CollabVPN: Difference between revisions

From Computernewb Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(4 intermediate revisions by 2 users not shown)
Line 9: Line 9:
* It is currently hosted on a VPS at [https://www.urdn.com.ua/ Ukrainian Data Network] but there are plans to move it to her own ASN once she is an LIR at RIPE.
* It is currently hosted on a VPS at [https://www.urdn.com.ua/ Ukrainian Data Network] but there are plans to move it to her own ASN once she is an LIR at RIPE.
* WireGuard Endpoint: <code>collabvpn.julias.zone:80</code>
* WireGuard Endpoint: <code>collabvpn.julias.zone:80</code>
* Ports are filtered according to the [https://gitlab.torproject.org/tpo/core/tor/-/blob/release-0.4.6/src/core/or/policies.c#L1901 DEFAULT_EXIT_POLICY] of tor.

==== Used IP-Addresses ====
{| class="wikitable"
{| class="wikitable"
|+
!Used For
!Used For
!Pool
!Pool
Line 28: Line 30:
|-
|-
|IPv4 SRCNAT
|IPv4 SRCNAT
|193.218.118.174:49152-65535
|193.218.118.174
|The NAT uses these ports for outgoing IPv4 connections.
|Used by the NAT for outgoing IPv4 connections.
|-
|-
|IPv4 DSTNAT
|IPv4 DSTNAT
Line 35: Line 37:
|These IPv4 ports can be routed to peers on demand.
|These IPv4 ports can be routed to peers on demand.
|}
|}

=== Tutorials ===

==== Using systemd-networkd ====

# Create a file named <code>/etc/systemd/network/collabvpn.netdev</code>
# Put the following content into it: https://repo.julias.zone/collabvpn/netdev.txt
# Set the file permissions using <code>chown root:systemd-network /etc/systemd/network/collabvpn.netdev; chmod 0640 /etc/systemd/network/collabvpn.netdev</code>
# You can generate a keypair using <code>KEY=`wg genkey`; echo PrivateKey $KEY; echo PublicKey `echo $KEY | wg pubkey`</code>. IMPORTANT: Keep your PrivateKey PRIVATE, as the name states it. DO NOT share it with anyone.
# Put the PrivateKey into the config.
# Send Julia your PublicKey, see below. Wait for her to respond and then continue.
# Create a file named <code>/etc/systemd/network/collabvpn.network</code>
# Put the following content into it https://repo.julias.zone/collabvpn/network.txt
# Fill in your addresses. IMPORTANT: Do not fill in your /64 as your address, fill in your /128. Your /64 is routed over that address and will be unusable if configured improperly.
# Setup a NAT for IPv4, setup a router advertisements for IPv6 and you're good to go.


=== Requesting a Tunnel ===
=== Requesting a Tunnel ===
Line 52: Line 69:
*** Also inbound connections are let in on IPv6 and IPv4.
*** Also inbound connections are let in on IPv6 and IPv4.
*** You can request to have a few IPv4 ports routed to you.
*** You can request to have a few IPv4 ports routed to you.
*** You can request to have subdomains on forkie.dev aswell as RDNS on IPv6.
*** You can request to have subdomains on [https://forkie.dev forkie.dev] aswell as RDNS on IPv6.
*** Hosting WebServers is possible thanks to [https://github.com/AGWA/snid snid]. Simply tell users to host an HTTPS server on 443 with your subdomain and IPv4 connections from for example 192.0.2.0 will show up to come from the IPv6 NAT64 subnet of 64:ff9b:1:fffe:80:ff7f::/96, so it would be 64:ff9b:1:fffe:80:ff7f:192.0.2.0 aka 64:ff9b:1:fffe:80:ff7f:c000:200.
*** Hosting WebServers is possible thanks to [https://github.com/AGWA/snid snid]. Simply tell users to host an HTTPS server on 443 with your subdomain and IPv4 connections from for example 192.0.2.0 will show up to come from the IPv6 NAT64 subnet of 64:ff9b:1:fffe:80:ff7f::/96, so it would be 64:ff9b:1:fffe:80:ff7f:192.0.2.0 aka 64:ff9b:1:fffe:80:ff7f:c000:200.


=== To Do ===
=== To Do ===


*
* Further technical details like blocked ports
* Tutorial using ifupdown/wg-quick and radvd
* Extend tutorial for systemd-networkd to include DHCPv4 server and router advertisements

Latest revision as of 10:52, 7 May 2024

CollabVPN is a VPN provided to users who want to host CollabVMs/UserVMs but don't want to use their existing ISP/NSP as an exit.

It is not affiliated with Computernewb or CollabVM in any way.

This was created by Julia because many commercial VPN providers are not equipping users with enough global IPv6 addresses, resulting in an IPv4-only or IPv4-prefferred network.

Technical details

  • It is currently hosted on a VPS at Ukrainian Data Network but there are plans to move it to her own ASN once she is an LIR at RIPE.
  • WireGuard Endpoint: collabvpn.julias.zone:80
  • Ports are filtered according to the DEFAULT_EXIT_POLICY of tor.

Used IP-Addresses

Used For Pool Description
IPv6 Peers 2a0f:e586:f:2c02::/64 These are assigned to the WireGuard peers and are used to route their /64s
IPv6 Pool 2a0f:e586:f:2c10::/60 This pool contains 16 /64s for assignment to peers. More can be added once necessary.
IPv4 Peers 10.1.1.0/24 This pool contains 254 IPv4 addresses used for NAT purposes assigned to the peers.
IPv4 SRCNAT 193.218.118.174 Used by the NAT for outgoing IPv4 connections.
IPv4 DSTNAT 193.218.118.174:1024-49151 These IPv4 ports can be routed to peers on demand.

Tutorials

Using systemd-networkd

  1. Create a file named /etc/systemd/network/collabvpn.netdev
  2. Put the following content into it: https://repo.julias.zone/collabvpn/netdev.txt
  3. Set the file permissions using chown root:systemd-network /etc/systemd/network/collabvpn.netdev; chmod 0640 /etc/systemd/network/collabvpn.netdev
  4. You can generate a keypair using KEY=`wg genkey`; echo PrivateKey $KEY; echo PublicKey `echo $KEY | wg pubkey`. IMPORTANT: Keep your PrivateKey PRIVATE, as the name states it. DO NOT share it with anyone.
  5. Put the PrivateKey into the config.
  6. Send Julia your PublicKey, see below. Wait for her to respond and then continue.
  7. Create a file named /etc/systemd/network/collabvpn.network
  8. Put the following content into it https://repo.julias.zone/collabvpn/network.txt
  9. Fill in your addresses. IMPORTANT: Do not fill in your /64 as your address, fill in your /128. Your /64 is routed over that address and will be unusable if configured improperly.
  10. Setup a NAT for IPv4, setup a router advertisements for IPv6 and you're good to go.

Requesting a Tunnel

It is possible to request a WireGuard tunnel from Julia (wiki, website) that you can connect to and tunnel your VMs over.

You need to include the following information when requesting a tunnel:

  • Your WireGuard public key
  • Your GPG public key (optional, but nice to have for extra security like WireGuard PSKs). Sign and encrypt it with 0075530C72926390787F472D2CB69D1DB326E875 if you like.
  • How many /64 IPv6 subnets you need, aka how many bridges you want to tunnel.
  • What firewall configuration you want:
    • Restricted
      • Only outbound IPv6 and IPv4 connections are permitted.
      • Inbound connections are filtered and only responses/packets from tracked connections are let in.
      • This is the default unless you explicitly request exposure.
    • Exposed
      • Also inbound connections are let in on IPv6 and IPv4.
      • You can request to have a few IPv4 ports routed to you.
      • You can request to have subdomains on forkie.dev aswell as RDNS on IPv6.
      • Hosting WebServers is possible thanks to snid. Simply tell users to host an HTTPS server on 443 with your subdomain and IPv4 connections from for example 192.0.2.0 will show up to come from the IPv6 NAT64 subnet of 64:ff9b:1:fffe:80:ff7f::/96, so it would be 64:ff9b:1:fffe:80:ff7f:192.0.2.0 aka 64:ff9b:1:fffe:80:ff7f:c000:200.

To Do

  • Tutorial using ifupdown/wg-quick and radvd
  • Extend tutorial for systemd-networkd to include DHCPv4 server and router advertisements