author: usman-umer <unumer@hotmail.com> 2021-07-31 20:02:30 +0100
committer: usman-umer <unumer@hotmail.com> 2021-07-31 20:02:30 +0100
commit: 6ea5a64c0fb75dc000b14c209d108ee16288ee07 (patch)
tree: b1e7c405c64522e61e6cc9716f44122ae284aa24
parent: c9dd310466f46949ff5618deb60a4fe44af084f2 (diff)
added firewall exception
-rw-r--r-- docs/configuration/interfaces/openvpn.rst | 29
1 file changed, 29 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index a0802c27..62273ca0 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -131,6 +131,35 @@ Remote Configuration - Annotated:
set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface
set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface
+
+*******************
+Firewall Exceptions
+*******************
+
+For the WireGuard traffic to pass through the WAN interface, you must create a
+firewall exception.
+
+.. code-block:: none
+
+ set firewall name OUTSIDE_LOCAL rule 10 action accept
+ set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
+ set firewall name OUTSIDE_LOCAL rule 10 state established enable
+ set firewall name OUTSIDE_LOCAL rule 10 state related enable
+ set firewall name OUTSIDE_LOCAL rule 20 action accept
+ set firewall name OUTSIDE_LOCAL rule 20 description OpenVPN_IN
+ set firewall name OUTSIDE_LOCAL rule 20 destination port 1195
+ set firewall name OUTSIDE_LOCAL rule 20 log enable
+ set firewall name OUTSIDE_LOCAL rule 20 protocol udp
+ set firewall name OUTSIDE_LOCAL rule 20 source
+
+You should also ensure that the OUTISDE_LOCAL firewall group is applied to the
+WAN interface and a direction (local).
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
+
+
Static Routing:
Static routes can be configured referencing the tunnel interface; for example,
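Review bot: the firewall name is inconsistent across this hunk, so the example as written will not apply the rules it creates. The ruleset is defined as `OUTSIDE_LOCAL` (underscore), the prose refers to `OUTISDE_LOCAL` (typo), and the interface assignment uses `'OUTSIDE-LOCAL'` (hyphen); pick one spelling and use it in all three places. The last rule line, `set firewall name OUTSIDE_LOCAL rule 20 source`, is incomplete: a `source` node with no child (for example `source address <peer-ip>`) is not a valid command, and if the intent is to accept from any source the line should be dropped instead. The introductory sentence also says "For the WireGuard traffic to pass" in the OpenVPN page; this should read "OpenVPN traffic" (the rule itself is correctly scoped to UDP/1195 and described as OpenVPN_IN). Finally, "applied to the WAN interface and a direction (local)" would read better as "applied to the WAN interface in the local direction".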