summaryrefslogtreecommitdiff
path: root/docs/vpn/openvpn.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/vpn/openvpn.rst')
-rw-r--r--docs/vpn/openvpn.rst38
1 files changed, 19 insertions, 19 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 764c991c..ce7dcc44 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -67,7 +67,7 @@ in our configuration.
Local Configuration:
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
@@ -81,7 +81,7 @@ Local Configuration:
Remote Configuration:
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
@@ -99,7 +99,7 @@ weak, but a number of other encryption and hashing algorithms are available:
For Encryption:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set interfaces openvpn vtun1 encryption
Possible completions:
@@ -113,7 +113,7 @@ For Encryption:
For Hashing:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set interfaces openvpn vtun1 hash
Possible completions:
@@ -132,13 +132,13 @@ network of 10.1.0.0/16:
Local Configuration:
-.. code-block:: console
+.. code-block:: none
set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
Remote Configuration:
-.. code-block:: console
+.. code-block:: none
set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
@@ -179,7 +179,7 @@ closing on connection resets or daemon reloads.
.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur.
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 mode server
set interfaces openvpn vtun10 local-port 1194
@@ -189,7 +189,7 @@ closing on connection resets or daemon reloads.
Then we need to specify the location of the cryptographic materials. Suppose
you keep the files in `/config/auth/openvpn`
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt
set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
@@ -202,7 +202,7 @@ specify the subnet for client tunnel endpoints. Since we want clients to access
a specific network behind out router, we will use a push-route option for
installing that route on clients.
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 server push-route 192.168.0.0/16
set interfaces openvpn vtun10 server subnet 10.23.1.0/24
@@ -214,7 +214,7 @@ need configuration for each client to achieve this.
.. note:: Clients are identified by the CN field of their x.509 certificates,
in this example the CN is ``client0``:
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 server client client0 ip 10.23.1.10
set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25
@@ -223,7 +223,7 @@ OpenVPN **will not** automatically create routes in the kernel for client
subnets when they connect and will only use client-subnet association
internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
-.. code-block:: console
+.. code-block:: none
set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
@@ -242,13 +242,13 @@ Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
shipped with every VyOS installation. A dedicated configuration file is required.
It is best practise to store it in ``/config`` to survive image updates
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
The required config file may look like:
-.. code-block:: console
+.. code-block:: none
<LDAP>
# LDAP server URL
@@ -275,7 +275,7 @@ Active Directory
Despite the fact that AD is a superset of LDAP
-.. code-block:: console
+.. code-block:: none
<LDAP>
# LDAP server URL
@@ -309,7 +309,7 @@ Despite the fact that AD is a superset of LDAP
If you only want to check if the user account is enabled and can authenticate
(against the primary group) the following snipped is sufficient:
-.. code-block:: console
+.. code-block:: none
<LDAP>
URL ldap://dc01.example.com
@@ -328,7 +328,7 @@ If you only want to check if the user account is enabled and can authenticate
A complete LDAP auth OpenVPN configuration could look like the following example:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show interfaces openvpn
openvpn vtun0 {
@@ -372,7 +372,7 @@ using their CN attribute in the SSL certificate.
Server
******
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 encryption 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
@@ -396,7 +396,7 @@ Server
Client
******
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 encryption 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
@@ -420,7 +420,7 @@ all users can benefit from it.
If you are a hacker or want to try on your own we support passing raw OpenVPN
options to OpenVPN.
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 openvpn-option 'persistent-key'