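# Creating keys
#
# Walkthrough for building an OpenVPN CA, the two peer certificates and a
# tls-auth key with easy-rsa 2.0 on VyOS, then staging them in /config/auth/
# for the site-to-site config further down.  Several easy-rsa steps
# (build-ca, build-key-server, build-key) prompt interactively, so this is
# meant to be run step by step, not unattended.
easyrsa_dir=/config/easy-rsa2
auth_dir=/config/auth
cp -rv -- /usr/share/doc/openvpn/examples/easy-rsa/2.0/ "$easyrsa_dir"
# Edit vars: KEY_SIZE decides the RSA key length and the name of the DH file
# (build-dh writes dh${KEY_SIZE}.pem); 1024 is considered weak, prefer 2048+.
vi "$easyrsa_dir/vars"
# Every easy-rsa script below relies on the cwd and on the variables exported
# by vars (KEY_DIR, KEY_SIZE, ...), so abort if either step fails.
cd "$easyrsa_dir" || exit 1
source ./vars || exit 1
# Clear old: wipes everything under $KEY_DIR, so only run this on a fresh setup.
./clean-all
# Build keys
./build-ca
./build-dh
./build-key-server vyos-1
# For tls-auth: a pre-shared HMAC key used by both sides (key-direction 0/1)
/usr/sbin/openvpn --genkey --secret ta.key
mv -- ta.key "$KEY_DIR/"
# Copy keys to /config/auth/
# Public material keeps default permissions; the private key and the shared
# tls-auth secret are installed mode 0600 so they are not world-readable.
install -m 644 -- "$KEY_DIR/ca.crt" "$auth_dir/"
# The DH file name must match the 'tls dh-file' entry in the VyOS config.
install -m 644 -- "$KEY_DIR/dh${KEY_SIZE}.pem" "$auth_dir/"
install -m 600 -- "$KEY_DIR/vyos-1.key" "$auth_dir/"
install -m 644 -- "$KEY_DIR/vyos-1.crt" "$auth_dir/"
install -m 600 -- "$KEY_DIR/ta.key" "$auth_dir/"
# Build key for second site, and copy the files it needs to vyos-2.
./build-key vyos-2
# vyos-2 needs its own key/cert, the CA cert and the shared ta.key; the CA
# cert was previously missing from this copy step even though the listing
# below expects it.  Set the private-key/ta.key permissions on vyos-2 as above.
scp -- "$KEY_DIR/vyos-2.key" "$KEY_DIR/vyos-2.crt" "$KEY_DIR/ca.crt" "$KEY_DIR/ta.key" "user@vyos-2:$auth_dir/"
# After all /config/auth/ should look like:
#
# vyos-1 files in /config/auth/
# ca.crt
# vyos-1.key
# vyos-1.crt
# dh1024.pem   (dh${KEY_SIZE}.pem - dh1024.pem only if vars sets KEY_SIZE=1024)
# ta.key
#
# vyos-2 files in /config/auth/
# ca.crt
# vyos-2.key
# vyos-2.crt
# ta.key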
# VyOS Config
#
# Site-to-site OpenVPN between two VyOS routers over eth1, authenticated with
# the easy-rsa certificates built above plus the tls-auth HMAC key.  The two
# stanzas mirror each other: local/remote addresses are swapped, the tls-auth
# key-direction is 0 on the hub and 1 on the spoke, and only the passive side
# carries a dh-file.
# NOTE(review): 1.1.1.1 / 1.1.1.2 look like placeholder endpoint addresses;
# 1.1.1.0/24 is a publicly routed prefix, so substitute the real WAN addresses.
# vyos-1 (role passive - hub)
set ethernet eth1 address '1.1.1.1/24'
set openvpn vtun0 description 'OpenVPN site2site'
# Data-channel cipher and HMAC; both ends must agree on the same values.
set openvpn vtun0 encryption 'aes256'
set openvpn vtun0 hash 'sha512'
# Tunnel endpoints: a /30 with .1 on the hub and .2 on the spoke.
set openvpn vtun0 local-address 172.16.0.1 subnet-mask '255.255.255.252'
set openvpn vtun0 local-host '1.1.1.1'
set openvpn vtun0 mode 'site-to-site'
# Same ta.key on both sides; key-direction 0 here, 1 on vyos-2.
set openvpn vtun0 openvpn-option 'tls-auth /config/auth/ta.key 0'
set openvpn vtun0 remote-address '172.16.0.2'
set openvpn vtun0 remote-host '1.1.1.2'
set openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set openvpn vtun0 tls cert-file '/config/auth/vyos-1.crt'
# dh is required only on passive (hub)
# The file name follows KEY_SIZE from the easy-rsa vars file (build-dh writes
# dh${KEY_SIZE}.pem); 1024-bit DH is considered weak, so a larger KEY_SIZE
# changes this path accordingly.
set openvpn vtun0 tls dh-file '/config/auth/dh1024.pem'
# Private key: keep it mode 0600 on the router.
set openvpn vtun0 tls key-file '/config/auth/vyos-1.key'
set openvpn vtun0 tls role 'passive'
# vyos-2 (role active - spoke)
set ethernet eth1 address '1.1.1.2/24'
set openvpn vtun0 description 'OpenVPN site2site'
# Must match the hub's encryption/hash settings above.
set openvpn vtun0 encryption 'aes256'
set openvpn vtun0 hash 'sha512'
set openvpn vtun0 local-address 172.16.0.2 subnet-mask '255.255.255.252'
set openvpn vtun0 local-host '1.1.1.2'
set openvpn vtun0 mode 'site-to-site'
# Opposite key-direction (1) from the hub's tls-auth line.
set openvpn vtun0 openvpn-option 'tls-auth /config/auth/ta.key 1'
set openvpn vtun0 remote-address '172.16.0.1'
set openvpn vtun0 remote-host '1.1.1.1'
set openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set openvpn vtun0 tls cert-file '/config/auth/vyos-2.crt'
# No dh-file on the active side; the spoke uses the hub's DH parameters.
set openvpn vtun0 tls key-file '/config/auth/vyos-2.key'
set openvpn vtun0 tls role 'active'