path: root/README.md
blob: 97c8c62e4662f5344546f70dd2ab27b467829e21 (plain)
# setup-dmvpn

This guide explains how to set up a Dynamic Multipoint VPN using `setup-dmvpn`.

## Certificate Authority

Install the Certificate Authority (CA) tool on a secure host:

<pre>apk add dmvpn-ca
</pre>

Configure the CA by editing `/etc/dmvpn-ca.conf`. In this example, the following
configuration is used:

<pre>hub:
  hosts:
  - hubs.example.com
  subnets:
  - '10.0.0.0/8'
  - '172.18.0.0/16'
  - 'fd00::/32'

crl:
  dist-point: 'http://crl.example.com/dmvpn-ca.crl'
  lifetime: 1800
  renewal: 1200
</pre>

The `hosts` attribute specifies the IPv4 addresses of the hubs, or DNS name(s)
that resolve to them. In this example, it is assumed that resolution of
`hubs.example.com` yields an A record for each hub.

The `subnets` attribute is a list of subnets used in the VPN. This should
include the address ranges of all sites and the GRE tunnel addresses. In this
example, the following IP address scheme is used:

<table>
<tr><td></td><th>IPv4</th><th>IPv6</th></tr>
<tr><td>Hub GRE address</td><td>172.18.0.&lt;hub id&gt;</td><td>fd00::&lt;hub id&gt;</td></tr>
<tr><td>Site VPNc GRE address</td><td>172.18.&lt;site id&gt;.&lt;vpnc id&gt;</td><td>fd00::&lt;site id&gt;:&lt;vpnc id&gt;</td></tr>
<tr><td>Site subnet</td><td>10.&lt;site id&gt;.0.0/16</td><td>fd00:0:&lt;site id&gt;::/48</td></tr>
</table>

IPv6 addresses can be left undefined if only IPv4 is used in the VPN.

The `crl` object should be left out unless the CRL distribution point will be
configured.

After setting up the CA configuration, generate the root key and certificate:

<pre>dmvpn-ca root-cert generate
</pre>

Create the configuration for hubs and sites. In this example, there are two
hubs and two sites. Each site has two VPN concentrators (VPNcs) for redundancy.

<pre>dmvpn-ca hub create
dmvpn-ca gre-addr add 172.18.0.1 hub 1
dmvpn-ca gre-addr add fd00::1 hub 1

dmvpn-ca hub create
dmvpn-ca gre-addr add 172.18.0.2 hub 2
dmvpn-ca gre-addr add fd00::2 hub 2

dmvpn-ca site add FIN
dmvpn-ca subnet add 10.1.0.0/16 site FIN
dmvpn-ca subnet add fd00:0:1::/48 site FIN
dmvpn-ca vpnc create site FIN
dmvpn-ca gre-addr add 172.18.1.1 site FIN vpnc 1
dmvpn-ca gre-addr add fd00::1:1 site FIN vpnc 1
dmvpn-ca vpnc create site FIN
dmvpn-ca gre-addr add 172.18.1.2 site FIN vpnc 2
dmvpn-ca gre-addr add fd00::1:2 site FIN vpnc 2

dmvpn-ca site add SWE
dmvpn-ca subnet add 10.2.0.0/16 site SWE
dmvpn-ca subnet add fd00:0:2::/48 site SWE
dmvpn-ca vpnc create site SWE
dmvpn-ca gre-addr add 172.18.2.1 site SWE vpnc 1
dmvpn-ca gre-addr add fd00::2:1 site SWE vpnc 1
dmvpn-ca vpnc create site SWE
dmvpn-ca gre-addr add 172.18.2.2 site SWE vpnc 2
dmvpn-ca gre-addr add fd00::2:2 site SWE vpnc 2
</pre>
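The address scheme in the table above is easy to mistype over a couple of dozen commands. As an added example (not part of `setup-dmvpn` or `dmvpn-ca`), this Python script derives the `dmvpn-ca` command sequence from the scheme and rejects any GRE address or site subnet that falls outside the CA's `subnets` list or is assigned twice; the hub, site and VPNc counts are those of the README example.

```python
import ipaddress

# Constructed to mirror the README example: the CA's `subnets` list and a
# deployment of two hubs and two sites with two VPNcs each.
VPN_SUBNETS = [ipaddress.ip_network(s) for s in ("10.0.0.0/8", "172.18.0.0/16", "fd00::/32")]
HUBS = [1, 2]
SITES = {"FIN": 1, "SWE": 2}  # site name -> site id
VPNCS_PER_SITE = 2

def hub_addrs(hub_id):  # Hub GRE address: 172.18.0.<hub id> / fd00::<hub id>
    return [f"172.18.0.{hub_id}", f"fd00::{hub_id}"]

def vpnc_addrs(site_id, vpnc_id):  # 172.18.<site id>.<vpnc id> / fd00::<site id>:<vpnc id>
    return [f"172.18.{site_id}.{vpnc_id}", f"fd00::{site_id}:{vpnc_id}"]

def site_subnets(site_id):  # Site subnet: 10.<site id>.0.0/16 / fd00:0:<site id>::/48
    return [f"10.{site_id}.0.0/16", f"fd00:0:{site_id}::/48"]

def within_vpn(prefix):
    """True if the address or prefix lies inside one of the CA's `subnets`."""
    n = ipaddress.ip_network(prefix, strict=False)
    return any(n.subnet_of(v) for v in VPN_SUBNETS if v.version == n.version)

def dmvpn_ca_commands():
    """Emit the `dmvpn-ca` sequence, rejecting out-of-VPN or duplicate addresses."""
    cmds, seen = [], set()

    def add(kind, value, owner):
        # Every subnet and GRE address must lie inside the CA's `subnets`,
        # and no GRE address may be assigned to two nodes.
        if not within_vpn(value):
            raise ValueError(f"{value} is outside the configured VPN subnets")
        if kind == "gre-addr" and value in seen:
            raise ValueError(f"GRE address {value} assigned twice")
        seen.add(value)
        cmds.append(f"dmvpn-ca {kind} add {value} {owner}")

    for hub in HUBS:
        cmds.append("dmvpn-ca hub create")
        for a in hub_addrs(hub):
            add("gre-addr", a, f"hub {hub}")
    for site, sid in SITES.items():
        cmds.append(f"dmvpn-ca site add {site}")
        for s in site_subnets(sid):
            add("subnet", s, f"site {site}")
        for vid in range(1, VPNCS_PER_SITE + 1):
            cmds.append(f"dmvpn-ca vpnc create site {site}")
            for a in vpnc_addrs(sid, vid):
                add("gre-addr", a, f"site {site} vpnc {vid}")
    return cmds
```

Printing `"\n".join(dmvpn_ca_commands())` reproduces the command block above; change a constant (for example a site id outside 172.18.0.0/16) and the script fails before any command is emitted.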

Finally, generate the keys and certificates for the hubs and VPNcs:

<pre>dmvpn-ca cert generate
</pre>

This command generates a PFX file for each hub and VPNc, for example:

<pre># ls
FIN_1.9D6JLGHlLmTG4bVR.pfx  SWE_1.caN3yapMTpZbIVP4.pfx  _1.hy62AqLIUJcFuT1U.pfx
FIN_2.fXbw4HwqkLXlIbtk.pfx  SWE_2.0BElySor2L8fm6e2.pfx  _2.cDLUvB8XALBkD2vP.pfx
</pre>

Each encrypted file contains the individual certificate, the corresponding
private key, and the root certificate. The password is embedded in the file
name. If the password is to be delivered out of band, rename the file so that
it no longer contains the password.
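As an added example, not part of the dmvpn tools, the following Python helper separates the password from each bundle before out-of-band delivery. It assumes the password is the token between the two dots of the generated file name, as in the listing above, and uses openssl(1) to confirm that each bundle opens with that password before the file is renamed.

```python
import os
import re
import subprocess

# Name layout as shown in the README listing (assumed, not documented):
# <site>_<id>.<password>.pfx, with an empty <site> for hubs, e.g. _1.hy62AqLIUJcFuT1U.pfx
PFX_NAME = re.compile(r"^(?P<stem>[^.]*_\d+)\.(?P<password>[^.]+)\.pfx$")

def split_pfx_name(name):
    """Return (name without password, password), e.g. ('FIN_1', '9D6JLGHlLmTG4bVR')."""
    m = PFX_NAME.match(name)
    if not m:
        raise ValueError(f"not a dmvpn-ca PFX name: {name}")
    return m["stem"], m["password"]

def pfx_opens(path, password):
    """Verify with openssl(1) that the bundle decrypts with the given password."""
    # OpenSSL 3 may additionally need `-legacy` for bundles using older ciphers.
    r = subprocess.run(["openssl", "pkcs12", "-in", path, "-passin", f"pass:{password}",
                        "-noout"], capture_output=True)
    return r.returncode == 0

def prepare_oob(directory):
    """Drop the password from each bundle's file name; return {new name: password}.

    Run this before handing the PFX files to the hub/VPNc operators, so the
    password travels separately from the file (and from directory listings,
    shell history and transfer logs that record the file name).
    """
    passwords = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pfx"):
            continue
        stem, pw = split_pfx_name(name)
        src, dst = os.path.join(directory, name), os.path.join(directory, stem + ".pfx")
        if not pfx_opens(src, pw):
            raise RuntimeError(f"{name}: bundle does not open with the embedded password")
        os.rename(src, dst)
        passwords[stem + ".pfx"] = pw
    return passwords
```

After renaming, `setup-dmvpn` can no longer deduce the password and will prompt for it, which is the intended behaviour for out-of-band delivery.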

## Setting Up CRL Distribution Point

In this example, the CA host serves also as the CRL distribution point. It is
assumed that `crl.example.com` resolves to the IP address of that host.

Execute the following commands on the CA host to set up CRL distribution:

<pre>apk add dmvpn-crl-dp
dmvpn-crl-update
rc-update add lighttpd
rc-service lighttpd start
</pre>

## Setting Up a Hub

*Warning*: This procedure will automatically set up the `iptables` firewall
using `awall`. If you require any additional rules, such as allowing SSH access
to the host, you should configure those first. The easiest way to do so is to
use the `setup-firewall` utility:

<pre>apk add awall-policies
setup-firewall
</pre>

Install the `dmvpn` package on the host to be configured as a DMVPN hub. It is
assumed that the network configuration of the host is already in place.

<pre>apk add dmvpn
</pre>

Execute the setup tool using the hub's PFX file, answering the questions
prompted. The password is deduced from the file name unless the file has been
renamed. Enter the prefix lengths that uniquely identify a site. The default
values are valid for this example. If the prefix length varies among the
sites, give the maximum length.

<pre>setup-dmvpn &lt;pfx file&gt;
</pre>

The hub is now operational and its firewall has been set up. The IPv6 firewall
(`ip6tables`) is set up by `setup-dmvpn` only if IPv6 addresses are defined for
the VPN. (`setup-firewall` sets it up if IPv6 is enabled in the kernel.)

Due to an unresolved issue, you may have to reboot the host if VPN tunnels are
not established within a reasonable time.

## Setting Up a Site VPNc (Spoke)

Install the `dmvpn` package on the host to be configured as a DMVPN spoke. It
is assumed that the host is already configured as a router to the site subnet.

<pre>apk add dmvpn
</pre>

Execute the setup tool using the spoke's PFX file, answering the questions
prompted. The password is deduced from the file name unless the file has been
renamed.

<pre>setup-dmvpn &lt;pfx file&gt;
</pre>

The spoke is now operational. Firewall rules are updated automatically if they
are managed using `awall`.

Due to an unresolved issue, you may have to reboot the host if VPN tunnels are
not established within a reasonable time.