| field | value | date |
|---|---|---|
| author | rebortg <github@ghlr.de> | 2021-09-13 19:46:32 +0200 |
| committer | rebortg <github@ghlr.de> | 2021-09-13 19:46:32 +0200 |
| commit | df1ada3aed08021bb53ef1343dce3820f70dc714 (patch) | |
| tree | 5fe2fcb69fd070182f1f9e8a9e65738b0dd4ff2b | |
| parent | e8bd02d5f8018698f656ce7a176157efdaac8c60 (diff) | |
| parent | 42d629a15fad93dcde96e30bad1167916f689406 (diff) | |
| download | vyos-documentation-df1ada3aed08021bb53ef1343dce3820f70dc714.tar.gz, vyos-documentation-df1ada3aed08021bb53ef1343dce3820f70dc714.zip | |
Merge branch 'master' of github.com:vyos/vyos-documentation
-rw-r--r--  docs/configuration/interfaces/openvpn.rst | 33
-rw-r--r--  docs/configuration/pki/index.rst          |  8
2 files changed, 27 insertions, 14 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 62273ca0..02c5a797 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -34,8 +34,9 @@ In the VyOS CLI, a key point often overlooked is that rather than being configured using the `set vpn` stanza, OpenVPN is configured as a network interface using `set interfaces openvpn`. -Site-To-Site -============ +************ +Site-to-Site +************ .. figure:: /_static/images/openvpn_site2site_diagram.jpg @@ -85,7 +86,7 @@ Local Configuration: set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' - set interfaces openvpn vtun1 local-address '10.255.1.1' + set interfaces openvpn vtun1 local-address '10.255.1.1' set interfaces openvpn vtun1 remote-address '10.255.1.2' Local Configuration - Annotated: @@ -132,11 +133,10 @@ Remote Configuration - Annotated: set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface -******************* Firewall Exceptions -******************* +=================== -For the WireGuard traffic to pass through the WAN interface, you must create a +For the OpenVPN traffic to pass through the WAN interface, you must create a firewall exception. .. code-block:: none @@ -248,8 +248,9 @@ to each tunnel. Another option is to dedicate a port number to each tunnel OpenVPN status can be verified using the `show openvpn` operational commands. See the built-in help for a complete list of options. +****** Server -====== +****** Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. Refer this section 
@@ -325,7 +326,7 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves: set protocols static route 10.23.0.0/20 interface vtun10 Generate X.509 Certificate and Keys ------------------------------------ +=================================== OpenVPN ships with a set of scripts called Easy-RSA that can generate the appropriate files needed for an OpenVPN setup using X.509 certificates. @@ -538,8 +539,9 @@ example: } } +****** Client -====== +****** VyOS can not only act as an OpenVPN site-to-site or server for multiple clients. You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client @@ -552,8 +554,11 @@ using their CN attribute in the SSL certificate. .. _openvpn:client_server: -Server ------- +Configuration +============= + +Server Side +----------- .. code-block:: none @@ -578,8 +583,8 @@ Server .. _openvpn:client_client: -Client ------- +Client Side +----------- .. code-block:: none @@ -641,7 +646,7 @@ The following commands let you check tunnel status. .. opcmd:: show openvpn site-to-site - Use this command to check the tunnel status for OpenVPN site-to-site + Use this command to check the tunnel status for OpenVPN site-to-site interfaces. diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index cd47e43f..09794308 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -268,6 +268,10 @@ also to display them. R3 CN=R3,O=Let's Encrypt,C=US CN=ISRG Root X1 2020-09-04 00:00:00 2025-09-15 16:00:00 No DST_Root_CA_X3 vyos_rw CN=VyOS RW CA,O=VyOS,L=Some-City,ST=Some-State,C=GB CN=VyOS RW CA 2021-07-05 13:46:03 2026-07-04 13:46:03 Yes N/A +.. opcmd:: show pki ca <name> + + Show only information for specified Certificate Authority. + .. opcmd:: show pki certificates Show a list of installed certificates 
@@ -281,6 +285,10 @@ also to display them. ac2 Server CN=ac2.vyos.net CN=R3 2021-07-05 07:29:59 2021-10-03 07:29:58 No Yes Yes (R3) rw_server Server CN=VyOS RW CN=VyOS RW CA 2021-07-05 13:48:02 2022-07-05 13:48:02 No Yes Yes (vyos_rw) +.. opcmd:: show pki certificates <name> + + Show only information for specified certificate. + .. opcmd:: show pki crl Show a list of installed :abbr:`CRLs (Certificate Revocation List)`. |
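Review bot: In the `@@ -34,8 +34,9 @@` hunk of openvpn.rst (and the matching `Server` and `Client` hunks at `-248` and `-538`) the new `************` over/underline becomes the first adornment style seen after whatever precedes line 34. reStructuredText assigns heading levels by order of first appearance, so please confirm that the page title above this hunk uses a distinct adornment (not `****`); otherwise `Site-to-Site`, `Server` and `Client` will render at the same level as the title instead of one below it. Within the visible hunks the new scheme (`****` over/under, then `====`, then `----`) is consistent, which is an improvement over the old file where `Firewall Exceptions` carried a heavier adornment than the `Site-To-Site` section it belongs to.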
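Review bot: The `WireGuard` to `OpenVPN` fix in the `@@ -132,11 +133,10 @@` hunk is correct, but the `.. code-block:: none` that follows is outside the hunk; since the site-to-site examples above set `local-port '1195'`, please confirm that the firewall rule in that block matches port 1195 rather than a port copied from the WireGuard page, otherwise the sentence is fixed while the example still describes the wrong traffic.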
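Review bot: The trailing context of the `@@ -248,8 +248,9 @@` hunk reads "therefore requires a PKI setup. Refer this section"; since this hunk already touches the `Server` heading directly above, fix the grammar in the same commit ("Refer to this section").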
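Review bot: In the `@@ -552,8 +554,11 @@` hunk the label `.. _openvpn:client_server:` now sits directly above the new `Configuration` heading instead of `Server Side`, so any `:ref:` to `openvpn:client_server` will resolve to the "Configuration" title and link to the wrong place. Move the label so that it precedes `Server Side` (the `.. _openvpn:client_client:` label in the `-578` hunk still correctly precedes `Client Side`), for example:

    Configuration
    =============

    .. _openvpn:client_server:

    Server Side
    -----------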
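Review bot: The two new entries in pki/index.rst (`show pki ca <name>` in the `@@ -268,6 +268,10 @@` hunk and `show pki certificates <name>` in the `@@ -281,6 +285,10 @@` hunk) should say what `<name>` is: the identifier in the first column of the tables shown just above (`vyos_rw` or `R3` for a CA, `rw_server` or `ac2` for a certificate), and the description reads better as "Show only information for the specified Certificate Authority" / "... for the specified certificate". The neighbouring `show pki ca` and `show pki certificates` entries carry sample output; adding a one-row example for the filtered form would keep the section consistent.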