author | rebortg <github@ghlr.de> | 2023-11-24 10:48:09 +0100 |
---|---|---|
committer | rebortg <github@ghlr.de> | 2023-11-24 10:48:09 +0100 |
commit | 5fb241c9ae0f95a3917a90d34c9979f06b965197 (patch) | |
tree | 7a08969e9162bb64df60af9641278d54a8e14f29 /docs/configuration/interfaces/openvpn.rst | |
parent | d6d9dbbbef70549bcc4c855486398b97f2aa32cb (diff) | |
fix some build warnings
Diffstat (limited to 'docs/configuration/interfaces/openvpn.rst')
-rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 2160e781..bfa40a7e 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -71,7 +71,7 @@ In both cases, we will use the following settings: dynamic IP for our remote router. Setting up certificates ------------------------ +======================= Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, @@ -129,7 +129,7 @@ Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote Repeat the procedure on the other router. Setting up OpenVPN ------------------- +================== Local Configuration: @@ -148,6 +148,7 @@ Local Configuration: set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 on the remote rout + Remote Configuration: .. code-block:: none @@ -163,8 +164,9 @@ Remote Configuration: set interfaces openvpn vtun1 tls certificate 'openvpn-remote' # The self-signed certificate set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 on the local router + Pre-shared keys ---------------- +=============== Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. That option is still available but it is deprecated and will be removed in the future. @@ -200,6 +202,7 @@ Then you need to install the key on the remote router: Then you need to set the key in your OpenVPN interface settings: .. code-block:: none + set interfaces openvpn vtun1 shared-secret-key s2s Firewall Exceptions 
@@ -433,6 +436,7 @@ Branch 1's router might have the following lines: set interfaces openvpn vtun10 tls ca-cert ca-1 set interfaces openvpn vtun10 tls certificate branch-1 + Client Authentication ===================== |
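Review bot: The underline change from `-` to `=` under "Setting up certificates" (hunk @@ -71,7 +71,7 @@, repeated for "Setting up OpenVPN" and "Pre-shared keys" in the following hunks) changes the section level, not just the adornment: these headings now sit at the same depth as "Client Authentication", which also uses `=`. If they are meant to remain subsections of the site-to-site material, use the underline character the file already assigns to that depth instead. The commit message "fix some build warnings" would also be easier to review if it named the warning being addressed.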
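Review bot: The inline comment on the `tls peer-fingerprint` line in hunk @@ -148,6 +148,7 @@ (and its counterpart in @@ -163,8 +164,9 @@) opens a quote before `run show pki certificate <name> fingerprint sha256` and never closes it, so it is unclear where the command ends. In this self-signed setup the pinned fingerprint is what identifies the peer, so the command readers copy should be unambiguous; close the quote after `sha256` while these blocks are being touched.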
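Review bot: Under the "Pre-shared keys" heading in hunk @@ -163,8 +164,9 @@, the deprecation is stated only in running prose ("still available but it is deprecated and will be removed in the future"), while the example in the next hunk still shows `set interfaces openvpn vtun1 shared-secret-key s2s` with no qualifier. Since the section is being edited anyway, consider moving that sentence into a warning admonition so readers skimming for the command see that the peer-fingerprint setup above is the supported path.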