potatovpn

Client Installation

Download the installer from the Releases page, run it, and follow the prompts to complete the installation.

Server

Prerequisites

You must have the following packages installed on your system:

sudo apt install -y wireguard stunnel4 haproxy certbot

Installation

  1. Set up the repository:
    git clone https://github.com/redisnotbluedev/potatovpn
    cd potatovpn/server
    cp .env.example .env
    nano .env
    python3 -m venv venv
    source venv/bin/activate
    pip install -r requirements.txt
    
  2. Add a Match User block to /etc/ssh/sshd_config. Put it at the end of the file, since every directive after a Match line belongs to that block. It restricts the vpn_* accounts to TCP forwarding: no shell (ForceCommand /bin/false), no PTY, no X11 or agent forwarding. Clients must connect with -N, because a session that requests a command runs /bin/false and exits at once, taking its forwards with it.
    Match User vpn_*
     ForceCommand /bin/false
     AllowTcpForwarding yes
     X11Forwarding no
     AllowAgentForwarding no
     PermitTTY no
    
    Check the file with sshd -t before restarting, so a typo cannot lock you out:
    sudo systemctl restart sshd
    
  3. Generate WireGuard keys:
    wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key && sudo chmod 600 /etc/wireguard/server_private.key
    
  4. Write /etc/wireguard/wg.conf. wg-quick names the interface after the file (wg, not wg0), so the firewall rules use the %i placeholder, which wg-quick expands to the interface name; replace eth0 with the server's upstream interface (ip route show default prints it). If the FORWARD chain's default policy is DROP, traffic returning into the tunnel needs an accept rule as well (-o %i):
    [Interface]
    PrivateKey = <contents of /etc/wireguard/server_private.key>
    Address = 10.0.0.1/24
    ListenPort = 51820
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    
  5. Enable IP forwarding, then bring the interface up (the unit name must match the config file name from step 4):
    echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
    sudo systemctl enable --now wg-quick@wg
    
  6. Get a Let’s Encrypt cert for your domain. Standalone mode answers the HTTP-01 challenge on port 80 itself, so that port must be free and reachable from the internet, now and at every renewal (HAProxy below binds only 443):
    sudo certbot certonly --standalone -d <your domain>
    
  7. Generate a self-signed cert for the VPN tunnels. No CA vouches for it, so the clients have to pin this certificate (or its public key) instead of doing ordinary chain validation; otherwise the tunnels are open to interception. -nodes leaves the key unencrypted, so keep the key file readable by root only:
    sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/stunnel/potatovpn.key -out /etc/stunnel/potatovpn.pem -days 3650 -nodes -subj "/CN=potatovpn"
    
  8. Write /etc/stunnel/potatovpn.conf. HAProxy (next step) only inspects the SNI and passes the TLS stream through, so stunnel is what actually terminates TLS: the wg and ssh services present the self-signed potatovpn.pem, the api service presents the Let’s Encrypt chain (the directory under /etc/letsencrypt/live/ is named after the domain you gave certbot). foreground = yes is required by the stunnel@ systemd unit. Note that stunnel forwards TCP streams only, while WireGuard listens on UDP: the [wg] service reaches WireGuard only if something on the server accepts TCP on 51820 and turns the stream back into WireGuard datagrams; wg-quick alone does not listen on TCP.
    ```ini
    foreground = yes

    [wg]
    accept = 127.0.0.1:51821
    connect = 127.0.0.1:51820
    cert = /etc/stunnel/potatovpn.pem
    key = /etc/stunnel/potatovpn.key

    [ssh]
    accept = 127.0.0.1:2223
    connect = 127.0.0.1:22
    cert = /etc/stunnel/potatovpn.pem
    key = /etc/stunnel/potatovpn.key

    [api]
    accept = 127.0.0.1:8889
    connect = 127.0.0.1:8888
    cert = /etc/letsencrypt/live//fullchain.pem
    key = /etc/letsencrypt/live//privkey.pem
    ```
    
    ```sh
    sudo systemctl enable --now stunnel@potatovpn
    ```
  9. Write /etc/haproxy/haproxy.cfg. The front end runs in TCP mode and never decrypts anything: it waits up to 5 s for a TLS ClientHello, reads the SNI from it and hands the raw stream to stunnel on the matching local port; anything without a known SNI (including non-TLS connections) goes to the web backend. The two use_backend lines match the hostname case-insensitively (-i), so give each tunnel its own hostname. The 30 s client and server timeouts are idle timeouts and will cut a quiet tunnel; keep the clients' keepalive interval below that or raise them. Validate with haproxy -c -f /etc/haproxy/haproxy.cfg before enabling the service.
    ```
    defaults
        timeout connect 5s
        timeout client 30s
        timeout server 30s

    frontend tls
        bind *:443
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend wg if { req_ssl_sni -i }
        use_backend ssh if { req_ssl_sni -i }
        default_backend web

    backend wg
        mode tcp
        server wg 127.0.0.1:51821

    backend ssh
        mode tcp
        server ssh 127.0.0.1:2223

    backend web
        mode tcp
        server api 127.0.0.1:8889
    ```
    
    ```sh
    sudo systemctl enable --now haproxy
    ```
  10. Create the systemd service for the API at /etc/systemd/system/potatovpn-api.service (optional). Both paths must point at the checkout from step 1 and the venv you created there (step 1 creates it under potatovpn/server). The unit has no User= line, so uvicorn runs as root; keep it bound to 127.0.0.1 as shown, since stunnel's [api] service is the only intended client.
    ```ini
    [Unit]
    Description=PotatoVPN API
    After=network.target

    [Service]
    WorkingDirectory=/home//potatovpn
    ExecStart=/home//potatovpn/venv/bin/uvicorn app:app --host 127.0.0.1 --port 8888
    Restart=always

    [Install]
    WantedBy=multi-user.target
    ```
    
    ```sh
    sudo systemctl daemon-reload
    sudo systemctl enable --now potatovpn-api
    ```
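The SNI routing in steps 8 and 9 is the part most worth checking before trusting the setup, because a misrouted name silently lands on the web backend. The following is an added example, not code from potatovpn: parse_sni() reads the server_name out of a raw TLS ClientHello (the same field HAProxy's req_ssl_sni fetch inspects), pick_backend() applies the same decision as the use_backend and default_backend rules above, and probe() opens a real TLS connection with a chosen SNI so you can confirm, for instance, that the ssh route answers with an SSH banner. The hostnames wg.example.com and ssh.example.com, the file name sni_probe.py and the zeroed fields in the constructed ClientHello are assumptions; substitute the names from your haproxy.cfg.

```python
#!/usr/bin/env python3
"""Added example, not potatovpn code: the decision HAProxy's req_ssl_sni fetch
makes in the TCP-mode front end above. Hostnames in ROUTES are assumptions."""
import socket
import ssl
import struct
import sys

# Assumed SNI names for the two tunnels and the stunnel ports haproxy.cfg sends them to.
ROUTES = {
    "wg.example.com": ("wg", ("127.0.0.1", 51821)),
    "ssh.example.com": ("ssh", ("127.0.0.1", 2223)),
}
DEFAULT_BACKEND = ("web", ("127.0.0.1", 8889))


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI extension.
    Constructed test input only: real clients send more suites and extensions."""
    host = sni.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_body = struct.pack("!H", len(entry)) + entry          # ServerNameList
    ext = struct.pack("!HH", 0, len(sni_body)) + sni_body     # extension type 0 = server_name
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + b"\x00" * 32                             # random (zeros, test data only)
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # one compression method: null
        + struct.pack("!H", len(ext)) + ext        # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the lower-cased SNI host from a ClientHello record, or None when the
    bytes are not a ClientHello or carry no server_name (HAProxy falls through)."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                       # req_ssl_hello_type 1
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos >= len(body):
            return None                                         # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            lpos = 2                                            # skip ServerNameList length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0 and lpos + 3 + nlen <= len(data):
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii").lower()
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                             # truncated or malformed


def pick_backend(record: bytes):
    """Same decision as the use_backend / default_backend lines in haproxy.cfg:
    a known SNI (matched case-insensitively, like -i) selects its tunnel; anything
    else, including non-TLS bytes, lands on the web backend."""
    return ROUTES.get(parse_sni(record), DEFAULT_BACKEND)


def probe(server: str, sni: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect to the live front end with the given SNI and return the backend's
    first bytes: the ssh route should answer with an SSH-2.0 banner. Verification
    is off because the inner certificate is the self-signed potatovpn.pem."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.settimeout(timeout)
            try:
                return tls.recv(64)
            except socket.timeout:
                return b""                      # backend waits for the client to speak first


if __name__ == "__main__":
    # Usage: python3 sni_probe.py <server> <sni>   (hypothetical file name)
    server_arg, sni_arg = sys.argv[1], sys.argv[2]
    print(pick_backend(build_client_hello(sni_arg)))
    print(probe(server_arg, sni_arg))
```

Run it against the server once HAProxy and stunnel are up: with the ssh hostname the second line should start with b'SSH-2.0-', while an unknown name is forwarded to uvicorn, which sends nothing until it receives a request, so probe() returns b''. The offline part (build and parse a ClientHello, then route it) needs no server and is the quickest way to see why a name missing from the use_backend rules ends up on the web backend.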