fastd
Establish secure, encrypted VPN tunnels
TLDR
Start fastd with a specific configuration file
Start a Layer 3 VPN with an MTU of 1400, loading the rest of the configuration parameters from a file
Validate a configuration file
Generate a new keypair
Show the public key corresponding to the private key in a configuration file
Show the current version
SYNOPSIS
fastd [options]
PARAMETERS
-c config_file, --config config_file
Specifies the path to the main configuration file. This is usually required.
-d, --daemon
Runs fastd in daemon mode, detaching from the controlling terminal.
-p pid_file, --pid-file pid_file
Writes the daemon's process ID (PID) to the specified file.
-u user, --user user
Drops privileges to the specified user after initialization. Requires running as root initially.
-g group, --group group
Drops privileges to the specified group after initialization. Often used with --user.
-s socket_path, --status-socket socket_path
Creates a Unix domain socket at the given path for status queries and control.
-L level, --log-level level
Sets the verbosity level for logging. Possible values include error, warn, info, debug, and verbose.
-v, --version
Displays version information for fastd and exits.
-h, --help
Shows a brief help message with available command-line options and exits.
DESCRIPTION
fastd is a user-space VPN daemon designed for creating fast, secure, and low-overhead encrypted tunnels between network nodes. It excels in scenarios requiring high performance, such as mesh VPN networks, IoT deployments, or embedded systems. fastd primarily uses UDP as a transport protocol and supports modern cryptographic algorithms like Curve25519 for key exchange and Poly1305 for authentication, ensuring strong security. It can operate over tap (Layer 2 Ethernet) or tun (Layer 3 IP) devices, allowing for flexible network configurations, including both IPv4 and IPv6.
Unlike some more feature-rich VPN solutions, fastd focuses purely on establishing the secure, encrypted tunnel, leaving higher-level network configurations (like routing or firewall rules) to be managed separately by the system. Its modular design and emphasis on cryptographic agility make it a robust choice for building decentralized and resilient network infrastructures.
CAVEATS
fastd requires careful configuration, particularly concerning its network interfaces (tap or tun devices) and peer definitions. While it provides the secure tunnel, managing IP addressing, routing, and firewall rules for the virtual network interface must be handled separately using standard Linux networking tools (e.g., ip command or network manager services). For dynamic peer discovery or complex mesh networks, external scripts or services might be needed to update the fastd configuration or interact with its status socket.
CONFIGURATION FILE IMPORTANCE
fastd's primary mode of operation is driven by its configuration file (typically /etc/fastd/fastd.conf or within /etc/fastd/ includes). This file defines virtually all aspects of its behavior, including the listening address, interface type (tap/tun), peer public keys, shared secrets, cryptographic methods, and various scripting hooks. A correct and secure configuration is crucial for its proper functioning.
CRYPTOGRAPHIC PRIMITIVES
fastd distinguishes itself by relying on modern and robust cryptographic primitives. It primarily uses Curve25519 for elliptic curve Diffie-Hellman key exchange, which provides forward secrecy, and Poly1305 for message authentication codes (MACs), often combined with AES or ChaCha20 for encryption. This choice of algorithms contributes to its speed and security profile.
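The configuration-file and cryptographic-method sections above both come down to a handful of directives that decide whether the tunnel is actually secure: which method is chosen, where the private key lives, and whether the daemon drops root. The script below is an added example, not part of fastd or its documentation. It writes two constructed configurations (a weak one and a hardened one) plus one peer file into a temporary directory and runs a small lint over them, so it executes without fastd installed. The directive names (method, secret, user, group, include peers from, key, remote) and the method name salsa2012+umac follow fastd's configuration syntax as the author of this example understands it; the 64-character keys are zero-filled placeholders, and lint_fastd_conf is a hypothetical helper, not a fastd feature.

```shell
#!/bin/sh
# Added example: lint two constructed fastd configurations for the settings that
# matter most for security. Nothing here is fastd's own code.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/peers"

# Placeholder key material (real keys come from `fastd --generate-key`).
SECRET_PLACEHOLDER=$(printf '%064d' 0)
PUBKEY_PLACEHOLDER=$(printf '%064d' 1)

# Weak configuration (constructed): the "null" method gives neither encryption
# nor authentication, no privilege drop, and the file holding the secret is
# world-readable.
cat > "$WORK/weak.conf" <<EOF
log level info;
interface "fastd0";
mode tun;
mtu 1400;
bind any:10000;
method "null";
secret "$SECRET_PLACEHOLDER";
include peers from "peers";
EOF
chmod 644 "$WORK/weak.conf"

# Hardened configuration (constructed): authenticated encryption, unprivileged
# user and group after initialization, secret readable only by its owner.
cat > "$WORK/good.conf" <<EOF
log level info;
interface "fastd0";
mode tun;
mtu 1400;
bind any:10000;
method "salsa2012+umac";
user "nobody";
group "nogroup";
secret "$SECRET_PLACEHOLDER";
include peers from "peers";
EOF
chmod 600 "$WORK/good.conf"

# Peer definition: only the peer's public key and endpoint, never a secret.
cat > "$WORK/peers/node1" <<EOF
key "$PUBKEY_PLACEHOLDER";
remote "node1.example" port 10000;
EOF

# lint_fastd_conf FILE: hypothetical helper. Reports findings on stderr and
# prints the number of findings on stdout (0 means nothing flagged).
lint_fastd_conf() {
    f=$1; n=0; dir=$(dirname "$f")
    if grep -Eq '^[[:space:]]*method[[:space:]]+"null"' "$f"; then
        echo "$f: method \"null\" carries traffic without encryption or a MAC" >&2
        n=$((n+1))
    fi
    # A file that contains the private key must not be group- or world-readable.
    if grep -Eq '^[[:space:]]*secret[[:space:]]+"' "$f" \
        && [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$f: holds a secret but is readable by group or others" >&2
        n=$((n+1))
    fi
    if ! grep -Eq '^[[:space:]]*user[[:space:]]+"' "$f"; then
        echo "$f: no user directive, daemon keeps root after initialization" >&2
        n=$((n+1))
    fi
    # Peer files are often synced from other nodes; they must never carry a secret.
    if grep -Eqs '^[[:space:]]*secret[[:space:]]+"' "$dir"/peers/* 2>/dev/null; then
        echo "$f: a peer file contains a secret; peers hold only key and remote" >&2
        n=$((n+1))
    fi
    echo "$n"
}

weak_findings() { lint_fastd_conf "$WORK/weak.conf" 2>/dev/null; }
good_findings() { lint_fastd_conf "$WORK/good.conf" 2>/dev/null; }

# Stand-alone run: show the findings for both configurations.
echo "weak.conf findings: $(lint_fastd_conf "$WORK/weak.conf")"
echo "good.conf findings: $(lint_fastd_conf "$WORK/good.conf")"
```

Run it as a script; it prints the findings for the weak configuration (three of them) and none for the hardened one. The same checks apply to a real deployment: keep the secret in a root-owned 0600 file, put only key and remote lines into the peer directory that gets distributed, pick an authenticated method, and let fastd drop to an unprivileged user and group (equivalently, the --user and --group options from PARAMETERS) once the tap or tun device is set up.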
HISTORY
fastd was developed by the Freifunk community, a grassroots initiative for building decentralized wireless networks. It emerged as a response to the need for a more performant, lightweight, and cryptographically modern VPN solution compared to existing options like OpenVPN, which could be resource-intensive for embedded devices and high-speed mesh links. Its development began in the early 2010s, with a focus on low latency and efficient use of system resources, making it ideal for the infrastructure of community-driven mesh VPNs.