Building a VPN with an AMPRNet BGP allocation

One of the most common emails I receive from readers of this website generally starts with:

Subject: I got an AMPRNet allocation. How do I use it for a VPN?

I generally answer with an off-the-top-of-my-head guide on how to get started, but I figured it was about time to write a proper guide on how to use an AMPRNet BGP allocation to set up a simple VPN server.

This post is aimed at licensed amateur radio operators who are wanting to get some AMPRNet IPs for large-ish-scale use (for example, providing static IPs to club members). If you are just looking for one or two static addresses, BGP likely isn't for you. I'd recommend reading the wiki entries on setting up a Linux gateway instead.

Prerequisites

Following this guide requires a few things:

AMPRNet membership
A BGP allocation (a /24 or larger block of addresses)
Some money (~$5 USD/mo)
Basic Linux knowledge

Through the process of getting your BGP allocation, you will have also received a Letter Of Authorization (LOA) for your IP block. This document will be important later on.

Important note for people that don't have an ASN

During the BGP allocation request process, you'll be asked for "Network Service Provider (NSP) details". If you don't hold an ASN, you'll need to use these details for this guide:

name: The Constant Company, LLC
ASN: AS20473
NOC email: [email protected]
NOC telephone: +1-973-849-0500
Postal address: 319 Clematis St. Suite 900, West Palm Beach FL, USA

Bringing up your VPN server

This guide will set up a VPN network in roughly the following configuration:

graph LR Internet --- Vultr[Vultr's Network] Vultr ---|BGP| VPS[Your Server] VPS ---|VPN| Client1((Client 1)) VPS ---|VPN| Client2((Client 2)) VPS ---|VPN| Client3((Client 3))

I, and many other hams, choose to use Vultr as a server host for this purpose because they offer a free bring your own IP service.

People with more complex networks or more networking experience may choose to co-locate their own hardware somewhere and use a "real" transit provider, but those people also probably shouldn't need this guide in the first place.

Enabling BGP support on your Vultr account

By default, Vultr accounts do not have BGP service enabled. This must be done via the BGP setup form.

In this form, you'll need to provide the following information:

Use a private AS number unless you have your own from an RIR
No need to provide a BGP password if asked
Prefixes: Whatever your AMPRNet allocation is
Usage: Some sort of description of what you're doing with your allocation
Routes: Default route is fine
Attach the LOA your received from the AMPRNet allocation process

This process opens a ticket with Vultr support. They will review your request and enable BGP on your account. This process can take a few days.

Setting up your server

Now the fun begins. Create a new deployment, and choose the following options:

Choose Server: Cloud Compute
CPU & Storage Technology: Intel Regular Performance
Server Location: Whatever is closest to you
Server Image: Debian
Server Size: Any size is OK. I personally like using the $5/mo option
Auto Backups: Not required, but OK to enable if you'd like

Configuring BGP

For this section, you'll need to head to the BGP tab in your new server's settings and note the information presented to you.

SSH in to your new server as root to get started. Default account credentials are shown on the Overview page of your server's settings.

By default, your server does not know how to communicate using the BGP protocol. To get it "talking" with the Vultr routers, you'll need to install a software package called Bird.

apt update
apt install bird2

Bird uses a configuration file stored at /etc/bird/bird.conf. Its default contents are useless to us, so we can wipe it out and start fresh.

rm /etc/bird/bird.conf
touch /etc/bird/bird.conf

Before editing, you need to know the IPv4 address that was assigned to your server by Vultr. Obtain this by running the following command and noting the first address of the enp1s0 interface.

ip -br a

Running this on my test server presented the following response:

root@ampr-test:~# ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
enp1s0           UP             100.68.4.196/18 2001:19f0:1000:23e6:5400:4ff:fe7f:e894/64 fe80::5400:4ff:fe7f:e894/64

So I'd use 100.68.4.196 as my server's IPv4 address.

With all our information gathered, It's time to configure Bird.

Configuring Bird

Open /etc/bird/bird.conf in your favorite text editor and add the following contents. Remember to replace marked sections with your own information gathered from previous steps.

router id <server_ipv4>; # Replace with your server's IPv4 address
protocol device {}

protocol direct {
  ipv4;
  interface "vpn";
}

protocol bgp vultr {
  local as <your_asn>; # Replace with the "Instance ASN" from the BGP tab
  neighbor <vultr_ipv4> as <vultr_asn>; # Replace with the "Vultr IPv4" and "Vultr ASN" from the BGP tab
  multihop 2;
  password "<vultr_bgp_password>"; # Replace with the "BGP Password" from the BGP tab
  graceful restart;
  ipv4 {
    import none;
    export where net ~ [ <your_amprnet_prefix> ]; # Replace with your AMPRNet prefix (including the prefix length (for example /24))
  };
}

Now, save that file, and run the following command to reconfigure Bird:

birdc c

Waiting a few seconds then running birdc s p should list Vultr as Established.

Bringing up your VPN

Now that your server is communicating with Vultr, its time to set up the VPN. For this, we will be using WireGuard. Install with:

apt install wireguard-tools

Firstly, you will need to generate a private key for your server. This can be done with the following command:

wg genkey

Keep note of the result, then start configuring WireGuard by editing /etc/wireguard/vpn.conf.

[Interface]
PrivateKey = <server_private_key> # Use the value you just generated
Address = <first_addr_of_ampr_prefix> # Use the first host address in your AMPRNet prefix, and include a prefix length (for example /24)
ListenPort = 51820

PostUp = sysctl -w net.ipv4.conf.all.forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT

The process for adding new clients to this file is exactly the same as any other standard wireguard deployment. For example, if your prefix was 44.0.0.0/24, a new client definition might look like this:

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 44.0.0.2/32
PersistentKeepalive = 25 # Use this if the client is behind a NAT

On the client side, configuration is nearly the same as a standard WireGuard deployment except the AllowedIPs block for the server must be 0.0.0.0/0. An example client configuration might look like this:

[Interface]
PrivateKey = <client_private_key>
Address = 44.0.0.2/24

[Peer]
PublicKey = <server_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server_ipv4>:51820
PersistentKeepalive = 25 # Use this if the client is behind a NAT

With the server configured, start WireGuard with:

ufw allow 51820/udp
systemctl enable wg-quick@vpn
systemctl start wg-quick@vpn

Verify it works

Once everything is configured and running, you can use Bird to check that the prefix is being advertised to Vultr.

birdc show route export vultr

Your AMPRNet prefix should be listed in the output.

You can also head to bgp.tools and search your prefix to see how its being advertised to the world from Vultr's routers.