-rw-r--r--  docs/qos.rst                      20
-rw-r--r--  docs/system/flow-accounting.rst    4
-rw-r--r--  docs/vpn/openvpn.rst              91
3 files changed, 93 insertions, 22 deletions
diff --git a/docs/qos.rst b/docs/qos.rst
index 0a58e3f8..c0266461 100644
--- a/docs/qos.rst
+++ b/docs/qos.rst
@@ -1086,7 +1086,7 @@ parameters.
Example
^^^^^^^
-A simple example of Shaper using priorities. It includes examples of matching on addresses and protocols.
+A simple example of Shaper using priorities.
.. code-block:: none
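Review bot: the retained intro sentence "A simple example of Shaper using priorities." no longer matches the example once the class 2 and class 5 lines are removed in the following hunk, because only `default priority '7'` survives and a single priority does not demonstrate prioritisation. Either keep one non-default class in the example or reword the intro to "A simple example of Shaper with a single default class."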
@@ -1111,17 +1111,7 @@ A simple example of Shaper using priorities. It includes examples of matching on
set traffic-policy shaper MY-HTB default ceiling '100%'
set traffic-policy shaper MY-HTB default priority '7'
set traffic-policy shaper MY-HTB default queue-type 'fair-queue'
- set traffic-policy shaper MY-HTB class 2 match ack ip tcp ack
- set traffic-policy shaper MY-HTB class 2 match dns ip destination port '53'
- set traffic-policy shaper MY-HTB class 2 match icmp ip protocol 'icmp'
- set traffic-policy shaper MY-HTB class 2 match ssh ip destination port '22'
- set traffic-policy shaper MY-HTB class 2 match syn ip tcp syn
- set traffic-policy shaper MY-HTB class 2 priority '5'
- set traffic-policy shaper MY-HTB class 2 queue-limit '16'
- set traffic-policy shaper MY-HTB class 2 queue-type 'fair-queue'
- set traffic-policy shaper MY-HTB class 5 bandwidth '10%'
- set traffic-policy shaper MY-HTB class 5 burst '15k'
- set traffic-policy shaper MY-HTB class 5 ceiling '100%'
+
.. _ingress-shaping:
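Review bot: deleting all of class 2 and class 5 removes the only lines with a non-default `priority '5'` and a `bandwidth '10%'`/`ceiling '100%'` pair, so the example stops illustrating the feature it is named for; it also adds a whitespace-only `+` line after `default queue-type 'fair-queue'`. If the intent was only to drop the address/protocol matches (as the previous hunk's removed sentence suggests), keep `class 2 priority '5'`, `queue-limit '16'` and `queue-type 'fair-queue'` together with class 5, and remove only the `match ...` lines; if the `match ack ip tcp ack` / `match syn ip tcp syn` syntax was removed because it is outdated, say so in the commit message.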
@@ -1163,7 +1153,7 @@ Once a traffic-policy is created, you can apply it to an interface:
.. code-block:: none
- set interfaces ethernet eth0 traffic-policy out WAN-OUT
+ set interfaces etherhet eth0 traffic-policy out WAN-OUT
You can only apply one policy per interface and direction, but you can
have several policies working at the same time:
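Review bot: this hunk replaces the correct keyword `ethernet` with the misspelling `etherhet` in `set interfaces etherhet eth0 traffic-policy out WAN-OUT`; `etherhet` is not a VyOS interface type, so a reader pasting the documented command gets a CLI error. Revert to `set interfaces ethernet eth0 traffic-policy out WAN-OUT`.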
@@ -1171,8 +1161,8 @@ have several policies working at the same time:
.. code-block:: none
set interfaces ethernet eth0 traffic-policy in WAN-IN
- set interfaces ethernet eth0 traffic-policy out WAN-OUT
- set interfaces ethernet eth1 traffic-policy out WAN-OUT
+ set interfaces etherhet eth0 traffic-policy out WAN-OUT
+ set interfaces etherhet eth1 traffic-policy out WAN-OUT
set interfaces ethernet eth2 traffic-policy out LAN-IN
set interfaces ethernet eth2 traffic-policy out LAN-OUT
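Review bot: same `ethernet` -> `etherhet` regression on both changed lines here, and it is now internally inconsistent within one block, since the untouched `eth0 traffic-policy in WAN-IN` and both `eth2` lines still spell `ethernet`. Revert the two `+` lines to `set interfaces ethernet eth0 ...` and `set interfaces ethernet eth1 ...`.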
diff --git a/docs/system/flow-accounting.rst b/docs/system/flow-accounting.rst
index 64c20dcf..f09c1c9a 100644
--- a/docs/system/flow-accounting.rst
+++ b/docs/system/flow-accounting.rst
@@ -39,8 +39,8 @@ NetFlow is usually enabled on a per-interface basis to limit load on the router
components involved in NetFlow, or to limit the amount of NetFlow records
exported.
-Configururation
-===============
+Configuration
+=============
In order for flow accounting information to be collected and displayed for an
interface, the interface must be configured for flow accounting.
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index cbb89fbe..159366dc 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -183,10 +183,10 @@ Server
======
Multi-client server is the most popular OpenVPN mode on routers. It always uses
-x.509 authentication and therefore requires a PKI setup. This guide assumes
-`you have already setup a PKI`_ and have a CA certificate, a server certificate and
-key, a certificate revocation list, a Diffie-Hellman key exchange parameters
-file. You do not need client certificates and keys for the server setup.
+x.509 authentication and therefore requires a PKI setup. Refer this section
+**Generate X.509 Certificate and Keys** to generate a CA certificate,
+a server certificate and key, a certificate revocation list, a Diffie-Hellman
+key exchange parameters file. You do not need client certificates and keys for the server setup.
In this example we will use the most complicated case: a setup where each
client is a router that has its own subnet (think HQ and branch offices), since
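Review bot: `Refer this section **Generate X.509 Certificate and Keys**` is bold text rather than a cross-reference, so it does not link to the new section that replaces the removed `you have already setup a PKI` URL, and the sentence is missing "to" and an article. Since the target section is added later in this same file, put a label such as `.. _generate-x509:` above its heading and write `Refer to :ref:\`generate-x509\` to generate a CA certificate, ...`, which keeps the navigation the external link used to provide.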
@@ -254,7 +254,88 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
-.. _`you have already setup a PKI`: https://support.vyos.io/en/kb/articles/using-easy-rsa-to-generate-x-509-certificates-and-keys-2
+Generate X.509 Certificate and Keys
+***********************************
+
+OpenVPN ships with a set of scripts called Easy-RSA that can generate the
+appropriate files needed for an OpenVPN setup using X.509 certificates.
+Easy-RSA comes installed by default on VyOS routers.
+
+Copy the Easy-RSA scripts to a new directory to modify the values.
+
+.. code-block:: none
+
+ cp -r /usr/share/easy-rsa/ /config/my-easy-rsa-config
+ cd /config/my-easy-rsa-config
+
+To ensure the consistent use of values when generating the PKI, set default
+values to be used by the PKI generating scripts. Rename the vars.example filename
+to vars
+
+.. code-block:: none
+
+ mv vars.example vars
+
+Following is the instance of the file after editing. You may also change other values in
+the file at your discretion/need, though for most cases the defaults should be just fine.
+(do not leave any of these parameters blank)
+
+.. code-block:: none
+
+ set_var EASYRSA_DN "org"
+ set_var EASYRSA_REQ_COUNTRY "US"
+ set_var EASYRSA_REQ_PROVINCE "California"
+ set_var EASYRSA_REQ_CITY "San Francisco"
+ set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
+ set_var EASYRSA_REQ_EMAIL "me@example.net"
+ set_var EASYRSA_REQ_OU "My Organizational Unit"
+ set_var EASYRSA_KEY_SIZE 2048
+
+
+init-pki option will create a new pki directory or will delete any previously generated
+certificates stored in that folder. The term 'central' is used to refer server and
+'branch' for client
+
+.. note:: Remember the “CA Key Passphrase” prompted in build-ca command,
+ as it will be asked in signing the server/client certificate.
+
+.. code-block:: none
+
+ vyos@vyos:/config/my-easy-rsa-config$./easyrsa init-pki
+ vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-ca
+ vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-req central nopass
+ vyos@vyos:/config/my-easy-rsa-config$./easyrsa sign-req server central
+ vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-dh
+ vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-client-full branch1 nopass
+
+To generate a certificate revocation list for any client, execute these commands:
+
+.. code-block:: none
+
+ vyos@vyos:/config/my-easy-rsa-config$./easyrsa revoke client1
+ vyos@vyos:/config/my-easy-rsa-config$ ./easyrsa gen-crl
+
+Copy the files to /config/auth/ovpn/ to use in OpenVPN tunnel creation
+
+.. code-block:: none
+
+ vyos@vyos:/config/my-easy-rsa-config$ sudo mkdir /config/auth/ovpn
+ vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/ca.crt /config/auth/ovpn
+ vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/dh.pem /config/auth/ovpn
+ vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/private/central.key /config/auth/ovpn
+ vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/issued/central.crt /config/auth/ovpn
+ vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/crl.pem /config/auth/ovpn
+
+Additionally, each client needs a copy of ca.crt and its own client key and cert files.
+The files are plaintext so they may be copied either manually,
+or through a remote file transfer tool like scp. Whichever method you use,
+the files need to end up in the proper location on each router.
+For example, Branch 1's router might have the following files:
+
+.. code-block:: none
+
+ vyos@branch1-rtr:$ ls /config/auth/ovpn
+ ca.crt branch1.crt branch1.key
Client Authentication
---------------------
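Review bot: `./easyrsa revoke client1` revokes a certificate name that this walkthrough never creates; the only client built is `branch1` (`./easyrsa build-client-full branch1 nopass`), so the command fails when followed verbatim. Change it to `./easyrsa revoke branch1` or state that the name is a placeholder for the client to revoke. Smaller points in the same hunk: the prompts in the `init-pki` and `revoke` blocks lack a space after `$` (`$./easyrsa init-pki`) while `$ ./easyrsa gen-crl` and the `sudo cp` block have one, so normalise them; the new heading uses a `****` underline that does not appear elsewhere in the visible file (`====` for Server, `----` for Client Authentication), which may place the section at an unintended level; "The term 'central' is used to refer server and 'branch' for client" should read "refers to the server ... and 'branch' to the client"; and the `init-pki` sentence should state plainly that it deletes any existing `pki` directory rather than "will create ... or will delete". Finally, `gen-req central nopass` and `build-client-full branch1 nopass` produce unencrypted private keys, and `sudo cp pki/private/central.key /config/auth/ovpn` copies one of them; a sentence that `nopass` is what allows the OpenVPN service to start unattended, and that the resulting `.key` files (the server's and each branch's) must stay readable only by root and be transferred to the branch routers over an encrypted channel such as scp, would fit better than "The files are plaintext so they may be copied either manually".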