summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/_static/images/policy-based-ipsec-and-firewall.pngbin0 -> 42987 bytes
-rw-r--r--docs/configexamples/index.rst1
-rw-r--r--docs/configexamples/policy-based-ipsec-and-firewall.rst281
-rw-r--r--docs/configuration/interfaces/openvpn.rst173
-rw-r--r--docs/configuration/vrf/index.rst42
5 files changed, 432 insertions, 65 deletions
diff --git a/docs/_static/images/policy-based-ipsec-and-firewall.png b/docs/_static/images/policy-based-ipsec-and-firewall.png
new file mode 100644
index 00000000..6e9d43ac
--- /dev/null
+++ b/docs/_static/images/policy-based-ipsec-and-firewall.png
Binary files differ
diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst
index 80083fe1..a0413bfd 100644
--- a/docs/configexamples/index.rst
+++ b/docs/configexamples/index.rst
@@ -21,6 +21,7 @@ This chapter contains various configuration examples:
qos
segment-routing-isis
nmp
+ policy-based-ipsec-and-firewall
Configuration Blueprints (autotest)
diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst
new file mode 100644
index 00000000..1f969453
--- /dev/null
+++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst
@@ -0,0 +1,281 @@
+.. _examples-policy-based-ipsec-and-firewall:
+
+
+Policy-Based Site-to-Site VPN and Firewall Configuration
+--------------------------------------------------------
+
+This guide shows an example policy-based IKEv2 site-to-site VPN between two
+VyOS routers, and firewall configiuration.
+
+For simplicity, configuration and tests are done only using ipv4, and firewall
+configuration in done only on one router.
+
+Network Topology and requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This configuration example and the requirments consists on:
+
+- Two VyOS routers with public IP address.
+
+- 2 private subnets on each site.
+
+- Local subnets should be able to reach internet using source nat.
+
+- Communication between private subnets should be done through ipsec tunnel
+ without nat.
+
+- Configuration of basic firewall in one site, in order to:
+
+ - Protect the router on 'WAN' interface, allowing only ipsec connections
+ and ssh access from trusted ips.
+
+ - Allow access to the router only from trusted networks.
+
+ - Allow dns requests only only for local networks.
+
+ - Allow icmp on all interfaces.
+
+ - Allow all new connections from local subnets.
+
+ - Allow connections from LANs to LANs throught the tunnel.
+
+
+.. image:: /_static/images/policy-based-ipsec-and-firewall.png
+
+
+Configuration
+^^^^^^^^^^^^^
+
+Interface and routing configuration:
+
+.. code-block:: none
+
+ # LEFT router:
+ set interfaces ethernet eth0 address '198.51.100.14/30'
+ set interfaces ethernet eth1 vif 111 address '10.1.11.1/24'
+ set interfaces ethernet eth2 vif 112 address '10.1.12.1/24'
+ set protocols static route 0.0.0.0/0 next-hop 198.51.100.13
+
+ # RIGHT router:
+ set interfaces ethernet eth0 address '192.0.2.130/30'
+ set interfaces ethernet eth1 vif 221 address '10.2.21.1/24'
+ set interfaces ethernet eth2 vif 222 address '10.2.22.1/24'
+
+
+IPSec configuration:
+
+.. code-block:: none
+
+ # LEFT router:
+ set vpn ipsec authentication psk RIGHT id '198.51.100.14'
+ set vpn ipsec authentication psk RIGHT id '192.0.2.130'
+ set vpn ipsec authentication psk RIGHT secret 'p4ssw0rd'
+ set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
+ set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
+ set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
+ set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
+ set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
+ set vpn ipsec interface 'eth0'
+ set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer RIGHT connection-type 'initiate'
+ set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESP-GROUP'
+ set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-GROUP'
+ set vpn ipsec site-to-site peer RIGHT local-address '198.51.100.14'
+ set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.130'
+ set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '10.1.11.0/24'
+ set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '10.2.21.0/24'
+ set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.11.0/24'
+ set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.2.22.0/24'
+ set vpn ipsec site-to-site peer RIGHT tunnel 2 local prefix '10.1.12.0/24'
+ set vpn ipsec site-to-site peer RIGHT tunnel 2 remote prefix '10.2.21.0/24'
+ set vpn ipsec site-to-site peer RIGHT tunnel 3 local prefix '10.1.12.0/24'
+ set vpn ipsec site-to-site peer RIGHT tunnel 3 remote prefix '10.2.22.0/24'
+
+ # RIGHT router:
+ set vpn ipsec authentication psk LEFT id '192.0.2.130'
+ set vpn ipsec authentication psk LEFT id '198.51.100.14'
+ set vpn ipsec authentication psk LEFT secret 'p4ssw0rd'
+ set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
+ set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
+ set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
+ set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
+ set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
+ set vpn ipsec interface 'eth0'
+ set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer LEFT connection-type 'respond'
+ set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP'
+ set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP'
+ set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130'
+ set vpn ipsec site-to-site peer LEFT remote-address '198.51.100.14'
+ set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '10.2.21.0/24'
+ set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '10.1.11.0/24'
+ set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '10.2.22.0/24'
+ set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '10.1.11.0/24'
+ set vpn ipsec site-to-site peer LEFT tunnel 2 local prefix '10.2.21.0/24'
+ set vpn ipsec site-to-site peer LEFT tunnel 2 remote prefix '10.1.12.0/24'
+ set vpn ipsec site-to-site peer LEFT tunnel 3 local prefix '10.2.22.0/24'
+ set vpn ipsec site-to-site peer LEFT tunnel 3 remote prefix '10.1.12.0/24'
+
+Firewall Configuration:
+
+.. code-block:: none
+
+ # Firewall Groups:
+ set firewall group network-group LOCAL-NETS network '10.1.11.0/24'
+ set firewall group network-group LOCAL-NETS network '10.1.12.0/24'
+ set firewall group network-group REMOTE-NETS network '10.2.21.0/24'
+ set firewall group network-group REMOTE-NETS network '10.2.22.0/24'
+ set firewall group network-group TRUSTED network '198.51.100.125/32'
+ set firewall group network-group TRUSTED network '203.0.113.0/24'
+ set firewall group network-group TRUSTED network '10.1.11.0/24'
+ set firewall group network-group TRUSTED network '192.168.70.0/24'
+
+ # Forward traffic: default drop and only allow what is needed
+ set firewall ipv4 forward filter default-action 'drop'
+
+ # Forward traffic: global state policies
+ set firewall ipv4 forward filter rule 1 action 'accept'
+ set firewall ipv4 forward filter rule 1 state established 'enable'
+ set firewall ipv4 forward filter rule 1 state related 'enable'
+ set firewall ipv4 forward filter rule 2 action 'drop'
+ set firewall ipv4 forward filter rule 2 state invalid 'enable'
+
+ # Forward traffic: Accept all connections from local networks
+ set firewall ipv4 forward filter rule 10 action 'accept'
+ set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS'
+
+ # Forward traffic: accept connections from remote LANs to local LANs
+ set firewall ipv4 forward filter rule 20 action 'accept'
+ set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS'
+ set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS'
+
+ # Input traffic: default drop and only allow what is needed
+ set firewall ipv4 input filter default-action 'drop'
+
+ # Input traffic: global state policies
+ set firewall ipv4 input filter rule 1 action 'accept'
+ set firewall ipv4 input filter rule 1 state established 'enable'
+ set firewall ipv4 input filter rule 1 state related 'enable'
+ set firewall ipv4 input filter rule 2 action 'drop'
+ set firewall ipv4 input filter rule 2 state invalid 'enable'
+
+ # Input traffic: add rules needed for ipsec connection
+ set firewall ipv4 input filter rule 10 action 'accept'
+ set firewall ipv4 input filter rule 10 destination port '500,4500'
+ set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0'
+ set firewall ipv4 input filter rule 10 protocol 'udp'
+ set firewall ipv4 input filter rule 15 action 'accept'
+ set firewall ipv4 input filter rule 15 inbound-interface interface-name 'eth0'
+ set firewall ipv4 input filter rule 15 protocol 'esp'
+
+ # Input traffic: accept ssh connection from trusted ips
+ set firewall ipv4 input filter rule 20 action 'accept'
+ set firewall ipv4 input filter rule 20 destination port '22'
+ set firewall ipv4 input filter rule 20 protocol 'tcp'
+ set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED'
+
+ # Input traffic: accepd dns requests only from local networks.
+ set firewall ipv4 input filter rule 25 action 'accept'
+ set firewall ipv4 input filter rule 25 destination port '53'
+ set firewall ipv4 input filter rule 25 protocol 'udp'
+ set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS'
+
+ # Input traffic: allow icmp
+ set firewall ipv4 input filter rule 30 action 'accept'
+ set firewall ipv4 input filter rule 30 protocol 'icmp'
+
+And NAT Configuration:
+
+.. code-block:: none
+
+ set nat source rule 10 destination group network-group 'REMOTE-NETS'
+ set nat source rule 10 exclude
+ set nat source rule 10 outbound-interface 'eth0'
+ set nat source rule 10 source group network-group 'LOCAL-NETS'
+ set nat source rule 20 outbound-interface 'eth0'
+ set nat source rule 20 source group network-group 'LOCAL-NETS'
+ set nat source rule 20 translation address 'masquerade'
+
+Checking through op-mode commands
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+After some testing, we can check ipsec status, and counter on every tunnel:
+
+.. code-block:: none
+
+ vyos@LEFT:~$ show vpn ipsec sa
+ Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
+ -------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------------
+ RIGHT-tunnel-0 up 36m24s 840B/840B 10/10 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
+ RIGHT-tunnel-1 up 36m33s 588B/588B 7/7 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
+ RIGHT-tunnel-2 up 35m50s 1K/1K 15/15 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
+ RIGHT-tunnel-3 up 36m54s 2K/2K 32/32 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
+ vyos@LEFT:~$
+
+
+Also, we can check firewall counters:
+
+.. code-block:: none
+
+ vyos@LEFT:~$ show firewall
+ Rulesets Information
+
+ ---------------------------------
+ IPv4 Firewall "forward filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ------------------------------------------------------
+ 1 accept all 681 96545 ct state { established, related } accept
+ 2 drop all 0 0 ct state invalid
+ 10 accept all 360 27205 ip saddr @N_LOCAL-NETS accept
+ 20 accept all 8 648 ip daddr @N_LOCAL-NETS ip saddr @N_REMOTE-NETS accept
+ default drop all
+
+ ---------------------------------
+ IPv4 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------------------------------
+ 1 accept all 901 123709 ct state { established, related } accept
+ 2 drop all 0 0 ct state invalid
+ 10 accept udp 0 0 udp dport { 500, 4500 } iifname "eth0" accept
+ 15 accept esp 0 0 meta l4proto esp iifname "eth0" accept
+ 20 accept tcp 1 60 tcp dport 22 ip saddr @N_TRUSTED accept
+ 25 accept udp 0 0 udp dport 53 ip saddr @N_LOCAL-NETS accept
+ 30 accept icmp 0 0 meta l4proto icmp accept
+ default drop all
+
+ vyos@LEFT:~$
+ vyos@LEFT:~$ show firewall statistics
+ Rulesets Statistics
+
+ ---------------------------------
+ IPv4 Firewall "forward filter"
+
+ Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface
+ ------- --------- ------- -------- ----------- ------------- ------------------- --------------------
+ 1 681 96545 accept any any any any
+ 2 0 0 drop any any any any
+ 10 360 27205 accept LOCAL-NETS any any any
+ 20 8 648 accept REMOTE-NETS LOCAL-NETS any any
+ default N/A N/A drop any any any any
+
+ ---------------------------------
+ IPv4 Firewall "input filter"
+
+ Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface
+ ------- --------- ------- -------- ---------- ------------- ------------------- --------------------
+ 1 905 124213 accept any any any any
+ 2 0 0 drop any any any any
+ 10 0 0 accept any any eth0 any
+ 15 0 0 accept any any eth0 any
+ 20 1 60 accept TRUSTED any any any
+ 25 0 0 accept LOCAL-NETS any any any
+ 30 0 0 accept any any any any
+ default N/A N/A drop any any any any
+
+ vyos@LEFT:~$
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index c0019577..2160e781 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -40,30 +40,27 @@ Site-to-Site
.. figure:: /_static/images/openvpn_site2site_diagram.jpg
-While many are aware of OpenVPN as a Client VPN solution, it is often
-overlooked as a site-to-site VPN solution due to lack of support for this mode
-in many router platforms.
+OpenVPN is popular for client-server setups, but its site-to-site mode
+remains a relatively obscure feature, and many router appliances
+still don't support it. However, it's very useful for quickly setting up
+tunnels between routers.
-Site-to-site mode supports x.509 but doesn't require it and can also work with
-static keys, which is simpler in many cases. In this example, we'll configure
-a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.
+As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates.
-First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>`
-command. Once generated, you will need to install this key on the local system,
-then copy and install this key to the remote router.
+The pre-shared key mode is deprecated and will be removed from future OpenVPN versions,
+so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys
+is significantly less secure than using TLS.
-In our example, we used the key name ``openvpn-1`` which we will reference
-in our configuration.
+We'll configure OpenVPN using self-signed certificates, and then discuss the legacy
+pre-shared key mode.
+
+In both cases, we will use the following settings:
* The public IP address of the local side of the VPN will be 198.51.100.10.
* The public IP address of the remote side of the VPN will be 203.0.113.11.
* The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
* The local site will have a subnet of 10.0.0.0/16.
* The remote site will have a subnet of 10.1.0.0/16.
-* Static Routing or other dynamic routing protocols can be used over the vtun interface
-* OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency,
- while TCP will work better for lossy connections; generally UDP is preferred
- when possible.
* The official port for OpenVPN is 1194, which we reserve for client VPN; we
will use 1195 for site-to-site VPN.
* The ``persistent-tunnel`` directive will allow us to configure tunnel-related
@@ -73,85 +70,137 @@ in our configuration.
``remote-host`` directive; if unknown, it can be omitted. We will assume a
dynamic IP for our remote router.
+Setting up certificates
+-----------------------
-Local Configuration:
+Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose
+of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity,
+compared to server setups that need to support multiple clients.
-.. code-block:: none
+However, since VyOS 1.4, it is possible to verify self-signed certificates using
+certificate fingerprints.
- run generate pki openvpn shared-secret install openvpn-1
- Configure mode commands to install OpenVPN key:
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string'
- set pki openvpn shared-secret openvpn-1 version '1'
+On both sides, you need to generate a self-signed certificate, preferrably using the "ec" (elliptic curve) type.
+You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode.
+Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree.
+You can then review the proposed changes and commit them.
- set interfaces openvpn vtun1 mode site-to-site
- set interfaces openvpn vtun1 protocol udp
- set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 remote-host '203.0.113.11'
- set interfaces openvpn vtun1 local-port '1195'
- set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key openvpn-1
- set interfaces openvpn vtun1 local-address '10.255.1.1'
- set interfaces openvpn vtun1 remote-address '10.255.1.2'
+.. code-block:: none
-Local Configuration - Annotated:
+ vyos@vyos# run generate pki certificate self-signed install openvpn-local
+ Enter private key type: [rsa, dsa, ec] (Default: rsa) ec
+ Enter private key bits: (Default: 256)
+ Enter country code: (Default: GB)
+ Enter state: (Default: Some-State)
+ Enter locality: (Default: Some-City)
+ Enter organization name: (Default: VyOS)
+ Enter common name: (Default: vyos.io)
+ Do you want to configure Subject Alternative Names? [y/N]
+ Enter how many days certificate will be valid: (Default: 365)
+ Enter certificate type: (client, server) (Default: server)
+ Note: If you plan to use the generated key on this router, do not encrypt the private key.
+ Do you want to encrypt the private key with a passphrase? [y/N]
+ 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
+ [edit]
+
+ vyos@vyos# compare
+ [pki]
+ + certificate openvpn-local {
+ + certificate "MIICJTCCAcugAwIBAgIUMXLfRNJ5iOjk/ uAZqUe4phW8MdgwCgYIKoZIzj0EAwIwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA5MDcyMTQzMTNaFw0yNDA5MDYyMTQzMTNaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMWo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUBrAxRdFppdG/UBRdo7qNyHutaTQwHwYDVR0jBBgwFoAUBrAxRdFppdG/UBRdo7qNyHutaTQwCgYIKoZIzj0EAwIDSAAwRQIhAI2+8C92z9wTcTWkQ/goRxs10EBC+h78O+vgo9k97z5iAiBSeqfaVr5taQTS31+McGTAK3cYWNTg0DlOBI8aKO2oRg=="
+ + private {
+ + key "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtOeEb0dMb5P/2Exi09WWvk6Cvz0oOBoDuP68ZimS2LShRANCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMW"
+ + }
+ + }
+
+ [edit]
+
+ vyos@vyos# commit
+
+You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint.
+OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command:
.. code-block:: none
- run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret.
- The generated secret is the output to
- the console.
- Configure mode commands to install OpenVPN key:
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to
- the console.
- set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to
- the console.
+ vyos@vyos# run show pki certificate openvpn-local fingerprint sha256
+ 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79
- set interfaces openvpn vtun1 mode site-to-site
- set interfaces openvpn vtun1 protocol udp
- set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 remote-host '203.0.113.11' # Pub IP of other site
- set interfaces openvpn vtun1 local-port '1195'
- set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name
- set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface
- set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface
+Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary.
+Repeat the procedure on the other router.
-Remote Configuration:
+Setting up OpenVPN
+------------------
+
+Local Configuration:
.. code-block:: none
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string'
- set pki openvpn shared-secret openvpn-1 version '1'
+ Configure the tunnel:
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 remote-host '198.51.100.10'
+ set interfaces openvpn vtun1 remote-host '203.0.113.11' # Public IP of the other side
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key openvpn-1
- set interfaces openvpn vtun1 local-address '10.255.1.2'
- set interfaces openvpn vtun1 remote-address '10.255.1.1'
-
-Remote Configuration - Annotated:
+ set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface
+ set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface
+ set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate
+ set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256
+ on the remote rout
+Remote Configuration:
.. code-block:: none
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret
- (from the Local Configuration Block).
- set pki openvpn shared-secret openvpn-1 version '1'
-
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name
set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface
set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface
+ set interfaces openvpn vtun1 tls certificate 'openvpn-remote' # The self-signed certificate
+ set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256
+ on the local router
+Pre-shared keys
+---------------
+
+Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys.
+That option is still available but it is deprecated and will be removed in the future.
+However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN,
+you need to still need to know how to use it.
+
+First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode.
+You can use any name, we will use ``s2s``.
+
+.. code-block:: none
+ vyos@local# run generate pki openvpn shared-secret install s2s
+ 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
+ [edit]
+ vyos@local# compare
+ [pki openvpn shared-secret]
+ + s2s {
+ + key "7c73046a9da91e874d31c7ad894a32688cda054bde157c64270f28eceebc0bb2f44dbb70335fad45148b0456aaa78cb34a34c0958eeed4f75e75fd99ff519ef940f7029a316c436d2366a2b0fb8ea1d1c792a65f67d10a461af83ef4530adc25d1c872de6d9c7d5f338223d1f3b66dc3311bbbddc0e05228c47b91c817c721aadc7ed18f0662df52ad14f898904372679e3d9697d062b0869d12de47ceb2e626fa12e1926a3119be37dd29c9b0ad81997230f4038926900d5edb78522d2940cfe207f8e2b948e0d459fa137ebb18064ac5982b28dd1899020b4f2b082a20d5d4eb65710fbb1e62b5e061df39620267eab429d3eedd9a1ae85957457c8e4655f3"
+ + version "1"
+ + }
+
+ [edit]
+
+ vyos@local# commit
+ [edit]
+
+Then you need to install the key on the remote router:
+
+.. code-block:: none
+
+ vyos@remote# set pki openvpn shared-secret s2s key <generated key string>
+
+Then you need to set the key in your OpenVPN interface settings:
+
+.. code-block:: none
+ set interfaces openvpn vtun1 shared-secret-key s2s
Firewall Exceptions
===================
diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst
index a51aca52..dea53321 100644
--- a/docs/configuration/vrf/index.rst
+++ b/docs/configuration/vrf/index.rst
@@ -279,6 +279,42 @@ Configuration
set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default'
set vrf name red table '2000'
+VRF and NAT
+-----------
+
+Configuration
+^^^^^^^^^^^^^
+
+ .. code-block:: none
+
+ set interfaces ethernet eth0 address '172.16.50.12/24'
+ set interfaces ethernet eth0 vrf 'red'
+
+ set interfaces ethernet eth1 address '192.168.130.100/24'
+ set interfaces ethernet eth1 vrf 'blue'
+
+ set nat destination rule 110 description 'NAT ssh- INSIDE'
+ set nat destination rule 110 destination port '2022'
+ set nat destination rule 110 inbound-interface 'eth0'
+ set nat destination rule 110 protocol 'tcp'
+ set nat destination rule 110 translation address '192.168.130.40'
+
+ set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 protocol 'all'
+ set nat source rule 100 source address '192.168.130.0/24'
+ set nat source rule 100 translation address 'masquerade'
+
+ set service ssh vrf 'red'
+
+ set vrf bind-to-all
+ set vrf name blue protocols static route 0.0.0.0/0 next-hop 172.16.50.1 vrf 'red'
+ set vrf name blue protocols static route 172.16.50.0/24 interface eth0 vrf 'red'
+ set vrf name blue table '1010'
+
+ set vrf name red protocols static route 0.0.0.0/0 next-hop 172.16.50.1
+ set vrf name red protocols static route 192.168.130.0/24 interface eth1 vrf 'blue'
+ set vrf name red table '2020'
+
.. _vrf example operation:
Operation
@@ -427,9 +463,9 @@ address-family.
.. cfgcmd:: set vrf name <name> protocols bgp address-family
<ipv4-unicast|ipv6-unicast> label vpn allocation-mode per-nexthop
- Select how labels are allocated in the given VRF. By default, the per-vrf
- mode is selected, and one label is used for all prefixes from the VRF. The
- per-nexthop will use a unique label for all prefixes that are reachable via
+ Select how labels are allocated in the given VRF. By default, the per-vrf
+ mode is selected, and one label is used for all prefixes from the VRF. The
+ per-nexthop will use a unique label for all prefixes that are reachable via
the same nexthop.
.. cfgcmd:: set vrf name <name> protocols bgp address-family