summaryrefslogtreecommitdiff
path: root/docs/vpn/openvpn.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/vpn/openvpn.rst')
-rw-r--r--docs/vpn/openvpn.rst98
1 files changed, 87 insertions, 11 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 29104199..7e468c7b 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -160,7 +160,7 @@ OpenVPN Server
Multi-client server is the most popular OpenVPN mode on routers. It always uses
x.509 authentication and therefore requires a PKI setup. This guide assumes you
have already setup a PKI and have a CA certificate, a server certificate and
-key, a certificate revokation list, a Diffie-Hellman key exchange parameters
+key, a certificate revocation list, a Diffie-Hellman key exchange parameters
file. You do not need client certificates and keys for the server setup.
In this example we will use the most complicated case: a setup where each
@@ -227,15 +227,19 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
-LDAP Authentication
-*******************
+
+Client Authentication
+*********************
+
+OpenLDAP
+========
Enterprise installations usually ship a kind of directory service which is used
-to have a single password store for all employes. VyOS and OpenVPN support using
+to have a single password store for all employees. VyOS and OpenVPN support using
LDAP/AD as single user backend.
Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
-shiped with every VyOS installation. A dedicated configuration file is required.
+shipped with every VyOS installation. A dedicated configuration file is required.
It is best practise to store it in ``/config`` to survive image updates
.. code-block:: sh
@@ -267,7 +271,7 @@ The required config file may look like:
</Authorization>
Active Directory
-****************
+================
Despite the fact that AD is a superset of LDAP
@@ -302,22 +306,22 @@ Despite the fact that AD is a superset of LDAP
</Group>
</Authorization>
-If you only wan't to check if the user account is enabled and can authenticate
+If you only want to check if the user account is enabled and can authenticate
(against the primary group) the following snipped is sufficient:
.. code-block:: sh
<LDAP>
- URL ldap://ds0001.gefoekom.de
- BindDN CN=SA_OPENVPN,OU=ServiceAccounts,OU=GS,OU=GeFoekoM,DC=gefoekom,DC=de
- Password g7LjfjmlPhhHnvmal75hbfdknms-44
+ URL ldap://dc01.example.com
+ BindDN CN=SA_OPENVPN,OU=ServiceAccounts,DC=example,DC=com
+ Password ThisIsTopSecret
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
- BaseDN "OU=GeFoekoM,DC=gefoekom,DC=de"
+ BaseDN "DC=example,DC=com"
SearchFilter "sAMAccountName=%u"
RequireGroup false
</Authorization>
@@ -351,3 +355,75 @@ A complete LDAP auth OpenVPN configuration could look like the following example
key-file /config/auth/server.key
}
}
+
+OpenVPN Client
+^^^^^^^^^^^^^^
+
+VyOS can not only act as an OpenVPN site-to-site or Server for multiple clients.
+You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client
+connecting to a VyOS OpenVPN server or any other OpenVPN server.
+
+Given the following example we have one VyOS router acting as OpenVPN server
+and another VyOS router acting as OpenVPN client. The Server also pushes a
+static client IP address to the OpenVPN client. Remember, clients are identified
+using their CN attribute in the SSL certificate.
+
+
+Server
+******
+
+.. code-block:: sh
+
+ set interfaces openvpn vtun10 encryption 'aes256'
+ set interfaces openvpn vtun10 hash 'sha512'
+ set interfaces openvpn vtun10 local-host '172.18.201.10'
+ set interfaces openvpn vtun10 local-port '1194'
+ set interfaces openvpn vtun10 mode 'server'
+ set interfaces openvpn vtun10 persistent-tunnel
+ set interfaces openvpn vtun10 protocol 'udp'
+ set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
+ set interfaces openvpn vtun10 server domain-name 'vyos.net'
+ set interfaces openvpn vtun10 server max-connections '250'
+ set interfaces openvpn vtun10 server name-server '172.16.254.30'
+ set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
+ set interfaces openvpn vtun10 server topology 'subnet'
+ set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
+ set interfaces openvpn vtun10 tls cert-file '/config/auth/server.crt'
+ set interfaces openvpn vtun10 tls dh-file '/config/auth/dh.pem'
+ set interfaces openvpn vtun10 tls key-file '/config/auth/server.key'
+ set interfaces openvpn vtun10 use-lzo-compression
+
+Client
+******
+
+.. code-block:: sh
+
+ set interfaces openvpn vtun10 encryption 'aes256'
+ set interfaces openvpn vtun10 hash 'sha512'
+ set interfaces openvpn vtun10 mode 'client'
+ set interfaces openvpn vtun10 persistent-tunnel
+ set interfaces openvpn vtun10 protocol 'udp'
+ set interfaces openvpn vtun10 remote-host '172.18.201.10'
+ set interfaces openvpn vtun10 remote-port '1194'
+ set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
+ set interfaces openvpn vtun10 tls cert-file '/config/auth/client1.crt'
+ set interfaces openvpn vtun10 tls key-file '/config/auth/client1.key'
+ set interfaces openvpn vtun10 use-lzo-compression
+
+Options
+^^^^^^^
+
+We do not have CLI nodes for every single OpenVPN options. If an option is
+missing, a feature request should be opened at https://phabricator.vyos.net so
+all users can benefit from it.
+
+If you are a hacker or want to try on your own we support passing raw OpenVPN
+options to OpenVPN.
+
+.. code-block:: sh
+
+ set interfaces openvpn vtun10 openvpn-option 'persistent-key'
+
+Will add `persistent-key` at the end of the generated OpenVPN configuration.
+Please use this only as last resort - things might break and OpenVPN won't start
+if you pass invalid options/syntax.