I'm planning to install eduVPN as a personal VPN solution. I also want to separate the VPN functionality ("vpn-daemon", hostname "eduvpn-node1") from the management web frontend (the controller or "vpn-user-portal", hostname "eduvpn-portal").
Hostname: eduvpn-node1 | Hostname: eduvpn-portal
Software packages:     | Software packages:
vpn-server-node        | vpn-user-portal
vpn-daemon             | vpn-ca
vpn-maint-scripts      |
Adding software repository
So we start by configuring the required software repository (on both machines; here's the deb822-style version of the sources file):
eduvpn-portal # cat /etc/apt/sources.list.d/eduvpn.sources
Types: deb
URIs: https://repo.eduvpn.org/v3/deb
Suites: noble
Components: main
Architectures: amd64
# see https://codeberg.org/eduVPN/deploy/raw/branch/v3/resources/repo+v3@eduvpn.org.asc
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 mDMEYoKbBhYJKwYBBAHaRw8BAQdAYqEfYQm8BFK1dC7dFbOQRoV+q47cB9i0gur8
 z9Dg4820MGVkdVZQTiAzLnggUmVwbyBTaWduaW5nIEtleSA8cmVwbyt2M0BlZHV2
 cG4ub3JnPoiZBBMWCgBBFiEE9nEMqvu0eoo+yRgAYp1+4rY93nMFAmKCmwYCGwMF
 CRLMAwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQYp1+4rY93nPy0QEA
 2hsMIdl4M/rYC/xWjwlJMPdYhRumcsB4LPvpFCynV80A/iezye1QS+HbFvWLe35f
 2fCzZPEXcfBj62wfeP3j+9EE
 =3C81
 -----END PGP PUBLIC KEY BLOCK-----
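Hand-indenting the inline key is error-prone (every continuation line of a deb822 field needs one leading space, and the empty line after the BEGIN header has to be written as a lone "."), so here is an added helper script of mine, not part of the eduVPN project or of the steps above, that turns the downloaded repo+v3@eduvpn.org.asc into this layout and back again. The repository URI and component are the ones from the file above; the key written by make_demo_key is a constructed placeholder for the self-test, not a real key.

```shell
#!/bin/sh
# Added helper, not part of the eduVPN project or the original post.
# deb822 multi-line field rules: continuation lines are indented by one
# space, and an empty line inside the field is written as a lone "." (so
# the blank line after "-----BEGIN PGP PUBLIC KEY BLOCK-----" becomes " .").

# armored_to_signed_by KEYFILE : print the armored key as Signed-By continuation lines
armored_to_signed_by() {
    sed -e 's/^/ /' -e 's/^ $/ ./' "$1"
}

# render_sources KEYFILE SUITE : print a complete eduvpn.sources stanza with
# the key embedded inline (URI and component as used in this post)
render_sources() {
    printf 'Types: deb\nURIs: https://repo.eduvpn.org/v3/deb\nSuites: %s\nComponents: main\nArchitectures: amd64\nSigned-By:\n' "$2"
    armored_to_signed_by "$1"
}

# signed_by_to_armored SOURCESFILE : recover the armored key from the
# Signed-By field, e.g. to inspect it with "gpg --show-keys" before trusting it
signed_by_to_armored() {
    sed -n '/^Signed-By:/,/^$/p' "$1" \
        | sed -e '1d' -e '/^$/d' -e 's/^ //' -e 's/^\.$//'
}

# make_demo_key FILE : write a constructed placeholder in GnuPG armor layout;
# this is NOT a real key and must never be used in an actual sources file
make_demo_key() {
    printf '%s\n' \
        '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        '' \
        'mDMEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
        '=AAAA' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$1"
}

# Usage: sh deb822-key.sh repo+v3@eduvpn.org.asc noble > /etc/apt/sources.list.d/eduvpn.sources
if [ "$#" -eq 2 ]; then
    render_sources "$1" "$2"
fi
```

Before the first apt update, pull the key back out with signed_by_to_armored and run `gpg --show-keys` on the result to compare the fingerprint with the one the project publishes; a typo in the indentation shows up as apt refusing the key, a wrong key shows up only if you compare fingerprints.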
Basic installation
As the provided eduVPN maintenance scripts use some hard-coded defaults (like "wg0") instead of taking the configuration from /etc/default/vpn-daemon, I need to do some things manually (which fortunately is not that complex, as I'm not interested in configuring OpenVPN, only WireGuard).
So we start by installing the basic packages on the user portal machine:
eduvpn-portal # apt update
eduvpn-portal # apt install -y vpn-user-portal
Add a user with a password (test1234 below is only a placeholder) and put it on the admin list:
eduvpn-portal # sudo -u www-data vpn-user-portal-account --add vpn --password test1234
eduvpn-portal # vi /etc/vpn-user-portal/config.php
<...>
'adminUserIdList' => ['vpn'],
<...>
Generate keys for host eduvpn-node1:
eduvpn-portal # /usr/libexec/vpn-user-portal/generate-secrets --node 1
This will generate /etc/vpn-user-portal/keys/node.1.key
Create CA and certificates
The vpn-ca script creates its files in the current directory unless told otherwise. We'll create long-term certificates (25 years, following the eduVPN docs) for both the CA and the client/server certificates, and we'll restrict the names the CA may issue to "*.mydomain.de" with a domain constraint:
eduvpn-portal # cd /etc/vpn-user-portal/keys/ca
eduvpn-portal # VALIDTILL=$(date -d "+25 years" +%FT%T%:z)
eduvpn-portal # vpn-ca -init-ca -name "EduVPN Root CA" -domain-constraint ".mydomain.de" -not-after "${VALIDTILL}"
eduvpn-portal # vpn-ca -server -name "eduvpn-node1.mydomain.de" -out-crt server.crt -out-key server.key -not-after CA
eduvpn-portal # vpn-ca -client -name "eduvpn-portal.mydomain.de" -out-crt ../vpn-daemon/vpn-daemon-client.crt -out-key ../vpn-daemon/vpn-daemon-client.key -not-after CA
eduvpn-portal # cp ca.crt ../vpn-daemon/ca.crt
There are several things to know and keep in mind here:
The first certificate is the server-side certificate for our VPN node (vpn-daemon on eduvpn-node1). Its name must be the hostname the portal will later use to reach the daemon, and it has to fall within the CA's domain constraint.
The second certificate is a client certificate used by the eduVPN portal to connect to the vpn-daemon (e.g. to check connectivity between the two).
We'll later copy the CA and server files to their final destination on eduvpn-node1. First, however, we need to make sure the required software is installed on the VPN node (eduvpn-node1).
Installing VPN node
Now let's install the software on eduvpn-node1:
eduvpn-node1 # apt install vpn-server-node vpn-daemon vpn-maint-scripts
Then let's create a basic configuration for vpn-daemon:
eduvpn-node1 # cat /etc/default/vpn-daemon
LISTEN=:41194
WG_DEVICE=wg1
CREDENTIALS_DIRECTORY=/etc/vpn-daemon
Copy ca.crt, server.crt and server.key from the portal node to eduvpn-node1:/etc/vpn-daemon/ (or whatever path you set with CREDENTIALS_DIRECTORY) and make sure to get the ownership and permissions right (server.key must not be readable by other users):
eduvpn-node1 # chown vpn-daemon:vpn-daemon /etc/vpn-daemon/*
eduvpn-node1 # systemctl restart vpn-daemon
Check certificates
On the user-portal server:
eduvpn-portal # curl --cacert /etc/vpn-user-portal/keys/vpn-daemon/ca.crt --cert /etc/vpn-user-portal/keys/vpn-daemon/vpn-daemon-client.crt --key /etc/vpn-user-portal/keys/vpn-daemon/vpn-daemon-client.key https://eduvpn-node1.mydomain.de:41194/i/node
{"rel_load_average":[0,0,0],"load_average":[0,0,0],"cpu_count":2,"node_uptime":806520,"maintenance_mode":false}
Make sure to use the correct paths for the CA and certificate files on both machines; otherwise you will not be able to establish the mutually authenticated TLS connection between portal and node!
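The curl call above is the end-to-end test, but it only tells you that something is wrong, not what. As an added example (my script, not part of the eduVPN project or the original steps), here are the local checks I run on the node after copying the files and before restarting vpn-daemon: the chain from server.crt to ca.crt, the DNS name in server.crt, that server.key actually belongs to server.crt, and that the key is not world-readable. The file layout (ca.crt, server.crt, server.key in one directory) is the one from this post; make_demo_creds builds a throwaway RSA CA and server certificate with openssl purely as constructed test fixtures, so it says nothing about what vpn-ca itself produces.

```shell
#!/bin/sh
# Added example, not part of the eduVPN project or the original post: local
# pre-flight checks on the vpn-daemon credential files before restarting the
# service, so a misplaced file or wrong name fails here, not in the curl check.
# Assumed layout (as in this post): DIR/ca.crt, DIR/server.crt, DIR/server.key.

# check_node_creds DIR HOSTNAME : return 0 only if
#   1. server.crt chains to ca.crt (and is within its validity period),
#   2. server.crt carries HOSTNAME as a DNS subjectAltName,
#   3. server.key is the private key matching server.crt,
#   4. server.key is not world-readable.
check_node_creds() {
    dir=$1
    host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "FAIL: server.crt does not chain to ca.crt" >&2; return 1; }
    # escape dots so the hostname is matched literally, and require end-of-name
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')
    openssl x509 -in "$dir/server.crt" -noout -text | grep -Eq "DNS:$esc"'(,|$)' \
        || { echo "FAIL: server.crt has no DNS SAN for $host" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "FAIL: server.key does not match server.crt" >&2; return 1; }
    # "other" permission bits from ls -l, e.g. "-rw-------" -> "---"
    [ "$(ls -l "$dir/server.key" | cut -c8-10)" = "---" ] \
        || { echo "FAIL: server.key is world-readable" >&2; return 1; }
    echo "OK: $dir credentials are consistent for $host"
}

# make_demo_creds DIR HOSTNAME : constructed test fixtures only (a throwaway
# RSA CA and a server certificate for HOSTNAME), standing in for real files
make_demo_creds() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
    chmod 0600 "$dir/server.key"
}

# Usage on the node: sh check-creds.sh /etc/vpn-daemon eduvpn-node1.mydomain.de
if [ "$#" -eq 2 ]; then
    check_node_creds "$1" "$2"
fi
```

The same four checks apply on the portal side to vpn-daemon-client.crt and vpn-daemon-client.key against the copied ca.crt, with the name check dropped, since the daemon does not match the client name against a hostname.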
vpn-maint-apply-changes would call /usr/libexec/vpn-server-node/server-config to create a WireGuard config in /etc/wireguard/wg0.conf (note the hard-coded wg0, regardless of the WG_DEVICE set in /etc/default/vpn-daemon above):
eduvpn-node1 # cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.43.43.1/24,fd43::1/64
ListenPort = 51820
PrivateKey = <private key here>
So it's fairly basic.
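Because the maintenance script writes wg0.conf while /etc/default/vpn-daemon says wg1, the two can silently drift apart. As an added example (my script, not part of the eduVPN project or the original post), this small check reads WG_DEVICE from the defaults file, looks for the matching config under /etc/wireguard and reports the ListenPort, listing the configs that do exist when the expected one is missing. The test fixtures in the test are constructed copies of the two files shown in this post.

```shell
#!/bin/sh
# Added example, not part of the eduVPN project or the original post: detect
# the mismatch between WG_DEVICE in /etc/default/vpn-daemon and the
# /etc/wireguard/<device>.conf that vpn-maint-apply-changes generated.

# wg_device DEFAULTS_FILE : print WG_DEVICE from the defaults file
# (falls back to wg0, the hard-coded default described in this post)
wg_device() {
    dev=$(sed -n 's/^WG_DEVICE=//p' "$1" | tail -n 1 | tr -d '"')
    printf '%s\n' "${dev:-wg0}"
}

# wg_listen_port CONF : print ListenPort from a WireGuard [Interface] section
wg_listen_port() {
    sed -n 's/^ListenPort *= *//p' "$1" | head -n 1
}

# check_wg_config DEFAULTS_FILE WG_DIR : succeed only if the device named in
# DEFAULTS_FILE has a config in WG_DIR that sets a ListenPort; otherwise
# report which configs exist so a wg0/wg1 mix-up is obvious
check_wg_config() {
    dev=$(wg_device "$1")
    conf="$2/$dev.conf"
    if [ ! -f "$conf" ]; then
        present=$(cd "$2" 2>/dev/null && ls *.conf 2>/dev/null | tr '\n' ' ')
        echo "FAIL: WG_DEVICE=$dev but $conf is missing (present: ${present:-none})" >&2
        return 1
    fi
    port=$(wg_listen_port "$conf")
    if [ -z "$port" ]; then
        echo "FAIL: $conf has no ListenPort" >&2
        return 1
    fi
    echo "$dev listens on UDP $port"
}

# Usage: sh check-wg.sh /etc/default/vpn-daemon /etc/wireguard
if [ "$#" -eq 2 ]; then
    check_wg_config "$1" "$2"
fi
```

The reported port is also the one to open in the firewall for WireGuard (UDP 51820 in the config above), separate from the TCP 41194 that vpn-daemon listens on for the portal.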
More information can be found here: