"use strict";(self.webpackChunkwebsite=self.webpackChunkwebsite||[]).push([[8156],{8697:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>c,contentTitle:()=>t,default:()=>h,frontMatter:()=>i,metadata:()=>a,toc:()=>d});var r=s(5893),o=s(1151);const i={sidebar_label:"VPN"},t="zrok VPN Guide",a={id:"guides/vpn/vpn",title:"zrok VPN Guide",description:"zrok VPN backend allows for simple host-to-host VPN setup.",source:"@site/../docs/guides/vpn/vpn.md",sourceDirName:"guides/vpn",slug:"/guides/vpn/",permalink:"/docs/guides/vpn/",draft:!1,unlisted:!1,editUrl:"https://github.com/openziti/zrok/blob/main/docs/../docs/guides/vpn/vpn.md",tags:[],version:"current",frontMatter:{sidebar_label:"VPN"},sidebar:"tutorialSidebar",previous:{title:"The Drives CLI",permalink:"/docs/guides/drives/cli"}},c={},d=[{value:"Starting VPN server",id:"starting-vpn-server",level:2},{value:"VPN share reservation",id:"vpn-share-reservation",level:2},{value:"Accessing VPN share",id:"accessing-vpn-share",level:2}];function l(e){const n={code:"code",h1:"h1",h2:"h2",img:"img",p:"p",pre:"pre",...(0,o.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.h1,{id:"zrok-vpn-guide",children:"zrok VPN Guide"}),"\n",(0,r.jsx)(n.p,{children:"zrok VPN backend allows for simple host-to-host VPN setup."}),"\n",(0,r.jsx)(n.h2,{id:"starting-vpn-server",children:"Starting VPN server"}),"\n",(0,r.jsxs)(n.p,{children:["VPN is shared through the ",(0,r.jsx)(n.code,{children:"vpn"})," backend of ",(0,r.jsx)(n.code,{children:"zrok"})," command."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"eugene@hermes $ sudo -E zrok share private --headless --backend-mode vpn\n[   0.542]    INFO sdk-golang/ziti.(*listenerManager).createSessionWithBackoff: {session token=[589d443c-f59d-4fc8-8c48-76609b7fb402]} new service session\n[   0.705]    INFO main.(*sharePrivateCommand).run: allow other to access your share with the following command:\nzrok access private 3rq7torslq3n\n[   0.705]    INFO zrok/endpoints/vpn.(*Backend).Run: started\n"})}),"\n",(0,r.jsx)(n.p,{children:(0,r.jsx)(n.img,{alt:"VPN share",src:s(4283).Z+"",width:"1626",height:"1314"})}),"\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"sudo"})," or equivalent invocation is required because VPN mode needs to create a virtual network device (",(0,r.jsx)(n.code,{children:"tun"}),")\n",(0,r.jsx)(n.code,{children:"-E"})," option allows ",(0,r.jsx)(n.code,{children:"zrok"})," to find your zrok configuration files (in your ",(0,r.jsx)(n.code,{children:"$HOME/.zrok"}),")"]}),"\n",(0,r.jsxs)(n.p,{children:["By default ",(0,r.jsx)(n.code,{children:"vpn"})," backend uses subnet ",(0,r.jsx)(n.code,{children:"10.122.0.0/16"})," and assigns ",(0,r.jsx)(n.code,{children:"10.122.0.1"})," to the host that stared VPN share."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"$ ifconfig\ntun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 16384\n        inet 10.122.0.1  netmask 255.255.0.0  destination 10.122.0.1\n        inet6 fe80::705f:24e4:dcfc:a6b2  prefixlen 64  scopeid 0x20<link>\n        inet6 fd00:7a72:6f6b::1  prefixlen 64  scopeid 0x0<global>\n        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)\n        RX packets 0  bytes 0 (0.0 B)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 27  bytes 3236 (3.2 KB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n"})}),"\n",(0,r.jsxs)(n.p,{children:["Default IP/subnet setting can be overridden by adding ",(0,r.jsx)(n.code,{children:"<target>"})," parameter:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"$ sudo -E zrok share private --headless --backend-mode vpn 192.168.42.12/24\n"})}),"\n",(0,r.jsx)(n.h2,{id:"vpn-share-reservation",children:"VPN share reservation"}),"\n",(0,r.jsx)(n.p,{children:"Share reservation works the same as with other backend types:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"eugene@hermes $ zrok reserve private -b vpn\n[   0.297]    INFO main.(*reserveCommand).run: your reserved share token is 'k77y2cl7jmjl'\n\neugene@hermes $ sudo -E zrok share reserved k77y2cl7jmjl --headless\n[   0.211]    INFO main.(*shareReservedCommand).run: sharing target: '10.122.0.1/16'\n[   0.211]    INFO main.(*shareReservedCommand).run: using existing backend proxy endpoint: 10.122.0.1/16\n[   0.463]    INFO sdk-golang/ziti.(*listenerManager).createSessionWithBackoff: {session token=[22c5708d-e2f2-41aa-a507-454055f8bfcc]} new service session\n[   0.641]    INFO main.(*shareReservedCommand).run: use this command to access your zrok share: 'zrok access private k77y2cl7jmjl'\n[\n\n"})}),"\n",(0,r.jsx)(n.h2,{id:"accessing-vpn-share",children:"Accessing VPN share"}),"\n",(0,r.jsx)(n.p,{children:"Accessing a VPN share works similar to other backends."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"eugene@calculon % sudo -E zrok access private --headless k77y2cl7jmjl\n[   0.201]    INFO main.(*accessPrivateCommand).run: allocated frontend '50B5hloP1s1X'\n[   0.662]    INFO main.(*accessPrivateCommand).run: access the zrok share at the following endpoint: VPN:\n[   0.662]    INFO main.(*accessPrivateCommand).run: 10.122.0.1 -> CONNECTED Welcome to zrok VPN\n[   0.662]    INFO zrok/endpoints/vpn.(*Frontend).Run: connected:Welcome to zrok VPN\n"})}),"\n",(0,r.jsxs)(n.p,{children:["Starting ",(0,r.jsx)(n.code,{children:"zrok access"})," to a VPN share creates virtual network device/interface:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"eugene@calculon ~ % ifconfig \n...\nutun5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500\n        inet 10.122.0.3 --\x3e 10.122.0.1 netmask 0xff000000\n        inet6 fe80::ce08:faff:fe8a:7b25%utun5 prefixlen 64 scopeid 0x14\n        nd6 options=201<PERFORMNUD,DAD>\n...\n"})}),"\n",(0,r.jsxs)(n.p,{children:["At this point a VPN tunnel is active between your server and client.\nIn the example above server is ",(0,r.jsx)(n.code,{children:"hermes(10.122.0.1)"})," and client is ",(0,r.jsx)(n.code,{children:"calculon(10.122.0.3)"}),".\nYou can access server from client by using assigned IP address."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"eugene@calculon ~ % ssh eugene@10.122.0.1\nWelcome to Ubuntu 23.10 (GNU/Linux 6.5.0-27-generic x86_64)\n\n * Documentation:  https://help.ubuntu.com\n * Management:     https://landscape.canonical.com\n * Support:        https://ubuntu.com/pro\n\n0 updates can be applied immediately.\n\nLast login: Tue Apr 16 09:27:13 2024 from 127.0.0.1\n\neugene@hermes:~$ who am i\neugene   pts/8        2024-04-16 10:04 (10.122.0.3)\n\neugene@hermes:~$\n"})}),"\n",(0,r.jsx)(n.p,{children:"You can also make a reverse(server-to-client) connection:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"eugene@hermes:~$ ssh 10.122.0.3\nThe authenticity of host '10.122.0.3 (10.122.0.3)' can't be established.\n<..snip..>\nWarning: Permanently added '10.122.0.3' (ED25519) to the list of known hosts.\n(eugene@10.122.0.3) Password:\nLast login: Tue Apr 16 09:57:28 2024\neugene@calculon ~ % who am i\neugene           ttys008      Apr 16 10:06 (10.122.0.1)\neugene@calculon ~ %\n"})})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(l,{...e})}):l(e)}},4283:(e,n,s)=>{s.d(n,{Z:()=>r});const r=s.p+"assets/images/vpn-share-077094eabd79a2e072ee4c40f8e0fd31.png"},1151:(e,n,s)=>{s.d(n,{Z:()=>a,a:()=>t});var r=s(7294);const o={},i=r.createContext(o);function t(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:t(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]);