diff options
-rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 17 | ||||
-rw-r--r-- | docs/configuration/vpn/l2tp.rst | 17 | ||||
-rw-r--r-- | docs/configuration/vpn/pptp.rst | 30 |
3 files changed, 45 insertions, 19 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index e6487292..66587b17 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -1,3 +1,5 @@ +:lastproofread: 2020-07-15 + .. _vpn-dmvpn: DMVPN @@ -7,7 +9,7 @@ DMVPN DMVPN is a dynamic VPN technology originally developed by Cisco. While their implementation was somewhat proprietary, the underlying technologies are -actually standards based. The three technologies are: +actually standard based. The three technologies are: * **NHRP** - NBMA Next Hop Resolution Protocol RFC2332_ * **mGRE** - Multipoint Generic Routing Encapsulation / mGRE RFC1702_ @@ -34,9 +36,11 @@ Baseline Configuration: #. Create nhrp (`protocols nhrp`) #. Create ipsec vpn (optional, but recommended for security) (`vpn ipsec`) -The tunnel will be set to mGRE if for encapsulation `gre` is set, and no +The tunnel will be set to mGRE if `gre` is set for encapsulation, and no `remote-ip` is set. If the public ip is provided by DHCP the tunnel `local-ip` -can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, the interface will need to be `delete`'d from the config and recreated without the `remote-ip` config ever being set. +can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, +the interface will need to be `deleted` from the config and recreated without +the `remote-ip` config ever being set. .. figure:: /_static/images/vpn_dmvpn_topology01.png :scale: 40 % @@ -164,7 +168,12 @@ HUB Example Configuration: HUB on AWS Configuration Specifics ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Setting this up on AWS will require a "Custom Protocol Rule" for protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the offical AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console) +Setting this up on AWS will require a "Custom Protocol Rule" for protocol +number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and +secondly on the security group network ACL attached to the EC2 instance. This +has been tested as working for the offical AMI image on the AWS Marketplace. +(Locate the correct VPC and security group by navigating through the details +pane below your EC2 instance in the AWS console) SPOKE Configuration ^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 64223475..cd14cdda 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-07-15 + .. _l2tp: L2TP over IPsec @@ -60,6 +62,8 @@ will need to add the appropriate source NAT rules to your configuration. set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade +.. stop_vyoslinter + To be able to resolve when connected to the VPN, the following DNS rules are needed as well. @@ -71,6 +75,8 @@ needed as well. .. note:: Those are the `Google public DNS`_ servers. You can also use the public available servers from Quad9_ (9.9.9.9) or Cloudflare_ (1.1.1.1). +.. start_vyoslinter + Established sessions can be viewed using the **show vpn remote-access** operational command. @@ -85,7 +91,7 @@ operational command. RADIUS authentication ^^^^^^^^^^^^^^^^^^^^^ -The above configuration made use of local accounts on the VyOS router for +The above configuration uses local accounts on the VyOS router for authenticating L2TP/IPSec clients. In bigger environments usually something like RADIUS_ (FreeRADIUS_ or Microsoft `Network Policy Server`_, NPS) is used. @@ -95,6 +101,8 @@ VyOS supports either `local` or `radius` user authentication: set vpn l2tp remote-access authentication mode <local|radius> +.. stop_vyoslinter + In addition one or more RADIUS_ servers can be configured to server for user authentication. This is done using the `radius server` and `radius server key` nodes: @@ -104,9 +112,9 @@ nodes: set vpn l2tp remote-access authentication radius server 1.1.1.1 key 'foo' set vpn l2tp remote-access authentication radius server 2.2.2.2 key 'foo' -.. note:: Some RADIUS_ severs make use of an access control list who is allowed - to query the server. Please configure your VyOS router in the allowed client - list. +.. note:: Some RADIUS_ severs make use of an access control list which is + allowed to query the server. Please configure your VyOS router in the + allowed client list. RADIUS source address ********************* @@ -122,6 +130,7 @@ single source IP e.g. the loopback interface. Above command will use `3.3.3.3` as source IPv4 address for all RADIUS queries on this NAS. +.. start_vyoslinter .. _`Google Public DNS`: https://developers.google.com/speed/public-dns .. _Quad9: https://quad9.net diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index 72b3feb0..24ee3264 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -1,13 +1,19 @@ +:lastproofread: 2021-07-15 + .. _pptp: PPTP-Server ----------- -The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. -PPTP has many well known security issues and you should use one of the many other new VPN implementations. +The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only +for backwards compatibility. PPTP has many well known security issues and you +should use one of the many other new VPN implementations. -As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. -If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1. +As per default and if not otherwise defined, mschap-v2 is being used for +authentication and mppe 128-bit (stateless) for encryption. If no +gateway-address is set within the configuration, the lowest IP out of the /24 +client-ip-pool is being used. For instance, in the example below it would be +192.168.0.1. server example ^^^^^^^^^^^^^^ @@ -17,15 +23,15 @@ server example set vpn pptp remote-access authentication local-users username test password 'test' set vpn pptp remote-access authentication mode 'local' set vpn pptp remote-access client-ip-pool start '192.168.0.10' - set vpn pptp remote-access client-ip-pool stop '192.168.0.15' - set vpn pptp remote-access gateway-address '10.100.100.1' + set vpn pptp remote-access client-ip-pool stop '192.168.0.15' set vpn pptp remote-access outside-address '10.1.1.120' client example (debian 9) ^^^^^^^^^^^^^^^^^^^^^^^^^ -Install the client software via apt and execute pptpsetup to generate the configuration. +Install the client software via apt and execute pptpsetup to generate the +configuration. .. code-block:: none @@ -41,7 +47,9 @@ All tunnel sessions can be checked via: .. code-block:: none - run sh pptp-server sessions - ifname | username | calling-sid | ip | type | comp | state | uptime - --------+----------+-------------+--------------+------+------+--------+---------- - ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58 + run show vpn remote-access + Active remote access VPN sessions: + + User Proto Iface Tunnel IP TX byte RX byte Time + ---- ----- ----- --------- ------- ------- ---- + test PPTP pptp0 192.168.0.10 288 66 00h00m07s |