diff options
Diffstat (limited to 'docs')
-rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 3 | ||||
-rw-r--r-- | docs/configuration/vpn/openconnect.rst | 4 | ||||
-rw-r--r-- | docs/configuration/vpn/pptp.rst | 15 | ||||
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 112 | ||||
-rw-r--r-- | docs/configuration/vpn/sstp.rst | 18 |
5 files changed, 106 insertions, 46 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index 62c0f002..f902c388 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -11,7 +11,8 @@ technologies are actually standards based. The three technologies are: * :abbr:`NHRP (Next Hop Resolution Protocol)` :rfc:`2332` * :abbr:`mGRE (Multipoint Generic Routing Encapsulation)` :rfc:`1702` -* :abbr:`IPSec (IP Security)` - too many RFCs to list, but start with :rfc:`4301` +* :abbr:`IPSec (IP Security)` - too many RFCs to list, but start with + :rfc:`4301` NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint registration, and endpoint discovery/lookup), mGRE provides the tunnel diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index a409ed9d..feb0bab1 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -72,8 +72,8 @@ The Gateway IP Address must be in one of the routerĀ“s interfaces. set vpn openconnect authentication local-users username user4 password 'SecretPassword' set vpn openconnect authentication mode 'local' set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' - set vpn openconnect network-settings name-server '1.1.1.1' - set vpn openconnect network-settings name-server '8.8.8.8' + set vpn openconnect network-settings name-server '10.1.1.1' + set vpn openconnect network-settings name-server '10.1.1.2' set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem' set vpn openconnect ssl cert-file '/config/auth/cert.pem' set vpn openconnect ssl key-file '/config/auth/privkey.pem' diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index 72b3feb0..12364acb 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -3,11 +3,15 @@ PPTP-Server ----------- -The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. -PPTP has many well known security issues and you should use one of the many other new VPN implementations. +The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only +for backwards compatibility. PPTP has many well known security issues and you +should use one of the many other new VPN implementations. -As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. -If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1. +As per default and if not otherwise defined, mschap-v2 is being used for +authentication and mppe 128-bit (stateless) for encryption. If no +gateway-address is set within the configuration, the lowest IP out of the /24 +client-ip-pool is being used. For instance, in the example below it would be +192.168.0.1. server example ^^^^^^^^^^^^^^ @@ -25,7 +29,8 @@ server example client example (debian 9) ^^^^^^^^^^^^^^^^^^^^^^^^^ -Install the client software via apt and execute pptpsetup to generate the configuration. +Install the client software via apt and execute pptpsetup to generate the +configuration. .. code-block:: none diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 97f27b43..e81c5c3b 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -3,103 +3,151 @@ Site-to-Site ============ -Site-to-site mode provides a way to add remote peers, which could be configured to exchange encrypted information between them and VyOS itself or connected/routed networks. +Site-to-site mode provides a way to add remote peers, which could be configured +to exchange encrypted information between them and VyOS itself or +connected/routed networks. -To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site`` command. +To configure site-to-site connection you need to add peers with the +``set vpn ipsec site-to-site`` command. You can identify a remote peer with: -* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used when a peer has a public static IP address; -* Hostname. This mode is similar to IP address, only you define DNS name instead of an IP. Could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time; -* Remote ID of the peer. In this mode, there is no predefined remote address nor DNS name of the peer. This mode is useful when a peer doesn't have a publicly available IP address (NAT between it and VyOS), or IP address could be changed. +* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used + when a peer has a public static IP address; +* Hostname. This mode is similar to IP address, only you define DNS name instead + of an IP. Could be used when a peer has a public IP address and DNS name, but + an IP address could be changed from time to time; +* Remote ID of the peer. In this mode, there is no predefined remote address + nor DNS name of the peer. This mode is useful when a peer doesn't have a + publicly available IP address (NAT between it and VyOS), or IP address could + be changed. Each site-to-site peer has the next options: -* ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions: +* ``authentication`` - configure authentication between VyOS and a remote peer. + Suboptions: - * ``id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer; + * ``id`` - ID for the local VyOS router. If defined, during the authentication + it will be send to remote peer; * ``mode`` - mode for authentication between VyOS and remote peer: - * ``pre-shared-secret`` - use predefined shared secret phrase, must be the same for local and remote side; + * ``pre-shared-secret`` - use predefined shared secret phrase, must be the + same for local and remote side; - * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set vpn rsa-keys`` section; + * ``rsa`` - use simple shared RSA key. The key must be defined in the + ``set vpn rsa-keys`` section; * ``x509`` - use certificates infrastructure for authentication. - * ``pre-shared-secret`` - predefined shared secret. Used if configured ``mode pre-shared-secret``; + * ``pre-shared-secret`` - predefined shared secret. Used if configured + ``mode pre-shared-secret``; - * ``remote-id`` - define an ID for remote peer, instead of using peer name or address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; + * ``remote-id`` - define an ID for remote peer, instead of using peer name or + address. Useful in case if the remote peer is behind NAT or if ``mode x509`` + is used; - * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined in the ``set vpn rsa-keys`` section; + * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined + in the ``set vpn rsa-keys`` section; - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined; + * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when + ``id`` is defined; * ``x509`` - options for x509 authentication mode: - * ``ca-cert-file`` - CA certificate file. Using for authenticating remote peer; + * ``ca-cert-file`` - CA certificate file. Using for authenticating + remote peer; - * ``cert-file`` - certificate file, which will be used for authenticating local router on remote peer; + * ``cert-file`` - certificate file, which will be used for authenticating + local router on remote peer; - * ``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revoked; + * ``crl-file`` - file with the Certificate Revocation List. Using to check if + a certificate for the remote peer is valid or revoked; - * ``key`` - a private key, which will be used for authenticating local router on remote peer: + * ``key`` - a private key, which will be used for authenticating local router + on remote peer: * ``file`` - path to the key file; * ``password`` - passphrase private key, if needed. -* ``connection-type`` - how to handle this connection process. Possible variants: +* ``connection-type`` - how to handle this connection process. Possible + variants: - * ``initiate`` - do initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods; + * ``initiate`` - do initial connection to remote peer immediately after + configuring and after boot. In this mode the connection will not be restarted + in case of disconnection, therefore should be used only together with DPD or + another session tracking methods; - * ``respond`` - do not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side. + * ``respond`` - do not try to initiate a connection to a remote peer. In this + mode, the IPSec session will be established only after initiation from a + remote peer. Could be useful when there is no direct connectivity to the + peer due to firewall or NAT in the middle of the local and remote side. -* ``default-esp-group`` - ESP group to use by default for traffic encryption. Might be overwritten by individual settings for tunnel or VTI interface binding; +* ``default-esp-group`` - ESP group to use by default for traffic encryption. + Might be overwritten by individual settings for tunnel or VTI interface + binding; * ``description`` - description for this peer; -* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec connection with this peer, instead of ``local-address``; +* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec + connection with this peer, instead of ``local-address``; -* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them; +* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. + Useful in case if between local and remote side is firewall or NAT, which not + allows passing plain ESP packets between them; * ``ike-group`` - IKE group to use for key exchanges; -* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. Can be used only with IKEv2: +* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. + Can be used only with IKEv2: - * ``yes`` - create a new IKE_SA from the scratch and try to recreate all IPsec SAs; + * ``yes`` - create a new IKE_SA from the scratch and try to recreate all + IPsec SAs; * ``no`` - rekey without uninstalling the IPsec SAs; * ``inherit`` - use default behavior for the used IKE group. -* ``local-address`` - local IP address for IPSec connection with this peer. If defined ``any``, then an IP address which configured on interface with default route will be used; +* ``local-address`` - local IP address for IPSec connection with this peer. + If defined ``any``, then an IP address which configured on interface with + default route will be used; -* ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: +* ``tunnel`` - define criteria for traffic to be matched for encrypting and send + it to a peer: * ``disable`` - disable this tunnel; * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel; - * ``local`` - define a local source for match traffic, which should be encrypted and send to this peer: + * ``local`` - define a local source for match traffic, which should be + encrypted and send to this peer: * ``port`` - define port. Have effect only when used together with ``prefix``; * ``prefix`` - IP network at local side. - * ``protocol`` - define the protocol for match traffic, which should be encrypted and send to this peer; + * ``protocol`` - define the protocol for match traffic, which should be + encrypted and send to this peer; - * ``remote`` - define the remote destination for match traffic, which should be encrypted and send to this peer: + * ``remote`` - define the remote destination for match traffic, which should be + encrypted and send to this peer: * ``port`` - define port. Have effect only when used together with ``prefix``; * ``prefix`` - IP network at remote side. -* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will be send to VTI interface will be encrypted and send to this peer. Using VTI makes IPSec configuration much flexible and easier in complex situation, and allows to dynamically add/delete remote networks, reachable via a peer, as in this mode router don't need to create additional SA/policy for each remote network: +* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will + be send to VTI interface will be encrypted and send to this peer. Using VTI + makes IPSec configuration much flexible and easier in complex situation, and + allows to dynamically add/delete remote networks, reachable via a peer, as in + this mode router don't need to create additional SA/policy for each remote + network: * ``bind`` - select a VTI interface to bind to this peer; - * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface. + * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI + interface. Examples: ------------------ diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index dbaa41c0..3600681f 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -64,7 +64,8 @@ commands can be used. Configuration ============= -.. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass> +.. cfgcmd:: set vpn sstp authentication local-users username <user> password + <pass> Create `<user>` for local authentication on this system. The users password will be set to `<pass>`. @@ -73,19 +74,23 @@ Configuration Disable `<user>` account. -.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip <address> +.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip + <address> Assign static IP address to `<user>` account. -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit download <bandwidth> +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + download <bandwidth> Download bandwidth limit in kbit/s for `<user>`. -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit upload <bandwidth> +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + upload <bandwidth> Upload bandwidth limit in kbit/s for `<user>`. -.. cfgcmd:: set vpn sstp authentication protocols <pap | chap | mschap | mschap-v2> +.. cfgcmd:: set vpn sstp authentication protocols + <pap | chap | mschap | mschap-v2> Require the peer to authenticate itself using one of the following protocols: pap, chap, mschap, mschap-v2. @@ -119,7 +124,8 @@ Configuration bit long, the default value is 64. -.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix <number-of-bits> +.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix + <number-of-bits> Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the |