Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Generating the client bundle

The following example shows how to configure the generation of the SSL-VPN client bundle using the interfaces openvpn commands.

Table 1. Configuring the generation of the client bundle

Step 1. Configure the OpenVPN tunnel interface for authentication (see Authentication of the client bundle).
    Command: vyatta@vyatta# set interfaces openvpn vtunX auth ...

Step 2. Configure the path to the file that contains the TLS CA certificate, which is part of the client bundle.
    Command: vyatta@vyatta# set interfaces openvpn vtunX tls ca-cert-file filename_of_the_TLS_CA_certificate

Step 3. Configure the SSL-VPN server address to use for the client bundle.
    Command: vyatta@vyatta# set interfaces openvpn vtunX local-host SSL-VPN_server_address

Step 4. Configure the SSL-VPN server port to use for the client bundle.
    Command: vyatta@vyatta# set interfaces openvpn vtunX local-port SSL-VPN_server_port

Step 5. Specify that the SSL-VPN server does not require a TLS client certificate: client bundles do not use TLS client certificates for authentication, so they are not required on the SSL-VPN connection.
    Command: vyatta@vyatta# set interfaces openvpn vtunX client-cert-not-required

Step 6. Set a description, which serves as the name of the SSL-VPN endpoint.
    Command: vyatta@vyatta# set interfaces openvpn vtunX description SSL-VPN_endpoint_name_for_end_user

The client-cert-not-required keyword must be set to allow SSL-VPN clients to connect without a TLS client certificate that is specific to an end user. Even if client certificates were created, they are not included in any SSL-VPN client bundles.

The description serves as the identifier for various objects. On non-OpenVPN interfaces, the description serves as the network interface alias and is shown in the administration web interface in the dashboard overview.

In the context of the SSL-VPN client bundle, the description is also used in the following places:

  • The Service-User Web Portal, where it is presented to the end user as the name of the SSL-VPN instance or endpoint
  • The profile name shown inside the Ciena SSL-VPN client
  • The profile name shown in Tunnelblick
  • The profile name shown in the Linux Network Manager applets
  • The file names of the client bundles

Tip: use an end-user friendly name to distinguish between different SSL-VPN endpoints or vRouter instances, for example ACME HQ, ACME EMEA, and so on. Setting the description to ACME HQ results in client bundle files, which the user has to download, with names like ACME HQ v1.exe, ACME HQ v1.zip, and so forth.

In addition to the mandatory settings, the optional settings shown in the following example influence the configuration of the client bundle.

The following example shows how to configure additional settings for the client bundle.

Table 2. Configuring the generation of the client bundle

Step 1. Configure the hash algorithm.
    Command: vyatta@vyatta# set interfaces openvpn vtunX hash hash_algorithm

Step 2. Configure the encryption method.
    Command: vyatta@vyatta# set interfaces openvpn vtunX encryption encryption_method

Step 3. Configure the transport protocol.
    Command: vyatta@vyatta# set interfaces openvpn vtunX protocol transport_protocol_to_use

When optional settings or mandatory settings are changed, a new version of the SSL-VPN client bundles is generated during the next configuration commit.

To enable client bundle generation, you must specify the operating systems for which bundles are to be created.

By default, no client bundle is generated if no operating system is explicitly configured.

The following example shows how to create client bundles for all three operating systems on commit.

Table 3. Configuring the operating systems

Step 1. Configure OS X as a target operating system for which to create a client bundle.
    Command: vyatta@vyatta# set interfaces openvpn vtunX client-bundle osx

Step 2. Configure a generic client bundle, which consists of a standard OpenVPN-formatted configuration file.
    Command: vyatta@vyatta# set interfaces openvpn vtunX client-bundle generic

Step 3. Configure Linux as a target operating system for which to create a client bundle.
    Command: vyatta@vyatta# set interfaces openvpn vtunX client-bundle linux
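Because the generic bundle is a standard OpenVPN-formatted profile, a generated file can be checked against the vtunX settings it was built from before it is handed to end users. The following checker is an added example, not Vyatta code; the sample profile and its host, port, cipher and hash values are constructed, and the exact file Vyatta emits is assumed to follow the usual OpenVPN directive syntax.

```python
import re

# Constructed sample of a generic (OpenVPN-format) client profile; an assumption, as the page does not show the exact file Vyatta emits.
SAMPLE_PROFILE = """\
client
proto udp
remote vpn.example.com 1194
auth-user-pass
cipher AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
</ca>
"""

def parse_profile(text):
    """Return (directives: name -> list of arg lists, inline blocks: name -> body text)."""
    directives, blocks, current, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m and not m.group(1):  # opening inline tag such as <ca>
            current, body = m.group(2), []
        elif m:  # closing inline tag, store the collected body
            blocks[current], current = "\n".join(body), None
        elif current is not None:
            body.append(line)
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def check_bundle(text, host, port, proto, cipher, hash_alg):
    """Compare a profile with the vtunX settings; an empty list means it matches."""
    d, b = parse_profile(text)
    expect = {"remote": [host, str(port)], "proto": [proto],
              "cipher": [cipher], "auth": [hash_alg]}
    findings = [f"{k} does not match configured {v}" for k, v in expect.items()
                if v not in d.get(k, [])]
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing: end user would not be prompted for credentials")
    if "ca" not in b:
        findings.append("<ca> block missing: client cannot verify the SSL-VPN server")
    if b.keys() & {"cert", "key"}:
        findings.append("client cert/key present: client bundles must not carry them")
    return findings
```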