1
0
Fork 0
mirror of https://github.com/Luzifer/vault-openvpn.git synced 2024-12-25 06:11:21 +00:00

Adjust wording and formatting

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2018-05-27 10:21:08 +02:00
parent 86a9864b56
commit 3bd30a693c
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E

View file

@ -60,8 +60,8 @@ The configurations generated by this tool will not need multiple files but inclu
After you've set up your folder (you also could use one of the example configurations in the [`example` folder](https://github.com/Luzifer/vault-openvpn/tree/master/example) of this repository) you can issue your servers configuration:
```bash
# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io
```console
$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io
server 10.231.0.0 255.255.255.0
route 10.231.0.0 255.255.255.0
@ -70,8 +70,8 @@ route 10.231.0.0 255.255.255.0
And also you can generate client configurations:
```bash
# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
```console
$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
remote myserver.com 1194 udp
[...]
@ -79,8 +79,8 @@ remote myserver.com 1194 udp
In case someone needs to get removed from your OpenVPN there is also a revoke:
```bash
# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io revoke baduser.openvpn.luzifer.io
```console
$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io revoke baduser.openvpn.luzifer.io
[...]
2016/07/25 15:06:58 Found certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0 with CN baduser.openvpn.luzifer.io
2016/07/25 15:06:58 Revoked certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0
@ -89,31 +89,31 @@ In case someone needs to get removed from your OpenVPN there is also a revoke:
To have revokes being executed by OpenVPN you need to periodically update the CRL file OpenVPN reads. For my solution see the `living-example` in the `example` folder.
## Using Tls Auth
OpenVPN highly recommends using TLS Authentication hardening, see https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#TLSAuthentication
## Using TLS authentication
OpenVPN highly recommends using TLS authentication hardening, see [GettingStartedwithOVPN](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#TLSAuthentication).
This requires the use of a pre-shared key, if you want to use it you will first need to generate tls auth key and then upload it to vault.
This requires the use of a pre-shared key: If you want to use it, you will first need to generate a TLS authentication key and then upload it into vault:
```bash
openvpn --genkey --secret openvpn.key
vault kv put secret/ovpn key=@openvpn.key
```console
$ openvpn --genkey --secret openvpn.key
$ vault kv put secret/ovpn key=@openvpn.key
```
In the above example we call the secret "ovpn" but you can call it anything you want, so long as its a known value.
The key must be placed into both the client and server configurations and must match, edit both config templates to include a section as shown below
In the above example we call the secret "ovpn" but you can call it anything you want, as long as it is a known value.
The key must be placed into both the client and server configurations and must match. Edit both config templates to include a section as shown below:
```
<tls-auth>
{{ .TlsAuth }}
{{ .TLSAuth }}
</tls-auth>
```
Now run vault-openvpn passing in the name of the secret that holds our key, e.g.
```bash
```console
# for the server config
vault-openvpn --auto-revoke --ovpn-key ovpn --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io
$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io
# and for the client config
vault-openvpn --auto-revoke --ovpn-key ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
# for the client config
$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
```