diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-04-15 12:39:08 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-04-15 12:39:08 +0300 |
| commit | 1802518c053bde050074d85a137ffe672ec99e53 (patch) | |
| tree | c964bba1226ceceac324e7377728da2d1145758d /docs/configuration/interfaces | |
| parent | 2ff3232cac2278f22624a0a2e8daf2280b14912c (diff) | |
| parent | f0402b1a08c393c6f12896e2d27c339030f030b2 (diff) | |
| download | vyos-documentation-1802518c053bde050074d85a137ffe672ec99e53.tar.gz vyos-documentation-1802518c053bde050074d85a137ffe672ec99e53.zip | |
merge: resolve CLAUDE.md conflict, keep current branch version
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Diffstat (limited to 'docs/configuration/interfaces')
| -rw-r--r-- | docs/configuration/interfaces/openvpn-examples.rst | 87 | ||||
| -rw-r--r-- | docs/configuration/interfaces/tunnel.rst | 3 | ||||
| -rw-r--r-- | docs/configuration/interfaces/vti.rst | 101 | ||||
| -rw-r--r-- | docs/configuration/interfaces/wireless.rst | 145 | ||||
| -rw-r--r-- | docs/configuration/interfaces/wwan.rst | 74 |
5 files changed, 277 insertions, 133 deletions
diff --git a/docs/configuration/interfaces/openvpn-examples.rst b/docs/configuration/interfaces/openvpn-examples.rst index bba04d9c..6e746e46 100644 --- a/docs/configuration/interfaces/openvpn-examples.rst +++ b/docs/configuration/interfaces/openvpn-examples.rst @@ -1,6 +1,10 @@ +############ Site-to-site -============ +############ + +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. OpenVPN is popular for client-server setups, but its site-to-site mode is less common and often not supported by router appliances. Despite limited support, @@ -29,9 +33,9 @@ In both cases, we will use the following settings: * The ``persistent-tunnel`` directive allows us to configure tunnel-related attributes, such as firewall policy, as we would on any standard network interface. -* If known, the remote router's IP address can be configured using the - ``remote-host`` directive. If unknown, it can be omitted. We assume the remote - router has a dynamic IP address. +* If known, the remote router's IP address can be configured using the + ``remote-host`` directive. If unknown, it can be omitted. We assume + the remote router has a dynamic IP address. .. figure:: /_static/images/openvpn_site2site_diagram.* @@ -51,6 +55,8 @@ Elliptic Curve (EC) type. In configuration mode, run the following command: certificate to the configuration session's ``pki`` subtree. Review and commit the changes. +.. stop_vyoslinter + .. code-block:: none vyos@vyos# run generate pki certificate self-signed install openvpn-local @@ -82,16 +88,21 @@ the changes. vyos@vyos# commit +.. start_vyoslinter You do **not** need to copy the certificate to the other router. Instead, retrieve its SHA-256 fingerprint. Since OpenVPN currently supports only SHA-256 fingerprints, use the following command: +.. stop_vyoslinter + .. code-block:: none vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79 +.. start_vyoslinter + .. note:: Certificate names are arbitrary. While ``openvpn-local`` and ``openvpn-remote`` are used here, you may choose any names. @@ -102,6 +113,8 @@ Set up site-to-site OpenVPN Local configuration: +.. stop_vyoslinter + .. code-block:: none Configure the tunnel: @@ -134,6 +147,8 @@ Remote configuration: set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 on the local router set interfaces openvpn vtun1 tls role passive +.. start_vyoslinter + Set up pre-shared keys ---------------------- @@ -146,6 +161,8 @@ First, generate a key by running ``run generate pki openvpn shared-secret install <name>`` in configuration mode. You can use any name; in this example, we use ``s2s``. +.. stop_vyoslinter + .. code-block:: none vyos@local# run generate pki openvpn shared-secret install s2s @@ -163,6 +180,8 @@ we use ``s2s``. vyos@local# commit [edit] +.. start_vyoslinter + Next, install the key on the remote router: .. code-block:: none @@ -181,6 +200,8 @@ Set up firewall exceptions To allow OpenVPN traffic to pass through the WAN interface, create a firewall exception: +.. stop_vyoslinter + .. code-block:: none set firewall ipv4 name OUTSIDE_LOCAL rule 10 action 'accept' @@ -193,6 +214,8 @@ exception: set firewall ipv4 name OUTSIDE_LOCAL rule 20 log set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol 'udp' +.. start_vyoslinter + Apply the OUTSIDE_LOCAL firewall group to the WAN interface and to the input filter for traffic destined for the router itself: @@ -229,6 +252,8 @@ unique ports to each tunnel. Verify OpenVPN status using the show openvpn operational commands. +.. stop_vyoslinter + .. code-block:: none vyos@vyos:~$ show openvpn site-to-site @@ -239,6 +264,7 @@ Verify OpenVPN status using the show openvpn operational commands. ----------- ----------------- ----------- ------------ ---------- ---------- ----------------- N/A 10.110.12.54:1195 N/A N/A 504.0 B 656.0 B N/A +.. start_vyoslinter Server-client ============= @@ -262,6 +288,8 @@ session's PKI subtree. Certificate Authority (CA): +.. stop_vyoslinter + .. code-block:: none vyos@vyos# run generate pki ca install ca-1 @@ -363,6 +391,8 @@ Client certificate: set pki certificate client1 certificate 'MIIDrjCCApagAwIBAgIUPvtffeYTdoOiHxu++wdrjHwwVX4wDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTQxMDlaFw0yNjA2MTExMTQxMDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQnUyqEzG+AqZzsdSud5MDqsOxiXTAfBgNVHSMEGDAWgBQAb2W+vsDMn/Li9j9eVbFeu77qbTANBgkqhkiG9w0BAQsFAAOCAQEAplItvZpoX/joG3QREu9tHVKwDTmXB2lwUM5G8iKPgd6D6oOILZMe2KuvWt12dcdEzUCGfJwJJ8M8R2WD0OmcLdFqvM/8UM1hYzUP2BCnFCLtElVD+b4wMlQNpdHqNbdckw8J4MLQlhUgu9rZAZ0XjWCprr+U50bX++vYRw7Un3Ds6ETEvjflm5WAPb2e0V1hhISPl8K+VXO7RAwxy0DHcDuR+YaD+hnNgMsJV3/QwA17Iy8x86RpOgqmesbt0U7e9Rmo81aVgiy/V4OCV7u6bPX03fmZNS8UwwJuRUlxkjO+epHNYB2cnOcjSkUxaIJ9Hv3tMWHQEtbVZsNYSOZozw==' set pki certificate client1 private key 'MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAECggEAPS/Fhtt5k2BgFivZW3FcVc+OS0keGwV8hkFsGoXTZIKEIzSFWIn/mX0CUY90C0Rn9MRwiqB4PwssOAsHY6QQjdRK8irRbVK8l2ZeydHC7DfVUdXtKR0YnxTaePML3nTV/TqPF14Rx6EINtHrkLeBbu2DhGsKfhoHIoTVbvUiKLHa2TkGJOkhvjsyMSPKzUXa1AzLmu+UBIhRYpEPHj0SQUUJJnKgIb7mTR2fhJScHcKwsrPq6S8OpChvsYZ6zatgrTFz9tuhD4IjL7NBiYP45BwGaLIaQjph8yAJwwHWoOP+TTj5WYflkW6Uu8F9gC0ve6dPGPNEi2TUdirvAe4LYQKBgQD0UfAPm6tQg8pdkvfMBvYc21fk8zqmgcA4OtvDi60aXuv5jI5+faISvOG2JLuFhKIDOb5ZerzGvkN+LvWgzr9H7YdGZNNtwKgpS/MGqcuuHncTxWBAwYgKhf26a/tqFZRNurJ6GowxDiAcQEc1mWnmdngRa+dvvCwNbXvGVqfVEQKBgQDGKi447TqD76QfvRPn/fRSjM+QE1duk+XorEJ0HHIha5HV9kCrZdV/olGRjDLwPJO6JW7iE2FUsS9SsIrccFE/9P2ZUqfYP2wL5vNO5kAmoLLUl0gwqg1WnBTPJfXeKReTj2uGmOdEuuMPXpL/49hDuPViiE2Q4MGe2Z+oEYN/EwKBgHfQMuTEl2e9qaDn8OM6SrluC5V4fjunh6dLnfgwaCx1fk1702lOnQuJWzsiml9o4raoO6PP4AGqzphz2PsKSJ2ya1NnIJRDFXRjDYQoAn2Z7RViBsja36chfINObxXgDUFtHBdrK3LnFXIlR4aOfHOLh2grvWx7IDNZjIiAeH+xAoGAJlmFZnjqiRv4bDgAQTZRcSRVCvHjSsAOj0++8I+MutEBgSHN9B2aCsBT/tHeDcX7ZNvXsKLFhElh+iO2S+DkqHb2GRT47I2hkFAaqBtBMPiKgz/ftaNDP46nLEuRYHQdXu4zhfHTV+a/CHtqAWGLuddyjaYJNM96SQ6eqjzxcMcCgYAzdxOF2e27hIgo2ttjsROMGqW0/0r/HsKGKPnao7xHQNCAswTnBT+QGugPCe0NXjuxbySP7V1GeWMWF+WV5khtteWerT1/ELAC48NSDpaMxVa4GP8Q/0w6+ZyJty3UGbCYQzZZue81dU+42LUIaVJ4NAc2tYj3jD780udasawS6w==' +.. start_vyoslinter + Manually copy the CA, client certificate, and Diffie-Hellman key to the client device, then commit them before configuring the OpenVPN interface. @@ -408,7 +438,8 @@ connection resets or daemon reloads. Clients are identified by the CN attribute in their SSL certificates. To grant clients access to a specific network behind the router, use the -push-route option to automatically install the appropriate route on each client. +push-route option to automatically install the appropriate route on +each client. .. code-block:: none @@ -448,6 +479,8 @@ Verification Check the tunnel status: +.. stop_vyoslinter + .. code-block:: none vyos@vyos:~$ show openvpn server @@ -456,9 +489,9 @@ Check the tunnel status: Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since ----------- ------------------ ----------- ---------------- ---------- ---------- ------------------- - client1 172.110.12.54:33166 10.23.1.10 172.18.201.10:1194 3.4 KB 3.4 KB 2024-06-11 12:07:25 - + client1 172.16.12.54:33166 10.23.1.10 172.18.201.10:1194 3.4 KB 3.4 KB 2024-06-11 12:07:25 +.. start_vyoslinter Server bridge ============= @@ -525,10 +558,14 @@ configuration file. **Best practice:** Store the configuration file in the ``/config`` directory to ensure it is preserved after image updates. +.. stop_vyoslinter + .. code-block:: none set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" +.. start_vyoslinter + A sample configuration file is shown below: .. code-block:: none @@ -558,6 +595,8 @@ Active Directory A sample configuration file is shown below: +.. stop_vyoslinter + .. code-block:: none <LDAP> @@ -589,8 +628,11 @@ A sample configuration file is shown below: </Group> </Authorization> -If you only want to check that the user account is enabled and can authenticate -(against the primary group), the following snippet is sufficient: +.. start_vyoslinter + +If you only want to check that the user account is enabled and can +authenticate (against the primary group), the following snippet is +sufficient: .. code-block:: none @@ -609,8 +651,10 @@ If you only want to check that the user account is enabled and can authenticate RequireGroup false </Authorization> -A complete example of an LDAP authentication configuration for OpenVPN is shown -below: +A complete example of an LDAP authentication configuration for OpenVPN +is shown below: + +.. stop_vyoslinter .. code-block:: none @@ -639,7 +683,14 @@ below: } } -For a detailed example, refer to :doc:`OpenVPN with LDAP</configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`. +.. start_vyoslinter + +.. stop_vyoslinter + +For a detailed example, refer to +:doc:`OpenVPN with LDAP</configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`. + +.. start_vyoslinter Multi-factor authentication =========================== @@ -671,6 +722,8 @@ To display authentication information, use the following command: Example: +.. stop_vyoslinter + .. code-block:: none vyos@vyos:~$ sh interfaces openvpn vtun20 user user1 mfa qrcode @@ -694,6 +747,8 @@ Example: █████████████████████████████████████ █████████████████████████████████████ +.. start_vyoslinter + Scan the QR code to add the user account to Google Authenticator. On the client side, use the generated OTP as the password. @@ -714,6 +769,8 @@ username and password. Server configuration -------------------- +.. stop_vyoslinter + .. code-block:: none set interfaces openvpn vtun10 local-port '1194' @@ -730,6 +787,8 @@ Server configuration set interfaces openvpn vtun10 tls certificate 'srv-1' set interfaces openvpn vtun10 tls dh-params 'dh-1' +.. start_vyoslinter + The /config/auth/check_user.sh example includes two test users: .. code-block:: none @@ -753,10 +812,14 @@ Client configuration Storing the client certificate locally lets you generate the OpenVPN client configuration file. Use the following command: +.. stop_vyoslinter + .. code-block:: none vyos@vyos:~$ generate openvpn client-config interface vtun10 ca ca-1 certificate client1 +.. start_vyoslinter + Copy the output and save it as a .ovpn file. Add the ``auth-user-pass`` directive to the file. This instructs the OpenVPN client to prompt the user for a username and password, which are then sent to the server over the TLS diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst index 27c47a91..f1376cdf 100644 --- a/docs/configuration/interfaces/tunnel.rst +++ b/docs/configuration/interfaces/tunnel.rst @@ -2,8 +2,9 @@ .. _tunnel-interface: +###### Tunnel -====== +###### Tunnel interfaces are virtual links that transmit encapsulated traffic between private networks or hosts across public infrastructure, such as the Internet. diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst index 1704b9d1..e45c17d9 100644 --- a/docs/configuration/interfaces/vti.rst +++ b/docs/configuration/interfaces/vti.rst @@ -1,17 +1,92 @@ .. _vti-interface: ############################## -VTI - Virtual Tunnel Interface +VTI (virtual tunnel interface) ############################## -Set Virtual Tunnel Interface +:abbr:`VTIs (virtual tunnel interfaces)` let you create secure, encrypted +tunnels between private networks or hosts across public infrastructure, such as +the Internet. They operate alongside an underlying IPsec tunnel, which handles +encapsulation and encryption, while VTIs function exclusively as routing +interfaces. + +************* +Configuration +************* + +Common interface configuration +============================== + +.. cmdinclude:: /_include/interface-address.txt + :var0: vti + :var1: vti0 + +.. cmdinclude:: /_include/interface-description.txt + :var0: vti + :var1: vti0 + +.. cmdinclude:: /_include/interface-disable.txt + :var0: vti + :var1: vti0 + +.. cmdinclude:: /_include/interface-ip.txt + :var0: vti + :var1: vti0 + +.. cmdinclude:: /_include/interface-ipv6.txt + :var0: vti + :var1: vti0 + +.. cmdinclude:: /_include/interface-mtu.txt + :var0: vti + :var1: vti0 + +.. cfgcmd:: set interfaces vti <interface> mirror egress <monitor-interface> + + Configure mirroring of outgoing traffic from the specified VTI to the + designated monitor interface. + +.. cfgcmd:: set interfaces vti <interface> mirror ingress <monitor-interface> + + Configure mirroring of incoming traffic from the specified VTI to the + designated monitor interface. + +.. cfgcmd:: set interfaces vti <interface> redirect <interface> + + Enable redirection of incoming packets to the specified interface. + +.. cmdinclude:: /_include/interface-vrf.txt + :var0: vti + :var1: vti0 + +********* +Operation +********* + +.. opcmd:: show interfaces vti <vtiX> + + Show the operational status and traffic statistics for the specified VTI. + +.. opcmd:: show interfaces vti <vtiX> brief + + Show a brief operational status summary for the specified VTI. + + +******* +Example +******* + +**Configure a VTI** + +Assign IPv4 and IPv6 addresses to the VTI, along with a brief description: .. code-block:: none set interfaces vti vti0 address 192.168.2.249/30 set interfaces vti vti0 address 2001:db8:2::249/64 + set interfaces vti vti0 description "Description" -Results in: +Resulting configuration: .. code-block:: none @@ -22,19 +97,19 @@ Results in: description "Description" } -.. warning:: When using site-to-site IPsec with VTI interfaces, - be sure to disable route autoinstall +.. warning:: When configuring site-to-site IPsec with VTIs, ensure that route + autoinstall is disabled. .. code-block:: none set vpn ipsec options disable-route-autoinstall -More details about the IPsec and VTI issue and option disable-route-autoinstall -https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july +For more information about the IPsec and VTI issue, as well as the +``disable-route-autoinstall`` option, see: +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july. -The root cause of the problem is that for VTI tunnels to work, their traffic -selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even -though actual routing decision is made according to netfilter marks. Unless -route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a -default route through the VTI peer address, which makes all traffic routed -to nowhere.
\ No newline at end of file +The root cause of the problem is that VTI tunnels require their traffic +selectors to be set to ``0.0.0.0/0`` for traffic to match the tunnel, even +though routing decisions are based on netfilter marks. Unless route insertion +is explicitly disabled, strongSWAN incorrectly inserts a default route through +the VTI peer address, causing all traffic to be misrouted. diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index e6a29f9a..728783b2 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -1,17 +1,14 @@ -:lastproofread: 2024-07-04 +:lastproofread: 2026-03-23 .. _wireless-interface: -######################## -WLAN/WIFI - Wireless LAN -######################## +#################### +Wireless LAN / Wi-Fi +#################### -The :abbr:`WLAN (Wireless LAN)` interface provides 802.11 (a/b/g/n/ac) wireless -support (commonly referred to as Wi-Fi) by means of compatible hardware. If -your hardware supports it, VyOS supports multiple logical wireless interfaces -per physical device. - -There are three modes of operation for a wireless interface: +:abbr:`WLAN (Wireless LAN)` interfaces provide 802.11 (a/b/g/n/ac) wireless +connectivity, referred to as Wi-Fi, and operate in one of the following +modes: * :abbr:`WAP (Wireless Access-Point)` mode provides network access to connecting stations if the physical hardware supports acting as a WAP @@ -22,7 +19,7 @@ There are three modes of operation for a wireless interface: * Monitor mode lets the system passively monitor wireless traffic If the system detects an unconfigured wireless device, it will be automatically -added the configuration tree, specifying any detected settings (for example, +added to the configuration tree, specifying any detected settings (for example, its MAC address) and configured to run in monitor mode. ************* @@ -36,7 +33,7 @@ Common interface configuration :var0: wireless :var1: wlan0 -System Wide configuration +System-wide configuration ========================= .. cfgcmd:: set system wireless country-code <cc> @@ -45,24 +42,20 @@ System Wide configuration to indicate country in which device is operating. This can limit available channels and transmit power. - .. note:: This option is mandatory in Access-Point mode. + .. note:: This option is mandatory in ``access-point`` mode. Wireless options ================ -.. cfgcmd:: set system wireless country-code <cc> - - Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed - to indicate country in which the box is operating. This can limit available - channels and transmit power. - - .. note:: This option is mandatory in Access-Point mode. - .. cfgcmd:: set interfaces wireless <interface> channel <number> - Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n/ax) channels range from - 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 177. - On 6GHz (802.11 ax) channels range from 1 to 233. + Configure the IEEE 802.11 wireless radio channel for the interface. + Channel allocation depends on the frequency band: + + * **2.4 GHz** (802.11b/g/n/ax): Channels range from 1 to 14. + * **5 GHz** (802.11a/h/j/n/ac/ax): Channels range from 34 to 177. + * **6 GHz** (802.11ax): Channels range from 1 to 233. + * **Automatic channel selection:** 0. .. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid @@ -84,7 +77,7 @@ Wireless options By default, this bridging is allowed. -.. cfgcmd:: set interfaces wireless <interface> max-stations +.. cfgcmd:: set interfaces wireless <interface> max-stations <count> Maximum number of stations allowed in station table. New stations will be rejected after the station table is full. IEEE 802.11 has a limit of 2007 @@ -144,9 +137,9 @@ Wireless options Wireless device type for this interface - * ``access-point`` - Access-point forwards packets between other nodes - * ``station`` - Connects to another access point - * ``monitor`` - Passively monitor all packets on the frequency/channel + * ``access-point``: Forwards packets between other nodes. + * ``station``: Connects to another :abbr:`AP (Access Point)`. + * ``monitor``: Passively monitors all packets on the frequency/channel. .. cmdinclude:: /_include/interface-per-client-thread.txt :var0: wireless @@ -164,7 +157,8 @@ PPDU HT (High Throughput) capabilities (802.11n) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - Configuring HT mode options is required when using 802.11n or 802.11ax at 2.4GHz. + Configuring HT mode options is required when using 802.11n or + 802.11ax at 2.4GHz. .. cfgcmd:: set interfaces wireless <interface> capabilities ht 40mhz-incapable @@ -185,12 +179,9 @@ HT (High Throughput) capabilities (802.11n) * ``ht40+`` - Both 20 MHz and 40 MHz with secondary channel above the primary channel - .. note:: There are limits on which channels can be used with HT40- and HT40+. - Following table shows the channels that may be available for HT40- and HT40+ - use per IEEE 802.11n Annex J: - - Depending on the location, not all of these channels may be available for - use! + .. note:: Channel availability for HT40- and HT40+ is limited. The following + table lists channels permitted for HT40- and HT40+ according to IEEE + 802.11n Annex J. Channel availability may vary by location. .. code-block:: none @@ -199,7 +190,7 @@ HT (High Throughput) capabilities (802.11n) 5 GHz 40,48,56,64 36,44,52,60 .. note:: 40 MHz channels may switch their primary and secondary channels if - needed or creation of 40 MHz channel maybe rejected based on overlapping + needed or creation of 40 MHz channel may be rejected based on overlapping BSSes. These changes are done automatically when hostapd is setting up the 40 MHz channel. @@ -250,7 +241,11 @@ HT (High Throughput) capabilities (802.11n) VHT (Very High Throughput) capabilities (802.11ac) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set interfaces wireless <interface> capabilities vht antenna-count +.. stop_vyoslinter + +.. cfgcmd:: set interfaces wireless <interface> capabilities vht antenna-count <count> + +.. start_vyoslinter Number of antennas on this card @@ -352,7 +347,7 @@ HE (High Efficiency) capabilities (802.11ax) single user beamformer * ``single-user-beamformee`` - Support for operation as single user beamformee - * ``multi-user-beamformer`` - Support for operation as single + * ``multi-user-beamformer`` - Support for operation as multi user beamformer .. cfgcmd:: set interfaces wireless <interface> @@ -394,7 +389,7 @@ HE (High Efficiency) capabilities (802.11ax) .. cfgcmd:: set interfaces wireless <interface> capabilities he coding-scheme <number> - This setting configures Spacial Stream and Modulation Coding Scheme + This setting configures Spatial Stream and Modulation Coding Scheme settings for HE mode (HE-MCS). It is usually not needed to set this explicitly, but it might help with some WiFi adapters. @@ -417,10 +412,10 @@ default physical device (``phy0``) is used. set system wireless country-code de set interfaces wireless wlan0 type station set interfaces wireless wlan0 address dhcp - set interfaces wireless wlan0 ssid Test + set interfaces wireless wlan0 ssid 'TEST' set interfaces wireless wlan0 security wpa passphrase '12345678' -Resulting in +Resulting configuration: .. code-block:: none @@ -445,7 +440,7 @@ Security ======== :abbr:`WPA (Wi-Fi Protected Access)`, WPA2 Enterprise and WPA3 Enterprise in -combination with 802.1x based authentication can be used to authenticate +combination with 802.1X based authentication can be used to authenticate users or computers in a domain. The wireless client (supplicant) authenticates against the RADIUS server @@ -472,7 +467,7 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 type access-point set interfaces wireless wlan0 channel 1 set interfaces wireless wlan0 mode n - set interfaces wireless wlan0 ssid 'TEST' + set interfaces wireless wlan0 ssid 'Enterprise-TEST' set interfaces wireless wlan0 security wpa mode wpa2 set interfaces wireless wlan0 security wpa cipher CCMP set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key 'VyOSPassword' @@ -480,7 +475,7 @@ The WAP in this example has the following characteristics: .. start_vyoslinter -Resulting in +Resulting configuration: .. code-block:: none @@ -546,7 +541,7 @@ about all wireless interfaces. .. opcmd:: show interfaces wireless detail -Use this command to view operational status and details wireless-specific +Show the operational status and detailed wireless-specific information about all wireless interfaces. .. stop_vyoslinter @@ -688,7 +683,7 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 security wpa cipher CCMP set interfaces wireless wlan0 security wpa passphrase '12345678' -Resulting in +Resulting configuration: .. code-block:: none @@ -715,28 +710,29 @@ Resulting in } } -To get it to work as an access point with this configuration you will need -to set up a DHCP server to work with that network. You can - of course - also -bridge the Wireless interface with any configured bridge -(:ref:`bridge-interface`) on the system. +To enable access point functionality, configure a DHCP server for this +interface's network, or add the interface to an existing local bridge +(see :ref:`bridge-interface` for details). -WiFi-6(e) - 802.11ax -==================== +Wi-Fi 6/6E (802.11ax) +===================== -The following examples will show valid configurations for WiFi-6 (2.4GHz) -and WiFi-6e (6GHz) Access-Points with the following characteristics: +The following examples configure Wi-Fi 6 (2.4 GHz) and Wi-Fi 6E (6 GHz) +:abbr:`APs (Access Points)` with the following parameters: -* Network ID (SSID) ``test.ax`` -* WPA passphrase ``super-dooper-secure-passphrase`` -* Use 802.11ax protocol -* Wireless channel ``11`` for 2.4GHz -* Wireless channel ``5`` for 6GHz +* Network ID (SSID): ``test.ax`` +* WPA passphrase: ``super-dooper-secure-passphrase`` +* Protocol: 802.11ax +* Wireless channel for 2.4 GHz: ``11`` +* Wireless channel for 6 GHz: ``5`` -Example Configuration: WiFi-6 at 2.4GHz ---------------------------------------- +Example configuration: Wi-Fi 6 at 2.4 GHz +------------------------------------------ -You may expect real throughputs around 10MBytes/s or higher in crowded areas. +You may expect real throughput around 10 MB/s or higher in crowded areas. + +.. stop_vyoslinter .. code-block:: none @@ -768,7 +764,9 @@ You may expect real throughputs around 10MBytes/s or higher in crowded areas. set interfaces wireless wlan0 type access-point commit -Resulting in +.. start_vyoslinter + +Resulting configuration: .. code-block:: none @@ -824,14 +822,16 @@ Resulting in } } -Example Configuration: WiFi-6e at 6GHz --------------------------------------- +Example configuration: Wi-Fi 6E at 6 GHz +----------------------------------------- -You may expect real throughputs around 50MBytes/s to 150MBytes/s, -depending on obstructions by walls, water, metal or other materials -with high electro-magnetic dampening at 6GHz. Best results are achieved +You may expect real throughput between 50 MB/s and 150 MB/s, depending on +obstructions from walls, water, metal, or other materials +with high electromagnetic damping at 6 GHz. Best results are achieved with the AP being in the same room and in line-of-sight. +.. stop_vyoslinter + .. code-block:: none set system wireless country-code de @@ -841,7 +841,7 @@ with the AP being in the same room and in line-of-sight. set interfaces wireless wlan0 capabilities he beamform single-user-beamformer set interfaces wireless wlan0 capabilities he bss-color 13 set interfaces wireless wlan0 capabilities he channel-set-width 134 - set interfaces wireless wlan0 capabilities he capabilities he center-channel-freq freq-1 15 + set interfaces wireless wlan0 capabilities he center-channel-freq freq-1 15 set interfaces wireless wlan0 channel 5 set interfaces wireless wlan0 description "802.11ax 6GHz" set interfaces wireless wlan0 mode ax @@ -858,7 +858,9 @@ with the AP being in the same room and in line-of-sight. set interfaces wireless wlan0 stationary-ap commit -Resulting in +.. start_vyoslinter + +Resulting configuration: .. code-block:: none @@ -913,8 +915,7 @@ Resulting in Intel AX200 =========== -The Intel AX200 card does not work out of the box in AP mode, see -https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can +The Intel AX200 card does not work out of the box in AP mode. You can still put this card into AP mode using the following configuration: .. stop_vyoslinter diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst index b4b6a9ce..7ab3ac74 100644 --- a/docs/configuration/interfaces/wwan.rst +++ b/docs/configuration/interfaces/wwan.rst @@ -1,15 +1,15 @@ -:lastproofread: 2024-07-04 +:lastproofread: 2026-03-30 .. _wwan-interface: -################################# -WWAN - Wireless Wide-Area-Network -################################# +#### +WWAN +#### -The Wireless Wide-Area-Network interface provides access (through a wireless -modem/wwan) to wireless networks provided by various cellular providers. +:abbr:`WWAN (Wireless Wide Area Network)` interfaces provide access to cellular +networks via a cellular modem or card. -VyOS uses the `interfaces wwan` subsystem for configuration. +Configure these interfaces under the ``interfaces wwan`` node. ************* Configuration @@ -64,14 +64,18 @@ Common interface configuration :var0: wwan :var1: wwan0 -WirelessModem (WWAN) options -============================ +WWAN options +============ .. cfgcmd:: set interfaces wwan <interface> apn <apn> - Every WWAN connection requires an :abbr:`APN (Access Point Name)` which is - used by the client to dial into the ISPs network. This is a mandatory - parameter. Contact your Service Provider for correct APN. + **Configure the** :abbr:`APN (Access Point Name)` **for the WWAN connection.** + + Every WWAN connection requires an :abbr:`APN (Access Point Name)` to connect to + the cellular network. + + This parameter is mandatory. Contact your service provider for the correct + :abbr:`APN (Access Point Name)`. ********* @@ -80,7 +84,8 @@ Operation .. opcmd:: show interfaces wwan <interface> - Show detailed information on given `<interface>` + Show the operational status and traffic statistics for the specified WWAN + interface. .. code-block:: none @@ -99,7 +104,7 @@ Operation .. opcmd:: show interfaces wwan <interface> summary - Show detailed information summary on given `<interface>` + Show WWAN module hardware characteristics and connection information. .. code-block:: none @@ -166,7 +171,7 @@ Operation .. opcmd:: show interfaces wwan <interface> capabilities - Show WWAN module hardware capabilities. + Show WWAN module radio capabilities. .. code-block:: none @@ -181,7 +186,7 @@ Operation .. opcmd:: show interfaces wwan <interface> firmware - Show WWAN module firmware. + Show WWAN module firmware information. .. code-block:: none @@ -208,7 +213,7 @@ Operation .. opcmd:: show interfaces wwan <interface> imsi - Show WWAN module IMSI. + Show the IMSI of the associated SIM card. .. code-block:: none @@ -226,7 +231,7 @@ Operation .. opcmd:: show interfaces wwan <interface> msisdn - Show WWAN module MSISDN. + Show the MSISDN of the associated SIM card. .. code-block:: none @@ -244,7 +249,7 @@ Operation .. opcmd:: show interfaces wwan <interface> signal - Show WWAN module signal strength. + Show signal information for the cellular connection. .. code-block:: none @@ -293,20 +298,20 @@ Operation Example ******* -The following example is based on a Sierra Wireless MC7710 miniPCIe card (only -the form factor in reality it runs UBS) and Deutsche Telekom as ISP. The card -is assembled into a :ref:`pc-engines-apu4`. +The following example shows how to configure a cellular connection using a +Sierra Wireless MC7710 miniPCIe card that operates over USB despite its form +factor. The card is installed in a :ref:`pc-engines-apu4`. .. code-block:: none set interfaces wwan wwan0 apn 'internet.telekom' set interfaces wwan wwan0 address 'dhcp' -***************** -Supported Modules -***************** +****************** +Supported hardware +****************** -The following hardware modules have been tested successfully in an +The following WWAN modules have been successfully tested with a :ref:`pc-engines-apu4` board: * Sierra Wireless AirPrime MC7304 miniPCIe card (LTE) @@ -318,19 +323,18 @@ The following hardware modules have been tested successfully in an * HP LT4120 Snapdragon X5 LTE *************** -Firmware Update +Firmware update *************** -All available WWAN cards have a built-in, reprogrammable firmware. Most vendors -provide regular updates to firmware used in the baseband chip. +WWAN modules include reprogrammable firmware, and most vendors regularly +provide updates for it. -As VyOS makes use of the QMI interface to connect to the WWAN modem cards, the -firmware can be reprogrammed. +Since VyOS communicates with these devices via the QMI interface, you can +update firmware directly within the system using the ``qmi-firmware-update`` +utility. -To update the firmware, VyOS also ships the `qmi-firmware-update` binary. To -upgrade the firmware of an e.g. Sierra Wireless MC7710 module to the firmware -provided in the file ``9999999_9999999_9200_03.05.14.00_00_generic_000.000_001_SPKG_MC.cwe`` -use the following command: +The following example shows how to update the firmware for a Sierra Wireless +MC7710 module using the provided .cwe file. .. code-block:: bash |
