Diffstat (limited to 'docs/vpn')
-rw-r--r-- | docs/vpn/dmvpn.rst | 335
-rw-r--r-- | docs/vpn/index.rst | 18
-rw-r--r-- | docs/vpn/ipsec.rst | 192
-rw-r--r-- | docs/vpn/l2tp.rst | 235
-rw-r--r-- | docs/vpn/openconnect.rst | 95
-rw-r--r-- | docs/vpn/openvpn.rst | 584
-rw-r--r-- | docs/vpn/pptp.rst | 47
-rw-r--r-- | docs/vpn/site2site_ipsec.rst | 298
-rw-r--r-- | docs/vpn/sstp.rst | 347
-rw-r--r-- | docs/vpn/wireguard.rst | 265
10 files changed, 0 insertions, 2416 deletions
diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst deleted file mode 100644 index 662165a9..00000000 --- a/docs/vpn/dmvpn.rst +++ /dev/null 
@@ -1,335 +0,0 @@ -.. _vpn-dmvpn: - -##### -DMVPN -##### - -:abbr:`DMVPN (Dynamic Multipoint Virtual Private Network)` is a dynamic -:abbr:`VPN (Virtual Private Network)` technology originally developed by Cisco. -While their implementation was somewhat proprietary, the underlying -technologies are actually standards based. The three technologies are: - -* :abbr:`NHRP (Next Hop Resolution Protocol)` :rfc:`2332` -* :abbr:`mGRE (Multipoint Generic Routing Encapsulation)` :rfc:`1702` -* :abbr:`IPSec (IP Security)` - too many RFCs to list, but start with :rfc:`4301` - -NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint -registration, and endpoint discovery/lookup), mGRE provides the tunnel -encapsulation itself, and the IPSec protocols handle the key exchange, and -crypto mechanism. - -In short, DMVPN provides the capability for creating a dynamic-mesh VPN -network without having to pre-configure (static) all possible tunnel end-point -peers. - -.. note:: DMVPN only automates the tunnel endpoint discovery and setup. A - complete solution also incorporates the use of a routing protocol. BGP is - particularly well suited for use with DMVPN. - -.. figure:: ../_static/images/vpn_dmvpn_topology01.png - :scale: 40 % - :alt: Baseline DMVPN topology - - Baseline DMVPN topology - -************* -Configuration -************* - -* Please refer to the :ref:`tunnel-interface` documentation for the individual - tunnel related options. - -* Please refer to the :ref:`ipsec` documentation for the individual IPSec - related options. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> cisco-authentication <secret> - - Enables Cisco style authentication on NHRP packets. This embeds the secret - plaintext password to the outgoing NHRP packets. Incoming NHRP packets on - this interface are discarded unless the secret password is present. Maximum - length of the secret is 8 characters. - -.. 
cfgcmd:: set protocols nhrp tunnel <tunnel> dynamic-map <address> - nbma-domain-name <fqdn> - - Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)` - addresses of the next hop servers are defined in the domain name - nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry. - - Each dynamic NHS will get a peer entry with the configured network address - and the discovered NBMA address. - - The first registration request is sent to the protocol broadcast address, and - the server's real protocol address is dynamically detected from the first - registration reply. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> holding-time <timeout> - - Specifies the holding time for NHRP Registration Requests and Resolution - Replies sent from this interface or shortcut-target. The holdtime is specified - in seconds and defaults to two hours. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> map cisco - - If the statically mapped peer is running Cisco IOS, specify the cisco keyword. - It is used to fix statically the Registration Request ID so that a matching - Purge Request can be sent if NBMA address has changed. This is to work around - broken IOS which requires Purge Request ID to match the original Registration - Request ID. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> map nbma-address <address> - - Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast - multiple-access network)` address. - - If the IP prefix mask is present, it directs opennhrp to use this peer as a - next hop server when sending Resolution Requests matching this subnet. - - This is also known as the HUBs IP address or FQDN. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> map register - - The optional parameter register specifies that Registration Request should be - sent to this peer on startup. - - This option is required when running a DMVPN spoke. - -.. 
cfgcmd:: set protocols nhrp tunnel <tunnel> multicast <dynamic | nhs> - - Determines how opennhrp daemon should soft switch the multicast traffic. - Currently, multicast traffic is captured by opennhrp daemon using a packet - socket, and resent back to proper destinations. This means that multicast - packet sending is CPU intensive. - - Specfying nhs makes all multicast packets to be repeated to each statically - configured next hop. - - Synamic instructs to forward to all peers which we have a direct connection - with. Alternatively, you can specify the directive multiple times for each - protocol-address the multicast traffic should be sent to. - - .. warning:: It is very easy to misconfigure multicast repeating if you have - multiple NHSes. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> non-caching - - Disables caching of peer information from forwarded NHRP Resolution Reply - packets. This can be used to reduce memory consumption on big NBMA subnets. - - .. note:: Currently does not do much as caching is not implemented. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> redirect - - Enable sending of Cisco style NHRP Traffic Indication packets. If this is - enabled and opennhrp detects a forwarded packet, it will send a message to - the original sender of the packet instructing it to create a direct connection - with the destination. This is basically a protocol independent equivalent of - ICMP redirect. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut - - Enable creation of shortcut routes. - - A received NHRP Traffic Indication will trigger the resolution and - establishment of a shortcut route. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-destination - - This instructs opennhrp to reply with authorative answers on NHRP Resolution - Requests destinied to addresses in this interface (instead of forwarding the - packets). This effectively allows the creation of shortcut routes to subnets - located on the interface. 
- - When specified, this should be the only keyword for the interface. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-target <address> - - Defines an off-NBMA network prefix for which the GRE interface will act as a - gateway. This an alternative to defining local interfaces with - shortcut-destination flag. - -.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-target <address> - holding-time <timeout> - - Specifies the holding time for NHRP Registration Requests and Resolution - Replies sent from this interface or shortcut-target. The holdtime is specified - in seconds and defaults to two hours. - -******* -Example -******* - - -This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as -multiple spoke sites. The lab was build using :abbr:`EVE-NG (Emulated Virtual -Environment NG)`. - -.. figure:: /_static/images/blueprint-dmvpn.png - :alt: DMVPN network - - DMVPN example network - -Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29. - -The below referenced IP address `192.0.2.1` is used as example address -representing a global unicast address under which the HUB can be contacted by -each and every individual spoke. - -Configuration -============= - -Hub ---- - -.. 
code-block:: none - - set interfaces ethernet eth0 address 192.0.2.1/24 - - set interfaces tunnel tun100 address '172.16.253.134/29' - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '192.0.2.1' - set interfaces tunnel tun100 multicast 'enable' - set interfaces tunnel tun100 parameters ip key '1' - - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 multicast 'dynamic' - set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut - - set vpn ipsec esp-group ESP-HUB compression 'disable' - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'transport' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - - set vpn ipsec ipsec-interfaces interface 'eth0' - - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' - set vpn ipsec profile NHRPVPN bind tunnel 'tun100' - set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' - set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' - -.. 
note:: Setting this up on AWS will require a "Custom Protocol Rule" for - protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC - Network ACL, and secondly on the security group network ACL attached to the - EC2 instance. This has been tested as working for the official AMI image on - the AWS Marketplace. (Locate the correct VPC and security group by navigating - through the details pane below your EC2 instance in the AWS console). - -Spoke ------ - -The individual spoke configurations only differ in the local IP address on the -``tun10`` interface. See the above diagram for the individual IP addresses. - -spoke01-spoke04 -^^^^^^^^^^^^^^^ - -.. code-block:: none - - crypto keyring DMVPN - pre-shared-key address 192.0.2.1 key secret - ! - crypto isakmp policy 10 - encr aes 256 - authentication pre-share - group 2 - crypto isakmp invalid-spi-recovery - crypto isakmp keepalive 30 30 periodic - crypto isakmp profile DMVPN - keyring DMVPN - match identity address 192.0.2.1 255.255.255.255 - ! - crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac - mode transport - ! - crypto ipsec profile DMVPN - set security-association idle-time 720 - set transform-set DMVPN-AES256 - set isakmp-profile DMVPN - ! - interface Tunnel10 - ! individual spoke tunnel IP must change - ip address 172.16.253.129 255.255.255.248 - no ip redirects - ip nhrp authentication secret - ip nhrp map 172.16.253.134 192.0.2.1 - ip nhrp map multicast 192.0.2.1 - ip nhrp network-id 1 - ip nhrp holdtime 600 - ip nhrp nhs 172.16.253.134 - ip nhrp registration timeout 75 - tunnel source FastEthernet0/0 - tunnel mode gre multipoint - tunnel key 1 - ! - interface FastEthernet0/0 - ip address dhcp - duplex half - - -spoke05 -^^^^^^^ - -VyOS can also run in DMVPN spoke mode. - -.. 
code-block:: none - - set interfaces ethernet eth0 address 'dhcp' - - set interfaces tunnel tun100 address '172.16.253.133/29' - set interfaces tunnel tun100 local-ip 0.0.0.0 - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 multicast 'enable' - set interfaces tunnel tun100 parameters ip key '1' - - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '192.0.2.1' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 register - set protocols nhrp tunnel tun100 multicast 'nhs' - set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut - - set vpn ipsec esp-group ESP-HUB compression 'disable' - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'transport' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB close-action 'none' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - - set vpn ipsec ipsec-interfaces interface 'eth0' - - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' - set vpn ipsec profile NHRPVPN bind 
tunnel 'tun100' - set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' - set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' - - diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst deleted file mode 100644 index c208b3c0..00000000 --- a/docs/vpn/index.rst +++ /dev/null @@ -1,18 +0,0 @@ -.. _vpn: - -### -VPN -### - -.. toctree:: - :maxdepth: 2 - - dmvpn - ipsec - l2tp - openconnect - openvpn - pptp - site2site_ipsec - sstp - wireguard diff --git a/docs/vpn/ipsec.rst b/docs/vpn/ipsec.rst deleted file mode 100644 index 647f3753..00000000 --- a/docs/vpn/ipsec.rst +++ /dev/null 
@@ -1,192 +0,0 @@ -.. _ipsec: - -##### -IPsec -##### - -:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec, -SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way -to protect the traffic inside a tunnel. - -An advantage of this scheme is that you get a real interface with its own -address, which makes it easier to setup static routes or use dynamic routing -protocols without having to modify IPsec policies. The other advantage is that -it greatly simplifies router to router communication, which can be tricky with -plain IPsec because the external outgoing address of the router usually doesn't -match the IPsec policy of typical site-to-site setup and you need to add special -configuration for it, or adjust the source address for outgoing traffic of your -applications. GRE/IPsec has no such problem and is completely transparent for -the applications. - -GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme -easy to implement between VyOS and virtually any other router. - -For simplicity we'll assume that the protocol is GRE, it's not hard to guess -what needs to be changed to make it work with a different protocol. We assume -that IPsec will use pre-shared secret authentication and will use AES128/SHA1 -for the cipher and hash. Adjust this as necessary. - -.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000 - adapters have known issues with GRE processing. - -************************* -IPsec policy matching GRE -************************* - -The first and arguably cleaner option is to make your IPsec policy match GRE -packets between external addresses of your routers. This is the best option if -both routers have static external addresses. - -Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, -and the RIGHT router is 203.0.113.45 - -On the LEFT: - -.. 
code-block:: none - - # GRE tunnel - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 192.0.2.10 - set interfaces tunnel tun0 remote-ip 203.0.113.45 - set interfaces tunnel tun0 address 10.10.10.1/30 - - ## IPsec - set vpn ipsec ipsec-interfaces interface eth0 - - # IKE group - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' - set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' - - # ESP group - set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' - set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' - - # IPsec tunnel - set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret - set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY - - set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup - - set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 - - # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre - -On the RIGHT, setup by analogy and swap local and remote addresses. - - -Source tunnel from loopbacks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The scheme above doesn't work when one of the routers has a dynamic external -address though. The classic workaround for this is to setup an address on a -loopback interface and use it as a source address for the GRE tunnel, then setup -an IPsec policy to match those loopback addresses. - -We assume that the LEFT router has static 192.0.2.10 address on eth0, and the -RIGHT router has a dynamic address on eth0. - -**Setting up the GRE tunnel** - -On the LEFT: - -.. 
code-block:: none - - set interfaces loopback lo address 192.168.99.1/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.1/30 - set interfaces tunnel tun0 local-ip 192.168.99.1 - set interfaces tunnel tun0 remote-ip 192.168.99.2 - -On the RIGHT: - -.. code-block:: none - - set interfaces loopback lo address 192.168.99.2/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.2/30 - set interfaces tunnel tun0 local-ip 192.168.99.2 - set interfaces tunnel tun0 remote-ip 192.168.99.1 - -**Setting up IPSec** - -However, now you need to make IPsec work with dynamic address on one side. The -tricky part is that pre-shared secret authentication doesn't work with dynamic -address, so we'll have to use RSA keys. - -First, on both routers run the operational command "generate vpn rsa-key bits -2048". You may choose different length than 2048 of course. - -.. code-block:: none - - vyos@left# run generate vpn rsa-key bits 2048 - Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key - - Your new local RSA key has been generated - The public portion of the key is: - - 0sAQO2335[long string here] - -Then on the opposite router, add the RSA key to your config. - -.. code-block:: none - - set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE - -Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer on the dynamic side. - -On the LEFT (static address): - -.. 
code-block:: none - - set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT> - - set vpn ipsec ipsec-interfaces interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT - set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer @RIGHT connection-type respond - set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - - -On the RIGHT (dynamic address): - -.. 
code-block:: none - - set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT> - - set vpn ipsec ipsec-interfaces interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT - set vpn ipsec site-to-site peer 192.0.2.10 remote-id @LEFT - set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate - set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 192.0.2.10 local-address any - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst deleted file mode 100644 index 0d8dde08..00000000 --- a/docs/vpn/l2tp.rst +++ /dev/null 
@@ -1,235 +0,0 @@ -.. _l2tp: - -L2TP ----- - -VyOS utilizes accel-ppp_ to provide L2TP server functionality. It can be used -with local authentication or a connected RADIUS server. - -L2TP over IPsec -=============== - -Example for configuring a simple L2TP over IPsec VPN for remote access (works -with native Windows and Mac VPN clients): - -.. code-block:: none - - set vpn ipsec ipsec-interfaces interface eth0 - set vpn ipsec nat-traversal enable - set vpn ipsec nat-networks allowed-network 0.0.0.0/0 - - set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool start 192.168.255.2 - set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 - set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret - set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username test password 'test' - -In the example above an external IP of 192.0.2.2 is assumed. - -If a local firewall policy is in place on your external interface you will need -to allow the ports below: - -* UDP port 500 (IKE) -* IP protocol number 50 (ESP) -* UDP port 1701 for IPsec - -As well as the below to allow NAT-traversal (when NAT is detected by the -VPN client, ESP is encapsulated in UDP for NAT-traversal): - -* UDP port 4500 (NAT-T) - -Example: - -.. 
code-block:: none - - set firewall name OUTSIDE-LOCAL rule 40 action 'accept' - set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp' - set firewall name OUTSIDE-LOCAL rule 41 action 'accept' - set firewall name OUTSIDE-LOCAL rule 41 destination port '500' - set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp' - set firewall name OUTSIDE-LOCAL rule 42 action 'accept' - set firewall name OUTSIDE-LOCAL rule 42 destination port '4500' - set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp' - set firewall name OUTSIDE-LOCAL rule 43 action 'accept' - set firewall name OUTSIDE-LOCAL rule 43 destination port '1701' - set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec' - set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp' - -To allow VPN-clients access via your external address, a NAT rule is required: - - -.. code-block:: none - - set nat source rule 110 outbound-interface 'eth0' - set nat source rule 110 source address '192.168.255.0/24' - set nat source rule 110 translation address masquerade - - -VPN-clients will request configuration parameters, optionally you can DNS -parameter to the client. - -.. code-block:: none - - set vpn l2tp remote-access dns-servers server-1 '8.8.8.8' - set vpn l2tp remote-access dns-servers server-2 '8.8.4.4' - -.. note:: Those are the `Google public DNS`_ servers, but you can choose - any public available servers, like Quad9_ (9.9.9.9), Cloudflare_ (1.1.1.1) - or OpenNIC_. - -Established sessions can be viewed using the **show vpn remote-access** -operational command, or **show l2tp-server sessions** - -.. 
code-block:: none - - vyos@vyos:~$ show vpn remote-access - ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime - --------+----------+--------------+---------------+------------+------+------+--------+---------- - ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13 - - -LNS (L2TP Network Server) -========================= - -LNS are often used to connect to a LAC (L2TP Access Concentrator). - -Below is an example to configure a LNS: - -.. code-block:: none - - set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool start 192.168.255.2 - set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 - set vpn l2tp remote-access lns shared-secret 'secret' - set vpn l2tp remote-access ccp-disable - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username test password 'test' - -The example above uses 192.0.2.2 as external IP address. A LAC normally -requires an authentication password, which is set in the example configuration -to ``lns shared-secret 'secret'``. This setup requires the Compression Control -Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` -accomplishes that. - - -Bandwidth Shaping -================= - -Bandwidth rate limits can be set for local users or via RADIUS based attributes. - -Bandwidth Shaping for local users -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The rate-limit is set in kbit/sec. - -.. 
code-block:: none - - set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool start 192.168.255.2 - set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username test password test - set vpn l2tp remote-access authentication local-users username test rate-limit download 20480 - set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240 - - vyos@vyos:~$ show vpn remote-access - ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime - -------+----------+--------------+---------------+-------------+------+------+--------+----------- - ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30 - -RADIUS authentication -====================== - -To enable RADIUS based authentication, the authentication mode needs to be -changed within the configuration. Previous settings like the local users, still -exists within the configuration, however they are not used if the mode has been -changed from local to radius. Once changed back to local, it will use all local -accounts again. - -.. code-block:: none - - set vpn l2tp remote-access authentication mode <local|radius> - -Since the RADIUS server would be a single point of failure, multiple RADIUS -servers can be setup and will be used subsequentially. - -.. code-block:: none - - set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' - set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' - -.. note:: Some RADIUS_ severs use an access control list which allows or denies - queries, make sure to add your VyOS router to the allowed client list. - -RADIUS source address -^^^^^^^^^^^^^^^^^^^^^ - -If you are using OSPF as IGP always the closets interface connected to the RADIUS -server is used. 
With VyOS 1.2 you can bind all outgoing RADIUS requests to a -single source IP e.g. the loopback interface. - -.. code-block:: none - - set vpn l2tp remote-access authentication radius source-address 10.0.0.3 - -Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries -on this NAS. - -.. note:: The ``source-address`` must be configured on one of VyOS interface. - Best proctice would be a loopback or dummy interface. - -RADIUS bandwidth shaping attribute -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled. - -.. code-block:: none - - set vpn l2tp remote-access authentication radius rate-limit enable - -The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also -redefine it. - -.. code-block:: none - - set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed - -.. note:: If you set a custom RADIUS attribute you must define it on both - dictionaries at RADIUS server and client, which is the vyos router in our - example. - -The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/`` - -RADIUS advanced features -^^^^^^^^^^^^^^^^^^^^^^^^ - -Received RADIUS attributes have a higher priority than parameters defined within -the CLI configuration, refer to the explanation below. - -Allocation clients ip addresses by RADIUS -***************************************** - -If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP -address will be allocated to the client and the option ip-pool within the CLI -config is being ignored. - -Renaming clients interfaces by RADIUS -************************************* - -If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be -renamed. - -.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 - characters, otherwise the interface won't be renamed. - - -.. 
_`Google Public DNS`: https://developers.google.com/speed/public-dns -.. _Quad9: https://quad9.net -.. _CloudFlare: https://blog.cloudflare.com/announcing-1111 -.. _OpenNIC: https://www.opennic.org/ -.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS -.. _FreeRADIUS: https://freeradius.org -.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server -.. _accel-ppp: https://accel-ppp.org/ diff --git a/docs/vpn/openconnect.rst b/docs/vpn/openconnect.rst deleted file mode 100644 index a409ed9d..00000000 --- a/docs/vpn/openconnect.rst +++ /dev/null 
@@ -1,95 +0,0 @@ -.. _vpn-openconnect: - -########### -OpenConnect -########### - -OpenConnect-compatible server feature is available from this release. -Openconnect VPN supports SSL connection and offers full network access. SSL VPN -network extension connects the end-user system to the corporate network with -access controls based only on network layer information, such as destination IP -address and port number. So, it provides safe communication for all types of -device traffic across public networks and private networks, also encrypts the -traffic with SSL protocol. - -The remote user will use the openconnect client to connect to the router and -will receive an IP address from a VPN pool, allowing full access to the network. - -.. note:: All certificates should be stored on VyOS under /config/auth. If - certificates are not stored in the /config directory they will not be - migrated during a software update. - -************* -Configuration -************* - -SSL Certificates -================ - -We need to generate the certificate which authenticates users who attempt to -access the network resource through the SSL VPN tunnels. The following command -will create a self signed certificates and will be stored in the file path -`/config/auth`. - -.. code-block:: none - - openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt - openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt - -We can also create the certificates using Cerbort which is an easy-to-use client -that fetches a certificate from Let's Encrypt an open certificate authority -launched by the EFF, Mozilla, and others and deploys it to a web server. - -.. code-block:: none - - sudo certbot certonly --standalone --preferred-challenges http -d <domain name> - -Server Configuration -==================== - -.. 
code-block:: none - - set vpn openconnect authentication local-users username <user> password <pass> - set vpn openconnect authentication mode <local|radius> - set vpn opneconnect network-settings client-ip-settings subnet <subnet> - set vpn openconnect network-settings name-server <address> - set vpn openconnect network-settings name-server <address> - set vpn openconnect ssl ca-cert-file <file> - set vpn openconnect ssl cert-file <file> - set vpn openconnect ssl key-file <file> - - -******* -Example -******* - -Use local user name "user4" with password "SecretPassword" -Client IP addresses will be provided from pool 100.64.0.0/24 -The Gateway IP Address must be in one of the routerĀ“s interfaces. - -.. code-block:: none - - set vpn openconnect authentication local-users username user4 password 'SecretPassword' - set vpn openconnect authentication mode 'local' - set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' - set vpn openconnect network-settings name-server '1.1.1.1' - set vpn openconnect network-settings name-server '8.8.8.8' - set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem' - set vpn openconnect ssl cert-file '/config/auth/cert.pem' - set vpn openconnect ssl key-file '/config/auth/privkey.pem' - - -************ -Verification -************ - -.. code-block:: none - - - vyos@RTR1:~$ show openconnect-server sessions - - interface username ip remote IP RX TX state uptime - ----------- ---------- ------------ ------------- -------- -------- --------- -------- - sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected 12m:28s - -.. note:: It is compatible with Cisco (R) AnyConnect (R) clients. diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst deleted file mode 100644 index c6934335..00000000 --- a/docs/vpn/openvpn.rst +++ /dev/null 
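Review bot: the openconnect.rst hunk deletes the file outright and nothing in this diff re-adds its content, so the note that certificates must live under /config/auth to survive an image upgrade, and the only description of `set vpn openconnect` on this page, disappear; confirm the text was relocated (and that no remaining `:ref:` points at `vpn-openconnect`) before merging, or leave a stub that redirects. If the text is moved rather than dropped, carry these fixes with it: `set vpn opneconnect network-settings client-ip-settings subnet <subnet>` is a typo that the CLI will reject, the `name-server <address>` line is duplicated, and the second openssl command (`openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt`) signs the "CA" certificate with the server's own private key, so ca.crt and server.crt share one identity; that is acceptable for a lab but should not be presented as a CA setup.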
@@ -1,584 +0,0 @@ -.. _openvpn: - -####### -OpenVPN -####### - -Traditionally hardware routers implement IPsec exclusively due to relative -ease of implementing it in hardware and insufficient CPU power for doing -encryption in software. Since VyOS is a software router, this is less of a -concern. OpenVPN has been widely used on UNIX platform for a long time and is -a popular option for remote access VPN, though it's also capable of -site-to-site connections. - -Advantages of OpenVPN are: - -* It uses a single TCP or UDP connection and does not rely on packet source - addresses, so it will work even through a double NAT: perfect for public - hotspots and such - -* It's easy to setup and offers very flexible split tunneling - -* There's a variety of client GUI frontends for any platform - -Disadvantages are: - -* It's slower than IPsec due to higher protocol overhead and the fact it runs - in user mode while IPsec, on Linux, is in kernel mode - -* None of the operating systems have client software installed by default - -In the VyOS CLI, a key point often overlooked is that rather than being -configured using the `set vpn` stanza, OpenVPN is configured as a network -interface using `set interfaces openvpn`. - -Site-To-Site -============ - -While many are aware of OpenVPN as a Client VPN solution, it is often -overlooked as a site-to-site VPN solution due to lack of support for this mode -in many router platforms. - -Site-to-site mode supports x.509 but doesn't require it and can also work with -static keys, which is simpler in many cases. In this example, we'll configure -a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key. - -First, one of the systems generate the key using the operational command -``generate openvpn key <filename>``. This will generate a key with the name -provided in the ``/config/auth/`` directory. Once generated, you will need to -copy this key to the remote router. 
- -In our example, we used the filename ``openvpn-1.key`` which we will reference -in our configuration. - -* The public IP address of the local side of the VPN will be 198.51.100.10 -* The remote will be 203.0.113.11 -* The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote. -* OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, - while TCP will work better for lossy connections; generally UDP is preferred - when possible. -* The official port for OpenVPN is 1194, which we reserve for client VPN; we - will use 1195 for site-to-site VPN. -* The ``persistent-tunnel`` directive will allow us to configure tunnel-related - attributes, such as firewall policy as we would on any normal network - interface. -* If known, the IP of the remote router can be configured using the - ``remote-host`` directive; if unknown, it can be omitted. We will assume a - dynamic IP for our remote router. - -Local Configuration: - -.. code-block:: none - - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 local-host '198.51.100.10' - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' - set interfaces openvpn vtun1 local-address '10.255.1.1' - set interfaces openvpn vtun1 remote-address '10.255.1.2' - -Remote Configuration: - -.. 
code-block:: none - - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '198.51.100.10' - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key' - set interfaces openvpn vtun1 local-address '10.255.1.2' - set interfaces openvpn vtun1 remote-address '10.255.1.1' - -The configurations above will default to using 256-bit AES in GCM mode -for encryption (if both sides supports NCP) and SHA-1 for HMAC authentication. -SHA-1 is considered weak, but other hashing algorithms are available, as are -encryption algorithms: - -For Encryption: - -This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or -OpenVPN version < 2.4.0. - -.. code-block:: none - - vyos@vyos# set interfaces openvpn vtun1 encryption cipher - Possible completions: - des DES algorithm - 3des DES algorithm with triple encryption - bf128 Blowfish algorithm with 128-bit key - bf256 Blowfish algorithm with 256-bit key - aes128 AES algorithm with 128-bit key CBC - aes128gcm AES algorithm with 128-bit key GCM - aes192 AES algorithm with 192-bit key CBC - aes192gcm AES algorithm with 192-bit key GCM - aes256 AES algorithm with 256-bit key CBC - aes256gcm AES algorithm with 256-bit key GCM - -This sets the accepted ciphers to use when version => 2.4.0 and NCP is -enabled (which is default). Default NCP cipher for versions >= 2.4.0 is -aes256gcm. The first cipher in this list is what server pushes to clients. - -.. 
code-block:: none - - vyos@vyos# set int open vtun0 encryption ncp-ciphers - Possible completions: - des DES algorithm - 3des DES algorithm with triple encryption - aes128 AES algorithm with 128-bit key CBC - aes128gcm AES algorithm with 128-bit key GCM - aes192 AES algorithm with 192-bit key CBC - aes192gcm AES algorithm with 192-bit key GCM - aes256 AES algorithm with 256-bit key CBC - aes256gcm AES algorithm with 256-bit key GCM - -For Hashing: - -.. code-block:: none - - vyos@vyos# set interfaces openvpn vtun1 hash - Possible completions: - md5 MD5 algorithm - sha1 SHA-1 algorithm - sha256 SHA-256 algorithm - sha512 SHA-512 algorithm - -If you change the default encryption and hashing algorithms, be sure that the -local and remote ends have matching configurations, otherwise the tunnel will -not come up. - -Static routes can be configured referencing the tunnel interface; for example, -the local router will use a network of 10.0.0.0/16, while the remote has a -network of 10.1.0.0/16: - -Local Configuration: - -.. code-block:: none - - set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1 - -Remote Configuration: - -.. code-block:: none - - set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1 - -Firewall policy can also be applied to the tunnel interface for `local`, `in`, -and `out` directions and function identically to ethernet interfaces. - -If making use of multiple tunnels, OpenVPN must have a way to distinguish -between different tunnels aside from the pre-shared-key. This is either by -referencing IP address or port number. One option is to dedicate a public IP -to each tunnel. Another option is to dedicate a port number to each tunnel -(e.g. 1195,1196,1197...). - -OpenVPN status can be verified using the `show openvpn` operational commands. -See the built-in help for a complete list of options. - -Server -====== - -Multi-client server is the most popular OpenVPN mode on routers. 
It always uses -x.509 authentication and therefore requires a PKI setup. Refer this section -**Generate X.509 Certificate and Keys** to generate a CA certificate, -a server certificate and key, a certificate revocation list, a Diffie-Hellman -key exchange parameters file. You do not need client certificates and keys for the server setup. - -In this example we will use the most complicated case: a setup where each -client is a router that has its own subnet (think HQ and branch offices), since -simpler setups are subsets of it. - -Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and -all client subnets belong to 10.23.0.0/20. All clients need access to the -192.168.0.0/16 network. - -First we need to specify the basic settings. 1194/UDP is the default. The -``persistent-tunnel`` option is recommended, it prevents the TUN/TAP device from -closing on connection resets or daemon reloads. - -.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is - used to renegotiate data channel after n seconds. When used at both server - and client, the lower value will trigger the renegotiation. If you set it to - 0 on one side of the connection (to disable it), the chosen value on the - other side will determine when the renegotiation will occur. - -.. code-block:: none - - set interfaces openvpn vtun10 mode server - set interfaces openvpn vtun10 local-port 1194 - set interfaces openvpn vtun10 persistent-tunnel - set interfaces openvpn vtun10 protocol udp - -Then we need to specify the location of the cryptographic materials. Suppose -you keep the files in `/config/auth/openvpn` - -.. 
code-block:: none - - set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt - set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt - set interfaces openvpn vtun10 tls key-file /config/auth/openvpn/server.key - set interfaces openvpn vtun10 tls crl-file /config/auth/openvpn/crl.pem - set interfaces openvpn vtun10 tls dh-file /config/auth/openvpn/dh2048.pem - -Now we need to specify the server network settings. In all cases we need to -specify the subnet for client tunnel endpoints. Since we want clients to access -a specific network behind out router, we will use a push-route option for -installing that route on clients. - -.. code-block:: none - - set interfaces openvpn vtun10 server push-route 192.168.0.0/16 - set interfaces openvpn vtun10 server subnet 10.23.1.0/24 - -Since it's a HQ and branch offices setup, we will want all clients to have -fixed addresses and we will route traffic to specific subnets through them. We -need configuration for each client to achieve this. - -.. note:: Clients are identified by the CN field of their x.509 certificates, - in this example the CN is ``client0``: - -.. code-block:: none - - set interfaces openvpn vtun10 server client client0 ip 10.23.1.10 - set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25 - -OpenVPN **will not** automatically create routes in the kernel for client -subnets when they connect and will only use client-subnet association -internally, so we need to create a route to the 10.23.0.0/20 network ourselves: - -.. code-block:: none - - set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10 - -Generate X.509 Certificate and Keys ------------------------------------ - -OpenVPN ships with a set of scripts called Easy-RSA that can generate the -appropriate files needed for an OpenVPN setup using X.509 certificates. -Easy-RSA comes installed by default on VyOS routers. 
- -Copy the Easy-RSA scripts to a new directory to modify the values. - -.. code-block:: none - - cp -r /usr/share/easy-rsa/ /config/my-easy-rsa-config - cd /config/my-easy-rsa-config - -To ensure the consistent use of values when generating the PKI, set default -values to be used by the PKI generating scripts. Rename the vars.example filename -to vars - -.. code-block:: none - - mv vars.example vars - -Following is the instance of the file after editing. You may also change other values in -the file at your discretion/need, though for most cases the defaults should be just fine. -(do not leave any of these parameters blank) - -.. code-block:: none - - set_var EASYRSA_DN "org" - set_var EASYRSA_REQ_COUNTRY "US" - set_var EASYRSA_REQ_PROVINCE "California" - set_var EASYRSA_REQ_CITY "San Francisco" - set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" - set_var EASYRSA_REQ_EMAIL "me@example.net" - set_var EASYRSA_REQ_OU "My Organizational Unit" - set_var EASYRSA_KEY_SIZE 2048 - - -init-pki option will create a new pki directory or will delete any previously generated -certificates stored in that folder. The term 'central' is used to refer server and -'branch' for client - -.. note:: Remember the āCA Key Passphraseā prompted in build-ca command, - as it will be asked in signing the server/client certificate. - -.. code-block:: none - - vyos@vyos:/config/my-easy-rsa-config$./easyrsa init-pki - vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-ca - vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-req central nopass - vyos@vyos:/config/my-easy-rsa-config$./easyrsa sign-req server central - vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-dh - vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-client-full branch1 nopass - -To generate a certificate revocation list for any client, execute these commands: - -.. 
code-block:: none - - vyos@vyos:/config/my-easy-rsa-config$./easyrsa revoke client1 - vyos@vyos:/config/my-easy-rsa-config$ ./easyrsa gen-crl - -Copy the files to /config/auth/ovpn/ to use in OpenVPN tunnel creation - -.. code-block:: none - - vyos@vyos:/config/my-easy-rsa-config$ sudo mkdir /config/auth/ovpn - vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/ca.crt /config/auth/ovpn - vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/dh.pem /config/auth/ovpn - vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/private/central.key /config/auth/ovpn - vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/issued/central.crt /config/auth/ovpn - vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/crl.pem /config/auth/ovpn - -Additionally, each client needs a copy of ca.crt and its own client key and cert files. -The files are plaintext so they may be copied either manually, -or through a remote file transfer tool like scp. Whichever method you use, -the files need to end up in the proper location on each router. -For example, Branch 1's router might have the following files: - -.. code-block:: none - - vyos@branch1-rtr:$ ls /config/auth/ovpn - ca.crt branch1.crt branch1.key - -Client Authentication -===================== - -LDAP ----- - -Enterprise installations usually ship a kind of directory service which is used -to have a single password store for all employees. VyOS and OpenVPN support using -LDAP/AD as single user backend. - -Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is -shipped with every VyOS installation. A dedicated configuration file is required. -It is best practise to store it in ``/config`` to survive image updates - -.. code-block:: none - - set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" - -The required config file may look like: - -.. 
code-block:: none - - <LDAP> - # LDAP server URL - URL ldap://ldap.example.com - # Bind DN (If your LDAP server doesn't support anonymous binds) - BindDN cn=LDAPUser,dc=example,dc=com - # Bind Password password - Password S3cr3t - # Network timeout (in seconds) - Timeout 15 - </LDAP> - - <Authorization> - # Base DN - BaseDN "ou=people,dc=example,dc=com" - # User Search Filter - SearchFilter "(&(uid=%u)(objectClass=shadowAccount))" - # Require Group Membership - allow all users - RequireGroup false - </Authorization> - -Active Directory -^^^^^^^^^^^^^^^^ - -Despite the fact that AD is a superset of LDAP - -.. code-block:: none - - <LDAP> - # LDAP server URL - URL ldap://dc01.example.com - # Bind DN (If your LDAP server doesnāt support anonymous binds) - BindDN CN=LDAPUser,DC=example,DC=com - # Bind Password - Password mysecretpassword - # Network timeout (in seconds) - Timeout 15 - # Enable Start TLS - TLSEnable no - # Follow LDAP Referrals (anonymously) - FollowReferrals no - </LDAP> - - <Authorization> - # Base DN - BaseDN "DC=example,DC=com" - # User Search Filter, user must be a member of the VPN AD group - SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))" - # Require Group Membership - RequireGroup false # already handled by SearchFilter - <Group> - BaseDN "OU=Groups,DC=example,DC=com" - SearchFilter "(|(cn=VPN))" - MemberAttribute memberOf - </Group> - </Authorization> - -If you only want to check if the user account is enabled and can authenticate -(against the primary group) the following snipped is sufficient: - -.. 
code-block:: none - - <LDAP> - URL ldap://dc01.example.com - BindDN CN=SA_OPENVPN,OU=ServiceAccounts,DC=example,DC=com - Password ThisIsTopSecret - Timeout 15 - TLSEnable no - FollowReferrals no - </LDAP> - - <Authorization> - BaseDN "DC=example,DC=com" - SearchFilter "sAMAccountName=%u" - RequireGroup false - </Authorization> - -A complete LDAP auth OpenVPN configuration could look like the following example: - -.. code-block:: none - - vyos@vyos# show interfaces openvpn - openvpn vtun0 { - mode server - openvpn-option "--tun-mtu 1500 --fragment 1300 --mssfix" - openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" - openvpn-option "--push redirect-gateway" - openvpn-option --duplicate-cn - openvpn-option --client-cert-not-required - openvpn-option --comp-lzo - openvpn-option --persist-key - openvpn-option --persist-tun - server { - domain-name example.com - max-connections 5 - name-server 1.1.1.1 - name-server 9.9.9.9 - subnet 172.18.100.128/29 - } - tls { - ca-cert-file /config/auth/ca.crt - cert-file /config/auth/server.crt - dh-file /config/auth/dh1024.pem - key-file /config/auth/server.key - } - } - -Client -====== - -VyOS can not only act as an OpenVPN site-to-site or Server for multiple clients. -You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client -connecting to a VyOS OpenVPN server or any other OpenVPN server. - -Given the following example we have one VyOS router acting as OpenVPN server -and another VyOS router acting as OpenVPN client. The Server also pushes a -static client IP address to the OpenVPN client. Remember, clients are identified -using their CN attribute in the SSL certificate. - -Server ------- - -.. 
code-block:: none - - set interfaces openvpn vtun10 encryption cipher 'aes256' - set interfaces openvpn vtun10 hash 'sha512' - set interfaces openvpn vtun10 local-host '172.18.201.10' - set interfaces openvpn vtun10 local-port '1194' - set interfaces openvpn vtun10 mode 'server' - set interfaces openvpn vtun10 persistent-tunnel - set interfaces openvpn vtun10 protocol 'udp' - set interfaces openvpn vtun10 server client client1 ip '10.10.0.10' - set interfaces openvpn vtun10 server domain-name 'vyos.net' - set interfaces openvpn vtun10 server max-connections '250' - set interfaces openvpn vtun10 server name-server '172.16.254.30' - set interfaces openvpn vtun10 server subnet '10.10.0.0/24' - set interfaces openvpn vtun10 server topology 'subnet' - set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt' - set interfaces openvpn vtun10 tls cert-file '/config/auth/server.crt' - set interfaces openvpn vtun10 tls dh-file '/config/auth/dh.pem' - set interfaces openvpn vtun10 tls key-file '/config/auth/server.key' - set interfaces openvpn vtun10 use-lzo-compression - -Client ------- - -.. code-block:: none - - set interfaces openvpn vtun10 encryption cipher 'aes256' - set interfaces openvpn vtun10 hash 'sha512' - set interfaces openvpn vtun10 mode 'client' - set interfaces openvpn vtun10 persistent-tunnel - set interfaces openvpn vtun10 protocol 'udp' - set interfaces openvpn vtun10 remote-host '172.18.201.10' - set interfaces openvpn vtun10 remote-port '1194' - set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt' - set interfaces openvpn vtun10 tls cert-file '/config/auth/client1.crt' - set interfaces openvpn vtun10 tls key-file '/config/auth/client1.key' - set interfaces openvpn vtun10 use-lzo-compression - -Options -======= - -We do not have CLI nodes for every single OpenVPN options. If an option is -missing, a feature request should be opened at Phabricator_ so all users can -benefit from it (see :ref:`issues_features`). 
- -If you are a hacker or want to try on your own we support passing raw OpenVPN -options to OpenVPN. - -.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'persistent-key' - -Will add ``persistent-key`` at the end of the generated OpenVPN configuration. -Please use this only as last resort - things might break and OpenVPN won't start -if you pass invalid options/syntax. - -.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'push "keepalive 1 10"' - -Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. - -.. note:: Sometimes option lines in the generated OpenVPN configurarion require - quotes. This is done through a hack on our config generator. You can pass - quotes using the ``"`` statement. - - -Troubleshooting -=============== - -VyOS provides some operational commands on OpenVPN. - -Check status ------------- - -The following commands let you check tunnel status. - -.. opcmd:: show openvpn client - - Use this command to check the tunnel status for OpenVPN client interfaces. - -.. opcmd:: show openvpn server - - Use this command to check the tunnel status for OpenVPN server interfaces. - -.. opcmd:: show openvpn site-to-site - - Use this command to check the tunnel status for OpenVPN site-to-site interfaces. - - -Reset OpenVPN -------------- - -The following commands let you reset OpenVPN. - -.. opcmd:: reset openvpn client <text> - - Use this command to reset specified OpenVPN client. - -.. opcmd:: reset openvpn interface <interface> - - Uset this command to reset the OpenVPN process on a specific interface. - - - -.. include:: ../common-references.rst diff --git a/docs/vpn/pptp.rst b/docs/vpn/pptp.rst deleted file mode 100644 index 72b3feb0..00000000 --- a/docs/vpn/pptp.rst +++ /dev/null 
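Review bot: the openvpn.rst hunk removes the site-to-site, server, Easy-RSA, LDAP/AD and client documentation with no replacement in this diff; confirm where it went, and carry the following corrections into the moved copy. The claim after the remote configuration that a static-key site-to-site tunnel defaults to AES-256-GCM "if both sides supports NCP" is suspect, since NCP negotiation runs over the TLS control channel, which static-key mode does not have. The "complete LDAP auth" example combines `--client-cert-not-required` with `--duplicate-cn`, which turns off client-certificate authentication entirely and leaves the bind password in `/config/auth/ldap-auth.config` as the only secret, so the text should at least tell the reader to restrict that file's permissions; the same example uses `dh1024.pem` while the Easy-RSA section generates 2048-bit material. The sentence `Despite the fact that AD is a superset of LDAP` is unfinished, the mis-encoded quotes in `āCA Key Passphraseā` and the typos `configurarion` and `Uset` should be fixed, and the `des`, `3des`, `bf128`, `md5` entries in the cipher and hash lists deserve the same "considered weak" remark the text gives SHA-1.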
@@ -1,47 +0,0 @@ -.. _pptp: - -PPTP-Server ------------ - -The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. -PPTP has many well known security issues and you should use one of the many other new VPN implementations. - -As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. -If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1. - -server example -^^^^^^^^^^^^^^ - -.. code-block:: none - - set vpn pptp remote-access authentication local-users username test password 'test' - set vpn pptp remote-access authentication mode 'local' - set vpn pptp remote-access client-ip-pool start '192.168.0.10' - set vpn pptp remote-access client-ip-pool stop '192.168.0.15' - set vpn pptp remote-access gateway-address '10.100.100.1' - set vpn pptp remote-access outside-address '10.1.1.120' - - -client example (debian 9) -^^^^^^^^^^^^^^^^^^^^^^^^^ - -Install the client software via apt and execute pptpsetup to generate the configuration. - - -.. code-block:: none - - apt-get install pptp-linux - pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt - pon TESTTUNNEL - -The command pon TESTUNNEL establishes the PPTP tunnel to the remote system. - - -All tunnel sessions can be checked via: - -.. code-block:: none - - run sh pptp-server sessions - ifname | username | calling-sid | ip | type | comp | state | uptime - --------+----------+-------------+--------------+------+------+--------+---------- - ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58 diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst deleted file mode 100644 index 08ccc648..00000000 --- a/docs/vpn/site2site_ipsec.rst +++ /dev/null 
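Review bot: the pptp.rst hunk deletes the only statement on this page that PPTP is kept solely for backwards compatibility and has well-known security issues; if `set vpn pptp` remains in the CLI, that warning must survive wherever the text moves, and any remaining `:ref:` to the removed `_pptp` anchor will break the Sphinx build. In the client example, `pptpsetup ... --username test --password test` puts the password in shell history and in the process list; a moved copy should say so, and `pon TESTUNNEL` in the following sentence does not match the `TESTTUNNEL` name the command creates.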
@@ -1,298 +0,0 @@ -.. _size2site_ipsec: - -Site-to-Site -============ - -Site-to-site mode provides a way to add remote peers, which could be configured to exchange encrypted information between them and VyOS itself or connected/routed networks. - -To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site`` command. - -You can identify a remote peer with: - -* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used when a peer has a public static IP address; -* Hostname. This mode is similar to IP address, only you define DNS name instead of an IP. Could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time; -* Remote ID of the peer. In this mode, there is no predefined remote address nor DNS name of the peer. This mode is useful when a peer doesn't have a publicly available IP address (NAT between it and VyOS), or IP address could be changed. - -Each site-to-site peer has the next options: - -* ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions: - - * ``id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer; - - * ``mode`` - mode for authentication between VyOS and remote peer: - - * ``pre-shared-secret`` - use predefined shared secret phrase, must be the same for local and remote side; - - * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set vpn rsa-keys`` section; - - * ``x509`` - use certificates infrastructure for authentication. - - * ``pre-shared-secret`` - predefined shared secret. Used if configured ``mode pre-shared-secret``; - - * ``remote-id`` - define an ID for remote peer, instead of using peer name or address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; - - * ``rsa-key-name`` - shared RSA key for authentication. 
The key must be defined in the ``set vpn rsa-keys`` section; - - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined; - - * ``x509`` - options for x509 authentication mode: - - * ``ca-cert-file`` - CA certificate file. Using for authenticating remote peer; - - * ``cert-file`` - certificate file, which will be used for authenticating local router on remote peer; - - * ``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revoked; - - * ``key`` - a private key, which will be used for authenticating local router on remote peer: - - * ``file`` - path to the key file; - - * ``password`` - passphrase private key, if needed. - -* ``connection-type`` - how to handle this connection process. Possible variants: - - * ``initiate`` - do initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods; - - * ``respond`` - do not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side. - -* ``default-esp-group`` - ESP group to use by default for traffic encryption. Might be overwritten by individual settings for tunnel or VTI interface binding; - -* ``description`` - description for this peer; - -* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec connection with this peer, instead of ``local-address``; - -* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. 
Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them; - -* ``ike-group`` - IKE group to use for key exchanges; - -* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. Can be used only with IKEv2: - - * ``yes`` - create a new IKE_SA from the scratch and try to recreate all IPsec SAs; - - * ``no`` - rekey without uninstalling the IPsec SAs; - - * ``inherit`` - use default behavior for the used IKE group. - -* ``local-address`` - local IP address for IPSec connection with this peer. If defined ``any``, then an IP address which configured on interface with default route will be used; - -* ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: - - * ``disable`` - disable this tunnel; - - * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel; - - * ``local`` - define a local source for match traffic, which should be encrypted and send to this peer: - - * ``port`` - define port. Have effect only when used together with ``prefix``; - - * ``prefix`` - IP network at local side. - - * ``protocol`` - define the protocol for match traffic, which should be encrypted and send to this peer; - - * ``remote`` - define the remote destination for match traffic, which should be encrypted and send to this peer: - - * ``port`` - define port. Have effect only when used together with ``prefix``; - - * ``prefix`` - IP network at remote side. - -* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will be send to VTI interface will be encrypted and send to this peer. 
Using VTI makes IPSec configuration much flexible and easier in complex situation, and allows to dynamically add/delete remote networks, reachable via a peer, as in this mode router don't need to create additional SA/policy for each remote network: - - * ``bind`` - select a VTI interface to bind to this peer; - - * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface. - -Examples: ------------------- - -IKEv1 -^^^^^ - -Example: - -* WAN interface on `eth1` -* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually - there is no client or server roles) -* left local_ip: `198.51.100.3` # server side WAN IP -* right subnet: `10.0.0.0/24` site2,remote office side -* right local_ip: `203.0.113.2` # remote office side WAN IP - -.. code-block:: none - - # server config - set vpn ipsec esp-group office-srv-esp compression 'disable' - set vpn ipsec esp-group office-srv-esp lifetime '1800' - set vpn ipsec esp-group office-srv-esp mode 'tunnel' - set vpn ipsec esp-group office-srv-esp pfs 'enable' - set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' - set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no' - set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' - set vpn ipsec ike-group office-srv-ike lifetime '3600' - set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' - set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec ipsec-interfaces interface 'eth1' - set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SomePreSharedKey' - set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer 
203.0.113.2 tunnel 0 allow-public-networks 'disable' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21' - - # remote office config - set vpn ipsec esp-group office-srv-esp compression 'disable' - set vpn ipsec esp-group office-srv-esp lifetime '1800' - set vpn ipsec esp-group office-srv-esp mode 'tunnel' - set vpn ipsec esp-group office-srv-esp pfs 'enable' - set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' - set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no' - set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' - set vpn ipsec ike-group office-srv-ike lifetime '3600' - set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' - set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec ipsec-interfaces interface 'eth1' - set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret 'SomePreSharedKey' - set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24' - -Show status of new setup: - -.. 
code-block:: none - - vyos@srv-gw0:~$ show vpn ike sa - Peer ID / IP Local ID / IP - ------------ ------------- - 203.0.113.2 198.51.100.3 - State Encrypt Hash D-H Grp NAT-T A-Time L-Time - ----- ------- ---- ------- ----- ------ ------ - up aes256 sha1 5 no 734 3600 - - vyos@srv-gw0:~$ show vpn ipsec sa - Peer ID / IP Local ID / IP - ------------ ------------- - 203.0.113.2 198.51.100.3 - Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto - ------ ----- ------------- ------- ---- ----- ------ ------ ----- - 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all - -If there is SNAT rules on eth1, need to add exclude rule - -.. code-block:: none - - # server side - set nat source rule 10 destination address '10.0.0.0/24' - set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' - set nat source rule 10 source address '192.168.0.0/24' - - # remote office side - set nat source rule 10 destination address '192.168.0.0/24' - set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' - set nat source rule 10 source address '10.0.0.0/24' - -To allow traffic to pass through to clients, you need to add the following -rules. (if you used the default configuration at the top of this page) - -.. code-block:: none - - # server side - set firewall name OUTSIDE-LOCAL rule 32 action 'accept' - set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24' - - # remote office side - set firewall name OUTSIDE-LOCAL rule 32 action 'accept' - set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24' - -IKEv2 -^^^^^ - -Imagine the following topology - -.. figure:: ../_static/images/vpn_s2s_ikev2.png - :scale: 50 % - :alt: IPSec IKEv2 site2site VPN - - IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) - - -.. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` - gives you additional information for using /31 subnets on point-to-point - links. - -**left** - -.. 
code-block:: none - - set interfaces vti vti10 address '10.0.0.2/31' - - set vpn ipsec esp-group ESP_DEFAULT compression 'disable' - set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' - set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' - set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' - set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' - set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ipsec-interfaces interface 'eth0.201' - set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10' - set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey' - set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate' - set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10' - set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10' - set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT' - -**right** - -.. 
code-block:: none - - set interfaces vti vti10 address '10.0.0.3/31' - - set vpn ipsec esp-group ESP_DEFAULT compression 'disable' - set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' - set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' - set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' - set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' - set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ipsec-interfaces interface 'eth0.202' - set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 'secretkey' - set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate' - set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10' - set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT' 
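Review bot: the removal of docs/vpn/site2site_ipsec.rst (`+++ /dev/null`) has no replacement in this hunk, so the `ikev2-reauth`, `tunnel` and `vti` option descriptions and both worked examples disappear with it; if the text is being relocated, the moved IKEv1 example should also resolve the subnet mismatch visible here, where the bullet list and the SNAT exclude rule use `10.0.0.0/24` but the tunnel selectors read `set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21'` and `set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21'`, so the encrypted selector is wider than the networks the NAT exclusion and `OUTSIDE-LOCAL rule 32` accept.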
diff --git a/docs/vpn/sstp.rst b/docs/vpn/sstp.rst deleted file mode 100644 index e5567cb6..00000000 --- a/docs/vpn/sstp.rst +++ /dev/null 
@@ -1,347 +0,0 @@ -.. _sstp: - -#### -SSTP -#### - -:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN -(Virtual Private Network)` tunnel that provides a mechanism to transport PPP -traffic through an SSL/TLS channel. SSL/TLS provides transport-level security -with key negotiation, encryption and traffic integrity checking. The use of -SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls -and proxy servers except for authenticated web proxies. - -SSTP is available for Linux, BSD, and Windows. - -VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both -local and RADIUS authentication. - -As SSTP provides PPP via a SSL/TLS channel the use of either publically signed -certificates as well as a private PKI is required. - -.. note:: All certificates should be stored on VyOS under ``/config/auth``. If - certificates are not stored in the ``/config`` directory they will not be - migrated during a software update. - -Certificates -============ - -Self Signed CA --------------- - -To generate the CA, the server private key and certificates the following -commands can be used. - -.. code-block:: none - - vyos@vyos:~$ mkdir -p /config/user-data/sstp - vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt - - Generating a 4096 bit RSA private key - .........................++ - ...............................................................++ - writing new private key to 'server.key' - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: - - vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt - [...] 
- Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: - - -Configuration -============= - -.. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass> - - Create `<user>` for local authentication on this system. The users password - will be set to `<pass>`. - -.. cfgcmd:: set vpn sstp authentication local-users username <user> disable - - Disable `<user>` account. - -.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip <address> - - Assign static IP address to `<user>` account. - -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit download <bandwidth> - - Download bandwidth limit in kbit/s for `<user>`. - -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit upload <bandwidth> - - Upload bandwidth limit in kbit/s for `<user>`. - -.. cfgcmd:: set vpn sstp authentication protocols <pap | chap | mschap | mschap-v2> - - Require the peer to authenticate itself using one of the following protocols: - pap, chap, mschap, mschap-v2. - -.. cfgcmd:: set vpn sstp authentication mode <local | radius> - - Set authentication backend. The configured authentication backend is used - for all queries. - - * **radius**: All authentication queries are handled by a configured RADIUS - server. - * **local**: All authentication queries are handled locally. - - -.. cfgcmd:: set vpn sstp gateway-address <gateway> - - Specifies single `<gateway>` IP address to be used as local address of PPP - interfaces. - - -.. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet> - - Use `<subnet>` as the IP pool for all connecting clients. - - -.. 
cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits> - - Use this comand to set the IPv6 address pool from which an SSTP client - will get an IPv6 prefix of your defined length (mask) to terminate the - SSTP endpoint at their side. The mask length can be set from 48 to 128 - bit long, the default value is 64. - - -.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix <number-of-bits> - - Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on - SSTP. You will have to set your IPv6 pool and the length of the - delegation prefix. From the defined IPv6 pool you will be handing out - networks of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. - - -.. cfgcmd:: set vpn sstp name-server <address> - - Connected client should use `<address>` as their DNS server. This - command accepts both IPv4 and IPv6 addresses. Up to two nameservers - can be configured for IPv4, up to three for IPv6. - -Maximum number of IPv4 nameservers - -SSL Certificates ----------------- - -.. cfgcmd:: set vpn sstp ssl ca-cert-file <file> - - Path to `<file>` pointing to the certificate authority certificate. - -.. cfgcmd:: set vpn sstp ssl cert-file <file> - - Path to `<file>` pointing to the servers certificate (public portion). - -.. cfgcmd:: set vpn sstp ssl key-file <file> - - Path to `<file>` pointing to the servers certificate (private portion). - -PPP Settings ------------- - -.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number> - - Defines the maximum `<number>` of unanswered echo requests. Upon reaching the - value `<number>`, the session will be reset. - -.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval> - - If this option is specified and is greater than 0, then the PPP module will - send LCP pings of the echo request every `<interval>` seconds. - -.. 
cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout - - Specifies timeout in seconds to wait for any peer activity. If this option - specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" - is not used. - -.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny> - - Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation - preference. - - * **require** - ask client for mppe, if it rejects drop connection - * **prefer** - ask client for mppe, if it rejects don't fail - * **deny** - deny mppe - - Default behavior - don't ask client for mppe, but allow it if client wants. - Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy - attribute. - - -RADIUS ------- - -Server -^^^^^^ - -.. cfgcmd:: set vpn sstp authentication radius server <server> port <port> - - Configure RADIUS `<server>` and its required port for authentication requests. - -.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> - - Configure RADIUS `<server>` and its required shared `<secret>` for - communicating with the RADIUS server. - -.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time> - - Mark RADIUS server as offline for this given `<time>` in seconds. - -.. cfgcmd:: set vpn sstp authentication radius server <server> disable - - Temporary disable this RADIUS server. - -Options -^^^^^^^ - -.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout> - - Timeout to wait reply for Interim-Update packets. (default 3 seconds) - -.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address> - - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port> - - Port for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret> - - Secret for Dynamic Authorization Extension server (DM/CoA) - -.. 
cfgcmd:: set vpn sstp authentication radius max-try <number> - - Maximum number of tries to send Access-Request/Accounting-Request queries - -.. cfgcmd:: set vpn sstp authentication radius timeout <timeout> - - Timeout to wait response from server (seconds) - -.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier> - - Value to send to RADIUS server in NAS-Identifier attribute and to be matched - in DM/CoA requests. - -.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address> - - Value to send to RADIUS server in NAS-IP-Address attribute and to be matched - in DM/CoA requests. Also DM/CoA server will bind to that address. - -.. cfgcmd:: set vpn sstp authentication radius source-address <address> - - Source IPv4 address used in all RADIUS server queires. - -.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute> - - Specifies which RADIUS server attribute contains the rate limit information. - The default attribute is `Filter-Id`. - -.. cfgcmd:: set vpn sstp authentication radius rate-limit enable - - Enables bandwidth shaping via RADIUS. - -.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor - - Specifies the vendor dictionary, dictionary needs to be in - /usr/share/accel-ppp/radius. - - -Example -======= - -* Use local user `foo` with password `bar` -* Client IP addresses will be provided from pool `192.0.2.0/25` - -.. code-block:: none - - set vpn sstp authentication local-users username vyos password vyos - set vpn sstp authentication mode local - set vpn sstp gateway-address 192.0.2.254 - set vpn sstp client-ip-pool subnet 192.0.2.0/25 - set vpn sstp name-server 10.0.0.1 - set vpn sstp name-server 10.0.0.2 - set vpn sstp ssl ca-cert-file /config/auth/ca.crt - set vpn sstp ssl cert-file /config/auth/server.crt - set vpn sstp ssl key-file /config/auth/server.key - -Testing SSTP -============ - -Once you have setup your SSTP server there comes the time to do some basic -testing. 
The Linux client used for testing is called sstpc_. sstpc_ requires a -PPP configuration/peer file. - -The following PPP configuration tests MSCHAP-v2: - -.. code-block:: none - - $ cat /etc/ppp/peers/vyos - usepeerdns - #require-mppe - #require-pap - require-mschap-v2 - noauth - lock - refuse-pap - refuse-eap - refuse-chap - refuse-mschap - #refuse-mschap-v2 - nobsdcomp - nodeflate - debug - - -You can now "dial" the peer with the follwoing command: ``sstpc --log-level 4 ---log-stderr --user vyos --password vyos vpn.example.com -- call vyos``. - -A connection attempt will be shown as: - -.. code-block:: none - - $ sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos - - Mar 22 13:29:12 sstpc[12344]: Resolved vpn.example.com to 192.0.2.1 - Mar 22 13:29:12 sstpc[12344]: Connected to vpn.example.com - Mar 22 13:29:12 sstpc[12344]: Sending Connect-Request Message - Mar 22 13:29:12 sstpc[12344]: SEND SSTP CRTL PKT(14) - Mar 22 13:29:12 sstpc[12344]: TYPE(1): CONNECT REQUEST, ATTR(1): - Mar 22 13:29:12 sstpc[12344]: ENCAP PROTO(1): 6 - Mar 22 13:29:12 sstpc[12344]: RECV SSTP CRTL PKT(48) - Mar 22 13:29:12 sstpc[12344]: TYPE(2): CONNECT ACK, ATTR(1): - Mar 22 13:29:12 sstpc[12344]: CRYPTO BIND REQ(4): 40 - Mar 22 13:29:12 sstpc[12344]: Started PPP Link Negotiation - Mar 22 13:29:15 sstpc[12344]: Sending Connected Message - Mar 22 13:29:15 sstpc[12344]: SEND SSTP CRTL PKT(112) - Mar 22 13:29:15 sstpc[12344]: TYPE(4): CONNECTED, ATTR(1): - Mar 22 13:29:15 sstpc[12344]: CRYPTO BIND(3): 104 - Mar 22 13:29:15 sstpc[12344]: Connection Established - - $ ip addr show ppp0 - 164: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3 - link/ppp promiscuity 0 - inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0 - valid_lft forever preferred_lft forever - - - -.. _sstpc: https://github.com/reliablehosting/sstp-client - -.. include:: ../common-references.rst 
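Review bot: deleting docs/vpn/sstp.rst drops the `.. _sstp:` label and the `.. include:: ../common-references.rst` line that resolves `accel-ppp_`, so any remaining `:ref:`sstp`` in the tree will fail to build; if the page is being moved rather than retired, fix the inconsistencies it carries first: the certificate section writes keys to `/config/user-data/sstp/` while the note and the example use `/config/auth/`, the example bullets promise user `foo` / password `bar` but the config sets `set vpn sstp authentication local-users username vyos password vyos`, and the stray line `Maximum number of IPv4 nameservers` after the `name-server` command is an unfinished fragment.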
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst deleted file mode 100644 index 3580fac3..00000000 --- a/docs/vpn/wireguard.rst +++ /dev/null 
@@ -1,265 +0,0 @@ -.. _wireguard: - -######### -WireGuard -######### - -WireGuard is an extremely simple yet fast and modern VPN that utilizes -state-of-the-art cryptography. See https://www.wireguard.com for more -information. - -Configuration -============= - -WireGuard requires the generation of a keypair, a private key which will -decrypt incoming traffic and a public key, which the peer(s) will use to -encrypt traffic. - -Generate keypair ----------------- - -.. opcmd:: generate wireguard default-keypair - - It generates the keypair, that is its public and private part and stores - it within VyOS. It will be used per default on any configured WireGuard - interface, even if multiple interfaces are being configured. - -.. opcmd:: show wireguard keypairs pubkey default - - It shows the public key which needs to be shared with your peer(s). Your - peer will encrypt all traffic to your system using this public key. - - .. code-block:: none - - vyos@vyos:~$ show wireguard keypairs pubkey default - hW17UxY7zeydJNPIyo3UtGnBHkzTK/NeBOrDSIU9Tx0= - - -Generate named keypair ----------------------- - -Named keypairs can be used on a interface basis, if configured. If -multiple WireGuard interfaces are being configured, each can have their -own keypairs. - -The commands below will generate 2 keypairs, which are not related to -each other. - -.. code-block:: none - - vyos@vyos:~$ generate wireguard named-keypairs KP01 - vyos@vyos:~$ generate wireguard named-keypairs KP02 - - -Interface configuration ------------------------ - -The next step is to configure your local side as well as the policy -based trusted destination addresses. 
If you only initiate a connection, -the listen port and address/port is optional, if you however act as a server -and endpoints initiate the connections to your system, you need to -define a port your clients can connect to, otherwise it's randomly -chosen and may make it difficult with firewall rules, since the port may -be a different one when you reboot your system. - -You will also need the public key of your peer as well as the network(s) -you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The -public key below is always the public key from your peer, not your local -one. - -**local side** - -.. code-block:: none - - set interfaces wireguard wg01 address '10.1.0.1/24' - set interfaces wireguard wg01 description 'VPN-to-wg02' - set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24' - set interfaces wireguard wg01 peer to-wg02 address '192.168.0.142' - set interfaces wireguard wg01 peer to-wg02 port '12345' - set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=' - set interfaces wireguard wg01 port '12345' - set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01 - -The last step is to define an interface route for 10.2.0.0/24 to get -through the WireGuard interface `wg01`. Multiple IPs or networks can be -defined and routed, the last check is allowed-ips which either prevents -or allows the traffic. - -.. note:: You can not assign the same allowed-ips statement to multiple - WireGuard peers. This a a design decission. For more information please - check the `WireGuard mailing list`_. - - -To use a named key on an interface, the option private-key needs to be -set. - -.. code-block:: none - - set interfaces wireguard wg01 private-key KP01 - set interfaces wireguard wg02 private-key KP02 - -The command ``run show wireguard keypairs pubkey KP01`` will then show -the public key, which needs to be shared with the peer. - - -**remote side** - -.. 
code-block:: none - - set interfaces wireguard wg01 address '10.2.0.1/24' - set interfaces wireguard wg01 description 'VPN-to-wg01' - set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24' - set interfaces wireguard wg01 peer to-wg02 address '192.168.0.124' - set interfaces wireguard wg01 peer to-wg02 port '12345' - set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=' - set interfaces wireguard wg01 port '12345' - set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01 - -Assure that your firewall rules allow the traffic, in which case you -have a working VPN using WireGuard - -.. code-block:: none - - wg01# ping 10.2.0.1 - PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data. - 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms - 64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms - - wg02# ping 10.1.0.1 - PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. - 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms - 64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms - -An additional layer of symmetric-key crypto can be used on top of the -asymmetric crypto, which is optional. - -.. code-block:: none - - wg01# run generate wireguard preshared-key - rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc= - -Copy the key, as it is not stored on the local file system. Make sure -you distribute that key in a safe manner, it's a symmetric key, so only -you and your peer should have knowledge of its content. - -.. code-block:: none - - wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' - wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' - -Road Warrior Example --------------------- - -With WireGuard, a Road Warrior VPN config is similar to a site-to-site -VPN. It just lacks the ``address`` and ``port`` statements. 
- -In the following example, the IPs for the remote clients are defined in -the peers. This would allow the peers to interact with one another. - -.. code-block:: none - - wireguard wg0 { - address 10.172.24.1/24 - address 2001:DB8:470:22::1/64 - description RoadWarrior - peer MacBook { - allowed-ips 10.172.24.30/32 - allowed-ips 2001:DB8:470:22::30/128 - persistent-keepalive 15 - pubkey F5MbW7ye7DsoxdOaixjdrudshjjxN5UdNV+pGFHqehc= - } - peer iPhone { - allowed-ips 10.172.24.20/32 - allowed-ips 2001:DB8:470:22::30/128 - persistent-keepalive 15 - pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00= - } - port 2224 - } - -The following is the config for the iPhone peer above. It's important to -note that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic -through the connection. - -.. code-block:: none - - [Interface] - PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf= - Address = 10.172.24.20/24, 2001:DB8:470:22::20/64 - DNS = 10.0.0.53, 10.0.0.54 - - [Peer] - PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc= - AllowedIPs = 0.0.0.0/0, ::/0 - Endpoint = 192.0.2.1:2224 - PersistentKeepalive = 25 - - -This MacBook peer is doing split-tunneling, where only the subnets local -to the server go over the connection. - -.. code-block:: none - - [Interface] - PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go= - Address = 10.172.24.30/24, 2001:DB8:470:22::30/64 - - [Peer] - PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc= - AllowedIPs = 10.172.24.30/24, 2001:DB8:470:22::/64 - Endpoint = 192.0.2.1:2224 - PersistentKeepalive = 25 - - -Operational commands -==================== - -**Show interface status** - -.. 
code-block:: none - - vyos@wg01# run show interfaces wireguard wg01 - interface: wg1 - description: VPN-to-wg01 - address: 10.2.0.1/24 - public key: RIbtUTCfgzNjnLNPQ/asldkfjhaERDFl2H/xUfbyjc= - private key: (hidden) - listening port: 53665 - peer: to-wg02 - public key: u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk= - latest handshake: 0:01:20 - status: active - endpoint: 192.168.0.124:12345 - allowed ips: 10.2.0.0/24 - transfer: 42 GB received, 487 MB sent - persistent keepalive: every 15 seconds - RX: - bytes packets errors dropped overrun mcast - 45252407916 31192260 0 244493 0 0 - TX: - bytes packets errors dropped carrier collisions - 511649780 5129601 24465 0 0 0 - -**Show public key of the default key** - -.. code-block:: none - - vyos@wg01# run show wireguard keypair pubkey default - FAXCPb6EbTlSH5200J5zTopt9AYXneBthAySPBLbZwM= - -**Show public key of a named key** - -.. code-block:: none - - vyos@wg01# run show wireguard keypair pubkey KP01 - HUtsu198toEnm1poGoRTyqkUKfKUdyh54f45dtcahDM= - - -**Delete wireguard keypairs** - -.. code-block:: none - - vyos@wg01# wireguard keypair default - - -.. _`WireGuard mailing list`: https://lists.zx2c4.com/pipermail/wireguard/2018-December/003704.html |
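Review bot: deleting docs/vpn/wireguard.rst removes the `.. _wireguard:` label and the `WireGuard mailing list` link target, so cross references to this page need to be updated in the same change; if the content is being relocated, correct the errors visible in the deleted text on the way: the "Delete wireguard keypairs" block shows `vyos@wg01# wireguard keypair default` with no `delete` verb, the MacBook split-tunnel config lists `AllowedIPs = 10.172.24.30/24` where the network is `10.172.24.0/24`, and the remote side defines the peer as `to-wg02` while the preshared-key step sets `wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key`, which would not apply to the peer configured above it.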