summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/configuration/firewall/index.rst6
-rw-r--r--docs/configuration/interfaces/vti.rst19
-rw-r--r--docs/configuration/interfaces/wireguard.rst1
3 files changed, 25 insertions, 1 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index b4a884f0..c5be158f 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -490,6 +490,12 @@ Applying a Rule-Set to a Zone
Before you are able to apply a rule-set to a zone you have to create the zones
first.
+It helps to think of the syntax as: (see below). The 'rule-set' should be
+written from the perspective of: *Source Zone*-to->*Destination Zone*
+
+.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone>
+ firewall name <rule-set>
+
.. cfgcmd:: set zone-policy zone <name> from <name> firewall name
<rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 34842866..1704b9d1 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -20,4 +20,21 @@ Results in:
address 192.168.2.249/30
address 2001:db8:2::249/64
description "Description"
- } \ No newline at end of file
+ }
+
+.. warning:: When using site-to-site IPsec with VTI interfaces,
+ be sure to disable route autoinstall
+
+.. code-block:: none
+
+ set vpn ipsec options disable-route-autoinstall
+
+More details about the IPsec and VTI issue and option disable-route-autoinstall
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+
+The root cause of the problem is that for VTI tunnels to work, their traffic
+selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even
+though actual routing decision is made according to netfilter marks. Unless
+route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a
+default route through the VTI peer address, which makes all traffic routed
+to nowhere. \ No newline at end of file
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index df6433c6..1c4b734c 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -151,6 +151,7 @@ below is always the public key from your peer, not your local one.
.. code-block:: none
set interfaces wireguard wg01 address '10.1.0.1/30'
+ set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'
set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1'
set interfaces wireguard wg01 peer to-wg02 port '51820'