Expose a VPN Server
Using Border0, running an authenticated VPN service for your users is easy. This allows clients to connect to your VPN Socket, making your (private) IP network available via this VPN.
An example use case may be a scenario with an AWS VPC with private Subnets. Using this VPN socket, you can easily spin up a VPN server on that private VPC, allowing clients authorized by your Border0 policy to connect to these private subnets over an encrypted TLS tunnel.
1 - Create and connect VPN socket
The first step is to create a socket for this new VPN server. The VPN server is built on top of a TLS socket.
border0 socket create --type tls --name myvpn
Example:
$ border0 socket create --type tls --name myvpn
┌──────────────────────────────────────┬───────┬───────────────────────────────┬─────────┬──────┬─────────────┐
│ SOCKET ID │ NAME │ DNS NAME │ PORT(S) │ TYPE │ DESCRIPTION │
├──────────────────────────────────────┼───────┼───────────────────────────────┼─────────┼──────┼─────────────┤
│ b11d0c10-fc86-43a9-8ed4-42a83beaeea0 │ myvpn │ myvpn-border0-demo.border0.io │ 22129 │ tls │ │
└──────────────────────────────────────┴───────┴───────────────────────────────┴─────────┴──────┴─────────────┘
Policies:
┌─────────────┬────────────────────┬───────────────────┐
│ POLICY NAME │ POLICY DESCRIPTION │ ORGANIZATION WIDE │
├─────────────┼────────────────────┼───────────────────┤
│ default │ │ Yes │
└─────────────┴────────────────────┴───────────────────┘
After the socket has been created, it's time to connect it to the Border0 infrastructure and start the VPN server. We'll also provide the --route flag, instructing the VPN server to tell connecting clients which routes to install:
sudo border0 socket connect vpn myvpn --route 192.168.42.0/24
Note that you'll likely need to enable IP forwarding and NAT on the VPN server, otherwise client traffic destined for the advertised routes will not leave the host. On a typical Linux machine this can be achieved like this (the sysctl setting is not persistent across reboots unless you also add it to /etc/sysctl.conf or /etc/sysctl.d/, and the MASQUERADE rule below NATs all forwarded traffic leaving eth0, not only traffic from VPN clients):
sudo sysctl net.ipv4.ip_forward=1
# Note: replace eth0 with the interface that faces your private network
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo or root credentials
The VPN server creates a new TUN interface on your server, which requires root privileges, so the connect command must be run with sudo or as root.
$ sudo border0 socket connect vpn myvpn --route 192.168.42.0/24
Password:
Welcome to Border0.com
myvpn - tls://myvpn-border0-demo.border0.io
=======================================================
Logs
=======================================================
Now that your VPN server is running and ready for connections, it's time to test.
2 - Connecting to your VPN
To start, make sure you're logged in as a client to your Border0 organization (replace <orgname> with your Border0 organization name):
sudo border0 client login --org <orgname>
Now we can connect to your new VPN service. Run:
sudo border0 client vpn
and pick your newly created VPN service from the list.
$ sudo border0 client vpn
? choose a host: myvpn-border0-demo.border0.io []
{"level":"info","ts":"2023-08-03T15:58:52-07:00","msg":"Created TUN interface","interface_name":"utun6"}
{"level":"info","ts":"2023-08-03T15:58:52-07:00","msg":"Received control message","control_message":{"client_ip":"10.42.0.189","server_ip":"10.42.0.1","subnet_size":22,"routes":["192.168.42.0/24"]}}
You're now connected to the VPN. A new network interface was created and, as can be seen in the output, the VPN server provided the client with an IP address and one or more routes to install.
In the example above, the server assigned us the IP address 10.42.0.189/22, told us the VPN server is 10.42.0.1, and advertised that the network 192.168.42.0/24 is reachable via the VPN server (10.42.0.1).
3 - Testing your VPN
First, check that you can ping the VPN server from the client:
$ ping 10.42.0.1
PING 10.42.0.1 (10.42.0.1): 56 data bytes
64 bytes from 10.42.0.1: icmp_seq=0 ttl=64 time=76.133 ms
64 bytes from 10.42.0.1: icmp_seq=1 ttl=64 time=120.387 ms
We can also double-check that the routes were installed correctly. On Linux or macOS, we can use netstat like this (the output below is from macOS, where the VPN interface is named utun6):
$ netstat -rn | grep 192.168.42
192.168.42 utun6 USc utun6
4 - Advanced usage
We have a few additional things we can configure on the VPN server we started in step 1.
The border0 socket connect vpn command is used to start the VPN server and has a few additional flags.
$ sudo border0 socket connect vpn --help
Connect a VPN socket (TLS under-the-hood)
Usage:
border0 socket connect vpn [flags]
Flags:
-h, --help help for vpn
--route strings Routes to advertise to clients
--vpn-subnet string Ip range used to allocate to vpn clients (default "10.42.0.0/22")
Using the --route flag indicates which routes should be pushed down to VPN clients. You may repeat this flag multiple times if you have multiple routes you'd like to make available to your VPN clients. Note that --route only tells clients where to send traffic; who may connect at all is decided by the Border0 policy attached to the socket, and whether the traffic actually reaches the destination depends on the forwarding and NAT setup on the server.
Using the --vpn-subnet flag, the VPN administrator can control which IP range client addresses are allocated from. The first IP in the range is always reserved for the VPN server. Think of this as your DHCP range for VPN clients. The default range is 10.42.0.0/22. Make sure this range does not overlap with any route you advertise, otherwise clients end up with conflicting routes for the same addresses.
Example
$ sudo border0 socket connect vpn myvpn --vpn-subnet 192.168.10.0/24 --route 10.10.10.0/24 --route 172.16.0.0/20
Welcome to Border0.com
myvpn - tls://myvpn-border0-demo.border0.io
=======================================================
Logs
=======================================================
{"level":"info","ts":"2023-08-03T16:15:52-07:00","msg":"Started VPN server","interface":"utun5","server_ip":"192.168.10.1","vpn_subnet":"192.168.10.0/24"}
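The following script is added here as a worked example and is not part of Border0's documentation or CLI. It ties together the IP forwarding and NAT setup from step 1 with the --vpn-subnet and --route flags explained in this section: instead of masquerading everything that leaves eth0, it forwards and NATs only traffic from the VPN client range to the advertised routes (plus the replies) and drops other forwarded traffic from clients, and it refuses to start the server if a --route overlaps the client range. The variables VPN_SUBNET, ROUTES, EGRESS_IF and SOCKET_NAME, the function names, and the choice of iptables over nftables are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Border0's own code: prepare the Linux host that runs
# "border0 socket connect vpn". Forwarding and NAT are scoped to the VPN
# client range and the advertised routes, and the server is not started
# if a --route overlaps the --vpn-subnet. Defaults mirror the tutorial;
# EGRESS_IF, SOCKET_NAME and the variable names are assumptions.
set -eu

VPN_SUBNET="${VPN_SUBNET:-10.42.0.0/22}"     # --vpn-subnet (Border0 default)
ROUTES="${ROUTES:-192.168.42.0/24}"          # space-separated list for --route
EGRESS_IF="${EGRESS_IF:-eth0}"               # interface facing the private network
SOCKET_NAME="${SOCKET_NAME:-myvpn}"          # socket created in step 1

# ip4_to_int 10.42.0.0 -> 170524672 (dotted quad to a 32-bit integer)
ip4_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps A/n B/m -> returns 0 when the two ranges share any address.
# Two prefixes overlap exactly when they agree on the shorter prefix length.
cidr_overlaps() {
  a=$(ip4_to_int "${1%/*}"); a_len=${1#*/}
  b=$(ip4_to_int "${2%/*}"); b_len=${2#*/}
  len=$a_len
  if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# preflight -> fails if any advertised route overlaps the client range;
# such a client would have two conflicting routes for the same addresses.
preflight() {
  for r in $ROUTES; do
    if cidr_overlaps "$VPN_SUBNET" "$r"; then
      echo "refusing to start: --route $r overlaps --vpn-subnet $VPN_SUBNET" >&2
      return 1
    fi
  done
}

# nat_rules -> prints the iptables commands. Unlike a blanket MASQUERADE on
# EGRESS_IF, these forward and NAT only client traffic to the advertised
# routes, allow the replies back, and drop any other forwarded client traffic.
nat_rules() {
  for r in $ROUTES; do
    echo "iptables -A FORWARD -s $VPN_SUBNET -d $r -o $EGRESS_IF -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $VPN_SUBNET -d $r -o $EGRESS_IF -j MASQUERADE"
  done
  echo "iptables -A FORWARD -d $VPN_SUBNET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -s $VPN_SUBNET -j DROP"
}

# route_flags -> "--route A --route B ..." for border0 socket connect vpn
route_flags() {
  out=""
  for r in $ROUTES; do out="$out --route $r"; done
  echo "${out# }"
}

start_vpn_server() {
  preflight
  sysctl -w net.ipv4.ip_forward=1      # not persistent; add to /etc/sysctl.d/ to keep it
  nat_rules | sh -ex
  # shellcheck disable=SC2046
  exec border0 socket connect vpn "$SOCKET_NAME" --vpn-subnet "$VPN_SUBNET" $(route_flags)
}

if [ "${1:-}" = "--run" ]; then
  start_vpn_server   # run as root: the TUN interface and iptables need it
fi
```

Invoke the script with --run as root to bring the server up; without arguments it only defines the functions, so the overlap check and the generated rules can be inspected first (for example by calling nat_rules on its own). The FORWARD rules are scoped by source and destination address rather than by TUN interface name, since the name of the interface Border0 creates is chosen at run time.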