VPN

Cloud OS supports two VPN solutions: WireGuard for lightweight kernel-level tunnels and Pritunl for enterprise-grade VPN management with a full GUI. Both are managed from the VPN page in the dashboard.

Provider Comparison

| Feature | WireGuard | Pritunl |
|---|---|---|
| Type | Kernel-based | Docker-based |
| Protocol | WireGuard (kernel module) | OpenVPN + WireGuard |
| Performance | Excellent (kernel-level) | Good |
| Setup | Simple, minimal configuration | More options, full GUI |
| User management | Peer-based with key pairs | Full user and organization management |
| Best for | Personal use, small teams | Organizations, compliance requirements |

WireGuard

WireGuard uses the kernel-level WireGuard module for high-performance encrypted tunnels with minimal overhead.

Enabling WireGuard

  1. Navigate to VPN from the sidebar
  2. Select WireGuard as the provider
  3. Click Enable VPN
  4. Cloud OS generates server key pairs and configures the WireGuard interface

Adding a Peer

  1. Click Add Peer
  2. Enter a name for the peer (e.g., “laptop”, “phone”)
  3. Cloud OS generates the client configuration automatically
  4. Download the .conf file or scan the QR code with the WireGuard mobile app

The generated client configuration includes:

[Interface]
PrivateKey = <auto-generated>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = your-server-ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Peer Management

The VPN page shows all configured peers with:

  • Name
  • Public key (truncated)
  • Assigned IP address
  • Connection status (connected or last seen timestamp)
  • Data transferred (upload and download)

You can disable or remove peers at any time.

QR Code Generation

Each peer configuration can be displayed as a QR code for easy import on mobile devices. Click the QR icon next to any peer to display the scannable code.

Connection Stats

The VPN page displays real-time connection statistics:

  • Active peer count
  • Total data transferred
  • Per-peer bandwidth usage
  • Connection duration per peer

Pritunl

Pritunl is an enterprise-grade VPN server that supports both OpenVPN and WireGuard protocols. Cloud OS manages Pritunl as a Docker container and communicates with it via its API.

Enabling Pritunl

  1. Navigate to VPN from the sidebar
  2. Select Pritunl as the provider
  3. Click Enable VPN
  4. Cloud OS deploys the Pritunl Docker container and configures the initial organization

Creating Users

  1. Go to the Users tab on the VPN page
  2. Click Add User
  3. Enter a name and optional email
  4. Cloud OS provisions the user in Pritunl automatically

Downloading Profiles

Users can download their VPN profile:

  • .ovpn file for OpenVPN clients
  • WireGuard config for WireGuard clients
  • QR code for mobile clients

Key Rotation

For WireGuard, you can rotate the server key pair from VPN > Settings. This invalidates all existing peer configurations, so you will need to redistribute new configs to all peers.

For Pritunl, user credentials can be rotated individually without affecting other users.

IP Address Management

Cloud OS manages the VPN subnet automatically. Each new peer receives the next available IP address from the configured range (default 10.0.0.0/24). You can view and modify IP assignments from the VPN settings page.

Accessing Your Server Remotely

Once connected to the VPN, you can:

  • Access the Cloud OS dashboard via its internal IP
  • Reach any installed app without exposing it to the public internet
  • SSH into the server through the VPN tunnel

VPN access is useful for services you do not want publicly accessible. Install apps without public domains and access them only through the VPN tunnel.

Troubleshooting

WireGuard tunnel connects but no traffic flows

Verify that IP forwarding is enabled on the server:

sysctl net.ipv4.ip_forward

The output should be net.ipv4.ip_forward = 1. Cloud OS normally sets this automatically. If the value is 0, check the Cloud OS logs for WireGuard configuration errors.

Pritunl container fails to start

Check Docker logs for the Pritunl container:

docker logs quazzar-pritunl

Common issues include port conflicts (UDP 1194 for OpenVPN or UDP 51820 for WireGuard) or insufficient memory.

Cannot access apps through VPN

Verify that the AllowedIPs setting in your VPN client configuration includes the server's internal network. If you routed only specific subnets, the app's internal IP may not be included.
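The AllowedIPs check described above can be scripted. This is an added example, not Cloud OS code: it parses a WireGuard client .conf and reports whether given addresses are routed through the tunnel. The split-tunnel sample config, the 192.168.50.0/24 subnet and the app addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: a split-tunnel variant of the client config shown on this page.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <auto-generated>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = your-server-ip:51820
AllowedIPs = 10.0.0.0/24, 192.168.50.0/24
PersistentKeepalive = 25
"""

def parse_allowed_ips(conf_text):
    """Return the networks listed under AllowedIPs in every [Peer] section."""
    networks, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    # strict=False accepts entries with host bits set, e.g. 10.0.0.1/24
                    networks.append(ipaddress.ip_network(item.strip(), strict=False))
    return networks

def routed_through_tunnel(conf_text, address):
    """True if an AllowedIPs entry of the same IP version contains the address."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net
               for net in parse_allowed_ips(conf_text))

def report(conf_text, addresses):
    """Map each address to 'tunnel' or 'outside tunnel'."""
    return {a: "tunnel" if routed_through_tunnel(conf_text, a) else "outside tunnel"
            for a in addresses}

if __name__ == "__main__":
    # Hypothetical app addresses; replace with the internal IPs of your apps.
    for addr, route in report(SAMPLE_CONF, ["10.0.0.1", "172.17.0.5", "fd00::1"]).items():
        print(f"{addr:>12}  {route}")
```

With the generated default of AllowedIPs = 0.0.0.0/0, every IPv4 address is routed through the tunnel, but IPv6 destinations are not, because the list has no ::/0 entry.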

QR code does not scan

Ensure your mobile device's camera has a clear view of the code. If the QR code is too small, try zooming in with your browser, or download the .conf file instead and import it manually.