VPN

The Collectu Hub provides a secure WireGuard VPN server, allowing you to safely connect to your devices from anywhere.

Info
WireGuard is a modern, high-performance VPN solution that is simple to configure and highly secure. It uses state-of-the-art cryptography and minimal code, making it faster and safer than traditional VPN protocols.

Concept

Every user and every organization has its own interface on the Collectu VPN server.

The Collectu VPN server does not forward traffic to IP addresses other than those in the interface's subnet (e.g. 10.11.12.0/24).

Installation

  1. Install the WireGuard client on your device: https://www.wireguard.com/install/
  2. Log in to your Collectu Hub profile and navigate to VPN.
  3. Set a name and click Create Peer.
  4. Download the generated configuration file (.conf) or scan the QR code (for mobile devices).
  5. Import the configuration into your WireGuard client and activate the VPN connection.

Security
  • Keep your WireGuard client up to date to receive security patches.
  • Never share your VPN configuration file or private keys with anyone.
  • Disconnect from the VPN when not in use to reduce your attack surface.
  • Use unique peer configurations for each device - do not reuse keys.
  • Regularly audit active peers and remove unused configurations from the Collectu Hub.

Windows Configuration Guide

Info
Replace the IP 10.11.12.0/24 with your actual VPN interface subnet when configuring firewall and connection settings. You can find your subnet in the Collectu Hub under VPN settings.

Enable ICMP (Ping) for VPN Subnet

Allowing ICMP traffic enables ping requests for network troubleshooting and connectivity verification within the VPN subnet.

The following commands enable inbound ICMPv4 echo requests (ping) specifically for your VPN subnet. Run these commands in PowerShell as Administrator:

English: Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -Profile Any -Enabled True -RemoteAddress 10.11.12.0/24

German: Set-NetFirewallRule -DisplayName "Datei- und Druckerfreigabe (Echoanforderung - ICMPv4 eingehend)" -Profile Any -Enabled True -RemoteAddress 10.11.12.0/24

Windows Remote Desktop Connection

These commands restrict Remote Desktop Protocol (RDP) access exclusively to devices connected through the VPN, significantly enhancing security by preventing unauthorized access from the public internet.

Enable all firewall rules in the "Remote Desktop" group for the VPN subnet 10.11.12.0/24. Only devices within this IP range will be able to establish RDP connections:

English: Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True -Profile Any -RemoteAddress 10.11.12.0/24

German: Set-NetFirewallRule -DisplayGroup "Remotedesktop" -Enabled True -Profile Any -RemoteAddress 10.11.12.0/24

Set Network Profile and Start Remote Desktop Service

The following commands configure the network profile as Private (required for local network firewall rules) and ensure that the Remote Desktop service is running.

Step 1: List all network interfaces to identify your VPN interface name: Get-NetConnectionProfile

Step 2: Set the VPN interface to Private network profile (replace peer-1 with your actual VPN interface name from Step 1): Set-NetConnectionProfile -InterfaceAlias "peer-1" -NetworkCategory Private

Enable Remote Desktop via Registry

These registry modifications ensure that Remote Desktop is enabled at the system level, which is necessary even if it was previously disabled through Windows Settings.

Check the current Remote Desktop status (1 = disabled, 0 = enabled): Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections

Enable Remote Desktop by setting the registry value to 0: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0

Start the Remote Desktop service so the changes take effect (Start-Service does not restart a service that is already running): Start-Service -Name TermService

Verify the Remote Desktop service is running: Get-Service -Name TermService

After applying these settings, your Windows device will accept Remote Desktop connections only from devices connected via the VPN subnet, while all other connection attempts will be blocked by the firewall.
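To confirm that result, the following read-only PowerShell audit (an added example, not part of the original Collectu guide) lists every enabled inbound allow rule that names port 3389 and flags any whose remote address is not limited to the VPN subnet, then summarizes the registry, service and network profile state. It assumes the guide's example values 10.11.12.0/24 and peer-1; the function name Get-RdpRuleScope is hypothetical. Run it as Administrator:

```powershell
# Added example: read-only audit of the settings applied in this guide.
# $VpnSubnet and $VpnAlias are the guide's example values; replace them with yours.
$VpnSubnet = '10.11.12.0/24'
$VpnMask   = '10.11.12.0/255.255.255.0'  # same subnet in mask notation, as Windows may report it
$VpnAlias  = 'peer-1'

function Get-RdpRuleScope {
    param([string[]]$AllowedRemote)
    # Start from the port filters so that custom rules outside the
    # "Remote Desktop" group are included. Only rules that name port 3389
    # explicitly are covered (not port ranges or "Any").
    Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -contains '3389' } |
        ForEach-Object {
            $filter = $_
            $rule   = $filter | Get-NetFirewallRule
            if ($rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow') {
                $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    Protocol      = $filter.Protocol
                    RemoteAddress = $remote -join ', '
                    # True only if every remote address is the VPN subnet
                    VpnOnly       = -not ($remote | Where-Object { $_ -notin $AllowedRemote })
                }
            }
        }
}

$rules      = @(Get-RdpRuleScope -AllowedRemote $VpnSubnet, $VpnMask)
$deny       = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections).fDenyTSConnections
$netProfile = Get-NetConnectionProfile -InterfaceAlias $VpnAlias -ErrorAction SilentlyContinue

[pscustomobject]@{
    RdpEnabled        = ($deny -eq 0)
    TermServiceStatus = (Get-Service -Name TermService).Status
    VpnProfile        = if ($netProfile) { $netProfile.NetworkCategory } else { 'interface not found' }
    RdpAllowRules     = $rules.Count
    RulesNotVpnOnly   = @($rules | Where-Object { -not $_.VpnOnly }).Count
} | Format-List

# Per-rule detail; any row with VpnOnly = False still admits RDP from outside the VPN.
$rules | Format-Table -AutoSize
```

A non-zero RulesNotVpnOnly count means at least one allow rule for port 3389 is open to addresses outside the VPN subnet and should be scoped or disabled.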


Testing VPN Connection

You can test your VPN connection using ping and traceroute commands from your client device:

  • Test connectivity to the VPN gateway (replace 10.11.12.1 with your actual gateway IP) or any other connected device: ping 10.11.12.1

  • Verify the routing path through the VPN.

    Windows: tracert 10.11.12.1

    Linux/macOS: traceroute 10.11.12.1

    Expected result: The trace should show a direct path through your WireGuard interface.

  • Show active WireGuard interfaces and peer handshake status: wg show

Info
Remember to add the Collectu Core ports to your inbound firewall if you want to access Collectu Core from another device.