{"id":13509955,"url":"https://github.com/skx/simple-vpn","last_synced_at":"2025-04-07T07:17:29.981Z","repository":{"id":144201827,"uuid":"158441083","full_name":"skx/simple-vpn","owner":"skx","description":"A simple VPN allowing mesh-like communication between nodes, over websockets","archived":false,"fork":false,"pushed_at":"2023-10-09T07:04:38.000Z","size":68,"stargazers_count":286,"open_issues_count":2,"forks_count":47,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-03-31T06:02:22.455Z","etag":null,"topics":["golang","linux","linux-app","mesh","networking","privacy","route","vpn","websockets"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/skx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"github":"skx","custom":"https://steve.fi/donate/"}},"created_at":"2018-11-20T19:30:15.000Z","updated_at":"2025-03-25T14:26:33.000Z","dependencies_parsed_at":"2024-01-07T22:49:28.975Z","dependency_job_id":"435691e4-c205-4b82-a1b0-fc5af36b1403","html_url":"https://github.com/skx/simple-vpn","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skx%2Fsimple-vpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skx%2Fsimple-vpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skx%2Fsimple-vpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skx%2Fsimple-vpn/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/skx","download_url":"https://codeload.github.com/skx/simple-vpn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247608160,"owners_count":20965953,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","linux","linux-app","mesh","networking","privacy","route","vpn","websockets"],"created_at":"2024-08-01T02:01:18.618Z","updated_at":"2025-04-07T07:17:29.951Z","avatar_url":"https://github.com/skx.png","language":"Go","funding_links":["https://github.com/sponsors/skx","https://steve.fi/donate/"],"categories":["Go","\u003ca id=\"d62a971d37c69db9f3b9187318c3921a\"\u003e\u003c/a\u003e工具","vpn"],"sub_categories":["\u003ca id=\"8ea8f890cf767c3801b5e7951fca3570\"\u003e\u003c/a\u003e公网访问局域网"],"readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/skx/simple-vpn)](https://goreportcard.com/report/github.com/skx/simple-vpn)\n[![license](https://img.shields.io/github/license/skx/simple-vpn.svg)](https://github.com/skx/simple-vpn/blob/master/LICENSE)\n[![Release](https://img.shields.io/github/release/skx/simple-vpn.svg)](https://github.com/skx/simple-vpn/releases/latest)\n\n* [Simple-VPN](#simple-vpn)\n* [Installation](#installation)\n  * [Source Installation go \u0026lt;=  1.11](#source-installation-go---111)\n  * [Source installation go  \u0026gt;= 1.12](#source-installation-go---112)\n* [Encryption \u0026amp; Overhead](#encryption--overhead)\n* [VPN-Server Setup](#vpn-server-setup)\n* [VPN-Client Setup](#vpn-client-setup)\n* [Advanced 
Configuration](#advanced-configuration)\n* [Github Setup](#github-setup)\n\n# Simple-VPN\n\nThis project is a VPN-server, written in golang, using websockets as a transport.  The idea is that multiple nodes each connect to a central VPN-server, and once connected they can talk to _each other_ securely, regardless of their location.\n\nThe following image illustrates the expected setup:\n\n* Three hosts each connect to the central VPN host.\n* Once they're connected each of those hosts can then talk to the other machines which are also connected.\n  * (Their private traffic is routed to the central hub, from there sent back out.)\n\n![Screenshot](_media/vpn.png)\n\nWhile it is possible to use this software to mask your laptop's IP while traveling, instead showing the IP of the VPN-server as being the source of connections, that is __not__ the expected use-case.  (Nor is it documented!)\n\nIt should be noted that the VPN-server will become a single point of failure if you're using it to join (say) a database-host located at Hetzner with a number of webserver-nodes split between Linode and Digital Ocean, but being a simple service, easy to deploy, it should be trivial to spin up a replacement in a hurry.\n\n\n## Installation\n\nThere are two ways to install this project from source, which depend on the version of [go](https://golang.org/) you're using.\n\nAlternatively you can download the latest release from our [releases page](https://github.com/skx/simple-vpn/releases/) if you're running upon an AMD64-GNU/Linux host.  
(Unfortunately we use `CGO`, and the water-library, which makes our code non-portable for now.)\n\n\n### Source Installation go \u003c=  1.11\n\nIf you're using `go` before 1.11 then the following command should fetch/update the project and install it upon your system:\n\n     $ go get -u github.com/skx/simple-vpn\n\n### Source installation go  \u003e= 1.12\n\nIf you're using a more recent version of `go` (which is _highly_ recommended), you need to clone to a directory which is not present upon your `GOPATH`:\n\n    git clone https://github.com/skx/simple-vpn\n    cd simple-vpn\n    go install\n\n\n\n\n\n## Encryption \u0026 Overhead\n\nThe VPN-server __does not__ implement any kind of encryption itself, nor does it handle access-control beyond the use of a shared-secret.  Is this insane?  Actually no.\n\nThe expectation is that you'll host the VPN-server behind an nginx/apache proxy and you'll add TLS there (i.e. Let's Encrypt).  Providing all the clients connect to the server over a TLS/SSL-protected socket then things are secure:\n\n* The use of TLS prevents traffic from being sniffed.\n  * This means that the connections made from one host, to another, over their private network will be unreadable to hosts in the same location.\n* The use of a shared-secret prevents rogue agents from connecting to your VPN-server.\n  * This means a user cannot join your private network and attempt to sniff traffic that way.\n\nI believe this solution is \"secure enough\", but if you have concerns you can ensure that all the traffic you send over it uses TLS itself, for example database-connections can use TLS, etc.\n\nBecause traffic routed between two nodes on their private IP addresses has to be routed via the VPN-server expect to see [approximately 50% overhead](https://github.com/skx/simple-vpn/issues/9).\n\n\n\n## VPN-Server Setup\n\nConfiguring a VPN server requires two things:\n\n* The `simple-vpn` binary to be running in server-mode.\n  * This requires the use of a 
simple configuration-file.\n* Your webserver to proxy (websocket) requests to it.\n  * You __must__ ensure that your webserver uses TLS to avoid sniffing.\n\nA minimal configuration file for using `simple-vpn` in server-mode looks like this:\n\n* [etc/server.cfg](etc/server.cfg)\n\nWith your configuration-file you can now launch the VPN-server like so:\n\n     # simple-vpn server ./server.cfg\n\nTo proxy traffic to this server, via `nginx`, you could have a configuration file like this:\n\n    server {\n        server_name vpn.example.com;\n        listen [::]:443  default ipv6only=off ssl;\n\n        ssl_certificate      /etc/lets.encrypt/ssl/vpn.example.com.full;\n        ssl_certificate_key  /etc/lets.encrypt/ssl/vpn.example.com.key;\n        ssl_dhparam          /etc/nginx/ssl/dhparam.pem;\n\n        ssl_prefer_server_ciphers on;\n        ssl_protocols TLSv1.2 TLSv1.3;\n        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';\n        add_header Strict-Transport-Security \"max-age=31536000\";\n\n        proxy_buffering    off;\n        proxy_buffer_size  128k;\n        proxy_buffers 100  128k;\n\n        ## VPN server ..\n        location /vpn {\n\n           proxy_set_header      X-Forwarded-For $remote_addr;\n           
proxy_pass            http://127.0.0.1:9000;\n           proxy_http_version    1.1;\n           proxy_set_header      Upgrade $http_upgrade;\n           proxy_set_header      Connection \"upgrade\";\n           proxy_read_timeout    86400;\n           proxy_connect_timeout 43200000;\n\n           tcp_nodelay on;\n       }\n    }\n\n* You don't need to dedicate a complete virtual host to the VPN-server, a single \"location\" is sufficient.\n  * In this example we've chosen https://vpn.example.com/vpn to pass through to `simple-vpn`.\n\n\n## VPN-Client Setup\n\nInstall the binary upon the client hosts you wish to link, and launch them with the name of a configuration-file:\n\n    # simple-vpn client client.cfg\n\nThere is a sample client configuration file here:\n\n* [etc/client.cfg](etc/client.cfg)\n\nThe configuration file has two mandatory settings:\n\n* `key`\n  * Specifies the shared key with which to authenticate.\n* `vpn`\n  * Specifies the VPN end-point to connect to.\n\n\n\n## Advanced Configuration\n\nThe server will assign each client which connects the next unused IP address from the range it is configured to serve.\n\nBecause each client identifies itself with the hostname of the local system it is possible to map static IP addresses to any remote host, which is useful if you wish to set up DNS entries, etc.\n\nTo set up a static IP see the commented-out sections in the [server.cfg](etc/server.cfg) file.\n\n\n## Github Setup\n\nThis repository is configured to run tests upon every commit, and when\npull-requests are created/updated.  
The testing is carried out via\n[.github/run-tests.sh](.github/run-tests.sh) which is used by the\n[github-action-tester](https://github.com/skx/github-action-tester) action.\n\nReleases are automated in a similar fashion via [.github/build](.github/build),\nand the [github-action-publish-binaries](https://github.com/skx/github-action-publish-binaries) action.\n\n\nSteve\n--\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskx%2Fsimple-vpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fskx%2Fsimple-vpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskx%2Fsimple-vpn/lists"}