konduit-public/docs/server-quickstart.md
2026-06-09 08:30:41 +03:00

Konduit Server Quickstart

1. Prerequisites

IP Forwarding

sudo sysctl -w net.ipv4.ip_forward=1
# Persist: add 'net.ipv4.ip_forward=1' to /etc/sysctl.conf

Capabilities

Konduit needs permission to create TUN devices and bind privileged ports without running as root.

sudo setcap cap_net_admin,cap_net_bind_service=+ep ./konduit-server
sudo setcap cap_net_admin=+ep ./konduit

2. Bootstrap

Konduit derives its identity key from a mantra (secret phrase) using Argon2id. Keep the mantra safe — it lets you recover the same identity if the config file is lost, which also means anyone who learns the mantra can derive the same identity key.

Standard (konduit binds on 443):

echo "your secret mantra phrase here" | ./konduit-ctl bootstrap -l vpn.example.com:443 -p -

Behind a reverse proxy (HAProxy on 443, konduit on 8443):

echo "your secret mantra phrase here" | ./konduit-ctl bootstrap -l vpn.example.com:8443 --public-port 443 -p -

--public-port sets the port written into client configs, so they connect to 443 even though konduit listens on 8443. See stealth-setup.md for the full HAProxy configuration.

3. Add a Client

./konduit-ctl add-client my-laptop

Creates my-laptop.client.toml and appends the peer to server.toml. Transfer the .client.toml to the client device, or scan the QR payload with the mobile app.

4. TUN Interface Name

Set a fixed TUN interface name so firewall rules are stable:

# server.toml
[network]
tun_name = "konduit0"

Without this, konduit picks the first available tunN, which shifts if other VPN interfaces exist.

5. Run

./konduit-server --config server.toml

For persistent operation, use the provided systemd units in docs/systemd/. Copy konduit-server.service to /etc/systemd/system/, then:

sudo systemctl daemon-reload
sudo systemctl enable --now konduit-server

6. NAT / Masquerade

VPN clients send packets with source IP 10.10.0.x. Masquerade rewrites this to the server's public IP so internet hosts can reply.

firewalld (RHEL, Fedora, recent Ubuntu)

# Trust the VPN interface
sudo firewall-cmd --zone=trusted --add-interface=konduit0 --permanent

# Enable masquerade on the public zone
sudo firewall-cmd --zone=public --add-masquerade --permanent

sudo firewall-cmd --reload

Important: iptables commands are silently ignored on firewalld systems. Always use firewall-cmd.

iptables (Debian/Ubuntu without firewalld)

IFACE=$(ip route get 1.1.1.1 | awk '{print $5; exit}')
sudo iptables -t nat -I POSTROUTING 1 -s 10.10.0.0/24 -o $IFACE -j MASQUERADE
sudo iptables -I FORWARD 1 -i konduit0 -o $IFACE -j ACCEPT
sudo iptables -I FORWARD 2 -i $IFACE -o konduit0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Persist
sudo apt install iptables-persistent && sudo netfilter-persistent save
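As an added example that is not part of the Konduit project, the following preflight script ties sections 4 and 6 together: it reads tun_name from server.toml, checks the ip_forward and capability prerequisites from section 1, and prints the iptables rules for review instead of applying them (using -m conntrack, the current equivalent of -m state). The script name, the sample config in the comments and the 10.10.0.0/24 client subnet taken from section 6 are assumptions.

```shell
#!/bin/sh
# konduit-preflight.sh: added example, not part of the Konduit project.
# Reads tun_name from server.toml, checks ip_forward and the server binary's
# capabilities, and prints (never applies) the quickstart's NAT/forward rules.
set -eu

# Print the tun_name value from the [network] section of a server.toml file.
tun_name_from_toml() {
  awk -F'"' '/^\[/ { in_net = ($0 ~ /^\[network\][ \t]*$/) }
             in_net && /^[ \t]*tun_name[ \t]*=/ { print $2; exit }' "$1"
}

# Print the iptables rules for a TUN name, egress interface and client subnet.
gen_nat_rules() {
  tun=$1; egress=$2; subnet=$3
  printf 'iptables -t nat -I POSTROUTING 1 -s %s -o %s -j MASQUERADE\n' "$subnet" "$egress"
  printf 'iptables -I FORWARD 1 -i %s -o %s -j ACCEPT\n' "$tun" "$egress"
  printf 'iptables -I FORWARD 2 -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' \
    "$egress" "$tun"
}

# Succeed when the sysctl file (default: the live kernel value) contains 1.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null || echo 0)" = "1" ]
}

# Succeed when a getcap output line shows both capabilities as effective+permitted,
# e.g. "./konduit-server cap_net_bind_service,cap_net_admin=ep" (older libcap prints "+ep").
caps_ok() {
  case "$1" in
    *cap_net_admin,cap_net_bind_service[=+]*ep*) return 0 ;;
    *cap_net_bind_service,cap_net_admin[=+]*ep*) return 0 ;;
  esac
  return 1
}

main() {
  cfg=$1
  tun=$(tun_name_from_toml "$cfg")
  [ -n "$tun" ] || { echo "tun_name is not set in $cfg; firewall rules would not be stable" >&2; exit 1; }
  egress=$(ip route get 1.1.1.1 2>/dev/null | awk '{print $5; exit}')
  [ -n "$egress" ] || { echo "could not determine the egress interface" >&2; exit 1; }
  ip_forward_enabled || echo "WARN: net.ipv4.ip_forward is 0" >&2
  caps_ok "$(getcap ./konduit-server 2>/dev/null || true)" \
    || echo "WARN: ./konduit-server lacks cap_net_admin,cap_net_bind_service" >&2
  echo "# Rules for tun=$tun egress=$egress (review, then apply with sudo):"
  gen_nat_rules "$tun" "$egress" 10.10.0.0/24
}

# Run only when given a config path, e.g. ./konduit-preflight.sh server.toml
if [ $# -gt 0 ]; then main "$@"; fi
```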

7. Verify

# Should return your camouflage website, not an error
curl -sk https://your-server/

# Check konduit logs
journalctl -u konduit-server -f