Vyatta Network OS Documentation


Remote access mode

The following figure illustrates a typical remote access VPN setup in which one OpenVPN endpoint acts as the server. Remote users run OpenVPN as clients to connect to the server and establish VPN tunnels.

Figure 1. Remote access mode

Note that OpenVPN requires TLS in remote access mode, and the server takes the passive role while the clients are active. Therefore, it is not necessary to specify the tls role option when operating in this mode. In the preceding figure, assuming that V1 is the server and V2 is a client, the configuration for V1 is shown below.

To configure V1 for remote access with TLS, perform the following steps in configuration mode. The example has the following characteristics.

  • The mode option specifies that this endpoint operates in server mode.
  • The server subnet option indicates that each client's tunnel IP address is allocated from the 192.168.200.0/24 subnet and that the tunnel IP address of the server (that is, the address of vtun0 on the server) is 192.168.200.1.
  • The remote-host option is not set because the clients actively contact the server.

Table 1. V1 OpenVPN configuration: remote access with TLS (server). Each step is followed by the command that performs it.

Create the vtun0 configuration node.

vyatta@V1# set interfaces openvpn vtun0

Set the OpenVPN mode.

vyatta@V1# set interfaces openvpn vtun0 mode server

Set the subnet for the OpenVPN tunnel.

vyatta@V1# set interfaces openvpn vtun0 server subnet 192.168.200.0/24

Specify the location of the CA certificate file.

vyatta@V1# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt

Specify the location of the host certificate file.

vyatta@V1# set interfaces openvpn vtun0 tls cert-file /config/auth/V1.crt

Specify the location of the certificate revocation list (CRL) file.

vyatta@V1# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem

Specify the location of the Diffie-Hellman (DH) parameters file.

vyatta@V1# set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

Specify the location of the host key file.

vyatta@V1# set interfaces openvpn vtun0 tls key-file /config/auth/V1.key

Commit the change.

vyatta@V1# commit

Show the OpenVPN configuration.

vyatta@V1# show interfaces openvpn vtun0
 mode server
 server {
    subnet 192.168.200.0/24
 }
 tls {
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V1.crt
    crl-file /config/auth/crl.pem
    dh-file /config/auth/dh1024.pem
    key-file /config/auth/V1.key
 }

To configure V2 for remote access with TLS, perform the following steps in configuration mode. This example has the following characteristics.

  • V2 is in client mode and actively contacts the server, so the remote-host option is required to give the address of the server.
  • When the tunnel is established, the tunnel IP address of V2 (that is, the address of vtun0 on V2) is assigned by V1 from the 192.168.200.0/24 subnet.

Table 2. V2 OpenVPN configuration: remote access with TLS (client). Each step is followed by the command that performs it.

Create the vtun0 configuration node.

vyatta@V2# set interfaces openvpn vtun0

Set the OpenVPN mode.

vyatta@V2# set interfaces openvpn vtun0 mode client

Specify the physical IP address of the remote host (the server, V1).

vyatta@V2# set interfaces openvpn vtun0 remote-host 12.34.56.78

Specify the location of the CA certificate file.

vyatta@V2# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt

Specify the location of the host certificate file.

vyatta@V2# set interfaces openvpn vtun0 tls cert-file /config/auth/V2.crt

Specify the location of the host key file.

vyatta@V2# set interfaces openvpn vtun0 tls key-file /config/auth/V2.key

Commit the change.

vyatta@V2# commit

Show the OpenVPN configuration.

vyatta@V2# show interfaces openvpn vtun0
 mode client
 remote-host 12.34.56.78
 tls {
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V2.crt
    key-file /config/auth/V2.key
 }
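As an added example (not part of the Vyatta documentation), the following Python parses the `show interfaces openvpn vtun0` output from either table into a dictionary and checks the mode-specific requirements the two tables illustrate: a server needs a tls dh-file and a server subnet, a client needs remote-host, and both need the CA certificate, host certificate and host key. The sample tree is constructed from the V1 output; the function names are my own.

```python
import ipaddress
# Constructed sample input: the V1 server tree from the 'show' output above.
SERVER_SHOW = """\
 mode server
 server {
    subnet 192.168.200.0/24
 }
 tls {
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V1.crt
    crl-file /config/auth/crl.pem
    dh-file /config/auth/dh1024.pem
    key-file /config/auth/V1.key
 }
"""

def parse_show(text):
    """Parse the brace-delimited Vyatta config tree into nested dicts of leaf values."""
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("{"):                          # open a child node
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":                               # close the current node
            stack.pop()
        else:                                           # leaf: "key value"
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def server_tunnel_address(subnet):
    """The server takes the first host address of the client pool (192.168.200.1 for /24)."""
    return str(next(ipaddress.ip_network(subnet, strict=True).hosts()))

def check_endpoint(cfg):
    """List the settings the endpoint's mode requires but the tree lacks (empty = ok)."""
    mode, tls, problems = cfg.get("mode"), cfg.get("tls", {}), []
    extra_tls = {"server": ["dh-file"], "client": []}.get(mode)
    if extra_tls is None:
        return [f"unsupported mode {mode!r}"]
    for key in ["ca-cert-file", "cert-file", "key-file"] + extra_tls:
        if key not in tls:
            problems.append(f"tls {key} missing")
    if mode == "server" and "subnet" not in cfg.get("server", {}):
        problems.append("server subnet missing")
    if mode == "client" and "remote-host" not in cfg:
        problems.append("client mode needs remote-host")
    return problems
```

Run `check_endpoint(parse_show(text))` on the output of `show interfaces openvpn vtun0` from either endpoint; an empty list means every setting the tables require for that mode is present.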