LinuxCommandLibrary

fastd

Establish secure, encrypted VPN tunnels

TLDR

Start fastd with a specific configuration file

$ fastd [[-c|--config]] [path/to/fastd.conf]

Start a Layer 3 VPN with an MTU of 1400, loading the rest of the configuration parameters from a file
$ fastd [[-m|--mode]] [tap] [[-M|--mtu]] [1400] [[-c|--config]] [path/to/fastd.conf]

Validate a configuration file
$ fastd --verify-config [[-c|--config]] [path/to/fastd.conf]

Generate a new keypair
$ fastd --generate-key

Show the public key corresponding to the private key in a configuration file
$ fastd --show-key [[-c|--config]] [path/to/fastd.conf]

Display version
$ fastd [[-v|--version]]

SYNOPSIS

fastd [-c configfile] [-d level] [-f] [-h] [-V] ...

PARAMETERS

-4
    Prefer IPv4 for outgoing connections

-6
    Prefer IPv6 for outgoing connections

-c configfile
    Read configuration from configfile (default: /etc/fastd/fastd.conf)

-d level
    Set log level (0-15, default: 4)

-f
    Run in foreground, don't daemonize

-h
    Print help and exit

-l level
    Set syslog log level (0-7)

-p pidfile
    Write PID to pidfile

-v
    Increase verbosity (incremental)

-V
    Print version and exit

--help
    Print extended help

--config configfile
    Synonym for -c

--daemon
    Explicitly daemonize (default)

DESCRIPTION

fastd is a lightweight, high-performance VPN daemon for Linux, optimized for wireless mesh networks like Freifunk. It provides secure point-to-point or site-to-site tunnels using modern cryptography libraries such as libsodium or Libgcrypt. Key features include fast key exchanges via Noise protocol variants, support for roaming clients, multiple transport backends (UDP, TCP), and flexible peer authentication with public keys or PSK.

Unlike heavier VPN solutions like OpenVPN or IPsec, fastd focuses on speed and low overhead, making it ideal for embedded devices or high-latency links. It creates virtual TUN interfaces, routes traffic securely, and handles peer discovery dynamically. Configuration is declarative via JSON-like files, allowing modular backends for encryption, handshakes, and peers.

Common use cases: mesh VPNs, fastd over BATMAN-adv, or mobile hotspots. It requires root privileges and kernel TUN support.

CAVEATS

Requires root or CAP_NET_ADMIN; needs TUN device (/dev/net/tun); UDP ports must be open; config syntax errors cause silent failure.
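
A preflight check that combines the --verify-config step from the TLDR section with the caveat above about configuration errors. This is an added example, not code from this page or from the fastd project. The function names are hypothetical, and it assumes the private key is stored in the configuration file as a `secret "...";` line and that fastd exits non-zero when --verify-config rejects a file.

```shell
#!/bin/sh
# Added example: checks to run before starting fastd with a given config file.
# Assumption: the private key is stored in the config as a `secret "...";` line.

# Return 0 if the file is safe to hold a private key, 1 otherwise.
check_secret_perms() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    # A file without key material (e.g. a peer file with only public keys)
    # does not need restrictive permissions.
    grep -Eq '^[[:space:]]*secret[[:space:]]+"' "$conf" || return 0
    mode=$(stat -c '%a' "$conf") || return 1
    # The last two octal digits are the group and other bits; both must be 0.
    case $mode in
        *00) return 0 ;;
        *)   echo "$conf: mode $mode exposes the private key" >&2; return 1 ;;
    esac
}

# Return 0 only if permissions are tight and fastd accepts the config.
# 1 = unsafe permissions, 2 = fastd not installed, 3 = config rejected.
preflight() {
    conf=$1
    check_secret_perms "$conf" || return 1
    if ! command -v fastd >/dev/null 2>&1; then
        echo "fastd not found in PATH" >&2
        return 2
    fi
    # Check the exit status explicitly instead of relying on log output
    # (assumes a non-zero exit on a rejected config).
    fastd --verify-config --config "$conf" || {
        echo "config rejected: $conf" >&2
        return 3
    }
}

# Typical use from a start script:
#   preflight /etc/fastd/fastd.conf && fastd --config /etc/fastd/fastd.conf
```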

CONFIG BASICS

Uses JSON-like config: mode tap/tun, bind any:10000, peers with key "pubkey".

BACKENDS

Supports crypto backends (libsodium, openssl), methods like noise_static for handshakes.

HISTORY

Developed since 2012 by Matthias Schmale for Freifunk mesh networks; active maintenance with v22+ supporting Noise protocols; widely used in community wireless projects.

SEE ALSO

tun(4), ip(8), batctl(8), wg(8)
