The ungleich VPN infrastructure » History » Revision 14

Nico Schottelius, 02/02/2019 08:27 AM

The ungleich VPN infrastructure


This document is IN PRODUCTION.

Security of IPv6 vs. NAT

A quick reminder: NAT is not a security boundary. Whether your hosts sit behind private RFC1918 IPv4 addresses or use globally routable IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

Wireguard VPN on

  • Server:
  • Port: 51820
  • Requires a public key
  • Client network: 2a0a:e5c1:100::/40
  • Client network size: /48

How to add a new customer connection

  • Get the public key of the customer
  • Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file
  • Let the customer know their network
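
Before appending a customer to the manifest, it is worth checking that the submitted key really is a 32-byte WireGuard key and that the /48 you hand out lies inside 2a0a:e5c1:100::/40 and does not collide with an existing peer. The following Python is an added example, not ungleich's own code: the cdist manifest format is not shown on this page, so it renders a plain [Peer] stanza instead, and the reserved gateway /48 and the sample key are assumptions.

```python
import base64
import ipaddress

# Values from the page: the client pool and the per-customer prefix length.
CLIENT_POOL = ipaddress.IPv6Network("2a0a:e5c1:100::/40")
CLIENT_PREFIXLEN = 48

# Constructed sample data: the gateway's own /48 (assumed reserved for the server itself)
# and the peer network from the page's sample server configuration.
TAKEN = ["2a0a:e5c1:100::/48", "2a0a:e5c1:101::/48"]
# Placeholder key with the right shape (base64 of 32 bytes); not a real WireGuard key.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()

def parse_wg_key(key):
    """Return the raw 32-byte key behind a base64 WireGuard key, else raise ValueError."""
    key = key.strip()
    # 32 bytes always encode to 44 base64 characters with a single '=' pad.
    if len(key) != 44 or not key.endswith("=") or key.endswith("=="):
        raise ValueError("not a 44-character base64 WireGuard key: %r" % key)
    raw = base64.b64decode(key, validate=True)  # rejects characters outside the alphabet
    if len(raw) != 32:
        raise ValueError("decoded key is %d bytes, expected 32" % len(raw))
    return raw

def check_allocation(network, taken):
    """Validate a customer /48: right size, inside the pool, no overlap with existing peers."""
    net = ipaddress.IPv6Network(network)
    if net.prefixlen != CLIENT_PREFIXLEN:
        raise ValueError("customer networks are /%d, got %s" % (CLIENT_PREFIXLEN, net))
    if not net.subnet_of(CLIENT_POOL):
        raise ValueError("%s is outside the client pool %s" % (net, CLIENT_POOL))
    for other in taken:
        if net.overlaps(ipaddress.IPv6Network(other)):
            raise ValueError("%s overlaps existing allocation %s" % (net, other))
    return net

def peer_block(comment, pubkey, network, taken):
    """Render the [Peer] stanza for the server's wg0.conf once both checks pass."""
    parse_wg_key(pubkey)
    net = check_allocation(network, taken)
    return "[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s\n" % (comment, pubkey.strip(), net)

if __name__ == "__main__":
    print(peer_block("example customer, 2019-02-02", SAMPLE_KEY, "2a0a:e5c1:102::/48", TAKEN))
```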

Sample customer client configuration

  • Install wireguard
  • Create your private key: umask 077; wg genkey > privkey
  • Get your public key: wg pubkey < privkey
    • You need to send this pubkey to ungleich
  • You will get your network definition after we have received your public key
  • Create /etc/wireguard/wg0.conf with the following content:

[Interface]
# The contents of the privkey file you generated above
PrivateKey = <your private key>
# Local UDP port this client listens on
ListenPort = 51280
# wg-quick only: add "Address = <your assigned network>" here.
# wg setconf (the manual way below) does not accept this key.

[Peer]
# ungleich's server public key
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
# Public address of the VPN server, port 51820
Endpoint =
# Route all IPv6 traffic through the tunnel
AllowedIPs = ::/0

How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

wg-quick up wg0

And to stop the VPN, you can use

wg-quick down wg0

How to setup the VPN (the manual way)

Commands for setting it up

# Create the interface and load keys and peer from the config file
ip link add dev wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf

# Replace with your range (the network ungleich assigned to you)
ip addr add $MY_NET dev wg0

# Bring it up before adding routes: routes via wg0 are rejected while the interface is down
ip link set wg0 up

# Add routing
ip route add 2a0a:e5c1::/32 dev wg0
# Note: if your Endpoint is itself an IPv6 address, add a more specific route to it
# via your normal uplink first, otherwise the tunnel packets get routed into the tunnel
ip route add ::/0 via 2a0a:e5c1:100::1

How to debug

  • wg show # Show configuration
  • ping 2a0a:e5c1:100::1 # Try to ping the gateway

Sample server configuration

This is just for reference; as a client you don't need this configuration.

[Interface]
PrivateKey = <server private key>
ListenPort = 51820

[Peer]
# Nico, 2019-01-23
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below: one [Peer] block per customer
# ...

Sample server rc.local:

ip link add dev wg0 type wireguard
ip addr add 2a0a:e5c1:100::1/40 dev wg0
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 up

OpenVPN on

  • Server:
  • Port: 1195
  • Requires a certificate
  • Address range: 2a0a:e5c0:3::/48
    • Client networks are /64
