diff options
Diffstat (limited to 'docs/configuration/interfaces/openvpn.rst')
-rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 105 |
1 files changed, 86 insertions, 19 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 877b5d60..62273ca0 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -37,6 +37,8 @@ interface using `set interfaces openvpn`. Site-To-Site ============ +.. figure:: /_static/images/openvpn_site2site_diagram.jpg + While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due to lack of support for this mode in many router platforms. @@ -53,9 +55,12 @@ copy this key to the remote router. In our example, we used the filename ``openvpn-1.key`` which we will reference in our configuration. -* The public IP address of the local side of the VPN will be 198.51.100.10 -* The remote will be 203.0.113.11 +* The public IP address of the local side of the VPN will be 198.51.100.10. +* The public IP address of the remote side of the VPN will be 203.0.113.11. * The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote. +* The local site will have a subnet of 10.0.0.0/16. +* The remote site will have a subnet of 10.1.0.0/16. +* Static Routing or other dynamic routing protocols can be used over the vtun interface * OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible. @@ -68,6 +73,7 @@ in our configuration. ``remote-host`` directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router. + Local Configuration: .. code-block:: none @@ -75,13 +81,28 @@ Local Configuration: set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 local-host '198.51.100.10' + set interfaces openvpn vtun1 remote-host '203.0.113.11 set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' - set interfaces openvpn vtun1 local-address '10.255.1.1' + set interfaces openvpn vtun1 local-address '10.255.1.1' set interfaces openvpn vtun1 remote-address '10.255.1.2' +Local Configuration - Annotated: + +.. code-block:: none + + set interfaces openvpn vtun1 mode site-to-site + set interfaces openvpn vtun1 protocol udp + set interfaces openvpn vtun1 persistent-tunnel + set interfaces openvpn vtun1 remote-host '203.0.113.11' # Pub IP of other site + set interfaces openvpn vtun1 local-port '1195' + set interfaces openvpn vtun1 remote-port '1195' + set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' + set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface + set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface + + Remote Configuration: .. code-block:: none @@ -96,6 +117,67 @@ Remote Configuration: set interfaces openvpn vtun1 local-address '10.255.1.2' set interfaces openvpn vtun1 remote-address '10.255.1.1' +Remote Configuration - Annotated: + +.. code-block:: none + + set interfaces openvpn vtun1 mode site-to-site + set interfaces openvpn vtun1 protocol udp + set interfaces openvpn vtun1 persistent-tunnel + set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site + set interfaces openvpn vtun1 local-port '1195' + set interfaces openvpn vtun1 remote-port '1195' + set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' + set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface + set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface + + +******************* +Firewall Exceptions +******************* + +For the WireGuard traffic to pass through the WAN interface, you must create a +firewall exception. + +.. code-block:: none + + set firewall name OUTSIDE_LOCAL rule 10 action accept + set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related' + set firewall name OUTSIDE_LOCAL rule 10 state established enable + set firewall name OUTSIDE_LOCAL rule 10 state related enable + set firewall name OUTSIDE_LOCAL rule 20 action accept + set firewall name OUTSIDE_LOCAL rule 20 description OpenVPN_IN + set firewall name OUTSIDE_LOCAL rule 20 destination port 1195 + set firewall name OUTSIDE_LOCAL rule 20 log enable + set firewall name OUTSIDE_LOCAL rule 20 protocol udp + set firewall name OUTSIDE_LOCAL rule 20 source + +You should also ensure that the OUTISDE_LOCAL firewall group is applied to the +WAN interface and a direction (local). + +.. code-block:: none + + set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL' + + +Static Routing: + +Static routes can be configured referencing the tunnel interface; for example, +the local router will use a network of 10.0.0.0/16, while the remote has a +network of 10.1.0.0/16: + +Local Configuration: + +.. code-block:: none + + set protocols static route 10.1.0.0/16 interface vtun1 + +Remote Configuration: + +.. code-block:: none + + set protocols static route 10.0.0.0/16 interface vtun1 + The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides support NCP) and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are @@ -153,21 +235,6 @@ If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up. -Static routes can be configured referencing the tunnel interface; for example, -the local router will use a network of 10.0.0.0/16, while the remote has a -network of 10.1.0.0/16: - -Local Configuration: - -.. code-block:: none - - set protocols static route 10.1.0.0/16 interface vtun1 - -Remote Configuration: - -.. code-block:: none - - set protocols static route 10.0.0.0/16 interface vtun1 Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and functions identically to ethernet interfaces. |