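# Creating keys
#
# Runbook for a two-node VyOS OpenVPN site-to-site tunnel: vyos-1 is the
# passive hub, vyos-2 the active spoke. Run the key-generation part on vyos-1,
# step by step (editing vars is interactive); the "VyOS Config" part is entered
# in the VyOS configuration CLI on the node named in each section.
# Requires: openvpn with the bundled easy-rsa 2.0 examples, and scp access to
# /config/auth/ on vyos-2.
cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2
# Edit vars. KEY_SIZE in vars drives both the RSA and the DH size; 1024 is the
# historical default and is weak by current standards. Raising it to 2048 makes
# build-dh emit dh2048.pem, so the dh-file paths further down must be adjusted
# to match.
vi /config/easy-rsa2/vars
# easy-rsa scripts resolve paths relative to the cwd, so abort if the cd fails
# rather than running clean-all/build-* in the wrong directory
cd /config/easy-rsa2/ || exit 1
source ./vars
# Clear old: wipes the keys/ directory, including any existing CA and certs
./clean-all
# Build keys
./build-ca
./build-dh
./build-key-server vyos-1
# For tls-auth: a shared HMAC key; both ends must hold the identical file
/usr/sbin/openvpn --genkey --secret ta.key
mv ta.key keys/
# Copy keys to /config/auth/
cp /config/easy-rsa2/keys/ca.crt /config/auth/
cp /config/easy-rsa2/keys/dh1024.pem /config/auth/
cp /config/easy-rsa2/keys/vyos-1.key /config/auth/
cp /config/easy-rsa2/keys/vyos-1.crt /config/auth/
cp /config/easy-rsa2/keys/ta.key /config/auth/
# The private key and the tls-auth secret must not be readable by other users
chmod 600 /config/auth/vyos-1.key /config/auth/ta.key
# Build key for second site, and copy them.
# NOTE: this generates vyos-2's private key on the hub and ships it over scp.
# Only .crt and .key are needed on vyos-2 (not the .csr), and vyos-2 also
# needs ca.crt to verify the hub's certificate — see the listing below.
./build-key vyos-2
scp keys/ca.crt keys/vyos-2.crt keys/vyos-2.key user@vyos-2:/config/auth/
scp keys/ta.key user@vyos-2:/config/auth/
# After all /config/auth/ should look like:
#
# vyos-1 files in /config/auth/
# ca.crt
# vyos-1.key
# vyos-1.crt
# dh1024.pem
# ta.key
#
# vyos-2 files in /config/auth/
# ca.crt
# vyos-2.key
# vyos-2.crt
# ta.key
# VyOS Config
# vyos-1 (role passive - hub)
set ethernet eth1 address '1.1.1.1/24'
set openvpn vtun0 description 'OpenVPN site2site'
set openvpn vtun0 encryption 'aes256'
set openvpn vtun0 hash 'sha512'
set openvpn vtun0 local-address 172.16.0.1 subnet-mask '255.255.255.252'
set openvpn vtun0 local-host '1.1.1.1'
set openvpn vtun0 mode 'site-to-site'
# tls-auth key direction: 0 on the passive (server) side, 1 on the active side;
# the two ends must use opposite directions
set openvpn vtun0 openvpn-option 'tls-auth /config/auth/ta.key 0'
set openvpn vtun0 remote-address '172.16.0.2'
set openvpn vtun0 remote-host '1.1.1.2'
set openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set openvpn vtun0 tls cert-file '/config/auth/vyos-1.crt'
# dh is required only on passive (hub)
set openvpn vtun0 tls dh-file '/config/auth/dh1024.pem'
set openvpn vtun0 tls key-file '/config/auth/vyos-1.key'
set openvpn vtun0 tls role 'passive'
# vyos-2 (role active - spoke)
set ethernet eth1 address '1.1.1.2/24'
set openvpn vtun0 description 'OpenVPN site2site'
set openvpn vtun0 encryption 'aes256'
set openvpn vtun0 hash 'sha512'
set openvpn vtun0 local-address 172.16.0.2 subnet-mask '255.255.255.252'
set openvpn vtun0 local-host '1.1.1.2'
set openvpn vtun0 mode 'site-to-site'
# direction 1 here, mirroring the 0 configured on vyos-1
set openvpn vtun0 openvpn-option 'tls-auth /config/auth/ta.key 1'
set openvpn vtun0 remote-address '172.16.0.1'
set openvpn vtun0 remote-host '1.1.1.1'
set openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set openvpn vtun0 tls cert-file '/config/auth/vyos-2.crt'
set openvpn vtun0 tls key-file '/config/auth/vyos-2.key'
set openvpn vtun0 tls role 'active'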