
VPN

openVPN

TBD

Headscale / Tailscale

Headscale is an open-source, self-hosted implementation of the Tailscale control (coordination) server.

Install it on your Server: https://headscale.net/running-headscale-linux/

Put it behind nginx so clients reach it over HTTPS (nginx terminates TLS, headscale itself speaks plain HTTP on port 8080). Example nginx config:

map $http_upgrade $connection_upgrade {
  default      keep-alive;
  'websocket'  upgrade;
  ''           close;
}

server {
  listen 80;
  listen [::]:80;

  listen 443      ssl http2;
  listen [::]:443 ssl http2;

  server_name <YOUR DOMAIN>;

  ssl_certificate /etc/letsencrypt/live/<YOUR DOMAIN>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<YOUR DOMAIN>/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;

  location / {
      # headscale listens on plain HTTP (8080); TLS is terminated here in nginx
      proxy_pass http://<HEADSCALE SERVER IP>:8080;
      proxy_http_version 1.1;
      # pass the WebSocket upgrade through; the control connection needs it
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      proxy_set_header Host $server_name;
      proxy_redirect http:// https://;
      proxy_buffering off;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # $scheme is what nginx actually saw; $http_x_forwarded_proto would just
      # echo a header the client sent and could be spoofed
      proxy_set_header X-Forwarded-Proto $scheme;
      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
  }
}

Install the Tailscale client on each client machine: https://tailscale.com/download/linux

Then run:

tailscale up --login-server https://<YOUR DOMAIN>

which prints a login URL; opening it in the browser shows the command to run on the headscale server to add (register) the node. Mission complete :)

tinc

apt install tinc net-tools

Generate the RSA key pair (8192 bit). The private key goes to /etc/tinc/<netname>/ and the public key is appended to hosts/<hostname>:

tincd -n <netname> -K8192

Set up tinc.conf, tinc-up and tinc-down in /etc/tinc/<netname>/.

Configure the hosts/<hostname> file (this node's public address, tinc port and VPN address) like:

Address = <myip>
Port = 55555
Subnet = 10.5.0.xxx

Copy the generated hosts/<hostname> file to *all* other servers and fetch their hosts files in return: every node needs every peer's host file, since it carries the peer's public key.

Start tinc:

tincd -n <netname>

For debugging, do not detach:

tincd -n <netname> -D

Enable at boot via systemd:

systemctl enable tinc@<netname>
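The tinc steps above leave the contents of tinc.conf, tinc-up and tinc-down implicit; the following added example (not from this page or the tinc project) renders all four files for one node from arguments and checks that a hosts file exists for every ConnectTo peer. Assumed values: the /24 tun subnet, the scratch root directory, and the constructed node names and addresses; the port 55555 and Subnet layout follow the page.

```sh
#!/bin/sh
# Added example (not from the original page). Renders tinc.conf, tinc-up,
# tinc-down and hosts/<name> for one tinc node. Assumptions: the VPN subnet
# is a /24, the port is 55555 as on the page, and the public key is appended
# to hosts/<name> afterwards by "tincd -n <netname> -K8192".
set -eu

write_tinc_node() {
  root=$1 netname=$2 name=$3 pubip=$4 vpnip=$5 peer=${6:-}
  dir="$root/$netname"
  mkdir -p "$dir/hosts"

  # tinc.conf: our identity, the tun interface name and the peer to dial on start.
  {
    printf 'Name = %s\n' "$name"
    printf 'Device = /dev/net/tun\n'
    printf 'Interface = %s\n' "$netname"
    if [ -n "$peer" ]; then printf 'ConnectTo = %s\n' "$peer"; fi
  } > "$dir/tinc.conf"

  # hosts/<name>: the file every other node needs from us (Address/Port/Subnet).
  printf 'Address = %s\nPort = 55555\nSubnet = %s\n' "$pubip" "$vpnip" > "$dir/hosts/$name"

  # tinc-up / tinc-down: tincd runs these with $INTERFACE set to the tun device.
  printf '#!/bin/sh\nip addr add %s/24 dev "$INTERFACE"\nip link set "$INTERFACE" up\n' \
    "$vpnip" > "$dir/tinc-up"
  printf '#!/bin/sh\nip addr del %s/24 dev "$INTERFACE"\nip link set "$INTERFACE" down\n' \
    "$vpnip" > "$dir/tinc-down"
  chmod 0755 "$dir/tinc-up" "$dir/tinc-down"
  # The private key that tincd -K writes here must not be readable by other local users.
  chmod 0700 "$dir"
}

# Check for the "copy hosts files to *all* other servers" step: every ConnectTo
# peer in tinc.conf needs a hosts/<peer> file, or tincd cannot authenticate it.
missing_peer_hosts() {
  dir="$1/$2"
  sed -n 's/^ConnectTo *= *//p' "$dir/tinc.conf" | while read -r p; do
    [ -f "$dir/hosts/$p" ] || echo "$p"
  done
}

# Usage (dry run in a scratch directory instead of /etc/tinc; constructed values):
#   sh tinc-node.sh /tmp/tinc-test vpn0 node1 203.0.113.10 10.5.0.1 node2
if [ "$#" -ge 5 ]; then
  write_tinc_node "$@"
  missing_peer_hosts "$1" "$2"
fi
```

Run it with the real root (/etc/tinc) as root once per node, then run `tincd -n <netname> -K8192` so the key pair is added; any name printed by missing_peer_hosts is a peer whose hosts file still has to be copied over.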
linux/network/vpn.txt · Last modified: 2024/01/18 20:59 by tkilla