diff options
author | rebortg <github@ghlr.de> | 2020-12-06 21:41:10 +0100 |
---|---|---|
committer | rebortg <github@ghlr.de> | 2020-12-06 21:41:10 +0100 |
commit | ce090a4ced7fccce3fdc70142e22fa0009fae12b (patch) | |
tree | 457f57457c190008eb23e822f8b168c003ff6cd5 /docs/vpn/openconnect.rst | |
parent | b1cb71c71935ad6b0a7d9effe8f4dc4467de2175 (diff) | |
download | vyos-documentation-ce090a4ced7fccce3fdc70142e22fa0009fae12b.tar.gz vyos-documentation-ce090a4ced7fccce3fdc70142e22fa0009fae12b.zip |
arrange examples
Diffstat (limited to 'docs/vpn/openconnect.rst')
-rw-r--r-- | docs/vpn/openconnect.rst | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/docs/vpn/openconnect.rst b/docs/vpn/openconnect.rst deleted file mode 100644 index a409ed9d..00000000 --- a/docs/vpn/openconnect.rst +++ /dev/null @@ -1,95 +0,0 @@ -.. _vpn-openconnect: - -########### -OpenConnect -########### - -OpenConnect-compatible server feature is available from this release. -Openconnect VPN supports SSL connection and offers full network access. SSL VPN -network extension connects the end-user system to the corporate network with -access controls based only on network layer information, such as destination IP -address and port number. So, it provides safe communication for all types of -device traffic across public networks and private networks, also encrypts the -traffic with SSL protocol. - -The remote user will use the openconnect client to connect to the router and -will receive an IP address from a VPN pool, allowing full access to the network. - -.. note:: All certificates should be stored on VyOS under /config/auth. If - certificates are not stored in the /config directory they will not be - migrated during a software update. - -************* -Configuration -************* - -SSL Certificates -================ - -We need to generate the certificate which authenticates users who attempt to -access the network resource through the SSL VPN tunnels. The following command -will create a self signed certificates and will be stored in the file path -`/config/auth`. - -.. code-block:: none - - openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt - openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt - -We can also create the certificates using Cerbort which is an easy-to-use client -that fetches a certificate from Let's Encrypt an open certificate authority -launched by the EFF, Mozilla, and others and deploys it to a web server. - -.. code-block:: none - - sudo certbot certonly --standalone --preferred-challenges http -d <domain name> - -Server Configuration -==================== - -.. code-block:: none - - set vpn openconnect authentication local-users username <user> password <pass> - set vpn openconnect authentication mode <local|radius> - set vpn opneconnect network-settings client-ip-settings subnet <subnet> - set vpn openconnect network-settings name-server <address> - set vpn openconnect network-settings name-server <address> - set vpn openconnect ssl ca-cert-file <file> - set vpn openconnect ssl cert-file <file> - set vpn openconnect ssl key-file <file> - - -******* -Example -******* - -Use local user name "user4" with password "SecretPassword" -Client IP addresses will be provided from pool 100.64.0.0/24 -The Gateway IP Address must be in one of the routerĀ“s interfaces. - -.. code-block:: none - - set vpn openconnect authentication local-users username user4 password 'SecretPassword' - set vpn openconnect authentication mode 'local' - set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' - set vpn openconnect network-settings name-server '1.1.1.1' - set vpn openconnect network-settings name-server '8.8.8.8' - set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem' - set vpn openconnect ssl cert-file '/config/auth/cert.pem' - set vpn openconnect ssl key-file '/config/auth/privkey.pem' - - -************ -Verification -************ - -.. code-block:: none - - - vyos@RTR1:~$ show openconnect-server sessions - - interface username ip remote IP RX TX state uptime - ----------- ---------- ------------ ------------- -------- -------- --------- -------- - sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected 12m:28s - -.. note:: It is compatible with Cisco (R) AnyConnect (R) clients. |