diff options
Diffstat (limited to 'docs/vpn/openvpn.rst')
-rw-r--r-- | docs/vpn/openvpn.rst | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 491e6e6d..2e4388ed 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -68,7 +68,7 @@ in our configuration. Local Configuration: -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp @@ -82,7 +82,7 @@ Local Configuration: Remote Configuration: -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp @@ -104,7 +104,7 @@ For Encryption: This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or OpenVPN version < 2.4.0. -.. code-block:: sh +.. code-block:: console vyos@vyos# set interfaces openvpn vtun1 encryption cipher Possible completions: @@ -123,7 +123,7 @@ This sets the accepted ciphers to use when version => 2.4.0 and NCP is enabled (which is default). Default NCP cipher for versions >= 2.4.0 is aes256gcm. The first cipher in this list is what server pushes to clients. -.. code-block:: sh +.. code-block:: console vyos@vyos# set int open vtun0 encryption ncp-ciphers Possible completions: @@ -138,7 +138,7 @@ aes256gcm. The first cipher in this list is what server pushes to clients. For Hashing: -.. code-block:: sh +.. code-block:: console vyos@vyos# set interfaces openvpn vtun1 hash Possible completions: @@ -157,13 +157,13 @@ network of 10.1.0.0/16: Local Configuration: -.. code-block:: sh +.. code-block:: console set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1 Remote Configuration: -.. code-block:: sh +.. code-block:: console set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1 @@ -206,7 +206,7 @@ closing on connection resets or daemon reloads. 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur. -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun10 mode server set interfaces openvpn vtun10 local-port 1194 @@ -216,7 +216,7 @@ closing on connection resets or daemon reloads. Then we need to specify the location of the cryptographic materials. Suppose you keep the files in `/config/auth/openvpn` -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt @@ -229,7 +229,7 @@ specify the subnet for client tunnel endpoints. Since we want clients to access a specific network behind out router, we will use a push-route option for installing that route on clients. -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun10 server push-route 192.168.0.0/16 set interfaces openvpn vtun10 server subnet 10.23.1.0/24 @@ -241,7 +241,7 @@ need configuration for each client to achieve this. .. note:: Clients are identified by the CN field of their x.509 certificates, in this example the CN is ``client0``: -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun10 server client client0 ip 10.23.1.10 set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25 @@ -250,7 +250,7 @@ OpenVPN **will not** automatically create routes in the kernel for client subnets when they connect and will only use client-subnet association internally, so we need to create a route to the 10.23.0.0/20 network ourselves: -.. code-block:: sh +.. code-block:: console set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10 @@ -269,13 +269,13 @@ Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is shipped with every VyOS installation. A dedicated configuration file is required. It is best practise to store it in ``/config`` to survive image updates -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" The required config file may look like: -.. code-block:: sh +.. code-block:: console <LDAP> # LDAP server URL @@ -302,7 +302,7 @@ Active Directory Despite the fact that AD is a superset of LDAP -.. code-block:: sh +.. code-block:: console <LDAP> # LDAP server URL @@ -336,7 +336,7 @@ Despite the fact that AD is a superset of LDAP If you only want to check if the user account is enabled and can authenticate (against the primary group) the following snipped is sufficient: -.. code-block:: sh +.. code-block:: console <LDAP> URL ldap://dc01.example.com @@ -355,7 +355,7 @@ If you only want to check if the user account is enabled and can authenticate A complete LDAP auth OpenVPN configuration could look like the following example: -.. code-block:: sh +.. code-block:: console vyos@vyos# show interfaces openvpn openvpn vtun0 { @@ -398,7 +398,7 @@ using their CN attribute in the SSL certificate. Server ------ -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun10 encryption cipher 'aes256' set interfaces openvpn vtun10 hash 'sha512' @@ -422,7 +422,7 @@ Server Client ------ -.. code-block:: sh +.. code-block:: console set interfaces openvpn vtun10 encryption cipher 'aes256' set interfaces openvpn vtun10 hash 'sha512' |