summaryrefslogtreecommitdiff
path: root/docs/configuration/interfaces
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-04-15 12:39:08 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-04-15 12:39:08 +0300
commit1802518c053bde050074d85a137ffe672ec99e53 (patch)
treec964bba1226ceceac324e7377728da2d1145758d /docs/configuration/interfaces
parent2ff3232cac2278f22624a0a2e8daf2280b14912c (diff)
parentf0402b1a08c393c6f12896e2d27c339030f030b2 (diff)
downloadvyos-documentation-1802518c053bde050074d85a137ffe672ec99e53.tar.gz
vyos-documentation-1802518c053bde050074d85a137ffe672ec99e53.zip
merge: resolve CLAUDE.md conflict, keep current branch version
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Diffstat (limited to 'docs/configuration/interfaces')
-rw-r--r--docs/configuration/interfaces/openvpn-examples.rst87
-rw-r--r--docs/configuration/interfaces/tunnel.rst3
-rw-r--r--docs/configuration/interfaces/vti.rst101
-rw-r--r--docs/configuration/interfaces/wireless.rst145
-rw-r--r--docs/configuration/interfaces/wwan.rst74
5 files changed, 277 insertions, 133 deletions
diff --git a/docs/configuration/interfaces/openvpn-examples.rst b/docs/configuration/interfaces/openvpn-examples.rst
index bba04d9c..6e746e46 100644
--- a/docs/configuration/interfaces/openvpn-examples.rst
+++ b/docs/configuration/interfaces/openvpn-examples.rst
@@ -1,6 +1,10 @@
+############
Site-to-site
-============
+############
+
+.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd
+ directives for command coverage tracking.
OpenVPN is popular for client-server setups, but its site-to-site mode is less
common and often not supported by router appliances. Despite limited support,
@@ -29,9 +33,9 @@ In both cases, we will use the following settings:
* The ``persistent-tunnel`` directive allows us to configure tunnel-related
attributes, such as firewall policy, as we would on any standard network
interface.
-* If known, the remote router's IP address can be configured using the
- ``remote-host`` directive. If unknown, it can be omitted. We assume the remote
- router has a dynamic IP address.
+* If known, the remote router's IP address can be configured using the
+ ``remote-host`` directive. If unknown, it can be omitted. We assume
+ the remote router has a dynamic IP address.
.. figure:: /_static/images/openvpn_site2site_diagram.*
@@ -51,6 +55,8 @@ Elliptic Curve (EC) type. In configuration mode, run the following command:
certificate to the configuration session's ``pki`` subtree. Review and commit
the changes.
+.. stop_vyoslinter
+
.. code-block:: none
vyos@vyos# run generate pki certificate self-signed install openvpn-local
@@ -82,16 +88,21 @@ the changes.
vyos@vyos# commit
+.. start_vyoslinter
You do **not** need to copy the certificate to the other router. Instead,
retrieve its SHA-256 fingerprint. Since OpenVPN currently supports only SHA-256
fingerprints, use the following command:
+.. stop_vyoslinter
+
.. code-block:: none
vyos@vyos# run show pki certificate openvpn-local fingerprint sha256
5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79
+.. start_vyoslinter
+
.. note:: Certificate names are arbitrary. While ``openvpn-local`` and
``openvpn-remote`` are used here, you may choose any names.
@@ -102,6 +113,8 @@ Set up site-to-site OpenVPN
Local configuration:
+.. stop_vyoslinter
+
.. code-block:: none
Configure the tunnel:
@@ -134,6 +147,8 @@ Remote configuration:
set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 on the local router
set interfaces openvpn vtun1 tls role passive
+.. start_vyoslinter
+
Set up pre-shared keys
----------------------
@@ -146,6 +161,8 @@ First, generate a key by running ``run generate pki openvpn shared-secret
install <name>`` in configuration mode. You can use any name; in this example,
we use ``s2s``.
+.. stop_vyoslinter
+
.. code-block:: none
vyos@local# run generate pki openvpn shared-secret install s2s
@@ -163,6 +180,8 @@ we use ``s2s``.
vyos@local# commit
[edit]
+.. start_vyoslinter
+
Next, install the key on the remote router:
.. code-block:: none
@@ -181,6 +200,8 @@ Set up firewall exceptions
To allow OpenVPN traffic to pass through the WAN interface, create a firewall
exception:
+.. stop_vyoslinter
+
.. code-block:: none
set firewall ipv4 name OUTSIDE_LOCAL rule 10 action 'accept'
@@ -193,6 +214,8 @@ exception:
set firewall ipv4 name OUTSIDE_LOCAL rule 20 log
set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol 'udp'
+.. start_vyoslinter
+
Apply the OUTSIDE_LOCAL firewall group to the WAN interface and to the input
filter for traffic destined for the router itself:
@@ -229,6 +252,8 @@ unique ports to each tunnel.
Verify OpenVPN status using the show openvpn operational commands.
+.. stop_vyoslinter
+
.. code-block:: none
vyos@vyos:~$ show openvpn site-to-site
@@ -239,6 +264,7 @@ Verify OpenVPN status using the show openvpn operational commands.
----------- ----------------- ----------- ------------ ---------- ---------- -----------------
N/A 10.110.12.54:1195 N/A N/A 504.0 B 656.0 B N/A
+.. start_vyoslinter
Server-client
=============
@@ -262,6 +288,8 @@ session's PKI subtree.
Certificate Authority (CA):
+.. stop_vyoslinter
+
.. code-block:: none
vyos@vyos# run generate pki ca install ca-1
@@ -363,6 +391,8 @@ Client certificate:
set pki certificate client1 certificate 'MIIDrjCCApagAwIBAgIUPvtffeYTdoOiHxu++wdrjHwwVX4wDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTQxMDlaFw0yNjA2MTExMTQxMDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQnUyqEzG+AqZzsdSud5MDqsOxiXTAfBgNVHSMEGDAWgBQAb2W+vsDMn/Li9j9eVbFeu77qbTANBgkqhkiG9w0BAQsFAAOCAQEAplItvZpoX/joG3QREu9tHVKwDTmXB2lwUM5G8iKPgd6D6oOILZMe2KuvWt12dcdEzUCGfJwJJ8M8R2WD0OmcLdFqvM/8UM1hYzUP2BCnFCLtElVD+b4wMlQNpdHqNbdckw8J4MLQlhUgu9rZAZ0XjWCprr+U50bX++vYRw7Un3Ds6ETEvjflm5WAPb2e0V1hhISPl8K+VXO7RAwxy0DHcDuR+YaD+hnNgMsJV3/QwA17Iy8x86RpOgqmesbt0U7e9Rmo81aVgiy/V4OCV7u6bPX03fmZNS8UwwJuRUlxkjO+epHNYB2cnOcjSkUxaIJ9Hv3tMWHQEtbVZsNYSOZozw=='
set pki certificate client1 private key 'MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAECggEAPS/Fhtt5k2BgFivZW3FcVc+OS0keGwV8hkFsGoXTZIKEIzSFWIn/mX0CUY90C0Rn9MRwiqB4PwssOAsHY6QQjdRK8irRbVK8l2ZeydHC7DfVUdXtKR0YnxTaePML3nTV/TqPF14Rx6EINtHrkLeBbu2DhGsKfhoHIoTVbvUiKLHa2TkGJOkhvjsyMSPKzUXa1AzLmu+UBIhRYpEPHj0SQUUJJnKgIb7mTR2fhJScHcKwsrPq6S8OpChvsYZ6zatgrTFz9tuhD4IjL7NBiYP45BwGaLIaQjph8yAJwwHWoOP+TTj5WYflkW6Uu8F9gC0ve6dPGPNEi2TUdirvAe4LYQKBgQD0UfAPm6tQg8pdkvfMBvYc21fk8zqmgcA4OtvDi60aXuv5jI5+faISvOG2JLuFhKIDOb5ZerzGvkN+LvWgzr9H7YdGZNNtwKgpS/MGqcuuHncTxWBAwYgKhf26a/tqFZRNurJ6GowxDiAcQEc1mWnmdngRa+dvvCwNbXvGVqfVEQKBgQDGKi447TqD76QfvRPn/fRSjM+QE1duk+XorEJ0HHIha5HV9kCrZdV/olGRjDLwPJO6JW7iE2FUsS9SsIrccFE/9P2ZUqfYP2wL5vNO5kAmoLLUl0gwqg1WnBTPJfXeKReTj2uGmOdEuuMPXpL/49hDuPViiE2Q4MGe2Z+oEYN/EwKBgHfQMuTEl2e9qaDn8OM6SrluC5V4fjunh6dLnfgwaCx1fk1702lOnQuJWzsiml9o4raoO6PP4AGqzphz2PsKSJ2ya1NnIJRDFXRjDYQoAn2Z7RViBsja36chfINObxXgDUFtHBdrK3LnFXIlR4aOfHOLh2grvWx7IDNZjIiAeH+xAoGAJlmFZnjqiRv4bDgAQTZRcSRVCvHjSsAOj0++8I+MutEBgSHN9B2aCsBT/tHeDcX7ZNvXsKLFhElh+iO2S+DkqHb2GRT47I2hkFAaqBtBMPiKgz/ftaNDP46nLEuRYHQdXu4zhfHTV+a/CHtqAWGLuddyjaYJNM96SQ6eqjzxcMcCgYAzdxOF2e27hIgo2ttjsROMGqW0/0r/HsKGKPnao7xHQNCAswTnBT+QGugPCe0NXjuxbySP7V1GeWMWF+WV5khtteWerT1/ELAC48NSDpaMxVa4GP8Q/0w6+ZyJty3UGbCYQzZZue81dU+42LUIaVJ4NAc2tYj3jD780udasawS6w=='
+.. start_vyoslinter
+
Manually copy the CA, client certificate, and Diffie-Hellman key to the client
device, then commit them before configuring the OpenVPN interface.
@@ -408,7 +438,8 @@ connection resets or daemon reloads. Clients are identified by the CN attribute
in their SSL certificates.
To grant clients access to a specific network behind the router, use the
-push-route option to automatically install the appropriate route on each client.
+push-route option to automatically install the appropriate route on
+each client.
.. code-block:: none
@@ -448,6 +479,8 @@ Verification
Check the tunnel status:
+.. stop_vyoslinter
+
.. code-block:: none
vyos@vyos:~$ show openvpn server
@@ -456,9 +489,9 @@ Check the tunnel status:
Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since
----------- ------------------ ----------- ---------------- ---------- ---------- -------------------
- client1 172.110.12.54:33166 10.23.1.10 172.18.201.10:1194 3.4 KB 3.4 KB 2024-06-11 12:07:25
-
+ client1 172.16.12.54:33166 10.23.1.10 172.18.201.10:1194 3.4 KB 3.4 KB 2024-06-11 12:07:25
+.. start_vyoslinter
Server bridge
=============
@@ -525,10 +558,14 @@ configuration file.
**Best practice:** Store the configuration file in the ``/config`` directory
to ensure it is preserved after image updates.
+.. stop_vyoslinter
+
.. code-block:: none
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
+.. start_vyoslinter
+
A sample configuration file is shown below:
.. code-block:: none
@@ -558,6 +595,8 @@ Active Directory
A sample configuration file is shown below:
+.. stop_vyoslinter
+
.. code-block:: none
<LDAP>
@@ -589,8 +628,11 @@ A sample configuration file is shown below:
</Group>
</Authorization>
-If you only want to check that the user account is enabled and can authenticate
-(against the primary group), the following snippet is sufficient:
+.. start_vyoslinter
+
+If you only want to check that the user account is enabled and can
+authenticate (against the primary group), the following snippet is
+sufficient:
.. code-block:: none
@@ -609,8 +651,10 @@ If you only want to check that the user account is enabled and can authenticate
RequireGroup false
</Authorization>
-A complete example of an LDAP authentication configuration for OpenVPN is shown
-below:
+A complete example of an LDAP authentication configuration for OpenVPN
+is shown below:
+
+.. stop_vyoslinter
.. code-block:: none
@@ -639,7 +683,14 @@ below:
}
}
-For a detailed example, refer to :doc:`OpenVPN with LDAP</configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`.
+.. start_vyoslinter
+
+.. stop_vyoslinter
+
+For a detailed example, refer to
+:doc:`OpenVPN with LDAP</configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`.
+
+.. start_vyoslinter
Multi-factor authentication
===========================
@@ -671,6 +722,8 @@ To display authentication information, use the following command:
Example:
+.. stop_vyoslinter
+
.. code-block:: none
vyos@vyos:~$ sh interfaces openvpn vtun20 user user1 mfa qrcode
@@ -694,6 +747,8 @@ Example:
█████████████████████████████████████
█████████████████████████████████████
+.. start_vyoslinter
+
Scan the QR code to add the user account to Google Authenticator. On the client
side, use the generated OTP as the password.
@@ -714,6 +769,8 @@ username and password.
Server configuration
--------------------
+.. stop_vyoslinter
+
.. code-block:: none
set interfaces openvpn vtun10 local-port '1194'
@@ -730,6 +787,8 @@ Server configuration
set interfaces openvpn vtun10 tls certificate 'srv-1'
set interfaces openvpn vtun10 tls dh-params 'dh-1'
+.. start_vyoslinter
+
The /config/auth/check_user.sh example includes two test users:
.. code-block:: none
@@ -753,10 +812,14 @@ Client configuration
Storing the client certificate locally lets you generate the OpenVPN client
configuration file. Use the following command:
+.. stop_vyoslinter
+
.. code-block:: none
vyos@vyos:~$ generate openvpn client-config interface vtun10 ca ca-1 certificate client1
+.. start_vyoslinter
+
Copy the output and save it as a .ovpn file. Add the ``auth-user-pass``
directive to the file. This instructs the OpenVPN client to prompt the user
for a username and password, which are then sent to the server over the TLS
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst
index 27c47a91..f1376cdf 100644
--- a/docs/configuration/interfaces/tunnel.rst
+++ b/docs/configuration/interfaces/tunnel.rst
@@ -2,8 +2,9 @@
.. _tunnel-interface:
+######
Tunnel
-======
+######
Tunnel interfaces are virtual links that transmit encapsulated traffic between
private networks or hosts across public infrastructure, such as the Internet.
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 1704b9d1..e45c17d9 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -1,17 +1,92 @@
.. _vti-interface:
##############################
-VTI - Virtual Tunnel Interface
+VTI (virtual tunnel interface)
##############################
-Set Virtual Tunnel Interface
+:abbr:`VTIs (virtual tunnel interfaces)` let you create secure, encrypted
+tunnels between private networks or hosts across public infrastructure, such as
+the Internet. They operate alongside an underlying IPsec tunnel, which handles
+encapsulation and encryption, while VTIs function exclusively as routing
+interfaces.
+
+*************
+Configuration
+*************
+
+Common interface configuration
+==============================
+
+.. cmdinclude:: /_include/interface-address.txt
+ :var0: vti
+ :var1: vti0
+
+.. cmdinclude:: /_include/interface-description.txt
+ :var0: vti
+ :var1: vti0
+
+.. cmdinclude:: /_include/interface-disable.txt
+ :var0: vti
+ :var1: vti0
+
+.. cmdinclude:: /_include/interface-ip.txt
+ :var0: vti
+ :var1: vti0
+
+.. cmdinclude:: /_include/interface-ipv6.txt
+ :var0: vti
+ :var1: vti0
+
+.. cmdinclude:: /_include/interface-mtu.txt
+ :var0: vti
+ :var1: vti0
+
+.. cfgcmd:: set interfaces vti <interface> mirror egress <monitor-interface>
+
+ Configure mirroring of outgoing traffic from the specified VTI to the
+ designated monitor interface.
+
+.. cfgcmd:: set interfaces vti <interface> mirror ingress <monitor-interface>
+
+ Configure mirroring of incoming traffic from the specified VTI to the
+ designated monitor interface.
+
+.. cfgcmd:: set interfaces vti <interface> redirect <interface>
+
+ Enable redirection of incoming packets to the specified interface.
+
+.. cmdinclude:: /_include/interface-vrf.txt
+ :var0: vti
+ :var1: vti0
+
+*********
+Operation
+*********
+
+.. opcmd:: show interfaces vti <vtiX>
+
+ Show the operational status and traffic statistics for the specified VTI.
+
+.. opcmd:: show interfaces vti <vtiX> brief
+
+ Show a brief operational status summary for the specified VTI.
+
+
+*******
+Example
+*******
+
+**Configure a VTI**
+
+Assign IPv4 and IPv6 addresses to the VTI, along with a brief description:
.. code-block:: none
set interfaces vti vti0 address 192.168.2.249/30
set interfaces vti vti0 address 2001:db8:2::249/64
+ set interfaces vti vti0 description "Description"
-Results in:
+Resulting configuration:
.. code-block:: none
@@ -22,19 +97,19 @@ Results in:
description "Description"
}
-.. warning:: When using site-to-site IPsec with VTI interfaces,
- be sure to disable route autoinstall
+.. warning:: When configuring site-to-site IPsec with VTIs, ensure that route
+ autoinstall is disabled.
.. code-block:: none
set vpn ipsec options disable-route-autoinstall
-More details about the IPsec and VTI issue and option disable-route-autoinstall
-https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+For more information about the IPsec and VTI issue, as well as the
+``disable-route-autoinstall`` option, see:
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july.
-The root cause of the problem is that for VTI tunnels to work, their traffic
-selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even
-though actual routing decision is made according to netfilter marks. Unless
-route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a
-default route through the VTI peer address, which makes all traffic routed
-to nowhere. \ No newline at end of file
+The root cause of the problem is that VTI tunnels require their traffic
+selectors to be set to ``0.0.0.0/0`` for traffic to match the tunnel, even
+though routing decisions are based on netfilter marks. Unless route insertion
+is explicitly disabled, strongSWAN incorrectly inserts a default route through
+the VTI peer address, causing all traffic to be misrouted.
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index e6a29f9a..728783b2 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -1,17 +1,14 @@
-:lastproofread: 2024-07-04
+:lastproofread: 2026-03-23
.. _wireless-interface:
-########################
-WLAN/WIFI - Wireless LAN
-########################
+####################
+Wireless LAN / Wi-Fi
+####################
-The :abbr:`WLAN (Wireless LAN)` interface provides 802.11 (a/b/g/n/ac) wireless
-support (commonly referred to as Wi-Fi) by means of compatible hardware. If
-your hardware supports it, VyOS supports multiple logical wireless interfaces
-per physical device.
-
-There are three modes of operation for a wireless interface:
+:abbr:`WLAN (Wireless LAN)` interfaces provide 802.11 (a/b/g/n/ac) wireless
+connectivity, referred to as Wi-Fi, and operate in one of the following
+modes:
* :abbr:`WAP (Wireless Access-Point)` mode provides network access to connecting
stations if the physical hardware supports acting as a WAP
@@ -22,7 +19,7 @@ There are three modes of operation for a wireless interface:
* Monitor mode lets the system passively monitor wireless traffic
If the system detects an unconfigured wireless device, it will be automatically
-added the configuration tree, specifying any detected settings (for example,
+added to the configuration tree, specifying any detected settings (for example,
its MAC address) and configured to run in monitor mode.
*************
@@ -36,7 +33,7 @@ Common interface configuration
:var0: wireless
:var1: wlan0
-System Wide configuration
+System-wide configuration
=========================
.. cfgcmd:: set system wireless country-code <cc>
@@ -45,24 +42,20 @@ System Wide configuration
to indicate country in which device is operating. This can limit available
channels and transmit power.
- .. note:: This option is mandatory in Access-Point mode.
+ .. note:: This option is mandatory in ``access-point`` mode.
Wireless options
================
-.. cfgcmd:: set system wireless country-code <cc>
-
- Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed
- to indicate country in which the box is operating. This can limit available
- channels and transmit power.
-
- .. note:: This option is mandatory in Access-Point mode.
-
.. cfgcmd:: set interfaces wireless <interface> channel <number>
- Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n/ax) channels range from
- 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 177.
- On 6GHz (802.11 ax) channels range from 1 to 233.
+ Configure the IEEE 802.11 wireless radio channel for the interface.
+ Channel allocation depends on the frequency band:
+
+ * **2.4 GHz** (802.11b/g/n/ax): Channels range from 1 to 14.
+ * **5 GHz** (802.11a/h/j/n/ac/ax): Channels range from 34 to 177.
+ * **6 GHz** (802.11ax): Channels range from 1 to 233.
+ * **Automatic channel selection:** 0.
.. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid
@@ -84,7 +77,7 @@ Wireless options
By default, this bridging is allowed.
-.. cfgcmd:: set interfaces wireless <interface> max-stations
+.. cfgcmd:: set interfaces wireless <interface> max-stations <count>
Maximum number of stations allowed in station table. New stations will be
rejected after the station table is full. IEEE 802.11 has a limit of 2007
@@ -144,9 +137,9 @@ Wireless options
Wireless device type for this interface
- * ``access-point`` - Access-point forwards packets between other nodes
- * ``station`` - Connects to another access point
- * ``monitor`` - Passively monitor all packets on the frequency/channel
+ * ``access-point``: Forwards packets between other nodes.
+ * ``station``: Connects to another :abbr:`AP (Access Point)`.
+ * ``monitor``: Passively monitors all packets on the frequency/channel.
.. cmdinclude:: /_include/interface-per-client-thread.txt
:var0: wireless
@@ -164,7 +157,8 @@ PPDU
HT (High Throughput) capabilities (802.11n)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Configuring HT mode options is required when using 802.11n or 802.11ax at 2.4GHz.
+ Configuring HT mode options is required when using 802.11n or
+ 802.11ax at 2.4GHz.
.. cfgcmd:: set interfaces wireless <interface> capabilities ht 40mhz-incapable
@@ -185,12 +179,9 @@ HT (High Throughput) capabilities (802.11n)
* ``ht40+`` - Both 20 MHz and 40 MHz with secondary channel above the primary
channel
- .. note:: There are limits on which channels can be used with HT40- and HT40+.
- Following table shows the channels that may be available for HT40- and HT40+
- use per IEEE 802.11n Annex J:
-
- Depending on the location, not all of these channels may be available for
- use!
+ .. note:: Channel availability for HT40- and HT40+ is limited. The following
+ table lists channels permitted for HT40- and HT40+ according to IEEE
+ 802.11n Annex J. Channel availability may vary by location.
.. code-block:: none
@@ -199,7 +190,7 @@ HT (High Throughput) capabilities (802.11n)
5 GHz 40,48,56,64 36,44,52,60
.. note:: 40 MHz channels may switch their primary and secondary channels if
- needed or creation of 40 MHz channel maybe rejected based on overlapping
+ needed or creation of 40 MHz channel may be rejected based on overlapping
BSSes. These changes are done automatically when hostapd is setting up the
40 MHz channel.
@@ -250,7 +241,11 @@ HT (High Throughput) capabilities (802.11n)
VHT (Very High Throughput) capabilities (802.11ac)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-.. cfgcmd:: set interfaces wireless <interface> capabilities vht antenna-count
+.. stop_vyoslinter
+
+.. cfgcmd:: set interfaces wireless <interface> capabilities vht antenna-count <count>
+
+.. start_vyoslinter
Number of antennas on this card
@@ -352,7 +347,7 @@ HE (High Efficiency) capabilities (802.11ax)
single user beamformer
* ``single-user-beamformee`` - Support for operation as
single user beamformee
- * ``multi-user-beamformer`` - Support for operation as single
+ * ``multi-user-beamformer`` - Support for operation as multi
user beamformer
.. cfgcmd:: set interfaces wireless <interface>
@@ -394,7 +389,7 @@ HE (High Efficiency) capabilities (802.11ax)
.. cfgcmd:: set interfaces wireless <interface>
capabilities he coding-scheme <number>
- This setting configures Spacial Stream and Modulation Coding Scheme
+ This setting configures Spatial Stream and Modulation Coding Scheme
settings for HE mode (HE-MCS). It is usually not needed to set this
explicitly, but it might help with some WiFi adapters.
@@ -417,10 +412,10 @@ default physical device (``phy0``) is used.
set system wireless country-code de
set interfaces wireless wlan0 type station
set interfaces wireless wlan0 address dhcp
- set interfaces wireless wlan0 ssid Test
+ set interfaces wireless wlan0 ssid 'TEST'
set interfaces wireless wlan0 security wpa passphrase '12345678'
-Resulting in
+Resulting configuration:
.. code-block:: none
@@ -445,7 +440,7 @@ Security
========
:abbr:`WPA (Wi-Fi Protected Access)`, WPA2 Enterprise and WPA3 Enterprise in
-combination with 802.1x based authentication can be used to authenticate
+combination with 802.1X based authentication can be used to authenticate
users or computers in a domain.
The wireless client (supplicant) authenticates against the RADIUS server
@@ -472,7 +467,7 @@ The WAP in this example has the following characteristics:
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
- set interfaces wireless wlan0 ssid 'TEST'
+ set interfaces wireless wlan0 ssid 'Enterprise-TEST'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key 'VyOSPassword'
@@ -480,7 +475,7 @@ The WAP in this example has the following characteristics:
.. start_vyoslinter
-Resulting in
+Resulting configuration:
.. code-block:: none
@@ -546,7 +541,7 @@ about all wireless interfaces.
.. opcmd:: show interfaces wireless detail
-Use this command to view operational status and details wireless-specific
+Show the operational status and detailed wireless-specific
information about all wireless interfaces.
.. stop_vyoslinter
@@ -688,7 +683,7 @@ The WAP in this example has the following characteristics:
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa passphrase '12345678'
-Resulting in
+Resulting configuration:
.. code-block:: none
@@ -715,28 +710,29 @@ Resulting in
}
}
-To get it to work as an access point with this configuration you will need
-to set up a DHCP server to work with that network. You can - of course - also
-bridge the Wireless interface with any configured bridge
-(:ref:`bridge-interface`) on the system.
+To enable access point functionality, configure a DHCP server for this
+interface's network, or add the interface to an existing local bridge
+(see :ref:`bridge-interface` for details).
-WiFi-6(e) - 802.11ax
-====================
+Wi-Fi 6/6E (802.11ax)
+=====================
-The following examples will show valid configurations for WiFi-6 (2.4GHz)
-and WiFi-6e (6GHz) Access-Points with the following characteristics:
+The following examples configure Wi-Fi 6 (2.4 GHz) and Wi-Fi 6E (6 GHz)
+:abbr:`APs (Access Points)` with the following parameters:
-* Network ID (SSID) ``test.ax``
-* WPA passphrase ``super-dooper-secure-passphrase``
-* Use 802.11ax protocol
-* Wireless channel ``11`` for 2.4GHz
-* Wireless channel ``5`` for 6GHz
+* Network ID (SSID): ``test.ax``
+* WPA passphrase: ``super-dooper-secure-passphrase``
+* Protocol: 802.11ax
+* Wireless channel for 2.4 GHz: ``11``
+* Wireless channel for 6 GHz: ``5``
-Example Configuration: WiFi-6 at 2.4GHz
----------------------------------------
+Example configuration: Wi-Fi 6 at 2.4 GHz
+------------------------------------------
-You may expect real throughputs around 10MBytes/s or higher in crowded areas.
+You may expect real throughput around 10 MB/s or higher in crowded areas.
+
+.. stop_vyoslinter
.. code-block:: none
@@ -768,7 +764,9 @@ You may expect real throughputs around 10MBytes/s or higher in crowded areas.
set interfaces wireless wlan0 type access-point
commit
-Resulting in
+.. start_vyoslinter
+
+Resulting configuration:
.. code-block:: none
@@ -824,14 +822,16 @@ Resulting in
}
}
-Example Configuration: WiFi-6e at 6GHz
---------------------------------------
+Example configuration: Wi-Fi 6E at 6 GHz
+-----------------------------------------
-You may expect real throughputs around 50MBytes/s to 150MBytes/s,
-depending on obstructions by walls, water, metal or other materials
-with high electro-magnetic dampening at 6GHz. Best results are achieved
+You may expect real throughput between 50 MB/s and 150 MB/s, depending on
+obstructions from walls, water, metal, or other materials
+with high electromagnetic damping at 6 GHz. Best results are achieved
with the AP being in the same room and in line-of-sight.
+.. stop_vyoslinter
+
.. code-block:: none
set system wireless country-code de
@@ -841,7 +841,7 @@ with the AP being in the same room and in line-of-sight.
set interfaces wireless wlan0 capabilities he beamform single-user-beamformer
set interfaces wireless wlan0 capabilities he bss-color 13
set interfaces wireless wlan0 capabilities he channel-set-width 134
- set interfaces wireless wlan0 capabilities he capabilities he center-channel-freq freq-1 15
+ set interfaces wireless wlan0 capabilities he center-channel-freq freq-1 15
set interfaces wireless wlan0 channel 5
set interfaces wireless wlan0 description "802.11ax 6GHz"
set interfaces wireless wlan0 mode ax
@@ -858,7 +858,9 @@ with the AP being in the same room and in line-of-sight.
set interfaces wireless wlan0 stationary-ap
commit
-Resulting in
+.. start_vyoslinter
+
+Resulting configuration:
.. code-block:: none
@@ -913,8 +915,7 @@ Resulting in
Intel AX200
===========
-The Intel AX200 card does not work out of the box in AP mode, see
-https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can
+The Intel AX200 card does not work out of the box in AP mode. You can
still put this card into AP mode using the following configuration:
.. stop_vyoslinter
diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst
index b4b6a9ce..7ab3ac74 100644
--- a/docs/configuration/interfaces/wwan.rst
+++ b/docs/configuration/interfaces/wwan.rst
@@ -1,15 +1,15 @@
-:lastproofread: 2024-07-04
+:lastproofread: 2026-03-30
.. _wwan-interface:
-#################################
-WWAN - Wireless Wide-Area-Network
-#################################
+####
+WWAN
+####
-The Wireless Wide-Area-Network interface provides access (through a wireless
-modem/wwan) to wireless networks provided by various cellular providers.
+:abbr:`WWAN (Wireless Wide Area Network)` interfaces provide access to cellular
+networks via a cellular modem or card.
-VyOS uses the `interfaces wwan` subsystem for configuration.
+Configure these interfaces under the ``interfaces wwan`` node.
*************
Configuration
@@ -64,14 +64,18 @@ Common interface configuration
:var0: wwan
:var1: wwan0
-WirelessModem (WWAN) options
-============================
+WWAN options
+============
.. cfgcmd:: set interfaces wwan <interface> apn <apn>
- Every WWAN connection requires an :abbr:`APN (Access Point Name)` which is
- used by the client to dial into the ISPs network. This is a mandatory
- parameter. Contact your Service Provider for correct APN.
+ **Configure the** :abbr:`APN (Access Point Name)` **for the WWAN connection.**
+
+ Every WWAN connection requires an :abbr:`APN (Access Point Name)` to connect to
+ the cellular network.
+
+ This parameter is mandatory. Contact your service provider for the correct
+ :abbr:`APN (Access Point Name)`.
*********
@@ -80,7 +84,8 @@ Operation
.. opcmd:: show interfaces wwan <interface>
- Show detailed information on given `<interface>`
+ Show the operational status and traffic statistics for the specified WWAN
+ interface.
.. code-block:: none
@@ -99,7 +104,7 @@ Operation
.. opcmd:: show interfaces wwan <interface> summary
- Show detailed information summary on given `<interface>`
+ Show WWAN module hardware characteristics and connection information.
.. code-block:: none
@@ -166,7 +171,7 @@ Operation
.. opcmd:: show interfaces wwan <interface> capabilities
- Show WWAN module hardware capabilities.
+ Show WWAN module radio capabilities.
.. code-block:: none
@@ -181,7 +186,7 @@ Operation
.. opcmd:: show interfaces wwan <interface> firmware
- Show WWAN module firmware.
+ Show WWAN module firmware information.
.. code-block:: none
@@ -208,7 +213,7 @@ Operation
.. opcmd:: show interfaces wwan <interface> imsi
- Show WWAN module IMSI.
+ Show the IMSI of the associated SIM card.
.. code-block:: none
@@ -226,7 +231,7 @@ Operation
.. opcmd:: show interfaces wwan <interface> msisdn
- Show WWAN module MSISDN.
+ Show the MSISDN of the associated SIM card.
.. code-block:: none
@@ -244,7 +249,7 @@ Operation
.. opcmd:: show interfaces wwan <interface> signal
- Show WWAN module signal strength.
+ Show signal information for the cellular connection.
.. code-block:: none
@@ -293,20 +298,20 @@ Operation
Example
*******
-The following example is based on a Sierra Wireless MC7710 miniPCIe card (only
-the form factor in reality it runs UBS) and Deutsche Telekom as ISP. The card
-is assembled into a :ref:`pc-engines-apu4`.
+The following example shows how to configure a cellular connection using a
+Sierra Wireless MC7710 miniPCIe card that operates over USB despite its form
+factor. The card is installed in a :ref:`pc-engines-apu4`.
.. code-block:: none
set interfaces wwan wwan0 apn 'internet.telekom'
set interfaces wwan wwan0 address 'dhcp'
-*****************
-Supported Modules
-*****************
+******************
+Supported hardware
+******************
-The following hardware modules have been tested successfully in an
+The following WWAN modules have been successfully tested with a
:ref:`pc-engines-apu4` board:
* Sierra Wireless AirPrime MC7304 miniPCIe card (LTE)
@@ -318,19 +323,18 @@ The following hardware modules have been tested successfully in an
* HP LT4120 Snapdragon X5 LTE
***************
-Firmware Update
+Firmware update
***************
-All available WWAN cards have a built-in, reprogrammable firmware. Most vendors
-provide regular updates to firmware used in the baseband chip.
+WWAN modules include reprogrammable firmware, and most vendors regularly
+provide updates for it.
-As VyOS makes use of the QMI interface to connect to the WWAN modem cards, the
-firmware can be reprogrammed.
+Since VyOS communicates with these devices via the QMI interface, you can
+update firmware directly within the system using the ``qmi-firmware-update``
+utility.
-To update the firmware, VyOS also ships the `qmi-firmware-update` binary. To
-upgrade the firmware of an e.g. Sierra Wireless MC7710 module to the firmware
-provided in the file ``9999999_9999999_9200_03.05.14.00_00_generic_000.000_001_SPKG_MC.cwe``
-use the following command:
+The following example shows how to update the firmware for a Sierra Wireless
+MC7710 module using the provided .cwe file.
.. code-block:: bash