author    Christian Poessinger <christian@poessinger.com>  2019-11-27 17:20:36 +0100
committer Christian Poessinger <christian@poessinger.com>  2019-11-27 17:20:38 +0100
commit    6aa3cbb611f74bdf8e44d5527f5138f3122a7497 (patch)
tree      009a1fe9447bdd980d5017d49f102e7ccdace03b /docs/vpn
parent    76bbe2744d7184ee50626d9d7b65f21dad1c7e99 (diff)
Refactor "code-block:: sh" to "code-block:: console"
This will add proper new-lines into the rendered PDF. Before, if it was a long line, not all content was preserved in the PDF.
Diffstat (limited to 'docs/vpn')
 docs/vpn/dmvpn.rst          | 12
 docs/vpn/gre-ipsec.rst      | 14
 docs/vpn/l2tp.rst           | 24
 docs/vpn/openvpn.rst        | 38
 docs/vpn/pptp.rst           |  6
 docs/vpn/site2site_ipsec.rst | 12
 docs/vpn/wireguard.rst      | 32
7 files changed, 69 insertions, 69 deletions
diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst
index 03bc48ed..3715e5de 100644
--- a/docs/vpn/dmvpn.rst
+++ b/docs/vpn/dmvpn.rst
@@ -47,7 +47,7 @@ can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, t
HUB Configuration
^^^^^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
interfaces
tunnel <tunN> {
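Review bot: the block under `HUB Configuration` is a configuration tree (`interfaces`, `tunnel <tunN> {`), not a terminal session, so `console` is the wrong lexer for it; the same applies to the `SPOKE1 Configuration` and `SPOKE2 Configuration` blocks further down in this file. `.. code-block:: none` (or a plain `::` literal block) renders such trees without trying to find prompts in them, while `console` fits the `set ...` example blocks and the `vyos@...` sessions.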
@@ -119,7 +119,7 @@ HUB Configuration
HUB Example Configuration:
-.. code-block:: sh
+.. code-block:: console
set interfaces ethernet eth0 address '198.51.100.41/30'
set interfaces ethernet eth1 address '192.168.1.1/24'
@@ -171,7 +171,7 @@ SPOKE Configuration
SPOKE1 Configuration:
-.. code-block:: sh
+.. code-block:: console
interfaces
tunnel <tunN> {
@@ -248,7 +248,7 @@ SPOKE1 Configuration:
SPOKE1 Example Configuration
-.. code-block:: sh
+.. code-block:: console
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.2.1/24'
@@ -294,7 +294,7 @@ SPOKE1 Example Configuration
SPOKE2 Configuration
-.. code-block:: sh
+.. code-block:: console
interfaces
tunnel <tunN> {
@@ -371,7 +371,7 @@ SPOKE2 Configuration
SPOKE2 Example Configuration
-.. code-block:: sh
+.. code-block:: console
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.3.1/24'
diff --git a/docs/vpn/gre-ipsec.rst b/docs/vpn/gre-ipsec.rst
index f7ee84ab..3ca36b9f 100644
--- a/docs/vpn/gre-ipsec.rst
+++ b/docs/vpn/gre-ipsec.rst
@@ -40,7 +40,7 @@ and the RIGHT router is 203.0.113.45
On the LEFT:
-.. code-block:: sh
+.. code-block:: console
# GRE tunnel
set interfaces tunnel tun0 encapsulation gre
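Review bot: with the `console` lexer a line that begins with `# `, such as `# GRE tunnel` here, is parsed as a root prompt followed by a command, so the comment will be highlighted as typed input rather than as a comment. Either move the comment into the surrounding prose, or use `none` for blocks that mix `#` comments with `set` commands and reserve `console` for blocks that show a real prompt.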
@@ -90,7 +90,7 @@ RIGHT router has a dynamic address on eth0.
On the LEFT:
-.. code-block:: sh
+.. code-block:: console
set interfaces loopback lo address 192.168.99.1/32
@@ -101,7 +101,7 @@ On the LEFT:
On the RIGHT:
-.. code-block:: sh
+.. code-block:: console
set interfaces loopback lo address 192.168.99.2/32
@@ -119,7 +119,7 @@ address, so we'll have to use RSA keys.
First, on both routers run the operational command "generate vpn rsa-key bits
2048". You may choose different length than 2048 of course.
-.. code-block:: sh
+.. code-block:: console
vyos@left# run generate vpn rsa-key bits 2048
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
@@ -131,7 +131,7 @@ First, on both routers run the operational command "generate vpn rsa-key bits
Then on the opposite router, add the RSA key to your config.
-.. code-block:: sh
+.. code-block:: console
set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE
@@ -140,7 +140,7 @@ for the peer on the dynamic side.
On the LEFT (static address):
-.. code-block:: sh
+.. code-block:: console
set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
@@ -165,7 +165,7 @@ On the LEFT (static address):
On the RIGHT (dynamic address):
-.. code-block:: sh
+.. code-block:: console
set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst
index dd4a399b..2878babb 100644
--- a/docs/vpn/l2tp.rst
+++ b/docs/vpn/l2tp.rst
@@ -12,7 +12,7 @@ L2TP over IPsec
Example for configuring a simple L2TP over IPsec VPN for remote access (works
with native Windows and Mac VPN clients):
-.. code-block:: sh
+.. code-block:: console
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
@@ -43,7 +43,7 @@ As well as the below to allow NAT-traversal:
Example:
-.. code-block:: sh
+.. code-block:: console
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
@@ -61,7 +61,7 @@ Example:
To allow VPN-clients access via your external address, a NAT rule is required:
-.. code-block:: sh
+.. code-block:: console
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.255.0/24'
@@ -71,7 +71,7 @@ To allow VPN-clients access via your external address, a NAT rule is required:
VPN-clients will request configuration parameters, optionally you can DNS
parameter to the client.
-.. code-block:: sh
+.. code-block:: console
set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
@@ -82,7 +82,7 @@ parameter to the client.
Established sessions can be viewed using the **show vpn remote-access**
operational command, or **show l2tp-server sessions**
-.. code-block:: sh
+.. code-block:: console
vyos@vyos:~$ show vpn remote-access
ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
@@ -97,7 +97,7 @@ LNS are often used to connect to a LAC (L2TP Access Concentrator).
Below is an example to configure a LNS:
-.. code-block:: sh
+.. code-block:: console
set vpn l2tp remote-access outside-address 192.0.2.2
set vpn l2tp remote-access outside-nexthop 192.168.255.1
@@ -126,7 +126,7 @@ Bandwidth Shaping for local users
The rate-limit is set in kbit/sec.
-.. code-block:: sh
+.. code-block:: console
set vpn l2tp remote-access outside-address 192.0.2.2
set vpn l2tp remote-access outside-nexthop 192.168.255.1
@@ -151,14 +151,14 @@ exists within the configuration, however they are not used if the mode has been
changed from local to radius. Once changed back to local, it will use all local
accounts again.
-.. code-block:: sh
+.. code-block:: console
set vpn l2tp remote-access authentication mode <local|radius>
Since the RADIUS server would be a single point of failure, multiple RADIUS
servers can be setup and will be used subsequentially.
-.. code-block:: sh
+.. code-block:: console
set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
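Review bot: the context line "servers can be setup and will be used subsequentially" reads awkwardly; "can be set up and will be used one after the other" says the same thing in plain English. Not introduced by this change, but the hunk touches the block directly below it, so it is cheap to fix here.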
@@ -173,7 +173,7 @@ If you are using OSPF as IGP always the closets interface connected to the RADIU
server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a
single source IP e.g. the loopback interface.
-.. code-block:: sh
+.. code-block:: console
set vpn l2tp remote-access authentication radius source-address 10.0.0.3
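Review bot: the context line two above the changed directive has a typo, "always the closets interface connected to the RADIUS server is used" should read "closest"; since this hunk is already touching the paragraph, fix it in the same commit.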
@@ -188,14 +188,14 @@ RADIUS bandwidth shaping attribute
To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled.
-.. code-block:: sh
+.. code-block:: console
set vpn l2tp remote-access authentication radius rate-limit enable
The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also
redefine it.
-.. code-block:: sh
+.. code-block:: console
set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 491e6e6d..2e4388ed 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -68,7 +68,7 @@ in our configuration.
Local Configuration:
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
@@ -82,7 +82,7 @@ Local Configuration:
Remote Configuration:
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
@@ -104,7 +104,7 @@ For Encryption:
This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or
OpenVPN version < 2.4.0.
-.. code-block:: sh
+.. code-block:: console
vyos@vyos# set interfaces openvpn vtun1 encryption cipher
Possible completions:
@@ -123,7 +123,7 @@ This sets the accepted ciphers to use when version => 2.4.0 and NCP is
enabled (which is default). Default NCP cipher for versions >= 2.4.0 is
aes256gcm. The first cipher in this list is what server pushes to clients.
-.. code-block:: sh
+.. code-block:: console
vyos@vyos# set int open vtun0 encryption ncp-ciphers
Possible completions:
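Review bot: `set int open vtun0 encryption ncp-ciphers` uses abbreviated keywords and `vtun0`, whereas the neighbouring cipher and hash completion examples use `set interfaces openvpn vtun1`. While the block is being re-lexed, spell it out as `vyos@vyos# set interfaces openvpn vtun1 encryption ncp-ciphers` so the completion example matches the rest of the page.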
@@ -138,7 +138,7 @@ aes256gcm. The first cipher in this list is what server pushes to clients.
For Hashing:
-.. code-block:: sh
+.. code-block:: console
vyos@vyos# set interfaces openvpn vtun1 hash
Possible completions:
@@ -157,13 +157,13 @@ network of 10.1.0.0/16:
Local Configuration:
-.. code-block:: sh
+.. code-block:: console
set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
Remote Configuration:
-.. code-block:: sh
+.. code-block:: console
set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
@@ -206,7 +206,7 @@ closing on connection resets or daemon reloads.
0 on one side of the connection (to disable it), the chosen value on the
other side will determine when the renegotiation will occur.
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 mode server
set interfaces openvpn vtun10 local-port 1194
@@ -216,7 +216,7 @@ closing on connection resets or daemon reloads.
Then we need to specify the location of the cryptographic materials. Suppose
you keep the files in `/config/auth/openvpn`
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt
set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
@@ -229,7 +229,7 @@ specify the subnet for client tunnel endpoints. Since we want clients to access
a specific network behind out router, we will use a push-route option for
installing that route on clients.
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 server push-route 192.168.0.0/16
set interfaces openvpn vtun10 server subnet 10.23.1.0/24
@@ -241,7 +241,7 @@ need configuration for each client to achieve this.
.. note:: Clients are identified by the CN field of their x.509 certificates,
in this example the CN is ``client0``:
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 server client client0 ip 10.23.1.10
set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25
@@ -250,7 +250,7 @@ OpenVPN **will not** automatically create routes in the kernel for client
subnets when they connect and will only use client-subnet association
internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
-.. code-block:: sh
+.. code-block:: console
set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
@@ -269,13 +269,13 @@ Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
shipped with every VyOS installation. A dedicated configuration file is required.
It is best practise to store it in ``/config`` to survive image updates
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
The required config file may look like:
-.. code-block:: sh
+.. code-block:: console
<LDAP>
# LDAP server URL
@@ -302,7 +302,7 @@ Active Directory
Despite the fact that AD is a superset of LDAP
-.. code-block:: sh
+.. code-block:: console
<LDAP>
# LDAP server URL
@@ -336,7 +336,7 @@ Despite the fact that AD is a superset of LDAP
If you only want to check if the user account is enabled and can authenticate
(against the primary group) the following snipped is sufficient:
-.. code-block:: sh
+.. code-block:: console
<LDAP>
URL ldap://dc01.example.com
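Review bot: the three `<LDAP>` blocks in this hunk and the two preceding ones are the contents of the `openvpn-auth-ldap` plugin configuration file, not a terminal session, so `console` does not describe them; `none` or `text` would be accurate, and it also avoids any `# LDAP server URL` comment line being interpreted as a root prompt by the console lexer.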
@@ -355,7 +355,7 @@ If you only want to check if the user account is enabled and can authenticate
A complete LDAP auth OpenVPN configuration could look like the following example:
-.. code-block:: sh
+.. code-block:: console
vyos@vyos# show interfaces openvpn
openvpn vtun0 {
@@ -398,7 +398,7 @@ using their CN attribute in the SSL certificate.
Server
------
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
@@ -422,7 +422,7 @@ Server
Client
------
-.. code-block:: sh
+.. code-block:: console
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
diff --git a/docs/vpn/pptp.rst b/docs/vpn/pptp.rst
index ad8a37c4..68ded675 100644
--- a/docs/vpn/pptp.rst
+++ b/docs/vpn/pptp.rst
@@ -12,7 +12,7 @@ If no gateway-address is set within the configuration, the lowest IP out of the
server example
^^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
set vpn pptp remote-access authentication local-users username test password 'test'
set vpn pptp remote-access authentication mode 'local'
@@ -28,7 +28,7 @@ client example (debian 9)
Install the client software via apt and execute pptpsetup to generate the configuration.
-.. code-block:: sh
+.. code-block:: console
apt-get install pptp-linux
pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt
@@ -39,7 +39,7 @@ The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.
All tunnel sessions can be checked via:
-.. code-block:: sh
+.. code-block:: console
run sh pptp-server sessions
ifname | username | calling-sid | ip | type | comp | state | uptime
diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst
index 8e0f257b..8414e3bc 100644
--- a/docs/vpn/site2site_ipsec.rst
+++ b/docs/vpn/site2site_ipsec.rst
@@ -116,7 +116,7 @@ Example:
* right subnet: `10.0.0.0/24` site2,remote office side
* right local_ip: `203.0.113.2` # remote office side WAN IP
-.. code-block:: sh
+.. code-block:: console
# server config
set vpn ipsec esp-group office-srv-esp compression 'disable'
@@ -166,7 +166,7 @@ Example:
Show status of new setup:
-.. code-block:: sh
+.. code-block:: console
vyos@srv-gw0:~$ show vpn ike sa
Peer ID / IP Local ID / IP
@@ -186,7 +186,7 @@ Show status of new setup:
If there is SNAT rules on eth1, need to add exclude rule
-.. code-block:: sh
+.. code-block:: console
# server side
set nat source rule 10 destination address '10.0.0.0/24'
@@ -203,7 +203,7 @@ If there is SNAT rules on eth1, need to add exclude rule
To allow traffic to pass through to clients, you need to add the following
rules. (if you used the default configuration at the top of this page)
-.. code-block:: sh
+.. code-block:: console
# server side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
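Review bot: the `# server side` comment in this hunk, the `# server side` line in the SNAT hunk above it, and the `# server config` line at the top of the file will each be rendered as a root-prompt command under the `console` lexer, because a leading `# ` is treated as a prompt. Dropping these comment lines in favour of the surrounding prose, or switching these blocks to `none`, keeps the change from making them look like executed commands.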
@@ -231,7 +231,7 @@ Imagine the following topology
**left**
-.. code-block:: sh
+.. code-block:: console
set interfaces vti vti10 address '10.0.0.2/31'
@@ -265,7 +265,7 @@ Imagine the following topology
**right**
-.. code-block:: sh
+.. code-block:: console
set interfaces vti vti10 address '10.0.0.3/31'
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst
index b1fb0bdc..2ccf7b57 100644
--- a/docs/vpn/wireguard.rst
+++ b/docs/vpn/wireguard.rst
@@ -21,7 +21,7 @@ within VyOS.
It will be used per default on any configured wireguard interface, even if
multiple interfaces are being configured.
-.. code-block:: sh
+.. code-block:: console
wg01:~$ configure
wg01# run generate wireguard keypair
@@ -29,7 +29,7 @@ multiple interfaces are being configured.
The public key is being shared with your peer(s), your peer will encrypt all
traffic to your system using this public key.
-.. code-block:: sh
+.. code-block:: console
wg01# run show wireguard pubkey
u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
@@ -45,7 +45,7 @@ their own keypairs.
The commands below will generate 2 keypairs, which are not related
to each other.
-.. code-block:: sh
+.. code-block:: console
wg01:~$ configure
wg01# run generate wireguard named-keypairs KP01
@@ -69,7 +69,7 @@ below is always the public key from your peer, not your local one.
**local side**
-.. code-block:: sh
+.. code-block:: console
set interfaces wireguard wg01 address '10.1.0.1/24'
set interfaces wireguard wg01 description 'VPN-to-wg02'
@@ -89,7 +89,7 @@ traffic.
To use a named key on an interface, the option private-key needs to be set.
-.. code-block:: sh
+.. code-block:: console
set interfaces wireguard wg01 private-key KP01
set interfaces wireguard wg02 private-key KP02
@@ -100,7 +100,7 @@ which needs to be shared with the peer.
**remote side**
-.. code-block:: sh
+.. code-block:: console
set interfaces wireguard wg01 address '10.2.0.1/24'
set interfaces wireguard wg01 description 'VPN-to-wg01'
@@ -113,7 +113,7 @@ which needs to be shared with the peer.
Assure that your firewall rules allow the traffic, in which case you have a
working VPN using wireguard.
-.. code-block:: sh
+.. code-block:: console
wg01# ping 10.2.0.1
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
@@ -128,7 +128,7 @@ working VPN using wireguard.
An additional layer of symmetric-key crypto can be used on top of the
asymmetric crypto, which is optional.
-.. code-block:: sh
+.. code-block:: console
wg01# run generate wireguard preshared-key
rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=
@@ -137,7 +137,7 @@ Copy the key, as it is not stored on the local file system. Make sure you
distribute that key in a safe manner, it's a symmetric key, so only you and
your peer should have knowledge of its content.
-.. code-block:: sh
+.. code-block:: console
wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
@@ -149,7 +149,7 @@ With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It
In the following example, the IPs for the remote clients are defined in the peers. This would allow the peers to interact with one another.
-.. code-block:: sh
+.. code-block:: console
wireguard wg0 {
address 10.172.24.1/24
@@ -173,7 +173,7 @@ In the following example, the IPs for the remote clients are defined in the peer
The following is the config for the iPhone peer above. It's important to note that the ``AllowedIPs`` setting
directs all IPv4 and IPv6 traffic through the connection.
-.. code-block:: sh
+.. code-block:: console
[Interface]
PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=
@@ -189,7 +189,7 @@ directs all IPv4 and IPv6 traffic through the connection.
This MacBook peer is doing split-tunneling, where only the subnets local to the server go over the connection.
-.. code-block:: sh
+.. code-block:: console
[Interface]
PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=
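Review bot: the `wireguard wg0{ ... }` configuration tree two hunks above and the two `[Interface]` client configuration files in this region (iPhone and MacBook peers) are file contents, not terminal sessions, so `console` is not the right lexer for them; `none` (or `ini` for the `[Interface]` files) would render them correctly, while `console` remains appropriate for the `wg01#` and `vyos@wg01#` session blocks elsewhere in this file.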
@@ -207,7 +207,7 @@ Operational commands
**Show interface status**
-.. code-block:: sh
+.. code-block:: console
vyos@wg01# run show interfaces wireguard wg01
interface: wg1
@@ -233,14 +233,14 @@ Operational commands
**Show public key of the default key**
-.. code-block:: sh
+.. code-block:: console
vyos@wg01# run show wireguard keypair pubkey default
FAXCPb6EbTlSH5200J5zTopt9AYXneBthAySPBLbZwM=
**Show public key of a named key**
-.. code-block:: sh
+.. code-block:: console
vyos@wg01# run show wireguard keypair pubkey KP01
HUtsu198toEnm1poGoRTyqkUKfKUdyh54f45dtcahDM=
@@ -248,7 +248,7 @@ Operational commands
**Delete wireguard keypairs**
-.. code-block:: sh
+.. code-block:: console
vyos@wg01# wireguard keypair default
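Review bot: the example under `Delete wireguard keypairs` shows `vyos@wg01# wireguard keypair default`, which contains no delete verb, so as written it does not match its heading; since this block is being touched anyway, complete the command so the operational example actually performs the deletion the section describes.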