Diffstat (limited to 'docs/vpn')
-rw-r--r-- docs/vpn/index.rst 2
-rw-r--r-- docs/vpn/openvpn.rst 8
-rw-r--r-- docs/vpn/site2site_ipsec.rst 2
-rw-r--r-- docs/vpn/wireguard.rst 4
4 files changed, 9 insertions, 7 deletions
diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst
index 9bab2b0c..055a2d5c 100644
--- a/docs/vpn/index.rst
+++ b/docs/vpn/index.rst
@@ -5,7 +5,7 @@
VPN
===
-This chapter descriptes the available VPN services provided by VyOS.
+This chapter describes the available VPN services provided by VyOS.
.. toctree::
:hidden:
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index e252d016..7e468c7b 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -160,7 +160,7 @@ OpenVPN Server
Multi-client server is the most popular OpenVPN mode on routers. It always uses
x.509 authentication and therefore requires a PKI setup. This guide assumes you
have already setup a PKI and have a CA certificate, a server certificate and
-key, a certificate revokation list, a Diffie-Hellman key exchange parameters
+key, a certificate revocation list, a Diffie-Hellman key exchange parameters
file. You do not need client certificates and keys for the server setup.
In this example we will use the most complicated case: a setup where each
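Review bot: the corrected sentence still ends its list without a conjunction ("a certificate revocation list, a Diffie-Hellman key exchange parameters file"), and the context line two above uses "setup" as a verb ("have already setup a PKI"). Since this hunk already touches the sentence, suggest "a certificate revocation list and a Diffie-Hellman key exchange parameters file" and "have already set up a PKI".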
@@ -235,11 +235,11 @@ OpenLDAP
========
Enterprise installations usually ship a kind of directory service which is used
-to have a single password store for all employes. VyOS and OpenVPN support using
+to have a single password store for all employees. VyOS and OpenVPN support using
LDAP/AD as single user backend.
Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
-shiped with every VyOS installation. A dedicated configuration file is required.
+shipped with every VyOS installation. A dedicated configuration file is required.
It is best practise to store it in ``/config`` to survive image updates
.. code-block:: sh
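Review bot: the context line "It is best practise to store it in ``/config`` to survive image updates" is left with "practise" for the noun and no closing period, in the same paragraph this hunk corrects. Suggest "best practice" and a full stop in the same change. Both replacement lines are also 81 characters long, one more than the lines around them, so a rewrap of the paragraph would keep it uniform.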
@@ -306,7 +306,7 @@ Despite the fact that AD is a superset of LDAP
</Group>
</Authorization>
-If you only wan't to check if the user account is enabled and can authenticate
+If you only want to check if the user account is enabled and can authenticate
(against the primary group) the following snipped is sufficient:
.. code-block:: sh
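Review bot: "the following snipped is sufficient", on the line directly after the corrected one, should read "snippet". It belongs to the same sentence as the "wan't" fix, so it is worth correcting here rather than in a follow-up.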
diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst
index 41115f8c..ac410d52 100644
--- a/docs/vpn/site2site_ipsec.rst
+++ b/docs/vpn/site2site_ipsec.rst
@@ -41,7 +41,7 @@ Each site-to-site peer has the next options:
* ``cert-file`` - certificate file, which will be used for authenticating local router on remote peer;
- * ``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revocated;
+ * ``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revoked;
* ``key`` - a private key, which will be used for authenticating local router on remote peer:
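Review bot: the replaced ``crl-file`` bullet still reads "Using to check if a certificate for the remote peer is valid or revoked", which is not a sentence. Suggest "Used to check whether the remote peer's certificate is valid or revoked". The neighbouring ``key`` bullet ends in a colon where the other bullets end in a semicolon, which could be aligned at the same time.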
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst
index a2f45913..a9d27330 100644
--- a/docs/vpn/wireguard.rst
+++ b/docs/vpn/wireguard.rst
@@ -42,7 +42,7 @@ Named keypairs can be used on a interface basis, if configured.
If multiple wireguard interfaces are being configured, each can have
their own keypairs.
-The commands below will generate 2 keypairs, which are not releated
+The commands below will generate 2 keypairs, which are not related
to each other.
.. code-block:: sh
@@ -79,6 +79,8 @@ below is always the public key from your peer, not your local one.
set interfaces wireguard wg01 port '12345'
set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01
+.. note:: The `endpoint` must be an IP and not a fully qualified domain name (FQDN). Using a FQDN will result in unexpected behavior.
+
The last step is to define an interface route for 10.2.0.0/24 to get through
the wireguard interface `wg01`. Multiple IPs or networks can be defined and
routed, the last check is allowed-ips which either prevents or allows the
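Review bot: the added note says a FQDN "will result in unexpected behavior" without saying what the reader will observe, so someone debugging a tunnel cannot match their symptom to this warning. Suggest describing the behavior, or linking to where it is tracked. The note is also inserted between the ``set protocols static interface-route`` line and the paragraph "The last step is to define an interface route ..." that explains that line; it would read better next to the command that sets the endpoint. Minor: "a FQDN" should be "an FQDN", and the line is far longer than the wrapped text around it.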