diff options
authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2020-04-23 17:12:29 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2020-04-23 17:13:54 +0300
commit062a63edac2dbf0ba098dce98a82d331e0ff47dd (patch)
parentae96f310077191b50c5bb52d39c3ef4f0c2fa552 (diff)
README: CA backup
1 files changed, 54 insertions, 7 deletions
diff --git a/README.md b/README.md
index 3a46116..1f8e5f4 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
This guide explains how to set up a Dynamic Multipoint VPN using `setup-dmvpn`.
-## Certificate Authority
+## Setting Up the Certificate Authority
Install the Certificate Authority (CA) tool on a secure host:
@@ -100,7 +100,7 @@ private key, and the root certificate. The password is embedded in the file
name. The file should be renamed when using out-of-band delivery for the
-## Setting Up a CRL Distribution Point
+## <a name="crl"></a>Setting Up a CRL Distribution Point
In this example, the CA host serves also as the master CRL distribution point.
In addition, there may be other distribution points which periodically mirror
@@ -157,9 +157,6 @@ The hub is now operational and its firewall has been set up. Firewall for IPv6
(`ip6tables`) is set up by `setup-dmvpn` only if IPv6 addresses are defined for
the VPN. (`setup-firewall` sets it up if IPv6 is enabled in the kernel.)
-Due to an unresolved issue, you may have to reboot the host if VPN tunnels are
-not established within a reasonable time.
## Setting Up a Site VPNc (Spoke)
Install the `dmvpn` package on the host to be configured as a DMVPN spoke. It
@@ -177,5 +174,55 @@ prompted. The password is deduced from the file name unless renamed.
The spoke is now operational. Firewall rules are updated automatically if they
are managed using `awall`.
-Due to an unresolved issue, you may have to reboot the host if VPN tunnels are
-not established within a reasonable time.
+## Backing Up the CA
+It may be a good idea to back up the configuration and the state of
+the CA. This section describes one way to do so.
+If you are using a firewall, allow outgoing SSH connections to the
+backup host. If you set it up with `setup-firewall`, you can do this by
+enabling the `adp-ssh-client` policy. This will allow SSH connections
+to any host, though.
+<pre>awall enable adp-ssh-client
+awall activate
+Generate an SSH key pair on the CA host:
+Append the generated public key to the list of the authorized keys on
+the backup host. Install `rsync` on the backup host:
+<pre>apk add rsync
+Install `in-sync` on the CA host:
+<pre>apk add in-sync
+Configure the backup host as the target in the CA host's
+Start the synchronization service on the CA host:
+<pre>rc-update add in-sync
+rc-service in-sync start
+### Disaster Recovery
+In case the original CA host is lost, you may convert the backup host
+to a new CA host by installing the CA tool:
+<pre>apk add dmvpn-ca
+If the CA host was serving as the master CRL distribution point, you
+need to [set up that function](#crl) as well.