summaryrefslogtreecommitdiff
path: root/docs/vpn/openvpn.rst
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2019-11-27 17:20:36 +0100
committerChristian Poessinger <christian@poessinger.com>2019-11-27 17:20:38 +0100
commit6aa3cbb611f74bdf8e44d5527f5138f3122a7497 (patch)
tree009a1fe9447bdd980d5017d49f102e7ccdace03b /docs/vpn/openvpn.rst
parent76bbe2744d7184ee50626d9d7b65f21dad1c7e99 (diff)
downloadvyos-documentation-6aa3cbb611f74bdf8e44d5527f5138f3122a7497.tar.gz
vyos-documentation-6aa3cbb611f74bdf8e44d5527f5138f3122a7497.zip
Refactor "code-block:: sh" to "code-block:: console"
This will add proper new-lines into the rendered PDF. Before if it has been a long line, not all content was preserved in the PDF.
Diffstat (limited to 'docs/vpn/openvpn.rst')
-rw-r--r--docs/vpn/openvpn.rst38
1 files changed, 19 insertions, 19 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 491e6e6d..2e4388ed 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -68,7 +68,7 @@ in our configuration.
Local Configuration:
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
@@ -82,7 +82,7 @@ Local Configuration:
Remote Configuration:
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
@@ -104,7 +104,7 @@ For Encryption:
This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or
OpenVPN version < 2.4.0.
-.. code-block:: sh
+.. code-block:: console
vyos@vyos# set interfaces openvpn vtun1 encryption cipher
Possible completions:
@@ -123,7 +123,7 @@ This sets the accepted ciphers to use when version => 2.4.0 and NCP is
enabled (which is default). Default NCP cipher for versions >= 2.4.0 is
aes256gcm. The first cipher in this list is what server pushes to clients.
-.. code-block:: sh
+.. code-block:: console
vyos@vyos# set int open vtun0 encryption ncp-ciphers
Possible completions:
@@ -138,7 +138,7 @@ aes256gcm. The first cipher in this list is what server pushes to clients.
For Hashing:
-.. code-block:: sh
+.. code-block:: console
vyos@vyos# set interfaces openvpn vtun1 hash
Possible completions:
@@ -157,13 +157,13 @@ network of 10.1.0.0/16:
Local Configuration:
-.. code-block:: sh
+.. code-block:: console
set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
Remote Configuration:
-.. code-block:: sh
+.. code-block:: console
set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
@@ -206,7 +206,7 @@ closing on connection resets or daemon reloads.
0 on one side of the connection (to disable it), the chosen value on the
other side will determine when the renegotiation will occur.
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 mode server
set interfaces openvpn vtun10 local-port 1194
@@ -216,7 +216,7 @@ closing on connection resets or daemon reloads.
Then we need to specify the location of the cryptographic materials. Suppose
you keep the files in `/config/auth/openvpn`
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt
set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
@@ -229,7 +229,7 @@ specify the subnet for client tunnel endpoints. Since we want clients to access
a specific network behind out router, we will use a push-route option for
installing that route on clients.
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 server push-route 192.168.0.0/16
set interfaces openvpn vtun10 server subnet 10.23.1.0/24
@@ -241,7 +241,7 @@ need configuration for each client to achieve this.
.. note:: Clients are identified by the CN field of their x.509 certificates,
in this example the CN is ``client0``:
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 server client client0 ip 10.23.1.10
set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25
@@ -250,7 +250,7 @@ OpenVPN **will not** automatically create routes in the kernel for client
subnets when they connect and will only use client-subnet association
internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
-.. code-block:: sh
+.. code-block:: console
set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
@@ -269,13 +269,13 @@ Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
shipped with every VyOS installation. A dedicated configuration file is required.
It is best practise to store it in ``/config`` to survive image updates
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
The required config file may look like:
-.. code-block:: sh
+.. code-block:: console
<LDAP>
# LDAP server URL
@@ -302,7 +302,7 @@ Active Directory
Despite the fact that AD is a superset of LDAP
-.. code-block:: sh
+.. code-block:: console
<LDAP>
# LDAP server URL
@@ -336,7 +336,7 @@ Despite the fact that AD is a superset of LDAP
If you only want to check if the user account is enabled and can authenticate
(against the primary group) the following snipped is sufficient:
-.. code-block:: sh
+.. code-block:: console
<LDAP>
URL ldap://dc01.example.com
@@ -355,7 +355,7 @@ If you only want to check if the user account is enabled and can authenticate
A complete LDAP auth OpenVPN configuration could look like the following example:
-.. code-block:: sh
+.. code-block:: console
vyos@vyos# show interfaces openvpn
openvpn vtun0 {
@@ -398,7 +398,7 @@ using their CN attribute in the SSL certificate.
Server
------
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
@@ -422,7 +422,7 @@ Server
Client
------
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'