From ce090a4ced7fccce3fdc70142e22fa0009fae12b Mon Sep 17 00:00:00 2001
From: rebortg
Date: Sun, 6 Dec 2020 21:41:10 +0100
Subject: arrange examples
---
 docs/configexamples/azure-vpn-bgp.rst | 130 ++++++++++++++++++++++++++++++++++
 1 file changed, 130 insertions(+)
 create mode 100644 docs/configexamples/azure-vpn-bgp.rst
(limited to 'docs/configexamples/azure-vpn-bgp.rst')
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst
new file mode 100644
index 00000000..176e0ae0
--- /dev/null
+++ b/docs/configexamples/azure-vpn-bgp.rst
@@ -0,0 +1,130 @@
+.. _examples-azure-vpn-bgp:
+
+Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
+------------------------------------------------------------
+
+This guide shows an example of a route-based IKEv2 site-to-site VPN to
+Azure using VTI and BGP for dynamic routing updates.
+
+For redundant / active-active configurations see `Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) `_
+
+Prerequisites
+^^^^^^^^^^^^^
+
+- A pair of Azure VNet Gateways deployed in active-passive
+ configuration with BGP enabled.
+
+- A local network gateway deployed in Azure representing
+ the Vyos device, matching the below Vyos settings except for
+ address space, which only requires the Vyos private IP, in
+ this example 10.10.0.5/32
+
+- A connection resource deployed in Azure linking the
+ Azure VNet gateway and the local network gateway representing
+ the Vyos device.
+
+Example
+^^^^^^^
+
++---------------------------------------+---------------------+
+| WAN Interface | eth0 |
++---------------------------------------+---------------------+
+| On-premises address space | 10.10.0.0/16 |
++---------------------------------------+---------------------+
+| Azure address space | 10.0.0.0/16 |
++---------------------------------------+---------------------+
+| Vyos public IP | 198.51.100.3 |
++---------------------------------------+---------------------+
+| Vyos private IP | 10.10.0.5 |
++---------------------------------------+---------------------+
+| Azure VNet Gateway public IP | 203.0.113.2 |
++---------------------------------------+---------------------+
+| Azure VNet Gateway BGP IP | 10.0.0.4 |
++---------------------------------------+---------------------+
+| Pre-shared key | ch00s3-4-s3cur3-psk |
++---------------------------------------+---------------------+
+| Vyos ASN | 64499 |
++---------------------------------------+---------------------+
+| Azure ASN | 65540 |
++---------------------------------------+---------------------+
+
+Vyos configuration
+^^^^^^^^^^^^^^^^^^
+
+- Configure the IKE and ESP settings to match a subset
+ of those supported by Azure:
+
+.. code-block:: none
+
+ set vpn ipsec esp-group AZURE compression 'disable'
+ set vpn ipsec esp-group AZURE lifetime '3600'
+ set vpn ipsec esp-group AZURE mode 'tunnel'
+ set vpn ipsec esp-group AZURE pfs 'dh-group2'
+ set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+
+ set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+ set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+ set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
+ set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
+ set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+ set vpn ipsec ike-group AZURE lifetime '28800'
+ set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+ set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+
+- Enable IPsec on eth0
+
+.. code-block:: none
+
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+
+- Configure a VTI with a dummy IP address
+
+.. code-block:: none
+
+ set interfaces vti vti1 address '10.10.1.5/32'
+ set interfaces vti vti1 description 'Azure Tunnel'
+
+- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
+
+.. code-block:: none
+
+ set firewall options interface vti1 adjust-mss 1350
+
+- Configure the VPN tunnel
+
+.. code-block:: none
+
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
+ set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
+ set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
+ set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
+ set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
+ set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
+ set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
+
+- **Important**: Add an interface route to reach Azure's BGP listener
+
+.. code-block:: none
+
+ set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
+
+- Configure your BGP settings
+
+.. code-block:: none
+
+ set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
+ set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
+ set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
+ set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'
+
+- **Important**: Disable connected check \
+
+.. code-block:: none
+
+ set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
-- cgit v1.2.3
From 71c8077efb486f3d13c610bfe038f206f932e48c Mon Sep 17 00:00:00 2001
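Review bot: The IKE and ESP proposals in the new example (`proposal 1 dh-group '2'`, `pfs 'dh-group2'`, `hash 'sha1'`) pin a 1024-bit MODP group and SHA-1 for a tunnel that readers are expected to copy verbatim, and nothing in the text says these are only the weakest values the Azure gateway negotiates by default. As far as I know Azure accepts stronger parameters through a custom IPsec/IKE policy on the connection resource, so the example could use `dh-group '14'`, `pfs 'dh-group14'` and `hash 'sha256'` on both groups, or at minimum the sentence "Configure the IKE and ESP settings to match a subset of those supported by Azure" should be followed by a note that DH group 2 and SHA-1 are the legacy defaults and a custom policy should be set on the Azure side to raise them. The pre-shared key also appears twice as a literal; a short remark that `ch00s3-4-s3cur3-psk` is a placeholder to be replaced with a long random secret would make the example safer to copy.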
From: rebortg
Date: Fri, 11 Dec 2020 22:40:51 +0100
Subject: configexamples: fix lint errors
---
 docs/configexamples/azure-vpn-bgp.rst | 4 +++-
 .../configexamples/dhcp-relay-through-gre-bridge.rst | 20 ++++++++++----------
 docs/configexamples/tunnelbroker-ipv6.rst | 13 +++++++++++--
 docs/configexamples/wan-load-balancing.rst | 4 ++++
 4 files changed, 28 insertions(+), 13 deletions(-)
(limited to 'docs/configexamples/azure-vpn-bgp.rst')
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst
index 176e0ae0..6f2622b2 100644
--- a/docs/configexamples/azure-vpn-bgp.rst
+++ b/docs/configexamples/azure-vpn-bgp.rst
@@ -6,7 +6,9 @@ Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
 This guide shows an example of a route-based IKEv2 site-to-site VPN to
 Azure using VTI and BGP for dynamic routing updates.
-For redundant / active-active configurations see `Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) `_
+For redundant / active-active configurations see
+`Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
+`_
 Prerequisites
 ^^^^^^^^^^^^^
diff --git a/docs/configexamples/dhcp-relay-through-gre-bridge.rst b/docs/configexamples/dhcp-relay-through-gre-bridge.rst
index f94eb67f..0db5fa0a 100644
--- a/docs/configexamples/dhcp-relay-through-gre-bridge.rst
+++ b/docs/configexamples/dhcp-relay-through-gre-bridge.rst
@@ -21,18 +21,18 @@ DHCP Server
 .. code-block:: none
 set interfaces ethernet eth0 address '10.0.2.1/24'
- set interfaces loopback lo address '3.3.3.3/24'
+ set interfaces loopback lo address '192.168.3.3/24'
 set interfaces tunnel tun100 address '172.16.0.2/30'
 set interfaces tunnel tun100 encapsulation 'gre-bridge'
 set interfaces tunnel tun100 local-ip '10.0.2.1'
 set interfaces tunnel tun100 remote-ip '192.168.0.1'
- set protocols ospf area 0 network '3.3.3.0/24'
+ set protocols ospf area 0 network '192.168.3.0/24'
 set protocols ospf area 0 network '10.0.2.0/24'
- set protocols ospf parameters router-id '3.3.3.3'
+ set protocols ospf parameters router-id '192.168.3.3'
 set protocols static interface-route 10.0.1.2/32 next-hop-interface tun100
 set service dhcp-server shared-network-name asdf authoritative
- set service dhcp-server shared-network-name asdf subnet 3.3.3.0/24 range 0 start '3.3.3.30'
- set service dhcp-server shared-network-name asdf subnet 3.3.3.0/24 range 0 stop '3.3.3.40'
+ set service dhcp-server shared-network-name asdf subnet 192.168.3.0/24 range 0 start '192.168.3.30'
+ set service dhcp-server shared-network-name asdf subnet 192.168.3.0/24 range 0 stop '192.168.3.40'
 set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 default-router '10.0.1.2'
 set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 start '10.0.1.200'
 set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 stop '10.0.1.210'
@@ -61,17 +61,17 @@ DHCP Relay
 set interfaces ethernet eth0 address '10.0.1.2/24'
 set interfaces ethernet eth1 address '192.168.0.1/24'
- set interfaces loopback lo address '1.1.1.1'
+ set interfaces loopback lo address '10.100.100.1'
 set interfaces tunnel tun100 address '172.16.0.1/30'
 set interfaces tunnel tun100 encapsulation 'gre-bridge'
 set interfaces tunnel tun100 local-ip '192.168.0.1'
 set interfaces tunnel tun100 remote-ip '10.0.2.1'
 set protocols ospf area 0 network '10.0.1.0/24'
 set protocols ospf area 0 network '192.168.0.0/24'
- set protocols ospf area 0 network '1.1.1.0/24'
- set protocols ospf parameters router-id '1.1.1.1'
- set protocols static interface-route 3.3.3.3/32 next-hop-interface tun100
+ set protocols ospf area 0 network '10.100.100.0/24'
+ set protocols ospf parameters router-id '10.100.100.1'
+ set protocols static interface-route 192.168.3.3/32 next-hop-interface tun100
 set service dhcp-relay interface 'eth0'
 set service dhcp-relay interface 'tun100'
- set service dhcp-relay server '3.3.3.3'
+ set service dhcp-relay server '192.168.3.3'
diff --git a/docs/configexamples/tunnelbroker-ipv6.rst b/docs/configexamples/tunnelbroker-ipv6.rst
index 868b225f..b6f1cc07 100644
--- a/docs/configexamples/tunnelbroker-ipv6.rst
+++ b/docs/configexamples/tunnelbroker-ipv6.rst
@@ -1,5 +1,7 @@
 .. _examples-tunnelbroker-ipv6:
+.. stop_vyoslinter
+
 #######################
 Tunnelbroker.net (IPv6)
 #######################
@@ -110,7 +112,9 @@ should be replaced with the information from your `Routed /64` tunnel):
 set service router-advert interface eth1 name-server '2001:4860:4860::8844'
 set service router-advert interface eth1 prefix 2001:470:xxxx:xxxx::/64
-Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default, 'valid-lifetime' and 'preferred-lifetime' are set to default values of 30 days and 4 hours respectively.
+Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default,
+'valid-lifetime' and 'preferred-lifetime' are set to default values of
+30 days and 4 hours respectively.
 This accomplishes a few things:
@@ -155,7 +159,9 @@ So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc:
 set service router-advert interface eth3 name-server '2001:4860:4860::8844'
 set service router-advert interface eth3 prefix 2001:470:xxxx:3::/64
-Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default, 'valid-lifetime' and 'preferred-lifetime' are set to default values of 30 days and 4 hours respectively.
+Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default,
+'valid-lifetime' and 'preferred-lifetime' are set to default values of
+30 days and 4 hours respectively.
 Firewall
 ========
@@ -167,3 +173,6 @@ NAME`. Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall ipv6-name`.
+
+
+.. start_vyoslinter
diff --git a/docs/configexamples/wan-load-balancing.rst b/docs/configexamples/wan-load-balancing.rst
index 7093defe..07974166 100644
--- a/docs/configexamples/wan-load-balancing.rst
+++ b/docs/configexamples/wan-load-balancing.rst
@@ -1,5 +1,7 @@
 .. _wan-load-balancing:
+.. stop_vyoslinter # pictures and text have to change
+
 WAN Load Balancer examples
 ==========================
@@ -168,3 +170,5 @@ eth+ is used as an alias that refers to all ethernet interfaces:
 set load-balancing wan rule 5 exclude
 set load-balancing wan rule 5 inbound-interface eth+
 set load-balancing wan rule 5 destination address 10.0.0.0/8
+
+.. start_vyoslinter
\ No newline at end of file
-- cgit v1.2.3
From 0a4ce825d07126dda7f540eee567ba83bc799514 Mon Sep 17 00:00:00 2001
From: rebortg
Date: Tue, 26 Jan 2021 20:47:21 +0100
Subject: configexamples: fix internal link in azure vpn bgp example
---
 docs/configexamples/azure-vpn-bgp.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'docs/configexamples/azure-vpn-bgp.rst')
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst
index 6f2622b2..265e28c7 100644
--- a/docs/configexamples/azure-vpn-bgp.rst
+++ b/docs/configexamples/azure-vpn-bgp.rst
@@ -7,8 +7,8 @@ This guide shows an example of a route-based IKEv2 site-to-site VPN to
 Azure using VTI and BGP for dynamic routing updates.
 For redundant / active-active configurations see
-`Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
-`_
+:ref:`examples-azure-vpn-dual-bgp`
+
 Prerequisites
 ^^^^^^^^^^^^^
-- cgit v1.2.3
From 0ae01b4a1c6e6376b2db498618c65801a809e826 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 5 Feb 2021 22:53:53 +0100
Subject: vrf: static: T2450: adjust to new CLI syntax
---
 docs/configexamples/azure-vpn-bgp.rst | 2 +-
 docs/configexamples/azure-vpn-dual-bgp.rst | 4 ++--
 .../dhcp-relay-through-gre-bridge.rst | 4 ++--
 docs/configexamples/tunnelbroker-ipv6.rst | 2 +-
 docs/configuration/interfaces/openvpn.rst | 6 ++---
 docs/configuration/interfaces/pppoe.rst | 4 ++--
 docs/configuration/interfaces/wireguard.rst | 4 ++--
 docs/configuration/protocols/static.rst | 12 +++++-----
 docs/configuration/vrf/index.rst | 28 +++++++++++-----------
 9 files changed, 33 insertions(+), 33 deletions(-)
(limited to 'docs/configexamples/azure-vpn-bgp.rst')
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst
index 265e28c7..1d61b3b8 100644
--- a/docs/configexamples/azure-vpn-bgp.rst
+++ b/docs/configexamples/azure-vpn-bgp.rst
@@ -114,7 +114,7 @@ Vyos configuration
 .. code-block:: none
- set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
+ set protocols static route 10.0.0.4/32 interface vti1
 - Configure your BGP settings
diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst
index 13d4b5a2..0a48156c 100644
--- a/docs/configexamples/azure-vpn-dual-bgp.rst
+++ b/docs/configexamples/azure-vpn-dual-bgp.rst
@@ -129,8 +129,8 @@ Vyos configuration
 .. code-block:: none
- set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
- set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2
+ set protocols static route 10.0.0.4/32 interface vti1
+ set protocols static route 10.0.0.5/32 interface vti2
 - Configure your BGP settings
diff --git a/docs/configexamples/dhcp-relay-through-gre-bridge.rst b/docs/configexamples/dhcp-relay-through-gre-bridge.rst
index 0db5fa0a..afa4d854 100644
--- a/docs/configexamples/dhcp-relay-through-gre-bridge.rst
+++ b/docs/configexamples/dhcp-relay-through-gre-bridge.rst
@@ -29,7 +29,7 @@ DHCP Server
 set protocols ospf area 0 network '192.168.3.0/24'
 set protocols ospf area 0 network '10.0.2.0/24'
 set protocols ospf parameters router-id '192.168.3.3'
- set protocols static interface-route 10.0.1.2/32 next-hop-interface tun100
+ set protocols static route 10.0.1.2/32 interface tun100
 set service dhcp-server shared-network-name asdf authoritative
 set service dhcp-server shared-network-name asdf subnet 192.168.3.0/24 range 0 start '192.168.3.30'
 set service dhcp-server shared-network-name asdf subnet 192.168.3.0/24 range 0 stop '192.168.3.40'
@@ -70,7 +70,7 @@ DHCP Relay
 set protocols ospf area 0 network '192.168.0.0/24'
 set protocols ospf area 0 network '10.100.100.0/24'
 set protocols ospf parameters router-id '10.100.100.1'
- set protocols static interface-route 192.168.3.3/32 next-hop-interface tun100
+ set protocols static route 192.168.3.3/32 interface tun100
 set service dhcp-relay interface 'eth0'
 set service dhcp-relay interface 'tun100'
 set service dhcp-relay server '192.168.3.3'
diff --git a/docs/configexamples/tunnelbroker-ipv6.rst b/docs/configexamples/tunnelbroker-ipv6.rst
index b6f1cc07..1df814dc 100644
--- a/docs/configexamples/tunnelbroker-ipv6.rst
+++ b/docs/configexamples/tunnelbroker-ipv6.rst
@@ -35,7 +35,7 @@ tunnel information page.
 set interfaces tunnel tun0 mtu '1472'
 set interfaces tunnel tun0 multicast 'disable'
 set interfaces tunnel tun0 remote-ip Server_IPv4_from_Tunnelbroker # This is the IP of the Tunnelbroker server
- set protocols static interface-route6 ::/0 next-hop-interface tun0 # Tell all traffic to go over this tunnel
+ set protocols static route6 ::/0 interface tun0 # Tell all traffic to go over this tunnel
 commit
 If your WAN connection is over PPPoE, you may need to set the MTU on the above
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index 2c273b34..8b32743f 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -159,13 +159,13 @@ Local Configuration:
 .. code-block:: none
- set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
+ set protocols static route 10.1.0.0/16 interface vtun1
 Remote Configuration:
 .. code-block:: none
- set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
+ set protocols static route 10.0.0.0/16 interface vtun1
 Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and function identically to ethernet interfaces.
@@ -253,7 +253,7 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
 .. code-block:: none
- set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
+ set protocols static route 10.23.0.0/20 interface vtun10
 Generate X.509 Certificate and Keys
 -----------------------------------
diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst
index 0fdbba42..1bbccc0c 100644
--- a/docs/configuration/interfaces/pppoe.rst
+++ b/docs/configuration/interfaces/pppoe.rst
@@ -130,7 +130,7 @@ PPPoE options
 .. note:: In all modes except 'none', all default routes using this interface will be removed when the interface is torn down - even manually installed
- static interface-routes.
+ static routes.
 .. cfgcmd:: set interfaces pppoe idle-timeout