diff options
-rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 17 | ||||
-rw-r--r-- | docs/configuration/vpn/l2tp.rst | 9 | ||||
-rw-r--r-- | docs/configuration/vpn/pptp.rst | 17 |
3 files changed, 32 insertions, 11 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index e6487292..66587b17 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -1,3 +1,5 @@ +:lastproofread: 2020-07-15 + .. _vpn-dmvpn: DMVPN @@ -7,7 +9,7 @@ DMVPN DMVPN is a dynamic VPN technology originally developed by Cisco. While their implementation was somewhat proprietary, the underlying technologies are -actually standards based. The three technologies are: +actually standard based. The three technologies are: * **NHRP** - NBMA Next Hop Resolution Protocol RFC2332_ * **mGRE** - Multipoint Generic Routing Encapsulation / mGRE RFC1702_ @@ -34,9 +36,11 @@ Baseline Configuration: #. Create nhrp (`protocols nhrp`) #. Create ipsec vpn (optional, but recommended for security) (`vpn ipsec`) -The tunnel will be set to mGRE if for encapsulation `gre` is set, and no +The tunnel will be set to mGRE if `gre` is set for encapsulation, and no `remote-ip` is set. If the public ip is provided by DHCP the tunnel `local-ip` -can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, the interface will need to be `delete`'d from the config and recreated without the `remote-ip` config ever being set. +can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, +the interface will need to be `deleted` from the config and recreated without +the `remote-ip` config ever being set. .. figure:: /_static/images/vpn_dmvpn_topology01.png :scale: 40 % @@ -164,7 +168,12 @@ HUB Example Configuration: HUB on AWS Configuration Specifics ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Setting this up on AWS will require a "Custom Protocol Rule" for protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the offical AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console) +Setting this up on AWS will require a "Custom Protocol Rule" for protocol +number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and +secondly on the security group network ACL attached to the EC2 instance. This +has been tested as working for the offical AMI image on the AWS Marketplace. +(Locate the correct VPC and security group by navigating through the details +pane below your EC2 instance in the AWS console) SPOKE Configuration ^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 8c8cc1dd..cd14cdda 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -1,4 +1,4 @@ -:lastproofread:2021-07-15 +:lastproofread: 2021-07-15 .. _l2tp: @@ -62,6 +62,8 @@ will need to add the appropriate source NAT rules to your configuration. set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade +.. stop_vyoslinter + To be able to resolve when connected to the VPN, the following DNS rules are needed as well. @@ -73,6 +75,8 @@ needed as well. .. note:: Those are the `Google public DNS`_ servers. You can also use the public available servers from Quad9_ (9.9.9.9) or Cloudflare_ (1.1.1.1). +.. start_vyoslinter + Established sessions can be viewed using the **show vpn remote-access** operational command. @@ -97,6 +101,8 @@ VyOS supports either `local` or `radius` user authentication: set vpn l2tp remote-access authentication mode <local|radius> +.. stop_vyoslinter + In addition one or more RADIUS_ servers can be configured to server for user authentication. This is done using the `radius server` and `radius server key` nodes: @@ -124,6 +130,7 @@ single source IP e.g. the loopback interface. Above command will use `3.3.3.3` as source IPv4 address for all RADIUS queries on this NAS. +.. start_vyoslinter .. _`Google Public DNS`: https://developers.google.com/speed/public-dns .. _Quad9: https://quad9.net diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index 076a95b8..24ee3264 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -1,15 +1,19 @@ -:lastproofread:2021-07-15 +:lastproofread: 2021-07-15 .. _pptp: PPTP-Server ----------- -The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. -PPTP has many well known security issues and you should use one of the many other new VPN implementations. +The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only +for backwards compatibility. PPTP has many well known security issues and you +should use one of the many other new VPN implementations. -As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. -If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1. +As per default and if not otherwise defined, mschap-v2 is being used for +authentication and mppe 128-bit (stateless) for encryption. If no +gateway-address is set within the configuration, the lowest IP out of the /24 +client-ip-pool is being used. For instance, in the example below it would be +192.168.0.1. server example ^^^^^^^^^^^^^^ @@ -26,7 +30,8 @@ server example client example (debian 9) ^^^^^^^^^^^^^^^^^^^^^^^^^ -Install the client software via apt and execute pptpsetup to generate the configuration. +Install the client software via apt and execute pptpsetup to generate the +configuration. .. code-block:: none |