summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/configuration/interfaces/openvpn.rst33
1 files changed, 19 insertions, 14 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index 62273ca0..02c5a797 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -34,8 +34,9 @@ In the VyOS CLI, a key point often overlooked is that rather than being
configured using the `set vpn` stanza, OpenVPN is configured as a network
interface using `set interfaces openvpn`.
-Site-To-Site
-============
+************
+Site-to-Site
+************
.. figure:: /_static/images/openvpn_site2site_diagram.jpg
@@ -85,7 +86,7 @@ Local Configuration:
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
- set interfaces openvpn vtun1 local-address '10.255.1.1'
+ set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
Local Configuration - Annotated:
@@ -132,11 +133,10 @@ Remote Configuration - Annotated:
set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface
-*******************
Firewall Exceptions
-*******************
+===================
-For the WireGuard traffic to pass through the WAN interface, you must create a
+For the OpenVPN traffic to pass through the WAN interface, you must create a
firewall exception.
.. code-block:: none
@@ -248,8 +248,9 @@ to each tunnel. Another option is to dedicate a port number to each tunnel
OpenVPN status can be verified using the `show openvpn` operational commands.
See the built-in help for a complete list of options.
+******
Server
-======
+******
Multi-client server is the most popular OpenVPN mode on routers. It always uses
x.509 authentication and therefore requires a PKI setup. Refer this section
@@ -325,7 +326,7 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
set protocols static route 10.23.0.0/20 interface vtun10
Generate X.509 Certificate and Keys
------------------------------------
+===================================
OpenVPN ships with a set of scripts called Easy-RSA that can generate the
appropriate files needed for an OpenVPN setup using X.509 certificates.
@@ -538,8 +539,9 @@ example:
}
}
+******
Client
-======
+******
VyOS can not only act as an OpenVPN site-to-site or server for multiple clients.
You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client
@@ -552,8 +554,11 @@ using their CN attribute in the SSL certificate.
.. _openvpn:client_server:
-Server
-------
+Configuration
+=============
+
+Server Side
+-----------
.. code-block:: none
@@ -578,8 +583,8 @@ Server
.. _openvpn:client_client:
-Client
-------
+Client Side
+-----------
.. code-block:: none
@@ -641,7 +646,7 @@ The following commands let you check tunnel status.
.. opcmd:: show openvpn site-to-site
- Use this command to check the tunnel status for OpenVPN site-to-site
+ Use this command to check the tunnel status for OpenVPN site-to-site
interfaces.