Multiple VPN Connections

This guide explains how to manage multiple VPN connections simultaneously with bnerd.

Overview

You can connect to multiple VPN servers at the same time by using different WireGuard interface names. Each connection maintains its own:

  • Private/public key pair
  • WireGuard interface (e.g., bnerd0, bnerd1)
  • Configuration file
  • Routing table

Create separate config files for each VPN connection.

Setup

~/.bnerd-demo.yaml:

api-url: http://localhost:3000
token: your-demo-token
org-id: your-org-id
project-id: your-project-id

vpn:
  interface: bnerd0
  server-endpoint: 193.163.206.172:51820
  server-public-key: yW/KAr9t0cYXSRblV1Q/5IhcJlLMmoE2AAeIHnowMVY=
  client-address: 10.8.1.2/32
  allowed-ips: 10.8.1.0/24, 193.163.206.241/32

~/.bnerd-prod.yaml:

api-url: https://api.bnerd.cloud
token: your-prod-token
org-id: your-org-id
project-id: your-project-id

vpn:
  interface: bnerd1
  server-endpoint: 193.163.206.231:51820
  server-public-key: 4qspNnT0RiCHcxqm4EliGrBlQxVFKk0YgW9S1Ta2Zsw=
  client-address: 10.8.0.2/32
  allowed-ips: 10.8.0.0/24, 100.64.0.0/10

Interface names must be unique

Each VPN connection must use a different interface value (e.g., bnerd0, bnerd1).

Usage

# Connect to demo VPN
sudo bnerd --config ~/.bnerd-demo.yaml up

# Connect to production VPN
sudo bnerd --config ~/.bnerd-prod.yaml up

# Check status of demo VPN
bnerd --config ~/.bnerd-demo.yaml status

# Disconnect demo VPN
sudo bnerd --config ~/.bnerd-demo.yaml down

# Generate keys for each VPN
bnerd --config ~/.bnerd-demo.yaml up --regenerate-keys
bnerd --config ~/.bnerd-prod.yaml up --regenerate-keys

Method 2: Using --interface Flag

Use a single config file but override the interface per connection:

# Default interface (bnerd0)
sudo bnerd up

# Second connection with different interface
sudo bnerd up --interface bnerd1

# Third connection
sudo bnerd up --interface bnerd2

Each interface generates and stores separate keys:

# Show peer info for specific interface
bnerd up --show-peer-info --interface bnerd1

# Disconnect specific interface
sudo bnerd down --interface bnerd1

Key Storage

Keys are stored separately per interface:

~/.config/bnerd/wireguard/
  bnerd0.key       # Private key for bnerd0
  bnerd0.conf      # WireGuard config for bnerd0
  bnerd1.key       # Private key for bnerd1
  bnerd1.conf      # WireGuard config for bnerd1

Routing Considerations

Allowed IPs must not overlap

Each VPN should route to different networks. Overlapping allowed-ips ranges cause unpredictable routing behavior.

Non-overlapping example:

  • VPN 1: allowed-ips: 10.8.1.0/24
  • VPN 2: allowed-ips: 10.8.2.0/24

Check your routes:

ip route show
ip route get 10.8.1.1  # Should show via bnerd0
ip route get 10.8.2.1  # Should show via bnerd1

Shell Aliases

Add to your ~/.bashrc or ~/.zshrc for convenience:

alias bnerd-demo='bnerd --config ~/.bnerd-demo.yaml'
alias bnerd-prod='bnerd --config ~/.bnerd-prod.yaml'

Then use:

sudo bnerd-demo up
bnerd-prod status
sudo bnerd-demo down

Troubleshooting

Check which VPNs are active:

sudo wg show

Check interface status:

ip addr show bnerd0
ip addr show bnerd1

Disconnect all VPNs:

sudo bnerd --config ~/.bnerd-demo.yaml down
sudo bnerd --config ~/.bnerd-prod.yaml down

Best Practices

  1. Use descriptive config filenames: ~/.bnerd-{environment}.yaml
  2. Keep allowed-ips non-overlapping between connections
  3. Use unique client addresses for each VPN
  4. Store configs securely (chmod 600); they contain access tokens
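
A pre-flight check for the rules above (unique interface names, non-overlapping allowed-ips, owner-only file permissions), added here as an example and not part of bnerd. It assumes configs use flat key: value lines as shown on this page and parses them with a regex rather than a YAML library; the function names and the STAGING config are hypothetical.

```python
import ipaddress
import re
import stat
from itertools import combinations
from pathlib import Path

# Constructed sample configs (tokens omitted). DEMO and PROD reuse the vpn
# values shown on this page; STAGING is hypothetical and deliberately conflicts.
DEMO = "vpn:\n  interface: bnerd0\n  allowed-ips: 10.8.1.0/24, 193.163.206.241/32\n"
PROD = "vpn:\n  interface: bnerd1\n  allowed-ips: 10.8.0.0/24, 100.64.0.0/10\n"
STAGING = "vpn:\n  interface: bnerd1\n  allowed-ips: 10.8.1.128/25\n"

FIELD = re.compile(r"^[ \t]*(interface|allowed-ips):[ \t]*(\S.*?)[ \t]*$", re.M)

def parse_vpn(text):
    """Return (interface, [networks]) from flat 'key: value' config lines."""
    fields = dict(FIELD.findall(text))
    nets = [ipaddress.ip_network(c.strip(), strict=False)
            for c in fields.get("allowed-ips", "").split(",") if c.strip()]
    # The page gives bnerd0 as the default interface when none is set.
    return fields.get("interface", "bnerd0"), nets

def audit(configs):
    """configs maps a label to config text; returns a list of conflict findings."""
    findings = []
    parsed = {name: parse_vpn(text) for name, text in configs.items()}
    for (a, (if_a, nets_a)), (b, (if_b, nets_b)) in combinations(parsed.items(), 2):
        if if_a == if_b:
            findings.append(f"{a} and {b} share interface {if_a}")
        for na in nets_a:
            for nb in nets_b:
                if na.version == nb.version and na.overlaps(nb):
                    findings.append(f"{a} {na} overlaps {b} {nb}")
    return findings

def loose_mode(path):
    """True if group or other has any permission bit set on the file."""
    return bool(stat.S_IMODE(Path(path).stat().st_mode) & 0o077)

if __name__ == "__main__":
    # Audit real files that follow the ~/.bnerd-{environment}.yaml naming above.
    paths = sorted(Path.home().glob(".bnerd-*.yaml"))
    for finding in audit({p.name: p.read_text() for p in paths}):
        print("CONFLICT:", finding)
    for p in paths:
        if loose_mode(p):
            print("PERMISSIONS:", p, "is accessible beyond the owner; chmod 600 it")
```

Run it before bringing up a new connection; an empty result means no two configs share an interface name or route the same addresses.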