From dbde2007dd177b7e00ec548337ccd33ae90a29c0 Mon Sep 17 00:00:00 2001 From: Kaarle Ritvanen Date: Wed, 4 Apr 2018 09:57:45 +0300 Subject: README file --- README.md | 137 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 README.md (limited to 'README.md') diff --git a/README.md b/README.md new file mode 100644 index 0000000..e1abf07 --- /dev/null +++ b/README.md @@ -0,0 +1,137 @@ +# setup-dmvpn + +This guide explains how to set up a Dynamic Multipoint VPN using `setup-dmvpn`. + +## Certificate Authority + +Install the Certificate Authority (CA) tool on a secure host: + +
apk add dmvpn-ca
+
+ +Configure the CA by editing `/etc/dmvpn-ca.conf`. In this example, the following +configuration is used: + +
hub:
+  hosts:
+  - hubs.example.com
+  subnets:
+  - '10.0.0.0/16'
+  - '172.18.0.0/16'
+  - 'fd00::/32'
+
+ +The `hosts` attribute specifies the IPv4 addresses of the hubs or DNS name(s) +resolving to those. In this example, it is assumed that resolution of +`hubs.example.com` yields an A record for each hub. + +The `subnets` attribute is a list of subnets used in the VPN. This should +include the address ranges of all sites and the GRE tunnel addresses. In this +example, the following IP address scheme is used: + + + + + + +
IPv4IPv6
Hub GRE address172.18.0.<hub id>fd00::<hub id>
Site VPNc GRE address172.18.<site id>.<vpnc id>fd00::<site id>:<vpnc id>
Site subnet10.<site id>.0.0/16fd00:0:<site id>::/48
+ +IPv6 addresses can be left undefined if only IPv4 is used in the VPN. + +After setting up the CA configuration, generate the root key and certificate: + +
dmvpn-ca root-cert generate
+
+ +Create the configuration for hubs and sites. In this example, there are two +hubs and two sites. Each site has two VPN concentrators (VPNcs) for redundancy. + +
dmvpn-ca hub create
+dmvpn-ca gre-addr add 172.18.0.1 hub 1
+dmvpn-ca gre-addr add fd00::1 hub 1
+
+dmvpn-ca hub create
+dmvpn-ca gre-addr add 172.18.0.2 hub 2
+dmvpn-ca gre-addr add fd00::2 hub 2
+
+dmvpn-ca site add FIN
+dmvpn-ca subnet add 10.1.0.0/16 site FIN
+dmvpn-ca subnet add fd00:0:1::/48 site FIN
+dmvpn-ca vpnc create site FIN
+dmvpn-ca gre-addr add 172.18.1.1 site FIN vpnc 1
+dmvpn-ca gre-addr add fd00::1:1 site FIN vpnc 1
+dmvpn-ca vpnc create site FIN
+dmvpn-ca gre-addr add 172.18.1.2 site FIN vpnc 2
+dmvpn-ca gre-addr add fd00::1:2 site FIN vpnc 2
+
+dmvpn-ca site add SWE
+dmvpn-ca subnet add 10.2.0.0/16 site SWE
+dmvpn-ca subnet add fd00:0:2::/48 site SWE
+dmvpn-ca vpnc create site SWE
+dmvpn-ca gre-addr add 172.18.2.1 site SWE vpnc 1
+dmvpn-ca gre-addr add fd00::2:1 site SWE vpnc 1
+dmvpn-ca vpnc create site SWE
+dmvpn-ca gre-addr add 172.18.2.2 site SWE vpnc 2
+dmvpn-ca gre-addr add fd00::2:2 site SWE vpnc 2
+
+ +Finally, generate the keys and certificates for the hubs and VPNcs: + +
dmvpn-ca cert generate
+
+ +This commands generates a PFX file for each hub and VPNc, for example: + +
# ls
+FIN_1.9D6JLGHlLmTG4bVR.pfx  SWE_1.caN3yapMTpZbIVP4.pfx  _1.hy62AqLIUJcFuT1U.pfx
+FIN_2.fXbw4HwqkLXlIbtk.pfx  SWE_2.0BElySor2L8fm6e2.pfx  _2.cDLUvB8XALBkD2vP.pfx
+
+ +The encrypted file contains the individual certificate, the corresponding +private key, and the root certificate. The password is embedded in the file +name. The file should be renamed when using out-of-band delivery for the +password. + +## Setting Up a Hub + +Install the `dmvpn` package on the host to be configured as a DMVPN hub. It is +assumed that the network configuration of the host is already in place. + +
apk add dmvpn
+
+ +Execute the setup tool using the hub's PFX file, answering the questions +prompted. The password is deduced from the file name unless renamed. Enter the +prefix lengths that uniquely identify the site. The default values are valid +for this example. The prefix length may vary among the sites, in which case the +maximum length should be given. + +
setup-dmvpn <pfx file>
+
+ +The hub is now operational. The tool sets up the `iptables` firewall +automatically using `awall`. Firewall for IPv6 (`ip6tables`) is set up only if +IPv6 addresses are defined for the VPN. + +Due to an unresolved issue, you may have to reboot the host if VPN tunnels are +not established within a reasonable time. + +## Setting Up a Site VPNc (Spoke) + +Install the `dmvpn` package on the host to be configured as a DMVPN spoke. It +is assumed that the host is already configured as a router to the site subnet. + +
apk add dmvpn
+
+ +Execute the setup tool using the spoke's PFX file, answering the questions +prompted. The password is deduced from the file name unless renamed. + +
setup-dmvpn <pfx file>
+
+ +The spoke is now operational. Firewall rules are not set up automatically for +the spokes. + +Due to an unresolved issue, you may have to reboot the host if VPN tunnels are +not established within a reasonable time.
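Review bot: in the "Certificate Authority" section the text says the PFX password is embedded in the file name and that the file "should be renamed when using out-of-band delivery for the password", but it never spells out the consequence that anyone who sees the file name (a directory listing, a transfer log, a mail attachment name) also has the password; suggest stating the rename as the required step whenever the password is not meant to travel with the file, e.g. "Rename the file before copying it off the CA host if the password is to be delivered separately." Two smaller points in the same hunk: "This commands generates a PFX file" should read "This command generates a PFX file", and the two "Due to an unresolved issue" paragraphs in the hub and spoke sections would be more useful with a link to the issue being referred to.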