Constellation VPN

Introduction

Constellation is a VPN module that allow you to remotely connect to your server. It is based on Nebula, and is a very powerful tool to secure your server. Typically, you would have to open/forward ports to your servers to connect to it remotely. With Constellation, you can connect to your server without opening any ports, and without any risk of being hacked. It is also very easy to setup, and can be used to connect to multiple servers at once.

Interface

When going to the Constellation page, you first need to enable the VPN. Once done, you should see this:

Constellation

Here's a breakdown:

  1. This allows you to restart the internal VPN service (Nebula). This is useful when you change the config, or if the VPN is not working properly.
  2. The logs of the service, for debugging purposes
  3. Output the config used by the VPN, also useful for debugging
  4. Completely destroys your network. If you plan on doing significant work, you can start anew
  5. Enable / Disable the network
  6. This allows this server to relay request. By default Constellation will try to establish P2P connections between different nodes of our Constellation. Sometime, this is not possible, for example if you are behind certain types of NAT. In this case, you can enable this option, and the server will relay the request for you. This will increase latency, but will allow you to connect to your nodes.
  7. Make the server private. By default it is "public": it means that Constellation will assume that the IP/hostname of this server is accessible from the internet. If that's not the case (for example a home server behind CGNAT) then you can enable this option (see later on how to create a public node).
  8. This is the hostname to your network. Do not forget to add a DNS A entry for it in your domain
  9. In case this is not your main server (either a public server or just a side server), you can connect it to another Cosmos' Constellation network by uploading the constellation.yml file there
  10. This is the list of nodes/devices in your network. You can add nodes by clicking on the "Add Node" button. You can also remove nodes by clicking on the "Remove" button.

Create a Device

In order to connect to your network, you need to create a device. To do so, click on the "Add Node" button. You should see this:

Constellation

  1. This allows you to choose whether the new device is a lighthouse or not. See the next section for more info about lighthouses. If you select it, you will be able to set the hostname of the lighthouse and whether or not it can relay request (see above).
  2. The owner of the device, useful for permissions and management
  3. The name of the device
  4. The IP of the device. By default it will automatically select the next available IP in the network. You can change it if you want, but make sure it is not already taken.
  5. (Optional) The public key of the device. You probably don't need to change it, but if you want to use a specific key, you can do so. That option was only added because of the Nebula mobile app, which requires a specific key to work.

Once you are done, click on "Add" and your device will be able to connect. You will see a screen with a QR Code and a file to download. You can use either of them to connect to your network. It is advisable to use the QR Code on your mobile and the file on your computer.

Client

In order to connect to your network, you need to download the client. You can do so by clicking on the "Download" button. You can find the applications for your platform here

On Linux, the client needs a chmod +x resources/* after unzipping.

Lighthouses and Relaying

Constellation uses a P2P protocol to connect to your devices. This means that your devices will try to connect to each other directly. However, this is not always possible. For example, if you are behind a CGNAT, you will not be able to connect to your devices. In this case, you can use a lighthouse. A lighthouse is a device that is publicly accessible, and that will relay the request for you. You can think of it as some kind of "guide" for your requests.

By default the traffic will not go through the lighthouse, but if the direct connection fails, it will relay the traffic, assuming you enabled the relay option.

CGNAT and various multi-server setups

The power of this technology lies in its Mesh VPN capabilities. Even if your main server at home is behind a CGNAT, you can still connect to it from anywhere in the world. You can also connect multiple servers together, and they will be able to communicate with each other. For example, you can have a server at home, and a server in the cloud, and they will be able to communicate with each other in a secured, encrypted tunnel.

In order to achieve this: * Create a Constellation network in your main server * Create a lighthouse type of device * Download the config file, and upload it to your secondary server * Add devices on your main server to connect

A simple $5 DigitalOcean droplet can be used as a lighthouse, and you can connect to your home server from anywhere securely. It is also important as of 0.10 that you create the lighthouses before connecting the clients (this will be further improved in the future).

Do not use a firewall to isolate the private server completely, as it will block even the traffic that "respond" to outbound traffic. Instead, use the firewall to block inbound traffic on your public IP, for all port except 4242.

Gateway proxies

Additionally to being a lighthouse, your public server can be used as a gateway to your private assets. Either a secured gateway (within Constellation) or a gateway accepting outside connection. In order to do so, please refer to the URLs section, the part about chaining proxies.

Securing your containers

One appeal of Constellation is the integration to the reverse proxy and the ability to secure your URLs.

Doing so is extremely easy. In your URL management screen, an option called "Restrict to Constellation network" is available. If you enable it, then only devices connected to your network will be able to access this URL. This is useful to expose private URLs to your network.

DNS and Constellation

Constellation has its own internal DNS server. This means that you can use Constellation as an alternative to PiHole and Adguard. You can add ads block lists, and also add your own custom DNS records. This is useful to expose private URLs to your network.

The Constellation private DNS is also integrated to your reverse proxy: Whenever you connect to your constellation, it will overwrite all your URL to use your constellation IPs instead of your public IP. This way, all your connections will be secured through your VPN tunnel.

You can setup your DNS entries in the DNS tab of the constellation page.

P2P and Meshing

Since Constellation is a P2P meshing VPN, it also means that your devices can connect to each other directly. This is useful if you want for example to share some samba shares between your devices, or even play LAN games. Always remember to use the Constellation IP of your devices when doing so, in order for the connection to work.

Tunneling

When creating a URL, you have an option to tunnel the connection through your constellation network. This is useful if you want to expose a private URL to the public, or if you want to expose your home server to the public, but still want to secure it through strong encryption and gateway proxies.

Once you have your two Cosmos instances connected, you can create a URL on your private server, and tunnel it through your public server.

Common setup: Home server behind CGNAT with lighthouse

This is a common setup for people who want to connect to their home server from anywhere in the world. This is also useful if you have multiple servers and want to connect them together. Finally it will also allow you to expose services hosted on your home server to the public, while hiding your home server IP.

Setup

  1. Create a Constellation network on your home server

Create a Constellation network on your home server. Make sure you set your home server as private!

Setup

  1. Create a lighthouse on a public server

Assuming you have ordered a small (you really don't need much) server from your favourite provider (Digital Ocean works well), create a Device on your home server for this lighthouse. Do not edit the "Constelltion IP" field. But edit the "public hostname" field to be the IP of your public server. Also enable the relay option.

Setup

  1. Upload the config to your public server

After setting up another basic Cosmos instance on your VPS, go to the Constellation page, and upload the config file you downloaded from your home server (at the top of the page you see an upload button). This will connect your public server to your home server.

  1. Create a device on your phones and computers

Create devices for each of your phones and computers you want to connect to your server. You can use the QR code to connect your phone, and the file to connect your computer.

Setup

Now you are done! If you go outside and enable 5g on your phone, you should be able to connect to your home server even thought you are not home. The connection will be secured, and you will be able to access all your services with the same domain name as if you were at home.

  1. (Optional) Expose services

If you want to expose services on your home server to the public, you can do so by creating URLs and tunneling them through your public server. This way, you can expose services without exposing your home server IP.

First, create a URL on your home server as if you were simply exposing it to your network. Then, edit the URL and enable the "Tunnel through Constellation" option, and select your public server as the gateway. In the hostname field, set the public hostname that you want to use. It should either be the IP of your public server (with a free port) or a domain name that points to your public server.

Setup

Then you can access your service from anywhere in the world using that hostname, and it will be secured through your VPN tunnel.

Troubleshoots

Basic information

If you have trouble connecting to your network, here are some basic information to check:

  • The VPN is running on the 192.168.201.xxx range, your home server should have the ip 192.168.201.1, while other devices will have an IP as shown in the Constellation tab
  • The VPN is using the port 4242, and the Internal DNS is using :53. Make sure that this port is open on your server, and that it is not blocked by your firewall
  • The VPN and its DNS are using the UDP protocol. Make sure that your firewall is not blocking UDP traffic
  • You have logs available specific to the VPN in each clients/server's Constellation tab. If you have trouble connecting, you can check the logs to see what is going wrong. You should ideally see "Handshake Received" in the logs of the VPN, indicating that the connection was successful to this particular node.
  • If you are using a lighthouse, keep in mind that nodes might take up to 2 minutes to connect to the lighthouse. If you are using a lighthouse, make sure that the lighthouse is connected to the network before connecting the clients.

### I cannot connect to Constellation

If the app struggle to establish a connection:

  • if you have never been able to connect, make sure that the port 4242 is open on your server / firewall and that the UDP protocol is allowed. If it is, consider resetting the VPN service completely and resyncing your devices

  • if you were able to connect before, but now you can't, see if anything changed in your setup. If not, consider restarting (not resetting) the VPN service on both your lighthouses and home server (can be done easily in the Constellation tab). Also consider restarting the client apps on your devices.

I can connect to Constellation, but I cannot access Internet

This usually means that while Constellation is working, the DNS is not. This can be due to a misconfiguration in the DNS settings, firewalls, or a clash with another DNS server.

  • Check the Cosmos master server logs for any errors related to the DNS
  • Check your firewall settings to make sure that the DNS port is open (in UDP)
  • Check that there isn't another DNS server running on the same port. If you are using Linux, you usually have either systemd-resolved or dnsmasq running. You can disable them by running sudo systemctl stop systemd-resolved and sudo systemctl disable systemd-resolved for systemd-resolved, and sudo systemctl stop dnsmasq and sudo systemctl disable dnsmasq for dnsmasq. You can also change the port of the DNS in the Constellation tab, but you will need to restart the VPN service for the changes to take effect.

I can connect to Constellation, how do I access my services?

Constellation have a system that automatically remap DNS to point to your server. That includes hostnames for devices names, but also all the URLs you have created in your server.

If you access jellyfin.myserver.com, it will automatically point to the constellation IP of your server. This is useful to secure your connection, without having to remember two set of URLs.

If you are using IPs to connect to your server, consider switching to *.local domain (added in 0.16.0) - but ultimately you can access your server with 192.168.201.1:{port} (the master IP is always 192.168.201.1).

DNS and Constellation

As mentioned earlier, if you are using a DESKTOP Distro, you might have a DNS server running on your machine. This can cause conflicts with the DNS server of Constellation. You can either disable the DNS server on your machine, or change the port of the DNS server in the Constellation tab. You will need to restart the VPN service for the changes to take effect.

  1. Stop the DNS server on your machine

If you are using systemd-resolved, you can stop it by running sudo systemctl stop systemd-resolved and sudo systemctl disable systemd-resolved. If you are using dnsmasq, you can stop it by running sudo systemctl stop dnsmasq and sudo systemctl disable dnsmasq.

  1. Ubuntu and other systemd-resolved based systems needs to have a new DNS server

If you are runnign a systemd-resolved, the OS will continue to try to resolve the DNS server you just stopped, so we need to fix that.

First of, rm the symlink to /etc/resolv.conf: sudo rm /etc/resolv.conf

Then, create a new /etc/resolv.conf file with the following content:

For Google DNS:

nameserver 8.8.8.8
nameserver 8.8.4.4

For Cloudflare DNS:

nameserver 1.1.1.1
nameserver 1.0.0.1

(those are the public DNS of Google and Cloudflare, they are recommended to use as they are fast and reliable)

  1. Test DNS Resolution
dig example.com
ping google.com