path: root/docs/configuration/interfaces/openvpn.rst
author: usman-umer <unumer@hotmail.com> 2021-07-31 19:35:53 +0100
committer: usman-umer <unumer@hotmail.com> 2021-07-31 19:35:53 +0100
commit: c9dd310466f46949ff5618deb60a4fe44af084f2
tree: 6a896238ba6a5cf558f74f3e095a31d00c07cf33 /docs/configuration/interfaces/openvpn.rst
parent: 95fa7a84a179f43ef57ab78f08f4da3165901505
download: vyos-documentation-c9dd310466f46949ff5618deb60a4fe44af084f2.tar.gz
          vyos-documentation-c9dd310466f46949ff5618deb60a4fe44af084f2.zip
added diagram & annotated commands for openvpn server
Diffstat (limited to 'docs/configuration/interfaces/openvpn.rst'):
 -rw-r--r--  docs/configuration/interfaces/openvpn.rst | 76
 1 file changed, 57 insertions, 19 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index 877b5d60..a0802c27 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -37,6 +37,8 @@ interface using `set interfaces openvpn`.
Site-To-Site
============
+.. figure:: /_static/images/openvpn_site2site_diagram.jpg
+
While many are aware of OpenVPN as a Client VPN solution, it is often
overlooked as a site-to-site VPN solution due to lack of support for this mode
in many router platforms.
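Review bot: the added `.. figure:: /_static/images/openvpn_site2site_diagram.jpg` directive carries no `:alt:` text and no caption, so text-only builds, screen readers and the PDF output get nothing for the diagram; add at least an `:alt:` option describing the topology, and preferably a caption line that names the two sites and the tunnel addresses used in the example that follows, so the picture and the configuration below can be read against each other.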
@@ -53,9 +55,12 @@ copy this key to the remote router.
In our example, we used the filename ``openvpn-1.key`` which we will reference
in our configuration.
-* The public IP address of the local side of the VPN will be 198.51.100.10
-* The remote will be 203.0.113.11
+* The public IP address of the local side of the VPN will be 198.51.100.10.
+* The public IP address of the remote side of the VPN will be 203.0.113.11.
* The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
+* The local site will have a subnet of 10.0.0.0/16.
+* The remote site will have a subnet of 10.1.0.0/16.
+* Static Routing or other dynamic routing protocols can be used over the vtun interface
* OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency,
while TCP will work better for lossy connections; generally UDP is preferred
when possible.
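Review bot: the new bullet `Static Routing or other dynamic routing protocols can be used over the vtun interface` reads as if static routing were one of the dynamic protocols, is the only bullet in the list without a terminating period, and overruns the line width the surrounding bullets keep to; suggest `* Static routes or a dynamic routing protocol can be used over the vtun` / `  interface.` Now that the list names the two site subnets (10.0.0.0/16 and 10.1.0.0/16), this bullet is also the natural place to point the reader at the static-route example this patch moves further down the page.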
@@ -68,6 +73,7 @@ in our configuration.
``remote-host`` directive; if unknown, it can be omitted. We will assume a
dynamic IP for our remote router.
+
Local Configuration:
.. code-block:: none
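Review bot: the only change in this hunk is an extra blank line before `Local Configuration:`, which produces a double blank line and does not alter the rendered output; drop it so the diff is limited to substantive changes.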
@@ -75,13 +81,28 @@ Local Configuration:
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 local-host '198.51.100.10'
+ set interfaces openvpn vtun1 remote-host '203.0.113.11
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
- set interfaces openvpn vtun1 local-address '10.255.1.1'
+ set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
+Local Configuration - Annotated:
+
+.. code-block:: none
+
+ set interfaces openvpn vtun1 mode site-to-site
+ set interfaces openvpn vtun1 protocol udp
+ set interfaces openvpn vtun1 persistent-tunnel
+ set interfaces openvpn vtun1 remote-host '203.0.113.11' # Pub IP of other site
+ set interfaces openvpn vtun1 local-port '1195'
+ set interfaces openvpn vtun1 remote-port '1195'
+ set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
+ set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface
+ set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface
+
+
Remote Configuration:
.. code-block:: none
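Review bot: the added line `set interfaces openvpn vtun1 remote-host '203.0.113.11` is missing its closing quote (the annotated copy below has it), and since this sits in a `code-block:: none` nothing will flag it before a user pastes it into the CLI; fix the quote. Two further points on this hunk: (1) it replaces `local-host '198.51.100.10'` with a `remote-host` directive on the local side, but the unchanged prose two hunks up says the remote router's IP is assumed to be dynamic and that `remote-host` is omitted in that case, so either that paragraph or this configuration now has to change, and dropping `local-host` also means the daemon is no longer pinned to the specific public address (a deliberate change that deserves a sentence, if it is intended); (2) the `Local Configuration - Annotated` block is a verbatim copy of the block directly above it with `# ...` comments appended, so the two will drift apart on the next edit; keep one block and annotate it, or keep only the annotated one. The `local-address '10.255.1.1'` remove/re-add pair looks like a whitespace-only change and can be left out.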
@@ -96,6 +117,38 @@ Remote Configuration:
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 remote-address '10.255.1.1'
+Remote Configuration - Annotated:
+
+.. code-block:: none
+
+ set interfaces openvpn vtun1 mode site-to-site
+ set interfaces openvpn vtun1 protocol udp
+ set interfaces openvpn vtun1 persistent-tunnel
+ set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site
+ set interfaces openvpn vtun1 local-port '1195'
+ set interfaces openvpn vtun1 remote-port '1195'
+ set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
+ set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface
+ set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface
+
+Static Routing:
+
+Static routes can be configured referencing the tunnel interface; for example,
+the local router will use a network of 10.0.0.0/16, while the remote has a
+network of 10.1.0.0/16:
+
+Local Configuration:
+
+.. code-block:: none
+
+ set protocols static route 10.1.0.0/16 interface vtun1
+
+Remote Configuration:
+
+.. code-block:: none
+
+ set protocols static route 10.0.0.0/16 interface vtun1
+
The configurations above will default to using 256-bit AES in GCM mode
for encryption (if both sides support NCP) and SHA-1 for HMAC authentication.
SHA-1 is considered weak, but other hashing algorithms are available, as are
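Review bot: the static-route material moved into this hunk lands between the remote configuration and the sentence `The configurations above will default to using 256-bit AES in GCM mode ...`, so that sentence now reads as a statement about the `set protocols static route` lines rather than about the vtun1 configuration it was written for; either leave the routing text after the cipher/HMAC discussion (where the later hunk deletes it from) or reword the lead-in to say `The vtun1 configurations above ...`. `Static Routing:` is also a bare paragraph, where the page otherwise uses `Local Configuration:` / `Remote Configuration:` labels directly before a code block; if it is meant to introduce a new topic, give it a heading in the page's own underline style. As with the local side, `Remote Configuration - Annotated` duplicates the block above it verbatim with comments added; one annotated block is enough.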
@@ -153,21 +206,6 @@ If you change the default encryption and hashing algorithms, be sure that the
local and remote ends have matching configurations, otherwise the tunnel will
not come up.
-Static routes can be configured referencing the tunnel interface; for example,
-the local router will use a network of 10.0.0.0/16, while the remote has a
-network of 10.1.0.0/16:
-
-Local Configuration:
-
-.. code-block:: none
-
- set protocols static route 10.1.0.0/16 interface vtun1
-
-Remote Configuration:
-
-.. code-block:: none
-
- set protocols static route 10.0.0.0/16 interface vtun1
Firewall policy can also be applied to the tunnel interface for `local`, `in`,
and `out` directions and functions identically to ethernet interfaces.