Diffstat (limited to 'docs/configuration/interfaces')
-rw-r--r-- | docs/configuration/interfaces/bonding.rst | 4
-rw-r--r-- | docs/configuration/interfaces/ethernet.rst | 4
-rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 48
-rw-r--r-- | docs/configuration/interfaces/pppoe.rst | 4
-rw-r--r-- | docs/configuration/interfaces/tunnel.rst | 8
-rw-r--r-- | docs/configuration/interfaces/vxlan.rst | 4
-rw-r--r-- | docs/configuration/interfaces/wireguard.rst | 4
-rw-r--r-- | docs/configuration/interfaces/wireless.rst | 49
8 files changed, 81 insertions, 44 deletions
diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst index 547594e5..84f00132 100644 --- a/docs/configuration/interfaces/bonding.rst +++ b/docs/configuration/interfaces/bonding.rst @@ -352,8 +352,8 @@ interfaces from VyOS to a Juniper EX Switch system. Aruba/HP ======== -For a headstart you can use the below example on how to build a bond,port-channel -with two interfaces from VyOS to a Aruba/HP 2510G switch. +For a headstart you can use the below example on how to build a +bond,port-channel with two interfaces from VyOS to a Aruba/HP 2510G switch. .. code-block:: none diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index 562aeabc..b4151dd2 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -123,6 +123,8 @@ Operation TX: bytes packets errors dropped carrier collisions 5601460 62595 0 0 0 0 +.. stop_vyoslinter + .. opcmd:: show interfaces ethernet <interface> physical Show information about physical `<interface>` @@ -162,6 +164,8 @@ Operation supports-register-dump: yes supports-priv-flags: no +.. start_vyoslinter + .. opcmd:: show interfaces ethernet <interface> physical offload Show available offloading functions on given `<interface>` diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index f503ae84..0e4e9d74 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst 
@@ -186,7 +186,8 @@ Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. Refer this section **Generate X.509 Certificate and Keys** to generate a CA certificate, a server certificate and key, a certificate revocation list, a Diffie-Hellman -key exchange parameters file. You do not need client certificates and keys for the server setup. +key exchange parameters file. You do not need client certificates and keys for +the server setup. In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think HQ and branch offices), since @@ -269,16 +270,16 @@ Copy the Easy-RSA scripts to a new directory to modify the values. cd /config/my-easy-rsa-config To ensure the consistent use of values when generating the PKI, set default -values to be used by the PKI generating scripts. Rename the vars.example filename -to vars +values to be used by the PKI generating scripts. Rename the vars.example +filename to vars .. code-block:: none mv vars.example vars -Following is the instance of the file after editing. You may also change other values in -the file at your discretion/need, though for most cases the defaults should be just fine. -(do not leave any of these parameters blank) +Following is the instance of the file after editing. You may also change other +values in the file at your discretion/need, though for most cases the defaults +should be just fine. (do not leave any of these parameters blank) .. code-block:: none 
@@ -292,9 +293,9 @@ the file at your discretion/need, though for most cases the defaults should be j set_var EASYRSA_KEY_SIZE 2048 -init-pki option will create a new pki directory or will delete any previously generated -certificates stored in that folder. The term 'central' is used to refer server and -'branch' for client +init-pki option will create a new pki directory or will delete any previously +generated certificates stored in that folder. The term 'central' is used to +refer server and 'branch' for client .. note:: Remember the “CA Key Passphrase” prompted in build-ca command, as it will be asked in signing the server/client certificate. @@ -308,7 +309,8 @@ certificates stored in that folder. The term 'central' is used to refer server a vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-dh vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-client-full branch1 nopass -To generate a certificate revocation list for any client, execute these commands: +To generate a certificate revocation list for any client, execute these +commands: .. code-block:: none @@ -326,8 +328,8 @@ Copy the files to /config/auth/ovpn/ to use in OpenVPN tunnel creation vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/issued/central.crt /config/auth/ovpn vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/crl.pem /config/auth/ovpn -Additionally, each client needs a copy of ca.crt and its own client key and cert files. -The files are plaintext so they may be copied either manually, +Additionally, each client needs a copy of ca.crt and its own client key and +cert files. The files are plaintext so they may be copied either manually, or through a remote file transfer tool like scp. Whichever method you use, the files need to end up in the proper location on each router. For example, Branch 1's router might have the following files: 
@@ -344,12 +346,13 @@ LDAP ---- Enterprise installations usually ship a kind of directory service which is used -to have a single password store for all employees. VyOS and OpenVPN support using -LDAP/AD as single user backend. +to have a single password store for all employees. VyOS and OpenVPN support +using LDAP/AD as single user backend. Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is -shipped with every VyOS installation. A dedicated configuration file is required. -It is best practise to store it in ``/config`` to survive image updates +shipped with every VyOS installation. A dedicated configuration file is +required. It is best practise to store it in ``/config`` to survive image +updates .. code-block:: none @@ -435,7 +438,8 @@ If you only want to check if the user account is enabled and can authenticate RequireGroup false </Authorization> -A complete LDAP auth OpenVPN configuration could look like the following example: +A complete LDAP auth OpenVPN configuration could look like the following +example: .. code-block:: none @@ -453,8 +457,8 @@ A complete LDAP auth OpenVPN configuration could look like the following example server { domain-name example.com max-connections 5 - name-server 1.1.1.1 - name-server 9.9.9.9 + name-server 203.0.113.0.10 + name-server 198.51.100.3 subnet 172.18.100.128/29 } tls { @@ -534,7 +538,8 @@ Will add ``persistent-key`` at the end of the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax. -.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'push "keepalive 1 10"' +.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option + 'push "keepalive 1 10"' Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. 
@@ -563,7 +568,8 @@ The following commands let you check tunnel status. .. opcmd:: show openvpn site-to-site - Use this command to check the tunnel status for OpenVPN site-to-site interfaces. + Use this command to check the tunnel status for OpenVPN site-to-site + interfaces. Reset OpenVPN diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 393c71ed..9d10b91f 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -287,10 +287,14 @@ which is the default VLAN for Deutsche Telekom: IPv6 DHCPv6-PD Example ---------------------- +.. stop_vyoslinter + The following configuration will assign a /64 prefix out of a /56 delegation to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64. If you do not know the prefix size delegated to you, start with sla-len 0. +.. start_vyoslinter + .. code-block:: none set interfaces pppoe pppoe0 authentication user vyos diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst index 7b1502f8..b1e86edf 100644 --- a/docs/configuration/interfaces/tunnel.rst +++ b/docs/configuration/interfaces/tunnel.rst @@ -93,7 +93,8 @@ An example: set interfaces tunnel tun0 remote-ip 192.0.2.20 set interfaces tunnel tun0 address 2001:db8:bb::1/64 -A full example of a Tunnelbroker.net config can be found at :ref:`here <examples-tunnelbroker-ipv6>`. +A full example of a Tunnelbroker.net config can be found at +:ref:`here <examples-tunnelbroker-ipv6>`. Generic Routing Encapsulation (GRE) ----------------------------------- 
@@ -135,7 +136,10 @@ ip otherwise it would have to be configured as well. Tunnel keys ^^^^^^^^^^^ -GRE is also the only classic protocol that allows creating multiple tunnels with the same source and destination due to its support for tunnel keys. Despite its name, this feature has nothing to do with security: it's simply an identifier that allows routers to tell one tunnel from another. +GRE is also the only classic protocol that allows creating multiple tunnels +with the same source and destination due to its support for tunnel keys. +Despite its name, this feature has nothing to do with security: it's simply +an identifier that allows routers to tell one tunnel from another. An example: diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index 95f8de35..ca25d21e 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst @@ -240,8 +240,8 @@ advertised. set interfaces bridge br241 member interface 'eth1.241' set interfaces bridge br241 member interface 'vxlan241' -Binds eth1.241 and vxlan241 to each other by making them both member interfaces of -the same bridge. +Binds eth1.241 and vxlan241 to each other by making them both member +interfaces of the same bridge. .. code-block:: none diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 3580fac3..c4dfbee7 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -262,4 +262,8 @@ Operational commands vyos@wg01# wireguard keypair default +.. stop_vyoslinter + .. _`WireGuard mailing list`: https://lists.zx2c4.com/pipermail/wireguard/2018-December/003704.html + +.. start_vyoslinter
\ No newline at end of file diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index fca285eb..097d7c49 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -111,7 +111,8 @@ Wireless options SSID to be used in IEEE 802.11 management frames -.. cfgcmd:: set interfaces wireless <interface> type <access-point | station | monitor> +.. cfgcmd:: set interfaces wireless <interface> type + <access-point | station | monitor> Wireless device type for this interface @@ -137,7 +138,8 @@ HT (High Throughput) capabilities (802.11n) WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] -.. cfgcmd:: set interfaces wireless <interface> capabilities ht channel-set-width <ht20 | ht40+ | ht40-> +.. cfgcmd:: set interfaces wireless <interface> capabilities ht + channel-set-width <ht20 | ht40+ | ht40-> Supported channel width set. @@ -150,7 +152,8 @@ HT (High Throughput) capabilities (802.11n) Following table shows the channels that may be available for HT40- and HT40+ use per IEEE 802.11n Annex J: - Depending on the location, not all of these channels may be available for use! + Depending on the location, not all of these channels may be available for + use! .. code-block:: none @@ -163,7 +166,8 @@ HT (High Throughput) capabilities (802.11n) BSSes. These changes are done automatically when hostapd is setting up the 40 MHz channel. -.. cfgcmd:: set interfaces wireless <interface> capabilities ht delayed-block-ack +.. cfgcmd:: set interfaces wireless <interface> capabilities ht + delayed-block-ack Enable HT-delayed Block Ack ``[DELAYED-BA]`` 
@@ -183,15 +187,18 @@ HT (High Throughput) capabilities (802.11n) Enable L-SIG TXOP protection capability -.. cfgcmd:: set interfaces wireless <interface> capabilities ht max-amsdu <3839 | 7935> +.. cfgcmd:: set interfaces wireless <interface> capabilities ht max-amsdu + <3839 | 7935> Maximum A-MSDU length 3839 (default) or 7935 octets -.. cfgcmd:: set interfaces wireless <interface> capabilities ht short-gi <20 | 40> +.. cfgcmd:: set interfaces wireless <interface> capabilities ht + short-gi <20 | 40> Short GI capabilities for 20 and 40 MHz -.. cfgcmd:: set interfaces wireless <interface> capabilities ht smps <static | dynamic> +.. cfgcmd:: set interfaces wireless <interface> capabilities ht + smps <static | dynamic> Spatial Multiplexing Power Save (SMPS) settings @@ -210,7 +217,8 @@ VHT (Very High Throughput) capabilities (802.11ac) Number of antennas on this card -.. cfgcmd:: set interfaces wireless <interface> capabilities vht antenna-pattern-fixed +.. cfgcmd:: set interfaces wireless <interface> capabilities vht + antenna-pattern-fixed Set if antenna pattern does not change during the lifetime of an association 
@@ -225,15 +233,19 @@ VHT (Very High Throughput) capabilities (802.11ac) * ``multi-user-beamformer`` - Support for operation as single user beamformer * ``multi-user-beamformee`` - Support for operation as single user beamformer -.. cfgcmd:: set interfaces wireless <interface> capabilities vht center-channel-freq <freq-1 | freq-2> <number> +.. cfgcmd:: set interfaces wireless <interface> capabilities vht + center-channel-freq <freq-1 | freq-2> <number> - VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes) + VHT operating channel center frequency - center freq 1 + (for use with 80, 80+80 and 160 modes) - VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode) + VHT operating channel center frequency - center freq 2 + (for use with the 80+80 mode) <number> must be from 34 - 173. For 80 MHz channels it should be channel + 6. -.. cfgcmd:: set interfaces wireless <interface> capabilities vht channel-set-width <0 | 1 | 2 | 3> +.. cfgcmd:: set interfaces wireless <interface> capabilities vht + channel-set-width <0 | 1 | 2 | 3> * ``0`` - 20 or 40 MHz channel width (default) * ``1`` - 80 MHz channel width @@ -248,15 +260,18 @@ VHT (Very High Throughput) capabilities (802.11ac) VHT link adaptation capabilities -.. cfgcmd:: set interfaces wireless <interface> capabilities vht max-mpdu <value> +.. cfgcmd:: set interfaces wireless <interface> capabilities vht + max-mpdu <value> Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octets) -.. cfgcmd:: set interfaces wireless <interface> capabilities vht max-mpdu-exp <value> +.. cfgcmd:: set interfaces wireless <interface> capabilities vht + max-mpdu-exp <value> Set the maximum length of A-MPDU pre-EOF padding that the station can receive -.. cfgcmd:: set interfaces wireless <interface> capabilities vht short-gi <80 | 160> +.. cfgcmd:: set interfaces wireless <interface> capabilities vht + short-gi <80 | 160> Short GI capabilities 
@@ -440,8 +455,8 @@ information about all wireless interfaces. .. opcmd:: show interfaces wireless <wlanX> -This command shows both status and statistics on the specified wireless interface. -The wireless interface identifier can range from wlan0 to wlan999. +This command shows both status and statistics on the specified wireless +interface. The wireless interface identifier can range from wlan0 to wlan999. .. code-block:: none |
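
Review bot: docs/configuration/interfaces/bonding.rst, hunk @@ -352,8 +352,8 @@: the rewrapped sentence keeps ``bond,port-channel`` without a space after the comma and ``a Aruba/HP 2510G switch`` with the wrong article. Since both lines are being rewritten anyway, change them to ``bond, port-channel`` and ``an Aruba/HP 2510G switch`` in the same edit.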
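
Review bot: docs/configuration/interfaces/openvpn.rst, hunk @@ -326,8 +328,8 @@: the reflowed paragraph still tells the reader only that the client key and cert files "are plaintext so they may be copied either manually, or through a remote file transfer tool like scp". The client key is generated a few lines earlier with ``build-client-full branch1 nopass``, so it is an unencrypted private key. The paragraph should say so and ask for it to be moved only over an authenticated, encrypted channel and stored readable by root only on the branch router, while ``ca.crt`` and the client certificate need no such care.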
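
Review bot: docs/configuration/interfaces/openvpn.rst, hunk @@ -453,8 +457,8 @@: the new line ``name-server 203.0.113.0.10`` has five octets and is not a valid IPv4 address, so the LDAP example can no longer be pasted as is. Use a well-formed address from the same documentation range, for example ``name-server 203.0.113.10``. Replacing ``1.1.1.1`` and ``9.9.9.9`` with documentation addresses is also a content change, unlike the line wrapping in the rest of the patch, and should be called out in the commit message.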
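
Review bot: docs/configuration/interfaces/openvpn.rst, hunk @@ -534,7 +538,8 @@: the ``.. cfgcmd::`` argument is now split, with ``'push "keepalive 1 10"'`` on its own line. The second line only remains part of the directive argument if it is indented under it, and readers copy this command verbatim, so confirm that the built page still renders it as the single line ``set interfaces openvpn vtun10 openvpn-option 'push "keepalive 1 10"'``. The same check applies to every wrapped ``cfgcmd`` in wireless.rst.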
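
Review bot: docs/configuration/interfaces/wireguard.rst, hunk @@ -262,4 +262,8 @@: the added ``.. start_vyoslinter`` is the last line of the file and is followed by ``\ No newline at end of file``. End the file with a newline so that the comment line is terminated and a later append does not show up as a modification of this line.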
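
Review bot: docs/configuration/interfaces/wireless.rst, hunk @@ -225,15 +233,19 @@: the two context lines at the top of the hunk describe both ``multi-user-beamformer`` and ``multi-user-beamformee`` as "Support for operation as single user beamformer", which reads like a copy-paste leftover. This hunk already reflows the text directly below, so correct the two descriptions here to name the multi user beamformer and multi user beamformee roles respectively.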