summaryrefslogtreecommitdiff
path: root/docs/configuration
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2021-08-01 18:18:14 +0700
committerGitHub <noreply@github.com>2021-08-01 18:18:14 +0700
commit740074af7aa370c63b1f4e9617dbf251a9610a37 (patch)
tree55f919804470674f1f629fece7382becabe11672 /docs/configuration
parent7fe53c9d60cb29890e71735acf882e96cb83a36b (diff)
parent9eb90286c0ca7712e1f55812a5affb18facd8293 (diff)
downloadvyos-documentation-740074af7aa370c63b1f4e9617dbf251a9610a37.tar.gz
vyos-documentation-740074af7aa370c63b1f4e9617dbf251a9610a37.zip
Merge pull request #585 from srividya0208/proof-reading
grammar correction
Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/interfaces/openvpn.rst35
1 files changed, 24 insertions, 11 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index b2559c95..d4ef47b0 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -1,3 +1,5 @@
+:lastproofread: 2021-07-30
+
.. _openvpn:
#######
@@ -43,7 +45,7 @@ Site-to-site mode supports x.509 but doesn't require it and can also work with
static keys, which is simpler in many cases. In this example, we'll configure
a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.
-First, one one of the systems generate the key using the operational command
+First, one of the system generates the key using the operational command
``generate openvpn key <filename>``. This will generate a key with the name
provided in the `/config/auth/` directory. Once generated, you will need to
copy this key to the remote router.
@@ -94,7 +96,7 @@ Remote Configuration:
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 remote-address '10.255.1.1'
-The configurations above will default to using 128-bit Blowfish in CBC mode
+The above configurations will by default use 128-bit Blowfish in CBC mode
for encryption and SHA-1 for HMAC authentication. These are both considered
weak, but a number of other encryption and hashing algorithms are available:
@@ -177,7 +179,11 @@ First we need to specify the basic settings. 1194/UDP is the default. The
closing on connection resets or daemon reloads.
-.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur.
+.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is
+ used to renegotiate data channel after n seconds. When used at both server
+ and client, the lower value will trigger the renegotiation. If you set it
+ to 0 on one side of the connection (to disable it), the chosen value on the
+ other side will determine when the renegotiation will occur.
.. code-block:: none
@@ -200,7 +206,7 @@ you keep the files in `/config/auth/openvpn`
Now we need to specify the server network settings. In all cases we need to
specify the subnet for client tunnel endpoints. Since we want clients to access
-a specific network behind out router, we will use a push-route option for
+a specific network behind our router, we will use a push-route option for
installing that route on clients.
.. code-block:: none
@@ -236,12 +242,13 @@ OpenLDAP
--------
Enterprise installations usually ship a kind of directory service which is used
-to have a single password store for all employees. VyOS and OpenVPN support using
-LDAP/AD as single user backend.
+to have a single password store for all employees. VyOS and OpenVPN support
+using LDAP/AD as single user backend.
Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
-shipped with every VyOS installation. A dedicated configuration file is required.
-It is best practise to store it in ``/config`` to survive image updates
+shipped with every VyOS installation. A dedicated configuration file is
+required. It is best practise to store it in ``/config`` to survive image
+updates
.. code-block:: none
@@ -327,7 +334,10 @@ If you only want to check if the user account is enabled and can authenticate
RequireGroup false
</Authorization>
-A complete LDAP auth OpenVPN configuration could look like the following example:
+A complete LDAP auth OpenVPN configuration could look like the following
+example:
+
+.. stop_vyoslinter
.. code-block:: none
@@ -357,10 +367,13 @@ A complete LDAP auth OpenVPN configuration could look like the following example
}
}
+.. start_vyoslinter
+
OpenVPN Client
##############
-VyOS can not only act as an OpenVPN site-to-site or Server for multiple clients.
+VyOS can not only act as an OpenVPN site-to-site but also as a Server for
+multiple clients.
You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client
connecting to a VyOS OpenVPN server or any other OpenVPN server.
@@ -463,6 +476,6 @@ The following commands let you reset OpenVPN.
.. opcmd:: reset openvpn interface <interface>
- Uset this command to reset the OpenVPN process on a specific interface.
+ Use this command to reset the OpenVPN process on a specific interface.