path: root/docs/configuration/interfaces/openvpn.rst
author: usman-umer <unumer@hotmail.com> 2021-07-31 20:06:24 +0100
committer: usman-umer <unumer@hotmail.com> 2021-07-31 20:06:24 +0100
commit: b4e43503bfbcf7c561a82c85163123569895af08 (patch)
tree: b3009c63a74b07112c6e900452e38c00dc971e90 /docs/configuration/interfaces/openvpn.rst
parent: 54afd51b3a01c7282dbff16b0f9bddab3dce4051 (diff)
added instructions for firewall exception for equuleus branch
Diffstat (limited to 'docs/configuration/interfaces/openvpn.rst')
-rw-r--r--  docs/configuration/interfaces/openvpn.rst  27
1 files changed, 27 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index 644906e1..9fb26933 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -130,6 +130,33 @@ Remote Configuration - Annotated:
set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface
set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface
+*******************
+Firewall Exceptions
+*******************
+
+For the WireGuard traffic to pass through the WAN interface, you must create a
+firewall exception.
+
+.. code-block:: none
+
+ set firewall name OUTSIDE_LOCAL rule 10 action accept
+ set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
+ set firewall name OUTSIDE_LOCAL rule 10 state established enable
+ set firewall name OUTSIDE_LOCAL rule 10 state related enable
+ set firewall name OUTSIDE_LOCAL rule 20 action accept
+ set firewall name OUTSIDE_LOCAL rule 20 description OpenVPN_IN
+ set firewall name OUTSIDE_LOCAL rule 20 destination port 1195
+ set firewall name OUTSIDE_LOCAL rule 20 log enable
+ set firewall name OUTSIDE_LOCAL rule 20 protocol udp
+ set firewall name OUTSIDE_LOCAL rule 20 source
+
+You should also ensure that the OUTISDE_LOCAL firewall group is applied to the
+WAN interface and a direction (local).
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
+
Static Routing:
Static routes can be configured referencing the tunnel interface; for example,
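Review bot: the new section's opening sentence says "For the WireGuard traffic to pass through the WAN interface", but this is the OpenVPN page and the rule it introduces is labelled OpenVPN_IN, so it should read "For the OpenVPN traffic". Three further issues in the same hunk would stop the example from working if pasted as-is: the last line of rule 20, `set firewall name OUTSIDE_LOCAL rule 20 source`, is an incomplete command with nothing after `source` (either remove the line, which leaves the rule matching any source, or complete it with the peer's `address` so the exception is limited to the remote endpoint); the ruleset is created as `OUTSIDE_LOCAL` but attached to eth0 as `'OUTSIDE-LOCAL'`, so the interface would reference a ruleset that does not exist (use one spelling throughout, and fix the "OUTISDE_LOCAL" typo in the prose to match); and the prose calls it a "firewall group", which in VyOS means an address/port/network group, whereas this is a named ruleset (`firewall name`). It would also help readers to state that the destination port 1195 must match the local-port configured on the vtun interface (OpenVPN's default is 1194), that the exception only matters when the ruleset has a `default-action drop` (not shown here), and that `log enable` on an accept rule will log every matching VPN packet, so it is optional rather than required.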