Vyos client-to-site VPN with X509


#1

Dear all,
Per asking from some of my friends, today I am gong to share with you the way to configure client-to-site VPN with X.509.

  1. Configure X.509:
    1.1 go to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0/
    1.2. copy all files and sub-directories to /config/auth
    1.3. go to the directory /config/auth
    1.4. Modify the file ./vars according to your organization/private information
    1.5. set variables with : source ./vars
    1.6 build Diffie-Hellman file with: ./build-dh
    1.7. Build CA with : ./build-ca
    1.8. Build server key: ./build-key-server Name-of-Vyos-box
    1.9. Build client key: ./build-key Name-of-Client
    Now all CA and keys are in /config/auth/keys

  2. Configure VPN server:
    root@DFVN-VPN-GW# show interfaces openvpn vtun0
    description “ABC Company - VPN Remote Access”
    mode server
    openvpn-option “–push route 1.2.3.4 255.255.255.0”
    openvpn-option “–push dhcp-option DNS 5.6.7.8”
    protocol tcp-passive
    server {
    subnet 2.4.6.0/24
    }
    tls {
    ca-cert-file /config/auth/keys/ca.crt
    cert-file /config/auth/keys/Name-of-Vyos-box.crt
    dh-file /config/auth/keys/dh1024.pem
    key-file /config/auth/keys/Name-of-Vyos-box.key
    }

  3. Configure on VPN Client
    3.1 Install OpenVPN client on your Windows box
    3.2 Download 3 files ca.crt, Name-of-Client.crt and Name-of-Client.key from Vyos box to a local folder of your windows box
    3.4 The openVPN client configuration is similar to below:

           client
           dev tun
           proto tcp
           remote your-public-IP 1194
          ca "C:\\CA\\ca.crt"
          cert "C:\\ca\\Name-of-client.crt"
          key "C:\\ca\\Name-of-client.key"
    

Run the OpenVPN Client then connect

Have fun with OpenVPN client-to-site with X.509.