diff options
Diffstat (limited to 'docs/configuration')
| -rw-r--r-- | docs/configuration/loadbalancing/reverse-proxy.rst | 2 | ||||
| -rw-r--r-- | docs/configuration/nat/nat66.rst | 97 | ||||
| -rw-r--r-- | docs/configuration/pki/index.rst | 44 | ||||
| -rw-r--r-- | docs/configuration/service/dhcp-server.rst | 148 | ||||
| -rw-r--r-- | docs/configuration/service/https.rst | 78 | 
5 files changed, 206 insertions, 163 deletions
| diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 04b612f5..19ef3773 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -105,7 +105,7 @@ Backend       of the client     * ``round-robin`` Distributes requests in a circular manner,       sequentially sending each request to the next server in line -   * ``least-connection`` Distributes requests tp tje server wotj the fewest  +   * ``least-connection`` Distributes requests to the server with the fewest       active connections  .. cfgcmd:: set load-balancing reverse-proxy backend <name> mode diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 66cceb0a..9345e708 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -137,3 +137,100 @@ R2:    set interfaces bridge br1 member interface eth1    set protocols static route6 ::/0 next-hop fc01::1    set service router-advert interface br1 prefix ::/0 + + +Use the following topology to translate internal user local addresses (``fc::/7``) +to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair. + +.. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png +   :alt: VyOS NAT66 DHCPv6 using a dummy interface + +Configure both routers (a and b) for DHCPv6-PD via dummy interface: + +.. code-block:: none + +  set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy' +  set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0' +  set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0' +  set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0' +  set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0' +  set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit +  commit + +Get the DHCPv6-PD prefixes from both routers: + +.. code-block:: none + +  trae@cr01a-vyos# run show interfaces dummy dum1 br +  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down +  Interface        IP Address                        S/L  Description +  ---------        ----------                        ---  ----------- +  dum1             2001:db8:123:b008::/64           u/u  DHCPv6-PD NPT dummy +                   2001:db8:123:b00a::/64 +                   2001:db8:123:b00b::/64 +                   2001:db8:123:b009::/64 + +  trae@cr01b-vyos# run show int dummy dum1 brief +  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down +  Interface        IP Address                        S/L  Description +  ---------        ----------                        ---  ----------- +  dum1             2001:db8:123:b00d::/64           u/u  DHCPv6-PD NPT dummy +                   2001:db8:123:b00c::/64 +                   2001:db8:123:b00e::/64 +                   2001:db8:123:b00f::/64 + +Configure the A-side router for NPTv6 using the prefixes above: + +.. code-block:: none + +  set nat66 source rule 10 description 'NPT to VLAN 10' +  set nat66 source rule 10 outbound-interface name 'bond0.20' +  set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' +  set nat66 source rule 10 translation address '2001:db8:123:b008::/64' +  set nat66 source rule 20 description 'NPT to VLAN 70' +  set nat66 source rule 20 outbound-interface name 'bond0.20' +  set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' +  set nat66 source rule 20 translation address '2001:db8:123:b009::/64' +  set nat66 source rule 30 description 'NPT to VLAN 200' +  set nat66 source rule 30 outbound-interface name 'bond0.20' +  set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' +  set nat66 source rule 30 translation address '2001:db8:123:b00a::/64' +  set nat66 source rule 40 description 'NPT to VLAN 240' +  set nat66 source rule 40 outbound-interface name 'bond0.20' +  set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' +  set nat66 source rule 40 translation address '2001:db8:123:b00b::/64' +  commit + +Configure the B-side router for NPTv6 using the prefixes above: + +.. code-block:: none + +  set nat66 source rule 10 description 'NPT to VLAN 10' +  set nat66 source rule 10 outbound-interface name 'bond0.20' +  set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' +  set nat66 source rule 10 translation address '2001:db8:123:b00c::/64' +  set nat66 source rule 20 description 'NPT to VLAN 70' +  set nat66 source rule 20 outbound-interface name 'bond0.20' +  set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' +  set nat66 source rule 20 translation address '2001:db8:123:b00d::/64' +  set nat66 source rule 30 description 'NPT to VLAN 200' +  set nat66 source rule 30 outbound-interface name 'bond0.20' +  set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' +  set nat66 source rule 30 translation address '2001:db8:123:b00e::/64' +  set nat66 source rule 40 description 'NPT to VLAN 240' +  set nat66 source rule 40 outbound-interface name 'bond0.20' +  set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' +  set nat66 source rule 40 translation address '2001:db8:123:b00f::/64' +  commit + +Verify that connections are hitting the rule on both sides: + +.. code-block:: none + +  trae@cr01a-vyos# run show nat66 source statistics +  Rule    Packets    Bytes    Interface +  ------  ---------  -------  ----------- +  10      1          104      bond0.20 +  20      1          104      bond0.20 +  30      8093       669445   bond0.20 +  40      2446       216912   bond0.20 diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index 66ad84a3..1fea13ac 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-09-01 +:lastproofread: 2024-01-05  .. include:: /_include/need_improvement.txt @@ -248,6 +248,44 @@ certificates used by services on this router.    If CA is present, this certificate will be included in generated CRLs +ACME +^^^^ + +The VyOS PKI subsystem can also be used to automatically retrieve Certificates +using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol. + +.. cfgcmd:: set pki certificate <name> acme domain-name <name> + +  Domain names to apply, multiple domain-names can be specified. + +  This is a mandatory option + +.. cfgcmd:: set pki certificate <name> acme email <address> + +  Email used for registration and recovery contact. + +  This is a mandatory option + +.. cfgcmd:: set pki certificate <name> acme listen-address <address> + +  The address the server listens to during http-01 challenge + +.. cfgcmd:: set pki certificate <name> acme rsa-key-size <2048 | 3072 | 4096> + +  Size of the RSA key. + +  This options defaults to 2048 + +.. cfgcmd:: set pki certificate <name> acme url <url> + +  ACME Directory Resource URI. + +  This defaults to https://acme-v02.api.letsencrypt.org/directory + +  .. note:: During initial deployment we recommend using the staging API +    of LetsEncrypt to prevent and blacklisting of your system. The API +    endpoint is https://acme-staging-v02.api.letsencrypt.org/directory +  Operation  ========= @@ -292,3 +330,7 @@ also to display them.  .. opcmd:: show pki crl    Show a list of installed :abbr:`CRLs (Certificate Revocation List)`. + +.. opcmd:: renew certbot + +  Manually trigger certificate renewal. This will be done twice a day. diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 0cc10feb..c51a0aff 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -4,7 +4,7 @@  DHCP Server  ########### -VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment. +VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment.  ***********  IPv4 server @@ -26,12 +26,7 @@ Configuration     Create DNS record per client lease, by adding clients to /etc/hosts file.     Entry will have format: `<shared-network-name>_<hostname>.<domain-name>` -.. cfgcmd:: set service dhcp-server host-decl-name - -   Will drop `<shared-network-name>_` from client DNS record, using only the -   host declaration name and domain: `<hostname>.<domain-name>` - -.. cfgcmd:: set service dhcp-server shared-network-name <name> domain-name <domain-name> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-name <domain-name>     The domain-name parameter should be the domain name that will be appended to     the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP @@ -40,7 +35,7 @@ Configuration     This is the configuration parameter for the entire shared network definition.     All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name <name> domain-search <domain-name> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-search <domain-name>     The domain-name parameter should be the domain name used when completing DNS     request where no full FQDN is passed. This option can be given multiple times @@ -49,7 +44,7 @@ Configuration     This is the configuration parameter for the entire shared network definition.     All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name <name> name-server <address> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option name-server <address>     Inform client that the DNS server can be found at `<address>`. @@ -58,21 +53,6 @@ Configuration     Multiple DNS servers can be defined. -.. cfgcmd:: set service dhcp-server shared-network-name <name> ping-check - -   When the DHCP server is considering dynamically allocating an IP address to a -   client, it first sends an ICMP Echo request (a ping) to the address being -   assigned. It waits for a second, and if no ICMP Echo response has been heard, -   it assigns the address. - -   If a response is heard, the lease is abandoned, and the server does not -   respond to the client. The lease will remain abandoned for a minimum of -   abandon-lease-time seconds (defaults to 24 hours). - -   If there are no free addresses but there are abandoned IP addresses, the -   DHCP server will attempt to reclaim an abandoned IP address regardless of the -   value of abandon-lease-time. -  .. cfgcmd:: set service dhcp-server listen-address <address>     This configuration parameter lets the DHCP server to listen for DHCP  @@ -91,14 +71,20 @@ Individual Client Subnet     network.  .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> -   default-router <address> +   subnet-id <id> + +   This configuration parameter is required and must be unique to each subnet. +   It is required to map subnets to lease file entries. + +.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> +   option default-router <address>     This is a configuration parameter for the `<subnet>`, saying that as part of     the response, tell the client that the default gateway can be reached at     `<address>`.  .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> -   name-server <address> +   option name-server <address>     This is a configuration parameter for the subnet, saying that as part of the     response, tell the client that the DNS server can be found at `<address>`. @@ -133,40 +119,19 @@ Individual Client Subnet     This option can be specified multiple times.  .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> -   domain-name <domain-name> +   option domain-name <domain-name>     The domain-name parameter should be the domain name that will be appended to     the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP     Option 015).  .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> -   domain-search <domain-name> +   option domain-search <domain-name>     The domain-name parameter should be the domain name used when completing DNS     request where no full FQDN is passed. This option can be given multiple times     if you need multiple search domains (DHCP Option 119). -.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> -   ping-check - -   When the DHCP server is considering dynamically allocating an IP address to a -   client, it first sends an ICMP Echo request (a ping) to the address being -   assigned. It waits for a second, and if no ICMP Echo response has been heard, -   it assigns the address. - -   If a response is heard, the lease is abandoned, and the server does not -   respond to the client. The lease will remain abandoned for a minimum of -   abandon-lease-time seconds (defaults to 24 hours). - -   If a there are no free addresses but there are abandoned IP addresses, the -   DHCP server will attempt to reclaim an abandoned IP address regardless of the -   value of abandon-lease-time. - -.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> -   enable-failover - -   Enable DHCP failover configuration for this address pool. -  Failover  -------- @@ -238,6 +203,7 @@ inside the subnet definition but can be outside of the range statement.  .. code-block:: none +  set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1    set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100    set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 @@ -251,6 +217,7 @@ The configuration will look as follows:             ip-address 192.168.1.100             mac-address aa:bb:11:22:33:00         } +       subnet-id 1     }  Options @@ -391,32 +358,6 @@ Options  Multi: can be specified multiple times. -Raw Parameters -============== - -Raw parameters can be passed to shared-network-name, subnet and static-mapping: - -.. code-block:: none - -  set service dhcp-server shared-network-name <name> shared-network-parameters -     <text>       Additional shared-network parameters for DHCP server. -  set service dhcp-server shared-network-name <name> subnet <subnet> subnet-parameters -     <text>       Additional subnet parameters for DHCP server. -  set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping <description> static-mapping-parameters -     <text>       Additional static-mapping parameters for DHCP server. -                  Will be placed inside the "host" block of the mapping. - -These parameters are passed as-is to isc-dhcp's dhcpd.conf under the -configuration node they are defined in. They are not validated so an error in -the raw parameters won't be caught by vyos's scripts and will cause dhcpd to -fail to start. Always verify that the parameters are correct before committing -the configuration. Refer to isc-dhcp's dhcpd.conf manual for more information: -https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf - -Quotes can be used inside parameter values by replacing all quote characters -with the string ``"``. They will be replaced with literal quote characters -when generating dhcpd.conf. -  Example  ======= @@ -439,12 +380,12 @@ Common configuration, valid for both primary and secondary node.  .. code-block:: none -  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254' -  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 name-server '192.0.2.254' -  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net' +  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option default-router '192.0.2.254' +  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option name-server '192.0.2.254' +  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net'    set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10'    set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' -  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 enable-failover +  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 subnet-id '1'  **Primary** @@ -467,47 +408,6 @@ Common configuration, valid for both primary and secondary node.  .. _dhcp-server:v4_example_raw: -Raw Parameters --------------- - -* Override static-mapping's name-server with a custom one that will be sent only -  to this host. -* An option that takes a quoted string is set by replacing all quote characters -  with the string ``"`` inside the static-mapping-parameters value. -  The resulting line in dhcpd.conf will be -  ``option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";``. - - -.. code-block:: none - -  set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;" -  set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";" - -Option 43 for UniFI -------------------- - -* These parameters need to be part of the DHCP global options. -  They stay unchanged. - - -.. code-block:: none - - set service dhcp-server global-parameters 'option space ubnt;' - set service dhcp-server global-parameters 'option ubnt.unifi-address code 1 = ip-address;' - set service dhcp-server global-parameters 'class "ubnt" {' - set service dhcp-server global-parameters 'match if substring (option vendor-class-identifier, 0, 4) = "ubnt";' - set service dhcp-server global-parameters 'option vendor-class-identifier "ubnt";' - set service dhcp-server global-parameters 'vendor-option-space ubnt;' - set service dhcp-server global-parameters '}' - -* Now we add the option to the scope, adapt to your setup - - -.. code-block:: none - - set service dhcp-server shared-network-name example-scope subnet 10.1.1.0/24 subnet-parameters 'option ubnt.unifi-address 172.16.1.10;' - -  Operation Mode  ============== @@ -614,6 +514,12 @@ Configuration     Clients receiving advertise messages from multiple servers choose the server     with the highest preference value. The range for this value is ``0...255``. +.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet <subnet> +   subnet-id <id> + +   This configuration parameter is required and must be unique to each subnet. +   It is required to map subnets to lease file entries. +  .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet     <prefix> lease-time {default | maximum | minimum} @@ -690,6 +596,7 @@ server. The following example describes a common scenario.    set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199    set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff +  set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1  The configuration will look as follows: @@ -704,6 +611,7 @@ The configuration will look as follows:                  }               }               name-server 2001:db8::ffff +             subnet-id 1            }        } diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index eb2e30eb..973c5355 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -1,7 +1,7 @@  .. _http-api:  ######## -HTTP-API +HTTP API  ########  VyOS provide an HTTP API. You can use it to execute op-mode commands, @@ -13,75 +13,71 @@ Please take a look at the :ref:`vyosapi` page for an detailed how-to.  Configuration  ************* -.. cfgcmd:: set service https api keys id <name> key <apikey> +.. cfgcmd:: set service https allow-client address <address> -   Set a named api key. Every key has the same, full permissions -   on the system. +   Only allow certain IP addresses or prefixes to access the https +   webserver. -.. cfgcmd:: set service https api debug +.. cfgcmd:: set service https certificates ca-certificate <name> -   To enable debug messages. Available via :opcmd:`show log` or -   :opcmd:`monitor log` +   Use CA certificate from PKI subsystem -.. cfgcmd:: set service https api strict +.. cfgcmd:: set service https certificates certificate <name> -   Enforce strict path checking +   Use certificate from PKI subsystem -.. cfgcmd:: set service https virtual-host <vhost> listen-address -            <ipv4 or ipv6 address> +.. cfgcmd:: set service https certificates dh-params <name> -   Address to listen for HTTPS requests +   Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. +   Must be at least 2048 bits in length. -.. cfgcmd:: set service https virtual-host <vhost> port <1-65535> +.. cfgcmd:: set service https listen-address <address> -   Port to listen for HTTPS requests; default 443 +   Webserver should only listen on specified IP address -.. cfgcmd:: set service https virtual-host <vhost> server-name <text> +.. cfgcmd:: set service https port <number> -   Server names for virtual hosts it can be exact, wildcard or regex. +   Webserver should listen on specified port. -.. cfgcmd:: set service https api-restrict virtual-host <vhost> +   Default: 443 -   By default, nginx exposes the local API on all virtual servers. -   Use this to restrict nginx to one or more virtual hosts. +.. cfgcmd:: set service https enable-http-redirect -.. cfgcmd:: set service https certificates certbot domain-name <text> +   Enable automatic redirect from http to https. -   Domain name(s) for which to obtain certificate +.. cfgcmd:: set service https tls-version <1.2 | 1.3> -.. cfgcmd:: set service https certificates certbot email +   Select TLS version used. -   Email address to associate with certificate +   This defaults to both 1.2 and 1.3. -.. cfgcmd:: set service https certificates system-generated-certificate +.. cfgcmd:: set service https vrf <name> -   Use an automatically generated self-signed certificate +   Start Webserver in given  VRF. -.. cfgcmd:: set service https certificates system-generated-certificate -   lifetime <days> +API +=== -   Lifetime in days; default is 365 +.. cfgcmd:: set service https api keys id <name> key <apikey> +   Set a named api key. Every key has the same, full permissions +   on the system. -********************* -Example Configuration -********************* +.. cfgcmd:: set service https api debug -Set an API-KEY is the minimal configuration to get a working API Endpoint. +   To enable debug messages. Available via :opcmd:`show log` or +   :opcmd:`monitor log` -.. code-block:: none +.. cfgcmd:: set service https api strict -   set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY +   Enforce strict path checking +********************* +Example Configuration +********************* -To use this full configuration we asume a public accessible hostname. +Set an API-KEY is the minimal configuration to get a working API Endpoint.  .. code-block:: none     set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY -   set service https certificates certbot domain-name rtr01.example.com -   set service https certificates certbot email mail@example.com -   set service https virtual-host rtr01 listen-address 198.51.100.2 -   set service https virtual-host rtr01 port 11443 -   set service https virtual-host rtr01 server-name rtr01.example.com -   set service https api-restrict virtual-host rtr01 | 
