author | Daniil Baturin <daniil@vyos.io> | 2021-07-31 21:29:18 +0700
committer | GitHub <noreply@github.com> | 2021-07-31 21:29:18 +0700
commit | 54afd51b3a01c7282dbff16b0f9bddab3dce4051 (patch)
tree | 78d67b7e5d9f6dda07f793dab409a09a2e9c08d6 /docs/configuration
parent | eb4b1a7afba648c390f84b5a7996b6dc8bc8656f (diff)
parent | 174f5ecd05c3b47a627f607fd2a3b4e6db17acdf (diff)
Merge pull request #586 from usman-umer/equuleus
Updated OpenVPN site2site docs for equuleus branch
Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 75
1 files changed, 56 insertions, 19 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 778f26c6..644906e1 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -37,6 +37,8 @@ interface using `set interfaces openvpn`. Site-To-Site ============ +.. figure:: /_static/images/openvpn_site2site_diagram.jpg + While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due to lack of support for this mode in many router platforms. @@ -53,9 +55,12 @@ copy this key to the remote router. In our example, we used the filename ``openvpn-1.key`` which we will reference in our configuration. -* The public IP address of the local side of the VPN will be 198.51.100.10 -* The remote will be 203.0.113.11 +* The public IP address of the local side of the VPN will be 198.51.100.10. +* The public IP address of the remote side of the VPN will be 203.0.113.11. * The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote. +* The local site will have a subnet of 10.0.0.0/16. +* The remote site will have a subnet of 10.1.0.0/16. +* Static Routing or other dynamic routing protocols can be used over the vtun interface * OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible. 
@@ -75,13 +80,28 @@ Local Configuration: set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 local-host '198.51.100.10' + set interfaces openvpn vtun1 remote-host '203.0.113.11 set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' - set interfaces openvpn vtun1 local-address '10.255.1.1' + set interfaces openvpn vtun1 local-address '10.255.1.1' set interfaces openvpn vtun1 remote-address '10.255.1.2' +Local Configuration - Annotated: + +.. code-block:: none + + set interfaces openvpn vtun1 mode site-to-site + set interfaces openvpn vtun1 protocol udp + set interfaces openvpn vtun1 persistent-tunnel + set interfaces openvpn vtun1 remote-host '203.0.113.11' # Pub IP of other site + set interfaces openvpn vtun1 local-port '1195' + set interfaces openvpn vtun1 remote-port '1195' + set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' + set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface + set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface + + Remote Configuration: .. code-block:: none 
@@ -96,6 +116,38 @@ Remote Configuration: set interfaces openvpn vtun1 local-address '10.255.1.2' set interfaces openvpn vtun1 remote-address '10.255.1.1' +Remote Configuration - Annotated: + +.. code-block:: none + + set interfaces openvpn vtun1 mode site-to-site + set interfaces openvpn vtun1 protocol udp + set interfaces openvpn vtun1 persistent-tunnel + set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site + set interfaces openvpn vtun1 local-port '1195' + set interfaces openvpn vtun1 remote-port '1195' + set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' + set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface + set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface + +Static Routing: + +Static routes can be configured referencing the tunnel interface; for example, +the local router will use a network of 10.0.0.0/16, while the remote has a +network of 10.1.0.0/16: + +Local Configuration: + +.. code-block:: none + + set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1 + +Remote Configuration: + +.. code-block:: none + + set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1 + The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides support NCP) and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are 
@@ -153,21 +205,6 @@ If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up. -Static routes can be configured referencing the tunnel interface; for example, -the local router will use a network of 10.0.0.0/16, while the remote has a -network of 10.1.0.0/16: - -Local Configuration: - -.. code-block:: none - - set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1 - -Remote Configuration: - -.. code-block:: none - - set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1 Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and functions identically to ethernet interfaces. |
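Review bot: In the first hunk (`@@ -37,6 +37,8 @@`), the new `.. figure:: /_static/images/openvpn_site2site_diagram.jpg` directive has no `:alt:` text and no caption, so the diagram carries nothing for screen readers or text-only renderers; add an `:alt:` line and, if the image shows the addresses used in the bullet list below, a one-line caption naming the two sites. Also confirm the image file itself was added under `docs/_static/images/` in this pull request, since the diffstat is limited to `docs/configuration` and does not show it.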
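Review bot: In the bullet-list hunk (`@@ -53,9 +55,12 @@`), the new line `+* Static Routing or other dynamic routing protocols can be used over the vtun interface` reads as if static routing were one of the dynamic routing protocols and is the only bullet without a trailing period; suggest `* Static routes or a dynamic routing protocol can be used over the vtun interface.`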
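Review bot: In the Local Configuration hunk (`@@ -75,13 +80,28 @@`), the replacement line `+ set interfaces openvpn vtun1 remote-host '203.0.113.11` is missing its closing quote, so anyone pasting the unannotated block into the CLI gets an unterminated string; the annotated copy further down in the same hunk has it right (`remote-host '203.0.113.11'`). The `- set interfaces openvpn vtun1 local-address '10.255.1.1'` / `+ set interfaces openvpn vtun1 local-address '10.255.1.1'` pair looks like a whitespace-only change and can be dropped to keep the diff minimal. Since the `local-host '198.51.100.10'` line is removed, the bullet above that still lists the local public IP is no longer referenced by any command; say in the text that binding to the local public address is optional, or keep the `local-host` line. Finally, keeping an unannotated and an annotated copy of the same nine commands means every future edit has to be made twice (this hunk already shows the two copies drifting on the quote); consider annotating the single block instead.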
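Review bot: In the Remote Configuration hunk (`@@ -96,6 +116,38 @@`), inserting the static routing section immediately before the unchanged paragraph `The configurations above will default to using 256-bit AES in GCM mode for encryption ...` makes `the configurations above` now point most directly at the two `set protocols static interface-route` lines, which have nothing to do with cipher or HMAC selection; either keep the routing section after the encryption/hash discussion (where the last hunk removes it from) or reword to `The OpenVPN interface configurations above ...`. `Static Routing:` is also introduced as a bare label like `Local Configuration:`, but it heads a sub-topic rather than a code block, so a proper RST heading under `Site-To-Site` would fit the file's structure better.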