thomaswaldmann / vpngw Goto Github PK

high performance multi-VPN gateway with VLAN support

Shell 100.00%

vpn vpngate openvpn debian cyber wifi vlan unifi hotel

vpngw's Introduction

What is vpngw?

vpngw is a project to build a VPN gateway and intranet setup for (potentially untrusted) users accessing the internet in a secure and private way.

High VPN throughput (>= 100MBit/s) and easy VPN usability were the main goals.

The project is currently mostly documentation and configuration / script examples. So there is nothing you can just install, but it at least will take you less time than me.

Applications

at home: for family, friends, visitors
easy VPN selection by choosing the right LAN / wireless LAN
later, when more stable: small hotels, restaurants, ...

Components

a VPN gateway router
- uses Debian Linux on standard PC/Laptop hardware
- relies on a external modem or router for internet access, does not deal with establishing a internet connection by itself
- establishes one or multiple VPN tunnels to VPN providers
- when using multiple VPNs, offers simple CPU and VPN throughput load distribution
LAN switch and wireless LAN access point
- TP-Link WR-841N(D) with OpenWrt (same HW as often used by Freifunk project)
- multiple wireless LAN networks (SSIDs) on 1 device, each VPN has specific SSID
- multiple LAN ports, each VPN has a specific LAN port
- separation of VPNs is done using VLANs
alternatively, Ubiquiti Access Points (UAP) + optional separate switch
- UAPs have VLAN support and can be centrally managed
- if you need wired ports for the users, use a manageable switch with VLANs

Links

vpngw's People

Contributors

Stargazers

Watchers

vpngw's Issues

ipv6 capable VPN provider pushing v6

cyberghost started pushing v4 and v6 today (previously: only v4).

this breaks openvpn 2.3 if v6 is disabled on all interfaces.
it exits with an error if it can not configure v6 on an interface.
there is no way in openvpn 2.3 to avoid this.

https://community.openvpn.net/openvpn/ticket/849

masquerading for tunX duplicated?

ferm + openvpn up script

debian stretch upgrade

Currently, vpngw is based on Debian 8 "Jessie", but long term it would be good to upgrade it to Debian 9 "Stretch".

I tried it once, but due to some obstacles I kept jessie in the end for now:

interface names are like enp0s25 by default in stretch
that is an annoyance because it depends on the hardware setup
there is a kernel option (grub) to get back "old style" eth0/eth1 interface names, but at the same time it is deprecated, so future looks not good for them
I tried using the new stuff and adding alias names like "wan", "lan", ... - but ran into troubles with vlan not working with that.

So the main open issue is how to set up networking with stretch so that the setup does not depend on hardware-dependant interface names. We don't want to change interface names in a lot of config files when moving to other hardware.

iperf -c fritzbox-ip -p 4711 -u -t 60 -i 10 -b 1000M  # expected:  UDP ~1000Mbit/s
iperf -c fritzbox-ip -p 4711    -t 60 -i 10 -b 1000M  # expected:  TCP ~930Mbit/s

Client: thinkpad x270, i7-6600u, usb3 lan interface rtl8153, debian 10

allow ext. interface hotplugging

in /etc/network/interfaced.d/wan, add:

allow-hotplug eth1

TODO: add to docs

some vpn providers do not provide ipv6
if there is no ipv6 vpn support, there is some danger that ipv6 packets do not go over the vpn, potentially triggering issues that vpngw was designed to avoid
iirc, there currently is no ipv6 configuration at all on vpngw (routing, iptables/ferm)

to enable v6:

get clear about how to do it securely, adapt configuration
how to still support v4-only vpn providers?