Diffstat (limited to 'docs/vpn/openvpn.rst')
-rw-r--r-- | docs/vpn/openvpn.rst | 46 |
1 files changed, 21 insertions, 25 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 63949184..1a9ee9cf 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -1,7 +1,8 @@ .. _openvpn: +####### OpenVPN -------- +####### Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and insufficient CPU power for doing @@ -31,8 +32,8 @@ In the VyOS CLI, a key point often overlooked is that rather than being configured using the `set vpn` stanza, OpenVPN is configured as a network interface using `set interfaces openvpn`. -OpenVPN Site-To-Site -^^^^^^^^^^^^^^^^^^^^ +Site-To-Site +============ While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due to lack of support for this mode @@ -178,8 +179,8 @@ to each tunnel. Another option is to dedicate a port number to each tunnel OpenVPN status can be verified using the `show openvpn` operational commands. See the built-in help for a complete list of options. -OpenVPN Server -^^^^^^^^^^^^^^ +Server +====== Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. This guide assumes you @@ -255,10 +256,10 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves: Client Authentication -********************* +--------------------- -OpenLDAP -======== +LDAP +**** Enterprise installations usually ship a kind of directory service which is used to have a single password store for all employees. VyOS and OpenVPN support using @@ -297,7 +298,7 @@ The required config file may look like: </Authorization> Active Directory -================ +**************** Despite the fact that AD is a superset of LDAP 
@@ -382,8 +383,8 @@ A complete LDAP auth OpenVPN configuration could look like the following example } } -OpenVPN Client -^^^^^^^^^^^^^^ +Client +====== VyOS can not only act as an OpenVPN site-to-site or Server for multiple clients. You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client @@ -394,9 +395,8 @@ and another VyOS router acting as OpenVPN client. The Server also pushes a static client IP address to the OpenVPN client. Remember, clients are identified using their CN attribute in the SSL certificate. - Server -****** +------ .. code-block:: sh @@ -420,7 +420,7 @@ Server set interfaces openvpn vtun10 use-lzo-compression Client -****** +------ .. code-block:: sh @@ -437,7 +437,7 @@ Client set interfaces openvpn vtun10 use-lzo-compression Options -^^^^^^^ +======= We do not have CLI nodes for every single OpenVPN options. If an option is missing, a feature request should be opened at https://phabricator.vyos.net so 
@@ -446,20 +446,16 @@ all users can benefit from it. If you are a hacker or want to try on your own we support passing raw OpenVPN options to OpenVPN. -.. code-block:: sh - - set interfaces openvpn vtun10 openvpn-option 'persistent-key' +.. cfcmd:: set interfaces openvpn vtun10 openvpn-option 'persistent-key' Will add ``persistent-key`` at the end of the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax. -Sometimes option lines in the generated OpenVPN configurarion require quotes. -This is done through a hack on our config generator. You can pass Quotes using -the ``"`` statement. - -.. code-block:: sh - - set interfaces openvpn vtun10 openvpn-option 'push "keepalive 1 10"' +.. cfcmd:: set interfaces openvpn vtun10 openvpn-option 'push "keepalive 1 10"' Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. + +.. note:: Sometimes option lines in the generated OpenVPN configurarion require + quotes. This is done through a hack on our config generator. You can pass + quotes using the ``"`` statement. |
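Review bot: in the `@@ -394,9 +395,8 @@` hunk, the deletion of a blank line directly before the `Server` title needs a check that at least one blank line still separates `their CN attribute in the SSL certificate.` from `Server`; reStructuredText only recognises a section title when it is preceded by a blank line, otherwise `Server` is absorbed into the preceding paragraph and the `------` underline is rendered as text or triggers a build warning.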
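Review bot: the added note line `+.. note:: Sometimes option lines in the generated OpenVPN configurarion require` carries the typo `configurarion` over from the deleted paragraph; correct it to `configuration` while the text is being moved. Two smaller points on the same hunk: the new `.. cfcmd::` directive is not a stock Sphinx directive, so the build will fail with an unknown-directive error unless it is registered in the docs' Sphinx configuration (confirm it is, since this file now depends on it), and the explanation of how quotes are passed now sits after the `push "keepalive 1 10"` example that relies on it, so a reader meets the quoted syntax before being told the `"` handling is a generator hack with its own caveats; consider keeping the note ahead of that example, next to the existing warning that invalid raw options stop OpenVPN from starting.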