summaryrefslogtreecommitdiff
path: root/docs/configuration/interfaces
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2021-08-03 21:06:07 +0200
committerGitHub <noreply@github.com>2021-08-03 21:06:07 +0200
commit073fada067df858d14911b65acc531eece4ac7c3 (patch)
tree57df22902fd92515cf2bb864582ede266bff72bd /docs/configuration/interfaces
parent63b280caebbbde735e2ad32543b01c73c82f242a (diff)
parent78f67b5feb2284f1f9988c6e62a3521c10b2c087 (diff)
downloadvyos-documentation-073fada067df858d14911b65acc531eece4ac7c3.tar.gz
vyos-documentation-073fada067df858d14911b65acc531eece4ac7c3.zip
Merge pull request #588 from usman-umer/equuleus
Added instructions for firewall exception for equuleus branch
Diffstat (limited to 'docs/configuration/interfaces')
-rw-r--r--docs/configuration/interfaces/openvpn.rst27
1 files changed, 27 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index 644906e1..82dd26dd 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -130,6 +130,33 @@ Remote Configuration - Annotated:
set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface
set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface
+*******************
+Firewall Exceptions
+*******************
+
+For the OpenVPN traffic to pass through the WAN interface, you must create a
+firewall exception.
+
+.. code-block:: none
+
+ set firewall name OUTSIDE_LOCAL rule 10 action accept
+ set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
+ set firewall name OUTSIDE_LOCAL rule 10 state established enable
+ set firewall name OUTSIDE_LOCAL rule 10 state related enable
+ set firewall name OUTSIDE_LOCAL rule 20 action accept
+ set firewall name OUTSIDE_LOCAL rule 20 description OpenVPN_IN
+ set firewall name OUTSIDE_LOCAL rule 20 destination port 1195
+ set firewall name OUTSIDE_LOCAL rule 20 log enable
+ set firewall name OUTSIDE_LOCAL rule 20 protocol udp
+ set firewall name OUTSIDE_LOCAL rule 20 source
+
+You should also ensure that the OUTISDE_LOCAL firewall group is applied to the
+WAN interface and a direction (local).
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
+
Static Routing:
Static routes can be configured referencing the tunnel interface; for example,