Diffstat (limited to 'docs')
-rw-r--r-- docs/configuration/interfaces/openvpn.rst | 30
1 files changed, 19 insertions, 11 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index eab1517e..6bfc0b9d 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -48,8 +48,9 @@ Site-to-site mode supports x.509 but doesn't require it and can also work with
static keys, which is simpler in many cases. In this example, we'll configure
a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.
-First, one of the systems generate the key using the `generate pki openvpn shared-secret <https://docs.vyos.io/en/latest/configuration/pki/index.html#openvpn>`_ command.
-Once generated, you will need to install this key on the local system, then copy and install this key to the remote router.
+First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki:pki>`
+command. Once generated, you will need to install this key on the local system,
+then copy and install this key to the remote router.
In our example, we used the key name ``openvpn-1`` which we will reference
in our configuration.
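Review bot: the new :ref: target on the first added line is "configuration/pki:pki", the same label the Server section uses for the general PKI topic, while the URL it replaces ended in "#openvpn", so the link for "generate pki openvpn shared-secret" probably no longer lands on the OpenVPN part of the PKI page. Point it at a label for that section if one exists. While this sentence is being rewrapped, "one of the systems generate" should read "generates", and the first added line is still longer than the wrapped lines that follow it.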
@@ -96,10 +97,14 @@ Local Configuration - Annotated:
.. code-block:: none
- run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret. The generated secret is the output to the console.
+ run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret.
+ The generated secret is the output to
+ the console.
Configure mode commands to install OpenVPN key:
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to the console.
- set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to the console.
+ set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to
+ the console.
+ set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to
+ the console.
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
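Review bot: the wrapped continuation lines ("The generated secret is the output to", "the console.") carry no "#", so inside the code-block they stop reading as comments and look like command text or console output to anyone copying the block. Prefix each continuation with "#", or shorten the comments so they fit on one line. The comment on the "version '1'" line also repeats "Generated secret displayed in the output to the console", which describes the key rather than the version, and "genearated" is carried over into the re-added first line.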
@@ -133,7 +138,8 @@ Remote Configuration - Annotated:
.. code-block:: none
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret (from the Local Configuration Block).
+ set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret
+ (from the Local Configuration Block).
set pki openvpn shared-secret openvpn-1 version '1'
set interfaces openvpn vtun1 mode site-to-site
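Review bot: the re-added "set pki openvpn shared-secret openvpn-1 key" line keeps the typo "genearated"; since the line is being touched anyway, correct it to "generated". Its continuation "(from the Local Configuration Block)." also has no "#" in front of it, so it is not marked as a comment within the code-block.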
@@ -268,7 +274,7 @@ Server
Multi-client server is the most popular OpenVPN mode on routers. It always uses
x.509 authentication and therefore requires a PKI setup. Refer this topic
-`PKI <https://docs.vyos.io/en/latest/configuration/pki/index.html#pki>`_ to generate a CA certificate,
+:ref:`configuration/pki:pki` to generate a CA certificate,
a server certificate and key, a certificate revocation list, a Diffie-Hellman
key exchange parameters file. You do not need client certificates and keys for
the server setup.
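Review bot: with the bare :ref: on the added line, the sentence renders as "Refer this topic" followed by the section title, which is missing "to" and reads awkwardly. Suggest "Refer to :ref:`configuration/pki:pki` to generate a CA certificate, ..." and dropping "this topic". The list that follows ("a Diffie-Hellman key exchange parameters file") could be tidied in the same pass.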
@@ -302,17 +308,18 @@ Then we need to generate, add and specify the names of the cryptographic materia
.. code-block:: none
- run generate pki ca install ca-1 # Follow the instructions to generate CA cert
+ run generate pki ca install ca-1 # Follow the instructions to generate CA cert.
Configure mode commands to install:
set pki ca ca-1 certificate 'generated_cert_string'
set pki ca ca-1 private key 'generated_private_key'
- run generate pki certificate sign ca-1 install srv-1 # Follow the instructions to generate server cert
+ run generate pki certificate sign ca-1 install srv-1 # Follow the instructions to generate server cert.
Configure mode commands to install:
set pki certificate srv-1 certificate 'generated_server_cert'
set pki certificate srv-1 private key 'generated_private_key'
- run generate pki dh install dh-1 # Follow the instructions to generate set of Diffie-Hellman parameters
+ run generate pki dh install dh-1 # Follow the instructions to generate set of
+ Diffie-Hellman parameters.
Generating parameters...
Configure mode commands to install DH parameters:
set pki dh dh-1 parameters 'generated_dh_params_set'
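Review bot: on the "run generate pki dh install dh-1" line the wrapped comment continues as "Diffie-Hellman parameters." with no "#", and the next line is the command output "Generating parameters...", so the reader cannot tell the end of the comment from the start of the output. Keep the comment on one line or repeat "#" on the continuation. The trailing periods added to the CA and server cert comments are fine.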
@@ -361,7 +368,8 @@ HQ's router requires the following steps to generate crypto materials for the Br
.. code-block:: none
- run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client cert for Branch 1
+ run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client
+ cert for Branch 1
Configure mode commands to install:
Branch 1's router might have the following lines:
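Review bot: the wrapped comment on the "install branch-1" line ends "cert for Branch 1" without a period, while this same commit adds trailing periods to the CA, server cert and DH comments in the previous hunk; end it with a period for consistency. As in the other blocks, the continuation line has no "#" to mark it as a comment.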