Site-to-site mode with TLS
When TLS is used in site-to-site mode, the vRouter configuration is the same as described in the previous section, except that you must configure TLS-related options instead of the shared-secret-key-file option. As previously discussed, one endpoint takes the passive role and the other takes the active role.
Each endpoint must also have the following files, which are required for the TLS protocol.
- Certificate Authority (CA) certificate file: This file contains the certificate of the CA, which is used to validate the certificate of the other endpoint.
- Host certificate file: This file contains the certificate of the endpoint, which is presented to the other endpoint during the TLS negotiation.
- Host key file: This file contains the private key of the endpoint, which is kept secret from anybody else.
- Certificate revocation list (CRL) file: (Optional) This file contains a list of certificates that have been revoked, which prevents endpoints presenting those certificates from establishing a VPN tunnel.
- DH parameters file: (Only needed by the passive endpoint) This file contains Diffie-Hellman parameters that are required only by the endpoint taking the passive role in the TLS negotiation.
More information about these files is available in the OpenVPN documentation.
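As an added pre-flight check (not part of the original guide or of the vRouter itself), the following POSIX shell script uses openssl to validate the files above before they are referenced from the tls options: the host certificate must chain to the CA certificate and must not appear on the CRL, and the host key must match the host certificate. The CA, host certificate, key and CRL it builds are a constructed throwaway PKI so the script runs offline; the function names, file names and scratch-directory layout are assumptions.

```shell
#!/bin/sh
# Pre-flight check of the TLS files an OpenVPN endpoint needs (CA cert,
# host cert, host key, CRL). Constructed demo: a throwaway PKI is created
# in a scratch directory; point check_tls_files at the real files for V1/V2.
set -eu

# Build a demo PKI in $1: CA, host cert signed by it, and an empty CRL.
make_demo_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=v1" \
    -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
  openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/host.crt" 2>/dev/null
  # Minimal 'openssl ca' config, enough to issue and update a CRL.
  cat > "$dir/ca.cnf" <<EOF
[ca]
default_ca = demo
[demo]
database    = $dir/index.txt
crlnumber   = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md  = sha256
default_crl_days = 30
EOF
  : > "$dir/index.txt"; echo 01 > "$dir/crlnumber"
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Revoke the demo host cert and reissue the CRL (e.g. after a key compromise).
revoke_host() {
  dir="$1"
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/host.crt" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# check_tls_files CA CERT KEY CRL
# exit 0 = ok, 1 = cert does not chain to CA or is revoked, 2 = key/cert mismatch
check_tls_files() {
  ca="$1"; cert="$2"; key="$3"; crl="$4"
  openssl verify -CAfile "$ca" -crl_check -CRLfile "$crl" "$cert" >/dev/null 2>&1 || return 1
  certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] || return 2
  return 0
}
```

Run check_tls_files with the four real paths on each endpoint; a non-zero exit code means the files should not be committed into the tls options as they are.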
The configuration that follows corresponds to the configuration for the example in the previous section. Assume that the necessary files have been generated and distributed to each endpoint and that V1 and V2 are passive and active, respectively.
To configure V1 for a site-to-site VPN with TLS, perform the following steps in configuration mode.
Step | Command
---|---
Create the vtun0 configuration node. |
Set the local IP address of the VPN tunnel. |
Set the OpenVPN mode. |
Set the remote IP address of the VPN tunnel. |
Specify the physical IP address of the remote host. |
Set the role of this endpoint. |
Specify the location of the CA certificate file. |
Specify the location of the host certificate file. |
Specify the location of the CRL file. |
Specify the location of the DH parameters file. |
Specify the location of the host key file. |
Commit the change. |
Show the OpenVPN configuration. |
Note that the configuration is the same as in the previous section except that the shared-secret-key-file option has been replaced by the tls options. The V1 endpoint takes the passive role, so the dh-file option is required. The crl-file option is also specified in this example.
To configure V2 for a site-to-site VPN with TLS, perform the following steps in configuration mode.
Step | Command
---|---
Create the vtun0 configuration node. |
Set the local IP address of the VPN tunnel. |
Set the OpenVPN mode. |
Set the remote IP address of the VPN tunnel. |
Specify the physical IP address of the remote host. |
Set the role of this endpoint. |
Specify the location of the CA certificate file. |
Specify the location of the host certificate file. |
Specify the location of the host key file. |
Commit the change. |
Show the OpenVPN configuration. |
The configuration is the same as in the previous example except that the tls options are specified instead of shared-secret-key-file; the crl-file option is not specified; and, because the V2 endpoint takes the active role, the dh-file option is not needed.