konduit-public/docs/server-quickstart.md
2026-06-09 08:30:41 +03:00

# Konduit Server Quickstart
## 1. Prerequisites
### IP Forwarding
```bash
sudo sysctl -w net.ipv4.ip_forward=1
# Persist: add 'net.ipv4.ip_forward=1' to /etc/sysctl.conf
```
### Capabilities
Konduit needs permission to create TUN devices and bind privileged ports without running as root.
```bash
sudo setcap cap_net_admin,cap_net_bind_service=+ep ./konduit-server
sudo setcap cap_net_admin=+ep ./konduit
```
## 2. Bootstrap
Konduit derives its identity key from a **mantra** (secret phrase) using Argon2id. Keep the mantra safe — it lets you recover the same identity if the config file is lost.
**Standard (konduit binds on 443):**
```bash
echo "your secret mantra phrase here" | ./konduit-ctl bootstrap -l vpn.example.com:443 -p -
```
**Behind a reverse proxy (HAProxy on 443, konduit on 8443):**
```bash
echo "your secret mantra phrase here" | ./konduit-ctl bootstrap -l vpn.example.com:8443 --public-port 443 -p -
```
`--public-port` sets the port written into client configs, so they connect to 443 even though konduit listens on 8443. See [stealth-setup.md](stealth-setup.md) for the full HAProxy configuration.
## 3. Add a Client
```bash
./konduit-ctl add-client my-laptop
```
Creates `my-laptop.client.toml` and appends the peer to `server.toml`. Transfer the `.client.toml` to the client device, or scan the QR payload with the mobile app.
## 4. TUN Interface Name
Set a fixed TUN interface name so firewall rules are stable:
```toml
# server.toml
[network]
tun_name = "konduit0"
```
Without this, konduit picks the first available `tunN`, which shifts if other VPN interfaces exist.
## 5. Run
```bash
./konduit-server --config server.toml
```
For persistent operation, use the provided systemd units in [docs/systemd/](systemd/). Copy `konduit-server.service` to `/etc/systemd/system/`, then:
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now konduit-server
```
## 6. NAT / Masquerade
VPN clients send packets with source IP `10.10.0.x`. Masquerade rewrites this to the server's public IP so internet hosts can reply.
### firewalld (RHEL, Fedora, recent Ubuntu)
```bash
# Trust the VPN interface
sudo firewall-cmd --zone=trusted --add-interface=konduit0 --permanent
# Enable masquerade on the public zone
sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --reload
```
> **Important:** `iptables` commands are silently ignored on firewalld systems. Always use `firewall-cmd`.
### iptables (Debian/Ubuntu without firewalld)
```bash
# Egress interface: take the field after "dev" rather than a fixed $5,
# which returns "src" on gateway-less (directly connected) routes
IFACE=$(ip route get 1.1.1.1 | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}')
sudo iptables -t nat -I POSTROUTING 1 -s 10.10.0.0/24 -o "$IFACE" -j MASQUERADE
sudo iptables -I FORWARD 1 -i konduit0 -o "$IFACE" -j ACCEPT
sudo iptables -I FORWARD 2 -i "$IFACE" -o konduit0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Persist
sudo apt install iptables-persistent && sudo netfilter-persistent save
```
## 7. Verify
```bash
# Should return your website (camouflage), not an error
curl -sk https://your-server/
# Check konduit logs
journalctl -u konduit-server -f
```
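The checks in sections 1, 4 and 6 can be scripted as one pre-flight run before trusting the setup. This is an added example, not part of the konduit docs; it assumes the `konduit0` TUN name and the `10.10.0.0/24` client subnet used in this quickstart, and `has_masquerade_rule` reads `iptables-save -t nat` output.

```bash
#!/usr/bin/env bash
# Added example (not konduit's own tooling): pre-flight checks for the quickstart.

# Print the interface named after "dev" in `ip route get` output. Handles both
# "1.1.1.1 via GW dev eth0 ..." and the gateway-less "1.1.1.1 dev eth0 ..." form,
# where a fixed field index ($5) would yield "src" instead of the device.
egress_iface_from_route() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Succeed when the iptables-save text on stdin masquerades $1 (subnet) out of $2 (iface).
has_masquerade_rule() {
    local subnet="$1" iface="$2"
    grep -Eq -- "-A POSTROUTING .*-s ${subnet} .*-o ${iface} .*-j MASQUERADE"
}

# Run the live checks; returns non-zero and prints every failure found.
check_server() {
    local tun="${1:-konduit0}" subnet="${2:-10.10.0.0/24}" rc=0 iface
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ] \
        || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    ip link show "$tun" >/dev/null 2>&1 \
        || { echo "FAIL: TUN $tun is not present (is konduit-server running?)"; rc=1; }
    iface=$(ip route get 1.1.1.1 2>/dev/null | egress_iface_from_route)
    if command -v firewall-cmd >/dev/null 2>&1; then
        # firewalld host: iptables rules would not be the source of truth here
        firewall-cmd --zone=public --query-masquerade >/dev/null 2>&1 \
            || { echo "FAIL: masquerade is off in firewalld zone public"; rc=1; }
    else
        sudo iptables-save -t nat 2>/dev/null | has_masquerade_rule "$subnet" "$iface" \
            || { echo "FAIL: no MASQUERADE for $subnet out of ${iface:-?}"; rc=1; }
    fi
    return "$rc"
}
```

Run `check_server` (optionally with a different TUN name and subnet as arguments) on the server after section 5; an empty output with exit status 0 means the forwarding path is in place.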