Using Zerops VPN
At Zerops, security is our core priority. We ensure everything stays within a private network with zero exposure to the internet. Unlike typical consumer VPNs that focus on changing your public IP address, our WireGuard VPN implementation is specifically designed to give you secure access to your project's services.
Prerequisites
Before getting started, ensure you have:
- WireGuard installed on your system
- zCLI (serves as the WireGuard client)
- A Zerops project with at least one service
Usage
You can interact with services within your project and even establish SSH connections to your services after connecting to the project through the VPN.
Start VPN
Connects to the Zerops VPN.
Flags:
- --auto-disconnect: Automatically disconnect from VPN if already connected
- --help: Display help for the vpn up command
- --mtu int: Set custom MTU value for WireGuard interface (default: 1420)
- -P, --project-id string: Required when you have access to multiple projects
To connect to a specific project without using the interactive mode, use the project ID from your Zerops dashboard:
First-time zcli vpn up usage requires installing the Zerops VPN daemon. Confirm with y when prompted (administrator privileges may be required).
Upon connection, you'll have secure access to your project's private network with the following characteristics:
- All services are accessible via their hostnames
- Only one project connection is possible at a time (new connections automatically close existing ones)
- The VPN daemon maintains connection stability with automatic reconnection
- Environment variables are not available through VPN connections
Stop VPN
Disconnects from the Zerops VPN.
Flags:
- --help: Display help for the vpn down command
Troubleshooting
1. Interface Already Exists
Problem: When running zcli vpn up, you get an error like:
Solution: Reset the VPN connection by running:
2. Hostname Resolution
Problem: Even with VPN successfully connected, hostname resolution fails with errors like:
- The issue is known to happen rarely on Windows
Solution: Append .zerops to the hostname, even when VPN shows as connected:
In the Advanced TCP/IP Settings dialog, navigate to the DNS tab and confirm that "zerops" appears in the "Append these DNS suffixes (in order)" list. If missing, add it using the Add button.
3. WSL2 VPN Connection
Problem: VPN not running in WSL2
Solution: This might occur because systemd is not running in WSL2 by default. To fix:
- Run sudo -e /etc/wsl.conf
- Add systemd=true to the [boot] section
- Comment out the first line LABEL=cloudimg-rootfs / ext4 defaults 0 1
- In cmd.exe/PowerShell, run wsl --shutdown to restart WSL2
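A pre-flight check for the WSL2 case above, added here as an example (it is not part of zCLI or the Zerops documentation): it parses a wsl.conf-style file, reports whether systemd=true is set under [boot], and then checks whether PID 1 is actually systemd. The function names and the --check argument are hypothetical.

```shell
#!/bin/sh
# Added example: verify the WSL2 systemd setting before running zcli vpn up.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Comments (# or ;), blank lines, CRLF endings and padding are ignored;
# if the key appears more than once in the section, the last one wins.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^[#;]/ || /^$/ { next }
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == want_sec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == want_key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 if FILE enables systemd, 1 if it does not, 2 if FILE is unreadable.
wsl_systemd_enabled() {
    [ -r "${1:-/etc/wsl.conf}" ] || return 2
    [ "$(ini_get "${1:-/etc/wsl.conf}" boot systemd)" = "true" ]
}

# Return 0 when PID 1 of the running distribution is systemd.
pid1_is_systemd() {
    [ "$(ps -p 1 -o comm= 2>/dev/null)" = "systemd" ]
}

# Print a one-line diagnosis; non-zero exit means the VPN daemon cannot start.
wsl_vpn_precheck() {
    if ! wsl_systemd_enabled "${1:-/etc/wsl.conf}"; then
        echo "systemd=true is not set under [boot] in ${1:-/etc/wsl.conf}"
        return 1
    fi
    if ! pid1_is_systemd; then
        echo "config is set but PID 1 is not systemd; run wsl --shutdown from Windows"
        return 1
    fi
    echo "systemd is running"
}

# Stand-alone use: sh thisfile.sh --check [path-to-wsl.conf]
if [ "${1:-}" = "--check" ]; then wsl_vpn_precheck "${2:-/etc/wsl.conf}"; fi
```

A key placed in the wrong section, commented out, or misspelled fails the first check, which separates a configuration mistake from a WSL instance that simply has not been restarted yet.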
4. VPN Connection Conflicts
Problem: When another VPN connection is active concurrently with Zerops VPN, users may experience degraded network performance or connection timeouts due to packet fragmentation issues.
Solution: Run the VPN with a reduced MTU (Maximum Transmission Unit) size:
This resolves packet size conflicts that can occur when multiple VPN connections are active simultaneously.
Enhanced Security with WireGuard
Zerops uses WireGuard to create secure VPN tunnel connections to your project's private network. This provides enhanced security compared to traditional SSH connections.
WireGuard eliminates the need for passwords or IP address management that SSH typically requires. As a free, lightweight, open-source communication protocol, WireGuard employs advanced cryptography to establish secure connections.
The system creates encrypted tunnels using UDP for traffic transmission and relies on public/private key pairs for user authorization.
Each Zerops project runs a WireGuard server, while the zCLI (Zerops Command Line Interface) functions as a WireGuard client. This architecture enables authorized users to securely interact with their Zerops projects through the command line interface.