To run a server, you must be familiar with all the technical aspects and terms involved. Please read the documentation first.
You need to fulfil all of these prerequisites if you want to set up and run a server yourself.
There are several ways to run a server, from the simplest to the most complex. We are working on all of these types, but not all of them are ready to run yet.
This mode is not supported yet, but we are preparing it. It is the simplest way to help the LVPN network grow. You only need a small piece of software running on a server (a TLS or HTTP proxy) that redirects users to a specific provider. We will need many of these simple gateways in the future as input gates.
We will add instructions later.
When you do not need to manage your own space, you can run a gate-only setup. Your node will act as an input point through which other users connect to the spaces you select/allow. We will add instructions later.
A full node means VPN server, daemon, space, gate and provider, all together. This is the most complex, but preferred, way.
Our Docker compose skeleton is just an example! Do not expect it to run without modification. Edit the env file and link the docker-compose file and the env file together.
First, install docker and docker-compose on your server.
Then use our predefined docker-compose directory and adapt it to your needs.
Depending on your setup, you can enable or disable services in the docker-compose file.
A DNS resolver is needed for clients to resolve names. It can be any DNS resolver. It is always a good idea to use a separate DNS server for VPN clients.
The TLS proxy is the core mandatory part. It contains the TLS logic that allows or denies clients based on their TLS certificates. All other services are "hidden" behind this proxy.
The daemon container is where blockchain data are stored. Every node should host a daemon so that the entire network runs smoothly.
A tinyproxy instance is used by users to reach web pages. You can tune the tinyproxy config and limit what should and should not be accessible. You can even use your own proxy server instead of tinyproxy.
A SOCKS proxy serves the same purpose. You can use another implementation too.
This container is used for the basic SSH proxy. SSH is better than TLS because the encrypted connection is created only once and all other connections are tunneled inside it, which is quicker than a TLS handshake for every connection. You must set up the sshd config so that it accepts the certificates generated by LVPNS.
LVPNS uses HTTP port 8123 on the server, which is not encrypted. Communication with the manager MUST be encrypted, because all key material is transported over this channel. Use haproxy or another technology to offload SSL/TLS termination and forward the HTTP connections to port 8123. Do not expose plain HTTP!
While it is technically possible to use your own certificates, we highly recommend having a valid certificate (e.g. from Let's Encrypt) and a valid FQDN for the manager. You will need this valid URL for VDP construction, for example https://some.where.nice/
LVPNS is used as a termination point only for WireGuard. All other traffic goes through the ssh or proxy container, and lvpns just issues all the certificates that are needed.
This is the server manager. It runs an HTTP server with API endpoints and orchestrates all sessions. Every request for a paid session is routed to lvpns, where the server generates the correct certificate for the user with a predefined expiration based on the payment. SSH and TLS sessions are authenticated by these certificates.
This container needs the NET_ADMIN capability because it also runs the WireGuard server. Do not forget to add all WireGuard ports, as UDP, to the port mapping if you want to operate WireGuard.
Use this if you want to be automatically connected to another space, so that your node is also accessible from another provider.
This is a simple tor container, for clients that need to access the .onion network.
The wallet is used as your VPN wallet where all the payments will arrive. You need to create and configure the wallet first. The easy-provider script can help you; see below.
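As an added example (not part of the LVPN compose skeleton), a small shell audit of a docker-compose.yml for the three points made above: port 8123 never published to the host, NET_ADMIN on the lvpns service, and WireGuard ports published as UDP. The two sample compose files it writes and the 51820-51829 WireGuard port range are constructed assumptions.

```shell
#!/bin/sh
# Added audit script (not LVPN project code). Checks a docker-compose.yml for:
#   1. port 8123 (plain-HTTP manager) must not be published to the host
#   2. some service must have cap_add NET_ADMIN (WireGuard needs it)
#   3. every published WireGuard port must be mapped as /udp
# Assumption: WireGuard ports are in the 51820-51829 range; adjust PORT_RE if not.
PORT_RE='^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?'

# audit_compose FILE -> prints findings; returns 0 when clean, 1 otherwise
audit_compose() {
  f=$1; rc=0
  if grep -Eq "${PORT_RE}8123:" "$f"; then
    echo "FAIL $f: port 8123 is published; terminate TLS in haproxy instead"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*-[[:space:]]*NET_ADMIN' "$f"; then
    echo "FAIL $f: no cap_add NET_ADMIN; the WireGuard server will not start"; rc=1
  fi
  if grep -E "${PORT_RE}5182[0-9]:" "$f" | grep -vq '/udp'; then
    echo "FAIL $f: WireGuard port mapping without /udp"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK   $f"
  return "$rc"
}

# write_samples DIR: constructed compose fragments, one correct and one weak
write_samples() {
  cat > "$1/good.yml" <<'EOF'
services:
  lvpns:
    image: limosek/lvpn:dev
    cap_add:
      - NET_ADMIN
    ports:
      - "51820:51820/udp"      # WireGuard, UDP only; 8123 stays internal
  haproxy:
    image: haproxy:lts
    ports:
      - "443:443"
EOF
  cat > "$1/bad.yml" <<'EOF'
services:
  lvpns:
    image: limosek/lvpn:dev
    ports:
      - "8123:8123"            # plain HTTP exposed: key material in clear
      - "51820:51820"          # TCP mapping, but WireGuard is UDP
EOF
}
```

Run it as `audit_compose docker-compose.yml` against your real file; the sample writer only exists to show a passing and a failing layout side by side.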
You can use the easy-provider function of the docker image to create your first VDP.
```shell
mkdir $(pwd)/lvpn-easy
docker run -v $(pwd)/lvpn-easy:/home/lvpn -e EASY_FQDN=some.where.nice -ti limosek/lvpn:dev easy-provider
```
You will get output like this. Save it for future use. Note that some unimportant parts are stripped here.
```text
Generating new provider to /home/lvpn/easy.
You can tune this wizard by setting variables
EASY_FQDN - FQDN or IP of your provider
EASY_CA_CN - CN for generated CA
VPN password: <pass>
VPN RPC password: <pass2>
Private Key (NEVER SHARE THIS!): <provider_privkey>
Public Key: <provider-publickey>
Generated new CA to directory /home/lvpn/easy/ca
lmgmt issue-crt some.where.nice 365
-----BEGIN PRIVATE KEY-----
<KEY for haproxy>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<CRT for haproxy>
-----END CERTIFICATE-----
Generating public/private ecdsa key pair.
Your identification has been saved in /home/lvpn/easy/ssh-user-ca
Your public key has been saved in /home/lvpn/easy/ssh-user-ca.pub
The key fingerprint is:
SHA256:<hash>
Generating public/private ecdsa key pair.
Your identification has been saved in /home/lvpn/easy/ssh-host-ca
Your public key has been saved in /home/lvpn/easy/ssh-host-ca.pub
The key fingerprint is:
SHA256:<hash2>
Signed host key /home/lvpn/easy/ssh-host-ca-cert.pub: id "some.where.nice" serial 0 for some.where.nice valid from 2024-03-02T11:19:00 to 2030-11-30T11:20:34
Do not forget to save /home/lvpn/easy directory!
```
The generated VDP and provider data will be in the directory $(pwd)/lvpn-easy/. Save this directory and save the output of this command! If you lose any credentials later, you cannot recover them.
Use our primary VDP definition as a template for creating all the services you need. Save them to the lvpns/server/etc/ directory of your compose directory.
You need to link everything together. Set up haproxy to trust the CA you generated and set up SSH to trust the SSH CA you generated.
Copy ssh-user-ca.pub to your ssh server container and configure sshd to trust this CA for users.
Your certificate and key are in ca/certs/<FQDN>/
haproxy needs the certificate and key combined into one file:
```shell
cat ca/certs/<FQDN>/<FQDN>.pem ca/certs/<FQDN>/<FQDN>.crt >combined.pem
```
The CA certificate is ca/ca.crt.
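The linking steps above (combined key+certificate for haproxy, haproxy trusting the generated CA, sshd trusting the SSH CA) as one added shell example; this is not the LVPN project's own tooling. It assumes the easy-provider output is in ./lvpn-easy, the manager is reachable as lvpns:8123 and tinyproxy as tinyproxy:8888 on the compose network, and the ssh proxy container reads the rendered fragment from /etc/ssh/sshd_config.d/ with the CA and host key files copied next to it.

```shell
# Added example, not the LVPN project's own tooling. Assumptions: easy-provider output
# is in ./lvpn-easy, the manager is reachable as lvpns:8123 on the compose network,
# tinyproxy listens on its default port 8888, and the ssh proxy container reads
# /etc/ssh/sshd_config.d/lvpn.conf (copy the CA and host key files alongside it).

# combine_pem EASYDIR FQDN OUT: key + certificate in one file for haproxy (the cat
# command above); fails unless both a private key and a certificate ended up in OUT.
combine_pem() {
  cat "$1/ca/certs/$2/$2.pem" "$1/ca/certs/$2/$2.crt" > "$3" || return 1
  chmod 600 "$3"   # the combined file holds the private key
  grep -q 'BEGIN PRIVATE KEY' "$3" && grep -q 'BEGIN CERTIFICATE' "$3"
}

# render_haproxy_cfg: TLS terminates here, plain HTTP to 8123 never leaves the compose
# network; the proxy frontend admits only clients whose certificate was signed by the
# easy-provider CA (ca/ca.crt), which is how haproxy "trusts your CA".
render_haproxy_cfg() {
  cat <<'EOF'
defaults
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend manager_tls
    mode http
    bind *:443 ssl crt /etc/haproxy/combined.pem ssl-min-ver TLSv1.2
    default_backend lvpns_manager
backend lvpns_manager
    mode http
    server lvpns lvpns:8123 check
frontend proxy_tls
    mode tcp
    bind *:8443 ssl crt /etc/haproxy/combined.pem ssl-min-ver TLSv1.2 ca-file /etc/haproxy/ca.crt verify required
    default_backend tinyproxy
backend tinyproxy
    mode tcp
    server tinyproxy tinyproxy:8888 check
EOF
}

# render_sshd_fragment: accept user certificates issued by the LVPNS user CA and present
# the host certificate easy-provider signed (it belongs to the ssh-host-ca key).
render_sshd_fragment() {
  cat <<'EOF'
TrustedUserCAKeys /etc/ssh/ssh-user-ca.pub
HostKey /etc/ssh/ssh-host-ca
HostCertificate /etc/ssh/ssh-host-ca-cert.pub
PasswordAuthentication no
EOF
}
```

Typical use: `combine_pem lvpn-easy some.where.nice haproxy/combined.pem && render_haproxy_cfg > haproxy/haproxy.cfg && render_sshd_fragment > ssh/lvpn.conf`.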
Use the wallet generated by easy-provider. The files vpn-wallet, vpn-wallet.address.txt and vpn-wallet.keys are what you need.
The password and RPC password are listed in the easy-provider output.
First, check that all required containers are running.
```shell
docker ps
```
```text
8b96a8a607f1 limosek/lvpn:dev "/entrypoint.sh lvpns" 29 hours ago Up 29 hours lthn_lvpns_1
aaa3681e86c6 letheanio/blockchain:latest "bash -c 'lethean-wa…" 29 hours ago Up 29 hours 38772/tcp, 38782/tcp, 48772/tcp, 48782/tcp, 0.0.0.0:48773->14660/tcp, 0.0.0.0:48774->14660/tcp, :::48773->14660/tcp, :::48774->14660/tcp lthn_wallet_1
...
```
You can inspect container logs with
```shell
docker logs 8b96a8a607f1
```
or
```shell
journalctl -f
```
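As an added example (not LVPN project code), a shell check that parses `docker ps --format '{{.Names}} {{.Status}}'` output and reports any required container that is missing or not Up; the lthn_daemon_1 and lthn_haproxy_1 names are assumed by analogy with the lthn_* names shown above.

```shell
#!/bin/sh
# Added example (not LVPN project code): verify that every container this setup needs
# is present and Up. Feed it a file produced by
#   docker ps --format '{{.Names}} {{.Status}}' > /tmp/ps.txt
# Container names follow the lthn_* pattern shown above; the full list is an assumption.
REQUIRED="lthn_lvpns_1 lthn_wallet_1 lthn_daemon_1 lthn_haproxy_1"

# check_containers PSFILE NAME... -> 0 only when every NAME is listed as Up
check_containers() {
  ps_out=$1; shift; rc=0
  for name in "$@"; do
    # first field is the name, second is the first word of the status column
    status=$(awk -v n="$name" '$1 == n { print $2; exit }' "$ps_out")
    case "$status" in
      Up) echo "ok      $name" ;;
      "") echo "MISSING $name"; rc=1 ;;
      *)  echo "NOT UP  $name ($status)"; rc=1 ;;
    esac
  done
  return "$rc"
}

# sample_ps: constructed docker ps output (two Up, one exited, one absent)
sample_ps() {
  cat <<'EOF'
lthn_lvpns_1 Up 29 hours
lthn_wallet_1 Up 29 hours
lthn_daemon_1 Exited (1) 5 minutes ago
EOF
}
```

On a live host run `docker ps --format '{{.Names}} {{.Status}}' > /tmp/ps.txt && check_containers /tmp/ps.txt $REQUIRED` and act on any MISSING or NOT UP line before importing the VDP.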
You need to import your new VDP before connecting a client. You can either point the client to your VDP files (see --providers-dir, --gates-dir, --spaces-dir) or run the client, click the Setup button, enter the URL from which to fetch the VDP, and import it.
Note that you can fetch your VDP from your lvpns manager at https://<manager_host>:<manager_port>/api/vdp, for example https://manager.your.network/api/vdp