diff --git a/README.md b/README.md index 8c940fc..98f3acf 100644 --- a/README.md +++ b/README.md @@ -60,8 +60,8 @@ The configurations generated by this tool will not need multiple files but inclu After you've set up your folder (you also could use one of the example configurations in the [`example` folder](https://github.com/Luzifer/vault-openvpn/tree/master/example) of this repository) you can issue your servers configuration: -```bash -# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io +```console +$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io server 10.231.0.0 255.255.255.0 route 10.231.0.0 255.255.255.0 @@ -70,8 +70,8 @@ route 10.231.0.0 255.255.255.0 And also you can generate client configurations: -```bash -# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io +```console +$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io remote myserver.com 1194 udp [...] @@ -79,8 +79,8 @@ remote myserver.com 1194 udp In case someone needs to get removed from your OpenVPN there is also a revoke: -```bash -# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io revoke baduser.openvpn.luzifer.io +```console +$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io revoke baduser.openvpn.luzifer.io [...] 2016/07/25 15:06:58 Found certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0 with CN baduser.openvpn.luzifer.io 2016/07/25 15:06:58 Revoked certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0 
@@ -89,31 +89,31 @@ In case someone needs to get removed from your OpenVPN there is also a revoke: To have revokes being executed by OpenVPN you need to periodically update the CRL file OpenVPN reads. For my solution see the `living-example` in the `example` folder. -## Using Tls Auth -OpenVPN highly recommends using TLS Authentication hardening, see https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#TLSAuthentication +## Using TLS authentication +OpenVPN highly recommends using TLS authentication hardening, see [GettingStartedwithOVPN](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#TLSAuthentication). -This requires the use of a pre-shared key, if you want to use it you will first need to generate tls auth key and then upload it to vault. +This requires the use of a pre-shared key: If you want to use it, you will first need to generate a TLS authentication key and then upload it into vault: -```bash -openvpn --genkey --secret openvpn.key -vault kv put secret/ovpn key=@openvpn.key +```console +$ openvpn --genkey --secret openvpn.key +$ vault kv put secret/ovpn key=@openvpn.key ``` -In the above example we call the secret "ovpn" but you can call it anything you want, so long as its a known value. -The key must be placed into both the client and server configurations and must match, edit both config templates to include a section as shown below +In the above example we call the secret "ovpn" but you can call it anything you want, as long as it is a known value. +The key must be placed into both the client and server configurations and must match. Edit both config templates to include a section as shown below: ``` -{{ .TlsAuth }} +{{ .TLSAuth }} ``` Now run vault-openvpn passing in the name of the secret that holds our key, e.g. 
-```bash +```console # for the server config -vault-openvpn --auto-revoke --ovpn-key ovpn --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io +$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io -# and for the client config -vault-openvpn --auto-revoke --ovpn-key ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io +# for the client config +$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io ```
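Review bot: in the `@@ -89,31 +89,31 @@` hunk the final console block changes the `--ovpn-key` argument from `ovpn` to `secret/ovpn`, but the prose in the same hunk still says 'In the above example we call the secret "ovpn"' and 'passing in the name of the secret that holds our key', which now reads as if the bare name were enough; reword it to say the flag takes the full KV path (`secret/ovpn`, matching the earlier `vault kv put secret/ovpn key=@openvpn.key`). Two smaller points in the same hunk: renaming the template variable from `{{ .TlsAuth }}` to `{{ .TLSAuth }}` breaks every existing user template unless the Go field was renamed in the same change, so this commit should either include that code change or reference it, and the README should mention the rename; and the last block mixes `$` prompts with `# for the server config` comment lines, which inside a `console` fence look like the root prompt the `-60`, `-70` and `-79` hunks just removed, so write them as `$ # for the server config` or move them into prose. Since the key is written to `openvpn.key` before it is uploaded, the section could also tell readers to remove the local copy once it is in Vault: the same pre-shared key is placed in every client and server configuration, so a stray copy on the build host weakens the hardening the section recommends.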