Browse code
doc: run rst2* with --strict to catch warnings
Basically -Werror for docutils.
Fix all issues raised by this. The following issue
classes were reported:
Possible title underline, too short for the title.
Treating it as ordinary text because it's so short.
(:: at the start of the line directly below text,
either add empty line of merge into : on previous line)
Enumerated list start value not ordinal-1
(error in numbering)
Change-Id: Id3b0f7be4602f70115c60e6ddb89f6ed58e94e64
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230331132429.601635-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26567.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fafb05f6f3a7a1b46c278961ec8d2d8970f01096)
Frank Lichtenheld authored on 2023/03/31 22:24:29Showing 5 changed files
- doc/Makefile.am
- doc/man-sections/connection-profiles.rst
- doc/man-sections/example-fingerprint.rst
- doc/man-sections/examples.rst
- doc/man-sections/virtual-routing-and-forwarding.rst
| ... | ... |
@@ -68,19 +68,21 @@ openvpn-examples.5 openvpn-examples.5.html: $(openvpn_examples_sections) |
| 68 | 68 |
|
| 69 | 69 |
SUFFIXES = .8.rst .8 .8.html .5.rst .5 .5.html |
| 70 | 70 |
|
| 71 |
+RST_FLAGS = --strict |
|
| 72 |
+ |
|
| 71 | 73 |
MAINTAINERCLEANFILES = \ |
| 72 | 74 |
$(srcdir)/Makefile.in |
| 73 | 75 |
|
| 74 | 76 |
.8.rst.8 .5.rst.5 : |
| 75 | 77 |
if HAVE_PYDOCUTILS |
| 76 |
- $(RST2MAN) $< > $@ |
|
| 78 |
+ $(RST2MAN) $(RST_FLAGS) $< > $@ |
|
| 77 | 79 |
else |
| 78 | 80 |
@echo "Missing python-docutils - skipping man page generation ($@)" |
| 79 | 81 |
endif |
| 80 | 82 |
|
| 81 | 83 |
.8.rst.8.html .5.rst.5.html : |
| 82 | 84 |
if HAVE_PYDOCUTILS |
| 83 |
- $(RST2HTML) $< > $@ |
|
| 85 |
+ $(RST2HTML) $(RST_FLAGS) $< > $@ |
|
| 84 | 86 |
else |
| 85 | 87 |
@echo "Missing python-docutils - skipping html page generation ($@)" |
| 86 | 88 |
endif |
| ... | ... |
@@ -34,8 +34,7 @@ Server setup |
| 34 | 34 |
SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff |
| 35 | 35 |
|
| 36 | 36 |
|
| 37 |
-3. Write a server configuration (`server.conf`): |
|
| 38 |
-:: |
|
| 37 |
+4. Write a server configuration (`server.conf`):: |
|
| 39 | 38 |
|
| 40 | 39 |
# The server certificate we created in step 1 |
| 41 | 40 |
cert server.crt |
| ... | ... |
@@ -65,9 +64,9 @@ Server setup |
| 65 | 65 |
# Ping every 60s, restart if no data received for 5 minutes |
| 66 | 66 |
keepalive 60 300 |
| 67 | 67 |
|
| 68 |
-4. Add at least one client as described in the client section. |
|
| 68 |
+5. Add at least one client as described in the client section. |
|
| 69 | 69 |
|
| 70 |
-5. Start the server. |
|
| 70 |
+6. Start the server. |
|
| 71 | 71 |
- On systemd based distributions move `server.crt`, `server.key` and |
| 72 | 72 |
`server.conf` to :code:`/etc/openvpn/server` and start it via systemctl |
| 73 | 73 |
|
| ... | ... |
@@ -63,27 +63,23 @@ you will get a weird feedback loop. |
| 63 | 63 |
Example 1: A simple tunnel without security (not recommended) |
| 64 | 64 |
------------------------------------------------------------- |
| 65 | 65 |
|
| 66 |
-On bob: |
|
| 67 |
-:: |
|
| 66 |
+On bob:: |
|
| 68 | 67 |
|
| 69 | 68 |
openvpn --remote alice.example.com --dev tun1 \ |
| 70 | 69 |
--ifconfig 10.4.0.1 10.4.0.2 --verb 9 |
| 71 | 70 |
|
| 72 |
-On alice: |
|
| 73 |
-:: |
|
| 71 |
+On alice:: |
|
| 74 | 72 |
|
| 75 | 73 |
openvpn --remote bob.example.com --dev tun1 \ |
| 76 | 74 |
--ifconfig 10.4.0.2 10.4.0.1 --verb 9 |
| 77 | 75 |
|
| 78 | 76 |
Now verify the tunnel is working by pinging across the tunnel. |
| 79 | 77 |
|
| 80 |
-On bob: |
|
| 81 |
-:: |
|
| 78 |
+On bob:: |
|
| 82 | 79 |
|
| 83 | 80 |
ping 10.4.0.2 |
| 84 | 81 |
|
| 85 |
-On alice: |
|
| 86 |
-:: |
|
| 82 |
+On alice:: |
|
| 87 | 83 |
|
| 88 | 84 |
ping 10.4.0.1 |
| 89 | 85 |
|
| ... | ... |
@@ -96,13 +92,13 @@ Example 2: A tunnel with self-signed certificates and fingerprint |
| 96 | 96 |
----------------------------------------------------------------- |
| 97 | 97 |
|
| 98 | 98 |
First build a self-signed certificate on bob and display its fingerprint. |
| 99 |
+ |
|
| 99 | 100 |
:: |
| 100 | 101 |
|
| 101 | 102 |
openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout bob.pem -out bob.pem -nodes -sha256 -days 3650 -subj '/CN=bob' |
| 102 | 103 |
openssl x509 -noout -sha256 -fingerprint -in bob.pem |
| 103 | 104 |
|
| 104 |
-and the same on alice: |
|
| 105 |
-:: |
|
| 105 |
+and the same on alice:: |
|
| 106 | 106 |
|
| 107 | 107 |
openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout alice.pem -out alice.pem -nodes -sha256 -days 3650 -subj '/CN=alice' |
| 108 | 108 |
openssl x509 -noout -sha256 -fingerprint -in alice.pem |
| ... | ... |
@@ -113,30 +109,26 @@ that contain both self-signed certificate and key and show the fingerprint of th |
| 113 | 113 |
Transfer the fingerprints over a secure medium such as by using |
| 114 | 114 |
the ``scp``\(1) or ``ssh``\(1) program. |
| 115 | 115 |
|
| 116 |
-On bob: |
|
| 117 |
-:: |
|
| 116 |
+On bob:: |
|
| 118 | 117 |
|
| 119 | 118 |
openvpn --ifconfig 10.4.0.1 10.4.0.2 --tls-server --dev tun --dh none \ |
| 120 | 119 |
--cert bob.pem --key bob.pem --cipher AES-256-GCM \ |
| 121 | 120 |
--peer-fingerprint "$fingerprint_of_alices_cert" |
| 122 | 121 |
|
| 123 |
-On alice: |
|
| 124 |
-:: |
|
| 122 |
+On alice:: |
|
| 125 | 123 |
|
| 126 | 124 |
openvpn --remote bob.example.com --tls-client --dev tun1 \ |
| 127 | 125 |
--ifconfig 10.4.0.2 10.4.0.1 --cipher AES-256-GCM \ |
| 128 |
- --cert alice.pem --key alice.pem |
|
| 126 |
+ --cert alice.pem --key alice.pem \ |
|
| 129 | 127 |
--peer-fingerprint "$fingerprint_of_bobs_cert" |
| 130 | 128 |
|
| 131 | 129 |
Now verify the tunnel is working by pinging across the tunnel. |
| 132 | 130 |
|
| 133 |
-On bob: |
|
| 134 |
-:: |
|
| 131 |
+On bob:: |
|
| 135 | 132 |
|
| 136 | 133 |
ping 10.4.0.2 |
| 137 | 134 |
|
| 138 |
-On alice: |
|
| 139 |
-:: |
|
| 135 |
+On alice:: |
|
| 140 | 136 |
|
| 141 | 137 |
ping 10.4.0.1 |
| 142 | 138 |
|
| ... | ... |
@@ -170,8 +162,7 @@ For Diffie Hellman parameters you can use the included file |
| 170 | 170 |
and keys included in the OpenVPN distribution are totally |
| 171 | 171 |
insecure and should be used for testing only. |
| 172 | 172 |
|
| 173 |
-On bob: |
|
| 174 |
-:: |
|
| 173 |
+On bob:: |
|
| 175 | 174 |
|
| 176 | 175 |
openvpn --remote alice.example.com --dev tun1 \ |
| 177 | 176 |
--ifconfig 10.4.0.1 10.4.0.2 \ |
| ... | ... |
@@ -179,8 +170,7 @@ On bob: |
| 179 | 179 |
--cert client.crt --key client.key \ |
| 180 | 180 |
--reneg-sec 60 --verb 5 |
| 181 | 181 |
|
| 182 |
-On alice: |
|
| 183 |
-:: |
|
| 182 |
+On alice:: |
|
| 184 | 183 |
|
| 185 | 184 |
openvpn --remote bob.example.com --dev tun1 \ |
| 186 | 185 |
--ifconfig 10.4.0.2 10.4.0.1 \ |
| ... | ... |
@@ -190,13 +180,11 @@ On alice: |
| 190 | 190 |
|
| 191 | 191 |
Now verify the tunnel is working by pinging across the tunnel. |
| 192 | 192 |
|
| 193 |
-On bob: |
|
| 194 |
-:: |
|
| 193 |
+On bob:: |
|
| 195 | 194 |
|
| 196 | 195 |
ping 10.4.0.2 |
| 197 | 196 |
|
| 198 |
-On alice: |
|
| 199 |
-:: |
|
| 197 |
+On alice:: |
|
| 200 | 198 |
|
| 201 | 199 |
ping 10.4.0.1 |
| 202 | 200 |
|
| ... | ... |
@@ -221,8 +209,7 @@ networks. We will assume that bob's private subnet is *10.0.0.0/24* and |
| 221 | 221 |
alice's is *10.0.1.0/24*. |
| 222 | 222 |
|
| 223 | 223 |
First, ensure that IP forwarding is enabled on both peers. On Linux, |
| 224 |
-enable routing: |
|
| 225 |
-:: |
|
| 224 |
+enable routing:: |
|
| 226 | 225 |
|
| 227 | 226 |
echo 1 > /proc/sys/net/ipv4/ip_forward |
| 228 | 227 |
|
| ... | ... |
@@ -235,13 +222,11 @@ systems guide on how to configure the firewall. You typically want to |
| 235 | 235 |
allow traffic coming from and going to the tun/tap adapter OpenVPN is |
| 236 | 236 |
configured to use. |
| 237 | 237 |
|
| 238 |
-On bob: |
|
| 239 |
-:: |
|
| 238 |
+On bob:: |
|
| 240 | 239 |
|
| 241 | 240 |
route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2 |
| 242 | 241 |
|
| 243 |
-On alice: |
|
| 244 |
-:: |
|
| 242 |
+On alice:: |
|
| 245 | 243 |
|
| 246 | 244 |
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 |
| 247 | 245 |
|
| ... | ... |
@@ -23,11 +23,13 @@ VRF setup with iproute2 |
| 23 | 23 |
``````````````````````` |
| 24 | 24 |
|
| 25 | 25 |
Create VRF :code:`vrf_external` and map it to routing table :code:`1023` |
| 26 |
+ |
|
| 26 | 27 |
:: |
| 27 | 28 |
|
| 28 | 29 |
ip link add vrf_external type vrf table 1023 |
| 29 | 30 |
|
| 30 | 31 |
Move :code:`eth0` into :code:`vrf_external` |
| 32 |
+ |
|
| 31 | 33 |
:: |
| 32 | 34 |
|
| 33 | 35 |
ip link set master vrf_external dev eth0 |
| ... | ... |
@@ -42,8 +44,7 @@ VRF setup with ifupdown |
| 42 | 42 |
For Debian based Distributions :code:`ifupdown2` provides an almost drop-in |
| 43 | 43 |
replacement for :code:`ifupdown` including VRFs and other features. |
| 44 | 44 |
A configuration for an interface :code:`eth0` being part of VRF |
| 45 |
-code:`vrf_external` could look like this: |
|
| 46 |
-:: |
|
| 45 |
+code:`vrf_external` could look like this:: |
|
| 47 | 46 |
|
| 48 | 47 |
auto eth0 |
| 49 | 48 |
iface eth0 |
| ... | ... |
@@ -61,6 +62,7 @@ code:`vrf_external` could look like this: |
| 61 | 61 |
OpenVPN configuration |
| 62 | 62 |
````````````````````` |
| 63 | 63 |
The OpenVPN configuration needs to contain this line: |
| 64 |
+ |
|
| 64 | 65 |
:: |
| 65 | 66 |
|
| 66 | 67 |
bind-dev vrf_external |