diff options
Diffstat (limited to 'docs/configexamples')
6 files changed, 47 insertions, 22 deletions
diff --git a/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst b/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst index e42d3567..6666399d 100644 --- a/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst +++ b/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst @@ -7,9 +7,9 @@ OpenVPN with LDAP | Testdate: 2023-05-11 | Version: 1.4-rolling-202305100734 -This LAB show how to uwe OpenVPN with a Active Directory authentication backend. +This LAB shows how to use OpenVPN with a Active Directory authentication method. -The Topology are consists of: +Topology consists of: * Windows Server 2019 with a running Active Directory * VyOS as a OpenVPN Server * VyOS as Client @@ -20,7 +20,7 @@ The Topology are consists of: Active Directory on Windows server ================================== -The Lab asume a full running Active Directory on the Windows Server. +The lab assumes a full running Active Directory on the Windows Server. Here are some PowerShell commands to quickly add a Test Active Directory. .. code-block:: powershell @@ -36,7 +36,7 @@ Here are some PowerShell commands to quickly add a Test Active Directory. New-ADUser user01 -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true -Configuration VyOS as OpenVPN Server +Configure VyOS as OpenVPN Server ==================================== In this example OpenVPN will be setup with a client certificate and username / password authentication. @@ -53,7 +53,7 @@ Please look :ref:`here <configuration/pki/index:pki>` for more information. Now generate all required certificates on the ovpn-server: -first the PCA +First the CA .. code-block:: none @@ -249,11 +249,27 @@ save the output to a file and import it in nearly all openvpn clients. </key> +Configure VyOS as client +------------------------ + +.. code-block:: none + + set interfaces openvpn vtun10 authentication username 'user01' + set interfaces openvpn vtun10 authentication password '$ecret' + set interfaces openvpn vtun10 encryption cipher 'aes256' + set interfaces openvpn vtun10 hash 'sha512' + set interfaces openvpn vtun10 mode 'client' + set interfaces openvpn vtun10 persistent-tunnel + set interfaces openvpn vtun10 protocol 'udp' + set interfaces openvpn vtun10 remote-host '198.51.100.254' + set interfaces openvpn vtun10 remote-port '1194' + set interfaces openvpn vtun10 tls ca-certificate 'OVPN-CA' + set interfaces openvpn vtun10 tls certificate 'CLIENT' Monitoring ========== -If the client is connect successfully you can check the output with +If the client is connected successfully you can check the status .. code-block:: none diff --git a/docs/configexamples/autotest/tunnelbroker/_include/vyos-wan_tun0.conf b/docs/configexamples/autotest/tunnelbroker/_include/vyos-wan_tun0.conf index 03889ffd..ab70ccc5 100644 --- a/docs/configexamples/autotest/tunnelbroker/_include/vyos-wan_tun0.conf +++ b/docs/configexamples/autotest/tunnelbroker/_include/vyos-wan_tun0.conf @@ -1,8 +1,8 @@ -set interfaces tunnel tun0 address '2001:470:6c:779::2/64' #Tunnelbroker Client IPv6 Address +set interfaces tunnel tun0 address '2001:470:6c:779::2/64' #Tunnelbroker Client IPv6 address set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel' set interfaces tunnel tun0 encapsulation 'sit' -set interfaces tunnel tun0 remote '216.66.86.114' #Tunnelbroker Server IPv4 Address -set interfaces tunnel tun0 source-address '172.29.129.60' # Tunnelbroker Client IPv4 Address or if there is NAT the current WAN interface address +set interfaces tunnel tun0 remote '216.66.86.114' #Tunnelbroker Server IPv4 address +set interfaces tunnel tun0 source-address '172.29.129.60' # Tunnelbroker Client IPv4 address. See note below set protocols static route6 ::/0 interface tun0 @@ -10,4 +10,4 @@ set interface ethernet eth2 address '2001:470:6d:778::1/64' # Tunnelbroker Route set service router-advert interface eth2 name-server '2001:470:20::2' set service router-advert interface eth2 prefix 2001:470:6d:778::/64 # Tunnelbroker Routed /64 prefix -set system name-server 2001:470:20::2 #Tunnelbroker DNS Server
\ No newline at end of file +set system name-server 2001:470:20::2 #Tunnelbroker DNS Server diff --git a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst index 94acbe9a..0f7c9daf 100644 --- a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst +++ b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst @@ -48,7 +48,15 @@ Now we are able to setup the tunnel interface. :language: none :lines: 1-5 -Setup the ipv6 default route to the tunnel interface +.. note:: The `source-address` is the Tunnelbroker client IPv4 + address or if there is NAT the current WAN interface address. + + If `source-address` is dynamic, the tunnel will cease working once + the address changes. To avoid having to manually update + `source-address` each time the dynamic IP changes, an address of + '0.0.0.0' can be specified. + +Setup the IPv6 default route to the tunnel interface .. literalinclude:: _include/vyos-wan_tun0.conf :language: none @@ -204,4 +212,5 @@ instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`. Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 -firewall in ipv6-name` or `et firewall zone LOCAL from WAN firewall ipv6-name`.
\ No newline at end of file +firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall +ipv6-name`. diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst index 2337c1ac..8dc07de6 100644 --- a/docs/configexamples/policy-based-ipsec-and-firewall.rst +++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst @@ -13,7 +13,7 @@ configuration is done only on one router. Network Topology and requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This configuration example and the requirments consists of: +This configuration example and the requirements consists of: - Two VyOS routers with public IP address. @@ -37,7 +37,7 @@ This configuration example and the requirments consists of: - Allow all new connections from local subnets. - - Allow connections from LANs to LANs throught the tunnel. + - Allow connections from LANs to LANs through the tunnel. .. image:: /_static/images/policy-based-ipsec-and-firewall.png diff --git a/docs/configexamples/wan-load-balancing.rst b/docs/configexamples/wan-load-balancing.rst index ace9a981..0952cfe5 100644 --- a/docs/configexamples/wan-load-balancing.rst +++ b/docs/configexamples/wan-load-balancing.rst @@ -69,7 +69,7 @@ Example 2: Failover based on interface weights This example uses the failover mode. -.. _wan:example2_overwiew: +.. _wan:example2_overview: Overview ^^^^^^^^ @@ -98,7 +98,7 @@ The previous example used the failover command to send traffic through eth1 if eth0 fails. In this example, failover functionality is provided by rule order. -.. _wan:example3_overwiew: +.. _wan:example3_overview: Overview ^^^^^^^^ @@ -129,7 +129,7 @@ traffic. It is assumed for this example that eth1 is connected to a slower connection than eth0 and should prioritize VoIP traffic. -.. _wan:example4_overwiew: +.. _wan:example4_overview: Overview ^^^^^^^^ diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst index 08db13b9..95648e7a 100644 --- a/docs/configexamples/zone-policy.rst +++ b/docs/configexamples/zone-policy.rst @@ -6,7 +6,7 @@ Zone-Policy example ------------------- .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all vyos instalations, and zone based firewall is + structure can be found on all vyos installations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ @@ -145,7 +145,7 @@ To add logging to the default rule, do: .. code-block:: none - set firewall name <ruleSet> enable-default-log + set firewall name <ruleSet> default-log By default, iptables does not allow traffic for established sessions to @@ -251,7 +251,7 @@ Since we have 4 zones, we need to setup the following rulesets. Dmz-local Even if the two zones will never communicate, it is a good idea to -create the zone-pair-direction rulesets and set enable-default-log. This +create the zone-pair-direction rulesets and set default-log. This will allow you to log attempts to access the networks. Without it, you will never see the connection attempts. @@ -261,7 +261,7 @@ This is an example of the three base rules. name wan-lan { default-action drop - enable-default-log + default-log rule 1 { action accept state { @@ -285,7 +285,7 @@ Here is an example of an IPv6 DMZ-WAN ruleset. ipv6-name dmz-wan-6 { default-action drop - enable-default-log + default-log rule 1 { action accept state { |