diff options
| author | LiudmylaNad <l.nadolina@vyos.io> | 2026-03-17 21:34:48 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-03-17 20:34:48 +0000 |
| commit | 7845fc35eab98429f2852a1e5d3113323e1d6025 (patch) | |
| tree | 415f8f905f01336e2ef27a1bdf4834480d06a46e | |
| parent | 4b1b16e87f7f615ed3254cfa97955b16df156ddc (diff) | |
| download | vyos-documentation-7845fc35eab98429f2852a1e5d3113323e1d6025.tar.gz vyos-documentation-7845fc35eab98429f2852a1e5d3113323e1d6025.zip | |
DOC: Proofread openvpn-examples.rst (#1779)
* DOC: Proofread openvpn-examples.rst
* Apply suggestions from code review
Co-authored-by: Daniil Baturin <daniil@baturin.org>
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
| -rw-r--r-- | docs/configuration/interfaces/openvpn-examples.rst | 357 |
1 files changed, 184 insertions, 173 deletions
diff --git a/docs/configuration/interfaces/openvpn-examples.rst b/docs/configuration/interfaces/openvpn-examples.rst index c380e7a8..46409975 100644 --- a/docs/configuration/interfaces/openvpn-examples.rst +++ b/docs/configuration/interfaces/openvpn-examples.rst @@ -1,54 +1,55 @@ -Site-to-Site +Site-to-site ============ -OpenVPN is popular for client-server setups, but its site-to-site mode -remains a relatively obscure feature, and many router appliances -still don't support it. However, it's very useful for quickly setting up -tunnels between routers. +OpenVPN is popular for client-server setups, but its site-to-site mode is less +common and often not supported by router appliances. Despite limited support, +it is effective for quickly establishing tunnels between routers. -As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or +As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates. -The pre-shared key mode is deprecated and will be removed from future OpenVPN -versions, so VyOS will have to remove support for that option as well. The -reason is that using pre-shared keys is significantly less secure than using TLS. +Pre-shared key mode is now deprecated and will be removed from future OpenVPN +versions. VyOS will also discontinue support for this option because pre-shared +keys are significantly less secure than TLS. -We'll configure OpenVPN using self-signed certificates, and then discuss the +We will configure OpenVPN with self-signed certificates, and then discuss the legacy pre-shared key mode. In both cases, we will use the following settings: -* The public IP address of the local side of the VPN will be 198.51.100.10. -* The public IP address of the remote side of the VPN will be 203.0.113.11. -* The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote. -* The local site will have a subnet of 10.0.0.0/16. -* The remote site will have a subnet of 10.1.0.0/16. -* The official port for OpenVPN is 1194, which we reserve for client VPN; we - will use 1195 for site-to-site VPN. -* The ``persistent-tunnel`` directive will allow us to configure tunnel-related - attributes, such as firewall policy as we would on any normal network +* The public IP address of the local VPN endpoint is 198.51.100.10. +* The public IP address of the remote VPN endpoint is 203.0.113.11. +* The tunnel uses 10.255.1.1 for the local IP address and 10.255.1.2 for the + remote IP address. +* The local site has a subnet of 10.0.0.0/16. +* The remote site has a subnet of 10.1.0.0/16. +* The official OpenVPN port 1194 is reserved for client VPN. For site-to-site + VPN, port 1195 is used. +* The ``persistent-tunnel`` directive allows us to configure tunnel-related + attributes, such as firewall policy, as we would on any standard network interface. -* If known, the IP of the remote router can be configured using the - ``remote-host`` directive; if unknown, it can be omitted. We will assume a - dynamic IP for our remote router. +* If known, the remote router's IP address can be configured using the + ``remote-host`` directive. If unknown, it can be omitted. We assume the remote + router has a dynamic IP address. -.. figure:: /_static/images/openvpn_site2site_diagram.jpg -Setting up certificates ------------------------ +.. figure:: /_static/images/openvpn_site2site_diagram.jpg -Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose -of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, -compared to server setups that need to support multiple clients. +Set up site-to-site certificates +-------------------------------- -However, since VyOS 1.4, it is possible to verify self-signed certificates using -certificate fingerprints. +Deploying a complete Public Key Infrastructure (PKI) with a Certificate +Authority (CA) would overcomplicate site-to-site OpenVPN setups, which are +primarily designed for simplicity. To keep their configuration simple without +compromising security, VyOS 1.4 and later lets you verify self-signed +certificates using certificate fingerprints. -On both sides, you need to generate a self-signed certificate, preferrably using the "ec" (elliptic curve) type. -You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode. -Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree. -You can then review the proposed changes and commit them. +Generate a self-signed certificate on each router, preferably using the +Elliptic Curve (EC) type. In configuration mode, run the following command: +``run generate pki certificate self-signed install <name>``. This adds the +certificate to the configuration session's ``pki`` subtree. Review and commit +the changes. .. code-block:: none @@ -81,22 +82,25 @@ You can then review the proposed changes and commit them. vyos@vyos# commit -You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint. -OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command: + +You do **not** need to copy the certificate to the other router. Instead, +retrieve its SHA-256 fingerprint. Since OpenVPN currently supports only SHA-256 +fingerprints, use the following command: .. code-block:: none vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79 -Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary. +.. note:: Certificate names are arbitrary. While ``openvpn-local`` and + ``openvpn-remote`` are used here, you may choose any names. Repeat the procedure on the other router. -Setting up OpenVPN ------------------- +Set up site-to-site OpenVPN +--------------------------- -Local Configuration: +Local configuration: .. code-block:: none @@ -111,10 +115,10 @@ Local Configuration: set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate - set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 on the remote router + set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256' on the remote router set interfaces openvpn vtun1 tls role active -Remote Configuration: +Remote configuration: .. code-block:: none @@ -130,17 +134,17 @@ Remote Configuration: set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 on the local router set interfaces openvpn vtun1 tls role passive -Pre-shared keys ---------------- +Set up pre-shared keys +---------------------- -Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use -pre-shared keys. That option is still available but it is deprecated and will -be removed in the future. However, if you need to set up a tunnel to an older -VyOS version or a system with older OpenVPN, you need to still need to know how -to use it. +Before VyOS 1.4, site-to-site OpenVPN without PKI required pre-shared keys. +This option is still available but is deprecated and will be removed in future +releases. If you need to set up a tunnel to an older VyOS version or a system +with older OpenVPN, you still need to use pre-shared keys. -First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode. -You can use any name, we will use ``s2s``. +First, generate a key by running ``run generate pki openvpn shared-secret +install <name>`` in configuration mode. You can use any name; in this example, +we use ``s2s``. .. code-block:: none @@ -159,23 +163,23 @@ You can use any name, we will use ``s2s``. vyos@local# commit [edit] -Then you need to install the key on the remote router: +Next, install the key on the remote router: .. code-block:: none vyos@remote# set pki openvpn shared-secret s2s key <generated key string> -Then you need to set the key in your OpenVPN interface settings: +Finally, configure the key in your OpenVPN interface settings: .. code-block:: none set interfaces openvpn vtun1 shared-secret-key s2s -Firewall Exceptions -------------------- +Set up firewall exceptions +-------------------------- -For the OpenVPN traffic to pass through the WAN interface, you must create a -firewall exception. +To allow OpenVPN traffic to pass through the WAN interface, create a firewall +exception: .. code-block:: none @@ -189,8 +193,8 @@ firewall exception. set firewall ipv4 name OUTSIDE_LOCAL rule 20 log set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol 'udp' -You should also ensure that the OUTISDE_LOCAL firewall group is applied to the -WAN interface and applied to input filter where traffic destined for the router itself +Apply the OUTSIDE_LOCAL firewall group to the WAN interface and to the input +filter for traffic destined for the router itself: .. code-block:: none @@ -198,30 +202,32 @@ WAN interface and applied to input filter where traffic destined for the router set firewall ipv4 input filter rule 10 inbound-interface name eth0 set firewall ipv4 input filter rule 10 jump-target OUTSIDE_LOCAL -Static Routing: +Static routing: -Static routes can be configured referencing the tunnel interface; for example, -the local router will use a network of 10.0.0.0/16, while the remote has a -network of 10.1.0.0/16: +Configure static routes by referencing the tunnel interface. For example, if +the local router's network is ``10.0.0.0/16`` and the remote router's network +is ``10.1.0.0/16``, define the routes as follows: -Local Configuration: +Local configuration: .. code-block:: none set protocols static route 10.1.0.0/16 interface vtun1 -Remote Configuration: +Remote configuration: .. code-block:: none set protocols static route 10.0.0.0/16 interface vtun1 -Firewall policy can also be applied to the tunnel interface for input, output and forward directions and functions identically to ethernet interfaces. +As with standard Ethernet interfaces, you can apply firewall policies to the +tunnel interface for input, output, and forward directions. -If you are making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the pre-shared-key. This is done either by referencing IP addresses or port numbers. -One option is to dedicate a public IP to each tunnel. Another option is to dedicate a port number to each tunnel (e.g. 1195,1196,1197…). +If you use multiple tunnels, OpenVPN must distinguish between them beyond just +the pre-shared key. To achieve this, assign either unique IP addresses or +unique ports to each tunnel. -OpenVPN status can be verified using the show openvpn operational commands. +Verify OpenVPN status using the show openvpn operational commands. .. code-block:: none @@ -234,28 +240,27 @@ OpenVPN status can be verified using the show openvpn operational commands. N/A 10.110.12.54:1195 N/A N/A 504.0 B 656.0 B N/A -Server-Client +Server-client ============= -OpenVPN’s server-client mode is a configuration setup where server device acts -as a central hub that multiple other machines (the clients) connect to securely -route their traffic or access a private network. -Multi-client server is the most popular OpenVPN mode on routers. +In OpenVPN’s server-client mode, the server acts as a central hub, allowing +multiple clients to connect and securely route their traffic or access a +private network. Multi-client server is the most popular OpenVPN mode for +routers. +Set up server-client certificates +--------------------------------- -Setting up certificates ------------------------ +Server-client mode always uses x.509 authentication and therefore requires a +PKI setup. The PKI utility now simplifies the creation of Certificate +Authorities (CAs), server and client certificates, and Diffie-Hellman keys +directly in VyOS using configuration or operational mode commands. -Client-Server always uses x.509 authentication and therefore requires a PKI setup. -The PKI utility now simplifies the creation of Certificate Authorities (CAs), -server and client certificates, and Diffie-Hellman keys directly from the VyOS -using configuration or operational mode commands. +On the server, generate all certificates by running the following commands in +configuration mode. The certificates will be added to the configuration +session's PKI subtree. -Usually on server side, you can generate all certificates by executing these -commands in the configuration mode. Once the command is complete, it will add -the certificate to the configuration session, to the ``pki`` subtree. - -Certificate Authority (CA) +Certificate Authority (CA): .. code-block:: none @@ -285,7 +290,7 @@ Certificate Authority (CA) vyos@vyos# commit -Server Certificate +Server certificate: .. code-block:: none @@ -318,7 +323,7 @@ Server Certificate vyos@vyos# commit -DH Key +Diffie-Hellman key: .. code-block:: none @@ -336,7 +341,7 @@ DH Key [edit] vyos@vyos# commit -Client Certificate +Client certificate: .. code-block:: none @@ -358,23 +363,23 @@ Client Certificate set pki certificate client1 certificate 'MIIDrjCCApagAwIBAgIUPvtffeYTdoOiHxu++wdrjHwwVX4wDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTQxMDlaFw0yNjA2MTExMTQxMDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQnUyqEzG+AqZzsdSud5MDqsOxiXTAfBgNVHSMEGDAWgBQAb2W+vsDMn/Li9j9eVbFeu77qbTANBgkqhkiG9w0BAQsFAAOCAQEAplItvZpoX/joG3QREu9tHVKwDTmXB2lwUM5G8iKPgd6D6oOILZMe2KuvWt12dcdEzUCGfJwJJ8M8R2WD0OmcLdFqvM/8UM1hYzUP2BCnFCLtElVD+b4wMlQNpdHqNbdckw8J4MLQlhUgu9rZAZ0XjWCprr+U50bX++vYRw7Un3Ds6ETEvjflm5WAPb2e0V1hhISPl8K+VXO7RAwxy0DHcDuR+YaD+hnNgMsJV3/QwA17Iy8x86RpOgqmesbt0U7e9Rmo81aVgiy/V4OCV7u6bPX03fmZNS8UwwJuRUlxkjO+epHNYB2cnOcjSkUxaIJ9Hv3tMWHQEtbVZsNYSOZozw==' set pki certificate client1 private key 'MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAECggEAPS/Fhtt5k2BgFivZW3FcVc+OS0keGwV8hkFsGoXTZIKEIzSFWIn/mX0CUY90C0Rn9MRwiqB4PwssOAsHY6QQjdRK8irRbVK8l2ZeydHC7DfVUdXtKR0YnxTaePML3nTV/TqPF14Rx6EINtHrkLeBbu2DhGsKfhoHIoTVbvUiKLHa2TkGJOkhvjsyMSPKzUXa1AzLmu+UBIhRYpEPHj0SQUUJJnKgIb7mTR2fhJScHcKwsrPq6S8OpChvsYZ6zatgrTFz9tuhD4IjL7NBiYP45BwGaLIaQjph8yAJwwHWoOP+TTj5WYflkW6Uu8F9gC0ve6dPGPNEi2TUdirvAe4LYQKBgQD0UfAPm6tQg8pdkvfMBvYc21fk8zqmgcA4OtvDi60aXuv5jI5+faISvOG2JLuFhKIDOb5ZerzGvkN+LvWgzr9H7YdGZNNtwKgpS/MGqcuuHncTxWBAwYgKhf26a/tqFZRNurJ6GowxDiAcQEc1mWnmdngRa+dvvCwNbXvGVqfVEQKBgQDGKi447TqD76QfvRPn/fRSjM+QE1duk+XorEJ0HHIha5HV9kCrZdV/olGRjDLwPJO6JW7iE2FUsS9SsIrccFE/9P2ZUqfYP2wL5vNO5kAmoLLUl0gwqg1WnBTPJfXeKReTj2uGmOdEuuMPXpL/49hDuPViiE2Q4MGe2Z+oEYN/EwKBgHfQMuTEl2e9qaDn8OM6SrluC5V4fjunh6dLnfgwaCx1fk1702lOnQuJWzsiml9o4raoO6PP4AGqzphz2PsKSJ2ya1NnIJRDFXRjDYQoAn2Z7RViBsja36chfINObxXgDUFtHBdrK3LnFXIlR4aOfHOLh2grvWx7IDNZjIiAeH+xAoGAJlmFZnjqiRv4bDgAQTZRcSRVCvHjSsAOj0++8I+MutEBgSHN9B2aCsBT/tHeDcX7ZNvXsKLFhElh+iO2S+DkqHb2GRT47I2hkFAaqBtBMPiKgz/ftaNDP46nLEuRYHQdXu4zhfHTV+a/CHtqAWGLuddyjaYJNM96SQ6eqjzxcMcCgYAzdxOF2e27hIgo2ttjsROMGqW0/0r/HsKGKPnao7xHQNCAswTnBT+QGugPCe0NXjuxbySP7V1GeWMWF+WV5khtteWerT1/ELAC48NSDpaMxVa4GP8Q/0w6+ZyJty3UGbCYQzZZue81dU+42LUIaVJ4NAc2tYj3jD780udasawS6w==' -Remember to copy the CA and client certificate/key manually to the client side -and commit before using under the openvpn interface configuration +Manually copy the CA, client certificate, and Diffie-Hellman key to the client +device, then commit them before configuring the OpenVPN interface. -Refer this topic :ref:`configuration/pki/index:pki` for more options. +For more options, refer to :ref:`configuration/pki/index:pki`. -Setting up OpenVPN ------------------- +Set up server-client OpenVPN +---------------------------- -In this example we will use the most complicated case: a setup where each client -is a router that has its own subnet (think HQ and branch offices), since simpler -setups are subsets of it. +The following example demonstrates the most complicated scenario: each client +acts as a router with its own subnet (e.g., an HQ and multiple branch offices). +Simpler setups are subsets of it. -Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and all -client subnets belong to 10.23.0.0/20. All clients need access to the +In this scenario, the 10.23.1.0/24 network is used for client tunnel endpoints, +and all client subnets belong to 10.23.0.0/20. Each client needs access to the 192.168.0.0/16 network. -Server Configuration: +Server configuration: .. code-block:: none @@ -392,38 +397,39 @@ Server Configuration: set interfaces openvpn vtun10 server name-server '172.16.254.30' set interfaces openvpn vtun10 server subnet '10.23.1.0/24' set interfaces openvpn vtun10 server topology 'subnet' - set interfaces openvpn vtun10 tls ca-cert ca-1 + set interfaces openvpn vtun10 tls ca-certificate ca-1 set interfaces openvpn vtun10 tls certificate srv-1 set interfaces openvpn vtun10 tls dh-params dh-1 -The configurations above uses 1194/UDP default port, 256-bit AES for -encryption, SHA-512 for HMAC authentication and the persistent-tunnel option -which is recommended, as it prevents the TUN/TAP device from closing on connection resets or daemon reloads. -Remember, clients are identified using their CN attribute in the SSL certificate. +The configuration above uses the default 1194/UDP port, 256-bit AES encryption, +SHA-512 for HMAC authentication, and the persistent-tunnel option. +Persistent-tunnel is recommended as it keeps the TUN/TAP device active during +connection resets or daemon reloads. Clients are identified by the CN attribute +in their SSL certificates. -To allow clients to access a specific network behind the router, we'll use the -push-route option to automatically install the appropriate route on each client. +To grant clients access to a specific network behind the router, use the +push-route option to automatically install the appropriate route on each client. .. code-block:: none set interfaces openvpn vtun10 server push-route 192.168.0.0/16 -OpenVPN will not automatically create routes in the kernel for client subnets -when they connect and will only use client-subnet association internally, so we -need to create a route to the 10.23.0.0/20 network ourselves: +OpenVPN does not automatically create kernel routes for client subnets when +clients connect; it only uses client-subnet association internally. Therefore, +you must manually create a route to the 10.23.0.0/20 network: .. code-block:: none set protocols static route 10.23.0.0/20 interface vtun10 -Client ------- +Set up OpenVPN client +--------------------- -VyOS can not only act as an OpenVPN site-to-site or server for multiple clients -but you can also configure any VyOS OpenVPN interface as an OpenVPN client that -connects to a VyOS OpenVPN server or any other OpenVPN server. +VyOS can operate not only as an OpenVPN site-to-site peer or a server for +multiple clients, but also as an OpenVPN client. Any VyOS OpenVPN interface +can be configured to connect to another VyOS or third-party OpenVPN server. -Client Configuration: +Client configuration: .. code-block:: none @@ -434,11 +440,11 @@ Client Configuration: set interfaces openvpn vtun10 protocol 'udp' set interfaces openvpn vtun10 remote-host '172.18.201.10' set interfaces openvpn vtun10 remote-port '1194' - set interfaces openvpn vtun10 tls ca-cert ca-1 + set interfaces openvpn vtun10 tls ca-certificate ca-1 set interfaces openvpn vtun10 tls certificate client1 -Output ------- +Verification +------------ Check the tunnel status: @@ -454,17 +460,18 @@ Check the tunnel status: -Server Bridge +Server bridge ============= -In Ethernet bridging configurations, OpenVPN's server mode can be set as a -'bridge' where the VPN tunnel encapsulates entire Ethernet frames -(up to 1514 bytes) instead of just IP packets (up to 1500 bytes). This setup -allows clients to transmit Layer 2 frames through the OpenVPN tunnel. Below, -we outline a basic configuration to achieve this: +In Ethernet bridging configurations, an OpenVPN interface operating in server +mode with the device type set to TAP can be added to a bridge. By encapsulating +entire Ethernet frames (up to 1514 bytes) rather than just IP packets (up to +1500 bytes), this setup enables clients to transmit Layer 2 frames through the +OpenVPN tunnel. +The following is a basic configuration example: -Server Side: +Server side: .. code-block:: none @@ -472,7 +479,7 @@ Server Side: set interfaces bridge br10 member interface vtun10 set interfaces openvpn vtun10 device-type 'tap' set interfaces openvpn vtun10 encryption data-ciphers 'aes192' - set interfaces openvpn vtun10 hash 'sha256'' + set interfaces openvpn vtun10 hash 'sha256' set interfaces openvpn vtun10 local-host '172.18.201.10' set interfaces openvpn vtun10 local-port '1194' set interfaces openvpn vtun10 mode 'server' @@ -483,15 +490,15 @@ Server Side: set interfaces openvpn vtun10 server topology 'subnet' set interfaces openvpn vtun10 tls ca-certificate 'ca-1' set interfaces openvpn vtun10 tls certificate 'srv-1' - set interfaces openvpn vtun10 tls dh-params 'srv-1' + set interfaces openvpn vtun10 tls dh-params 'dh-1' -Client Side : +Client side: .. code-block:: none set interfaces openvpn vtun10 device-type 'tap' set interfaces openvpn vtun10 encryption data-ciphers 'aes192' - set interfaces openvpn vtun10 hash 'sha256'' + set interfaces openvpn vtun10 hash 'sha256' set interfaces openvpn vtun10 mode 'client' set interfaces openvpn vtun10 protocol 'udp' set interfaces openvpn vtun10 remote-host '172.18.201.10' @@ -501,26 +508,28 @@ Client Side : -Server LDAP Authentication +Server LDAP authentication ========================== LDAP ---- -Enterprise installations usually ship a kind of directory service which is used -to have a single password store for all employees. VyOS and OpenVPN support -using LDAP/AD as single user backend. +Enterprise installations usually include a directory service to centralize +employee password management. VyOS and OpenVPN support using LDAP and Active +Directory as a single user backend. + +Authentication is performed by the ``openvpn-auth-ldap.so`` plugin, included +with every VyOS installation. To use it, you must create a dedicated +configuration file. -Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is -shipped with every VyOS installation. A dedicated configuration file is -required. It is best practise to store it in ``/config`` to survive image -updates +**Best practice:** Store the configuration file in the ``/config`` directory +to ensure it is preserved after image updates. .. code-block:: none set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" -The required config file may look like this: +A sample configuration file is shown below: .. code-block:: none @@ -547,7 +556,7 @@ The required config file may look like this: Active Directory ^^^^^^^^^^^^^^^^ -Despite the fact that AD is a superset of LDAP +A sample configuration file is shown below: .. code-block:: none @@ -580,8 +589,8 @@ Despite the fact that AD is a superset of LDAP </Group> </Authorization> -If you only want to check if the user account is enabled and can authenticate -(against the primary group) the following snipped is sufficient: +If you only want to check that the user account is enabled and can authenticate +(against the primary group), the following snippet is sufficient: .. code-block:: none @@ -600,8 +609,8 @@ If you only want to check if the user account is enabled and can authenticate RequireGroup false </Authorization> -A complete LDAP auth OpenVPN configuration could look like the following -example: +A complete example of an LDAP authentication configuration for OpenVPN is shown +below: .. code-block:: none @@ -630,14 +639,14 @@ example: } } -For detailed example, refer this topic :doc:`OpenVPN with LDAP</configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>` +For a detailed example, refer to :doc:`OpenVPN with LDAP</configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`. -Multi-factor Authentication +Multi-factor authentication =========================== -VyOS supports multi-factor authentication (MFA) or two-factor authentication -using Time-based One-Time Password (TOTP). Compatible with Google Authenticator -software token, other software tokens. +VyOS supports multi-factor authentication (MFA) or two-factor authentication +using Time-based One-Time Passwords (TOTP). It is compatible with Google +Authenticator and other software tokens. Server side ----------- @@ -656,10 +665,11 @@ Server side set interfaces openvpn vtun20 tls certificate 'openvpn_vtun20' set interfaces openvpn vtun20 tls dh-params 'dh-pem' -For every client in the openvpn server configuration a totp secret is created. -To display the authentication information, use the command ``show interfaces openvpn vtun20 user user1 mfa qrcode`` +A TOTP secret is created for each client in the OpenVPN server configuration. +To display authentication information, use the following command: +``show interfaces openvpn vtun20 user user1 mfa qrcode``. -An example: +Example: .. code-block:: none @@ -684,24 +694,25 @@ An example: █████████████████████████████████████ █████████████████████████████████████ -Use the QR code to add the user account in Google authenticator application and -on client side, use the OTP number as password. +Scan the QR code to add the user account to Google Authenticator. On the client +side, use the generated OTP as the password. -Authentication with Username/Password +Authentication with username/password ===================================== -OpenVPN server allows to securely obtain a username and password from a connecting -client, and to use that information as a basis for authenticating the client. +An OpenVPN server can securely obtain a username and password from a connecting +client and use this information for authentication. -First, configure the server to use an authentication plugin, which may be a -script. The OpenVPN server will call the plugin every time a client tries to -connect, passing it the username/password entered on the client +First, configure the server to use an authentication plugin or script. The +server calls this plugin every time a client tries to connect, passing it the +client's credentials. -In this exammple, the ``--auth-user-pass-verify`` directive is used with the -via-env method and a specified script path to validate the username and password provided by the client. +In the following example, the ``--auth-user-pass-verify`` directive is used +with the via-env method and a specified script path to validate the client's +username and password. -Server ------- +Server configuration +-------------------- .. code-block:: none @@ -719,7 +730,7 @@ Server set interfaces openvpn vtun10 tls certificate 'srv-1' set interfaces openvpn vtun10 tls dh-params 'dh-1' -Example of /config/auth/check_user.sh, includes two testing users: +The /config/auth/check_user.sh example includes two test users: .. code-block:: none @@ -736,20 +747,20 @@ Example of /config/auth/check_user.sh, includes two testing users: exit 1 fi -Client ------- +Client configuration +-------------------- -One advantage of having the client certificate stored locally is the ability to create the client configuration. -Use this command: +Storing the client certificate locally lets you generate the OpenVPN client +configuration file. Use the following command: .. code-block:: none vyos@vyos:~$ generate openvpn client-config interface vtun10 ca ca-1 certificate client1 -Save the output to a file, and add the ``auth-user-pass`` directive to the client -configuration. It will direct the OpenVPN client to query the user for a -username/password, passing it on to the server over the secure TLS channel. -You can use this file to import to any clients. +Copy the output and save it as a .ovpn file. Add the ``auth-user-pass`` +directive to the file. This instructs the OpenVPN client to prompt the user +for a username and password, which are then sent to the server over the TLS +channel. You can now import this file into any OpenVPN client application. .. code-block:: none @@ -852,4 +863,4 @@ You can use this file to import to any clients. </key> -Login using the username and password, once prompted in the dialog. +When prompted, log in with the username and password. |
