~fkooman/vpn-documentation

acd941413fe182ec7475307e881358fdf546b360 — François Kooman 4 hours ago c370e79 v3
fix tls docs
1 files changed, 23 insertions(+), 20 deletions(-)

M MULTI_NODE.md
M MULTI_NODE.md => MULTI_NODE.md +23 -20
@@ 234,7 234,7 @@ client(s) under "Connections" in the portal when connected.

## TLS

**NOTE**: these instructions are for Fedora, not yet for Debian!
**NOTE**: these instructions are for Debian, not for Fedora!

When everything works properly using HTTP, you SHOULD switch to HTTPS for
communication between controller and node(s). Without TLS there is no


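Review bot: the NOTE on the changed line flips the target platform from "Fedora, not yet for Debian" to "Debian, not for Fedora" without saying what happened to the Fedora procedure; since the rest of this commit replaces the `/etc/sysconfig/vpn-daemon` (Fedora-style) configuration with a systemd drop-in, a reader on Fedora is left without guidance. Suggest either stating explicitly that the Fedora instructions were removed and where they now live, or keeping both variants under separate "Fedora" and "Debian" subsections so the NOTE does not have to exclude one platform.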
@@ 256,36 256,39 @@ $ vpn-ca -client  -name vpn-daemon-client
```

Copy `ca.crt`, `node-X.vpn.example.org.crt` and `node-X.vpn.example.org.key` to
the respective node(s). Store them in `/etc/vpn-daemon` as `ca.crt`, 
`server.crt` and `server.key`. Make sure they can be read by the `vpn-daemon` 
process:
the respective node(s). Store them in the following locations (note the 
`private` folder for the key):

```bash
$ sudo -s
$ cd /etc/vpn-daemon
$ chmod 0640 *
$ chgrp vpn-daemon *
```
| File                         | Location                                 |
| ---------------------------- | ---------------------------------------- |
| `ca.crt`                     | `/etc/ssl/vpn-daemon/ca.crt`             | 
| `node-X.vpn.example.org.crt` | `/etc/ssl/vpn-daemon/server.crt`         |
| `node-X.vpn.example.org.key` | `/etc/ssl/vpn-daemon/private/server.key` |

Modify `/etc/sysconfig/vpn-daemon` and enable the `CREDENTIALS_DIRECTORY` 
option:
Now, enable [System and Service Credentials](https://systemd.io/CREDENTIALS/)
by writing the following content to 
`/etc/systemd/system/vpn-daemon.service.d/credentials.conf`:

```
CREDENTIALS_DIRECTORY=/etc/vpn-daemon
[Service]
LoadCredential=ca.crt:/etc/ssl/vpn-daemon/ca.crt
LoadCredential=server.crt:/etc/ssl/vpn-daemon/server.crt
LoadCredential=server.key:/etc/ssl/vpn-daemon/private/server.key
```

Now restart `vpn-daemon`:
Make sure to reload the `systemd` daemon and restart `vpn-daemon`:

```bash
$ sudo systemctl daemon-reload
$ sudo systemctl restart vpn-daemon
```

Repeat this on all your nodes.

On your controller(s) you copy the `ca.crt`, `vpn-daemon-client.crt` and 
`vpn-daemon-client.key` to `/etc/vpn-user-portal/vpn-daemon` and modify the
`nodeUrl` option(s) in the profile configuration in 
`/etc/vpn-user-portal/config.php` to `https://`.
`vpn-daemon-client.key` to `/etc/vpn-user-portal/keys/vpn-daemon` and modify 
the `nodeUrl` option(s) in the profile configuration in 
`/etc/vpn-user-portal/config.php` to use `https://` instead of `http://`.

Viewing the portal "Info" page should show your node(s) as green and have the 
lock icon visible. Now you are all good!


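Review bot: the removed `chmod 0640 *` / `chgrp vpn-daemon *` block is not replaced by any statement of the ownership and mode the files in `/etc/ssl/vpn-daemon` (in particular `private/server.key`) should have, so readers coming from the old text may still make the key group-readable by `vpn-daemon`. With `LoadCredential=` the service manager reads the source files itself and hands them to the service under `$CREDENTIALS_DIRECTORY`, so the source key can be restricted to root; suggest adding a short line after the table, for example `chmod 0600 /etc/ssl/vpn-daemon/private/server.key` owned by `root`, and noting that no group access for the `vpn-daemon` user is required. The `daemon-reload` addition is correct and needed for the new drop-in to take effect.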
@@ 301,8 304,8 @@ to verify the TLS connection can be established:

```bash
$ curl \
    --cacert /etc/vpn-user-portal/vpn-daemon/ca.crt \
    --cert /etc/vpn-user-portal/vpn-daemon/vpn-daemon-client.crt \
    --key /etc/vpn-user-portal/vpn-daemon/vpn-daemon-client.key \
    --cacert /etc/vpn-user-portal/keys/vpn-daemon/ca.crt \
    --cert /etc/vpn-user-portal/vpn-daemon/keys/vpn-daemon-client.crt \
    --key /etc/vpn-user-portal/vpn-daemon/keys/vpn-daemon-client.key \
    https://node-a.vpn.example.org:41194/i/node 
```
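Review bot: the three updated paths in this `curl` command are inconsistent with each other and with the directory the previous hunk tells the reader to use (`/etc/vpn-user-portal/keys/vpn-daemon`): `--cacert` uses `/etc/vpn-user-portal/keys/vpn-daemon/ca.crt`, but `--cert` and `--key` use `/etc/vpn-user-portal/vpn-daemon/keys/...`, which is neither the old nor the new location. Suggest `--cert /etc/vpn-user-portal/keys/vpn-daemon/vpn-daemon-client.crt` and `--key /etc/vpn-user-portal/keys/vpn-daemon/vpn-daemon-client.key` so the verification command works against the layout documented above; the trailing space after the URL on the last line can also be dropped.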