
# VPN configuration

## Wireguard

[Wireguard](https://www.wireguard.com/) is a modern VPN architecture with clients for most operating systems.  It is typically simpler to configure than other VPN solutions, and offers exceptional speeds and performance.  This makes it the preferred choice for VPN networking on embedded devices like the Packet Squirrel.

### Requirements

Using a Packet Squirrel as a Wireguard client of course requires a Wireguard server on a public IP address reachable by the Packet Squirrel network.

For more information about configuring a Wireguard server, we recommend the [official Wireguard documentation](https://www.wireguard.com/quickstart/) and third-party documentation like the [Digital Ocean tutorial](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04) on Wireguard.

Some commercial VPN services may also offer Wireguard options.

### Configuring Wireguard

Configuring the Packet Squirrel to be a Wireguard VPN client can be done via the `WIREGUARD` command.  This command simplifies the process and works with the `uci` and `NETMODE` commands.

The `WIREGUARD` command reads its settings from several environment variables.  Set them and call `WIREGUARD` before `NETMODE` is called.

### Configuration options

<table><thead><tr><th width="185">Variable</th><th>Configuration</th></tr></thead><tbody><tr><td>WG_KEY</td><td>Wireguard client private key (generated by <code>wg genkey</code>)</td></tr><tr><td>WG_ADDR</td><td>Wireguard client IPv4 address</td></tr><tr><td>WG_ADDR6</td><td>Wireguard client IPv6 address (optional)</td></tr><tr><td>WG_PUB</td><td>Wireguard server public key</td></tr><tr><td>WG_PSK</td><td>Wireguard server pre-shared key (optional)</td></tr><tr><td>WG_SERV</td><td>Wireguard server address</td></tr><tr><td>WG_PORT</td><td>Wireguard server port</td></tr></tbody></table>

### Example use

The `WIREGUARD` command should be called in a payload before the `NETMODE` command, for example:

```bash
#!/bin/bash

# Title: Wireguard
# Description: Example Wireguard configuration 

# First, we define all the environment variables.  Use the 'export' 
# command to make them available to the WIREGUARD command. 

# Set the private key of this client, generated by 'wg genkey'.  The 
# server must be configured with the public key for this client!
export WG_KEY="0NdX+uzkgPs5gu0inDxhtQsMG9MmAcFxc5DHQL1nTn4="

# Set the IPv4 address of this endpoint.  This is the private address 
# inside the VPN 
export WG_ADDR="10.10.10.42"

# Set the IPv6 address (if any) of this endpoint.  This is the private address 
# inside the VPN.  For IPv4 only, don't provide a WG_ADDR6
export WG_ADDR6="2001:0db8:85a3:0000:0000:8a2e:0370:7334"

# Set the wireguard SERVER public key.  This must match your server public key!
export WG_PUB="NDYEu47emGG4ei5iCwotBNaA27ZI9ss+e7yTmpCRIUU="

# Set the wireguard server PSK.  This is an additional security measure on 
# top of the key exchange.  If you have no psk, don't define a WG_PSK.
export WG_PSK="wexnHUPDZXFwx2FXi55t/Hrh/grvUxiwKkMzGbskA3E="

# Set the wireguard server address
export WG_SERV="1.2.3.4"

# Set the wireguard server port
export WG_PORT="12345"

# Run the WIREGUARD command to generate the config
WIREGUARD

# Set the network mode
NETMODE BRIDGE

# Start the SSH server
SSH_START

# Do other payload activity...
```
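
A mistyped key or port only shows up later as a tunnel that never comes up, so it helps to check the variables before calling `WIREGUARD`. The following is an added example, not part of the Hak5 documentation or firmware: `wg_preflight` and its helpers are hypothetical names, and the IPv4 check assumes the bare dotted-quad form used for `WG_ADDR` above.

```bash
#!/bin/bash
# Added example: wg_preflight and the wg_is_* helpers are hypothetical,
# not Packet Squirrel commands.

# A WireGuard key is 32 bytes: 43 base64 characters plus one '='.  The 43rd
# character encodes only 4 significant bits, hence the restricted final set.
WG_KEY_RE='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'

wg_is_key() { printf '%s\n' "$1" | grep -Eq "$WG_KEY_RE"; }

# Bare dotted quad, as in the WG_ADDR example (assumption: no /prefix).
wg_is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    local IFS=. octet
    for octet in $1; do
        [ "$octet" -le 255 ] || return 1
    done
}

wg_is_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' &&
        [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Returns 0 when every required WG_* variable is well formed, 1 otherwise.
# Each problem is reported on stderr so all of them show up in one run.
wg_preflight() {
    local rc=0
    wg_is_key "$WG_KEY"   || { echo "WG_KEY: not a 32-byte base64 key" >&2; rc=1; }
    wg_is_key "$WG_PUB"   || { echo "WG_PUB: not a 32-byte base64 key" >&2; rc=1; }
    # WG_PSK is optional: validate it only when it is set.
    if [ -n "$WG_PSK" ] && ! wg_is_key "$WG_PSK"; then
        echo "WG_PSK: not a 32-byte base64 key" >&2; rc=1
    fi
    wg_is_ipv4 "$WG_ADDR" || { echo "WG_ADDR: not an IPv4 address" >&2; rc=1; }
    [ -n "$WG_SERV" ]     || { echo "WG_SERV: missing" >&2; rc=1; }
    wg_is_port "$WG_PORT" || { echo "WG_PORT: not in 1-65535" >&2; rc=1; }
    return $rc
}

# In a payload, after the export lines and before WIREGUARD:
#   wg_preflight || exit 1
```
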

## OpenVPN

[OpenVPN](https://openvpn.net) is another common VPN system with support for essentially all operating systems.  It is typically slightly slower (about 50% of the speed of Wireguard) but is well supported and documented.

### Requirements

Using a Packet Squirrel as an OpenVPN client of course requires an OpenVPN server on a public IP address reachable by the Packet Squirrel network.

For more information about configuring an OpenVPN server, we recommend the [OpenVPN community installation guides](https://openvpn.net/community-resources/), and the [Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04) configuration guide.

Some commercial VPN services may also offer OpenVPN options.

You will need an OpenVPN configuration file including the embedded certificates to configure the Packet Squirrel OpenVPN client.

### Configuring OpenVPN

OpenVPN on the Packet Squirrel is configured by placing the OpenVPN configuration in `/tmp/openvpn.conf` and starting the OpenVPN service.

This should be done **after** the `NETMODE` command; the OpenVPN client must be able to contact the server!

```bash
#!/bin/bash 

# Title: OpenVPN Example
#
# Description: Demonstrate running the Packet Squirrel as an OpenVPN appliance.

# Clients will receive an IP address from the Packet Squirrel via NETMODE NAT
# (DHCP Server), and their Internet traffic will be tunneled through the
# configured OpenVPN server. Include the contents of your .ovpn file below.

LED SETUP
NETMODE NAT

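# This will copy the openvpn.conf file out of the payload into 
# /tmp/openvpn.conf.  The quoted 'EOF' keeps the shell from expanding any
# $ or backtick characters in the pasted config.
cat <<'EOF' > /tmp/openvpn.conf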

# Replace this line with the multi-line contents of your .ovpn config file.

EOF

# This will launch the openvpn service
service openvpn start

SSH_START
LED ATTACK
```
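
Because the configuration must carry its certificates inline, a `.ovpn` file that still points at `ca.crt` or `client.key` on disk will not work once pasted into the payload. The following is an added example, not part of the Hak5 documentation or firmware: `ovpn_external_refs` and `ovpn_ready` are hypothetical helpers, and the directive list and the requirement for a `<ca>` block are heuristics chosen for this sketch.

```bash
#!/bin/bash
# Added example: ovpn_external_refs and ovpn_ready are hypothetical helpers,
# not Packet Squirrel commands.

# Directives that can name a file on disk.  A self-contained config carries
# the same material inline as <ca>...</ca>, <cert>...</cert>, and so on.
OVPN_FILE_DIRECTIVES="ca cert key tls-auth tls-crypt"

# Print the directives that point at a file and have no inline block.
ovpn_external_refs() {
    local conf="$1" d found=""
    for d in $OVPN_FILE_DIRECTIVES; do
        if grep -Eq "^[[:space:]]*${d}[[:space:]]+[^[:space:]]" "$conf" &&
           ! grep -Eq "^[[:space:]]*<${d}>" "$conf"; then
            found="$found $d"
        fi
    done
    echo "${found# }"
}

# Return 0 when the config is non-empty, names a server, embeds a CA
# certificate, and references no external key or certificate files.
ovpn_ready() {
    local conf="$1"
    [ -s "$conf" ] || return 1
    grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]' "$conf" || return 1
    grep -Eq '^[[:space:]]*<ca>' "$conf" || return 1
    [ -z "$(ovpn_external_refs "$conf")" ]
}

# In the payload, between the heredoc and 'service openvpn start':
#   ovpn_ready /tmp/openvpn.conf || exit 1
```

The same check rejects a payload whose heredoc still holds only the placeholder comment, since that file has no `remote` line.
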


