Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index b2559c95..d4ef47b0 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-07-30 + .. _openvpn: ####### @@ -43,7 +45,7 @@ Site-to-site mode supports x.509 but doesn't require it and can also work with static keys, which is simpler in many cases. In this example, we'll configure a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key. -First, one one of the systems generate the key using the operational command +First, one of the system generates the key using the operational command ``generate openvpn key <filename>``. This will generate a key with the name provided in the `/config/auth/` directory. Once generated, you will need to copy this key to the remote router. @@ -94,7 +96,7 @@ Remote Configuration: set interfaces openvpn vtun1 local-address '10.255.1.2' set interfaces openvpn vtun1 remote-address '10.255.1.1' -The configurations above will default to using 128-bit Blowfish in CBC mode +The above configurations will by default use 128-bit Blowfish in CBC mode for encryption and SHA-1 for HMAC authentication. These are both considered weak, but a number of other encryption and hashing algorithms are available: 
@@ -177,7 +179,11 @@ First we need to specify the basic settings. 1194/UDP is the default. The closing on connection resets or daemon reloads. -.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur. +.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is + used to renegotiate data channel after n seconds. When used at both server + and client, the lower value will trigger the renegotiation. If you set it + to 0 on one side of the connection (to disable it), the chosen value on the + other side will determine when the renegotiation will occur. .. code-block:: none @@ -200,7 +206,7 @@ you keep the files in `/config/auth/openvpn` Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints. Since we want clients to access -a specific network behind out router, we will use a push-route option for +a specific network behind our router, we will use a push-route option for installing that route on clients. .. code-block:: none 
@@ -236,12 +242,13 @@ OpenLDAP -------- Enterprise installations usually ship a kind of directory service which is used -to have a single password store for all employees. VyOS and OpenVPN support using -LDAP/AD as single user backend. +to have a single password store for all employees. VyOS and OpenVPN support +using LDAP/AD as single user backend. Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is -shipped with every VyOS installation. A dedicated configuration file is required. -It is best practise to store it in ``/config`` to survive image updates +shipped with every VyOS installation. A dedicated configuration file is +required. It is best practise to store it in ``/config`` to survive image +updates .. code-block:: none @@ -327,7 +334,10 @@ If you only want to check if the user account is enabled and can authenticate RequireGroup false </Authorization> -A complete LDAP auth OpenVPN configuration could look like the following example: +A complete LDAP auth OpenVPN configuration could look like the following +example: + +.. stop_vyoslinter .. code-block:: none @@ -357,10 +367,13 @@ A complete LDAP auth OpenVPN configuration could look like the following example } } +.. start_vyoslinter + OpenVPN Client ############## -VyOS can not only act as an OpenVPN site-to-site or Server for multiple clients. +VyOS can not only act as an OpenVPN site-to-site but also as a Server for +multiple clients. You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client connecting to a VyOS OpenVPN server or any other OpenVPN server. @@ -463,6 +476,6 @@ The following commands let you reset OpenVPN. .. opcmd:: reset openvpn interface <interface> - Uset this command to reset the OpenVPN process on a specific interface. + Use this command to reset the OpenVPN process on a specific interface. |
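Review bot: In the hunk at @@ -43,7 +45,7 @@ the replacement line is still wrong: `First, one of the system generates the key using the operational command` has a number disagreement (`one of the system`) and turns an instruction to the operator into a statement about the system. The surrounding text is a how-to, so keep the imperative and the plural: `First, on one of the systems, generate the key using the operational command`.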
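Review bot: In the hunk at @@ -94,7 +96,7 @@ `The above configurations will by default use 128-bit Blowfish in CBC mode` is no clearer than the line it replaces; `The configurations above default to 128-bit Blowfish in CBC mode` reads better. Since the same paragraph states that both defaults are considered weak and that other algorithms are available, it would also help to phrase it so readers understand they are expected to set a stronger cipher and hash explicitly rather than leave the default in place.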
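Review bot: The reflow at @@ -177,7 +179,11 @@ only re-wraps the note, so it is a good moment to fix the wording it carries over: `renegotiate data channel` needs an article (`renegotiate the data channel`), and `**openvpn-option -reneg-sec**` shows the option with a single dash while OpenVPN's option is `--reneg-sec`; worth confirming that the source is meant to read that way and not that a hyphen was lost.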
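Review bot: At @@ -236,12 +242,13 @@ the re-wrapped paragraph ends on `updates` with no full stop, and `best practise` should be `best practice` (the noun); since these lines are being touched anyway, both can be fixed in the same change.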
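Review bot: The `.. stop_vyoslinter` added at @@ -327,7 +334,10 @@ disables the linter for the LDAP example without saying why; a short comment next to it stating what in the example the linter objects to would save the next editor from removing it or widening the disabled region. Also confirm that the matching `.. start_vyoslinter` in the following hunk sits immediately after the example's closing brace so that no other text is left unchecked.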
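Review bot: At @@ -357,10 +367,13 @@ the rewrite `VyOS can not only act as an OpenVPN site-to-site but also as a Server for multiple clients.` breaks the logic of the paragraph: the `not only` was meant to lead into the next sentence (`You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client`), which is the point of the OpenVPN Client section, and the new sentence now closes the contrast early on the server role. Suggest folding the two sentences: `VyOS can act not only as an OpenVPN site-to-site endpoint or as a server for multiple clients, but also as an OpenVPN client connecting to a VyOS OpenVPN server or any other OpenVPN server.`, which also drops the stray capital in `Server`.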