| author | Robert Göhler <github@ghlr.de> | 2021-08-03 21:06:07 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-08-03 21:06:07 +0200 | 
| commit | 073fada067df858d14911b65acc531eece4ac7c3 (patch) | |
| tree | 57df22902fd92515cf2bb864582ede266bff72bd | |
| parent | 63b280caebbbde735e2ad32543b01c73c82f242a (diff) | |
| parent | 78f67b5feb2284f1f9988c6e62a3521c10b2c087 (diff) | |
Merge pull request #588 from usman-umer/equuleus
Added instructions for firewall exception for equuleus branch
| -rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 27 | 
1 files changed, 27 insertions, 0 deletions
| diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 644906e1..82dd26dd 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -130,6 +130,33 @@ Remote Configuration - Annotated:    set interfaces openvpn vtun1 local-address '10.255.1.2'                          # Local IP of vtun interface    set interfaces openvpn vtun1 remote-address '10.255.1.1'                         # Remote IP of vtun interface +******************* +Firewall Exceptions +******************* + +For the OpenVPN traffic to pass through the WAN interface, you must create a +firewall exception. + +.. code-block:: none + +    set firewall name OUTSIDE_LOCAL rule 10 action accept +    set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related' +    set firewall name OUTSIDE_LOCAL rule 10 state established enable +    set firewall name OUTSIDE_LOCAL rule 10 state related enable +    set firewall name OUTSIDE_LOCAL rule 20 action accept +    set firewall name OUTSIDE_LOCAL rule 20 description OpenVPN_IN +    set firewall name OUTSIDE_LOCAL rule 20 destination port 1195 +    set firewall name OUTSIDE_LOCAL rule 20 log enable +    set firewall name OUTSIDE_LOCAL rule 20 protocol udp +    set firewall name OUTSIDE_LOCAL rule 20 source + +You should also ensure that the OUTISDE_LOCAL firewall group is applied to the +WAN interface and a direction (local). + +.. code-block:: none + +    set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL' +  Static Routing:  Static routes can be configured referencing the tunnel interface; for example, | 
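Review bot: rule 20 ends in a dangling keyword, `set firewall name OUTSIDE_LOCAL rule 20 source`, which is not a complete command and will not commit; either drop that line or complete it with a value (for example `source address <peer-ip>`, with the reader filling in the peer). The rule-set name is also inconsistent across the hunk: the rules create `OUTSIDE_LOCAL` (underscore), the prose refers to `OUTISDE_LOCAL`, and the interface assignment uses `'OUTSIDE-LOCAL'` (hyphen), so as written the rule set would not be attached to eth0; use one spelling throughout. Minor: a `firewall name` is a rule set, not a firewall group, so "ensure that the OUTISDE_LOCAL firewall group is applied" should say rule set.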
