Diffstat (limited to 'docs/configuration/interfaces')
-rw-r--r-- docs/configuration/interfaces/bonding.rst | 7
-rw-r--r-- docs/configuration/interfaces/ethernet.rst | 38
-rw-r--r-- docs/configuration/interfaces/l2tpv3.rst | 2
-rw-r--r-- docs/configuration/interfaces/macsec.rst | 49
-rw-r--r-- docs/configuration/interfaces/openvpn.rst | 247
-rw-r--r-- docs/configuration/interfaces/pppoe.rst | 17
-rw-r--r-- docs/configuration/interfaces/virtual-ethernet.rst | 15
-rw-r--r-- docs/configuration/interfaces/vxlan.rst | 61
-rw-r--r-- docs/configuration/interfaces/wireguard.rst | 32
-rw-r--r-- docs/configuration/interfaces/wireless.rst | 15
10 files changed, 337 insertions, 146 deletions
diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst index 3d30f1a5..3c8ebd0d 100644 --- a/docs/configuration/interfaces/bonding.rst +++ b/docs/configuration/interfaces/bonding.rst @@ -271,13 +271,6 @@ Bond options The maximum number of targets that can be specified is 16. The default value is no IP address. -Offloading ----------- - -.. cmdinclude:: /_include/interface-xdp.txt - :var0: bondinging - :var1: bond0 - VLAN ==== diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index 76f02d6d..bbf52112 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -53,21 +53,6 @@ Ethernet options VyOS default will be `auto`. -.. cfgcmd:: set interfaces ethernet <interface> mirror <interface> - - Use this command to mirror the inbound traffic from one Ethernet interface to - another interface. This feature is typically used to provide a copy of traffic - inbound on one interface to a system running a monitoring or IPS application - on another interface. The benefit of mirroring the traffic is that the - application is isolated from the source traffic and so application processing - does not affect the traffic or the system performance. - - Example: - - .. code-block:: none - - set interfaces ethernet eth0 mirror eth1 - Offloading ---------- 
@@ -289,26 +274,3 @@ Operation .. stop_vyoslinter -.. opcmd:: show interfaces ethernet <interface> xdp - - Display XDP forwarding statistics - - .. code-block:: none - - vyos@vyos:~$ show interfaces ethernet eth1 xdp - - Collecting stats from BPF map - - BPF map (bpf_map_type:6) id:176 name:xdp_stats_map key_size:4 value_size:16 max_entries:5 - XDP-action - XDP_ABORTED 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250340 - XDP_DROP 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250317 - XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250314 - XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250313 - XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250313 - - XDP-action - XDP_ABORTED 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000410 - XDP_DROP 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 - XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 - XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 - XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index 897e38dc..4fa47199 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -24,7 +24,7 @@ not be re-engineered in or on top of L2TPv3 in later products. The protocol overhead of L2TPv3 is also significantly bigger than MPLS. -L2TPv3 is described in :rfc:`3921`. +L2TPv3 is described in :rfc:`3931`. ************* Configuration diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 60877d73..0c0c052b 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst 
@@ -44,6 +44,30 @@ MACsec options A physical interface is required to connect this MACsec instance to. Traffic leaving this interface will now be authenticated/encrypted. +Static Keys +----------- +Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each +device wishing to use MACsec. Keys must be set statically on all devices for traffic +to flow properly. Key rotation is dependent on the administrator updating all keys +manually across connected devices. Static SAK mode can not be used with MKA. + +.. cfgcmd:: set interfaces macsec <interface> security static key <key> + + Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes + (GCM-AES-128) or 32-bytes (GCM-AES-256). + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> mac <mac address> + + Set the peer's MAC address + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> key <key> + + Set the peer's key used to receive (RX) traffic + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> disable + + Disable the peer configuration + Key Management -------------- 
@@ -188,3 +212,28 @@ the unencrypted but authenticated content. 0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+ 0x0080: a282 c842 5254 ef28 ...BRT.( +**R1 Static Key** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.1/24' + set interfaces macsec macsec1 address '2001:db8::1/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02 + set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 source-interface 'eth1' + +**R2 Static Key** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.2/24' + set interfaces macsec macsec1 address '2001:db8::2/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01 + set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 source-interface 'eth1'
\ No newline at end of file diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 5850591c..d92ac080 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst 
@@ -40,30 +40,27 @@ Site-to-Site .. figure:: /_static/images/openvpn_site2site_diagram.jpg -While many are aware of OpenVPN as a Client VPN solution, it is often -overlooked as a site-to-site VPN solution due to lack of support for this mode -in many router platforms. +OpenVPN is popular for client-server setups, but its site-to-site mode +remains a relatively obscure feature, and many router appliances +still don't support it. However, it's very useful for quickly setting up +tunnels between routers. -Site-to-site mode supports x.509 but doesn't require it and can also work with -static keys, which is simpler in many cases. In this example, we'll configure -a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key. +As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates. -First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>` -command. Once generated, you will need to install this key on the local system, -then copy and install this key to the remote router. +The pre-shared key mode is deprecated and will be removed from future OpenVPN versions, +so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys +is significantly less secure than using TLS. -In our example, we used the key name ``openvpn-1`` which we will reference -in our configuration. +We'll configure OpenVPN using self-signed certificates, and then discuss the legacy +pre-shared key mode. + +In both cases, we will use the following settings: * The public IP address of the local side of the VPN will be 198.51.100.10. * The public IP address of the remote side of the VPN will be 203.0.113.11. * The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote. * The local site will have a subnet of 10.0.0.0/16. * The remote site will have a subnet of 10.1.0.0/16. 
-* Static Routing or other dynamic routing protocols can be used over the vtun interface -* OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, - while TCP will work better for lossy connections; generally UDP is preferred - when possible. * The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN. * The ``persistent-tunnel`` directive will allow us to configure tunnel-related 
@@ -73,85 +70,140 @@ in our configuration. ``remote-host`` directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router. +Setting up certificates +======================= -Local Configuration: +Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose +of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, +compared to server setups that need to support multiple clients. -.. code-block:: none +However, since VyOS 1.4, it is possible to verify self-signed certificates using +certificate fingerprints. - run generate pki openvpn shared-secret install openvpn-1 - Configure mode commands to install OpenVPN key: - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' - set pki openvpn shared-secret openvpn-1 version '1' - - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '203.0.113.11' - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 - set interfaces openvpn vtun1 local-address '10.255.1.1' - set interfaces openvpn vtun1 remote-address '10.255.1.2' +On both sides, you need to generate a self-signed certificate, preferrably using the "ec" (elliptic curve) type. +You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode. +Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree. +You can then review the proposed changes and commit them. -Local Configuration - Annotated: +.. 
code-block:: none + + vyos@vyos# run generate pki certificate self-signed install openvpn-local + Enter private key type: [rsa, dsa, ec] (Default: rsa) ec + Enter private key bits: (Default: 256) + Enter country code: (Default: GB) + Enter state: (Default: Some-State) + Enter locality: (Default: Some-City) + Enter organization name: (Default: VyOS) + Enter common name: (Default: vyos.io) + Do you want to configure Subject Alternative Names? [y/N] + Enter how many days certificate will be valid: (Default: 365) + Enter certificate type: (client, server) (Default: server) + Note: If you plan to use the generated key on this router, do not encrypt the private key. + Do you want to encrypt the private key with a passphrase? [y/N] + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + [edit] + + vyos@vyos# compare + [pki] + + certificate openvpn-local { + + certificate "MIICJTCCAcugAwIBAgIUMXLfRNJ5iOjk/ 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" + + private { + + key "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtOeEb0dMb5P/2Exi09WWvk6Cvz0oOBoDuP68ZimS2LShRANCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMW" + + } + + } + + [edit] + + vyos@vyos# commit + +You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint. +OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command: .. code-block:: none - run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret. - The generated secret is the output to - the console. - Configure mode commands to install OpenVPN key: - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to - the console. - set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to - the console. 
+ vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 + 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79 - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '203.0.113.11' # Pub IP of other site - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name - set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface - set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface +Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary. +Repeat the procedure on the other router. -Remote Configuration: +Setting up OpenVPN +================== + +Local Configuration: .. code-block:: none - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' - set pki openvpn shared-secret openvpn-1 version '1' + Configure the tunnel: set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '198.51.100.10' + set interfaces openvpn vtun1 remote-host '203.0.113.11' # Public IP of the other side set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 - set interfaces openvpn vtun1 local-address '10.255.1.2' - set interfaces openvpn vtun1 remote-address '10.255.1.1' + set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface + set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface + set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate + set 
interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 + on the remote rout -Remote Configuration - Annotated: +Remote Configuration: .. code-block:: none - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret - (from the Local Configuration Block). - set pki openvpn shared-secret openvpn-1 version '1' - set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface + set interfaces openvpn vtun1 tls certificate 'openvpn-remote' # The self-signed certificate + set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 + on the local router + +Pre-shared keys +=============== + +Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. +That option is still available but it is deprecated and will be removed in the future. +However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN, +you need to still need to know how to use it. + +First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode. +You can use any name, we will use ``s2s``. + +.. code-block:: none + + vyos@local# run generate pki openvpn shared-secret install s2s + 2 value(s) installed. 
Use "compare" to see the pending changes, and "commit" to apply. + [edit] + vyos@local# compare + [pki openvpn shared-secret] + + s2s { + + key "7c73046a9da91e874d31c7ad894a32688cda054bde157c64270f28eceebc0bb2f44dbb70335fad45148b0456aaa78cb34a34c0958eeed4f75e75fd99ff519ef940f7029a316c436d2366a2b0fb8ea1d1c792a65f67d10a461af83ef4530adc25d1c872de6d9c7d5f338223d1f3b66dc3311bbbddc0e05228c47b91c817c721aadc7ed18f0662df52ad14f898904372679e3d9697d062b0869d12de47ceb2e626fa12e1926a3119be37dd29c9b0ad81997230f4038926900d5edb78522d2940cfe207f8e2b948e0d459fa137ebb18064ac5982b28dd1899020b4f2b082a20d5d4eb65710fbb1e62b5e061df39620267eab429d3eedd9a1ae85957457c8e4655f3" + + version "1" + + } + [edit] + + vyos@local# commit + [edit] + +Then you need to install the key on the remote router: + +.. code-block:: none + + vyos@remote# set pki openvpn shared-secret s2s key <generated key string> + +Then you need to set the key in your OpenVPN interface settings: + +.. code-block:: none + + set interfaces openvpn vtun1 shared-secret-key s2s Firewall Exceptions =================== @@ -304,8 +356,8 @@ closing on connection resets or daemon reloads. set interfaces openvpn vtun10 persistent-tunnel set interfaces openvpn vtun10 protocol udp -Then we need to generate, add and specify the names of the cryptographic materials. -Each of the install command should be applied to the configuration and commited +Then we need to generate, add and specify the names of the cryptographic materials. +Each of the install command should be applied to the configuration and commited before using under the openvpn interface configuration. .. code-block:: none 
@@ -314,18 +366,18 @@ before using under the openvpn interface configuration. Configure mode commands to install: set pki ca ca-1 certificate 'generated_cert_string' set pki ca ca-1 private key 'generated_private_key' - + run generate pki certificate sign ca-1 install srv-1 # Follow the instructions to generate server cert. Configure mode commands to install: set pki certificate srv-1 certificate 'generated_server_cert' set pki certificate srv-1 private key 'generated_private_key' - - run generate pki dh install dh-1 # Follow the instructions to generate set of + + run generate pki dh install dh-1 # Follow the instructions to generate set of Diffie-Hellman parameters. Generating parameters... Configure mode commands to install DH parameters: set pki dh dh-1 parameters 'generated_dh_params_set' - + set interfaces openvpn vtun10 tls ca-certificate ca-1 set interfaces openvpn vtun10 tls certificate srv-1 set interfaces openvpn vtun10 tls dh-params dh-1 
@@ -361,18 +413,18 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves: set protocols static route 10.23.0.0/20 interface vtun10 Additionally, each client needs a copy of ca cert and its own client key and -cert files. The files are plaintext so they may be copied either manually from the CLI. -Client key and cert files should be signed with the proper ca cert and generated on the -server side. +cert files. The files are plaintext so they may be copied either manually from the CLI. +Client key and cert files should be signed with the proper ca cert and generated on the +server side. HQ's router requires the following steps to generate crypto materials for the Branch 1: .. code-block:: none - - run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client + + run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client cert for Branch 1 Configure mode commands to install: - + Branch 1's router might have the following lines: .. code-block:: none @@ -380,7 +432,7 @@ Branch 1's router might have the following lines: set pki ca ca-1 certificate 'generated_cert_string' # CA cert generated on HQ router set pki certificate branch-1 certificate 'generated_branch_cert' # Client cert generated and signed on HQ router set pki certificate branch-1 private key 'generated_private_key' # Client cert key generated on HQ router - + set interfaces openvpn vtun10 tls ca-cert ca-1 set interfaces openvpn vtun10 tls certificate branch-1 @@ -513,6 +565,7 @@ example: } } + ****** Client ****** 
@@ -600,6 +653,50 @@ Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. quotes using the ``"`` statement. +********************************** +OpenVPN Data Channel Offload (DCO) +********************************** + +OpenVPN Data Channel Offload (DCO) enables significant performance enhancement +in encrypted OpenVPN data processing. By minimizing context switching for each +packet, DCO effectively reduces overhead. This optimization is achieved by +keeping most data handling tasks within the kernel, avoiding frequent switches +between kernel and user space for encryption and packet handling. + +As a result, the processing of each packet becomes more efficient, potentially +leveraging hardware encryption offloading support available in the kernel. + +.. note:: OpenVPN DCO is not full OpenVPN features supported , is currently + considered experimental. Furthermore, there are certain OpenVPN features and + use cases that remain incompatible with DCO. To get a comprehensive + understanding of the limitations associated with DCO, refer to the list of + known limitations in the documentation. + + https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features + + +Enabling OpenVPN DCO +==================== + +DCO support is a per-tunnel option and it is not automatically enabled by +default for new or upgraded tunnels. Existing tunnels will continue to function +as they have in the past. + +DCO can be enabled for both new and existing tunnels,VyOS adds an option in each +tunnel configuration where we can enable this function .The current best +practice is to create a new tunnel with DCO to minimize the chance of problems +with existing clients. + +.. cfgcmd:: set interfaces openvpn <name> offload dco + + Enable OpenVPN Data Channel Offload feature by loading the appropriate kernel + module. + + Disabled by default - no kernel module loaded. + + .. note:: Enable this feature causes an interface reset. + + Troubleshooting =============== 
diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 74a43bb5..b37e95a2 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -143,6 +143,19 @@ PPPoE options set interfaces pppoe pppoe0 default-route-distance 220 +.. cfgcmd:: set interfaces pppoe <interface> mru <mru> + + Set the :abbr:`MRU (Maximum Receive Unit)` to `mru`. PPPd will ask the peer to + send packets of no more than `mru` bytes. The value of `mru` must be between 128 + and 16384. + + A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 + bytes of data). + + The default is 1492. + + .. note:: When using the IPv6 protocol, MRU must be at least 1280 bytes. + .. cfgcmd:: set interfaces pppoe <interface> idle-timeout <time> Use this command to set the idle timeout interval to be used with on-demand @@ -245,8 +258,8 @@ IPv6 .. note:: This command was introduced in VyOS 1.4 - it was previously called: ``set firewall options interface <name> adjust-mss <value>`` - .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in - 1452 bytes on a 1492 byte MTU. + .. hint:: MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in + 1432 bytes on a 1492 byte MTU. Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to automatically set the proper value. diff --git a/docs/configuration/interfaces/virtual-ethernet.rst b/docs/configuration/interfaces/virtual-ethernet.rst index a6988318..3324feb6 100644 --- a/docs/configuration/interfaces/virtual-ethernet.rst +++ b/docs/configuration/interfaces/virtual-ethernet.rst 
@@ -26,6 +26,21 @@ Common interface configuration .. cmdinclude:: /_include/interface-description.txt :var0: virtual-ethernet :var1: veth0 +VLAN +==== + +Regular VLANs (802.1q) +---------------------- +.. cmdinclude:: /_include/interface-vlan-8021q.txt + :var0: virtual-ethernet + :var1: veth0 + +QinQ (802.1ad) +-------------- + +.. cmdinclude:: /_include/interface-vlan-8021ad.txt + :var0: virtual-ethernet + :var1: veth0 .. cmdinclude:: /_include/interface-disable.txt :var0: virtual-ethernet diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index 86568686..af00fdec 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst 
@@ -67,15 +67,36 @@ VXLAN specific options Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN. -.. cfgcmd:: set interfaces vxlan <interface> external +.. cfgcmd:: set interfaces vxlan <interface> gpe + + Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only + supported together with the external keyword. + +.. cfgcmd:: set interfaces vxlan <interface> parameters external Specifies whether an external control plane (e.g. BGP L2VPN/EVPN) or the internal FDB should be used. -.. cfgcmd:: set interfaces vxlan <interface> gpe +.. cfgcmd:: set interfaces vxlan <interface> parameters neighbor-suppress - Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only - supported together with the external keyword. + In order to minimize the flooding of ARP and ND messages in the VXLAN network, + EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs + to suppress such messages in case they know the MAC-IP binding and can reply + on behalf of the remote host. + +.. cfgcmd:: set interfaces vxlan <interface> parameters nolearning + + Specifies if unknown source link layer addresses and IP addresses are entered + into the VXLAN device forwarding database. + +.. cfgcmd:: set interfaces vxlan <interface> parameters vni-filter + + Specifies whether the VXLAN device is capable of vni filtering. + + Only works with a VXLAN device with external flag set. + + .. note:: The device can only receive packets with VNIs configured in + the VNI filtering table. Unicast ^^^^^^^ 
@@ -132,6 +153,36 @@ For optimal scalability, Multicast shouldn't be used at all, but instead use BGP to signal all connected devices between leaves. Unfortunately, VyOS does not yet support this. +Single VXLAN device (SVD) +========================= + +FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when +working with the Linux kernel. In this new way, the mapping of a VLAN to a +:abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured +against a container VXLAN interface which is referred to as a +:abbr:`SVD (Single VXLAN device)`. + +Multiple VLAN to VNI mappings can be configured against the same SVD. This +allows for a significant scaling of the number of VNIs since a separate VXLAN +interface is no longer required for each VNI. + +.. cfgcmd:: set interfaces vxlan <interface> vlan-to-vni <vlan> vni <vni> + + Maps the VNI to the specified VLAN id. The VLAN can then be consumed by + a bridge. + + Sample configuration of SVD with VLAN to VNI mappings is shown below. + + .. code-block:: none + + set interfaces bridge br0 member interface vxlan0 + set interfaces vxlan vxlan0 parameters external + set interfaces vxlan vxlan0 source-interface 'dum0' + set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' + set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' + set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' + set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031' + Example ------- @@ -252,7 +303,7 @@ advertised. set interfaces bridge br241 member interface 'eth1.241' set interfaces bridge br241 member interface 'vxlan241' -Binds eth1.241 and vxlan241 to each other by making them both member +Binds eth1.241 and vxlan241 to each other by making them both member interfaces of the same bridge. .. code-block:: none diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 18a888df..885720e1 100644 --- a/docs/configuration/interfaces/wireguard.rst 
+++ b/docs/configuration/interfaces/wireguard.rst @@ -183,6 +183,10 @@ traffic. The command :opcmd:`show interfaces wireguard wg01 public-key` will then show the public key, which needs to be shared with the peer. +.. cmdinclude:: /_include/interface-per-client-thread.txt + :var0: wireguard + :var1: wg01 + **remote side - commands** .. code-block:: none @@ -194,6 +198,7 @@ traffic. set interfaces wireguard wg01 peer to-wg01 port '51820' set interfaces wireguard wg01 peer to-wg01 public-key 'EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw=' set interfaces wireguard wg01 port '51820' + set interfaces wireguard wg01 private-key 'OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU=' set protocols static route 192.168.1.0/24 interface wg01 
@@ -206,18 +211,18 @@ firewall exception. .. code-block:: none - set firewall name OUTSIDE_LOCAL rule 10 action accept - set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related' - set firewall name OUTSIDE_LOCAL rule 10 state established enable - set firewall name OUTSIDE_LOCAL rule 10 state related enable - set firewall name OUTSIDE_LOCAL rule 20 action accept - set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN - set firewall name OUTSIDE_LOCAL rule 20 destination port 51820 - set firewall name OUTSIDE_LOCAL rule 20 log enable - set firewall name OUTSIDE_LOCAL rule 20 protocol udp - set firewall name OUTSIDE_LOCAL rule 20 source - -You should also ensure that the OUTISDE_LOCAL firewall group is applied to the + set firewall ipv4 name OUTSIDE_LOCAL rule 10 action accept + set firewall ipv4 name OUTSIDE_LOCAL rule 10 description 'Allow established/related' + set firewall ipv4 name OUTSIDE_LOCAL rule 10 state established enable + set firewall ipv4 name OUTSIDE_LOCAL rule 10 state related enable + set firewall ipv4 name OUTSIDE_LOCAL rule 20 action accept + set firewall ipv4 name OUTSIDE_LOCAL rule 20 description WireGuard_IN + set firewall ipv4 name OUTSIDE_LOCAL rule 20 destination port 51820 + set firewall ipv4 name OUTSIDE_LOCAL rule 20 log enable + set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp + set firewall ipv4 name OUTSIDE_LOCAL rule 20 source + +You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local). .. code-block:: none @@ -291,6 +296,7 @@ value needs to be lower than the UDP timeout. pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00= } port 2224 + private-key OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU= } The following is the config for the iPhone peer above. It's important to 
@@ -407,7 +413,7 @@ the VyOS CLI. into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet. - In addition you will specifiy the IP address or FQDN for the client where it + In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address. diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index f45101b5..df153763 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -122,6 +122,10 @@ Wireless options * ``station`` - Connects to another access point * ``monitor`` - Passively monitor all packets on the frequency/channel +.. cmdinclude:: /_include/interface-per-client-thread.txt + :var0: wireless + :var1: wlan0 + PPDU ---- @@ -304,6 +308,7 @@ default physical device (``phy0``) is used. set interfaces wireless wlan0 type station set interfaces wireless wlan0 address dhcp + set interfaces wireless wlan0 country-code de set interfaces wireless wlan0 ssid Test set interfaces wireless wlan0 security wpa passphrase '12345678' @@ -315,6 +320,7 @@ Resulting in [...] wireless wlan0 { address dhcp + country-code de security { wpa { passphrase "12345678" @@ -350,6 +356,7 @@ The WAP in this example has the following characteristics: .. code-block:: none set interfaces wireless wlan0 address '192.168.2.1/24' + set interfaces wireless wlan0 country-code de set interfaces wireless wlan0 type access-point set interfaces wireless wlan0 channel 1 set interfaces wireless wlan0 mode n @@ -367,6 +374,7 @@ Resulting in [...] wireless wlan0 { address 192.168.2.1/24 + country-code de channel 1 mode n security { @@ -385,11 +393,6 @@ Resulting in type access-point } } - system { - [...] - wifi-regulatory-domain DE - } - VLAN ==== 
@@ -559,6 +562,7 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 security wpa mode wpa2 set interfaces wireless wlan0 security wpa cipher CCMP set interfaces wireless wlan0 security wpa passphrase '12345678' + set interfaces wireless wlan0 country-code de Resulting in @@ -569,6 +573,7 @@ Resulting in wireless wlan0 { address 192.168.2.1/24 channel 1 + country-code de mode n security { wpa { |
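Review bot: the deletion of the `mirror` cfgcmd block in ethernet.rst hunk @@ -53,21 +53,6 leaves no pointer to where interface mirroring is documented now; if the feature was moved rather than dropped, put a one-line cross-reference in place of the deleted block so readers who land on the Ethernet page still find it.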
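Review bot: the XDP removals in bonding.rst @@ -271,13 +271,6 and ethernet.rst @@ -289,26 +274,3 drop every visible reference to `/_include/interface-xdp.txt` (the bonding include also carried the `:var0: bondinging` typo); confirm that the include file itself and any remaining `xdp` mentions on other interface pages go in the same change, otherwise the tree keeps an orphaned include.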
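Review bot: in macsec.rst hunk @@ -44,6 +44,30 the `:abbr:` expansion is wrong: in IEEE 802.1AE/802.1X the SAK is the Secure Association Key, not "Secure Authentication Key". While there, "can not" should be "cannot", and the key-length sentence reads better in the units the user actually types, e.g. "a hex string of 32 characters (16 bytes, GCM-AES-128) or 64 characters (32 bytes, GCM-AES-256)", which matches the 32-character keys used in the example further down.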
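Review bot: the R2 block in macsec.rst hunk @@ -188,3 +212,28 names its peer `R2` although it describes R1 (MAC 00:11:22:33:44:01, RX key ddd6…); the two lines should read `set interfaces macsec macsec1 security static peer R1 mac 00:11:22:33:44:01` and `set interfaces macsec macsec1 security static peer R1 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'`. The hunk also ends with "\ No newline at end of file"; add the trailing newline. Since these are complete, copy-pasteable keys, a short sentence that they are example values to be regenerated per deployment would be worth adding: a key printed in public documentation protects nothing.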
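Review bot: openvpn.rst hunk @@ -40,30 +40,27 removes the bullet explaining the UDP/TCP trade-off, but both configuration blocks in the following hunk still set `protocol udp` without any rationale; keep a one-line explanation or the choice looks arbitrary. The new deprecation paragraph says pre-shared keys are "significantly less secure than using TLS" without saying why; one concrete sentence would help readers decide how urgently to migrate.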
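Review bot: several defects in openvpn.rst hunk @@ -73,85 +70,140. "preferrably" should be "preferably", and "you need to still need to know how to use it" duplicates "need to". In the Local Configuration block the trailing comment is cut off ("on the remote rout") and its opening quote around `'run show pki certificate <name> fingerprint sha256` is never closed; the same comment in the Remote block has the same unclosed quote. "Configure the tunnel:" is not a command yet sits inside the `code-block:: none` with the `set` lines; move it above the block. "Note: certificate names don't matter ..." should use the `.. note::` directive used elsewhere in this file. Finally, the `compare` outputs reproduce a full certificate, private key and shared-secret value; truncating them (as the certificate line already is) or labelling them as throwaway example material avoids readers pasting documented secrets into a real configuration.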
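Review bot: hunks @@ -304,8 +356,8, @@ -314,18 +366,18, @@ -361,18 +413,18 and @@ -380,7 +432,7 in openvpn.rst are trailing-whitespace-only changes, yet the touched lines keep "commited" and "Each of the install command"; since the lines are being rewritten anyway, make them "Each of the install commands should be applied to the configuration and committed before use under the openvpn interface configuration."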
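Review bot: the DCO section added in openvpn.rst hunk @@ -600,6 +653,50 needs a grammar pass: "OpenVPN DCO is not full OpenVPN features supported , is currently considered experimental" should read "OpenVPN DCO does not yet support the full OpenVPN feature set and is currently considered experimental"; "tunnels,VyOS" and "function .The" are missing spaces; "Enable this feature causes an interface reset" should be "Enabling this feature causes an interface reset". The bare wiki URL after the note is outside the directive's indentation, so it renders as a separate paragraph; indent it into the note body or make it a link target.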
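Review bot: in virtual-ethernet.rst hunk @@ -26,6 +26,21 the "Regular VLANs (802.1q)" heading has no blank line between its underline and the `.. cmdinclude::`, while the QinQ heading below it does; add the blank line for consistency, and check that a blank line separates the new QinQ include from the existing `interface-disable.txt` include that follows.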
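Review bot: vxlan.rst hunk @@ -67,15 +67,36 moves `external` under `parameters external`, but the `gpe` text still says "supported together with the external keyword" and the `vni-filter` text says "with external flag set"; both should point at `parameters external`. The `nolearning` description should also state its polarity explicitly (setting the flag stops unknown source MAC and IP addresses from being added to the forwarding database), since as written a reader cannot tell whether presence of the option enables or disables learning.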
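Review bot: in vxlan.rst hunk @@ -132,6 +153,36 the role `:abbr:\`VNI (VXLAN Network Identifier (or VXLAN Segment ID))\`` nests parentheses inside the abbreviation text, which Sphinx parses poorly; use a single expansion such as "VXLAN Network Identifier". The sample configuration is indented under the `.. cfgcmd::` directive and therefore renders as part of the command description; dedent it into its own paragraph after the command.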
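Review bot: wireguard.rst hunks @@ -194,6 +198,7 and @@ -291,6 +296,7 both add the same literal private key `OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU=`, so a single published key now appears in two unrelated examples; replace it with a placeholder such as `<private-key>` so nobody pastes a documented private key into a live peer. In hunk @@ -183,6 +183,10 the `interface-per-client-thread.txt` include lands between the public-key sentence and "**remote side - commands**", interrupting the walkthrough; it belongs with the other option includes rather than inside the example.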
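Review bot: in wireguard.rst hunk @@ -206,18 +211,18 the line `set firewall ipv4 name OUTSIDE_LOCAL rule 20 source` carries no value before or after the change; either complete it with the peer's address or remove it, otherwise the rule as documented does not commit. The sentence below calls OUTSIDE_LOCAL a "firewall group", but it is a named ruleset (`firewall ipv4 name`); "ruleset" is the accurate term.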