often experienced blockages when he tried to access social media sites as his system would prefer IPv6 over IPv4 and so the connection would not run through his VPN. However, due to [6<\/a>], openvpn<\/a> alone is no longer suited to circumvent censorship in China [7<\/a>]. WireGuard<\/a> might still work in geographies where openvpn<\/a> is blocked, however.<\/p>\n\n\n\n In order to use the approach described here, you should:<\/p>\n\n\n\n The graph below shows the setup on my machine caipirinha.spdns.org with 5 VPN services (blue, green color) that will be described in this blog post. The machine has also 3 VPN clients configured which are mapped to a commercial service (ocker color), but this will not be topic of this blog post.<\/p>\n\n\n\n Let us now look at some details of the network setup:<\/p>\n\n\n\n When everything has been set up correctly, the Linux server should get various IP addresses, and among them various IPv6 addresses:<\/p>\n\n\n\n An example is shown here:<\/p>\n\n\n\n Routing for IPv4 and IPv6 needs to be enabled on the Linux server. I personally also decided to switch off the privacy extensions on the Linux server, but that is a personal matter of taste:<\/p>\n\n\n\n For the openVPN server and clients, we need a certification authority and we ultimately need to create signed certificates and keys. This can be done with the help of the package easy-rsa<\/strong> that is available for various platforms [22<\/a>] and often is part of Linux distributions, too. Documentation and hands-on examples are given in [20<\/a>] and [21<\/a>].<\/p>\n\n\n\n We start with the initialization of a Public Key Infrastructure<\/a> (PKI) and the creation of a Certificate Authority<\/a> (CA) followed by the creation of a Certificate Revocation List<\/a> (CRL)<\/p>\n\n\n\n The next step is the creation of a key pair for the server. The public key will be signed by the CA and thus become our server certificate. Furthermore, we create Diffie-Hellman<\/a> parameters for the server (not needed if you create elliptic keys). All this can be done by:<\/p>\n\n\n\n In this example, the server certificate is valid for some 3652 days (10 years), the certificate is named caipirinha.spdns.org.crt<\/strong>, and the private key which must remain on the server is named caipirinha.spdns.org.key<\/strong>.<\/p>\n\n\n\n Now, we can create client certificates in a similar way. In the example, the client certificates will have a validity of 5 years only:<\/p>\n\n\n\n I chose not to use passwords for the private key in order to facilitate the handling. Furthermore, I went for the easy way and created all certificates and keys on one system only. If you intend to deploy a professional solution, you have to keep cyber-security in mind and you may therefore want to exercise more caution and separate the certificate authority on a secured system from the creation of server and client key pairs as it has been advised in [20<\/a>].<\/p>\n\n\n\n Before we go into details of the configuration, we must distinguish 3 concepts of VPNs:<\/p>\n\n\n\n The following configurations will create 4 different VPNs based on 2 concepts above.<\/p>\n\n\n\n We shall now look at some configuration parameters and their meaning:<\/p>\n\n\n\n The generation of client configuration files is explained in [11<\/a>], and there are numerous guidelines in the internet. Therefore, I just want to give 2 examples and briefly point out some useful considerations.<\/p>\n\n\n\n The following points proved to be useful for me:<\/p>\n\n\n\n Different network conditions might require tweaking one or the other parameters of the openvpn<\/a> service. [8<\/a>], [9<\/a>], [10<\/a>] contain some indications, especially with respect to different hardware and network conditions.<\/p>\n\n\n\n As mentioned above, the client-config-dir<\/strong> directive can be used to refer to a folder that contains configurations for dedicated devices. An example is the file \/etc\/openvpn\/conf-1194\/Gabriel-SM960F<\/strong>. It contains the content:<\/p>\n\n\n\n This file makse the device with the client certificate named gabriel-SM-N960F<\/strong> always receive the same IP addresses, namely 192.168.10.251<\/strong> (IPv4) and fd01:0:0:a:0:0:1:fb<\/strong> (IPv6). The name of the file must exactly match the VPN client’s common name (CN) that was defined when the client certificate was created [5<\/a>].<\/p>\n\n\n\n WireGuard<\/a> is a new and promising VPN protocol [15<\/a>] which is not yet as widespread as openvpn<\/a>; it may therefore “escape” censorship authorities easier than openvpn<\/a> which can be detected by statistical analysis [16<\/a>]. The setup of the server is described in [12<\/a>], [13<\/a>], a more complex configuration is described in [19<\/a>]. A big advantage of WireGuard<\/a> is also that the code base is very lean, and hence performance on any given platform is higher than with openvpn<\/a>.<\/p>\n\n\n\n I personally find it unusual that you have to list the clients in the server configuration file rather than just having a general server configuration where any number of allowed clients can connect to. On my Linux server caipirinha.spdns.org, the WireGuard<\/a> server configuration contains of 3 files:<\/p>\n\n\n\n Similar to the openvpn<\/a> configurations described above, I spent a dedicated IPv4 and IPv6 subnet for the WireGuard<\/a> server, in this case 192.168.14.0\/24<\/strong> and fd01:0:0:e::\/64<\/strong>. The configuration file \/etc\/wireguard\/wg0.conf<\/strong> is easy to understand and contains important parameters that shall be discussed below:<\/p>\n\n\n\n The section [Interface]<\/strong> describes the server setup:<\/p>\n\n\n\n Each section [Peer]<\/strong> lists a possible client configuration. If you want to enable 10 clients on your server, you therefore need 10 such sections.<\/p>\n\n\n\n WireGuard<\/a> clients exist for all major operating systems. I would like to show a Windows 10 configuration that I set up on one of my notebooks according to [14<\/a>].<\/p>\n\n\n\n As we can see, I also named the respective network interface on the client wg0<\/strong>, but you can use any other name, too. The detailed configuration of the only client connection is also easy to understand:<\/p>\n\n\n\n The section [Interface]<\/strong> describes the client setup:<\/p>\n\n\n\nPreconditions<\/h2>\n\n\n\n
\n
Description and Usage<\/h2>\n\n\n\n
![\"\"](\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/VPN-Diagramm-1-1024x576.jpg\")
Home Network Setup<\/h3>\n\n\n\n
\n
![\"\"](\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/IPv6-Setup-des-Routers-1024x494.jpg\")
\n
caipirinha:~ # ifconfig eth0<\/strong>\neth0: flags=4163 mtu 1500\ninet 192.168.2.3 netmask 255.255.255.0 broadcast 192.168.2.255\ninet6 2001:16b8:306c:c700:76d4:35ff:fe5c:d2c3 prefixlen 64 scopeid 0x0\ninet6 fe80::76d4:35ff:fe5c:d2c3 prefixlen 64 scopeid 0x20\ninet6 fd00::2:76d4:35ff:fe5c:d2c3 prefixlen 64 scopeid 0x0\n...<\/code><\/pre>\n\n\n\nEnabling Routing<\/h3>\n\n\n\n
# Enable \"loose\" reverse path filtering and prohibit icmp redirects\nsysctl -w net.ipv4.conf.all.rp_filter=2\nsysctl -w net.ipv4.conf.all.send_redirects=0\nsysctl -w net.ipv4.conf.eth0.send_redirects=0\nsysctl -w net.ipv4.icmp_errors_use_inbound_ifaddr=1\n\n# Enable IPv6 routing, but keep SLAAC for eth0\nsysctl -w net.ipv6.conf.eth0.accept_ra=2\nsysctl -w net.ipv6.conf.all.forwarding=1\n\n# Switch off the privacy extensions\nsysctl -w net.ipv6.conf.eth0.use_tempaddr=0<\/code><\/pre>\n\n\n\nOpenVPN Key Management with Easy-RSA<\/h3>\n\n\n\n
easyrsa init-pki\neasyrsa build-ca nopass\neasyrsa gen-crl<\/code><\/pre>\n\n\n\neasyrsa --days=3652 build-server-full caipirinha.spdns.org nopass\neasyrsa gen-dh<\/code><\/pre>\n\n\n\neasyrsa --days=1825 build-client-full gabriel-SM-G991B nopass\neasyrsa --days=1825 build-client-full gabriel-SM-N960F nopass\neasyrsa --days=1825 build-client-full gabriel-SM-N915FY nopass\neasyrsa --days=1825 build-client-full gabriel-SM-T580 nopass\n...<\/code><\/pre>\n\n\n\nOpenVPN Server Configuration<\/h3>\n\n\n\n
\n
\n
\n
UDP-based VPN, full tunneling<\/h4>\n\n\n\n
# Konfigurationsdatei f\u00fcr den openVPN-Server auf CAIPIRINHA (UDP:1194)\n\nca \/root\/pki\/ca.crt\ncert \/etc\/openvpn\/caipirinha.spdns.org.crt\nclient-config-dir \/etc\/openvpn\/conf-1194\ncrl-verify \/root\/pki\/crl.pem\ndev tun4\ndh \/root\/pki\/dh.pem\nhand-window 90\nifconfig 192.168.10.1 255.255.255.0\nifconfig-pool 192.168.10.2 192.168.10.239 255.255.255.0\nifconfig-ipv6 fd01:0:0:a::1 fd00::2:3681:c4ff:fecb:5780\nifconfig-ipv6-pool fd01:0:0:a::2\/112\nifconfig-pool-persist \/etc\/openvpn\/ip-pool-1194.txt\nkeepalive 20 80\nkey \/etc\/openvpn\/caipirinha.spdns.org.key\nlog \/var\/log\/openvpn-1194.log\nmode server\npersist-key\npersist-tun\nport 1194\nproto udp6\nreneg-sec 86400\nscript-security 2\nstatus \/var\/run\/openvpn\/status-1194\ntls-server\ntopology subnet\nup \/etc\/openvpn\/start_vpn.sh\nverb 1\nwritepid \/var\/run\/openvpn\/server-1194.pid\n\n# Topologie des VPN und Default-Gateway\npush \"topology subnet\"\npush \"route-gateway 192.168.10.1\"\npush \"redirect-gateway def1 bypass-dhcp\"\npush \"tun-ipv6\"\npush \"route-ipv6 2000::\/3\"\n# DNS-Server\npush \"dhcp-option DNS 8.8.8.8\"\npush \"dhcp-option DNS 8.8.4.4\"<\/code><\/pre>\n\n\n\nUDP-based VPN, split tunneling<\/h4>\n\n\n\n
# Konfigurationsdatei f\u00fcr den openVPN-Server auf CAIPIRINHA (UDP:4396)\n\nca \/root\/pki\/ca.crt\ncert \/etc\/openvpn\/caipirinha.spdns.org.crt\nclient-config-dir \/etc\/openvpn\/conf-4396\ncrl-verify \/root\/pki\/crl.pem\ndev tun7\ndh \/root\/pki\/dh.pem\nhand-window 90\nifconfig 192.168.13.1 255.255.255.0\nifconfig-pool 192.168.13.2 192.168.13.239 255.255.255.0\nifconfig-ipv6 fd01:0:0:d::1 fd00::2:3681:c4ff:fecb:5780\nifconfig-ipv6-pool fd01:0:0:d::2\/112\nifconfig-pool-persist \/etc\/openvpn\/ip-pool-4396.txt\nkeepalive 20 80\nkey \/etc\/openvpn\/caipirinha.spdns.org.key\nlog \/var\/log\/openvpn-4396.log\nmode server\npersist-key\npersist-tun\nport 4396\nproto udp6\nreneg-sec 86400\nscript-security 2\nstatus \/var\/run\/openvpn\/status-4396\ntls-server\ntopology subnet\nup \/etc\/openvpn\/start_vpn.sh\nverb 1\nwritepid \/var\/run\/openvpn\/server-4396.pid\n\n# Topologie des VPN und Default-Gateway\npush \"topology subnet\"\npush \"route-gateway 192.168.13.1\"\npush \"tun-ipv6\"\npush \"route-ipv6 2000::\/3\"\n# Routen zum internen Netzwerk setzen\npush \"route 192.168.2.0 255.255.255.0\"<\/code><\/pre>\n\n\n\nTCP-based VPN, full tunneling<\/h4>\n\n\n\n
# Konfigurationsdatei f\u00fcr den openVPN-Server auf CAIPIRINHA (TCP:8080)\n\nca \/root\/pki\/ca.crt\ncert \/etc\/openvpn\/caipirinha.spdns.org.crt\nclient-config-dir \/etc\/openvpn\/conf-8080\ncrl-verify \/root\/pki\/crl.pem\ndev tun5\ndh \/root\/pki\/dh.pem\nhand-window 90\nifconfig 192.168.11.1 255.255.255.0\nifconfig-pool 192.168.11.2 192.168.11.239 255.255.255.0\nifconfig-ipv6 fd01:0:0:b::1 fd00::2:3681:c4ff:fecb:5780\nifconfig-ipv6-pool fd01:0:0:b::2\/112\nifconfig-pool-persist \/etc\/openvpn\/ip-pool-8080.txt\nkeepalive 20 80\nkey \/etc\/openvpn\/caipirinha.spdns.org.key\nlog \/var\/log\/openvpn-8080.log\nmode server\npersist-key\npersist-tun\nport 8080\nproto tcp6-server\nreneg-sec 86400\nscript-security 2\nstatus \/var\/run\/openvpn\/status-8080\ntls-server\ntopology subnet\nup \/etc\/openvpn\/start_vpn.sh\nverb 1\nwritepid \/var\/run\/openvpn\/server-8080.pid\n\n# Topologie des VPN und Default-Gateway\npush \"topology subnet\"\npush \"route-gateway 192.168.11.1\"\npush \"redirect-gateway def1 bypass-dhcp\"\npush \"tun-ipv6\"\npush \"route-ipv6 2000::\/3\"\n# DNS-Server\npush \"dhcp-option DNS 8.8.8.8\"\npush \"dhcp-option DNS 8.8.4.4\"<\/code><\/pre>\n\n\n\nTCP-based VPN, split tunneling<\/h4>\n\n\n\n
# Konfigurationsdatei f\u00fcr den openVPN-Server auf CAIPIRINHA (TCP:8081)\n\nca \/root\/pki\/ca.crt\ncert \/etc\/openvpn\/caipirinha.spdns.org.crt\nclient-config-dir \/etc\/openvpn\/conf-8081\ncrl-verify \/root\/pki\/crl.pem\ndev tun6\ndh \/root\/pki\/dh.pem\nhand-window 90\nifconfig 192.168.12.1 255.255.255.0\nifconfig-pool 192.168.12.2 192.168.12.239 255.255.255.0\nifconfig-ipv6 fd01:0:0:c::1 fd00::2:3681:c4ff:fecb:5780\nifconfig-ipv6-pool fd01:0:0:c::2\/112\nifconfig-pool-persist \/etc\/openvpn\/ip-pool-8081.txt\nkeepalive 20 80\nkey \/etc\/openvpn\/caipirinha.spdns.org.key\nlog \/var\/log\/openvpn-8081.log\nmode server\npersist-key\npersist-tun\nport 8081\nproto tcp6-server\nreneg-sec 86400\nscript-security 2\nstatus \/var\/run\/openvpn\/status-8081\ntls-server\ntopology subnet\nup \/etc\/openvpn\/start_vpn.sh\nverb 1\nwritepid \/var\/run\/openvpn\/server-8081.pid\n\n# Topologie des VPN und Default-Gateway\npush \"topology subnet\"\npush \"route-gateway 192.168.12.1\"\npush \"tun-ipv6\"\npush \"route-ipv6 fd00:0:0:2::\/64\"\n# Routen zum internen Netzwerk setzen\npush \"route 192.168.2.0 255.255.255.0\"<\/code><\/pre>\n\n\n\n\n
OpenVPN Client Configuration<\/h3>\n\n\n\n
UDP-based VPN, full tunneling<\/h4>\n\n\n\n
# Konfigurationsdatei f\u00fcr den openVPN-Client auf ...\n\nclient\ndev tun\nexplicit-exit-notify\nhand-window 90\nkeepalive 10 60\nnobind\npersist-key\npersist-tun\nproto udp\nremote caipirinha.spdns.org 1194\nremote-cert-tls server\nreneg-sec 86400\nscript-security 2\nverb 1\n\n<ca>\n-----BEGIN CERTIFICATE-----\nMIIE2D...NNmlTg=\n-----END CERTIFICATE-----\n<\/ca>\n\n<cert>\n-----BEGIN CERTIFICATE-----\nMIIFJj...nbuzbI=\n-----END CERTIFICATE-----\n<\/cert>\n\n<key>\n-----BEGIN PRIVATE KEY-----\nMIIEvA...QcO+Q==\n-----END PRIVATE KEY-----\n<\/key><\/code><\/pre>\n\n\n\nTCP-based VPN, full tunneling<\/h4>\n\n\n\n
# Konfigurationsdatei f\u00fcr den openVPN-Client auf ...\n\nclient\ndev tun\nhand-window 90\nkeepalive 10 60\nnobind\npersist-key\npersist-tun\nproto tcp\nremote caipirinha.spdns.org 8080\nremote-cert-tls server\nreneg-sec 86400\nscript-security 2\nverb 1\n\n<ca>\n-----BEGIN CERTIFICATE-----\nMIIE2D...NNmlTg=\n-----END CERTIFICATE-----\n<\/ca>\n\n<cert>\n-----BEGIN CERTIFICATE-----\nMIIFJj...nbuzbI=\n-----END CERTIFICATE-----\n<\/cert>\n\n<key>\n-----BEGIN PRIVATE KEY-----\nMIIEvA...QcO+Q==\n-----END PRIVATE KEY-----\n<\/key><\/code><\/pre>\n\n\n\n\n
Further Improvements (OpenVPN)<\/h3>\n\n\n\n
Dedicated Configurations<\/h4>\n\n\n\n
# Spezielle Konfigurationsdatei f\u00fcr Gabriels Galaxy Note 9 (gabriel-SM-N960F)\n#\n\nifconfig-push 192.168.10.251 255.255.255.0\nifconfig-ipv6-push fd01:0:0:a:0:0:1:fb\/111 fd01:0:0:a::1<\/code><\/pre>\n\n\n\nWireGuard Server Configuration<\/h3>\n\n\n\n
\n
[Interface]\nAddress = 192.168.14.1\/24,fd01:0:0:e::1\/64\nListenPort = 44576\nPrivateKey = SHo...\n\n[Peer]\nPublicKey = pjp2PEboXA4RJhVoybXKuicNkz4XDZaW+c9yLtJq1gE=\nAllowedIPs = 192.168.14.2\/32,fd01:0:0:e::2\/128\nPersistentKeepalive = 30\n...\n[Peer]\nPublicKey = fcEcFYQ6cOqe7H9L2PvkM78mkKottJLnKwiqp4WO91s=\nAllowedIPs = 192.168.14.7\/32,fd01:0:0:e::7\/128\nPersistentKeepalive = 30\n...<\/code><\/pre>\n\n\n\n\n
\n
WireGuard Client Configuration<\/h3>\n\n\n\n
![\"\"](\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/WireGuard-Windows-Client.jpg\")
[Interface]\nPrivateKey = 2B2...\nAddress = 192.168.14.7\/32, fd01:0:0:e::7\/128\nDNS = 192.168.14.1, fd01:0:0:e::1\n\n[Peer]\nPublicKey = GvgCag5cvRaE18YUkAd+q\/NSOb54JYvXhylm1oz8OxI=\nAllowedIPs = 0.0.0.0\/0, ::\/0\nEndpoint = caipirinha.spdns.org:44576<\/code><\/pre>\n\n\n\n