vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

vpn: openconnect: fix TOC

Browse Source
This commit is contained in:
Christian Poessinger 2020-09-13 15:58:10 +02:00
parent 82bcd24b34
commit 7334b4b9ba
3 changed files with 31 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
docs/vpn/anyconnect.rst
View File

@ -1,78 +0,0 @@
.. _vpn-openconnect:
OpenConnect
-----
OpenConnect-compatible server feature is available from this release.
Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol.
The remote user will use the openconnect client to connect to the router and will receive an IP address from a VPN pool, allowing full access to the network.
.. note:: All certificates should be stored on VyOS under /config/auth. If certificates are not stored in the /config directory they will not be migrated during a software update.
Configuration
^^^^^^^^^^
SSL Certificates
----
We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL VPN tunnels.
The following command will create a self signed certificates and will be stored in the file path /config/auth
.. code-block:: none
openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt
openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt
We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Lets Encrypt — an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.
.. code-block:: none
sudo certbot certonly --standalone --preferred-challenges http -d <domain name>
Server Configuration
-------------------------
.. code-block:: none
set vpn openconnect authentication local-users username <user> password <pass>
set vpn openconnect authentication mode <local|radius>
set vpn opneconnect network-settings client-ip-settings subnet <subnet>
set vpn openconnect network-settings name-server <address>
set vpn openconnect network-settings name-server <address>
set vpn openconnect ssl ca-cert-file <file>
set vpn openconnect ssl cert-file <file>
set vpn openconnect ssl key-file <file>
Example
----
Use local user name "user4" with password "SecretPassword"
Client IP addresses will be provided from pool 100.64.0.0/24
The Gateway IP Address must be in one of the router´s interfaces.
.. code-block:: none
set vpn openconnect authentication local-users username user4 password 'SecretPassword'
set vpn openconnect authentication mode 'local'
set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
set vpn openconnect network-settings name-server '1.1.1.1'
set vpn openconnect network-settings name-server '8.8.8.8'
set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem'
set vpn openconnect ssl cert-file '/config/auth/cert.pem'
set vpn openconnect ssl key-file '/config/auth/privkey.pem'
Verification
----
.. code-block:: none
vyos@RTR1:~$ show openconnect-server sessions
interface username ip remote IP RX TX state uptime
----------- ---------- ------------ ------------- -------- -------- --------- --------
sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected 12m:28s

2
docs/vpn/index.rst
View File

@ -15,4 +15,4 @@ VPN
site2site_ipsec site2site_ipsec
sstp sstp
wireguard wireguard
OpenConnect openconnect

45
docs/vpn/openconnect.rst
View File

@ -1,38 +1,51 @@
.. _vpn-openconnect: .. _vpn-openconnect:
###########
OpenConnect OpenConnect
----- ###########
OpenConnect-compatible server feature is available from this release. OpenConnect-compatible server feature is available from this release.
Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol. Openconnect VPN supports SSL connection and offers full network access. SSL VPN
The remote user will use the openconnect client to connect to the router and will receive an IP address from a VPN pool, allowing full access to the network. network extension connects the end-user system to the corporate network with
access controls based only on network layer information, such as destination IP
address and port number. So, it provides safe communication for all types of
device traffic across public networks and private networks, also encrypts the
traffic with SSL protocol.
The remote user will use the openconnect client to connect to the router and
will receive an IP address from a VPN pool, allowing full access to the network.
.. note:: All certificates should be stored on VyOS under /config/auth. If certificates are not stored in the /config directory they will not be migrated during a software update. .. note:: All certificates should be stored on VyOS under /config/auth. If
certificates are not stored in the /config directory they will not be
migrated during a software update.
*************
Configuration Configuration
^^^^^^^^^^ *************
SSL Certificates SSL Certificates
---- ================
We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL VPN tunnels. We need to generate the certificate which authenticates users who attempt to
The following command will create a self signed certificates and will be stored in the file path /config/auth access the network resource through the SSL VPN tunnels. The following command
will create a self signed certificates and will be stored in the file path
`/config/auth`.
.. code-block:: none .. code-block:: none
openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt
openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt
We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Lets Encrypt — an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server. We can also create the certificates using Cerbort which is an easy-to-use client
that fetches a certificate from Let's Encrypt an open certificate authority
launched by the EFF, Mozilla, and others and deploys it to a web server.
.. code-block:: none .. code-block:: none
sudo certbot certonly --standalone --preferred-challenges http -d <domain name> sudo certbot certonly --standalone --preferred-challenges http -d <domain name>
Server Configuration Server Configuration
------------------------- ====================
.. code-block:: none .. code-block:: none
@ -46,8 +59,9 @@ Server Configuration
set vpn openconnect ssl key-file <file> set vpn openconnect ssl key-file <file>
*******
Example Example
---- *******
Use local user name "user4" with password "SecretPassword" Use local user name "user4" with password "SecretPassword"
Client IP addresses will be provided from pool 100.64.0.0/24 Client IP addresses will be provided from pool 100.64.0.0/24
@ -57,7 +71,7 @@ The Gateway IP Address must be in one of the router´s interfaces.
set vpn openconnect authentication local-users username user4 password 'SecretPassword' set vpn openconnect authentication local-users username user4 password 'SecretPassword'
set vpn openconnect authentication mode 'local' set vpn openconnect authentication mode 'local'
set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
set vpn openconnect network-settings name-server '1.1.1.1' set vpn openconnect network-settings name-server '1.1.1.1'
set vpn openconnect network-settings name-server '8.8.8.8' set vpn openconnect network-settings name-server '8.8.8.8'
set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem' set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem'
@ -65,13 +79,14 @@ The Gateway IP Address must be in one of the router´s interfaces.
set vpn openconnect ssl key-file '/config/auth/privkey.pem' set vpn openconnect ssl key-file '/config/auth/privkey.pem'
************
Verification Verification
---- ************
.. code-block:: none .. code-block:: none
vyos@RTR1:~$ show openconnect-server sessions vyos@RTR1:~$ show openconnect-server sessions
interface username ip remote IP RX TX state uptime interface username ip remote IP RX TX state uptime
----------- ---------- ------------ ------------- -------- -------- --------- -------- ----------- ---------- ------------ ------------- -------- -------- --------- --------