---
title: Building a VPN with an AMPRNet BGP allocation
description: A quick guide on using your shiny new AMPRNet allocation
date: 2023-07-07
draft: false
extra:
auto_center_images: true
excerpt: A guide on setting up a VPS, announcing a prefix over BGP, and using it as a VPN server
discuss:
reddit: https://www.reddit.com/r/ewpratten/comments/14tdltu/building_a_vpn_with_an_amprnet_bgp_allocation/
hacker_news: https://news.ycombinator.com/item?id=36635146
uses:
- mermaid
aliases: []
---
One of the most common emails I receive from readers of this website generally starts with:
```text
Subject: I got an AMPRNet allocation. How do I use it for a VPN?
```
I generally answer with an off-the-top-of-my-head guide on how to get started, but I figured it was about time to write a proper guide on how to use an AMPRNet BGP allocation to set up a simple VPN server.
This post is aimed at *licensed amateur radio operators* who are wanting to get some [AMPRNet](https://en.wikipedia.org/wiki/AMPRNet) IPs for large-ish-scale use (for example, providing static IPs to club members). If you are just looking for one or two static addresses, BGP likely isn't for you. I'd recommend reading the wiki entries on [setting up a Linux gateway](https://wiki.ampr.org/wiki/Setting_up_a_gateway_on_Linux) instead.
## Prerequisites
Following this guide requires a few things:
- AMPRNet membership
- A BGP allocation (a `/24` or larger block of addresses)
- Some money (~$5 USD/mo)
- Basic Linux knowledge
Through the process of getting your BGP allocation, you will have also received a *Letter Of Authorization* (LOA) for your IP block. This document will be important later on.
**Important note for people that don't have an ASN**
During the BGP allocation request process, you'll be asked for "Network Service Provider (NSP) details". If you don't hold an [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), you'll need to use these details for this guide:
```text
name: The Constant Company, LLC
ASN: AS20473
NOC email: network@constant.com
NOC telephone: +1-973-849-0500
Postal address: 319 Clematis St. Suite 900, West Palm Beach FL, USA
```
## Bringing up your VPN server
This guide will set up a VPN network in roughly the following configuration:
graph LR
Internet --- Vultr[Vultr's Network]
Vultr ---|BGP| VPS[Your Server]
VPS ---|VPN| Client1((Client 1))
VPS ---|VPN| Client2((Client 2))
VPS ---|VPN| Client3((Client 3))
I, and many other hams, choose to use [Vultr](https://www.vultr.com/?ref=8932365) as a server host for this purpose because they offer a free [bring your own IP](https://www.vultr.com/features/bgp/?ref=8932365) service.
People with more complex networks or more networking experience may choose to co-locate their own hardware somewhere and use a "real" transit provider, but those people also probably shouldn't need this guide in the first place.
### Enabling BGP support on your Vultr account
By default, Vultr accounts do not have BGP service enabled. This must be done via the [BGP setup form](https://my.vultr.com/bgp/setup/?ref=8932365).
In this form, you'll need to provide the following information:
- Use a `private` AS number unless you have your own from an RIR
- No need to provide a `BGP password` if asked
- Prefixes: Whatever your AMPRNet allocation is
- Usage: Some sort of description of what you're doing with your allocation
- Routes: Default route is fine
- Attach the LOA your received from the AMPRNet allocation process
This process opens a ticket with Vultr support. They will review your request and enable BGP on your account. This process can take a few days.
### Setting up your server
Now the fun begins. [Create a new deployment](https://my.vultr.com/deploy/?ref=8932365), and choose the following options:
- **Choose Server**: Cloud Compute
- **CPU & Storage Technology**: Intel Regular Performance
- **Server Location**: Whatever is closest to you
- **Server Image**: Debian
- **Server Size**: Any size is OK. I personally like using the $5/mo option
- **Auto Backups**: Not required, but OK to enable if you'd like
## Configuring BGP
*For this section, you'll need to head to the **BGP** tab in your new server's settings and note the information presented to you.*
SSH in to your new server as `root` to get started. Default account credentials are shown on the **Overview** page of your server's settings.
By default, your server does not know how to communicate using the BGP protocol. To get it "talking" with the Vultr routers, you'll need to install a software package called Bird.
```sh
apt update
apt install bird2
```
Bird uses a configuration file stored at `/etc/bird/bird.conf`. Its default contents are useless to us, so we can wipe it out and start fresh.
```sh
rm /etc/bird/bird.conf
touch /etc/bird/bird.conf
```
Before editing, you need to know the IPv4 address that was assigned to your server by Vultr. Obtain this by running the following command and noting the first address of the `enp1s0` interface.
```sh
ip -br a
```
Running this on my test server presented the following response:
```text
root@ampr-test:~# ip -br a
lo UNKNOWN 127.0.0.1/8 ::1/128
enp1s0 UP 100.68.4.196/18 2001:19f0:1000:23e6:5400:4ff:fe7f:e894/64 fe80::5400:4ff:fe7f:e894/64
```
So I'd use `100.68.4.196` as my server's IPv4 address.
With all our information gathered, It's time to configure Bird.
### Configuring Bird
Open `/etc/bird/bird.conf` in your favorite text editor and add the following contents. Remember to replace marked sections with your own information gathered from previous steps.
```conf
router id ; # Replace with your server's IPv4 address
protocol device {}
protocol direct {
ipv4;
interface "vpn";
}
protocol bgp vultr {
local as ; # Replace with the "Instance ASN" from the BGP tab
neighbor as ; # Replace with the "Vultr IPv4" and "Vultr ASN" from the BGP tab
multihop 2;
password ""; # Replace with the "BGP Password" from the BGP tab
graceful restart;
ipv4 {
import none;
export where net ~ [ ]; # Replace with your AMPRNet prefix (including the prefix length (for example /24))
};
}
```
Now, save that file, and run the following command to reconfigure Bird:
```sh
birdc c
```
Waiting a few seconds then running `birdc s p` should list Vultr as `Established`.
## Bringing up your VPN
Now that your server is communicating with Vultr, its time to set up the VPN. For this, we will be using [WireGuard](https://www.wireguard.com/). Install with:
```sh
apt install wireguard-tools
```
Firstly, you will need to generate a private key for your server. This can be done with the following command:
```sh
wg genkey
```
Keep note of the result, then start configuring WireGuard by editing `/etc/wireguard/vpn.conf`.
```ini
[Interface]
PrivateKey = # Use the value you just generated
Address = # Use the first host address in your AMPRNet prefix, and include a prefix length (for example /24)
ListenPort = 51820
PostUp = sysctl -w net.ipv4.conf.all.forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
```
The process for adding new clients to this file is exactly the same as any other standard wireguard deployment. For example, if your prefix was `44.0.0.0/24`, a new client definition might look like this:
```ini
[Peer]
PublicKey =
AllowedIPs = 44.0.0.2/32
PersistentKeepalive = 25 # Use this if the client is behind a NAT
```
On the client side, configuration is nearly the same as a standard WireGuard deployment **except** the `AllowedIPs` block for the server must be `0.0.0.0/0`. An example client configuration might look like this:
```ini
[Interface]
PrivateKey =
Address = 44.0.0.2/24
[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0
Endpoint = :51820
PersistentKeepalive = 25 # Use this if the client is behind a NAT
```
With the server configured, start WireGuard with:
```sh
ufw allow 51820/udp
systemctl enable wg-quick@vpn
systemctl start wg-quick@vpn
```
## Verify it works
Once everything is configured and running, you can use Bird to check that the prefix is being advertised to Vultr.
```sh
birdc show route export vultr
```
Your AMPRNet prefix should be listed in the output.
You can also head to [bgp.tools](https://bgp.tools) and search your prefix to see how its being advertised to the world from Vultr's routers.