nocci/mvpg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
mvpg/docs/PROVIDERS.md
nocci 58d70409b5 New branch
2025-08-10 15:34:34 +02:00

339 lines
6.4 KiB
Markdown
Raw Blame History

# VPN Provider Configuration Guide
## Overview
The VPN Gateway supports three types of providers:
1. **Mullvad VPN** - Commercial VPN service
2. **Custom WireGuard** - Your own VPN server
3. **Import Config** - Existing WireGuard configurations
## Mullvad VPN
### Setup
1. Get a Mullvad account at https://mullvad.net
2. Note your 16-digit account number
3. During installation, select "Mullvad" and enter your account number
### Features
- Automatic server list updates
- 40+ countries available
- Built-in DNS leak protection
- No logging policy
### Server Selection
Servers are organized by:
- **Country** (Sweden, Germany, USA, etc.)
- **City** (Stockholm, Berlin, New York, etc.)
- **Server** (se-sto-wg-001, de-ber-wg-002, etc.)
### Configuration
The system automatically:
- Fetches current server list
- Generates WireGuard keys
- Configures DNS (100.64.0.1)
- Sets up kill switch
## Custom WireGuard Server
### Prerequisites
You need:
- A VPS or dedicated server
- WireGuard installed on the server
- Server public key
- Open port (usually 51820)
### Server Setup (VPS Side)
#### 1. Install WireGuard
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install wireguard
# CentOS/RHEL
sudo yum install wireguard-tools
```
#### 2. Generate Keys
```bash
cd /etc/wireguard
wg genkey | tee server_private.key | wg pubkey > server_public.key
```
#### 3. Configure Server
```bash
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
PrivateKey = $(cat server_private.key)
Address = 10.0.0.1/24
ListenPort = 51820
# Enable IP forwarding
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Peer (VPN Gateway)
[Peer]
PublicKey = <GATEWAY_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
EOF
```
#### 4. Start WireGuard
```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
### Gateway Setup (Client Side)
During installation, provide:
- **Endpoint**: Your server's IP:Port (e.g., 1.2.3.4:51820)
- **Server Public Key**: From server_public.key
- **Client IP**: Usually 10.0.0.2/32
- **DNS**: 1.1.1.1,1.0.0.1 or your preferred DNS
### Adding Multiple Servers
Via WebUI:
1. Go to "Custom Server" tab
2. Click "Add New Server"
3. Fill in server details
4. Save configuration
Via API:
```bash
curl -X POST http://gateway-ip/api/custom/add \
-H "Content-Type: application/json" \
-d '{
"name": "my-vps-us",
"endpoint": "us.example.com:51820",
"public_key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=",
"location": "United States"
}'
```
## Import Existing Configuration
### Supported Formats
- Standard WireGuard .conf files
- Configs from any WireGuard provider
- Custom peer configurations
### Import Methods
#### Via WebUI
1. Select "Import Config" tab
2. Choose file or paste configuration
3. Provide a name for the config
4. Click "Import"
#### Via CLI
```bash
# Copy config to gateway
scp myconfig.conf root@gateway-ip:/tmp/
# Import via API
curl -X POST http://gateway-ip/api/import \
-H "Content-Type: application/json" \
-d '{
"name": "imported-config",
"config": "'"$(cat /tmp/myconfig.conf)"'"
}'
```
### Automatic Modifications
The system automatically:
- Adds killswitch rules if missing
- Preserves original settings
- Validates configuration syntax
### Example Configuration
```ini
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.8.0.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
```
## Provider Switching
### Via WebUI
1. Click on provider tabs
2. System automatically switches backend
3. Previous provider settings are preserved
### Via API
```bash
# Switch to Mullvad
curl -X POST http://gateway-ip/api/provider/mullvad
# Switch to Custom
curl -X POST http://gateway-ip/api/provider/custom
# Switch to Imported
curl -X POST http://gateway-ip/api/provider/imported
```
## Advanced Configuration
### Split Tunneling
For custom servers, modify AllowedIPs:
```ini
# Route only specific subnets through VPN
AllowedIPs = 10.0.0.0/8, 192.168.0.0/16
# Route everything except local network
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
```
### Multiple Peers (Failover)
```ini
[Peer]
# Primary server
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0
Endpoint = primary.example.com:51820
[Peer]
# Backup server
PublicKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
AllowedIPs = 0.0.0.0/0
Endpoint = backup.example.com:51820
```
### Custom DNS
Modify DNS in the configuration:
```ini
# CloudFlare
DNS = 1.1.1.1, 1.0.0.1
# Quad9
DNS = 9.9.9.9, 149.112.112.112
# Custom/Local
DNS = 192.168.1.1
```
## Performance Optimization
### MTU Settings
For optimal performance:
```ini
[Interface]
MTU = 1420 # Default, works for most connections
# MTU = 1380 # For problematic connections
# MTU = 1280 # Maximum compatibility
```
### Persistent Keepalive
Adjust based on your needs:
```ini
# For stable connections
PersistentKeepalive = 25
# For NAT/firewall traversal
PersistentKeepalive = 10
# Disable for on-demand
# PersistentKeepalive = 0
```
## Troubleshooting Providers
### Mullvad Issues
```bash
# Check account status
curl https://api.mullvad.net/www/accounts/<account-number>/
# Test server connectivity
ping -c 1 <server-ip>
# Verify WireGuard keys
wg show wg0 public-key
```
### Custom Server Issues
```bash
# Test connectivity
nc -zv <server-ip> 51820
# Check server logs (on VPS)
sudo journalctl -u wg-quick@wg0 -f
# Verify keys match
echo "<public-key>" | base64 -d | wc -c # Should be 32
```
### Import Issues
```bash
# Validate config syntax
wg-quick strip /path/to/config.conf
# Test config manually
sudo wg-quick up /tmp/test.conf
sudo wg-quick down /tmp/test.conf
```
## Security Considerations
### Key Management
- Never share private keys
- Rotate keys periodically
- Use unique keys per device/gateway
### Server Hardening
For custom servers:
```bash
# Firewall rules
ufw allow 51820/udp
ufw allow from 10.0.0.0/24
# Disable password auth
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
# Enable automatic updates
apt install unattended-upgrades
```
### Monitoring
```bash
# Connection status
wg show
# Traffic statistics
wg show wg0 transfer
# Active connections
netstat -tunlp | grep 51820
```
Reference in a new issue View git blame Copy permalink