Diffstat (limited to 'docs')
-rw-r--r--  docs/_static/images/gowin-01.png  (binary, 0 -> 355723 bytes)
-rw-r--r--  docs/_static/images/gowin-02.png  (binary, 0 -> 2613833 bytes)
-rw-r--r--  docs/_static/images/gowin-03.png  (binary, 0 -> 2268530 bytes)
-rw-r--r--  docs/_static/images/gowin-04.png  (binary, 0 -> 2165023 bytes)
-rw-r--r--  docs/automation/terraform/terraformAWS.rst  8
-rw-r--r--  docs/automation/terraform/terraformGoogle.rst  26
-rw-r--r--  docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst  2
-rw-r--r--  docs/configuration/firewall/groups.rst  1
-rw-r--r--  docs/configuration/firewall/zone.rst  3
-rw-r--r--  docs/configuration/interfaces/wwan.rst  1
-rw-r--r--  docs/configuration/pki/index.rst  2
-rw-r--r--  docs/configuration/vpn/dmvpn.rst  2
-rw-r--r--  docs/configuration/vpn/ipsec.rst  66
-rw-r--r--  docs/configuration/vpn/l2tp.rst  111
-rw-r--r--  docs/configuration/vpn/openconnect.rst  4
-rw-r--r--  docs/configuration/vpn/sstp.rst  113
-rw-r--r--  docs/documentation.rst  2
-rw-r--r--  docs/installation/vyos-on-baremetal.rst  257
18 files changed, 442 insertions, 156 deletions
diff --git a/docs/_static/images/gowin-01.png b/docs/_static/images/gowin-01.png
new file mode 100644
index 00000000..403ce52a
--- /dev/null
+++ b/docs/_static/images/gowin-01.png
Binary files differ
diff --git a/docs/_static/images/gowin-02.png b/docs/_static/images/gowin-02.png
new file mode 100644
index 00000000..413f2948
--- /dev/null
+++ b/docs/_static/images/gowin-02.png
Binary files differ
diff --git a/docs/_static/images/gowin-03.png b/docs/_static/images/gowin-03.png
new file mode 100644
index 00000000..fbdbb142
--- /dev/null
+++ b/docs/_static/images/gowin-03.png
Binary files differ
diff --git a/docs/_static/images/gowin-04.png b/docs/_static/images/gowin-04.png
new file mode 100644
index 00000000..c68b8731
--- /dev/null
+++ b/docs/_static/images/gowin-04.png
Binary files differ
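Review bot: the four new PNGs add roughly 7.4 MB to the repository (gowin-02 alone is 2.6 MB according to the diffstat), and every future clone of the docs tree carries that forever; suggest downscaling or running them through a lossless optimizer before merging, and confirming that vyos-on-baremetal.rst references all four.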
diff --git a/docs/automation/terraform/terraformAWS.rst b/docs/automation/terraform/terraformAWS.rst
index c705d55e..e068377d 100644
--- a/docs/automation/terraform/terraformAWS.rst
+++ b/docs/automation/terraform/terraformAWS.rst
@@ -26,16 +26,16 @@ Step by step:
AWS
- 1 Create an account with AWS and get your "access_key", "secret key"
+1 Create an account with AWS and get your "access_key", "secret key"
- 2 Create a key pair_ and download your .pem key
+2 Create a key pair_ and download your .pem key
.. image:: /_static/images/keypairs.png
:width: 50%
:align: center
:alt: Network Topology Diagram
- 3 Create a security group_ for the new VyOS instance and open all traffic
+3 Create a security group_ for the new VyOS instance and open all traffic
.. image:: /_static/images/sg.png
:width: 50%
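Review bot: step 3 still tells the reader to create a security group that opens all traffic to the new VyOS instance; since these numbered steps are being touched anyway, suggest restricting the example to what the procedure actually needs (SSH from the operator's own address) and stating that a wide-open group is acceptable only for a throwaway lab.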
@@ -263,7 +263,7 @@ If you need to delete the instance please type the command:
Troubleshooting
---------------
- 1 Ansible doesn't connect via SSH to your AWS instance: you have to check that your SSH key has copied into the path /root/aws/.
+1 Ansible doesn't connect via SSH to your AWS instance: you have to check that your SSH key has copied into the path /root/aws/.
Also, increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location).
Make sure that you have opened access to the instance in the security group.
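Review bot: "check that your SSH key has copied into the path /root/aws/" should read "has been copied to /root/aws/"; the same item would also help readers more if it named the key in instance.yml that holds the 300 second value they are asked to raise.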
diff --git a/docs/automation/terraform/terraformGoogle.rst b/docs/automation/terraform/terraformGoogle.rst
index 7cdd1211..01009be3 100644
--- a/docs/automation/terraform/terraformGoogle.rst
+++ b/docs/automation/terraform/terraformGoogle.rst
@@ -19,14 +19,14 @@ Step by step:
google cloud
- 1 Create an account with google cloud and a new project
+1 Create an account with google cloud and a new project
.. image:: /_static/images/project.png
:width: 50%
:align: center
:alt: Network Topology Diagram
- 2 Create a service aacount and download your key (.JSON)
+2 Create a service aacount and download your key (.JSON)
.. image:: /_static/images/service.png
:width: 50%
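Review bot: "service aacount" in the re-indented step 2 is still misspelled; please fix it to "service account" while touching the line.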
@@ -49,19 +49,19 @@ The .JSON file download automaticly after creating and will look like:
Terraform
- 1 Create an UNIX or Windows instance
+1 Create an UNIX or Windows instance
- 2 Download and install Terraform
+2 Download and install Terraform
- 3 Create the folder for example /root/google
+3 Create the folder for example /root/google
.. code-block:: none
mkdir /root/google
- 4 Copy all files into your Terraform project "/root/google" (vyos.tf, var.tf, terraform.tfvars, .JSON), more detailed see `Structure of files Terrafom for google cloud`_
+4 Copy all files into your Terraform project "/root/google" (vyos.tf, var.tf, terraform.tfvars, .JSON), more detailed see `Structure of files Terrafom for google cloud`_
- 5 Type the commands :
+5 Type the commands :
.. code-block:: none
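Review bot: "Create an UNIX or Windows instance" should be "a UNIX ..." and "more detailed see" reads better as "for details see". Note that the link text `Structure of files Terrafom for google cloud`_ contains a typo ("Terrafom") that can only be corrected together with the heading it points to, otherwise the reference breaks.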
@@ -73,13 +73,13 @@ Terraform
Ansible
- 1 Create an UNIX instance whenever you want (local, cloud, and so on)
+1 Create an UNIX instance whenever you want (local, cloud, and so on)
- 2 Download and install Ansible
+2 Download and install Ansible
- 3 Create the folder for example /root/google/
+3 Create the folder for example /root/google/
- 4 Copy all files into your Ansible project "/root/google/" (ansible.cfg, instance.yml, mykey.json and "all"), more detailed see `Structure of files Ansible for google cloud`_
+4 Copy all files into your Ansible project "/root/google/" (ansible.cfg, instance.yml, mykey.json and "all"), more detailed see `Structure of files Ansible for google cloud`_
mykey.json you have to get using step 2 of the google cloud
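Review bot: same "an UNIX" article issue as in the Terraform list above. The trailing sentence "mykey.json you have to get using step 2 of the google cloud" would be clearer as "mykey.json is the service account key downloaded in step 2 of the google cloud section", and since that file is a credential, the instructions should say to keep it out of version control alongside the other project files.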
@@ -341,10 +341,10 @@ If you need to delete the instance please type the command:
Troubleshooting
---------------
- 1 Increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location).
+1 Increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location).
Make sure that you have opened access to the instance in the security group.
- 2 Terraform doesn't connect via SSH to your Ansible instance: you have to check the correct login and password in the part of the file VyOS.tf
+2 Terraform doesn't connect via SSH to your Ansible instance: you have to check the correct login and password in the part of the file VyOS.tf
.. code-block:: none
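Review bot: troubleshooting item 2 sends readers to "the correct login and password in the part of the file VyOS.tf"; if the example keeps credentials inline in the .tf file, the docs should at least point to terraform.tfvars (listed in step 4) as the place for them and say to exclude that file from version control, rather than having people edit a password in place. Also "VyOS.tf" here versus "vyos.tf" in step 4: pick one spelling, since filenames are case-sensitive.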
diff --git a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
index 5bfcb642..0f7c9daf 100644
--- a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
+++ b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
@@ -207,7 +207,7 @@ Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default,
Firewall
========
-Finally, don't forget the :ref:`firewall`. The usage is identical, except for
+Finally, don't forget the :ref:`Firewall<configuration/firewall/index:Firewall>`. The usage is identical, except for
instead of `set firewall name NAME`, you would use `set firewall ipv6-name
NAME`.
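Review bot: the replacement line is well over 80 columns while the rest of this file wraps at 80; the :ref: role itself cannot be broken, so rewrap the paragraph after it ("The usage is identical, ...") onto the following line.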
diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst
index fa32b98e..b7364154 100644
--- a/docs/configuration/firewall/groups.rst
+++ b/docs/configuration/firewall/groups.rst
@@ -231,6 +231,7 @@ As any other firewall group, dynamic firewall groups can be used in firewall
rules as matching options. For example:
.. code-block:: none
+
set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO
set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index 73ce0a4d..0e659247 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -17,9 +17,6 @@ Overview
Documentation for most of the new firewall CLI can be
found in the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
- chapter. The legacy firewall is still available for versions before
- 1.4-rolling-202308040557 and can be found in the
- :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
chapter.
In this section there's useful information on all firewall configuration that
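Review bot: deleting the pointer to the legacy firewall chapter leaves readers on images older than 1.4-rolling-202308040557 with no hint that the CLI documented here does not apply to them; if the legacy page is gone, keep a one-line note naming that release boundary. While here, the remaining hard-coded https://docs.vyos.io/en/latest/... link should become a :doc: or :ref: cross-reference so it follows whichever version is being built.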
diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst
index 00f927bb..b4b6a9ce 100644
--- a/docs/configuration/interfaces/wwan.rst
+++ b/docs/configuration/interfaces/wwan.rst
@@ -315,6 +315,7 @@ The following hardware modules have been tested successfully in an
* Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)
* Huawei ME909u-521 miniPCIe card (LTE)
* Huawei ME909s-120 miniPCIe card (LTE)
+* HP LT4120 Snapdragon X5 LTE
***************
Firmware Update
diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst
index 0ead198f..cad80f25 100644
--- a/docs/configuration/pki/index.rst
+++ b/docs/configuration/pki/index.rst
@@ -370,7 +370,7 @@ Examples
========
Create a CA chain and leaf certificates
--------------------------------------
+---------------------------------------
This configuration generates & installs into the VyOS PKI system a root
certificate authority, alongside two intermediary certificate authorities for
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index 7a4b81f7..21df8cfd 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -162,7 +162,7 @@ Example
This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as
-multiple spoke sites. The lab was build using :abbr:`EVE-NG (Emulated Virtual
+multiple spoke sites. The lab was built using :abbr:`EVE-NG (Emulated Virtual
Environment NG)`.
.. figure:: /_static/images/blueprint-dmvpn.png
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index c1ec645f..5e44312d 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -13,10 +13,10 @@ address, which makes it easier to setup static routes or use dynamic routing
protocols without having to modify IPsec policies. The other advantage is that
it greatly simplifies router to router communication, which can be tricky with
plain IPsec because the external outgoing address of the router usually doesn't
-match the IPsec policy of typical site-to-site setup and you need to add special
-configuration for it, or adjust the source address for outgoing traffic of your
-applications. GRE/IPsec has no such problem and is completely transparent for
-the applications.
+match the IPsec policy of a typical site-to-site setup and you would need to
+add special configuration for it, or adjust the source address of the outgoing
+traffic of your applications. GRE/IPsec has no such problem and is completely
+transparent for applications.
GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme
easy to implement between VyOS and virtually any other router.
@@ -32,6 +32,7 @@ for the cipher and hash. Adjust this as necessary.
**************************************
IKE (Internet Key Exchange) Attributes
**************************************
+
IKE performs mutual authentication between two parties and establishes
an IKE security association (SA) that includes shared secret information
that can be used to efficiently establish SAs for Encapsulating Security
@@ -157,19 +158,38 @@ VyOS ESP group has the next options:
* ``hash`` hash algorithm (default sha1).
+ * ``disable-rekey`` Do not locally initiate a re-key of the SA, remote
+ peer must re-key before expiration.
+
***********************************************
Options (Global IPsec settings) Attributes
***********************************************
* ``options``
- * ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
-
- * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
-
- * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;
-
- * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy.
+ * ``disable-route-autoinstall`` Do not automatically install routes to remote
+ networks;
+
+ * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
+ FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
+ Cisco brand devices allow negotiating a local traffic selector (from
+ strongSwan's point of view) that is not the assigned virtual IP address if
+ such an address is requested by strongSwan. Sending the Cisco FlexVPN
+ vendor ID prevents the peer from narrowing the initiator's local traffic
+ selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
+ instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
+ template but should also work for GRE encapsulation;
+
+ * ``interface`` Interface Name to use. The name of the interface on which
+ virtual IP addresses should be installed. If not specified the addresses
+ will be installed on the outbound interface;
+
+ * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma
+ separated list of virtual IPs to request in IKEv2 configuration payloads or
+ IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an
+ arbitrary address, specific addresses may be defined. The responder may
+ return a different address, or none at all. Define the ``virtual-address``
+ option to configure the IP address in a site-to-site hierarchy.
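Review bot: the new ``disable-rekey`` entry should spell out the failure mode: if the remote peer never initiates a re-key either, the SA simply expires at the end of its lifetime and traffic stops until a fresh negotiation, so the option belongs only on the side whose peer is known to re-key (for example where the peer rejects locally initiated re-keys). Suggest appending a sentence to that effect, since "remote peer must re-key before expiration" on its own reads like a guarantee rather than a requirement on the operator.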
*************************
IPsec policy matching GRE
@@ -226,7 +246,7 @@ On the RIGHT, setup by analogy and swap local and remote addresses.
Source tunnel from dummy interface
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+==================================
The scheme above doesn't work when one of the routers has a dynamic external
address though. The classic workaround for this is to setup an address on a
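Review bot: changing the underline from ^ to = promotes "Source tunnel from dummy interface" from a subsection of "IPsec policy matching GRE" to a section in its own right; please confirm that is intended, because the paragraph that follows ("The scheme above doesn't work when ...") reads as a continuation of the GRE section and will now appear detached from it in the table of contents.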
@@ -372,8 +392,8 @@ IKEv2 IPSec road-warriors remote-access VPN
*******************************************
Internet Key Exchange version 2, IKEv2 for short, is a request/response
-protocol developed by both Cisco and Microsoft. It is used to establish
-and secure IPv4/IPv6 connections, be it a site-to-site VPN or from a
+protocol developed by both Cisco and Microsoft. It is used to establish and
+secure IPv4/IPv6 connections, be it a site-to-site VPN or from a
road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint,
or remote-access/road-warrior mode, secures the server-side with another layer
by using an x509 signed server certificate.
@@ -396,11 +416,11 @@ This example uses CACert as certificate authority.
set pki ca CAcert_Class_3_Root certificate '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'
set pki ca CAcert_Signing_Authority certificate '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'
-After you obtained your server certificate you can import it from a file
-on the local filesystem, or paste it into the CLI. Please note that
-when entering the certificate manually you need to strip the
-``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the certificate
-or key needs to be presented in a single line without line breaks (``\n``).
+After you obtain your server certificate you can import it from a file on the
+local filesystem, or paste it into the CLI. Please note that when entering the
+certificate manually you need to strip the ``-----BEGIN KEY-----`` and
+``-----END KEY-----`` tags. Also, the certificate or key needs to be presented
+in a single line without line breaks (``\n``).
To import it from the filesystem use:
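Review bot: the paragraph is about importing the server certificate, but the markers it tells the reader to strip are ``-----BEGIN KEY-----`` / ``-----END KEY-----``, which are not the labels found in a typical PEM file: a certificate is delimited by ``-----BEGIN CERTIFICATE-----`` / ``-----END CERTIFICATE-----`` and a PKCS#8 key by ``-----BEGIN PRIVATE KEY-----`` / ``-----END PRIVATE KEY-----``. Since the rewrap touches these lines anyway, suggest naming the real labels or saying generically "strip the ``-----BEGIN ...-----`` and ``-----END ...-----`` lines".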
@@ -440,7 +460,7 @@ Every connection/remote-access pool we configure also needs a pool where
we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix
and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some
-DNS nameservers down to our clients used on their connection.
+DNS nameservers down for our clients to use with their connection.
.. code-block::
@@ -450,8 +470,8 @@ DNS nameservers down to our clients used on their connection.
set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
VyOS supports multiple IKEv2 remote-access connections. Every connection can
-have its dedicated IKE/ESP ciphers, certificates or local listen address for
-e.g. inbound load balancing.
+have its own dedicated IKE/ESP ciphers, certificates or local listen address
+for e.g. inbound load balancing.
We configure a new connection named ``rw`` for road-warrior, that identifies
itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate
@@ -624,7 +644,7 @@ Operation Mode
.. opcmd:: reset vpn ipsec site-to-site all
- Reset all site-to-site IPSec VPN sessions. It terminates all active
+ Reset all site-to-site IPSec VPN sessions. It terminates all active
child_sa and reinitiates the connection.
.. opcmd:: reset vpn ipsec site-to-site peer <name>
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index b64c91a9..a0f5fb1b 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -148,15 +148,15 @@ For example:
RADIUS source address
=====================
-If you are using OSPF as IGP, always the closest interface connected to the
-RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests
-to a single source IP e.g. the loopback interface.
+If you are using OSPF as your IGP, use the interface connected closest to the
+RADIUS server. You can bind all outgoing RADIUS requests to a single source IP
+e.g. the loopback interface.
.. cfgcmd:: set vpn l2tp remote-access authentication radius source-address <address>
Source IPv4 address used in all RADIUS server queires.
-.. note:: The ``source-address`` must be configured on one of VyOS interface.
+.. note:: The ``source-address`` must be configured to that of an interface.
Best practice would be a loopback or dummy interface.
RADIUS advanced options
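Review bot: the rewrite changes the meaning of the first sentence. The original described behaviour: with OSPF as IGP the request leaves via whichever interface is currently closest to the RADIUS server, so the source IP can change as routing changes, which is exactly why pinning a source-address matters. The new text turns that into an instruction ("use the interface connected closest to the RADIUS server") that contradicts the very next sentence about binding a single source IP. Suggest: "If you are using OSPF as your IGP, RADIUS requests are sent from whichever interface is closest to the RADIUS server at the time, so bind all outgoing RADIUS requests to a single source IP, e.g. the loopback interface." The note reads more naturally as "The ``source-address`` must be an address configured on one of the VyOS interfaces", and "queires" in the unchanged line above is a typo worth fixing in the same commit.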
@@ -218,7 +218,7 @@ RADIUS advanced options
The default attribute is `Filter-Id`.
.. note:: If you set a custom RADIUS attribute you must define it on both
- dictionaries at RADIUS server and client.
+ dictionaries on the RADIUS server and client.
.. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit enable
@@ -226,7 +226,7 @@ RADIUS advanced options
.. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit vendor
- Specifies the vendor dictionary, dictionary needs to be in
+ Specifies the vendor dictionary. This dictionary needs to be present in
/usr/share/accel-ppp/radius.
Received RADIUS attributes have a higher priority than parameters defined within
@@ -236,25 +236,28 @@ Allocation clients ip addresses by RADIUS
=========================================
If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
-address will be allocated to the client and the option ``default-pool`` within the CLI
-config is being ignored.
+address will be allocated to the client and the option ``default-pool`` within
+the CLI config will be ignored.
-If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
-from a predefined IP pool whose name equals the attribute value.
+If the RADIUS server sends the attribute ``Framed-Pool``, then the IP address
+will be allocated from a predefined IP pool whose name equals the attribute
+value.
-If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
-will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, the
+IPv6 address will be allocated from a predefined IPv6 pool ``prefix`` whose
+name equals the attribute value.
-If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
-delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
-whose name equals the attribute value.
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, an
+IPv6 delegation prefix will be allocated from a predefined IPv6 pool
+``delegate`` whose name equals the attribute value.
.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
-User interface can be put to VRF context via RADIUS Access-Accept packet, or change
-it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
-Define it in your RADIUS server.
+The client's interface can be put into a VRF context via a RADIUS Access-Accept
+packet, or changed via RADIUS CoA. ``Accel-VRF-Name`` is used for these
+purposes. This is a custom `ACCEL-PPP attribute`_. Define it in your RADIUS
+server.
Renaming clients interfaces by RADIUS
=====================================
@@ -296,19 +299,19 @@ IPv6
.. cfgcmd:: set vpn l2tp remote-access client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
mask <number-of-bits>
- Use this comand to set the IPv6 address pool from which an l2tp client
- will get an IPv6 prefix of your defined length (mask) to terminate the
- l2tp endpoint at their side. The mask length can be set from 48 to 128
- bit long, the default value is 64.
+ Use this comand to set the IPv6 address pool from which an l2tp client will
+ get an IPv6 prefix of your defined length (mask) to terminate the l2tp
+ endpoint at their side. The mask length can be set between 48 and 128 bits
+ long, the default value is 64.
.. cfgcmd:: set vpn l2tp remote-access client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
delegation-prefix <number-of-bits>
- Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
- l2tp. You will have to set your IPv6 pool and the length of the
- delegation prefix. From the defined IPv6 pool you will be handing out
- networks of the defined length (delegation-prefix). The length of the
- delegation prefix can be set from 32 to 64 bit long.
+ Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp.
+ You will have to set your IPv6 pool and the length of the delegation
+ prefix. From the defined IPv6 pool you will be handing out networks of the
+ defined length (delegation-prefix). The length of the delegation prefix can
+ be between 32 and 64 bits long.
.. cfgcmd:: set vpn l2tp remote-access default-ipv6-pool <IPv6-POOL-NAME>
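Review bot: "Use this comand" in the rewrapped client-ipv6-pool prefix description still says "comand"; please fix to "command" here, since the delegate entry directly below already spells it correctly.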
@@ -325,19 +328,19 @@ IPv6 Advanced Options
=====================
.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-accept-peer-interface-id
- Accept peer interface identifier. By default is not defined.
+ Accept peer interface identifier. By default this is not defined.
.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-interface-id <random | x:x:x:x>
- Specifies fixed or random interface identifier for IPv6.
- By default is fixed.
+ Specifies if a fixed or random interface identifier is used for IPv6. The
+ default is fixed.
* **random** - Random interface identifier for IPv6
* **x:x:x:x** - Specify interface identifier for IPv6
.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-interface-id <random | x:x:x:x>
- Specifies peer interface identifier for IPv6. By default is fixed.
+ Specifies the peer interface identifier for IPv6. The default is fixed.
* **random** - Random interface identifier for IPv6
* **x:x:x:x** - Specify interface identifier for IPv6
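Review bot: the two ``.. cfgcmd::`` directives for the interface identifier carry the same command, ``ppp-options ipv6-interface-id``, while the second one describes the peer interface identifier and the first the local one; the second directive most likely needs the peer variant of the option name (please check against the CLI), otherwise Sphinx documents one command twice with conflicting descriptions.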
@@ -350,19 +353,19 @@ Scripting
.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-change <path_to_script>
- Script to run when session interface changed by RADIUS CoA handling
+ Script to run when the session interface is changed by RADIUS CoA handling
.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-down <path_to_script>
- Script to run when session interface going to terminate
+ Script to run when the session interface is about to terminate
.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-pre-up <path_to_script>
- Script to run before session interface comes up
+ Script to run before the session interface comes up
.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-up <path_to_script>
- Script to run when session interface is completely configured and started
+ Script to run when the session interface is completely configured and started
****************
Advanced Options
@@ -378,17 +381,17 @@ Authentication Advanced Options
.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> static-ip
<address>
- Assign static IP address to `<user>` account.
+ Assign a static IP address to `<user>` account.
.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> rate-limit
download <bandwidth>
- Download bandwidth limit in kbit/s for `<user>`.
+ Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s.
.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> rate-limit
upload <bandwidth>
- Upload bandwidth limit in kbit/s for `<user>`.
+ Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s
.. cfgcmd:: set vpn l2tp remote-access authentication protocols
<pap | chap | mschap | mschap-v2>
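Review bot: the upload rate-limit description in this hunk lost its trailing full stop while its download twin keeps one; also "Assign a static IP address to `<user>` account" should be "to the `<user>` account".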
@@ -413,10 +416,10 @@ PPP Advanced Options
.. cfgcmd:: set vpn l2tp remote-access ppp-options interface-cache <number>
- Specifies number of interfaces to keep in cache. It means that don’t
- destroy interface after corresponding session is destroyed, instead
- place it to cache and use it later for new sessions repeatedly.
- This should reduce kernel-level interface creation/deletion rate lack.
+ Specifies number of interfaces to cache. This prevents interfaces from being
+ removed once the corresponding session is destroyed. Instead, interfaces are
+ cached for later use in new sessions. This should reduce the kernel-level
+ interface creation/deletion rate.
Default value is **0**.
.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv4 <require | prefer | allow | deny>
@@ -436,19 +439,20 @@ PPP Advanced Options
.. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-interval <interval>
If this option is specified and is greater than 0, then the PPP module will
- send LCP pings of the echo request every `<interval>` seconds.
+ send LCP echo requests every `<interval>` seconds.
Default value is **30**.
.. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-timeout
- Specifies timeout in seconds to wait for any peer activity. If this option
+ Specifies timeout in seconds to wait for any peer activity. If this option is
specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
is not used. Default value is **0**.
.. cfgcmd:: set vpn l2tp remote-access ppp-options min-mtu <number>
- Defines minimum acceptable MTU. If client will try to negotiate less then
- specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+ Defines the minimum acceptable MTU. If a client tries to negotiate an MTU
+ lower than this it will be NAKed, and disconnected if it rejects a greater
+ MTU.
Default value is **100**.
.. cfgcmd:: set vpn l2tp remote-access ppp-options mppe <require | prefer | deny>
@@ -460,9 +464,10 @@ PPP Advanced Options
* **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
* **deny** - deny mppe
- Default behavior - don't ask client for mppe, but allow it if client wants.
- Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
- attribute.
+ Default behavior - don't ask the client for mppe, but allow it if the client
+ wants.
+ Please note that RADIUS may override this option with the
+ MS-MPPE-Encryption-Policy attribute.
.. cfgcmd:: set vpn l2tp remote-access ppp-options mru <number>
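Review bot: the "Default behavior" sentence now conflicts with the option list directly above it: **prefer** is marked "(Default value)" and described as "ask client for mppe, if it rejects don't fail", while the paragraph says the default is "don't ask the client for mppe, but allow it if the client wants". One of the two statements is wrong; please verify which and make them agree. The RADIUS note would also help readers if it said that MS-MPPE-Encryption-Policy is a Microsoft vendor-specific attribute, so they know which dictionary to look in.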
@@ -481,7 +486,7 @@ Global Advanced options
.. cfgcmd:: set vpn l2tp remote-access limits connection-limit <value>
- Acceptable rate of connections (e.g. 1/min, 60/sec)
+ Maximum accepted connection rate (e.g. 1/min, 60/sec)
.. cfgcmd:: set vpn l2tp remote-access limits timeout <value>
@@ -497,9 +502,9 @@ Global Advanced options
.. cfgcmd:: set vpn l2tp remote-access name-server <address>
- Connected client should use `<address>` as their DNS server. This
- command accepts both IPv4 and IPv6 addresses. Up to two nameservers
- can be configured for IPv4, up to three for IPv6.
+ Connected clients should use `<address>` as their DNS server. This command
+ accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured
+ for IPv4, up to three for IPv6.
.. cfgcmd:: set vpn l2tp remote-access shaper fwmark <1-2147483647>
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst
index 845d9196..09d0574d 100644
--- a/docs/configuration/vpn/openconnect.rst
+++ b/docs/configuration/vpn/openconnect.rst
@@ -4,7 +4,7 @@
OpenConnect
###########
-OpenConnect-compatible server feature is available from this release.
+OpenConnect-compatible server feature has been available since Equuleus (1.3).
Openconnect VPN supports SSL connection and offers full network access. SSL VPN
network extension connects the end-user system to the corporate network with
access controls based only on network layer information, such as destination IP
@@ -32,7 +32,7 @@ will create a self signed certificates and will be stored in configuration:
run generate pki ca install <CA name>
run generate pki certificate sign <CA name> install <Server name>
-We can also create the certificates using Cerbort which is an easy-to-use
+We can also create the certificates using Certbot which is an easy-to-use
client that fetches a certificate from Let's Encrypt an open certificate
authority launched by the EFF, Mozilla, and others and deploys it to a web
server.
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index cd064162..e750cdcf 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -16,8 +16,8 @@ SSTP is available for Linux, BSD, and Windows.
VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both
local and RADIUS authentication.
-As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
-certificates as well as a private PKI is required.
+As SSTP provides PPP via a SSL/TLS channel the use of either publicly signed
+certificates or private PKI is required.
***********************
Configuring SSTP Server
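Review bot: "via a SSL/TLS channel" should be "via an SSL/TLS channel", since the acronym is read with a leading vowel sound; the rest of the rewording is an improvement.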
@@ -92,8 +92,8 @@ Configuring RADIUS authentication
*********************************
To enable RADIUS based authentication, the authentication mode needs to be
-changed within the configuration. Previous settings like the local users, still
-exists within the configuration, however they are not used if the mode has been
+changed within the configuration. Previous settings like the local users still
+exist within the configuration, however they are not used if the mode has been
changed from local to radius. Once changed back to local, it will use all local
accounts again.
@@ -121,15 +121,15 @@ For example:
RADIUS source address
=====================
-If you are using OSPF as IGP, always the closest interface connected to the
-RADIUS server is used. You can bind all outgoing RADIUS requests
-to a single source IP e.g. the loopback interface.
+If you are using OSPF as your IGP, use the interface connected closest to the
+RADIUS server. You can bind all outgoing RADIUS requests to a single source IP
+e.g. the loopback interface.
.. cfgcmd:: set vpn sstp authentication radius source-address <address>
Source IPv4 address used in all RADIUS server queires.
-.. note:: The ``source-address`` must be configured on one of VyOS interface.
+.. note:: The ``source-address`` must be configured to that of an interface.
Best practice would be a loopback or dummy interface.
RADIUS advanced options
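Review bot: the rewrite of the OSPF sentence changes its meaning. The old text described a behaviour (with OSPF as IGP the interface closest to the RADIUS server is always used as the source), which is what motivates the ``source-address`` option that follows; the new text turns it into an instruction ("use the interface connected closest to the RADIUS server") and the motivation is lost. Suggest "If you are using OSPF as your IGP, the interface closest to the RADIUS server is always used as the source. You can instead bind all outgoing RADIUS requests to a single source IP, e.g. the loopback interface." Also "queires" in the unchanged description line should be "queries", and the note reads more naturally as "must be configured on one of the VyOS interfaces".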
@@ -191,7 +191,7 @@ RADIUS advanced options
The default attribute is `Filter-Id`.
.. note:: If you set a custom RADIUS attribute you must define it on both
- dictionaries at RADIUS server and client.
+ dictionaries on the RADIUS server and client.
.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
@@ -199,7 +199,7 @@ RADIUS advanced options
.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
- Specifies the vendor dictionary, dictionary needs to be in
+ Specifies the vendor dictionary, This dictionary needs to be present in
/usr/share/accel-ppp/radius.
Received RADIUS attributes have a higher priority than parameters defined within
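Review bot: the new line "Specifies the vendor dictionary, This dictionary needs to be present in" joins two sentences with a comma followed by a capital letter; use a full stop: "Specifies the vendor dictionary. This dictionary needs to be present in /usr/share/accel-ppp/radius."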
@@ -209,25 +209,28 @@ Allocation clients ip addresses by RADIUS
=========================================
If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
-address will be allocated to the client and the option ``default-pool`` within the CLI
-config is being ignored.
+address will be allocated to the client and the option ``default-pool`` within
+the CLI config will being ignored.
-If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
-from a predefined IP pool whose name equals the attribute value.
+If the RADIUS server sends the attribute ``Framed-Pool``, then the IP address
+will be allocated from a predefined IP pool whose name equals the attribute
+value.
-If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
-will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, the
+IPv6 address will be allocated from a predefined IPv6 pool ``prefix`` whose
+name equals the attribute value.
-If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
-delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, an
+IPv6 delegation prefix will be allocated from a predefined IPv6 pool ``delegate``
whose name equals the attribute value.
.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
-User interface can be put to VRF context via RADIUS Access-Accept packet, or change
-it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
-Define it in your RADIUS server.
+The client's interface can be put into a VRF context via a RADIUS Access-Accept
+packet, or changed via RADIUS CoA. ``Accel-VRF-Name`` is used for these
+purposes. This is a custom `ACCEL-PPP attribute`_. Define it in your RADIUS
+server.
Renaming clients interfaces by RADIUS
=====================================
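Review bot: the rewrapped ``default-pool`` paragraph introduces a grammar error: "the CLI config will being ignored" should be "the CLI config will be ignored". The "pefix" to "prefix" fix in the ``Delegated-IPv6-Prefix-Pool`` paragraph is correct.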
@@ -254,19 +257,19 @@ IPv6
.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
mask <number-of-bits>
- Use this comand to set the IPv6 address pool from which an SSTP client
- will get an IPv6 prefix of your defined length (mask) to terminate the
- SSTP endpoint at their side. The mask length can be set from 48 to 128
- bit long, the default value is 64.
+ Use this comand to set the IPv6 address pool from which an SSTP client will
+ get an IPv6 prefix of your defined length (mask) to terminate the SSTP
+ endpoint at their side. The mask length can be set between 48 and 128 bits
+ long, the default value is 64.
.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
delegation-prefix <number-of-bits>
- Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
- SSTP. You will have to set your IPv6 pool and the length of the
- delegation prefix. From the defined IPv6 pool you will be handing out
- networks of the defined length (delegation-prefix). The length of the
- delegation prefix can be set from 32 to 64 bit long.
+ Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You
+ will have to set your IPv6 pool and the length of the delegation prefix. From
+ the defined IPv6 pool you will be handing out networks of the defined length
+ (delegation-prefix). The length of the delegation prefix can be set between
+ 32 and 64 bits long.
.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
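Review bot: "Use this comand" on the rewrapped ``client-ipv6-pool ... prefix`` description keeps the original typo; since the line is rewritten anyway, change it to "Use this command".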
@@ -283,19 +286,19 @@ IPv6 Advanced Options
=====================
.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
- Accept peer interface identifier. By default is not defined.
+ Accept peer interface identifier. By default this is not defined.
.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
- Specifies fixed or random interface identifier for IPv6.
- By default is fixed.
+ Specifies if a fixed or random interface identifier is used for IPv6. The
+ default is fixed.
* **random** - Random interface identifier for IPv6
* **x:x:x:x** - Specify interface identifier for IPv6
.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
- Specifies peer interface identifier for IPv6. By default is fixed.
+ Specifies the peer interface identifier for IPv6. The default is fixed.
* **random** - Random interface identifier for IPv6
* **x:x:x:x** - Specify interface identifier for IPv6
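Review bot: the second directive in this hunk is still ``set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>``, identical to the first, yet its new description says "Specifies the peer interface identifier for IPv6". Either the unchanged directive line carries the wrong command name (a peer-specific option would be expected) or the whole block is a duplicate; please verify against the CLI before merging, otherwise one command is documented twice with two different meanings.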
@@ -308,19 +311,19 @@ Scripting
.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script>
- Script to run when session interface changed by RADIUS CoA handling
+ Script to run when the session interface is changed by RADIUS CoA handling
.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script>
- Script to run when session interface going to terminate
+ Script to run when the session interface about to terminate
.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script>
- Script to run before session interface comes up
+ Script to run before the session interface comes up
.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script>
- Script to run when session interface is completely configured and started
+ Script to run when the session interface is completely configured and started
****************
Advanced Options
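Review bot: "Script to run when the session interface about to terminate" is missing its verb; it should be "when the session interface is about to terminate", matching the form of the other three on-* descriptions.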
@@ -336,17 +339,17 @@ Authentication Advanced Options
.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
<address>
- Assign static IP address to `<user>` account.
+ Assign a static IP address to `<user>` account.
.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
download <bandwidth>
- Download bandwidth limit in kbit/s for `<user>`.
+ Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s.
.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
upload <bandwidth>
- Upload bandwidth limit in kbit/s for `<user>`.
+ Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s.
.. cfgcmd:: set vpn sstp authentication protocols
<pap | chap | mschap | mschap-v2>
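Review bot: "Assign a static IP address to `<user>` account" needs an article: "to the `<user>` account".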
@@ -371,10 +374,10 @@ PPP Advanced Options
.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
- Specifies number of interfaces to keep in cache. It means that don’t
- destroy interface after corresponding session is destroyed, instead
- place it to cache and use it later for new sessions repeatedly.
- This should reduce kernel-level interface creation/deletion rate lack.
+ Specifies number of interfaces to cache. This prevents interfaces from being
+ removed once the corresponding session is destroyed. Instead, interfaces are
+ cached for later use in new sessions. This should reduce the kernel-level
+ interface creation/deletion rate.
Default value is **0**.
.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
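Review bot: "Specifies number of interfaces to cache" should be "Specifies the number of interfaces to cache", consistent with the articles added in the other rewritten descriptions of this file.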
@@ -394,19 +397,20 @@ PPP Advanced Options
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
If this option is specified and is greater than 0, then the PPP module will
- send LCP pings of the echo request every `<interval>` seconds.
+ send LCP echo requests every `<interval>` seconds.
Default value is **30**.
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
- Specifies timeout in seconds to wait for any peer activity. If this option
+ Specifies timeout in seconds to wait for any peer activity. If this option is
specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
is not used. Default value is **0**.
.. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
- Defines minimum acceptable MTU. If client will try to negotiate less then
- specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+ Defines the minimum acceptable MTU. If a client tries to negotiate an MTU
+ lower than this it will be NAKed, and disconnected if it rejects a greater
+ MTU.
Default value is **100**.
.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
@@ -418,7 +422,8 @@ PPP Advanced Options
* **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
* **deny** - deny mppe
- Default behavior - don't ask client for mppe, but allow it if client wants.
+ Default behavior - don't ask the client for mppe, but allow it if the client
+ wants.
Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
attribute.
@@ -439,7 +444,7 @@ Global Advanced options
.. cfgcmd:: set vpn sstp limits connection-limit <value>
- Acceptable rate of connections (e.g. 1/min, 60/sec)
+ Maximum accepted connection rate (e.g. 1/min, 60/sec)
.. cfgcmd:: set vpn sstp limits timeout <value>
@@ -455,9 +460,9 @@ Global Advanced options
.. cfgcmd:: set vpn sstp name-server <address>
- Connected client should use `<address>` as their DNS server. This
- command accepts both IPv4 and IPv6 addresses. Up to two nameservers
- can be configured for IPv4, up to three for IPv6.
+ Connected clients should use `<address>` as their DNS server. This command
+ accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured
+ for IPv4, up to three for IPv6.
.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647>
diff --git a/docs/documentation.rst b/docs/documentation.rst
index 79365c0d..62624c5a 100644
--- a/docs/documentation.rst
+++ b/docs/documentation.rst
@@ -124,7 +124,7 @@ Style Guide
===========
Formatting and Sphinxmarkup
---------------------------
+---------------------------
TOC Level
^^^^^^^^^^
diff --git a/docs/installation/vyos-on-baremetal.rst b/docs/installation/vyos-on-baremetal.rst
index 367e6df1..7d843521 100644
--- a/docs/installation/vyos-on-baremetal.rst
+++ b/docs/installation/vyos-on-baremetal.rst
@@ -419,3 +419,260 @@ I connected the key to one black USB port on the back and powered on. The first
VyOS screen has some readability issues. Press :kbd:`Enter` to continue.
Then VyOS should boot and you can perform the ``install image``
+
+.. _gowin_gw-fn-1ur1-10g:
+
+Gowin GW-FN-1UR1-10G
+====================
+
+A platform utilizing an Intel Alder Lake-N100 CPU with 6M cache, TDP 6W.
+Onboard LPDDR5 16GB RAM and 128GB eMMC (can be used for image installation).
+
+The appliance comes with 2 * 2.5GbE Intel I226-V and 3 * 1GbE Intel I210
+where one supports IEEE802.3at PoE+ (Typical 30W).
+
+In addition there is a Mellanox ConnectX-3 2* 10GbE SFP+ NIC available.
+
+**NOTE:** This is the entry level platform. Other derivates exists with
+i3-N305 CPU and 2x 25GbE!
+
+Shopping Cart
+-------------
+
+* 1x Gowin GW-FN-1UR1-10G
+* 2x 128GB M.2 NVMe SSDs
+
+Optional (WiFi + WWAN)
+----------------------
+
+* 1x MediaTek 7921E M.2 NGFF WIFI module (not tested as this currently leads to a Kernel crash)
+* 1x HP LT4120 Snapdragon X5 LTE WWAN module
+
+Pictures
+--------
+
+.. figure:: ../_static/images/gowin-01.png
+
+.. figure:: ../_static/images/gowin-02.png
+
+.. figure:: ../_static/images/gowin-03.png
+
+.. figure:: ../_static/images/gowin-04.png
+
+Cooling
+-------
+
+The device itself is passivly cooled, whereas the power supply has an active fan.
+Even if the main processor is powered off, the power supply fan is operating and
+the entire chassis draws 7.5W. During operation the chassis drew arround 38W.
+
+BIOS Settings
+-------------
+
+No settings needed to be altered, everything worked out of the box!
+
+Installation
+------------
+
+The system provides a regular RS232 console port using 115200,8n1 setting which
+is sufficient to install VyOS from a USB pendrive.
+
+First Boot
+----------
+
+Please note that there is a weirdness on the network interface mapping.
+The interface <-> MAC mapping is going upwards but the NICs are placed
+somehow swapped on the mainboard/MACs programmed in a swapped order.
+
+See interface description for more detailed mapping.
+
+.. code-block:: none
+
+ vyos@vyos:~$ show interfaces
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address MAC VRF MTU S/L Description
+ ----------- -------------- ----------------- ------- ----- ----- -------------
+ eth0 - 00:f0:cb:00:00:99 default 1500 u/D Intel I226-V - Front eth2
+ eth1 - 00:f0:cb:00:00:9a default 1500 u/D Intel I226-V - Front eth1
+ eth2 - 00:f0:cb:00:00:9b default 1500 u/D Intel I210 - Front eth4
+ eth3 - 00:f0:cb:00:00:9c default 1500 u/D Intel I210 - Front eth3
+ eth4 - 00:f0:cb:00:00:9d default 1500 u/D Intel I210 - Front POE
+ eth5 - 00:02:c9:00:00:30 default 1500 u/D Mellanox ConnectX-3 - SFP2
+ eth6 - 00:02:c9:00:00:31 default 1500 u/D Mellanox ConnectX-3 - SFP1
+ lo 127.0.0.1/8 00:00:00:00:00:00 default 65536 u/u
+ ::1/128
+ wwan0 - d2:39:76:8e:05:12 default 1500 A/D
+
+VyOS 1.4 (sagitta)
+^^^^^^^^^^^^^^^^^^
+
+Connect serial port to a PC through a USB <-> RJ45 console cable. Set terminal emulator
+to 115200 8N1. You can also perform the installation using VGA or HDMI ports.
+
+In this example I choose to install VyOS as RAID-1 on both NVMe drives. However, a previous
+installation on the 128GB eMMC storage worked without any issues, too.
+
+.. code-block:: none
+
+ Welcome to VyOS - vyos ttyS0
+
+ vyos login:
+
+Perform Image installation using `install image` CLI command. This installation uses two 128GB NVMe
+disks setup as RAID1.
+
+.. code-block:: none
+
+ Welcome to VyOS!
+
+ ┌── ┐
+ . VyOS 1.4.0
+ └ ──┘ sagitta
+
+ * Support portal: https://support.vyos.io
+ * Documentation: https://docs.vyos.io/en/sagitta
+ * Project news: https://blog.vyos.io
+ * Bug reports: https://vyos.dev
+
+ You can change this banner using "set system login banner post-login" command.
+
+ VyOS is a free software distribution that includes multiple components,
+ you can check individual component licenses under /usr/share/doc/*/copyright
+ Use of this pre-built image is governed by the EULA you can find in
+ /usr/share/vyos/EULA
+
+ vyos@vyos:~$ install image
+
+ Welcome to VyOS installation!
+ This command will install VyOS to your permanent storage.
+ Would you like to continue? [y/N] y
+
+ What would you like to name this image? (Default: 1.4.0)
+
+ Please enter a password for the "vyos" user:
+ Please confirm password for the "vyos" user:
+
+ What console should be used by default? (K: KVM, S: Serial)? (Default: S)
+
+ Probing disks
+ 4 disk(s) found
+ Would you like to configure RAID-1 mirroring? [Y/n] y
+
+ The following disks were found:
+ /dev/sda (14.4 GB)
+ /dev/mmcblk0 (116.5 GB)
+ Would you like to configure RAID-1 mirroring on them? [Y/n] n
+
+ Would you like to choose two disks for RAID-1 mirroring? [Y/n] y
+ Disks available:
+ 1: /dev/sda (14.4 GB)
+ 2: /dev/mmcblk0 (116.5 GB)
+ 3: /dev/nvme1n1 (119.2 GB)
+ 4: /dev/nvme0n1 (119.2 GB)
+ Select first disk: 3
+
+ Remaining disks:
+ 1: /dev/sda (14.4 GB)
+ 2: /dev/mmcblk0 (116.5 GB)
+ 3: /dev/nvme0n1 (119.2 GB)
+ Select second disk: 3
+
+ Installation will delete all data on both drives. Continue? [y/N] y
+
+ Searching for data from previous installations
+ No previous installation found
+ Creating partitions on /dev/nvme1n1
+ Creating partition table...
+ Creating partitions on /dev/nvme0n1
+ Creating partition table...
+ Creating RAID array
+ Updating initramfs
+ Creating filesystem on RAID array
+ The following config files are available for boot:
+ 1: /opt/vyatta/etc/config/config.boot
+ 2: /opt/vyatta/etc/config.boot.default
+
+ Which file would you like as boot config? (Default: 1)
+ Creating temporary directories
+ Mounting new partitions
+ Creating a configuration file
+ Copying system image files
+ Installing GRUB configuration files
+ Installing GRUB to the drives
+ Cleaning up
+ Unmounting target filesystems
+ Removing temporary files
+ The image installed successfully; please reboot now.
+
+Hardware
+--------
+
+.. code-block:: none
+
+ vyos@vyos:~$ lspci
+ 00:00.0 Host bridge: Intel Corporation Device 461c
+ 00:02.0 VGA compatible controller: Intel Corporation Alder Lake-N [UHD Graphics]
+ 00:0a.0 Signal processing controller: Intel Corporation Platform Monitoring Technology (rev 01)
+ 00:0d.0 USB controller: Intel Corporation Device 464e
+ 00:14.0 USB controller: Intel Corporation Device 54ed
+ 00:14.2 RAM memory: Intel Corporation Device 54ef
+ 00:15.0 Serial bus controller: Intel Corporation Device 54e8
+ 00:16.0 Communication controller: Intel Corporation Device 54e0
+ 00:1a.0 SD Host controller: Intel Corporation Device 54c4
+ 00:1c.0 PCI bridge: Intel Corporation Device 54b8
+ 00:1c.2 PCI bridge: Intel Corporation Device 54ba
+ 00:1c.3 PCI bridge: Intel Corporation Device 54bb
+ 00:1c.6 PCI bridge: Intel Corporation Device 54be
+ 00:1d.0 PCI bridge: Intel Corporation Device 54b0
+ 00:1f.0 ISA bridge: Intel Corporation Device 5481
+ 00:1f.4 SMBus: Intel Corporation Device 54a3
+ 00:1f.5 Serial bus controller: Intel Corporation Device 54a4
+ 01:00.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 02:00.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 02:02.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 02:06.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 02:0e.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 03:00.0 Ethernet controller: Intel Corporation Ethernet Controller I226-V (rev 04)
+ 04:00.0 Ethernet controller: Intel Corporation Ethernet Controller I226-V (rev 04)
+ 05:00.0 Network controller: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
+ 06:00.0 SATA controller: ASMedia Technology Inc. Device 0622 (rev 01)
+ 07:00.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 08:00.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 08:02.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 08:06.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 08:0e.0 PCI bridge: ASMedia Technology Inc. Device 1806 (rev 01)
+ 09:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)
+ 0a:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)
+ 0b:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)
+ 0d:00.0 Non-Volatile memory controller: Device 1ed0:2283
+ 0f:00.0 Non-Volatile memory controller: Device 1ed0:2283
+ 11:00.0 Ethernet controller: Mellanox Technologies MT27500 Family [ConnectX-3]
+
+.. code-block:: none
+
+ vyos@vyos:~$ lsusb
+ Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
+ Bus 003 Device 005: ID 0e8d:c616 MediaTek Inc. Wireless_Device
+ Bus 003 Device 003: ID 413c:2113 Dell Computer Corp. KB216 Wired Keyboard
+ Bus 003 Device 004: ID 03f0:9d1d HP, Inc HP lt4120 Snapdragon X5 LTE
+ Bus 003 Device 002: ID 05e3:0610 Genesys Logic, Inc. Hub
+ Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+ Bus 002 Device 002: ID 05e3:0620 Genesys Logic, Inc. GL3523 Hub
+ Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
+ Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+
+WWAN
+^^^^
+
+The LTE module can be enabled as simple as this config snippet:
+
+.. code-block:: none
+
+ interfaces {
+ wwan wwan0 {
+ address "dhcp"
+ apn "YOUR-APN-GOES-HERE"
+ }
+ }
+
+For more information please refer to chapter: :ref:`wwan-interface`
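Review bot: the new Gowin section has several spelling and markup issues to fix before merging: "Other derivates exists" should be "Other derivatives exist", "passivly cooled" should be "passively cooled", "drew arround 38W" should be "drew around 38W", "using 115200,8n1 setting" should be "using 115200,8n1 settings", and "In this example I choose to install" should be "I chose". The CLI command in "Perform Image installation using `install image` CLI command" uses single backticks, which render as interpreted text in RST; use double backticks (``install image``) as the preceding paragraph does. The interface mapping explanation ("The interface <-> MAC mapping is going upwards but the NICs are placed somehow swapped on the mainboard/MACs programmed in a swapped order") is hard to follow; suggest "MAC addresses are assigned in ascending order, but the front-panel ports are labelled in a different order; see the Description column below for the port each interface corresponds to." The four ``.. figure::`` directives have no captions or alt text, which the rest of this page's hardware sections provide.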