author    rebortg <github@ghlr.de>  2021-09-13 19:46:32 +0200
committer rebortg <github@ghlr.de>  2021-09-13 19:46:32 +0200
commit    df1ada3aed08021bb53ef1343dce3820f70dc714 (patch)
tree      5fe2fcb69fd070182f1f9e8a9e65738b0dd4ff2b
parent    e8bd02d5f8018698f656ce7a176157efdaac8c60 (diff)
parent    42d629a15fad93dcde96e30bad1167916f689406 (diff)
Merge branch 'master' of github.com:vyos/vyos-documentation
-rw-r--r--  docs/configuration/interfaces/openvpn.rst  33
-rw-r--r--  docs/configuration/pki/index.rst            8
2 files changed, 27 insertions, 14 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index 62273ca0..02c5a797 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -34,8 +34,9 @@ In the VyOS CLI, a key point often overlooked is that rather than being
configured using the `set vpn` stanza, OpenVPN is configured as a network
interface using `set interfaces openvpn`.
-Site-To-Site
-============
+************
+Site-to-Site
+************
.. figure:: /_static/images/openvpn_site2site_diagram.jpg
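Review bot: promoting `Site-to-Site` to the `*` overline/underline level changes the heading hierarchy of the whole file, so check that every other top-level section in openvpn.rst uses the same `*` style and that the sections beneath it use `=` and then `-`; Sphinx assigns heading levels by first appearance, and a section that keeps the old `=` underline at the top of the file would silently become a subsection. Also keep a blank line between the new underline and the `.. figure::` directive that follows it.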
@@ -85,7 +86,7 @@ Local Configuration:
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
- set interfaces openvpn vtun1 local-address '10.255.1.1'
+ set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
Local Configuration - Annotated:
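Review bot: this hunk changes only whitespace on the `local-address '10.255.1.1'` line; confirm its indentation now matches the neighbouring `set interfaces openvpn vtun1 ...` lines, because a literal block renders indentation verbatim and a stray leading space would appear in the published docs.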
@@ -132,11 +133,10 @@ Remote Configuration - Annotated:
set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface
-*******************
Firewall Exceptions
-*******************
+===================
-For the WireGuard traffic to pass through the WAN interface, you must create a
+For the OpenVPN traffic to pass through the WAN interface, you must create a
firewall exception.
.. code-block:: none
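Review bot: the `WireGuard` to `OpenVPN` wording fix is correct for this page, good catch. Demoting `Firewall Exceptions` from `*` to `=` places it under `Site-to-Site`, so it now reads as applying to site-to-site tunnels only; if the server and client modes described later need the same WAN firewall exception, either say so in those sections or keep this section at a level shared by all three modes.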
@@ -248,8 +248,9 @@ to each tunnel. Another option is to dedicate a port number to each tunnel
OpenVPN status can be verified using the `show openvpn` operational commands.
See the built-in help for a complete list of options.
+******
Server
-======
+******
Multi-client server is the most popular OpenVPN mode on routers. It always uses
x.509 authentication and therefore requires a PKI setup. Refer this section
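Review bot: the context line `Refer this section` is missing a preposition and should read `Refer to this section`; it is unchanged in this patch, but since the `Server` heading directly above it is being rewritten this is a good moment to fix it.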
@@ -325,7 +326,7 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
set protocols static route 10.23.0.0/20 interface vtun10
Generate X.509 Certificate and Keys
------------------------------------
+===================================
OpenVPN ships with a set of scripts called Easy-RSA that can generate the
appropriate files needed for an OpenVPN setup using X.509 certificates.
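Review bot: changing the `Generate X.509 Certificate and Keys` underline from `-` to `=` is consistent with `Server` moving up to `*`; make sure the new `=` underline is at least as long as the heading text, since Sphinx emits a warning for a short underline and the section may render incorrectly.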
@@ -538,8 +539,9 @@ example:
}
}
+******
Client
-======
+******
VyOS can not only act as an OpenVPN site-to-site or server for multiple clients.
You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client
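Review bot: `Client` is promoted to `*` like `Server`, which keeps the three modes at the same level. The context sentence `VyOS can not only act as an OpenVPN site-to-site or server for multiple clients.` is unchanged here but reads awkwardly (`site-to-site endpoint or server`); worth a follow-up while this file is being restructured.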
@@ -552,8 +554,11 @@ using their CN attribute in the SSL certificate.
.. _openvpn:client_server:
-Server
-------
+Configuration
+=============
+
+Server Side
+-----------
.. code-block:: none
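Review bot: the `.. _openvpn:client_server:` label now sits directly above the new `Configuration` heading, so any `:ref:` to it resolves to `Configuration` rather than to the server-side configuration it previously pointed at. Move the label so that it sits just above `Server Side`, after the `Configuration` heading and its trailing blank line, to keep existing cross-references meaningful.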
@@ -578,8 +583,8 @@ Server
.. _openvpn:client_client:
-Client
-------
+Client Side
+-----------
.. code-block:: none
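Review bot: `Client Side` with a `-` underline matches `Server Side` in both naming and level, and the `.. _openvpn:client_client:` label stays immediately above its heading, which is the placement the server-side label should also keep.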
@@ -641,7 +646,7 @@ The following commands let you check tunnel status.
.. opcmd:: show openvpn site-to-site
- Use this command to check the tunnel status for OpenVPN site-to-site
+ Use this command to check the tunnel status for OpenVPN site-to-site
interfaces.
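Review bot: this hunk changes only whitespace on the `Use this command ...` line; check that it is indented to the same depth as the continuation line `interfaces.` so the whole description stays inside the body of the `.. opcmd:: show openvpn site-to-site` directive.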
diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst
index cd47e43f..09794308 100644
--- a/docs/configuration/pki/index.rst
+++ b/docs/configuration/pki/index.rst
@@ -268,6 +268,10 @@ also to display them.
R3 CN=R3,O=Let's Encrypt,C=US CN=ISRG Root X1 2020-09-04 00:00:00 2025-09-15 16:00:00 No DST_Root_CA_X3
vyos_rw CN=VyOS RW CA,O=VyOS,L=Some-City,ST=Some-State,C=GB CN=VyOS RW CA 2021-07-05 13:46:03 2026-07-04 13:46:03 Yes N/A
+.. opcmd:: show pki ca <name>
+
+ Show only information for specified Certificate Authority.
+
.. opcmd:: show pki certificates
Show a list of installed certificates
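Review bot: the description of the new `show pki ca <name>` entry should read `Show only information for the specified Certificate Authority`, and it would help to state that `<name>` is the value from the first column of the `show pki ca` listing above (for example `vyos_rw`); an example output block would also make the entry consistent with the neighbouring `show pki ca` command.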
@@ -281,6 +285,10 @@ also to display them.
ac2 Server CN=ac2.vyos.net CN=R3 2021-07-05 07:29:59 2021-10-03 07:29:58 No Yes Yes (R3)
rw_server Server CN=VyOS RW CN=VyOS RW CA 2021-07-05 13:48:02 2022-07-05 13:48:02 No Yes Yes (vyos_rw)
+.. opcmd:: show pki certificates <name>
+
+ Show only information for specified certificate.
+
.. opcmd:: show pki crl
Show a list of installed :abbr:`CRLs (Certificate Revocation List)`.
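Review bot: the description of the new `show pki certificates <name>` entry should read `Show only information for the specified certificate`, and it should say that `<name>` is the value from the first column of the `show pki certificates` listing above (for example `rw_server`), with a short example output block so it matches the style of the surrounding `show pki` entries.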