zrok VPN Guide
zrok VPN backend allows for simple host-to-host VPN setup.
Operating System Requirements
zrok VPN requires elevated privileges to manage network devices.
Windows
On Windows, you must run zrok VPN commands as an administrator and install Wintun by placing wintun.dll (download link) in the same directory as the zrok.exe executable.
Linux
On Linux, the simplest way to grant the necessary privileges is to run zrok VPN commands as root. You can enable a separate environment for root by also running zrok enable as the root user, or you can prefix the commands like sudo -E to allow zrok running as root to use the zrok environment owned by the current user. The minimum privilege is runing zrok VPN commands and the ip command with the NET_ADMIN kernel capability. The zrok-share.service unit has a commented example to grant NET_ADMIN as an Ambient Capability.
macOS
On macOS, you must run zrok VPN commands as root. You can prefix the zrok command with sudo -E to allow zrok running as root to use the zrok environment owned by the current user.
Start the VPN Server
VPN is shared through the vpn backend of zrok command.
eugene@hermes $ sudo -E zrok share private --headless --backend-mode vpn
[   0.542]    INFO sdk-golang/ziti.(*listenerManager).createSessionWithBackoff: {session token=[589d443c-f59d-4fc8-8c48-76609b7fb402]} new service session
[   0.705]    INFO main.(*sharePrivateCommand).run: allow other to access your share with the following command:
zrok access private 3rq7torslq3n
[   0.705]    INFO zrok/endpoints/vpn.(*Backend).Run: started

sudo or equivalent invocation is required because VPN mode needs to create a virtual network device (tun)
-E option allows zrok to find your zrok configuration files (in your $HOME/.zrok)
By default vpn backend uses subnet 10.122.0.0/16 and assigns 10.122.0.1 to the host that stared VPN share.
Example output from ifconfig:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 16384
        inet 10.122.0.1  netmask 255.255.0.0  destination 10.122.0.1
        inet6 fe80::705f:24e4:dcfc:a6b2  prefixlen 64  scopeid 0x20<link>
        inet6 fd00:7a72:6f6b::1  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27  bytes 3236 (3.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Default IP/subnet setting can be overridden by adding <target> parameter:
sudo -E zrok share private --headless --backend-mode vpn 192.168.42.12/24
Create a Persistent VPN Share Name
As with all backend modes, you can create a private share using a custom share token.
In v2.0, use the --share-token flag to create a VPN share with a custom name:
eugene@hermes $ sudo -E zrok share private --backend-mode vpn --share-token my-vpn --headless
[   0.542]    INFO sdk-golang/ziti.(*listenerManager).createSessionWithBackoff: {session token=[589d443c-f59d-4fc8-8c48-76609b7fb402]} new service session
[   0.705]    INFO main.(*sharePrivateCommand).run: allow other to access your share with the following command:
zrok access private my-vpn
[   0.705]    INFO zrok/endpoints/vpn.(*Backend).Run: started
The share token my-vpn will persist across share restarts. When using the zrok agent, shares with --share-token automatically restart after abnormal exit or agent restart.
In zrok v1.x, you would use zrok reserve private --backend-mode vpn followed by zrok share reserved <token>. The v2.0 approach with --share-token provides the same persistence with a simpler workflow.
Access the VPN Share
Use the share token (either the randomly generated one or your custom --share-token) to access the VPN:
eugene@calculon % sudo -E zrok access private --headless my-vpn
[   0.201]    INFO main.(*accessPrivateCommand).run: allocated frontend '50B5hloP1s1X'
[   0.662]    INFO main.(*accessPrivateCommand).run: access the zrok share at the following endpoint: VPN:
[   0.662]    INFO main.(*accessPrivateCommand).run: 10.122.0.1 -> CONNECTED Welcome to zrok VPN
[   0.662]    INFO zrok/endpoints/vpn.(*Frontend).Run: connected:Welcome to zrok VPN
zrok creates a virtual network device, i.e., a "tun" interface, when you run zrok access.
Example output from ifconfig run on a VPN client device:
utun5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.122.0.3 --> 10.122.0.1 netmask 0xff000000
        inet6 fe80::ce08:faff:fe8a:7b25%utun5 prefixlen 64 scopeid 0x14
        nd6 options=201<PERFORMNUD,DAD>
At this point a VPN tunnel is active between your server and client.
In the example above server is hermes(10.122.0.1) and client is calculon(10.122.0.3).
All devices in the VPN can access one another by IP address.
eugene@calculon ~ % ssh eugene@10.122.0.1
Welcome to Ubuntu 23.10 (GNU/Linux 6.5.0-27-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
0 updates can be applied immediately.
Last login: Tue Apr 16 09:27:13 2024 from 127.0.0.1
eugene@hermes:~$ who am i
eugene   pts/8        2024-04-16 10:04 (10.122.0.3)
eugene@hermes:~$
You can also make a reverse(server-to-client) connection:
eugene@hermes:~$ ssh 10.122.0.3
Last login: Tue Apr 16 09:57:28 2024
eugene@calculon ~ % who am i
eugene           ttys008      Apr 16 10:06 (10.122.0.1)