diff options
Diffstat (limited to 'docs/configuration/interfaces')
21 files changed, 0 insertions, 7091 deletions
diff --git a/docs/configuration/interfaces/rst-bonding.rst b/docs/configuration/interfaces/rst-bonding.rst deleted file mode 100644 index 7637790c..00000000 --- a/docs/configuration/interfaces/rst-bonding.rst +++ /dev/null @@ -1,767 +0,0 @@ -:lastproofread: 2025-12-09 - -.. _bond-interface: - -####################### -Bond / link aggregation -####################### - -A **bonding interface** aggregates multiple network interfaces into a single -logical interface (referred to as a bond, :abbr:`LAG (Link Aggregation Group)`, -EtherChannel, or port-channel). - -The behavior of a bonding interface depends on the selected mode. Modes provide -either fault tolerance or a combination of load balancing and fault tolerance. -Additionally, the bonding interface can be configured for link integrity -monitoring. - - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-common-with-dhcp.txt - :var0: bonding - :var1: bond0 - -Member interfaces -================= - -.. cfgcmd:: set interfaces bonding <interface> member interface <member> - - **Add an interface to the bonding group.** - - **Example:** - - To configure eth0 and eth1 as members of the bonding interface bond0, execute - the following commands: - -.. code-block:: none - - set interfaces bonding bond0 member interface eth0 - set interfaces bonding bond0 member interface eth1 - -Bond modes -============ - -.. cfgcmd:: set interfaces bonding <interface> mode <802.3ad | active-backup | - broadcast | round-robin | transmit-load-balance | adaptive-load-balance | - xor-hash> - - **Configure the bonding mode on the interface. The default mode is** - ``802.3ad``. - - The available modes are: - - * ``802.3ad`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - IEEE 802.3ad Dynamic Link Aggregation. Groups only member - interfaces with the same speed (e.g., 1 Gbps) and duplex - settings. Member interfaces with different speed and duplex - settings are not included in the active bond. - - Provides load balancing and fault tolerance. Uses the - :abbr:`LACP (Link Aggregation Control Protocol)` to - negotiate the bond with the switch. - * - **Traffic distribution:** - - Traffic is distributed according to the **transmit hash - policy** (default: XOR). - - The bonding driver applies an XOR operation to specific - packet header fields, generating a hash value that maps to - a particular member interface. This ensures the same network - flow is consistently transmitted over the same member - interface. - - The transmit hash policy is configured via the ``hash-policy`` option. - * - **Failover:** - - If a member interface fails, the hash is recalculated to distribute - traffic among the remaining active member interfaces. - - .. note:: Not all transmit hash policies comply with 802.3ad, particularly - section 43.2.4. Using a non-compliant policy may result in out-of-order - packet delivery. - - * ``active-backup`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides fault tolerance. Only one member interface is active - at a time. Other member interfaces remain in a standby mode. - * - **Traffic distribution:** - - All traffic (incoming and outgoing) is routed via one active - member interface. - * - **Failover:** - - If the designated member interface fails, all traffic is - routed to another member interface. The bonding driver sends - a Gratuitous ARP to update the peer's MAC address table, - linking the bond's MAC address to another physical port. - - * ``broadcast`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides maximum fault tolerance by duplicating traffic. - * - **Traffic distribution:** - - Every packet is duplicated and transmitted on **all** member - interfaces. - * - **Failover:** - - Traffic flow is not interrupted as long as at least one - member interface remains active. - - * ``round-robin`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides load balancing and fault tolerance. - * - **Traffic distribution:** - - Packets are transmitted in sequential order across the member - interfaces (e.g., packet 1 > interface A, packet 2 > - interface B, etc.). - * - **Failover:** - - If a member interface fails, the sequence skips the failed - interface and continues with the remaining active members. - - * ``transmit-load-balance`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides adaptive transmit load balancing and fault tolerance. - * - **Traffic distribution:** - - **Outgoing:** Distributed across all active member interfaces - based on the current load. - - **Incoming:** Received by a designated member interface - (active receiver). - * - **Failover:** - - If the active receiver fails, another member interface takes - over as the new active receiver. - - * ``adaptive-load-balance`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides adaptive transmit load balancing identical to - ``transmit-load-balance``, receive load balancing for IPv4 - traffic, and fault tolerance for both incoming and outgoing - traffic. - * - **Traffic distribution:** - - **Outgoing:** Identical to ``transmit-load-balance``. - - **Incoming:** Distributed based on ARP manipulation. For - both local and remote connections, the bonding driver - intercepts ARP traffic and changes the source MAC address - to the MAC address of the least loaded member interface. - - All traffic from that peer is then routed to the chosen - member interface. - * - **Failover:** - - If a member interface's state changes (fails, recovers, is - added, or excluded), the traffic is redistributed among all - active member interfaces. - - * ``xor-hash``: Provides load balancing and fault tolerance - based on a hash formula. Distributes traffic and handles - failover identically to ``802.3ad``, but operates without - the :abbr:`LACP (Link Aggregation Control Protocol)`. - -.. cfgcmd:: set interfaces bonding <interface> min-links <0-16> - - **Configure how many member interfaces must be active (in the - link-up state) to mark the bonding interface UP (carrier - asserted).** - - This command applies only when the bonding interface is configured - in 802.3ad mode and functions like the Cisco EtherChannel min-links - feature. It ensures that a bonding interface is marked UP (carrier - asserted) only when a specified number of member interfaces are - active (in the link-up state). This helps guarantee a minimum level - of bandwidth for higher-level services (such as clustering) relying - on the bonding interface. - - The default value is 0. This marks the bonding interface UP - (carrier asserted) whenever an active LACP aggregator exists, - regardless of the number of member interfaces in that aggregator. - - .. note:: In 802.3ad mode, a bond cannot be active without at - least one active member interface. Therefore, setting min-links - to 0 or 1 has the same result: the bonding interface is marked - UP (carrier asserted). - -.. cfgcmd:: set interfaces bonding <interface> lacp-rate <slow|fast> - - **Configure the rate at which the bonding interface requests its - link partner to send** - :abbr:`LACPDUs (Link Aggregation Control Protocol Data Units)` - **in 802.3ad mode.** - - This command applies only when the bonding interface is configured - in 802.3ad mode. - - The following options are available: - - * **slow (default):** Requests the link partner to transmit - LACPDUs every 30 seconds. - - * **fast:** Requests the link partner to transmit LACPDUs every - 1 second. - - -.. cfgcmd:: set interfaces bonding <interface> system-mac <mac address> - - **Configure a specific MAC address for the bonding interface.** - - This sets the 802.3ad system MAC address, which is used for - :abbr:`LACPDU (Link Aggregation Control Protocol Data Unit)` - exchanges with the link partner. You can assign a fixed MAC address - or generate a random one for these - :abbr:`LACPDU (Link Aggregation Control Protocol Data Unit)` - exchanges. - - -.. cfgcmd:: set interfaces bonding <interface> hash-policy <policy> - - **Configure which transmit hash policy to use for distributing - traffic across member interfaces.** - - The following policies are available: - - * ``layer2`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Routes all traffic destined for a specific network peer - through the same member interface. The policy is - 802.3ad-compliant. - * - **Hash inputs:** - - Source MAC address, destination MAC address, and Ethernet - packet type ID. - * - **Formula:** - - .. code-block:: none - - hash = source MAC address XOR destination MAC address XOR packet type ID - member interface number = hash modulo member interface count - - * ``layer2+3`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Similar to ``layer2``, routes all traffic destined for a - specific network peer through the same member interface - and is IEEE 802.3ad-compliant. Uses both Layer 2 and - Layer 3 information to provide a more balanced traffic - distribution. - * - **Hash inputs:** - - * Source MAC address, destination MAC address, and - Ethernet packet type ID. - * Source IP address, destination IP address. IPv6 - addresses are first hashed using ``IPv6_addr_hash``. - * - **Formula:** - - .. code-block:: none - - hash = source MAC address XOR destination MAC address XOR packet type ID - hash = hash XOR source IP address XOR destination IP address - hash = hash XOR (hash RSHIFT 16) - hash = hash XOR (hash RSHIFT 8) - member interface number = hash modulo member interface count - - For non-IP traffic, the formula is the same as for ``layer2``. - - * ``layer3+4`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Routes different connections (flows) destined for a - specific network peer through multiple member interfaces, - but ensures each individual flow is routed through only - one member interface. - - .. note:: This policy is not fully 802.3ad-compliant. - When a single TCP or UDP flow contains both fragmented - and unfragmented packets, the algorithm may distribute - them across different member interfaces. This may - result in out-of-order packet delivery, violating the - 802.3ad standard. - * - **Hash inputs:** - - * Source port, destination port (if available). - * Source IP address, destination IP address. IPv6 - addresses are first hashed using ``IPv6_addr_hash``. - * - **Formula:** - - .. code-block:: none - - hash = source port, destination port (as in the header) - hash = hash XOR source IP address XOR destination IP address - hash = hash XOR (hash RSHIFT 16) - hash = hash XOR (hash RSHIFT 8) - member interface number = hash modulo member interface count - - For fragmented TCP or UDP packets and all other IPv4 and - IPv6 traffic, the source and destination port information - is omitted. - - For non-IP traffic, the formula is the same as for ``layer2``. - -.. cfgcmd:: set interfaces bonding <interface> primary <interface> - - **Configure the primary member interface in the bond.** - - The primary member interface remains active as long as it is - operational; alternative member interfaces are used only if it - fails. - - Use this configuration when a specific member interface is - preferred, such as one with higher throughput. - - This command applies only to ``active-backup``, - ``transmit-load-balance``, and ``adaptive-load-balance`` modes. - -.. cfgcmd:: set interfaces bonding <interface> arp-monitor interval <time> - - **Configure the ARP monitoring interval, in seconds, for the - bonding interface.** - - ARP monitoring periodically assesses the health of each member - interface by checking whether it has recently sent or received - traffic (this criterion varies depending on the bonding mode and - the member interface’s state). ARP probes are sent to the IP - addresses specified with the arp-monitor target option. - - When ARP monitoring is used with EtherChannel-compatible modes - (such as ``round-robin`` or ``xor-hash``), the switch should be - configured to distribute traffic across all member interfaces. If - the switch distributes traffic using an XOR-based policy, all ARP - replies will be received on one member interface, causing other - member interfaces to be incorrectly marked as failed. - - Setting this value to 0 disables ARP monitoring. - - The default value is 0. - -.. cfgcmd:: set interfaces bonding <interface> arp-monitor target <address> - - **Configure the IP addresses for ARP monitoring requests.** - - The bonding driver sends ARP requests to these IP addresses to - check the state of member interfaces. - - To enable ARP monitoring, configure at least one IP address (up to - 16 per bonding interface). - - By default, no IP addresses are configured. - -:abbr:`VLAN (Virtual Local Area Network)` -========================================= - -.. cmdinclude:: /_include/interface-vlan-8021q.txt - :var0: bonding - :var1: bond0 - -SPAN port mirroring -=================== - -.. cmdinclude:: ../../_include/interface-mirror.txt - :var0: bonding - :var1: bond1 - :var2: eth3 - -EVPN multihoming ----------------- - -EVPN multihoming (EVPN-MH) is a standards-based solution (RFC 7432, RFC 8365) -that enables Customer Edge (CE) devices, such as servers, to connect to two -or more Provider Edge (PE) devices for redundancy and load balancing. - -EVPN-MH is often used as a modern, standards-based alternative to -:abbr:`MLAG (Multi-Chassis Link Aggregation)` and :abbr:`VTEPs (Virtual -Tunnel Endpoints)`. - -**Ethernet Segment (ES) and Ethernet Segment Identifier (ESI)** - -Physical links that connect a CE device to PE devices are bundled using link -aggregation. This logical bundle is called an Ethernet Segment (ES) and is -uniquely identified by an Ethernet Segment Identifier (ESI) within the -EVPN domain. - -To enable EVPN-MH, configure the same ESI on the bonding interfaces of all -PE devices connected to a single CE device. - -An ESI is configured by specifying either a system MAC address and a local -discriminator, or an Ethernet Segment Identifier Name (ESINAME). - -The following two commands generate a 10-byte Type-3 ESI by combining the -system MAC and local discriminator: - -.. stop_vyoslinter - -.. cfgcmd:: set interfaces bonding <interface> evpn es-id <1-16777215|10-byte ID> -.. cfgcmd:: set interfaces bonding <interface> evpn es-sys-mac <xx:xx:xx:xx:xx:xx> - - Alternatively, assign an ESINAME directly as a 10-byte Type-0 ESI - using the following format: 00:AA:BB:CC:DD:EE:FF:GG:HH:II. - - **BGP-EVPN route usage** - - EVPN-MH uses BGP-EVPN route types 1 and 2 for ES discovery and - MAC-IP synchronization: - - * **Type 1 (EAD-per-ES and EAD-per-EVI)** routes advertise the - locally attached ESs and discover remote ESs in the network. - * **Type 2 (MAC-IP advertisement)** routes are advertised with a - destination ESI, enabling MAC-IP synchronization between ES peers. - -.. stop_vyoslinter - -.. cfgcmd:: set interfaces bonding <interface> evpn es-df-pref <1-65535> - - **Configure the** :abbr:`DF (Designated Forwarder)` **preference (1-65535) for - the interface. A higher value indicates a higher preference to become the** - :abbr:`DF (Designated Forwarder)`. **The** :abbr:`DF (Designated Forwarder)` - **preference is configured per-ES.** - - The DF election process determines which interface in a specific ES forwards - :abbr:`BUM (Broadcast, Unknown Unicast, and Multicast)` traffic from the EVPN - overlay to the connected CE device. EVPN Type-4 (Ethernet Segment) routes are - used to elect the DF, implementing the preference-based election method defined - in RFC 9785. - - Interfaces not elected as the DF drop any BUM traffic from the EVPN overlay - using non-DF filters. Similarly, traffic received from ES peers via the EVPN - overlay is blocked from forwarding to the CE device to maintain split-horizon - filtering with local bias. - -.. start_vyoslinter - -.. cmdinclude:: /_include/interface-evpn-uplink.txt - :var0: bonding - :var1: bond0 - -******* -Example -******* - -The following configuration example applies to all listed third-party vendors. -It creates a bonding interface with two member interfaces, defines VLANs 10 -and 100 on the bonding interface, and assigns an IPv4 address to each VLAN -subinterface. - -.. code-block:: none - - # Create the bonding interface bond0 with 802.3ad LACP - set interfaces bonding bond0 hash-policy 'layer2' - set interfaces bonding bond0 mode '802.3ad' - - # Add the required VLANs and IPv4 addresses on them - set interfaces bonding bond0 vif 10 address 192.168.0.1/24 - set interfaces bonding bond0 vif 100 address 10.10.10.1/24 - - # Add the member interfaces to the bonding interface - set interfaces bonding bond0 member interface eth1 - set interfaces bonding bond0 member interface eth2 - -.. note:: If you are running this configuration in a virtual environment like - EVE-NG, ensure the e1000 driver is chosen for your VyOS NIC. The default - drivers, such as ``virtio-net-pci`` or ``vmxnet3``, are incompatible with - this configuration. Specifically, ICMP messages will not be processed - correctly. - - To check your NIC driver, use the following command: - :opcmd:`show interfaces ethernet eth0 physical | grep -i driver` - -Cisco Catalyst configuration -============================ - -Configure a Cisco Catalyst switch to integrate with a two-member VyOS bonding -interface. - -Assign member interfaces to PortChannel: - -.. code-block:: none - - interface GigabitEthernet1/0/23 - description VyOS eth1 - channel-group 1 mode active - ! - interface GigabitEthernet1/0/24 - description VyOS eth2 - channel-group 1 mode active - ! - -A new interface, ``Port-channel1``, becomes available; all configuration, -such as allowed VLAN interfaces and STP, is applied here. - -.. code-block:: none - - interface Port-channel1 - description LACP Channel for VyOS - switchport trunk encapsulation dot1q - switchport trunk allowed vlan 10,100 - switchport mode trunk - spanning-tree portfast trunk - ! - - -Juniper EX Switch configuration -=============================== - -Configure a Juniper EX Series switch to integrate with a two-member VyOS -bonding interface. - -.. code-block:: none - - # Create aggregated ethernet device with 802.3ad LACP and port speeds of 10gbit/s - set interfaces ae0 aggregated-ether-options link-speed 10g - set interfaces ae0 aggregated-ether-options lacp active - - # Create layer 2 on the aggregated ethernet device with trunking for our VLANs - set interfaces ae0 unit 0 family ethernet-switching port-mode trunk - - # Add the required vlans to the device - set interfaces ae0 unit 0 family ethernet-switching vlan members 10 - set interfaces ae0 unit 0 family ethernet-switching vlan members 100 - - # Add the two interfaces to the aggregated ethernet device, in this setup both - # ports are on the same switch (switch 0, module 1, port 0 and 1) - set interfaces xe-0/1/0 ether-options 802.3ad ae0 - set interfaces xe-0/1/1 ether-options 802.3ad ae0 - - # But this can also be done with multiple switches in a stack, a virtual - # chassis on Juniper (switch 0 and switch 1, module 1, port 0 on both switches) - set interfaces xe-0/1/0 ether-options 802.3ad ae0 - set interfaces xe-1/1/0 ether-options 802.3ad ae0 - -Aruba/HP configuration -====================== - -Configure an Aruba/HP 2510G switch to integrate with a two-member VyOS bonding -interface. - -.. code-block:: none - - # Create trunk with 2 member interfaces (interface 1 and 2) and LACP - trunk 1-2 Trk1 LACP - - # Add the required VLANs to the trunk - vlan 10 tagged Trk1 - vlan 100 tagged Trk1 - -Arista EOS configuration -======================== - -When deploying VyOS in environments with Arista switches, use the following -blueprint as an initial setup to configure an operational LACP port-channel -between the two devices. - -Let's assume the following topology: - -.. figure:: /_static/images/vyos_arista_bond_lacp.* - :alt: VyOS Arista EOS setup - -**R1** - - .. code-block:: none - - interfaces { - bonding bond10 { - hash-policy layer3+4 - member { - interface eth1 - interface eth2 - } - mode 802.3ad - vif 100 { - address 192.0.2.1/30 - address 2001:db8::1/64 - } - } - -**R2** - - .. code-block:: none - - interfaces { - bonding bond10 { - hash-policy layer3+4 - member { - interface eth1 - interface eth2 - } - mode 802.3ad - vif 100 { - address 192.0.2.2/30 - address 2001:db8::2/64 - } - } - -**SW1** - - .. code-block:: none - - ! - vlan 100 - name FOO - ! - interface Port-Channel10 - switchport trunk allowed vlan 100 - switchport mode trunk - spanning-tree portfast - ! - interface Port-Channel20 - switchport mode trunk - no spanning-tree portfast auto - spanning-tree portfast network - ! - interface Ethernet1 - channel-group 10 mode active - ! - interface Ethernet2 - channel-group 10 mode active - ! - interface Ethernet3 - channel-group 20 mode active - ! - interface Ethernet4 - channel-group 20 mode active - ! - -**SW2** - - .. code-block:: none - - ! - vlan 100 - name FOO - ! - interface Port-Channel10 - switchport trunk allowed vlan 100 - switchport mode trunk - spanning-tree portfast - ! - interface Port-Channel20 - switchport mode trunk - no spanning-tree portfast auto - spanning-tree portfast network - ! - interface Ethernet1 - channel-group 10 mode active - ! - interface Ethernet2 - channel-group 10 mode active - ! - interface Ethernet3 - channel-group 20 mode active - ! - interface Ethernet4 - channel-group 20 mode active - ! - -.. note:: When testing this environment in EVE-NG, ensure the e1000 driver - is chosen for your VyOS network interfaces. If the default virtio driver - is used, VyOS will not transmit LACP PDUs, preventing the port-channel - from ever becoming active. - -********* -Operation -********* - -.. opcmd:: show interfaces bonding - - Show brief interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces bonding - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - bond0 - u/u my-sw1 int 23 and 24 - bond0.10 192.168.0.1/24 u/u office-net - bond0.100 10.10.10.1/24 u/u management-net - - -.. opcmd:: show interfaces bonding <interface> - - Show detailed interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces bonding bond5 - bond5: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000 - link/ether 00:50:56:bf:ef:aa brd ff:ff:ff:ff:ff:ff - inet6 fe80::e862:26ff:fe72:2dac/64 scope link tentative - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 0 0 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 0 0 0 0 0 0 - -.. opcmd:: show interfaces bonding <interface> detail - - Show detailed information about the underlying physical links on the given - bonding interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces bonding bond5 detail - Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011) - - Bonding Mode: IEEE 802.3ad Dynamic link aggregation - Transmit Hash Policy: layer2 (0) - MII Status: down - MII Polling Interval (ms): 100 - Up Delay (ms): 0 - Down Delay (ms): 0 - - 802.3ad info - LACP rate: slow - Min links: 0 - Aggregator selection policy (ad_select): stable - - Slave Interface: eth1 - MII Status: down - Speed: Unknown - Duplex: Unknown - Link Failure Count: 0 - Permanent HW addr: 00:50:56:bf:ef:aa - Slave queue ID: 0 - Aggregator ID: 1 - Actor Churn State: churned - Partner Churn State: churned - Actor Churned Count: 1 - Partner Churned Count: 1 - - Slave Interface: eth2 - MII Status: down - Speed: Unknown - Duplex: Unknown - Link Failure Count: 0 - Permanent HW addr: 00:50:56:bf:19:26 - Slave queue ID: 0 - Aggregator ID: 2 - Actor Churn State: churned - Partner Churn State: churned - Actor Churned Count: 1 - Partner Churned Count: 1 diff --git a/docs/configuration/interfaces/rst-bridge.rst b/docs/configuration/interfaces/rst-bridge.rst deleted file mode 100644 index a1710804..00000000 --- a/docs/configuration/interfaces/rst-bridge.rst +++ /dev/null @@ -1,424 +0,0 @@ -:lastproofread: 2025-12-22 - -.. _bridge-interface: - -###### -Bridge -###### - -VyOS bridges connect Ethernet segments by grouping multiple interfaces into a -single bridge interface, which acts as a virtual software switch. Unlike -routers, which forward traffic based on Layer 3 IP addresses, bridges operate -at Layer 2 and forward traffic based on MAC addresses. Operating at Layer 2, -bridges are protocol-agnostic and transparently forward all Ethernet- -encapsulated traffic, whether it is IPv4, IPv6, or specialized industrial -protocols. - -This implementation utilizes the Linux bridge subsystem to support a subset of -the ANSI/IEEE 802.1d standard for transparent bridging and MAC address learning. - -.. note:: :abbr:`STP (Spanning Tree Protocol)` is disabled by default in VyOS - and must be explicitly enabled if required. See :ref:`stp` for details. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-common-with-dhcp.txt - :var0: bridge - :var1: br0 - -Member interfaces -================= - -.. cfgcmd:: set interfaces bridge <interface> member interface <member> - - **Configure an interface as a bridge member.** - - Valid interface types are: :ref:`ethernet-interface`, :ref:`bond-interface`, - :ref:`l2tpv3-interface`, :ref:`openvpn`, :ref:`vxlan-interface`, - :ref:`wireless-interface`, :ref:`tunnel-interface`, and - :ref:`geneve-interface`. - - Use tab completion to list interfaces that can be bridged. - -.. cfgcmd:: set interfaces bridge <interface> member interface <member> - priority <priority> - - **Configure the** :abbr:`STP (Spanning Tree Protocol)` **port priority - for a specific member interface within a bridge.** - - Within the :abbr:`STP (Spanning Tree Protocol)` topology, each member interface - in a bridge operates as a port with an assigned **priority** and **path cost**. - :abbr:`STP (Spanning Tree Protocol)` uses these values to determine the - **lowest-cost path** to the root bridge, maintaining a loop-free topology. - Traffic flows through the path with the lowest path cost, while alternate - paths remain in standby. - - A **lower** priority value means **higher** precedence in path selection. - - :abbr:`STP (Spanning Tree Protocol)` considers the port priority only if - multiple member interfaces have the same path costs. - - -.. cfgcmd:: set interfaces bridge <interface> member interface <member> - cost <cost> - - **Configure the** :abbr:`STP (Spanning Tree Protocol)` **path cost for a - specific member interface within the bridge.** - - Path cost is the primary metric :abbr:`STP (Spanning Tree Protocol)` uses to - determine the path to the root bridge. This value is based on interface - bandwidth; faster interfaces receive lower costs. - - By assigning a lower cost, you give the interface higher precedence during - path selection. - -.. cfgcmd:: set interfaces bridge <interface> member interface <member> - disable-learning - - **Disable MAC address learning for a specific member interface - within a bridge.** - - When learning is disabled, the bridge will not add source MAC addresses - observed on this port to its forwarding database (FDB). Frames destined - to MACs not present in the FDB are then flooded to all bridge ports - rather than unicast-forwarded. - -Bridge options -============== - -Configure how bridge interfaces maintain their :abbr:`FDB (Forwarding Database)` -, react to topology changes, and optimize multicast data streams. - -.. cfgcmd:: set interfaces bridge <interface> aging <time> - - **Configure the MAC address aging time for the bridge.** - - The duration in seconds that a MAC address remains in the bridge’s :abbr:`FDB - (Forwarding Database)` before removal if no traffic is received from that - address. - - The default value is 300 seconds. - -.. cfgcmd:: set interfaces bridge <interface> max-age <time> - - **Configure the** :abbr:`STP (Spanning Tree Protocol)` **max age timer for - the bridge.** - - The duration in seconds that the bridge waits for a :abbr:`BPDU (Bridge - Protocol Data Unit)` from the root bridge. - - If the bridge does not receive a :abbr:`BPDU (Bridge Protocol Data Unit)` - within this period, it recalculates the path to the root bridge or initiates - a new root bridge election. - -.. cfgcmd:: set interfaces bridge <interface> igmp querier - - **Configure the bridge interface to act as the** :abbr:`IGMP (Internet Group - Management Protocol)`/:abbr:`MLD (Multicast Listener Discovery)` **Querier.** - - **When configured:** The bridge interface sends :abbr:`IGMP (Internet Group - Management Protocol)` (IPv4) and :abbr:`MLD (Multicast Listener Discovery)` - (IPv6) general queries to all connected hosts to identify active multicast - listeners. - -.. cfgcmd:: set interfaces bridge <interface> igmp snooping - - **Configure the bridge interface to perform** :abbr:`IGMP (Internet Group - Management Protocol)`/:abbr:`MLD (Multicast Listener Discovery)` - **snooping.** - - **When configured:** The bridge interface monitors :abbr:`IGMP (Internet Group - Management Protocol)` (IPv4) and :abbr:`MLD (Multicast Listener Discovery)` - (IPv6) join requests and restricts multicast traffic forwarding to only active - listeners. This prevents network flooding. - -.. _stp: - -STP configuration ------------------ - -:abbr:`STP (Spanning Tree Protocol)` is a Layer 2 protocol that prevents loops -in Ethernet networks by ensuring only one logical path exists between any two -bridges. This creates a loop-free topology and prevents broadcast storms that -can crash the network. - -By default, :abbr:`STP (Spanning Tree Protocol)` is disabled on bridge interfaces. -To activate loop prevention, you must explicitly enable the protocol and -configure its parameters. - -.. cfgcmd:: set interfaces bridge <interface> stp - - Enable :abbr:`STP (Spanning Tree Protocol)` on the bridge interface. - -.. cfgcmd:: set interfaces bridge <interface> forwarding-delay <delay> - - **Configure the** :abbr:`STP (Spanning Tree Protocol)` **delay, in seconds, - for the bridge interface.** - - This parameter defines how long the bridge interface remains in the listening - and learning states before forwarding traffic. The delay ensures that the - bridge has sufficient time to detect loops (in the listening state) and learn - the MAC addresses of connected devices (in the learning state). - - The default value is 15 seconds. The total time before forwarding begins is - twice this value. - -.. cfgcmd:: set interfaces bridge <interface> hello-time <interval> - - **Configure the** :abbr:`STP (Spanning Tree Protocol)` **Hello advertisement - interval, in seconds.** - - This parameter sets the frequency at which the bridge interface transmits - Hello packets (:abbr:`BPDUs (Bridge Protocol Data Units)`). These packets - originate from the root bridge and are propagated by designated bridges. If - neighbors stop receiving Hello packets, they assume a connection failure and - trigger a topology recalculation. - - The default value is 2 seconds. - -VLAN -==== - -VLAN-aware bridges ------------------- - -.. cfgcmd:: set interfaces bridge <interface> enable-vlan - - **Enable VLAN filtering (also known as VLAN awareness) on the bridge interface.** - - When enabled, the bridge strictly segregates traffic among VLANs configured - on its member interfaces. - - .. note:: - Do not configure **vif 1** on a VLAN-aware bridge. The main bridge - interface acts as VLAN 1 (the default native VLAN) and automatically - handles all untagged traffic. - -.. cfgcmd:: set interfaces bridge <interface> protocol <802.1ad | 802.1q> - - **Configure the VLAN protocol (EtherType) for the bridge interface.** - - The following options are available: - - * ``802.1q`` (default): Sets the EtherType to ``0x8100``. Used for standard - enterprise VLANs. - * ``802.1ad``: Sets the EtherType to ``0x88a8``. Used for QinQ (provider bridging). - -VLAN configuration ------------------- - -.. cmdinclude:: /_include/interface-vlan-8021q.txt - :var0: bridge - :var1: br0 - -.. cfgcmd:: set interfaces bridge <interface> member interface <member> - native-vlan <vlan-id> - - **Configure the native VLAN ID for a specific member interface within a - VLAN-aware bridge.** - - This assigns the specified ``<vlan-id>`` to untagged traffic entering the member - interface. The bridge strips the VLAN tag from outgoing traffic matching this - ID. - - **Example:** - - Set the native VLAN ID to 2 for the member interface ``eth0``: - - .. code-block:: none - - set interfaces bridge br1 member interface eth0 native-vlan 2 - -.. cfgcmd:: set interfaces bridge <interface> member interface <member> - allowed-vlan <vlan-id> - - **Configure allowed VLAN IDs for a specific member interface within a - VLAN-aware bridge.** - - Enter a single VLAN ID or a range of VLAN IDs separated by a hyphen. - - **Example:** - - To allow VLAN ID 4 on member interface ``eth0``: - - .. code-block:: none - - set interfaces bridge br1 member interface eth0 allowed-vlan 4 - - **Example:** - - To allow VLAN IDs 6 through 8 on member interface ``eth0``: - - .. code-block:: none - - set interfaces bridge br1 member interface eth0 allowed-vlan 6-8 - -SPAN port mirroring -=================== -.. cmdinclude:: ../../_include/interface-mirror.txt - :var0: bridge - :var1: br1 - :var2: eth3 - -******** -Examples -******** - -Configure a standard bridge -=========================== - -The following example creates a bridge named br100 with :abbr:`STP (Spanning -Tree Protocol)` enabled. - -Configuration requirements: - -* **Bridge name:** ``br100`` -* **Member interfaces:** Physical interface ``eth1`` and VLAN interface ``eth2.10``. -* **STP:** Enabled. -* **Bridge IP addresses:** ``192.0.2.1/24`` (IPv4) and ``2001:db8::ffff/64`` (IPv6). - -.. code-block:: none - - set interfaces bridge br100 address 192.0.2.1/24 - set interfaces bridge br100 address 2001:db8::ffff/64 - set interfaces bridge br100 member interface eth1 - set interfaces bridge br100 member interface eth2.10 - set interfaces bridge br100 stp - -Verify the configuration: - -.. code-block:: none - - vyos@vyos# show interfaces bridge br100 - address 192.0.2.1/24 - address 2001:db8::ffff/64 - member { - interface eth1 { - } - interface eth2.10 { - } - } - stp - - -Configure a VLAN-aware bridge -============================= - -The following example creates a VLAN-aware bridge named br100. In this setup, -one member interface is configured as a trunk port, and the other as an access -port. The VLAN interface is configured with IP addresses. - -**Configuration requirements:** - -* **Bridge name:** ``br100``. -* **Trunk port** (``eth1``): Handles **tagged** traffic for VLAN 10. -* **Access port** (``eth2``): Handles **untagged** traffic (assigned to native - VLAN 10). -* **STP:** Enabled. -* **VLAN IP addresses** (``vif 10``): ``192.0.2.1/24`` (IPv4) and - ``2001:db8::ffff/64`` (IPv6). - -.. code-block:: none - - set interfaces bridge br100 enable-vlan - set interfaces bridge br100 member interface eth1 allowed-vlan 10 - set interfaces bridge br100 member interface eth2 native-vlan 10 - set interfaces bridge br100 vif 10 address 192.0.2.1/24 - set interfaces bridge br100 vif 10 address 2001:db8::ffff/64 - set interfaces bridge br100 stp - -Verify the configuration: - -.. code-block:: none - - vyos@vyos# show interfaces bridge br100 - enable-vlan - member { - interface eth1 { - allowed-vlan 10 - } - interface eth2 { - native-vlan 10 - } - } - stp - vif 10 { - address 192.0.2.1/24 - address 2001:db8::ffff/64 - } - - -Operation -========= - -.. opcmd:: show bridge - - Show the status of member interfaces for all configured bridges. - - .. code-block:: none - - vyos@vyos:~$ show bridge - 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding - priority 32 cost 100 - 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding - priority 32 cost 100 - -.. opcmd:: show bridge <name> fdb - - Show the :abbr:`FDB (Forwarding Database)` for the specified bridge. - - .. code-block:: none - - vyos@vyos:~$ show bridge br0 fdb - 50:00:00:08:00:01 dev eth1 vlan 20 master br0 permanent - 50:00:00:08:00:01 dev eth1 vlan 10 master br0 permanent - 50:00:00:08:00:01 dev eth1 master br0 permanent - 33:33:00:00:00:01 dev eth1 self permanent - 33:33:00:00:00:02 dev eth1 self permanent - 01:00:5e:00:00:01 dev eth1 self permanent - 50:00:00:08:00:02 dev eth2 vlan 20 master br0 permanent - 50:00:00:08:00:02 dev eth2 vlan 10 master br0 permanent - 50:00:00:08:00:02 dev eth2 master br0 permanent - 33:33:00:00:00:01 dev eth2 self permanent - 33:33:00:00:00:02 dev eth2 self permanent - 01:00:5e:00:00:01 dev eth2 self permanent - 33:33:00:00:00:01 dev br0 self permanent - 33:33:00:00:00:02 dev br0 self permanent - 33:33:ff:08:00:01 dev br0 self permanent - 01:00:5e:00:00:6a dev br0 self permanent - 33:33:00:00:00:6a dev br0 self permanent - 01:00:5e:00:00:01 dev br0 self permanent - 33:33:ff:00:00:00 dev br0 self permanent - -.. opcmd:: show bridge <name> mdb - - Show the :abbr:`MDB (Multicast group Database)` for the specified bridge. - - The :abbr:`MDB (Multicast group Database)` is populated by :abbr:`IGMP - (Internet Group Management Protocol)`/:abbr:`MLD (Multicast Listener - Discovery)` snooping and lists the multicast groups currently active on the - bridge. - - .. code-block:: none - - vyos@vyos:~$ show bridge br0 mdb - dev br0 port br0 grp ff02::1:ff00:0 temp vid 1 - dev br0 port br0 grp ff02::2 temp vid 1 - dev br0 port br0 grp ff02::1:ff08:1 temp vid 1 - dev br0 port br0 grp ff02::6a temp vid 1 - -.. opcmd:: show bridge <name> macs - - Show the learned :abbr:`MAC (Media Access Control)` address table for the - specified bridge. - - .. code-block:: none - - vyos@vyos:~$ show bridge br100 macs - port no mac addr is local? ageing timer - 1 00:53:29:44:3b:19 yes 0.00 diff --git a/docs/configuration/interfaces/rst-dummy.rst b/docs/configuration/interfaces/rst-dummy.rst deleted file mode 100644 index 55c134e3..00000000 --- a/docs/configuration/interfaces/rst-dummy.rst +++ /dev/null @@ -1,87 +0,0 @@ -:lastproofread: 2026-01-23 - -.. _dummy-interface: - -##### -Dummy -##### - -A dummy interface is a virtual network interface that operates like the -loopback interface, accepting traffic and routing it back to the local host. -Unlike the loopback interface, which is limited to one per system and reserved -for internal system use, multiple dummy interfaces can be created, removed, and -managed without impacting core operations. - -As a software-based interface, the dummy interface does not depend on physical -link state and remains active as long as the operating system is running. - -Dummy interfaces are commonly used in environments with multiple redundant -uplinks (e.g., a server connected to two different switches), where assigning a -management IP address to a specific physical interface is risky. If that -interface fails, the management IP address becomes unreachable. - -Assigning the management IP address to a dummy interface and advertising it -over all available physical links ensures the address remains reachable as long -as at least one physical path is active. - -Dummy interfaces are also used for testing and simulation purposes. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-address.txt - :var0: dummy - :var1: dum0 - -.. cmdinclude:: /_include/interface-description.txt - :var0: dummy - :var1: dum0 - -.. cmdinclude:: /_include/interface-disable.txt - :var0: dummy - :var1: dum0 - -.. cmdinclude:: /_include/interface-vrf.txt - :var0: dummy - :var1: dum0 - -********* -Operation -********* - -.. opcmd:: show interfaces dummy - - Show brief interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces dummy - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - dum0 172.18.254.201/32 u/u - -.. opcmd:: show interfaces dummy <interface> - - Show detailed interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces dummy dum0 - dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 - link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff - inet 172.18.254.201/32 scope global dum0 - valid_lft forever preferred_lft forever - inet6 fe80::247c:8eff:febc:fcf5/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 0 0 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 1369707 4267 0 0 0 0 - - diff --git a/docs/configuration/interfaces/rst-ethernet.rst b/docs/configuration/interfaces/rst-ethernet.rst deleted file mode 100644 index e6c385e7..00000000 --- a/docs/configuration/interfaces/rst-ethernet.rst +++ /dev/null @@ -1,468 +0,0 @@ -:lastproofread: 2026-01-19 - -.. _ethernet-interface: - -######## -Ethernet -######## - -Ethernet interfaces (e.g., ``eth0``, ``eth1``) represent the host's physical -or virtual network ports. - -They are the most common interface type, serving as the base layer upon which -IP addresses, VLANs, and tunnels are configured to carry traffic across both -LANs and WANs. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-common-with-dhcp.txt - :var0: ethernet - :var1: eth0 - -.. cfgcmd:: set interfaces ethernet <interface> switchdev - - **Enable** ``switchdev`` **mode for the interface.** - - In ``switchdev`` mode, the interface offloads traffic switching between ports - to the hardware, bypassing the host CPU. This increases the interface’s - traffic-handling capacity and reduces its forwarding delay. - -.. note:: ``switchdev`` mode is available only on certain physical network - interfaces and requires a switchdev-compatible driver. - - -Ethernet options -================ - -.. cfgcmd:: set interfaces ethernet <interface> duplex <auto | full | half> - - **Configure duplex mode for the interface.** - - The following duplex modes are available: - - * ``auto``: The interface negotiates the duplex mode with the connected device. - * ``full``: The interface sends and receives data simultaneously. The - connected device must also be set to full-duplex to avoid a duplex mismatch. - * ``half``: The interface either sends or receives data, but not both at the - same time. - - The default duplex mode is ``auto``. - -.. cfgcmd:: set interfaces ethernet <interface> speed <auto | 10 | 100 | 1000 | - 2500 | 5000 | 10000 | 25000 | 40000 | 50000 | 100000> - - **Configure the interface's speed, in Mbit/s.** - - The following options are available: - - * ``auto``: The interface negotiates the speed with the connected device. - * ``10, 100, 1000 ...``: The interface operates at the selected speed. The - connected device must be set to the same speed to establish a connection. - - The default option is ``auto``. - -.. cfgcmd:: set interfaces ethernet <interface> ring-buffer rx <value> - - **Configure the receive (RX) ring buffer size for the interface.** - - The RX ring buffer size defines the number of incoming packets the interface - can queue in hardware before the CPU processes them. - - Higher values reduce the risk of drops when the NIC receives network traffic - faster than the CPU can process it, though latency may increase. Lower values - reduce latency but increase the risk of packet drops during incoming traffic - bursts. - - To view supported values for a specific interface, use: - -.. code-block:: none - - ethtool -g <interface> - -.. cfgcmd:: set interfaces ethernet <interface> ring-buffer tx <value> - - **Configure the transmit (TX) ring buffer size.** - - The TX ring buffer size defines the number of outgoing packets the interface - can queue in hardware before they are transmitted onto the network. - - Higher values reduce the risk of drops when the CPU generates traffic faster - than the NIC can handle, though latency may increase. Lower values reduce - latency but increase the risk of packet drops during outgoing traffic bursts. - - To view supported values for a specific interface, use: - -.. code-block:: none - - ethtool -g <interface> - -Interrupt Coalescing ----------- - -Interrupt coalescing is a mechanism that reduces CPU interrupt load by bundling -multiple packets into a single interrupt event instead of interrupting -the CPU for every packet arrival or transmission. - -.. note:: Not all network drivers or virtual interfaces support all - coalescing parameters. Use ``ethtool --show-coalesce <interface>`` - to verify which settings are supported by your hardware and driver. - -**Basic adaptive coalescing** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing adaptive-rx -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing adaptive-tx - - Enable adaptive interrupt coalescing. The NIC automatically tunes RX/TX - interrupt pacing based on traffic patterns to reduce CPU utilization - during high throughput while preserving latency at low packet rates. - -**Basic interrupt delay** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing rx-usecs <0-16384> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-usecs <0-16384> - - Set the delay in microseconds before generating an RX/TX interrupt after - receiving or transmitting a packet. Lower values reduce latency; higher - values reduce CPU load. - -**Interrupt frame thresholds** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing rx-frames <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-frames <number> - - Generate an RX/TX interrupt only after the specified number of packets - have been received or transmitted. - -**IRQ-specific coalescing** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing rx-usecs-irq <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing rx-frames-irq <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-usecs-irq <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-frames-irq <number> - - Control interrupt coalescing parameters while the driver is already - servicing an interrupt (IRQ context). These settings allow finer tuning - of interrupt behavior under sustained load. - -**Adaptive rate thresholds** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing pkt-rate-low <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing pkt-rate-high <number> - - Define packet-rate thresholds (packets per second) used by adaptive - coalescing to switch between low-rate and high-rate interrupt coalescing - profiles. - -**Low-rate adaptive parameters** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing rx-usecs-low <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing rx-frame-low <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-usecs-low <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-frame-low <number> - - Interrupt coalescing parameters applied when the packet rate is below - ``pkt-rate-low``. Typically optimized for lower latency. - -**High-rate adaptive parameters** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing rx-usecs-high <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing rx-frame-high <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-usecs-high <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-frame-high <number> - - Interrupt coalescing parameters applied when the packet rate exceeds - ``pkt-rate-high``. Typically optimized for maximum throughput and - reduced CPU utilization. - -**Statistics and sampling** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing stats-block-usecs <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing sample-interval <number> - - Control how frequently coalescing statistics are updated and how often - the NIC samples traffic rates for adaptive coalescing decisions. - -**Completion queue (CQE) mode** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing cqe-mode-rx -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing cqe-mode-tx - - Enable RX/TX Completion Queue Entry (CQE) mode, if supported by the - driver. CQE mode can improve performance on high-speed NICs by - optimizing completion handling. - -**Transmit aggregation** - -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-aggr-max-bytes <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-aggr-max-frames <number> -.. cfgcmd:: set interfaces ethernet <interface> interrupt-coalescing tx-aggr-time-usecs <number> - - Control transmit packet aggregation. Packets may be buffered and sent - together until one of the configured limits (bytes, frames, or time) - is reached, reducing interrupt and DMA overhead. - - -Offloading ----------- - -.. cfgcmd:: set interfaces ethernet <interface> offload <lro | tso | gso | - gro | rps | sg > - - **Configure the offloading features for the interface.** - - The interface offloading features define whether specific packet-processing tasks - are performed by hardware (the NIC) or by software (the kernel). You can enable - multiple offloading features for a single interface. - - - * ``lro`` **(Large Receive Offload):** Instructs the NIC to merge multiple - incoming packets into one larger packet before sending it to the CPU. - - .. note:: :abbr:`LRO (Large Receive Offload)` hardware support is often limited - to TCP/IPv4 packets. For details on LRO limitations, see - https://lwn.net/Articles/358910/ - - .. warning:: :abbr:`LRO (Large Receive Offload)` irreversibly alters packet - headers during merging. This prevents the merged packet from being correctly - split back into the original packets, causing packet drops and forwarding - failures on routers and bridges. Use :abbr:`LRO (Large Receive Offload)` only - for end-hosts that do not forward traffic. - - * ``tso`` **(TCP Segmentation Offload):** Instructs the NIC to split large TCP - packets into smaller ones before transmitting them to the network. - - **Important:** :abbr:`SG (Scatter-Gather/Scatter-Gather DMA)` must be enabled - for :abbr:`TSO (TCP Segmentation Offload)` to work. Additionally, :abbr:`GSO - (Generic Segmentation Offload)` should be enabled as a safety fallback; it - ensures that if traffic is rerouted to hardware without :abbr:`TSO (TCP - Segmentation Offload)` support, the kernel can still segment the packets, - preventing transmission failures. - - * ``gso`` **(Generic Segmentation Offload):** Instructs the kernel to split - large packets into smaller ones before sending them to the NIC. - - :abbr:`GSO (Generic Segmentation Offload)` serves as a software fallback for - hardware that does not support :abbr:`TSO (TCP Segmentation Offload)` or for - protocols (like UDP) that hardware cannot offload. - - **Important:** :abbr:`SG (Scatter-Gather/Scatter-Gather DMA)` must be enabled - for :abbr:`GSO (Generic Segmentation Offload)` to work. - - * ``gro`` **(Generic Receive Offload):** Instructs the kernel to merge multiple - incoming packets into one larger packet before passing it to upper protocol - layers. - - Unlike LRO, GRO preserves the necessary packet metadata so the merged packet - can be correctly split back into the original packets. This makes GRO safe for - use on routers and bridges. - - .. note:: The exception is for IPv4 IDs. If the "Don't Fragment" (DF) bit is - set and IDs are not sequential, :abbr:`GSO (Generic Segmentation Offload)` - alters them to maintain a consistent sequence for :abbr:`GSO (Generic - Segmentation Offload)` compatibility. - - * ``rps`` **(Receive Packet Steering):** Instructs the kernel to distribute - the processing of incoming packets across multiple CPU cores. - - The kernel calculates a hash from packet headers (IP addresses and ports) to - ensure packets from the same flow are processed by the same CPU core. - - .. note:: :abbr:`RPS (Receive Packet Steering)` is a software version of - :abbr:`RSS (Receive Side Scaling)` and is useful for NICs without hardware - multi-queue support. - - * ``sg`` **(Scatter-Gather/Scatter-Gather DMA):** Instructs the NIC to fetch - data fragments from various RAM locations and transmit them as a single packet - to the network, eliminating the need for the kernel to copy them into a - contiguous block first. - -802.1X (EAPOL) authentication ------------------------------ - -.. cmdinclude:: /_include/interface-eapol.txt - :var0: ethernet - :var1: eth0 - -EVPN Multihoming ----------------- - -Uplink/core tracking. - -.. cmdinclude:: /_include/interface-evpn-uplink.txt - :var0: ethernet - :var1: eth0 - -VLAN -==== - -Regular VLANs (802.1q) ----------------------- - -.. cmdinclude:: /_include/interface-vlan-8021q.txt - :var0: ethernet - :var1: eth0 - -802.1ad (QinQ) --------------- - -.. cmdinclude:: /_include/interface-vlan-8021ad.txt - :var0: ethernet - :var1: eth0 - -SPAN port mirroring -=================== -.. cmdinclude:: ../../_include/interface-mirror.txt - :var0: ethernet - :var1: eth1 - :var2: eth3 - -********* -Operation -********* - -.. opcmd:: show interfaces ethernet - - Show brief interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces ethernet - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 172.18.201.10/24 u/u LAN - eth1 172.18.202.11/24 u/u WAN - eth2 - u/D - -.. opcmd:: show interfaces ethernet <interface> - - Show detailed interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces ethernet eth0 - eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 - link/ether 00:50:44:00:f5:c9 brd ff:ff:ff:ff:ff:ff - inet6 fe80::250:44ff:fe00:f5c9/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 56735451 179841 0 0 0 142380 - TX: bytes packets errors dropped carrier collisions - 5601460 62595 0 0 0 0 - -.. stop_vyoslinter - -.. opcmd:: show interfaces ethernet <interface> physical - - Show interface hardware-level and driver details. - - .. code-block:: none - - vyos@vyos:~$ show interfaces ethernet eth0 physical - Settings for eth0: - Supported ports: [ TP ] - Supported link modes: 1000baseT/Full - 10000baseT/Full - Supported pause frame use: No - Supports auto-negotiation: No - Supported FEC modes: Not reported - Advertised link modes: Not reported - Advertised pause frame use: No - Advertised auto-negotiation: No - Advertised FEC modes: Not reported - Speed: 10000Mb/s - Duplex: Full - Port: Twisted Pair - PHYAD: 0 - Transceiver: internal - Auto-negotiation: off - MDI-X: Unknown - Supports Wake-on: uag - Wake-on: d - Link detected: yes - driver: vmxnet3 - version: 1.4.16.0-k-NAPI - firmware-version: - expansion-rom-version: - bus-info: 0000:0b:00.0 - supports-statistics: yes - supports-test: no - supports-eeprom-access: no - supports-register-dump: yes - supports-priv-flags: no - -.. start_vyoslinter - -.. opcmd:: show interfaces ethernet <interface> physical offload - - Show the status of the interface offloading features. - - .. code-block:: none - - vyos@vyos:~$ show interfaces ethernet eth0 physical offload - rx-checksumming on - tx-checksumming on - tx-checksum-ip-generic on - scatter-gather off - tx-scatter-gather off - tcp-segmentation-offload off - tx-tcp-segmentation off - tx-tcp-mangleid-segmentation off - tx-tcp6-segmentation off - udp-fragmentation-offload off - generic-segmentation-offload off - generic-receive-offload off - large-receive-offload off - rx-vlan-offload on - tx-vlan-offload on - ntuple-filters off - receive-hashing on - tx-gre-segmentation on - tx-gre-csum-segmentation on - tx-udp_tnl-segmentation on - tx-udp_tnl-csum-segmentation on - tx-gso-partial on - tx-nocache-copy off - rx-all off - -.. opcmd:: show interfaces ethernet <interface> transceiver - - Show information about the transceiver module plugged into the interface - (e.g., SFP+, QSFP). - - .. code-block:: none - - vyos@vyos:~$ show interfaces ethernet eth5 transceiver - Identifier : 0x03 (SFP) - Extended identifier : 0x04 (GBIC/SFP defined by 2-wire interface ID) - Connector : 0x07 (LC) - Transceiver codes : 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 - Transceiver type : Ethernet: 1000BASE-SX - Encoding : 0x01 (8B/10B) - BR, Nominal : 1300MBd - Rate identifier : 0x00 (unspecified) - Length (SMF,km) : 0km - Length (SMF) : 0m - Length (50um) : 550m - Length (62.5um) : 270m - Length (Copper) : 0m - Length (OM3) : 0m - Laser wavelength : 850nm - Vendor name : CISCO-FINISAR - Vendor OUI : 00:90:65 - Vendor PN : FTRJ-8519-7D-CS4 - Vendor rev : A - Option values : 0x00 0x1a - Option : RX_LOS implemented - Option : TX_FAULT implemented - Option : TX_DISABLE implemented - BR margin, max : 0% - BR margin, min : 0% - Vendor SN : FNS092xxxxx - Date code : 0506xx diff --git a/docs/configuration/interfaces/rst-geneve.rst b/docs/configuration/interfaces/rst-geneve.rst deleted file mode 100644 index bcd6c591..00000000 --- a/docs/configuration/interfaces/rst-geneve.rst +++ /dev/null @@ -1,100 +0,0 @@ -:lastproofread: 2026-02-02 - -.. _geneve-interface: - -###### -Geneve -###### - -:abbr:`Geneve (Generic Network Virtualization Encapsulation)` interfaces -operate as virtual network ports. Administrators can apply standard network -configurations on them, such as IP addressing, bridging, or firewall rules, -just as they would on physical Ethernet ports. - -The Geneve protocol encapsulates Layer 2 Ethernet frames originating from -endpoints such as virtual machines, containers, or physical servers inside UDP -packets. It unifies the features of earlier encapsulation protocols, including -VXLAN, NVGRE, and STT, and addresses their limitations, such as fixed header -structures and a lack of metadata support. Because of its extensibility, Geneve -may eventually replace those older protocols. - -Geneve tunnels are used to connect virtual switches residing within -hypervisors, physical switches, middleboxes, and other network appliances. - -Geneve tunnels operate over any standard IP network. In larger deployments, -the underlying network (underlay) is often built using a **Clos** topology, -also known as a *leaf-and-spine* or *fat-tree* topology. - -Geneve header: - -.. code-block:: none - - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - |Ver| Opt Len |O|C| Rsvd. | Protocol Type | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Virtual Network Identifier (VNI) | Reserved | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Variable Length Options | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-address.txt - :var0: geneve - :var1: gnv0 - -.. cmdinclude:: /_include/interface-description.txt - :var0: geneve - :var1: gnv0 - -.. cmdinclude:: /_include/interface-disable.txt - :var0: geneve - :var1: gnv0 - -.. cmdinclude:: /_include/interface-mac.txt - :var0: geneve - :var1: gnv0 - -.. cmdinclude:: /_include/interface-mtu.txt - :var0: geneve - :var1: gnv0 - -.. cmdinclude:: /_include/interface-ip.txt - :var0: geneve - :var1: gnv0 - -.. cmdinclude:: /_include/interface-ipv6.txt - :var0: geneve - :var1: gnv0 - -Geneve options -============== - -.. cfgcmd:: set interfaces geneve gnv0 remote <address> - - Configure the remote endpoint IP address for the Geneve tunnel. - -.. cfgcmd:: set interfaces geneve gnv0 vni <vni> - - **Configure** :abbr:`VNI (Virtual Network Identifier)` **for the Geneve - interface.** - - The VNI is a virtual network identifier. It allows multiple virtual networks to - share the same physical infrastructure and remain isolated. - - The VNI is also used to distribute traffic after it leaves the tunnel, for - example, to map packets with overlapping IP addresses to specific routing - tables. - -.. cfgcmd:: set interfaces gnv0 <interface> port <port> - - **Configure the destination UDP port for the remote Geneve tunnel endpoint.** - - Ensure the remote peer is configured to listen on this specific port. - - diff --git a/docs/configuration/interfaces/rst-index.rst b/docs/configuration/interfaces/rst-index.rst deleted file mode 100644 index 46d521b0..00000000 --- a/docs/configuration/interfaces/rst-index.rst +++ /dev/null @@ -1,28 +0,0 @@ -########## -Interfaces -########## - - -.. toctree:: - :maxdepth: 1 - :includehidden: - - bonding - bridge - dummy - ethernet - geneve - l2tpv3 - loopback - macsec - openvpn - wireguard - pppoe - pseudo-ethernet - sstp-client - tunnel - virtual-ethernet - vti - vxlan - wireless - wwan diff --git a/docs/configuration/interfaces/rst-l2tpv3.rst b/docs/configuration/interfaces/rst-l2tpv3.rst deleted file mode 100644 index 692dff93..00000000 --- a/docs/configuration/interfaces/rst-l2tpv3.rst +++ /dev/null @@ -1,167 +0,0 @@ -:lastproofread: 2026-02-05 - -.. _l2tpv3-interface: - -###### -L2TPv3 -###### - -:abbr:`L2TPv3 (Layer 2 Tunneling Protocol version 3)` interfaces let you -establish L2TPv3 tunnels to transport Layer 2 traffic over IP networks. - -The L2TPv3 protocol (defined in RFC 3931) wraps Layer 2 frames (e.g., Ethernet, -Frame Relay, HDLC) within IP packets, allowing them to traverse the underlying -IP infrastructure. - -Unlike L2TPv2, which strictly requires UDP encapsulation, the L2TPv3 protocol -is more flexible and supports two encapsulation types: - - * **Direct IP:** Tunnel data is encapsulated directly inside IP packets - (Protocol 115) for lower overhead. - * **UDP:** Tunnel data is encapsulated inside a UDP datagram. This allows the - tunnel to traverse NAT more easily. - -L2TPv3 tunnels connect geographically separated sites, serving as a simpler -alternative to :ref:`mpls` by operating over basic IP connectivity rather than -requiring a full MPLS infrastructure. - -L2TPv3 tunnels can be established over both IPv4 and IPv6 underlying networks. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-common-without-dhcp.txt - :var0: l2tpv3 - :var1: l2tpeth0 - -L2TPv3 options -============== - -Use the following commands to configure the L2TPv3 tunnel's specific parameters. - -.. cfgcmd:: set interfaces l2tpv3 <interface> encapsulation <udp | ip> - - **Configure the encapsulation type for the L2TPv3 tunnel.** - - Valid values are ``udp`` and ``ip``. - - The default encapsulation type is ``udp``. - -.. note:: The encapsulation type must match on both the local and remote peers - for the tunnel to establish. - -.. cfgcmd:: set interfaces l2tpv3 <interface> source-address <address> - - **Configure the L2TPv3 tunnel source IP address.** - - The specified address must be a local interface IP address and can be either - IPv4 or IPv6. - -.. cfgcmd:: set interfaces l2tpv3 <interface> remote <address> - - **Configure the L2TPv3 tunnel destination IP address.** - - The specified address must be a remote peer’s interface IP address and can be - either IPv4 or IPv6. - -.. cfgcmd:: set interfaces l2tpv3 <interface> session-id <id> - - **Configure the local session ID within the L2TPv3 tunnel.** - - The ``session-id`` is a 32-bit value that identifies an incoming tunnel session - on the local peer. - - The ``peer-session-id`` that identifies this session on the remote peer must be - set to the same value. - -.. cfgcmd:: set interfaces l2tpv3 <interface> peer-session-id <id> - - **Configure the peer session ID within the L2TPv3 tunnel.** - - The ``peer-session-id`` is a 32-bit value that identifies an outgoing tunnel - session from the local peer. - - The ``peer-session-id`` must match the ``session-id`` configured for this - session on the remote peer. - -.. cfgcmd:: set interfaces l2tpv3 <interface> tunnel-id <id> - - **Configure the local identifier for the L2TPv3 tunnel.** - - The ``tunnel-id`` is a 32-bit value that identifies the L2TPv3 tunnel on the - local peer. - - The ``peer-tunnel-id`` that identifies this tunnel on the remote peer must be - set to the same value. - -.. cfgcmd:: set interfaces l2tpv3 <interface> peer-tunnel-id <id> - - **Configure the peer identifier for the L2TPv3 tunnel.** - - The ``peer-tunnel-id`` is a 32-bit value that identifies the L2TPv3 tunnel on - the remote peer and must correspond to the ``tunnel-id`` configured for that - tunnel on that peer. - - The ``peer-tunnel-id`` must match the ``tunnel-id`` that identifies this tunnel - on the remote peer. - -******* -Example -******* - -L2TPv3 tunnel with IP encapsulation -=================================== - -The following example shows the configuration of an L2TPv3 tunnel using direct -IP encapsulation: - -.. code-block:: none - - # show interfaces l2tpv3 - l2tpv3 l2tpeth10 { - address 192.168.37.1/27 - encapsulation ip - source-address 192.0.2.1 - peer-session-id 100 - peer-tunnel-id 200 - remote 203.0.113.24 - session-id 100 - tunnel-id 200 - } - -The inverse configuration must be applied to the remote peer. - -L2TPv3 tunnel with UDP encapsulation -==================================== - -The following example shows the configuration of an L2TPv3 tunnel using UDP -encapsulation. - -This setup is recommended when the tunnel traverses NAT devices. - -Configuration notes: - -* Use a local LAN IP address as the ``source-address``. -* Configure a forwarding rule to allow tunnel traffic on the specified UDP port - on the upstream NAT device. -* Use a distinct UDP port for each individual tunnel. - -.. code-block:: none - - # show interfaces l2tpv3 - l2tpv3 l2tpeth10 { - address 192.168.37.1/27 - destination-port 9001 - encapsulation udp - source-address 192.0.2.1 - peer-session-id 100 - peer-tunnel-id 200 - remote 203.0.113.24 - session-id 100 - source-port 9000 - tunnel-id 200 - } diff --git a/docs/configuration/interfaces/rst-loopback.rst b/docs/configuration/interfaces/rst-loopback.rst deleted file mode 100644 index 68158111..00000000 --- a/docs/configuration/interfaces/rst-loopback.rst +++ /dev/null @@ -1,65 +0,0 @@ -:lastproofread: 2026-01-23 - -.. _loopback-interface: - -######## -Loopback -######## - -The loopback interface is a virtual, software-based network interface. All -traffic sent to it loops back and only targets services on the local host. - -.. note:: Only one loopback ``lo`` interface is allowed per operating system. - If you require multiple virtual interfaces, use the :ref:`dummy-interface` - interface type. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-address.txt - :var0: loopback - :var1: lo - -.. cmdinclude:: /_include/interface-description.txt - :var0: loopback - :var1: lo - -********* -Operation -********* - -.. opcmd:: show interfaces loopback - - Show brief interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces loopback - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - lo 127.0.0.1/8 u/u - ::1/128 - -.. opcmd:: show interfaces loopback lo - - Show detailed interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces loopback lo - lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 300 6 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 300 6 0 0 0 0 diff --git a/docs/configuration/interfaces/rst-macsec.rst b/docs/configuration/interfaces/rst-macsec.rst deleted file mode 100644 index 2a893943..00000000 --- a/docs/configuration/interfaces/rst-macsec.rst +++ /dev/null @@ -1,322 +0,0 @@ -:lastproofread: 2026-02-13 - -.. _macsec-interface: - -###### -MACsec -###### - -MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in -2006. It enables protocol-independent connectivity between two hosts, providing -data confidentiality, authenticity, and integrity using GCM-AES ciphers. MACsec -operates at the Ethernet layer as a Layer 2 protocol and secures traffic within -Layer 2 networks, including DHCP and ARP requests. It does not compete with -other security solutions, such as IPsec (Layer 3) or TLS (Layer 4), as each -addresses distinct use cases. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-common-with-dhcp.txt - :var0: macsec - :var1: macsec0 - -MACsec options -============== - -.. cfgcmd:: set interfaces macsec <interface> security cipher <gcm-aes-128|gcm-aes-256> - - **Configure the cipher suite for the MACsec interface.** - - This configuration parameter is mandatory. - -.. cfgcmd:: set interfaces macsec <interface> security encrypt - - **Enable encryption on the MACsec interface.** - - By default, MACsec interfaces only provide authentication; encryption is - optional. - - When enabled, outgoing packets are encrypted using the configured cipher suite. - -.. cfgcmd:: set interfaces macsec <interface> source-interface <physical-source> - - **Configure a physical source interface for the MACsec interface.** - - Traffic transmitted through this interface is authenticated and, if configured, - encrypted. - -MACsec key management ---------------------- - -**Static** :abbr:`SAK (Secure Authentication Key)` **mode** - -In static SAK mode, administrators must manually configure and update SAKs on -each MACsec peer. :abbr:`MKA (MACsec Key Agreement protocol)` cannot be used in -this mode. - -.. cfgcmd:: set interfaces macsec <interface> security static key <key> - - **Configure the Transmit (TX) SAK for the MACsec interface.** - - The key must be a 16-byte (GCM-AES-128) or 64-byte (GCM-AES-256) hexadecimal - string. - -.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> mac <mac address> - - **Configure the MAC address associated with the MACsec peer.** - -.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> key <key> - - **Configure the RX SAK for traffic from the MACsec peer.** - - The key must be a 16-byte (GCM-AES-128) or 64-byte (GCM-AES-256) hexadecimal - string. - -.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> disable - - Disable the specific MACsec peer. - - -**Dynamic** :abbr:`MKA (MACsec Key Agreement protocol)` **mode** - -In this mode, the :abbr:`MKA (MACsec Key Agreement protocol)` protocol is used -to generate, distribute, and update :abbr:`CAKs (MACsec Connectivity -Association Keys)`, and to authenticate MACsec peers. - - -.. cfgcmd:: set interfaces macsec <interface> security mka cak <key> - - **Configure the** :abbr:`CAK (MACsec Connectivity Association Key)` **for the - MACsec interface.** - - The :abbr:`CAK (MACsec Connectivity Association Key)` and its :abbr:`CKN - (MACsec Connectivity Association Key Name)` form the pre-shared master key pair - used to authenticate MACsec peers. - -.. cfgcmd:: set interfaces macsec <interface> security mka ckn <key> - - Configure the :abbr:`CKN (MACsec Connectivity Association Key Name)` for the - MACsec interface. - -.. cfgcmd:: set interfaces macsec <interface> security mka priority <priority> - - Configure the MKA key server priority for the MACsec interface. - - The peer with the lowest priority is elected as the key server. - -Replay protection ------------------ - -.. cfgcmd:: set interfaces macsec <interface> security replay-window <window> - - The replay protection window defines how many out-of-order frames can be - received before they are dropped as a potential replay attack. - - The following values are valid: - - - ``0``: Any out-of-order frame is immediately dropped. - - ``1-4294967295``: Allows the specified number of out-of-order frames. - -********* -Operation -********* - -.. opcmd:: run generate macsec mka cak <gcm-aes-128|gcm-aes-256> - - Generate a 128-bit (GCM-AES-128) or 256-bit (GCM-AES-256) :abbr:`MKA (MACsec - Key Agreement protocol)` :abbr:`CAK (MACsec Connectivity Association Key)`. - - .. code-block:: none - - vyos@vyos:~$ generate macsec mka cak gcm-aes-128 - 20693b6e08bfa482703a563898c9e3ad - -.. opcmd:: run generate macsec mka ckn - - Generate an :abbr:`MKA (MACsec Key Agreement protocol)` :abbr:`CAK (MACsec - Connectivity Association Key)`. - - .. code-block:: none - - vyos@vyos:~$ generate macsec mka ckn - 88737efef314ee319b2cbf30210a5f164957d884672c143aefdc0f5f6bc49eb2 - -.. opcmd:: show interfaces macsec - - Show all MACsec interfaces. - - .. code-block:: none - - vyos@vyos:~$ show interfaces macsec - 17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off - cipher suite: GCM-AES-128, using ICV length 16 - TXSC: 005056bfefaa0001 on SA 0 - 20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off - cipher suite: GCM-AES-128, using ICV length 16 - TXSC: 005056bfefaa0001 on SA 0 - -.. opcmd:: show interfaces macsec <interface> - - Show information for a specific MACsec interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces macsec macsec1 - 17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off - cipher suite: GCM-AES-128, using ICV length 16 - TXSC: 005056bfefaa0001 on SA 0 - -******** -Examples -******** - -**Site-to-site MACsec with dynamic MKA over an untrusted network** - -In the following example, two routers (R1 and R2) are connected via an -untrusted switch, using their ``eth1`` interfaces as the underlay. The MACsec -interface (``macsec1``) with dynamic MKA encrypts traffic between them. - -Topology details: - -* R1 IP addresses: ``192.0.2.1/24`` and ``2001:db8::1/64``. -* R2 IP addresses: ``192.0.2.2/24`` and ``2001:db8::2/64``. - -**R1** - -.. code-block:: none - - set interfaces macsec macsec1 address '192.0.2.1/24' - set interfaces macsec macsec1 address '2001:db8::1/64' - set interfaces macsec macsec1 security cipher 'gcm-aes-128' - set interfaces macsec macsec1 security encrypt - set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4' - set interfaces macsec macsec1 security mka ckn '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836' - set interfaces macsec macsec1 source-interface 'eth1' - -**R2** - -.. code-block:: none - - set interfaces macsec macsec1 address '192.0.2.2/24' - set interfaces macsec macsec1 address '2001:db8::2/64' - set interfaces macsec macsec1 security cipher 'gcm-aes-128' - set interfaces macsec macsec1 security encrypt - set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4' - set interfaces macsec macsec1 security mka ckn '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836' - set interfaces macsec macsec1 source-interface 'eth1' - -Pinging (IPv6) the other host and intercepting traffic on ``eth1`` confirm that -the content is encrypted. - -.. code-block:: none - - 17:35:44.586668 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150: - 0x0000: 2c00 0000 000a 0050 56bf efaa 0001 d9fb ,......PV....... - 0x0010: 920a 8b8d 68ed 9609 29dd e767 25a4 4466 ....h...)..g%.Df - 0x0020: 5293 487b 9990 8517 3b15 22c7 ea5c ac83 R.H{....;."..\.. - 0x0030: 4c6e 13cf 0743 f917 2c4e 694e 87d1 0f09 Ln...C..,NiN.... - 0x0040: 0f77 5d53 ed75 cfe1 54df 0e5a c766 93cb .w]S.u..T..Z.f.. - 0x0050: c4f2 6e23 f200 6dfe 3216 c858 dcaa a73b ..n#..m.2..X...; - 0x0060: 4dd1 9358 d9e4 ed0e 072f 1acc 31c4 f669 M..X...../..1..i - 0x0070: e93a 9f38 8a62 17c6 2857 6ac5 ec11 8b0e .:.8.b..(Wj..... - 0x0080: 6b30 92a5 7ccc 720b k0..|.r. - -Disabling encryption on the MACsec interface by removing the ``security -encrypt`` option shows the unencrypted but authenticated content. - -.. code-block:: none - - 17:37:00.746155 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150: - 0x0000: 2000 0000 0009 0050 56bf efaa 0001 86dd .......PV....... - 0x0010: 6009 86f3 0040 3a40 2001 0db8 0000 0000 `....@:@........ - 0x0020: 0000 0000 0000 0001 2001 0db8 0000 0000 ................ - 0x0030: 0000 0000 0000 0002 8100 d977 0f30 0003 ...........w.0.. - 0x0040: 1ca0 c65e 0000 0000 8d93 0b00 0000 0000 ...^............ - 0x0050: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................ - 0x0060: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./ - 0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+ - 0x0080: a282 c842 5254 ef28 ...BRT.( - -**Site-to-site MACsec with static SAK over an untrusted network** - -This example uses the same topology as above, but applies static SAK mode to -the MACsec interface configuration. - -**R1** - -.. code-block:: none - - set interfaces macsec macsec1 address '192.0.2.1/24' - set interfaces macsec macsec1 address '2001:db8::1/64' - set interfaces macsec macsec1 security cipher 'gcm-aes-128' - set interfaces macsec macsec1 security encrypt - set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' - set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02 - set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' - set interfaces macsec macsec1 source-interface 'eth1' - -**R2** - -.. code-block:: none - - set interfaces macsec macsec1 address '192.0.2.2/24' - set interfaces macsec macsec1 address '2001:db8::2/64' - set interfaces macsec macsec1 security cipher 'gcm-aes-128' - set interfaces macsec macsec1 security encrypt - set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' - set interfaces macsec macsec1 security static peer R1 mac 00:11:22:33:44:01 - set interfaces macsec macsec1 security static peer R1 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' - set interfaces macsec macsec1 source-interface 'eth1' - -*************** -MACsec over WAN -*************** - -MACsec offers an alternative to traditional tunneling solutions by securing -Layer 2 with integrity, origin authentication, and optional encryption. - -While typically deployed between hosts and access switches, MACsec can also -secure traffic over a WAN. In the following example, we combine VXLAN (for -transport) and MACsec (for security) to create a secure tunnel between two -sites. - -**R1 MACsec01** - -.. code-block:: none - - set interfaces macsec macsec1 address '192.0.2.1/24' - set interfaces macsec macsec1 address '2001:db8::1/64' - set interfaces macsec macsec1 security cipher 'gcm-aes-128' - set interfaces macsec macsec1 security encrypt - set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' - set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' - set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02' - set interfaces macsec macsec1 source-interface 'vxlan1' - set interfaces vxlan vxlan1 mac '00:11:22:33:44:01' - set interfaces vxlan vxlan1 remote '10.1.3.3' - set interfaces vxlan vxlan1 source-address '172.16.100.1' - set interfaces vxlan vxlan1 vni '10' - set protocols static route 10.1.3.3/32 next-hop 172.16.100.2 - -**R2 MACsec02** - -.. code-block:: none - - set interfaces macsec macsec1 address '192.0.2.2/24' - set interfaces macsec macsec1 address '2001:db8::2/64' - set interfaces macsec macsec1 security cipher 'gcm-aes-128' - set interfaces macsec macsec1 security encrypt - set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' - set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' - set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01' - set interfaces macsec macsec1 source-interface 'vxlan1' - set interfaces vxlan vxlan1 mac '00:11:22:33:44:02' - set interfaces vxlan vxlan1 remote '10.1.2.2' - set interfaces vxlan vxlan1 source-address '172.16.100.2' - set interfaces vxlan vxlan1 vni '10' - set protocols static route 10.1.2.2/32 next-hop 172.16.100.1 diff --git a/docs/configuration/interfaces/rst-openvpn-examples.rst b/docs/configuration/interfaces/rst-openvpn-examples.rst deleted file mode 100644 index 6e746e46..00000000 --- a/docs/configuration/interfaces/rst-openvpn-examples.rst +++ /dev/null @@ -1,929 +0,0 @@ - -############ -Site-to-site -############ - -.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd - directives for command coverage tracking. - -OpenVPN is popular for client-server setups, but its site-to-site mode is less -common and often not supported by router appliances. Despite limited support, -it is effective for quickly establishing tunnels between routers. - -As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or -x.509 certificates. - -Pre-shared key mode is now deprecated and will be removed from future OpenVPN -versions. VyOS will also discontinue support for this option because pre-shared -keys are significantly less secure than TLS. - -We will configure OpenVPN with self-signed certificates, and then discuss the -legacy pre-shared key mode. - -In both cases, we will use the following settings: - -* The public IP address of the local VPN endpoint is 198.51.100.10. -* The public IP address of the remote VPN endpoint is 203.0.113.11. -* The tunnel uses 10.255.1.1 for the local IP address and 10.255.1.2 for the - remote IP address. -* The local site has a subnet of 10.0.0.0/16. -* The remote site has a subnet of 10.1.0.0/16. -* The official OpenVPN port 1194 is reserved for client VPN. For site-to-site - VPN, port 1195 is used. -* The ``persistent-tunnel`` directive allows us to configure tunnel-related - attributes, such as firewall policy, as we would on any standard network - interface. -* If known, the remote router's IP address can be configured using the - ``remote-host`` directive. If unknown, it can be omitted. We assume - the remote router has a dynamic IP address. - - -.. figure:: /_static/images/openvpn_site2site_diagram.* - -Set up site-to-site certificates --------------------------------- - -Deploying a complete Public Key Infrastructure (PKI) with a Certificate -Authority (CA) would overcomplicate site-to-site OpenVPN setups, which are -primarily designed for simplicity. To keep their configuration simple without -compromising security, VyOS 1.4 and later lets you verify self-signed -certificates using certificate fingerprints. - -Generate a self-signed certificate on each router, preferably using the -Elliptic Curve (EC) type. In configuration mode, run the following command: -``run generate pki certificate self-signed install <name>``. This adds the -certificate to the configuration session's ``pki`` subtree. Review and commit -the changes. - -.. stop_vyoslinter - -.. code-block:: none - - vyos@vyos# run generate pki certificate self-signed install openvpn-local - Enter private key type: [rsa, dsa, ec] (Default: rsa) ec - Enter private key bits: (Default: 256) - Enter country code: (Default: GB) - Enter state: (Default: Some-State) - Enter locality: (Default: Some-City) - Enter organization name: (Default: VyOS) - Enter common name: (Default: vyos.io) - Do you want to configure Subject Alternative Names? [y/N] - Enter how many days certificate will be valid: (Default: 365) - Enter certificate type: (client, server) (Default: server) - Note: If you plan to use the generated key on this router, do not encrypt the private key. - Do you want to encrypt the private key with a passphrase? [y/N] - 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - [edit] - - vyos@vyos# compare - [pki] - + certificate openvpn-local { - + certificate "MIICJTCCAcugAwIBAgIUMXLfRNJ5iOjk/uAZqUe4phW8MdgwCgYIKoZIzj0EAwIwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA5MDcyMTQzMTNaFw0yNDA5MDYyMTQzMTNaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMWo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUBrAxRdFppdG/UBRdo7qNyHutaTQwHwYDVR0jBBgwFoAUBrAxRdFppdG/UBRdo7qNyHutaTQwCgYIKoZIzj0EAwIDSAAwRQIhAI2+8C92z9wTcTWkQ/goRxs10EBC+h78O+vgo9k97z5iAiBSeqfaVr5taQTS31+McGTAK3cYWNTg0DlOBI8aKO2oRg==" - + private { - + key "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtOeEb0dMb5P/2Exi09WWvk6Cvz0oOBoDuP68ZimS2LShRANCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMW" - + } - + } - - [edit] - - vyos@vyos# commit - -.. start_vyoslinter - -You do **not** need to copy the certificate to the other router. Instead, -retrieve its SHA-256 fingerprint. Since OpenVPN currently supports only SHA-256 -fingerprints, use the following command: - -.. stop_vyoslinter - -.. code-block:: none - - vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 - 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79 - -.. start_vyoslinter - -.. note:: Certificate names are arbitrary. While ``openvpn-local`` and - ``openvpn-remote`` are used here, you may choose any names. - -Repeat the procedure on the other router. - -Set up site-to-site OpenVPN ---------------------------- - -Local configuration: - -.. stop_vyoslinter - -.. code-block:: none - - Configure the tunnel: - - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '203.0.113.11' # Public IP of the other side - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface - set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface - set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate - set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256' on the remote router - set interfaces openvpn vtun1 tls role active - -Remote configuration: - -.. code-block:: none - - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface - set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface - set interfaces openvpn vtun1 tls certificate 'openvpn-remote' # The self-signed certificate - set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 on the local router - set interfaces openvpn vtun1 tls role passive - -.. start_vyoslinter - -Set up pre-shared keys ----------------------- - -Before VyOS 1.4, site-to-site OpenVPN without PKI required pre-shared keys. -This option is still available but is deprecated and will be removed in future -releases. If you need to set up a tunnel to an older VyOS version or a system -with older OpenVPN, you still need to use pre-shared keys. - -First, generate a key by running ``run generate pki openvpn shared-secret -install <name>`` in configuration mode. You can use any name; in this example, -we use ``s2s``. - -.. stop_vyoslinter - -.. code-block:: none - - vyos@local# run generate pki openvpn shared-secret install s2s - 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - [edit] - vyos@local# compare - [pki openvpn shared-secret] - + s2s { - + key "7c73046a9da91e874d31c7ad894a32688cda054bde157c64270f28eceebc0bb2f44dbb70335fad45148b0456aaa78cb34a34c0958eeed4f75e75fd99ff519ef940f7029a316c436d2366a2b0fb8ea1d1c792a65f67d10a461af83ef4530adc25d1c872de6d9c7d5f338223d1f3b66dc3311bbbddc0e05228c47b91c817c721aadc7ed18f0662df52ad14f898904372679e3d9697d062b0869d12de47ceb2e626fa12e1926a3119be37dd29c9b0ad81997230f4038926900d5edb78522d2940cfe207f8e2b948e0d459fa137ebb18064ac5982b28dd1899020b4f2b082a20d5d4eb65710fbb1e62b5e061df39620267eab429d3eedd9a1ae85957457c8e4655f3" - + version "1" - + } - - [edit] - - vyos@local# commit - [edit] - -.. start_vyoslinter - -Next, install the key on the remote router: - -.. code-block:: none - - vyos@remote# set pki openvpn shared-secret s2s key <generated key string> - -Finally, configure the key in your OpenVPN interface settings: - -.. code-block:: none - - set interfaces openvpn vtun1 shared-secret-key s2s - -Set up firewall exceptions --------------------------- - -To allow OpenVPN traffic to pass through the WAN interface, create a firewall -exception: - -.. stop_vyoslinter - -.. code-block:: none - - set firewall ipv4 name OUTSIDE_LOCAL rule 10 action 'accept' - set firewall ipv4 name OUTSIDE_LOCAL rule 10 description 'Allow established/related' - set firewall ipv4 name OUTSIDE_LOCAL rule 10 state 'established' - set firewall ipv4 name OUTSIDE_LOCAL rule 10 state 'related' - set firewall ipv4 name OUTSIDE_LOCAL rule 20 action 'accept' - set firewall ipv4 name OUTSIDE_LOCAL rule 20 description 'OpenVPN_IN' - set firewall ipv4 name OUTSIDE_LOCAL rule 20 destination port '1195' - set firewall ipv4 name OUTSIDE_LOCAL rule 20 log - set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol 'udp' - -.. start_vyoslinter - -Apply the OUTSIDE_LOCAL firewall group to the WAN interface and to the input -filter for traffic destined for the router itself: - -.. code-block:: none - - set firewall ipv4 input filter rule 10 action 'jump' - set firewall ipv4 input filter rule 10 inbound-interface name eth0 - set firewall ipv4 input filter rule 10 jump-target OUTSIDE_LOCAL - -Static routing: - -Configure static routes by referencing the tunnel interface. For example, if -the local router's network is ``10.0.0.0/16`` and the remote router's network -is ``10.1.0.0/16``, define the routes as follows: - -Local configuration: - -.. code-block:: none - - set protocols static route 10.1.0.0/16 interface vtun1 - -Remote configuration: - -.. code-block:: none - - set protocols static route 10.0.0.0/16 interface vtun1 - -As with standard Ethernet interfaces, you can apply firewall policies to the -tunnel interface for input, output, and forward directions. - -If you use multiple tunnels, OpenVPN must distinguish between them beyond just -the pre-shared key. To achieve this, assign either unique IP addresses or -unique ports to each tunnel. - -Verify OpenVPN status using the show openvpn operational commands. - -.. stop_vyoslinter - -.. code-block:: none - - vyos@vyos:~$ show openvpn site-to-site - - OpenVPN status on vtun1 - - Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since - ----------- ----------------- ----------- ------------ ---------- ---------- ----------------- - N/A 10.110.12.54:1195 N/A N/A 504.0 B 656.0 B N/A - -.. start_vyoslinter - -Server-client -============= - -In OpenVPN’s server-client mode, the server acts as a central hub, allowing -multiple clients to connect and securely route their traffic or access a -private network. Multi-client server is the most popular OpenVPN mode for -routers. - -Set up server-client certificates ---------------------------------- - -Server-client mode always uses x.509 authentication and therefore requires a -PKI setup. The PKI utility now simplifies the creation of Certificate -Authorities (CAs), server and client certificates, and Diffie-Hellman keys -directly in VyOS using configuration or operational mode commands. - -On the server, generate all certificates by running the following commands in -configuration mode. The certificates will be added to the configuration -session's PKI subtree. - -Certificate Authority (CA): - -.. stop_vyoslinter - -.. code-block:: none - - vyos@vyos# run generate pki ca install ca-1 - Enter private key type: [rsa, dsa, ec] (Default: rsa) - Enter private key bits: (Default: 2048) - Enter country code: (Default: GB) - Enter state: (Default: Some-State) - Enter locality: (Default: Some-City) - Enter organization name: (Default: VyOS) - Enter common name: (Default: vyos.io) ca-1 - Enter how many days certificate will be valid: (Default: 1825) - Note: If you plan to use the generated key on this router, do not encrypt the private key. - Do you want to encrypt the private key with a passphrase? [y/N] - 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - [edit] - vyos@vyos# compare - [pki] - + ca ca-1 { - + certificate "MIIDlzCCAn+gAwIBAgIUQW7AtPu0Qzp7VzT0TyYx83/ME8swDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTIyMjJaFw0zMDA2MTAxMTIyMjJaMFQxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxDTALBgNVBAMMBGNhLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDi+v6i241T9ABxq1ngjWxDQITkqjV0nq2Jb3HSSuQpXRCu7DWdQZlbvnMHnkV/WTL0RNgkhS4iV/WYhE+bLihwiZ0GTeQnUd1QJSkusFROX46w6kKXYUR5IQtcBC+vdky8PESynPd+DXsJn5X9JTWqDeviUAQz/ZjDzWk+71MBCqa+Zps1zpIjK0ywn7pR/HnDrxJOQXlBMNgvbv8U3IAZ2jJp0jTB8TnuDtWSA+XZejMm/EN/AWUQyliX6OJFSCIhBL2BZ9lmVms4/HkRpbd50k3vvCoz+lAOEE6VsH0fEdLC3lZ+CtXZ7kjp2wdWWuSs5ggIJYZZkixsCisbtEmbAgMBAAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUAG9lvr7AzJ/y4vY/XlWxXru+6m0wDQYJKoZIhvcNAQELBQADggEBAKsu4eZa8Fha9aKfuKqlGQHPpEFfVDaVJmebw0uMw+b5Y8EpBxzZrgbqbk3Mty8pBjNa9jkZzph04gHN4pR6kg3iQlUKGxZUfsB9ZUjKhkgNdUI9zq1323MKEvuIuYdt61DCfBHwY6Xax5Ge+BahR2bXdPaQH452/+xMTqkukkpLbioTeIDg6FCU2HYPY5emDF5DDZAZWXtTqi0zdT3Y6FqiTvs5VuWwXCcp+HM+Lwe1/VVJhwi4CHTq0CKWnQIH5blYjmyxzRBlrlZm4ntWlL5Mtepa1A3DJirY4kw/SqMAAh/Q9lh41JzBc8epf+OdnOzK55YmtmctGO2o+NBCFi0=" - + private { - + key "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDi+v6i241T9ABxq1ngjWxDQITkqjV0nq2Jb3HSSuQpXRCu7DWdQZlbvnMHnkV/WTL0RNgkhS4iV/WYhE+bLihwiZ0GTeQnUd1QJSkusFROX46w6kKXYUR5IQtcBC+vdky8PESynPd+DXsJn5X9JTWqDeviUAQz/ZjDzWk+71MBCqa+Zps1zpIjK0ywn7pR/HnDrxJOQXlBMNgvbv8U3IAZ2jJp0jTB8TnuDtWSA+XZejMm/EN/AWUQyliX6OJFSCIhBL2BZ9lmVms4/HkRpbd50k3vvCoz+lAOEE6VsH0fEdLC3lZ+CtXZ7kjp2wdWWuSs5ggIJYZZkixsCisbtEmbAgMBAAECggEAZdykF6wV8Z4n8NsoG4j8E/ZJbWEhWjO3x1y3JNutJw735LhmmysMSsreToXtxGfgYRTgNwt5l7oHoqmGHCsLxO1NBb5A7JBllIkIwUYqn31syOJofg0NsJpuwZ2zVLfvWe5mGg4tV2lvVPNEWXWwbp+Ow2KLcFWXkA+H8tFuW6F2mH3ntYlIi/WiCNjsEotNx8Kk7OVwt43DbkN/rbF5lxquuLedaSspOHuhIAOfZB5ZySfqohQalSAaguVD66rGPMrerZ2Vc7B1iJ6Mn/KZrSaQeHwyWrwDDHdzVwG9waydevtGTVO0dvH4etWnRypDx8p1FPJJKD4XVcsl3rR6oQKBgQD497Ep2RJcbNnKVj+kNXGriSGmyRSp6CL61KotepzgucK0RtGMeFJge56/otMHMAxIOcDMX6vRn2MB2pqVqwqUBQy6JfLrSemdpIjMN9xlX6Dw3BWP39SdewZ896/Eo0Q1ythMj1ORp+u3PqOlSa14Cy9aPwDWmNy2deD68YDnsQKBgQDpZE/T84BMQ0FzL6NRijZRzR6Dc775hRfmmSTYI0KqpG0gXNSc5UgrWSLN5H7fnx36mT01P7UkgXCInV0AlJOfkt4a8QTqM1Fh/rZbLLWpQE55S6Fs28GDiFYl2kvZT/TtxhA/E0POf/YXl/8KITS7ZVAZxE8rxBe1hVUfDbnlCwKBgQDeWUguGaGeTdCMNk8MNnbYPdaCAB+mRp3G6ls51sF4qi5Lltva2jKn3H/AoohZaP3vGzUm0WLACdsAct2QQXtnCsN9FBtJK2+qzKEn0dPR7X/s3IGdRse6BX+b6BFgSnfGmuxmI7L86L1JoHXCTnTQOx0FOjNjdI3ZnplZRIpdYQKBgFJacASU9l9yl+SiGZnLEDG7FBpEPE3lVbKrtSGDB6IY1NzHhMo76URKdop6Jv6XMcfcTIm+ihdwiRnblRaAVrrG4xJUm2xcYUoXy5bOZudq5oXMVxCHVngoImXG6l6q5P0Fl3P6Q0HZSye2HWsgnm/FZwdAisMhtU/61TdY65BTAoGBAM4jKeImiXta5lz1RgNiW/TPhft3UbOLj3TbzchNCNAamqCv4Tmh9YKB2d/mz2hNxbnAGe2cYn4iRYKcjJLMZ0UfBL2WxlrgQYQPPGzSD0fH1pLIXPohpBZpsGqNR3Nc8Jd+Uw3IiIJ2oxPCOPTOJsklNB0Xf1AlUUagB16bhhZZ" - + } - + } - - [edit] - vyos@vyos# commit - - -Server certificate: - -.. code-block:: none - - vyos@vyos# run generate pki certificate sign ca-1 install srv-1 - Do you already have a certificate request? [y/N] N - Enter private key type: [rsa, dsa, ec] (Default: rsa) - Enter private key bits: (Default: 2048) - Enter country code: (Default: GB) - Enter state: (Default: Some-State) - Enter locality: (Default: Some-City) - Enter organization name: (Default: VyOS) - Enter common name: (Default: vyos.io) srv-1 - Do you want to configure Subject Alternative Names? [y/N] - Enter how many days certificate will be valid: (Default: 365) - Enter certificate type: (client, server) (Default: server) server - Note: If you plan to use the generated key on this router, do not encrypt the private key. - Do you want to encrypt the private key with a passphrase? [y/N] - 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - [edit] - vyos@vyos# compare - [pki certificate] - + srv-1 { - + certificate "MIIDrDCCApSgAwIBAgIULpu+qZjfG01kUI58XNmqXbQC3qQwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTMxMDJaFw0yNjA2MTExMTMxMDJaMFUxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxDjAMBgNVBAMMBXNydi0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAysTrMfVH63aVidJT7bIf+zLwkLse07nGsv4aliGEbufr239RBHV4Jn8LbQ+nB/8mhYGjNY4OnZ7NYz3FU/iglo8qFtaZ26mWtPWpv2xW1F8JAEK7l5BAg42cBucxiIZFeRm+jkE6VN1bcNU0utnn3sbCwZMyH6pS9k08G1qrrFLA7ZFhv5AmgJcODmO8sigSAu7rRS/6O3eO6ICnVjvIfHLb+9DKKUEffHzFV8RrkqVCGmgisz9fF+j1Rvg9s+ylNc2lZJTbb1XnzixvSRro4t9I3uIWdpJ0iOu09YiTXGQgH9ER6V3rFiX00RdSiSXf+MJCV64hC1msg+8V3Nrw9QIDAQABo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUzH0h4vBxma89HF9rUQ+DW052c5swHwYDVR0jBBgwFoAUAG9lvr7AzJ/y4vY/XlWxXru+6m0wDQYJKoZIhvcNAQELBQADggEBAI/Cyd0y7AJ7wY3yRssCud2iJAl9/ZjgxzXOUo6ibawYIYOnSf9tS3eD4CIH4BgppDXoJZ/qEA4WvIsLx3yvnyOxiqyk3TQmKIZ27VJH+yQkgzPeiKrHn1pCXBKEb1/jlT8Ozu4Lmn/oFwDH6nk8toxI8DM+qsTxqUFlTA3ea9yaRtxeNPMWJdaxZSUYGVSZL0wVKw5ZuQ1Gn7vGVApWlYDKYbMozCuZUG1q8wMzFBRa7x0anvh5hM4bksLz+Y1ujCS8f8b4Xtb8KIdFrZtTvtl97crv62bN05VueAcbwtYbIBNWNoT/CvmqV7k3uPg95GYSNddFqEMbQHoyd8hdDCo=" - + private { - + key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKxOsx9UfrdpWJ0lPtsh/7MvCQux7Tucay/hqWIYRu5+vbf1EEdXgmfwttD6cH/yaFgaM1jg6dns1jPcVT+KCWjyoW1pnbqZa09am/bFbUXwkAQruXkECDjZwG5zGIhkV5Gb6OQTpU3Vtw1TS62efexsLBkzIfqlL2TTwbWqusUsDtkWG/kCaAlw4OY7yyKBIC7utFL/o7d47ogKdWO8h8ctv70MopQR98fMVXxGuSpUIaaCKzP18X6PVG+D2z7KU1zaVklNtvVefOLG9JGuji30je4hZ2knSI67T1iJNcZCAf0RHpXesWJfTRF1KJJd/4wkJXriELWayD7xXc2vD1AgMBAAECggEACsUk3PVzSX11+ekTDigM7NHK11UpEQPoGu/GR70mBKIK9BCyI/N9W0YaPEO9kn4p9KNrINgXzKV3sVLBnXEyTmzyRl5Fs9YxLBF0X7eIcSVPHBVvU2CVHKez5uX2ypKfNAx7A6FRUNqlFbwtXdNfLoUOKSwBWI86ctytWaKaRb/TTSGQkaP/z/cwIsXOLfG9m6iFkw98ShUzalrUWNo/4fJKlO1+DvXVYE9sv9rjD8J7DtAbr5KykQ5n0AAlZTCWQ7jwMybSnjjY9ypZUms0l17raJrfhrdbWayc6xMDvtrmNIDebkF+J7cHU06aEV+yQXV/7yjyZgUSM2ANcHMdzQKBgQDmTi5tUeaj1JUSl9lAP/XUzcElw2tcU1B8qpX69J4ofjTNgj5okLWQZVIy1UyAfLOI3LJbHTBUtSvedhH0VaMulq99NXs5qnbPGG3//RBAc0wKhJknB5Qv0D3FxMI14kMO6jzPly+aIGEk4dTtHvZuHbbVHbKSZ5MMouLyT+SS7wKBgQDhZETARZ0MazeWRaPJwdkjlfNcqqcsnDicdcppCkcDCjeLxkVPZc8ej37rshOvw2Pf1D0PddGyOhJoWCWA8QE2LQoDHLaDnQ0L6aQ3yjN5Gxx9RCDFi3Zuat/mPcv3tFO7uUmeYvRC5fGYrghq29NADmUefOopAc06Izd4A3iqWwKBgQC1uPrpR7a1jwgRo7/I8q8HO1MseQY903+u3ut5GYuyZ+NCRYL4/zZEua4ibivvNnZzh7E0M9PvAwWag4+nO+uG11+hbJHO7rLQtnYVh5lLQa6+neI66cAD+kzDwH1+BwriufFB3Amzk9kTQR7B+6x3NvsNLmG5JADj96Mbj+7MAQKBgFIevEXplyzdK6WevexWqoyip8aNjtdcG+w1pofa7MCYymAs3zfseihCVBYADdguModsxsqJPNvY+Lf31cJDDRP2GP3FSmJtqEE84U5KZ7KqRBkH54DSLVZRrj4vKc+YbiGpgr8ogqKVMQ9V6U81xKREGmefT5mdRG74Qc+CREadAoGAFtdsH5js1yFEeGFad4BZJ69grEavD3pNCfIe9oIPtXvvFdzxd+QbKgqFf3JMJp/HYi8A0iv/i4mzf00KXzF4JU7bIJYrUVlk/w8x77gzDRIphsPqpMBJkTI0jisQHZKWNEe7IbmM/dWW2S4jvCkrhB7F5Szf72Q+j/lPbfx2g/8=" - + } - + } - - [edit] - vyos@vyos# commit - - -Diffie-Hellman key: - -.. code-block:: none - - vyos@vyos# run generate pki dh install dh-1 - Enter DH parameters key size: (Default: 2048) - Generating parameters... - 1 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - [edit] - vyos@vyos# compare - [pki] - + dh dh-1 { - + parameters "MIIBCAKCAQEAp25kxwZeLZ7wcbRii5E5RD4uWCUOBxarzKEE0msa84omh5nZ9dv/4bfJw4gIXlA2+sGc2lLV/jajZminMryiSwJdisyVuUdOB7sJWZwrzHBAY0qFbNyaRMVJBar2xVm+XcKd3A2eNTEgn10G7rPPvf6CJ5isUKFaKT8ymUv+mI0upLneYdGs8/yS3sAojzeulCf49fa5SiaGCcZZkdOI3Nby1u/ZG4okqJ2wE2c2hRVLs1k5qrrono0OF4Dh0B91ihnywRfp1xPYeqpiln+OPh+PPgTuBxkz4VxwRDoQ+NhVr/LOCb3vbhnyFisxI0w4r3109cA3QiDmo1L14aKl1wIBAg==" - + } - - [edit] - vyos@vyos# commit - -Client certificate: - -.. code-block:: none - - vyos@vyos:~$ generate pki certificate sign ca-1 install client1 - Do you already have a certificate request? [y/N] N - Enter private key type: [rsa, dsa, ec] (Default: rsa) - Enter private key bits: (Default: 2048) - Enter country code: (Default: GB) - Enter state: (Default: Some-State) - Enter locality: (Default: Some-City) - Enter organization name: (Default: VyOS) - Enter common name: (Default: vyos.io) client1 - Do you want to configure Subject Alternative Names? [y/N] - Enter how many days certificate will be valid: (Default: 365) - Enter certificate type: (client, server) (Default: server) client - Note: If you plan to use the generated key on this router, do not encrypt the private key. - Do you want to encrypt the private key with a passphrase? [y/N] - You are not in configure mode, commands to install manually from configure mode: - set pki certificate client1 certificate 'MIIDrjCCApagAwIBAgIUPvtffeYTdoOiHxu++wdrjHwwVX4wDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTQxMDlaFw0yNjA2MTExMTQxMDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQnUyqEzG+AqZzsdSud5MDqsOxiXTAfBgNVHSMEGDAWgBQAb2W+vsDMn/Li9j9eVbFeu77qbTANBgkqhkiG9w0BAQsFAAOCAQEAplItvZpoX/joG3QREu9tHVKwDTmXB2lwUM5G8iKPgd6D6oOILZMe2KuvWt12dcdEzUCGfJwJJ8M8R2WD0OmcLdFqvM/8UM1hYzUP2BCnFCLtElVD+b4wMlQNpdHqNbdckw8J4MLQlhUgu9rZAZ0XjWCprr+U50bX++vYRw7Un3Ds6ETEvjflm5WAPb2e0V1hhISPl8K+VXO7RAwxy0DHcDuR+YaD+hnNgMsJV3/QwA17Iy8x86RpOgqmesbt0U7e9Rmo81aVgiy/V4OCV7u6bPX03fmZNS8UwwJuRUlxkjO+epHNYB2cnOcjSkUxaIJ9Hv3tMWHQEtbVZsNYSOZozw==' - set pki certificate client1 private key 'MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAECggEAPS/Fhtt5k2BgFivZW3FcVc+OS0keGwV8hkFsGoXTZIKEIzSFWIn/mX0CUY90C0Rn9MRwiqB4PwssOAsHY6QQjdRK8irRbVK8l2ZeydHC7DfVUdXtKR0YnxTaePML3nTV/TqPF14Rx6EINtHrkLeBbu2DhGsKfhoHIoTVbvUiKLHa2TkGJOkhvjsyMSPKzUXa1AzLmu+UBIhRYpEPHj0SQUUJJnKgIb7mTR2fhJScHcKwsrPq6S8OpChvsYZ6zatgrTFz9tuhD4IjL7NBiYP45BwGaLIaQjph8yAJwwHWoOP+TTj5WYflkW6Uu8F9gC0ve6dPGPNEi2TUdirvAe4LYQKBgQD0UfAPm6tQg8pdkvfMBvYc21fk8zqmgcA4OtvDi60aXuv5jI5+faISvOG2JLuFhKIDOb5ZerzGvkN+LvWgzr9H7YdGZNNtwKgpS/MGqcuuHncTxWBAwYgKhf26a/tqFZRNurJ6GowxDiAcQEc1mWnmdngRa+dvvCwNbXvGVqfVEQKBgQDGKi447TqD76QfvRPn/fRSjM+QE1duk+XorEJ0HHIha5HV9kCrZdV/olGRjDLwPJO6JW7iE2FUsS9SsIrccFE/9P2ZUqfYP2wL5vNO5kAmoLLUl0gwqg1WnBTPJfXeKReTj2uGmOdEuuMPXpL/49hDuPViiE2Q4MGe2Z+oEYN/EwKBgHfQMuTEl2e9qaDn8OM6SrluC5V4fjunh6dLnfgwaCx1fk1702lOnQuJWzsiml9o4raoO6PP4AGqzphz2PsKSJ2ya1NnIJRDFXRjDYQoAn2Z7RViBsja36chfINObxXgDUFtHBdrK3LnFXIlR4aOfHOLh2grvWx7IDNZjIiAeH+xAoGAJlmFZnjqiRv4bDgAQTZRcSRVCvHjSsAOj0++8I+MutEBgSHN9B2aCsBT/tHeDcX7ZNvXsKLFhElh+iO2S+DkqHb2GRT47I2hkFAaqBtBMPiKgz/ftaNDP46nLEuRYHQdXu4zhfHTV+a/CHtqAWGLuddyjaYJNM96SQ6eqjzxcMcCgYAzdxOF2e27hIgo2ttjsROMGqW0/0r/HsKGKPnao7xHQNCAswTnBT+QGugPCe0NXjuxbySP7V1GeWMWF+WV5khtteWerT1/ELAC48NSDpaMxVa4GP8Q/0w6+ZyJty3UGbCYQzZZue81dU+42LUIaVJ4NAc2tYj3jD780udasawS6w==' - -.. start_vyoslinter - -Manually copy the CA, client certificate, and Diffie-Hellman key to the client -device, then commit them before configuring the OpenVPN interface. - -For more options, refer to :ref:`configuration/pki/index:pki`. - -Set up server-client OpenVPN ----------------------------- - -The following example demonstrates the most complicated scenario: each client -acts as a router with its own subnet (e.g., an HQ and multiple branch offices). -Simpler setups are subsets of it. - -In this scenario, the 10.23.1.0/24 network is used for client tunnel endpoints, -and all client subnets belong to 10.23.0.0/20. Each client needs access to the -192.168.0.0/16 network. - -Server configuration: - -.. code-block:: none - - set interfaces openvpn vtun10 encryption data-ciphers 'aes256' - set interfaces openvpn vtun10 hash 'sha512' - set interfaces openvpn vtun10 local-host '172.18.201.10' - set interfaces openvpn vtun10 local-port '1194' - set interfaces openvpn vtun10 mode 'server' - set interfaces openvpn vtun10 persistent-tunnel - set interfaces openvpn vtun10 protocol 'udp' - set interfaces openvpn vtun10 server client client1 ip '10.23.1.10' - set interfaces openvpn vtun10 server client client1 subnet '10.23.2.0/25' - set interfaces openvpn vtun10 server domain-name 'vyos.net' - set interfaces openvpn vtun10 server max-connections '250' - set interfaces openvpn vtun10 server name-server '172.16.254.30' - set interfaces openvpn vtun10 server subnet '10.23.1.0/24' - set interfaces openvpn vtun10 server topology 'subnet' - set interfaces openvpn vtun10 tls ca-certificate ca-1 - set interfaces openvpn vtun10 tls certificate srv-1 - set interfaces openvpn vtun10 tls dh-params dh-1 - -The configuration above uses the default 1194/UDP port, 256-bit AES encryption, -SHA-512 for HMAC authentication, and the persistent-tunnel option. -Persistent-tunnel is recommended as it keeps the TUN/TAP device active during -connection resets or daemon reloads. Clients are identified by the CN attribute -in their SSL certificates. - -To grant clients access to a specific network behind the router, use the -push-route option to automatically install the appropriate route on -each client. - -.. code-block:: none - - set interfaces openvpn vtun10 server push-route 192.168.0.0/16 - -OpenVPN does not automatically create kernel routes for client subnets when -clients connect; it only uses client-subnet association internally. Therefore, -you must manually create a route to the 10.23.0.0/20 network: - -.. code-block:: none - - set protocols static route 10.23.0.0/20 interface vtun10 - -Set up OpenVPN client ---------------------- - -VyOS can operate not only as an OpenVPN site-to-site peer or a server for -multiple clients, but also as an OpenVPN client. Any VyOS OpenVPN interface -can be configured to connect to another VyOS or third-party OpenVPN server. - -Client configuration: - -.. code-block:: none - - set interfaces openvpn vtun10 encryption data-ciphers 'aes256' - set interfaces openvpn vtun10 hash 'sha512' - set interfaces openvpn vtun10 mode 'client' - set interfaces openvpn vtun10 persistent-tunnel - set interfaces openvpn vtun10 protocol 'udp' - set interfaces openvpn vtun10 remote-host '172.18.201.10' - set interfaces openvpn vtun10 remote-port '1194' - set interfaces openvpn vtun10 tls ca-certificate ca-1 - set interfaces openvpn vtun10 tls certificate client1 - -Verification ------------- - -Check the tunnel status: - -.. stop_vyoslinter - -.. code-block:: none - - vyos@vyos:~$ show openvpn server - - OpenVPN status on vtun10 - - Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since - ----------- ------------------ ----------- ---------------- ---------- ---------- ------------------- - client1 172.16.12.54:33166 10.23.1.10 172.18.201.10:1194 3.4 KB 3.4 KB 2024-06-11 12:07:25 - -.. start_vyoslinter - -Server bridge -============= - -In Ethernet bridging configurations, an OpenVPN interface operating in server -mode with the device type set to TAP can be added to a bridge. By encapsulating -entire Ethernet frames (up to 1514 bytes) rather than just IP packets (up to -1500 bytes), this setup enables clients to transmit Layer 2 frames through the -OpenVPN tunnel. - -The following is a basic configuration example: - -Server side: - -.. code-block:: none - - set interfaces bridge br10 member interface eth1.10 - set interfaces bridge br10 member interface vtun10 - set interfaces openvpn vtun10 device-type 'tap' - set interfaces openvpn vtun10 encryption data-ciphers 'aes192' - set interfaces openvpn vtun10 hash 'sha256' - set interfaces openvpn vtun10 local-host '172.18.201.10' - set interfaces openvpn vtun10 local-port '1194' - set interfaces openvpn vtun10 mode 'server' - set interfaces openvpn vtun10 server bridge gateway '10.10.0.1' - set interfaces openvpn vtun10 server bridge start '10.10.0.100' - set interfaces openvpn vtun10 server bridge stop '10.10.0.200' - set interfaces openvpn vtun10 server bridge subnet-mask '255.255.255.0' - set interfaces openvpn vtun10 server topology 'subnet' - set interfaces openvpn vtun10 tls ca-certificate 'ca-1' - set interfaces openvpn vtun10 tls certificate 'srv-1' - set interfaces openvpn vtun10 tls dh-params 'dh-1' - -Client side: - -.. code-block:: none - - set interfaces openvpn vtun10 device-type 'tap' - set interfaces openvpn vtun10 encryption data-ciphers 'aes192' - set interfaces openvpn vtun10 hash 'sha256' - set interfaces openvpn vtun10 mode 'client' - set interfaces openvpn vtun10 protocol 'udp' - set interfaces openvpn vtun10 remote-host '172.18.201.10' - set interfaces openvpn vtun10 remote-port '1194' - set interfaces openvpn vtun10 tls ca-certificate 'ca-1' - set interfaces openvpn vtun10 tls certificate 'client-1' - - - -Server LDAP authentication -========================== - -LDAP ----- - -Enterprise installations usually include a directory service to centralize -employee password management. VyOS and OpenVPN support using LDAP and Active -Directory as a single user backend. - -Authentication is performed by the ``openvpn-auth-ldap.so`` plugin, included -with every VyOS installation. To use it, you must create a dedicated -configuration file. - -**Best practice:** Store the configuration file in the ``/config`` directory -to ensure it is preserved after image updates. - -.. stop_vyoslinter - -.. code-block:: none - - set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" - -.. start_vyoslinter - -A sample configuration file is shown below: - -.. code-block:: none - - <LDAP> - # LDAP server URL - URL ldap://ldap.example.com - # Bind DN (If your LDAP server doesn't support anonymous binds) - BindDN cn=LDAPUser,dc=example,dc=com - # Bind Password password - Password S3cr3t - # Network timeout (in seconds) - Timeout 15 - </LDAP> - - <Authorization> - # Base DN - BaseDN "ou=people,dc=example,dc=com" - # User Search Filter - SearchFilter "(&(uid=%u)(objectClass=shadowAccount))" - # Require Group Membership - allow all users - RequireGroup false - </Authorization> - -Active Directory -^^^^^^^^^^^^^^^^ - -A sample configuration file is shown below: - -.. stop_vyoslinter - -.. code-block:: none - - <LDAP> - # LDAP server URL - URL ldap://dc01.example.com - # Bind DN (If your LDAP server doesn’t support anonymous binds) - BindDN CN=LDAPUser,DC=example,DC=com - # Bind Password - Password mysecretpassword - # Network timeout (in seconds) - Timeout 15 - # Enable Start TLS - TLSEnable no - # Follow LDAP Referrals (anonymously) - FollowReferrals no - </LDAP> - - <Authorization> - # Base DN - BaseDN "DC=example,DC=com" - # User Search Filter, user must be a member of the VPN AD group - SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))" - # Require Group Membership - RequireGroup false # already handled by SearchFilter - <Group> - BaseDN "OU=Groups,DC=example,DC=com" - SearchFilter "(|(cn=VPN))" - MemberAttribute memberOf - </Group> - </Authorization> - -.. start_vyoslinter - -If you only want to check that the user account is enabled and can -authenticate (against the primary group), the following snippet is -sufficient: - -.. code-block:: none - - <LDAP> - URL ldap://dc01.example.com - BindDN CN=SA_OPENVPN,OU=ServiceAccounts,DC=example,DC=com - Password ThisIsTopSecret - Timeout 15 - TLSEnable no - FollowReferrals no - </LDAP> - - <Authorization> - BaseDN "DC=example,DC=com" - SearchFilter "sAMAccountName=%u" - RequireGroup false - </Authorization> - -A complete example of an LDAP authentication configuration for OpenVPN -is shown below: - -.. stop_vyoslinter - -.. code-block:: none - - vyos@vyos# show interfaces openvpn - openvpn vtun0 { - mode server - openvpn-option "--tun-mtu 1500 --fragment 1300 --mssfix" - openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" - openvpn-option "--push redirect-gateway" - openvpn-option --duplicate-cn - openvpn-option "--verify-client-cert none" - openvpn-option --comp-lzo - openvpn-option --persist-key - openvpn-option --persist-tun - server { - domain-name example.com - max-connections 5 - name-server 203.0.113.0.10 - name-server 198.51.100.3 - subnet 172.18.100.128/29 - } - tls { - ca-certificate ca.crt - certificate server.crt - dh-params dh1024.pem - } - } - -.. start_vyoslinter - -.. stop_vyoslinter - -For a detailed example, refer to -:doc:`OpenVPN with LDAP</configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`. - -.. start_vyoslinter - -Multi-factor authentication -=========================== - -VyOS supports multi-factor authentication (MFA) or two-factor authentication -using Time-based One-Time Passwords (TOTP). It is compatible with Google -Authenticator and other software tokens. - -Server side ------------ - -.. code-block:: none - - set interfaces openvpn vtun20 encryption cipher 'aes256' - set interfaces openvpn vtun20 hash 'sha512' - set interfaces openvpn vtun20 mode 'server' - set interfaces openvpn vtun20 persistent-tunnel - set interfaces openvpn vtun20 server client user1 - set interfaces openvpn vtun20 server mfa totp challenge 'disable' - set interfaces openvpn vtun20 server subnet '10.10.2.0/24' - set interfaces openvpn vtun20 server topology 'subnet' - set interfaces openvpn vtun20 tls ca-certificate 'openvpn_vtun20' - set interfaces openvpn vtun20 tls certificate 'openvpn_vtun20' - set interfaces openvpn vtun20 tls dh-params 'dh-pem' - -A TOTP secret is created for each client in the OpenVPN server configuration. -To display authentication information, use the following command: -``show interfaces openvpn vtun20 user user1 mfa qrcode``. - -Example: - -.. stop_vyoslinter - -.. code-block:: none - - vyos@vyos:~$ sh interfaces openvpn vtun20 user user1 mfa qrcode - █████████████████████████████████████ - █████████████████████████████████████ - ████ ▄▄▄▄▄ █▀▄▀ ▀▀▄▀ ▀▀▄ █ ▄▄▄▄▄ ████ - ████ █ █ █▀▀▄ █▀▀▀█▀██ █ █ █ ████ - ████ █▄▄▄█ █▀█ ▄ █▀▀ █▄▄▄█ █▄▄▄█ ████ - ████▄▄▄▄▄▄▄█▄█ █ █ ▀ █▄▀▄█▄▄▄▄▄▄▄████ - ████▄▄ ▄ █▄▄ ▄▀▄█▄ ▄▀▄█ ▄▄▀ ▀▄█ ▀████ - ████ ▀██▄▄▄█▄ ██ █▄▄▄▄ █▄▀█ █ █▀█████ - ████ ▄█▀▀▄▄ ▄█▀ ▀▄ ▄▄▀▄█▀▀▀ ▄▄▀████ - ████▄█ ▀▄▄▄▀ ▀ ▄█ ▄ █▄█▀ █▀ █▀█████ - ████▀█▀ ▀ ▄█▀▄▀▀█▄██▄█▀▀ ▀ ▀ ▄█▀████ - ████ ██▄▄▀▄▄█ ██ ▀█ ▄█ ▀▄█ █▀██▀████ - ████▄███▄█▄█ ▀█▄ ██▄▄▄█▀ ▄▄▄ █ ▀ ████ - ████ ▄▄▄▄▄ █▄█▀▄ ▀▄ ▀█▀ █▄█ ██▀█████ - ████ █ █ █ ▄█▀█▀▀▄ ▄▀▀▄▄▄▄▄▄ ████ - ████ █▄▄▄█ █ ▄ ▀ █▄▄▄██▄▀█▄▀▄█▄ █████ - ████▄▄▄▄▄▄▄█▄██▄█▄▄▄▄▄█▄█▄█▄██▄██████ - █████████████████████████████████████ - █████████████████████████████████████ - -.. start_vyoslinter - -Scan the QR code to add the user account to Google Authenticator. On the client -side, use the generated OTP as the password. - -Authentication with username/password -===================================== - -An OpenVPN server can securely obtain a username and password from a connecting -client and use this information for authentication. - -First, configure the server to use an authentication plugin or script. The -server calls this plugin every time a client tries to connect, passing it the -client's credentials. - -In the following example, the ``--auth-user-pass-verify`` directive is used -with the via-env method and a specified script path to validate the client's -username and password. - -Server configuration --------------------- - -.. stop_vyoslinter - -.. code-block:: none - - set interfaces openvpn vtun10 local-port '1194' - set interfaces openvpn vtun10 mode 'server' - set interfaces openvpn vtun10 openvpn-option '--auth-user-pass-verify /config/auth/check_user.sh via-env' - set interfaces openvpn vtun10 openvpn-option '--script-security 3' - set interfaces openvpn vtun10 persistent-tunnel - set interfaces openvpn vtun10 protocol 'udp' - set interfaces openvpn vtun10 server client client-1 ip '10.10.10.55' - set interfaces openvpn vtun10 server push-route 192.0.2.0/24 - set interfaces openvpn vtun10 server subnet '10.10.10.0/24' - set interfaces openvpn vtun10 server topology 'subnet' - set interfaces openvpn vtun10 tls ca-certificate 'ca-1' - set interfaces openvpn vtun10 tls certificate 'srv-1' - set interfaces openvpn vtun10 tls dh-params 'dh-1' - -.. start_vyoslinter - -The /config/auth/check_user.sh example includes two test users: - -.. code-block:: none - - #!/bin/bash - USERNAME="$username" - PASSWORD="$password" - - # Replace this with real user checking logic or use getent - if [[ "$USERNAME" == "client1" && "$PASSWORD" == "pass123" ]]; then - exit 0 - elif [[ "$USERNAME" == "peter" && "$PASSWORD" == "qwerty" ]]; then - exit 0 - else - exit 1 - fi - -Client configuration --------------------- - -Storing the client certificate locally lets you generate the OpenVPN client -configuration file. Use the following command: - -.. stop_vyoslinter - -.. code-block:: none - - vyos@vyos:~$ generate openvpn client-config interface vtun10 ca ca-1 certificate client1 - -.. start_vyoslinter - -Copy the output and save it as a .ovpn file. Add the ``auth-user-pass`` -directive to the file. This instructs the OpenVPN client to prompt the user -for a username and password, which are then sent to the server over the TLS -channel. You can now import this file into any OpenVPN client application. - -.. code-block:: none - - client - dev tun - proto udp - remote 192.168.77.10 1194 - - remote-cert-tls server - proto udp - dev tun - dev-type tun - persist-key - persist-tun - verb 3 - auth-user-pass - - - <ca> - -----BEGIN CERTIFICATE----- - MIIDlzCCAn+gAwIBAgIUQW7AtPu0Qzp7VzT0TyYx83/ME8swDQYJKoZIhvcNAQEL - BQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM - CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2 - MTExMTIyMjJaFw0zMDA2MTAxMTIyMjJaMFQxCzAJBgNVBAYTAkdCMRMwEQYDVQQI - DApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1Mx - DTALBgNVBAMMBGNhLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDi - +v6i241T9ABxq1ngjWxDQITkqjV0nq2Jb3HSSuQpXRCu7DWdQZlbvnMHnkV/WTL0 - RNgkhS4iV/WYhE+bLihwiZ0GTeQnUd1QJSkusFROX46w6kKXYUR5IQtcBC+vdky8 - PESynPd+DXsJn5X9JTWqDeviUAQz/ZjDzWk+71MBCqa+Zps1zpIjK0ywn7pR/HnD - rxJOQXlBMNgvbv8U3IAZ2jJp0jTB8TnuDtWSA+XZejMm/EN/AWUQyliX6OJFSCIh - BL2BZ9lmVms4/HkRpbd50k3vvCoz+lAOEE6VsH0fEdLC3lZ+CtXZ7kjp2wdWWuSs - 5ggIJYZZkixsCisbtEmbAgMBAAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P - AQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4E - FgQUAG9lvr7AzJ/y4vY/XlWxXru+6m0wDQYJKoZIhvcNAQELBQADggEBAKsu4eZa - 8Fha9aKfuKqlGQHPpEFfVDaVJmebw0uMw+b5Y8EpBxzZrgbqbk3Mty8pBjNa9jkZ - zph04gHN4pR6kg3iQlUKGxZUfsB9ZUjKhkgNdUI9zq1323MKEvuIuYdt61DCfBHw - Y6Xax5Ge+BahR2bXdPaQH452/+xMTqkukkpLbioTeIDg6FCU2HYPY5emDF5DDZAZ - WXtTqi0zdT3Y6FqiTvs5VuWwXCcp+HM+Lwe1/VVJhwi4CHTq0CKWnQIH5blYjmyx - zRBlrlZm4ntWlL5Mtepa1A3DJirY4kw/SqMAAh/Q9lh41JzBc8epf+OdnOzK55Ym - tmctGO2o+NBCFi0= - -----END CERTIFICATE----- - - </ca> - - <cert> - -----BEGIN CERTIFICATE----- - MIIDrjCCApagAwIBAgIUN6vPxDEW89cfbEFPa0tZlnsW1GkwDQYJKoZIhvcNAQEL - BQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM - CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2 - MTExMTQ0MjlaFw0yNjA2MTExMTQ0MjlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQI - DApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1Mx - EDAOBgNVBAMMB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB - AQCdOWq8vdO8CznGN83uAXCuN4PcdTJaRFEdJIEfqHjlcG0MZQuPIAlDbOU+IWmu - QBmeCj7SlbYtVYo1uQOMUaIrAvxLIQUaL1Y60oLVTF5eAPrGV+NSTQR5uMApcH9/ - RcZcW530pu/QpYinKTbGkEd54so6YRVPmYbIOPNUMbnZbccpinYi5t2dqubBb585 - A7L40043VtsVVbPjQq5V0HDursvqlaMqMRcffhR8H4B4ByU/EPRK4yTKm1hi19v3 - UtRHiq74CfGtJzYtplgrLJBON7TsbIi/fEux4q1yhbKA0S66L6e5DZldRxNZOXG6 - QjEL0RkYloMgkbv/2HLCu09hAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0P - AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQCkfdfq3hv - 7UtqAxq/5VDRIdgJLTAfBgNVHSMEGDAWgBQAb2W+vsDMn/Li9j9eVbFeu77qbTAN - BgkqhkiG9w0BAQsFAAOCAQEAJ43+aDVRC+y2vsu6WRG2l6zYnLoIJZW4afdKMC1a - nhTWhj4AhAt8evhVbAxi/8qhQX3yXF2bUQKdS++8AVcvZFlSES32S5eBx83AwGLt - QkgvGx+QThKmoJwrelyuS2X0XX3P0WzohYI6HzSr6p9F8KhTvSW97E6SnldpdvEM - uG1C+61/Vys7WLmDBh1PZTGE03nRp3H4Q9ynyXEEf1MK3eZkzg5H3Evj66p82pD5 - 8IauRfghMHJf3tOC+y0YIoXshF3lPq4nYso5Jc/HGCHlsboCODMCnY3CZsH7/O1n - /MI710KpzZTCLnv4Qtx9JpZxR7FTddl36OOuYUXU3Gcnsg== - -----END CERTIFICATE----- - - </cert> - - <key> - -----BEGIN PRIVATE KEY----- - MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCdOWq8vdO8CznG - N83uAXCuN4PcdTJaRFEdJIEfqHjlcG0MZQuPIAlDbOU+IWmuQBmeCj7SlbYtVYo1 - uQOMUaIrAvxLIQUaL1Y60oLVTF5eAPrGV+NSTQR5uMApcH9/RcZcW530pu/QpYin - KTbGkEd54so6YRVPmYbIOPNUMbnZbccpinYi5t2dqubBb585A7L40043VtsVVbPj - Qq5V0HDursvqlaMqMRcffhR8H4B4ByU/EPRK4yTKm1hi19v3UtRHiq74CfGtJzYt - plgrLJBON7TsbIi/fEux4q1yhbKA0S66L6e5DZldRxNZOXG6QjEL0RkYloMgkbv/ - 2HLCu09hAgMBAAECggEAOR3xRVUO9Sr816JRSQwz486eNDpNSxazgwtOb3JUTUH9 - E7onq1y/kMOgOmSIEHoP9GaTcQxbbPe86IxomhLT/50ri52YzWzx/heY2SVPyQXB - FMo79putKw0vnj5UyydNiyLrbMQyrhFc5iFmWVdz5/c4cWHwjIThPp7V4znXYwHZ - OB/Xn1NNHDNy872oQn5wZWzuA4ml0OqjU5D+Ne9srODl3r4OTo3lb1N3JuH3aOSA - cACl1JnN/KElN8IotIdweeUFAdn2jsGjZnCpGaJvZQ+2iMn6doJXHgFiF5+GMF7o - aOatglElIuqgPtB/4nvnegSL0DSnB36ojqv2PAh24wKBgQDPBt4S4muqo8SqP2e0 - 8X78MyK3tz1VmgPKn3O68Vdi1V7FPz0RHRGsw/kdgxXsJlfZTWgzcq2NNFu0yPBJ - A/h7qo16mv8GW7cJCd2exjb+/oq4r5iWeqLdSsMUXN87x02LRaMNd9wz1mls1Z73 - oQ5hJ7zTtlyYXnvKPQo8X1ImjwKBgQDCaptQxZ/a3tcUQQlXAFMAScviODZd0LCL - 30ZalwpNs6nVVIPoZHD3tlzWN5Es74gndfkC7/Gm2cnsOW9QQaU56q+5LeNXItW8 - rc6yXq3vNQerqJxHNUmKWwLCQtSyLRjFqpGTl/PyX2bGXQ7/zjTL3W8VMD5otf4Y - SJJB+sKjDwKBgHSVX3WvAAamFtfwwMwKuwH3IfPnQqj0BHKUfK2nvxgvJCFbzV3X - yt5Jtf3ClhPYO9xpVOa0C7va4lHaXkYf8Exj7SxAIKFKALccUStaYBoU6bW7XOhQ - w2pu8ZCEBEo7oBVv77Rj7SNb+R6K5ex5TAm2QQXQSjCb9IYc/ail3TNNAoGBALu6 - GPMrgKnlFyV1j0E1DPBwUbDEuqpoArFtDRAYXFifLVTS4PQbWIG403f9++659Gy2 - G5ZcfqiwD6xL4VJLsPF1zewvhR/0gRJJehb+GVGrkRaOHykbKUGxk75kreDGbu8f - PqaXyXS17hWIch1Lzes0jDiXdwvA//QOzztqmVq9AoGAVMbmf04+QtzckLolAP4q - Uwr5svfy14A7V3IGkwlsHZdm37L26lfxW0kpOOE7g7D6gdinuALo6oopP7RN/IDq - PLaaHaGrIoLAEVFa0bRLGsrU2q87ytwfSgdra4jmsTn+xEabdI4IgmqWgwSRvGVf - KN18e19Ssw5x7Wq0Rsw/3VM= - -----END PRIVATE KEY----- - - </key> - -When prompted, log in with the username and password. diff --git a/docs/configuration/interfaces/rst-openvpn.rst b/docs/configuration/interfaces/rst-openvpn.rst deleted file mode 100644 index 85877d48..00000000 --- a/docs/configuration/interfaces/rst-openvpn.rst +++ /dev/null @@ -1,521 +0,0 @@ -.. _openvpn: - -####### -OpenVPN -####### - -Traditionally, hardware routers use IPsec exclusively because it is easy to -implement in hardware, and their CPUs lack sufficient power for software-based -encryption. This limitation is less relevant for VyOS, as it is a software -router. - -OpenVPN has been widely used on UNIX platforms for a long time and is a popular -choice for remote-access VPNs. It also supports site-to-site connections. - -OpenVPN offers the following advantages: - -* It uses a single TCP or UDP connection and does not rely on packet source - addresses, so it works even through double NAT. This makes it well-suited for - public hotspots. - -* It is easy to set up and offers very flexible split tunneling. - -* A variety of client GUI frontends are available for any platform. - -Disadvantages include: - -* It is slower than IPsec due to higher protocol overhead and because it runs - in user mode, while IPsec on Linux runs in kernel mode. - -* No operating system includes OpenVPN client software by default. - -In the VyOS CLI, OpenVPN is configured as a network interface using ``set -interfaces openvpn`` rather than ``set vpn``, which is often overlooked. - -************* -Configuration -************* - -.. cfgcmd:: set interfaces openvpn <interface> authentication password <text> - - **Configure the password for the** ``auth-user-pass`` **authentication method.** - - This option applies only to OpenVPN clients. - -.. cfgcmd:: set interfaces openvpn <interface> authentication username <text> - - **Configure the username for the** ``auth-user-pass`` **authentication method.** - - This option applies only to OpenVPN clients. - -.. cfgcmd:: set interfaces openvpn <interface> description <description> - - Configure the description for the OpenVPN interface. - -.. cfgcmd:: set interfaces openvpn <interface> device-type <tap | tun> - - **Configure the virtual network device type for the OpenVPN interface:** - - * ``tun`` **(default)**: Operates at Layer 3, encapsulating IPv4 or IPv6 packets. - * ``tap``: Operates at Layer 2, encapsulating Ethernet 802.3 frames. - -.. cfgcmd:: set interfaces openvpn <interface> disable - - Disable the specific OpenVPN interface. - -.. cfgcmd:: set interfaces openvpn <interface> encryption cipher < 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none > - - **Configure the static encryption cipher for the OpenVPN tunnel.** - - The ``cipher`` option maps to OpenVPN’s ``--cipher`` directive and specifies - the symmetric encryption algorithm for both control and data channels. - - This was previously the default encryption method in all OpenVPN modes. In - newer OpenVPN versions, the ``--cipher`` directive is considered **legacy** - and should be used only in compatibility scenarios. - -.. cfgcmd:: set interfaces openvpn <interface> encryption data-ciphers < 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none > - - **Configure a prioritized list of negotiated ciphers for OpenVPN in** - ``client`` **or** ``server`` **mode.** - - The ``data-ciphers`` option represents a list of supported encryption - algorithms. It corresponds to OpenVPN’s ``--data-ciphers`` directive and - enables cipher negotiation, where both peers automatically agree on a mutually - supported cipher during session startup. - - .. note:: This option is not compatible with ``site-to-site`` mode. - -.. cfgcmd:: set interfaces openvpn <interface> encryption data-ciphers-fallback < 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none > - - **Configure the fallback cipher for** ``site-to-site`` **mode.** - - The ``data-ciphers-fallback`` option maps to OpenVPN’s ``--data-ciphers- - fallback`` directive. It defines the cipher to use if negotiation is **not - supported**. - - .. note:: This option ensures consistent encryption between two static peers - without cipher negotiation capability. - -.. cfgcmd:: set interfaces openvpn <interface> hash <md5 | sha1 | sha256 | ...> - - Configure the hashing algorithm for the OpenVPN interface. - -.. cmdinclude:: /_include/interface-ip.txt - :var0: openvpn - :var1: vtun0 - -.. cmdinclude:: /_include/interface-ipv6.txt - :var0: openvpn - :var1: vtun0 - -.. cfgcmd:: set interfaces openvpn <interface> keep-alive failure-count <value> - - **Configure the number of tolerated keepalive packet failures.** - - Default: 60 consecutive failures. - -.. cfgcmd:: set interfaces openvpn <interface> keep-alive interval <value> - - **Configure the frequency, in seconds, at which keepalive packets are sent.** - - Default: 10 seconds. - -.. cfgcmd:: set interfaces openvpn <interface> local-address <address> - - Configure the local tunnel IP address for ``site-to-site`` mode. - -.. cfgcmd:: set interfaces openvpn <interface> local-host <address> - - **Configure the local IP address to accept connections.** - - If configured, OpenVPN binds to this IP address only. - - By default, OpenVPN binds to all interfaces. - -.. cfgcmd:: set interfaces openvpn <interface> local-port <port> - - Configure the local port to accept connections. - -.. cfgcmd:: set interfaces openvpn <interface> mirror egress <monitor-interface> - - Configure mirroring of outgoing traffic from this OpenVPN interface to the - designated monitor interface. - -.. cfgcmd:: set interfaces openvpn <interface> mirror ingress <monitor-interface> - - Configure mirroring of incoming traffic from this OpenVPN interface to the - designated monitor interface. - -.. cfgcmd:: set interfaces openvpn <interface> mode <site-to-site | server | client> - - **Configure OpenVPN operation mode:** - - * ``site-to-site``: Establishes a site-to-site VPN connection. - * ``client``: Operates as a client in server-client mode. - * ``server``: Operates as a server in server-client mode. - - -OpenVPN Data Channel Offload (DCO) -================================== - -OpenVPN :abbr:`DCO (Data Channel Offload)` improves the performance of -encrypted OpenVPN data processing by keeping most data handling in the kernel -and avoiding frequent context switches between the kernel and user space. - -As a result, packet processing becomes more efficient and may utilize hardware -encryption offload support available in the kernel. - -.. note:: - - * :abbr:`DCO (Data Channel Offload)` is an **experimental**, not fully supported - OpenVPN feature. Some OpenVPN features and deployment scenarios are **not - compatible** with :abbr:`DCO (Data Channel Offload)`. - - For a complete list of supported features, visit: - - https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features - - * :abbr:`DCO (Data Channel Offload)` is configured per tunnel and disabled - by default. Existing tunnels operate without :abbr:`DCO (Data Channel - Offload)` unless it is explicitly enabled. - - * Enabling :abbr:`DCO (Data Channel Offload)` resets the interface. - -**Best practice:** Create a new tunnel with :abbr:`DCO (Data Channel Offload)` -enabled to avoid compatibility issues with existing clients. - -.. cfgcmd:: set interfaces openvpn <interface> offload dco - - **Enable** :abbr:`DCO (Data Channel Offload)` **for the specified OpenVPN - interface.** - - Example: - - .. code-block:: none - - set interfaces openvpn vtun0 offload dco - - This command enables :abbr:`DCO (Data Channel Offload)` and loads the required - kernel module. - -.. cfgcmd:: set interfaces openvpn <interface> openvpn-option <text> - - **Add raw OpenVPN configuration options to the openvpn.conf file.** - - OpenVPN provides many configuration options, but not all are available in the - VyOS CLI. - - If a required option is missing, you may submit a feature request at - Phabricator so all users can benefit from it (see :ref:`issues_features`). - - Alternatively, use ``openvpn-option`` to pass raw OpenVPN configuration options - to the openvpn.conf file. - - .. warning:: Use this option only as a last resort. Invalid options or syntax - may prevent OpenVPN from starting. Check system logs for errors after applying - changes. - - Example: - - .. code-block:: none - - set interfaces openvpn vtun0 openvpn-option 'persist-key' - - This command adds ``persist-key`` to the configuration file. This solves the - problem by persisting keys across resets, so they do not need to be re-read. - - .. code-block:: none - - set interfaces openvpn vtun0 openvpn-option 'route-up "/config/auth/tun_up.sh arg1"' - - This command adds ``route-up "/config/auth/tun_up.sh arg1"`` to the - configuration file. This option is executed after connection authentication, - either immediately or after a short delay, as defined. - - Ensure the path and arguments are enclosed in single or double quotes. - - .. note:: Some raw configuration options require quotes. To include them, use - the " statement. - -.. cfgcmd:: set interfaces openvpn <interface> persistent-tunnel - - **Enable always-active mode for the TUN/TAP device.** - - When enabled, the TUN/TAP device remains active upon connection resets or - daemon reloads. - -.. cfgcmd:: set interfaces openvpn <interface> protocol <udp | tcp-passive | tcp-active > - - **Configure the protocol for OpenVPN communication with a remote host:** - - * ``udp`` **(default)**: Uses the UDP protocol. - * ``tcp-passive``: Uses the TCP protocol and accepts connections passively. - * ``tcp-active``: Uses the TCP protocol and initiates connections actively. - -.. cfgcmd:: set interfaces openvpn <interface> redirect <interface> - - Enable redirection of incoming packets to the specified interface. - -.. cfgcmd:: set interfaces openvpn <interface> remote-address <address> - - Configure the remote tunnel IP address for site-to-site mode. - -.. cfgcmd:: set interfaces openvpn <interface> remote-host <address | host> - - **Configure the IPv4/IPv6 address or hostname for a server device if OpenVPN - runs in client mode.** - - This setting is not used in server mode. - -.. cfgcmd:: set interfaces openvpn <interface> remote-port <port> - - Configure the remote port to connect to the server. - -.. cfgcmd:: set interfaces openvpn <interface> replace-default-route - - Configure the OpenVPN tunnel as the default route. - -.. cfgcmd:: set interfaces openvpn <interface> server bridge disable - - Disable the given instance. - -.. cfgcmd:: set interfaces openvpn <interface> server bridge gateway <ipv4 address> - - Configure the gateway IP address. - -.. cfgcmd:: set interfaces openvpn <interface> server bridge start <ipv4 address> - - Configure the first IP address in the pool to allocate to connecting clients. - -.. cfgcmd:: set interfaces openvpn <interface> server bridge stop <ipv4 address> - - Configure the last IP address in the pool to allocate to connecting clients. - -.. cfgcmd:: set interfaces openvpn <interface> server bridge subnet-mask <ipv4 subnet mask> - - Configure the subnet mask pushed to dynamic clients. - -.. cfgcmd:: set interfaces openvpn <interface> server client <name> - - Configure the Common Name (CN) specified in the client certificate. - -.. cfgcmd:: set interfaces openvpn <interface> server client <name> disable - - Disable the client connection. - -.. cfgcmd:: set interfaces openvpn <interface> server client <name> ip <address> - - Configure the IPv4/IPv6 address for the client. - -.. cfgcmd:: set interfaces openvpn <interface> server client <name> push-route <subnet> - - Configure a route to be pushed to the specific client. - -.. cfgcmd:: set interfaces openvpn <interface> server client <name> subnet <subnet> - - **Configure a fixed subnet to be routed from the server to the specified - client.** - - Used as OpenVPN’s ``iroute`` directive. - -.. cfgcmd:: set interfaces openvpn <interface> server client-ip-pool start <address> - - Configure the first IP address in the subnet's IPv4 pool to be dynamically - allocated to connecting clients. - -.. cfgcmd:: set interfaces openvpn <interface> server client-ip-pool stop <address> - - Configure the last IP address in the subnet's IPv4 pool to be dynamically - allocated to connecting clients. - -.. cfgcmd:: set interfaces openvpn <interface> server client-ip-pool subnet <netmask> - - **Configure the subnet mask pushed to dynamic clients.** - - Use this command only for the TAP device type. Do not use it for bridged - interfaces. - -.. cfgcmd:: set interfaces openvpn <interface> server client-ipv6-pool base <ipv6addr/bits> - - Configure the IPv6 address pool for dynamic assignment to clients. - -.. cfgcmd:: set interfaces openvpn <interface> server domain-name <name> - - Configure the DNS suffix to be pushed to all clients. - -.. cfgcmd:: set interfaces openvpn <interface> server max-connections <1-4096> - - Configure the maximum number of client connections. - -.. cfgcmd:: set interfaces openvpn <interface> server mfa totp challenge <enable | disable> - - If enabled, openvpn-otp expects a password as a result of the challenge/ - response protocol. - -.. cfgcmd:: set interfaces openvpn <interface> server mfa totp digits <1-65535> - - **Configure the number of digits to use for the** :abbr:`TOTP (Time-based - One-Time Password)` **hash.** - - Default: 6. - -.. cfgcmd:: set interfaces openvpn <interface> server mfa totp drift <1-65535> - - **Configure the time drift in seconds.** - - Default: 0. - -.. cfgcmd:: set interfaces openvpn <interface> server mfa totp slop <1-65535> - - **Configure the allowed clock slop in seconds.** - - Default: 180. - -.. cfgcmd:: set interfaces openvpn <interface> server mfa totp step <1-65535> - - **Configure the step value for** :abbr:`TOTP (Time-based One-Time Password)` - **in seconds.** - - Default: 30. - -.. cfgcmd:: set interfaces openvpn <interface> server name-server <address> - - Define the client DNS configuration to be used with the connection. - -.. cfgcmd:: set interfaces openvpn <interface> server push-route <subnet> - - Configure the route to be pushed to all clients. - -.. cfgcmd:: set interfaces openvpn <interface> server reject-unconfigured-client - - Reject connections from clients that are not explicitly configured. - -.. cfgcmd:: set interfaces openvpn <interface> server subnet <subnet> - - **Configure the IPv4 or IPv6 network.** - - This parameter is mandatory when operating in server mode. - -.. cfgcmd:: set interfaces openvpn <interface> server topology < net30 | point-to-point | subnet> - - **Configure the virtual addressing topology for** ``tun`` **mode.** - - This command does not affect ``tap`` mode, which always uses the ``subnet`` - topology. - - * ``subnet`` **(default)**: Allocates a single IP address to each connecting client. - This is the recommended topology. - * ``net30``: Allocates a /30 subnet to each connecting client. This is a legacy - topology used to support Windows clients. It is now effectively deprecated. - * ``point-to-point``: Creates a point-to-point topology where the remote - endpoint of the client’s ``tun`` interface always points to the local endpoint - of the server’s ``tun`` interface. - - Like ``subnet``, this topology allocates a single IP address per client. Use it - only if no clients run Windows operating systems. - - -.. cfgcmd:: set interfaces openvpn <interface> shared-secret-key <key> - - Configure the static secret key for a site-to-site OpenVPN connection. - -.. cfgcmd:: set interfaces openvpn <interface> tls auth-key <key> - - **Configure the TLS secret key for tls-auth.** - - This adds an HMAC signature to all SSL/TLS handshake packets to verify - integrity. - - Use ``run generate pki openvpn shared-secret install <name>`` to generate - the key. - -.. cfgcmd:: set interfaces openvpn <interface> tls ca-certificate <name> - - Configure the Certificate Authority chain in the PKI configuration. - -.. cfgcmd:: set interfaces openvpn <interface> tls certificate <name> - - Configure the certificate name in the PKI configuration. - -.. cfgcmd:: set interfaces openvpn <interface> tls crypt-key - - Configure a shared secret key to provide an additional level of security, - a variant similar to tls-auth. - -.. cfgcmd:: set interfaces openvpn <interface> tls dh-params - - Configure Diffie-Hellman parameters for server mode. - -.. cfgcmd:: set interfaces openvpn <interface> tls peer-fingerprint <text> - - Configure the peer certificate SHA256 fingerprint for site-to-site mode. - -.. cfgcmd:: set interfaces openvpn <interface> tls role <active | passive> - - **Configure the TLS negotiation role, preferably used in site-to-site mode:** - - * ``active``: Initiates TLS negotiation actively. - * ``passive``: Waits for incoming TLS connections. - -.. cfgcmd:: set interfaces openvpn <interface> tls tls-version-min <1.0 | 1.1 | 1.2 | 1.3 > - - Configure the minimum TLS version to be accepted from the peer. - -.. cfgcmd:: set interfaces openvpn <interface> use-lzo-compression - - Configure fast LZO compression on this TUN/TAP interface. - -.. cfgcmd:: set interfaces openvpn <interface> vrf <name> - - Assign the interface to a specific VRF instance. - -************** -Operation mode -************** - -.. opcmd:: show openvpn site-to-site - - Show tunnel status for OpenVPN site-to-site interfaces. - -.. opcmd:: show openvpn server - - Show tunnel status for OpenVPN server interfaces. - -.. opcmd:: show openvpn client - - Show tunnel status for OpenVPN client interfaces. - -.. opcmd:: show log openvpn - - Show logs for all OpenVPN interfaces. - -.. opcmd:: show log openvpn interface <interface> - - Show logs for the specific OpenVPN interface. - -.. opcmd:: reset openvpn client <text> - - Reset the specified OpenVPN client. - -.. opcmd:: reset openvpn interface <interface> - - Reset the OpenVPN process on the specified interface. - -.. opcmd:: generate openvpn client-config interface <interface> ca <name> certificate <name> - - Generate an OpenVPN client configuration file in the .ovpn format for client machines. - -******** -Examples -******** - -This section covers examples of OpenVPN configurations for various deployments. - -.. toctree:: - :maxdepth: 1 - :includehidden: - - openvpn-examples - -.. include:: /_include/common-references.txt diff --git a/docs/configuration/interfaces/rst-pppoe.rst b/docs/configuration/interfaces/rst-pppoe.rst deleted file mode 100644 index d2f8271c..00000000 --- a/docs/configuration/interfaces/rst-pppoe.rst +++ /dev/null @@ -1,391 +0,0 @@ -:lastproofread: 2026-03-03 - -.. _pppoe-interface: - -##### -PPPoE -##### - -:abbr:`PPPoE (Point-to-Point Protocol over Ethernet)` is a network protocol -that encapsulates PPP frames within Ethernet frames. -It's often used for connecting ISP clients to a broadband access server. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-description.txt - :var0: pppoe - :var1: pppoe0 - -.. cmdinclude:: /_include/interface-disable.txt - :var0: pppoe - :var1: pppoe0 - -.. cmdinclude:: /_include/interface-mtu.txt - :var0: pppoe - :var1: pppoe0 - -.. cmdinclude:: /_include/interface-vrf.txt - :var0: pppoe - :var1: pppoe0 - -PPPoE options -============= - -.. cfgcmd:: set interfaces pppoe <interface> access-concentrator <name> - - **Configure the name of the target access concentrator for the PPPoE session.** - - During the PPPoE discovery process, the client sends a PPPoE initiation packet. - Multiple access concentrators may respond with offer packets, and the client - selects one of them. - - This setting restricts the client to establishing sessions only with the - specified access concentrator. - -.. cfgcmd:: set interfaces pppoe <interface> authentication username <username> - - **Configure the username for PPPoE session authentication.** - - Although authentication is optional in the interface configuration, most ISPs - require it to establish a connection. - -.. cfgcmd:: set interfaces pppoe <interface> authentication password <password> - - **Configure the password for PPPoE session authentication.** - - Although authentication is optional in the interface configuration, most ISPs - require it to establish a connection. - -.. cfgcmd:: set interfaces pppoe <interface> connect-on-demand - - **Enable dial-on-demand on the PPPoE interface.** - - When enabled, the system establishes a PPPoE connection only when traffic - passes through the interface. If the connection fails, it is reestablished when - traffic resumes. - - For on-demand connections, you must also configure an ``idle-timeout`` period - to disconnect the session after inactivity. - - .. note:: Setting the idle timeout to zero, or leaving it unconfigured, keeps - the connection active continuously once established. - - By default, the PPPoE connection is established at boot and remains active - continuously; if the connection fails, it is reestablished immediately. - -.. cfgcmd:: set interfaces pppoe <interface> no-default-route - - Request an IP address from the PPPoE server without installing a default route. - - Example: - - .. code-block:: none - - set interfaces pppoe pppoe0 no-default-route - - .. note:: Introduced in VyOS 1.4, this command inverts the logic of the former - ``default-route`` CLI option. - -.. cfgcmd:: set interfaces pppoe <interface> default-route-distance <distance> - - Configure the distance for the default gateway provided by the PPPoE server. - - Example: - - .. code-block:: none - - set interfaces pppoe pppoe0 default-route-distance 220 - -.. cfgcmd:: set interfaces pppoe <interface> mru <mru> - - **Configure the** :abbr:`MRU (Maximum Receive Unit)` **for the PPPoE - interface.** - - This setting instructs the pppd daemon to restrict the remote peer from sending - packets larger than the configured MRU. Allowed MRU values range from 128 to - 16384 bytes. - - An MRU of 296 is suitable for very slow links (40 bytes for the TCP/IP header - and 256 bytes for data). - - The default MRU is 1492 bytes. - - .. note:: When using the IPv6 protocol, the MRU must be at least 1280 bytes. - -.. cfgcmd:: set interfaces pppoe <interface> idle-timeout <time> - - **Configure the idle timeout for on-demand PPPoE sessions.** - - This setting defines how long the connection remains active without any traffic - before being disconnected. - - .. note:: Setting the idle timeout to zero, or leaving it unconfigured, keeps - the connection active continuously once established. - -.. cfgcmd:: set interfaces pppoe <interface> holdoff <time> - - **Configure the redial delay for persistent PPPoE sessions.** - - If a persistent session (with ``connect-on-demand`` disabled) is terminated by - the remote peer or drops unexpectedly, the router waits the specified interval - before attempting to reconnect. - - The default redial delay is 30 seconds. - -.. cfgcmd:: set interfaces pppoe <interface> local-address <address> - - **Configure the local endpoint IP address for PPPoE sessions.** - - By default, this IP address is negotiated. - -.. cfgcmd:: set interfaces pppoe <interface> no-peer-dns - - Disable the installation of advertised DNS nameservers on the local system. - -.. cfgcmd:: set interfaces pppoe <interface> remote-address <address> - - **Configure the remote endpoint IP address for PPPoE sessions.** - - By default, this IP address is negotiated. - -.. cfgcmd:: set interfaces pppoe <interface> service-name <name> - - **Configure the service name of the target access concentrator for the PPPoE - session.** - - By default, the PPPoE interface connects to any available access concentrator. - -.. cfgcmd:: set interfaces pppoe <interface> source-interface <source-interface> - - **Configure the underlying interface for the PPPoE connection.** - - Each PPPoE connection is established over an underlying interface, which can be - an Ethernet interface, a VIF, or a bonding interface. - -.. cfgcmd:: set interfaces pppoe <interface> ip adjust-mss <mss | clamp-mss-to-pmtu> - - **Configure the** :abbr:`MSS (Maximum Segment Size)` **advertised in outgoing - TCP SYN packets on the specified interface.** - - By clamping the MSS value in TCP SYN packets, you instruct the remote side not - to send packets larger than the specified size. This helps prevent connection - issues if :abbr:`PMTUD (Path MTU Discovery)` fails. - - The following options are available: - - * ``mss``: Sets the MSS to a specific value in bytes. - * ``clamp-mss-to-pmtu``: Sets the MSS to the interface’s MTU minus 40 bytes for - IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). - This option is recommended to automatically set the proper value. - - .. note:: Introduced in VyOS 1.4, this command replaces the older ``set firewall - options interface <name> adjust-mss <value>`` syntax. - -.. cfgcmd:: set interfaces pppoe <interface> ip disable-forwarding - - **Configure the interface for host or router behavior.** - - If configured, the interface switches to host mode, and IPv4 forwarding is - disabled on it. - -.. cfgcmd:: set interfaces pppoe <interface> ip source-validation <strict | loose | disable> - - **Configure source IP address validation using** - :abbr:`RPF (Reverse Path Forwarding)` **on this interface, as specified in** - :rfc:`3704`. - - The following options are available: - - * ``strict``: Each incoming packet’s source IP address is checked against the - :abbr:`FIB (Forwarding Information Base)`. If the interface is not the best - route back to that source, validation fails, and the packet is dropped. - * ``loose``: Each incoming packet’s source IP address is checked against the - :abbr:`FIB (Forwarding Information Base)`. If the source IP address is - unreachable through any interface, validation fails. - * ``disable``: No source IP address validation is performed. All incoming - packets are accepted. - - :rfc:`3704` recommends enabling ``strict`` mode to prevent IP spoofing, such as - DDoS attacks. For asymmetric or other complex routing scenarios, use ``loose`` - mode. - -IPv6 ----- - -.. cfgcmd:: set interfaces pppoe <interface> ipv6 address autoconf - - Enable IPv6 address assignment via :abbr:`SLAAC (Stateless Address - Auto-Configuration)` on this interface. - -.. cfgcmd:: set interfaces pppoe <interface> ipv6 adjust-mss <mss | clamp-mss-to-pmtu> - - **Configure the** :abbr:`MSS (Maximum Segment Size)` **advertised in outgoing - TCP SYN packets on the specified interface.** - - By clamping the MSS value in TCP SYN packets, you instruct the remote side not - to send packets larger than the specified size. This helps prevent connection - issues if :abbr:`PMTUD (Path MTU Discovery)` fails. - - The following options are available: - - * ``mss``: Sets the MSS to a specific value in bytes. - * ``clamp-mss-to-pmtu``: Sets the MSS to the interface’s MTU minus 60 bytes for - IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). - This option is recommended to automatically set the proper value. - - .. note:: Introduced in VyOS 1.4, this command replaces the older ``set firewall - options interface <name> adjust-mss <value>`` syntax. - - -.. cfgcmd:: set interfaces pppoe <interface> ipv6 disable-forwarding - - **Configure the interface for host or router behavior.** - - If configured, the interface switches to host mode, and IPv6 forwarding is - disabled on it. - -.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt - :var0: pppoe - :var1: pppoe0 - -********* -Operation -********* - -.. opcmd:: show interfaces pppoe <interface> - - Show detailed information about a specific PPPoE interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces pppoe pppoe0 - pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3 - link/ppp - inet 192.0.2.1 peer 192.0.2.255/32 scope global pppoe0 - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 7002658233 5064967 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 533822843 1620173 0 0 0 0 - -.. opcmd:: show interfaces pppoe <interface> queue - - Show queue information for a specific PPPoE interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces pppoe pppoe0 queue - qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 - Sent 534625359 bytes 1626761 pkt (dropped 62, overlimits 0 requeues 0) - backlog 0b 0p requeues 0 - -Connect/disconnect -================== - -.. opcmd:: disconnect interface <interface> - - Disconnect the specified interface. - -.. opcmd:: connect interface <interface> - - Initiate a session on the specified interface. - -******* -Example -******* - -PPPoE over DSL -============== - -**Configuration scenario:** - -* Your ISP's DSL modem is connected to the ``eth0`` interface on your VyOS - router. -* Your ISP does not require VLAN tagging. -* PPPoE credentials are provided by your ISP. The typical username format is - ``name@host.net``, though this may vary. - -**Configuration notes:** - -* The maximum MTU size for DSL is 1492 because of PPPoE overhead. If you are - switching from a DHCP-based ISP (e.g., a standard cable connection), ensure - VPN links have MTU sizes adjusted accordingly. -* To ignore ISP-provided nameservers and use only your statically configured - ones, set the ``name-server`` option to ``none``. -* A default route is automatically installed once the interface is up. To - change this behavior, use the ``no-default-route`` CLI option. - -.. note:: The PPPoE configuration syntax changed after VyOS 1.2 (Crux) and is - automatically migrated during an upgrade. - - -.. code-block:: none - - set interfaces pppoe pppoe0 authentication username 'userid' - set interfaces pppoe pppoe0 authentication password 'secret' - set interfaces pppoe pppoe0 source-interface 'eth0' - - -Secure your setup by creating rules matching the ``pppoe0`` interface in the -firewall chains: - -.. code-block:: none - - set firewall ipv4 input filter rule 10 inbound-interface name 'pppoe0' - set firewall ipv4 forward filter rule 10 inbound-interface name 'pppoe0' - - -PPPoE over VLAN -=============== - -Some ISPs require PPPoE connections to be -established over a VLAN interface. This specific topology is fully supported by -VyOS. - -The following configuration establishes the PPPoE connection through VLAN 7, -which is the default VLAN for Deutsche Telekom: - -.. code-block:: none - - set interfaces pppoe pppoe0 authentication username 'userid' - set interfaces pppoe pppoe0 authentication password 'secret' - set interfaces pppoe pppoe0 source-interface 'eth0.7' - - -IPv6 DHCPv6 prefix delegation ------------------------------ - -.. stop_vyoslinter - -**Configuration scenario:** - -The following configuration establishes a PPPoE session on the ``eth1`` -interface, requests a ``/56`` IPv6 prefix delegation from the ISP, and assigns -a ``/64`` subnet from that delegation to the ``eth0`` interface. - -**Configuration notes:** - -* The IPv6 address assigned to ``eth0`` is ``<prefix>::1/64``. -* If you do not know your delegated prefix size, begin with ``sla-len 0``. -* To advertise the prefix on the ``eth0`` link, configure IPv6 Router - Advertisement. - -.. start_vyoslinter - -.. code-block:: none - - set interfaces pppoe pppoe0 authentication username vyos - set interfaces pppoe pppoe0 authentication password vyos - set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 address '1' - set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 sla-id '0' - set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56' - set interfaces pppoe pppoe0 ipv6 address autoconf - set interfaces pppoe pppoe0 source-interface eth1 - - set service router-advert interface eth0 prefix ::/64 diff --git a/docs/configuration/interfaces/rst-pseudo-ethernet.rst b/docs/configuration/interfaces/rst-pseudo-ethernet.rst deleted file mode 100644 index cb42fafc..00000000 --- a/docs/configuration/interfaces/rst-pseudo-ethernet.rst +++ /dev/null @@ -1,54 +0,0 @@ -:lastproofread: 2026-03-05 - -.. _pseudo-ethernet-interface: - -######################### -MACVLAN (pseudo-Ethernet) -######################### - -MACVLAN, or pseudo-Ethernet interfaces, operate as logical subinterfaces of -standard Ethernet interfaces. Each subinterface has a unique MAC address but -shares a single physical Ethernet port. -That allows the user to send packets from different source IPv4 or IPv6 addresses -using a different MAC address. - - -Pseudo-Ethernet interfaces behave like physical Ethernet interfaces. They -support IPv4 and IPv6 addressing, can obtain IP addresses through DHCP or -DHCPv6, and are mapped to a physical Ethernet port. They inherit -characteristics such as speed and duplex from their parent interface and can -be referenced like standard Ethernet interfaces once created. - - -Pseudo-Ethernet interfaces may not work in environments that require a - :abbr:`NIC (Network Interface Card)` to have only one MAC address. - This includes: - - * VMware machines with default settings. - * Network switches that permit only a single MAC address. - * xDSL modems that learn the NIC's MAC address. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-common-with-dhcp.txt - :var0: pseudo-ethernet - :var1: peth0 - -MACVLAN (pseudo-Ethernet) options -================================= - -.. cfgcmd:: set interfaces pseudo-ethernet <interface> source-interface <ethX> - - Assign a physical Ethernet interface to the specified pseudo-Ethernet interface. - -VLAN -==== - -.. cmdinclude:: /_include/interface-vlan-8021q.txt - :var0: pseudo-ethernet - :var1: peth0 diff --git a/docs/configuration/interfaces/rst-sstp-client.rst b/docs/configuration/interfaces/rst-sstp-client.rst deleted file mode 100644 index 9c6c6e9b..00000000 --- a/docs/configuration/interfaces/rst-sstp-client.rst +++ /dev/null @@ -1,158 +0,0 @@ -:lastproofread: 2026-03-16 - -.. _sstp-client-interface: - -########### -SSTP client -########### - -:abbr:`SSTP (Secure Socket Tunneling Protocol)` transports PPP traffic over an -SSL/TLS channel, providing transport-level security through key negotiation, -encryption, and traffic integrity checking. The use of SSL/TLS over TCP port -443 (by default, the port can be changed) allows SSTP to pass through virtually -all firewalls and proxy servers, except for authenticated web proxies. - -.. note:: VyOS includes a built-in SSTP server. For more information, see - :ref:`sstp`. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-description.txt - :var0: sstpc - :var1: sstpc0 - -.. cmdinclude:: /_include/interface-disable.txt - :var0: sstpc - :var1: sstpc0 - -.. cmdinclude:: /_include/interface-mtu.txt - :var0: sstpc - :var1: sstpc0 - -.. cmdinclude:: /_include/interface-vrf.txt - :var0: sstpc - :var1: sstpc0 - -SSTP client options -=================== - -.. cfgcmd:: set interfaces sstpc <interface> no-default-route - - Request an IP address from the SSTP server without installing a default route. - - Example: - - .. code-block:: none - - set interfaces sstpc sstpc0 no-default-route - - .. note:: Introduced in VyOS 1.4, this command inverts the logic of the former - ``default-route`` CLI option. - -.. cfgcmd:: set interfaces sstpc <interface> default-route-distance <distance> - - Configure the distance for the default gateway provided by the SSTP server. - - Example: - - .. code-block:: none - - set interfaces sstpc sstpc0 default-route-distance 220 - -.. cfgcmd:: set interfaces sstpc <interface> no-peer-dns - - Disable the installation of advertised DNS nameservers on the local system. - -.. cfgcmd:: set interfaces sstpc <interface> server <address> - - **Configure the remote SSTP server address for the client connection.** - - The address can be either an IP address or a :abbr:`FQDN (Fully Qualified - Domain Name)`. - -.. cfgcmd:: set interfaces sstpc <interface> ip adjust-mss <mss | clamp-mss-to-pmtu> - - **Configure the** :abbr:`MSS (Maximum Segment Size)` **advertised in outgoing - TCP SYN packets on the specified interface.** - - By clamping the MSS value in TCP SYN packets, you instruct the remote side not - to send packets larger than the specified size. This helps prevent connection - issues if :abbr:`PMTUD (Path MTU Discovery)` fails. - - The following options are available: - - * ``mss``: Sets the MSS to a specific value in bytes. - * ``clamp-mss-to-pmtu``: Sets the MSS to the interface’s MTU minus 40 bytes for - IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). - This option is recommended to automatically set the proper value. - - .. note:: Introduced in VyOS 1.4, this command replaces the older ``set firewall - options interface <name> adjust-mss <value>`` syntax. - -.. cfgcmd:: set interfaces sstpc <interface> ip disable-forwarding - - **Configure the interface for host or router behavior.** - - If configured, the interface switches to host mode, and IPv4 forwarding is - disabled on it. - -.. cfgcmd:: set interfaces sstpc <interface> ip source-validation <strict | loose | disable> - - **Configure source IP address validation using** - :abbr:`RPF (Reverse Path Forwarding)` **on this interface, as specified in** - :rfc:`3704`. - - The following options are available: - - * ``strict``: Each incoming packet’s source IP address is checked against the - :abbr:`FIB (Forwarding Information Base)`. If the interface is not the best - route back to that source, validation fails, and the packet is dropped. - * ``loose``: Each incoming packet’s source IP address is checked against the - :abbr:`FIB (Forwarding Information Base)`. If the source IP address is - unreachable through any interface, validation fails. - * ``disable``: No source IP address validation is performed. All incoming - packets are accepted. - - :rfc:`3704` recommends enabling ``strict`` mode to prevent IP spoofing, such as - DDoS attacks. For asymmetric or other complex routing scenarios, use ``loose`` - mode. - -********* -Operation -********* - -.. opcmd:: show interfaces sstpc <interface> - - Show detailed information about the specified interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces sstpc sstpc10 - sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3 - link/ppp - inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10 - valid_lft forever preferred_lft forever - inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 215 9 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 539 14 0 0 0 0 - - -Connect/disconnect -================== - -.. opcmd:: disconnect interface <interface> - - Disconnect the specified interface. - -.. opcmd:: connect interface <interface> - - Initiate a session on the specified interface. diff --git a/docs/configuration/interfaces/rst-tunnel.rst b/docs/configuration/interfaces/rst-tunnel.rst deleted file mode 100644 index f1376cdf..00000000 --- a/docs/configuration/interfaces/rst-tunnel.rst +++ /dev/null @@ -1,308 +0,0 @@ -:lastproofread: 2026-01-23 - -.. _tunnel-interface: - -###### -Tunnel -###### - -Tunnel interfaces are virtual links that transmit encapsulated traffic between -private networks or hosts across public infrastructure, such as the Internet. -They operate using encapsulation protocols to wrap original traffic for -transport. The supported protocols include :abbr:`GRE (Generic Routing -Encapsulation)`, IPIP, IPIP6, IP6IP6, and 6in4 (SIT). - -While :abbr:`GRE (Generic Routing Encapsulation)` is often the preferred -one-size-fits-all solution due to its versatility, other encapsulation -protocols may be better suited for specific use cases. - -VyOS uses a single tunnel interface type for all of these protocols. There are -no separate :abbr:`GRE (Generic Routing Encapsulation)`, IPIP, or IP6IP6 -interface types; instead, the desired encapsulation protocol is selected within -the ``set interfaces tunnel`` configuration. - -Configuration options for each protocol are described below. - -.. warning:: Do not change the encapsulation type for already configured tunnel - interfaces, as this may break their dependent configurations. - -Common interface configuration ------------------------------- - -.. cmdinclude:: /_include/interface-address.txt - :var0: tunnel - :var1: tun0 - -.. cmdinclude:: /_include/interface-common-without-mac.txt - :var0: tunnel - :var1: tun0 - -IPIP ----- - -IPIP is a straightforward encapsulation protocol defined in RFC 2003. It -encapsulates one IPv4 packet inside another IPv4 packet. - -Tunnels with IPIP encapsulation do not have protocol-specific configuration -options except for explicitly defining the encapsulation type as IPIP (see -the example below). - -Example: - -.. code-block:: none - - set interfaces tunnel tun0 encapsulation ipip - set interfaces tunnel tun0 source-address 192.0.2.10 - set interfaces tunnel tun0 remote 203.0.113.20 - set interfaces tunnel tun0 address 192.168.100.200/24 - -IP6IP6 ------- - -IP6IP6 is the IPv6 counterpart to IPIP. It encapsulates one IPv6 packet inside -another IPv6 packet. - -Similar to their IPIP counterparts, tunnels with IP6IP6 encapsulation do not -have protocol-specific configuration options except for explicitly defining -the encapsulation type as IP6IP6. - -Example: - -.. code-block:: none - - set interfaces tunnel tun0 encapsulation ip6ip6 - set interfaces tunnel tun0 source-address 2001:db8:aa::1 - set interfaces tunnel tun0 remote 2001:db8:aa::2 - set interfaces tunnel tun0 address 2001:db8:bb::1/64 - -IPIP6 ------ - -IPIP6 is an encapsulation protocol that wraps IPv4 packets inside IPv6 packets. - -Similar to IPIP and IP6IP6, protocol-specific configuration for tunnels with -IPIP6 encapsulation only requires defining the encapsulation type as IP6IP6. - -Example: - -.. code-block:: none - - set interfaces tunnel tun0 encapsulation ipip6 - set interfaces tunnel tun0 source-address 2001:db8:aa::1 - set interfaces tunnel tun0 remote 2001:db8:aa::2 - set interfaces tunnel tun0 address 192.168.70.80/24 - -6in4 (SIT) ----------- - -6in4, also known as :abbr:`SIT (Simple Internet Transition)`, is an -encapsulation protocol defined in :rfc:`4213` that wraps IPv6 packets -inside IPv4 packets. The encapsulating IPv4 headers use IP protocol number 41, -which is reserved exclusively for IPv6 encapsulation. - -The encapsulation process adds a 20-byte IPv4 header to each IPv6 packet. -Consequently, 6in4 tunnel interfaces can transmit IPv6 packets up to 1480 bytes -over an underlying network with a standard MTU of 1500 bytes without -fragmentation. - -6in4 tunnel interfaces are frequently used by IPv6 tunnel brokers (such as -`Hurricane Electric`_) to connect isolated IPv6 networks or individual hosts to -the IPv6 internet. - -Example: - -.. code-block:: none - - set interfaces tunnel tun0 encapsulation sit - set interfaces tunnel tun0 source-address 192.0.2.10 - set interfaces tunnel tun0 remote 192.0.2.20 - set interfaces tunnel tun0 address 2001:db8:bb::1/64 - -.. seealso:: For a practical configuration example, see the - :ref:`Tunnelbroker.net (IPv6) <examples-tunnelbroker-ipv6>` section. - -Generic Routing Encapsulation (GRE) ------------------------------------ - -:abbr:`GRE (Generic Routing Encapsulation)` is a versatile encapsulation -protocol defined in RFC 2784. Unlike simpler protocols such as IPIP, it allows -both IPv4 and IPv6 to be transported through the same tunnel. - -:abbr:`GRE (Generic Routing Encapsulation)` encapsulates original data packets -by adding a :abbr:`GRE (Generic Routing Encapsulation)` header, followed by an -IP header (the delivery header). The delivery header uses IP protocol number 47 -to identify :abbr:`GRE (Generic Routing Encapsulation)`-encapsulated traffic. - -In VyOS, :abbr:`GRE (Generic Routing Encapsulation)` tunnels can be established -over both IPv4 (encapsulation ``gre``) and IPv6 (encapsulation ``ip6gre``) -transport networks. - - -Configuration -^^^^^^^^^^^^^ - -To configure a :abbr:`GRE (Generic Routing Encapsulation)` tunnel, you need to -define a tunnel source IP address, a tunnel destination IP address, an -encapsulation type (:abbr:`GRE (Generic Routing Encapsulation)`), and a tunnel -interface IP address. - -Example: - -The following example shows how to configure an IPv4/IPv6-over-IPv6 :abbr:`GRE -(Generic Routing Encapsulation)` tunnel between a VyOS router and a Linux host -running ``systemd-networkd``. - -**VyOS router:** - -.. code-block:: none - - set interfaces tunnel tun101 address '2001:db8:feed:beef::1/126' - set interfaces tunnel tun101 address '192.168.5.1/30' - set interfaces tunnel tun101 encapsulation 'ip6gre' - set interfaces tunnel tun101 source-address '2001:db8:babe:face::3afe:3' - set interfaces tunnel tun101 remote '2001:db8:9bb:3ce::5' - -**Linux** ``systemd-networkd``: - -The ``systemd-networkd`` setup requires two configuration files: ``xxx.netdev`` -to create the :abbr:`GRE (Generic Routing Encapsulation)` tunnel interface, and -``xxx.network`` to assign IP addresses to it. - -.. code-block:: none - - # cat /etc/systemd/network/gre-example.netdev - [NetDev] - Name=gre-example - Kind=ip6gre - MTUBytes=14180 - - [Tunnel] - Remote=2001:db8:babe:face::3afe:3 - - - # cat /etc/systemd/network/gre-example.network - [Match] - Name=gre-example - - [Network] - Address=2001:db8:feed:beef::2/126 - - [Address] - Address=192.168.5.2/30 - -GRE keys -^^^^^^^^ - -A GRE key is an optional 32-bit field in the GRE header that allows multiple -GRE tunnels to operate between the same source and destination endpoints. When -a packet arrives, the receiver checks the GRE key to determine which tunnel -interface should process it. - -Although it may sound security-related, the GRE key is only an identifier and -provides no encryption or data protection. - -Example: - -.. code-block:: none - - set interfaces tunnel tun0 source-address 192.0.2.10 - set interfaces tunnel tun0 remote 192.0.2.20 - set interfaces tunnel tun0 address 10.40.50.60/24 - set interfaces tunnel tun0 parameters ip key 10 - -.. code-block:: none - - set interfaces tunnel tun1 source-address 192.0.2.10 - set interfaces tunnel tun1 remote 192.0.2.20 - set interfaces tunnel tun1 address 172.16.17.18/24 - set interfaces tunnel tun1 parameters ip key 20 - -GRETAP -^^^^^^^ - -Unlike GRE, which encapsulates only Layer 3 (IP) traffic, GRETAP encapsulates -Layer 2 (Ethernet) frames. - -That means that GRETAP tunnel interfaces can be members of a bridge interface. -This allows two geographically distant sites to connect as if they were on the -same LAN. - -GRETAP tunnels can be established over both IPv4 and IPv6 transport networks. - -Example: - -.. code-block:: none - - set interfaces bridge br0 member interface eth0 - set interfaces bridge br0 member interface tun0 - set interfaces tunnel tun0 encapsulation gretap - set interfaces tunnel tun0 source-address 198.51.100.2 - set interfaces tunnel tun0 remote 203.0.113.10 - - -Troubleshooting -^^^^^^^^^^^^^^^ - -GRE is a standardized tunneling protocol used in many network environments. - -Although the GRE tunnel setup is straightforward, connectivity failures -frequently occur because ACLs or firewall rules block IP protocol 47 or -prevent direct communication between the tunnel endpoints. - -If your GRE tunnel fails to establish, perform these diagnostic steps: - -1. Verify that the remote peer is reachable from the configured -``source-address``. - -This ensures that the underlying physical path between the two endpoints is -functional. - -.. code-block:: none - - vyos@vyos:~$ ping 203.0.113.10 interface 198.51.100.2 count 4 - PING 203.0.113.10 (203.0.113.10) from 198.51.100.2 : 56(84) bytes of data. - 64 bytes from 203.0.113.10: icmp_seq=1 ttl=254 time=0.807 ms - 64 bytes from 203.0.113.10: icmp_seq=2 ttl=254 time=1.50 ms - 64 bytes from 203.0.113.10: icmp_seq=3 ttl=254 time=0.624 ms - 64 bytes from 203.0.113.10: icmp_seq=4 ttl=254 time=1.41 ms - - --- 203.0.113.10 ping statistics --- - 4 packets transmitted, 4 received, 0% packet loss, time 3007ms - rtt min/avg/max/mdev = 0.624/1.087/1.509/0.381 ms - -2. Verify that the tunnel interface is correctly configured (with the link type -set to GRE) and is actively processing traffic. - -.. code-block:: none - - vyos@vyos:~$ show interfaces tunnel tun100 - tun100@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000 - link/gre 198.51.100.2 peer 203.0.113.10 - inet 10.0.0.1/30 brd 10.0.0.3 scope global tun100 - valid_lft forever preferred_lft forever - inet6 fe80::5efe:c612:2/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 2183 27 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 836 9 0 0 0 0 - -3. Test the connection through the tunnel using the private IP addresses -assigned to each tunnel endpoint. - -.. code-block:: none - - vyos@vyos:~$ ping 10.0.0.2 interface 10.0.0.1 count 4 - PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data. - 64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=1.05 ms - 64 bytes from 10.0.0.2: icmp_seq=2 ttl=255 time=1.88 ms - 64 bytes from 10.0.0.2: icmp_seq=3 ttl=255 time=1.98 ms - 64 bytes from 10.0.0.2: icmp_seq=4 ttl=255 time=1.98 ms - - --- 10.0.0.2 ping statistics --- - 4 packets transmitted, 4 received, 0% packet loss, time 3008ms - rtt min/avg/max/mdev = 1.055/1.729/1.989/0.395 ms - -.. _`other proposals`: https://www.isc.org/othersoftware/ -.. _`Hurricane Electric`: https://tunnelbroker.net/ diff --git a/docs/configuration/interfaces/rst-virtual-ethernet.rst b/docs/configuration/interfaces/rst-virtual-ethernet.rst deleted file mode 100644 index 5df7e962..00000000 --- a/docs/configuration/interfaces/rst-virtual-ethernet.rst +++ /dev/null @@ -1,117 +0,0 @@ -:lastproofread: 2026-01-26 - -.. _virtual-ethernet: - -################ -Virtual Ethernet -################ - -Virtual Ethernet (veth) interfaces are software-based interfaces that operate -in pairs, creating a tunnel between each other. Traffic transmitted into one -interface of the pair (e.g., ``veth0``) is delivered directly to its peer -interface (e.g., ``veth1``). - -Veth interfaces are commonly used to connect network namespaces or VRFs, but -they can also function as standalone virtual network interfaces. - -.. note:: Veth interfaces must be created in pairs, where each interface acts - as the peer of the other. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-address-with-dhcp.txt - :var0: virtual-ethernet - :var1: veth0 - -.. cmdinclude:: /_include/interface-description.txt - :var0: virtual-ethernet - :var1: veth0 - -VLAN -==== - -Regular VLANs (802.1q) ----------------------- -.. cmdinclude:: /_include/interface-vlan-8021q.txt - :var0: virtual-ethernet - :var1: veth0 - -802.1ad (QinQ) --------------- - -.. cmdinclude:: /_include/interface-vlan-8021ad.txt - :var0: virtual-ethernet - :var1: veth0 - -.. cmdinclude:: /_include/interface-disable.txt - :var0: virtual-ethernet - :var1: veth0 - -.. cmdinclude:: /_include/interface-vrf.txt - :var0: virtual-ethernet - :var1: veth0 - -********* -Operation -********* - -.. opcmd:: show interfaces virtual-ethernet - - Show brief interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces virtual-ethernet - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - veth10 100.64.0.0/31 u/u - veth11 100.64.0.1/31 u/u - -.. opcmd:: show interfaces virtual-ethernet <interface> - - Show detailed interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces virtual-ethernet veth11 - 10: veth11@veth10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP group default qlen 1000 - link/ether b2:7b:df:47:e9:11 brd ff:ff:ff:ff:ff:ff - inet 100.64.0.1/31 scope global veth11 - valid_lft forever preferred_lft forever - inet6 fe80::b07b:dfff:fe47:e911/64 scope link - valid_lft forever preferred_lft forever - - - RX: bytes packets errors dropped overrun mcast - 0 0 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 1369707 4267 0 0 0 0 - -******* -Example -******* - -The following example shows how to connect the global VRF to VRF ‘red ‘ using -the ``veth10`` and ``veth11`` veth pair. - -.. code-block:: none - - set interfaces virtual-ethernet veth10 address '100.64.0.0/31' - set interfaces virtual-ethernet veth10 peer-name 'veth11' - set interfaces virtual-ethernet veth11 address '100.64.0.1/31' - set interfaces virtual-ethernet veth11 peer-name 'veth10' - set interfaces virtual-ethernet veth11 vrf 'red' - set vrf name red table '1000' - - vyos@vyos:~$ ping 100.64.0.1 - PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data. - 64 bytes from 100.64.0.1: icmp_seq=1 ttl=64 time=0.080 ms - 64 bytes from 100.64.0.1: icmp_seq=2 ttl=64 time=0.119 ms - - diff --git a/docs/configuration/interfaces/rst-vti.rst b/docs/configuration/interfaces/rst-vti.rst deleted file mode 100644 index e45c17d9..00000000 --- a/docs/configuration/interfaces/rst-vti.rst +++ /dev/null @@ -1,115 +0,0 @@ -.. _vti-interface: - -############################## -VTI (virtual tunnel interface) -############################## - -:abbr:`VTIs (virtual tunnel interfaces)` let you create secure, encrypted -tunnels between private networks or hosts across public infrastructure, such as -the Internet. They operate alongside an underlying IPsec tunnel, which handles -encapsulation and encryption, while VTIs function exclusively as routing -interfaces. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-address.txt - :var0: vti - :var1: vti0 - -.. cmdinclude:: /_include/interface-description.txt - :var0: vti - :var1: vti0 - -.. cmdinclude:: /_include/interface-disable.txt - :var0: vti - :var1: vti0 - -.. cmdinclude:: /_include/interface-ip.txt - :var0: vti - :var1: vti0 - -.. cmdinclude:: /_include/interface-ipv6.txt - :var0: vti - :var1: vti0 - -.. cmdinclude:: /_include/interface-mtu.txt - :var0: vti - :var1: vti0 - -.. cfgcmd:: set interfaces vti <interface> mirror egress <monitor-interface> - - Configure mirroring of outgoing traffic from the specified VTI to the - designated monitor interface. - -.. cfgcmd:: set interfaces vti <interface> mirror ingress <monitor-interface> - - Configure mirroring of incoming traffic from the specified VTI to the - designated monitor interface. - -.. cfgcmd:: set interfaces vti <interface> redirect <interface> - - Enable redirection of incoming packets to the specified interface. - -.. cmdinclude:: /_include/interface-vrf.txt - :var0: vti - :var1: vti0 - -********* -Operation -********* - -.. opcmd:: show interfaces vti <vtiX> - - Show the operational status and traffic statistics for the specified VTI. - -.. opcmd:: show interfaces vti <vtiX> brief - - Show a brief operational status summary for the specified VTI. - - -******* -Example -******* - -**Configure a VTI** - -Assign IPv4 and IPv6 addresses to the VTI, along with a brief description: - -.. code-block:: none - - set interfaces vti vti0 address 192.168.2.249/30 - set interfaces vti vti0 address 2001:db8:2::249/64 - set interfaces vti vti0 description "Description" - -Resulting configuration: - -.. code-block:: none - - vyos@vyos# show interfaces vti - vti vti0 { - address 192.168.2.249/30 - address 2001:db8:2::249/64 - description "Description" - } - -.. warning:: When configuring site-to-site IPsec with VTIs, ensure that route - autoinstall is disabled. - -.. code-block:: none - - set vpn ipsec options disable-route-autoinstall - -For more information about the IPsec and VTI issue, as well as the -``disable-route-autoinstall`` option, see: -https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july. - -The root cause of the problem is that VTI tunnels require their traffic -selectors to be set to ``0.0.0.0/0`` for traffic to match the tunnel, even -though routing decisions are based on netfilter marks. Unless route insertion -is explicitly disabled, strongSWAN incorrectly inserts a default route through -the VTI peer address, causing all traffic to be misrouted. diff --git a/docs/configuration/interfaces/rst-vxlan.rst b/docs/configuration/interfaces/rst-vxlan.rst deleted file mode 100644 index 0d357e9b..00000000 --- a/docs/configuration/interfaces/rst-vxlan.rst +++ /dev/null @@ -1,358 +0,0 @@ -:lastproofread: 2026-03-16 - -.. _vxlan-interface: - -##### -VXLAN -##### - -:abbr:`VXLAN (Virtual Extensible LAN)` is a network virtualization technology -that addresses scalability challenges in large cloud computing environments. -It encapsulates Ethernet frames (Layer 2) within UDP datagrams (Layer 4), which -are then transmitted via UDP port 4789, as assigned by IANA. VXLAN endpoints, -called :abbr:`VTEPs (VXLAN tunnel endpoints)`, terminate VXLAN tunnels and can -be either virtual or physical switch ports. - -VXLAN supports up to 16 million logical networks and enables Layer 2 adjacency -across Layer 3 IP networks. It uses multicast or unicast with head-end -replication (HER) to flood broadcast, unknown unicast, and multicast (BUM) -traffic. - -The VXLAN specification was initially developed by VMware, Arista Networks, and -Cisco. Other supporters include Huawei, Broadcom, Citrix, Pica8, Big Switch -Networks, Cumulus Networks, Dell EMC, Ericsson, Mellanox, FreeBSD, OpenBSD, Red -Hat, Joyent, and Juniper Networks. - -VXLAN is officially documented by the IETF in :rfc:`7348`. - -When configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing -(Hyper-V) or Forged Transmits (ESX) are permitted. Otherwise, the hypervisor -may block forwarded frames. - -.. note:: Although the IANA-assigned VXLAN port is **4789**, VyOS uses the - Linux default UDP port **8472** for VXLAN interfaces. To ensure compatibility - with other vendors, set the port to the IANA standard **4789**. - -Configuration -============= - -Common interface configuration ------------------------------- - -.. cmdinclude:: /_include/interface-common-without-dhcp.txt - :var0: vxlan - :var1: vxlan0 - -VXLAN-specific options ------------------------ - -.. cfgcmd:: set interfaces vxlan <interface> vni <number> - - **Configure a** :abbr:`VNI (VXLAN Network Identifier)` **for the VXLAN - interface.** - - Each VXLAN segment is identified by this 24-bit VNI, allowing up to 16 million - segments to coexist within the same administrative domain. - -.. cfgcmd:: set interfaces vxlan <interface> port <port> - - Configure the UDP port of the remote VXLAN endpoint. - - .. note:: Although the IANA-assigned VXLAN port is **4789**, VyOS uses the - Linux default UDP port **8472** for VXLAN interfaces. - -.. cfgcmd:: set interfaces vxlan <interface> source-address <address> - - Configure the source IP address for the VXLAN underlay. - - .. warning:: This setting is mandatory when deploying VXLAN via L2VPN/EVPN. - -.. cfgcmd:: set interfaces vxlan <interface> gpe - - **Enable the** :abbr:`GPE (Generic Protocol Extension)` **for the VXLAN - interface.** - - To use this feature, you must configure the interface with the ``external`` - parameter. - -.. cfgcmd:: set interfaces vxlan <interface> parameters external - - **Configure the VXLAN interface to use an external control plane, such as BGP - L2VPN/EVPN, for remote endpoint discovery.** - - If not configured, the internal :abbr:`FDB (Forwarding Database)` is used. - -.. cfgcmd:: set interfaces vxlan <interface> parameters neighbor-suppress - - **Enable ARP and ND suppression on the VXLAN interface.** - - This reduces ARP and ND message flooding across the VXLAN network. As defined - in :rfc:`7432#section-10`, participating VTEPs use known MAC-to-IP bindings - to reply to local requests on behalf of remote hosts. - -.. cfgcmd:: set interfaces vxlan <interface> parameters nolearning - - Disable :abbr:`SLLA (Source Link-Layer Address)` and IP address learning on - the VXLAN interface. - -.. cfgcmd:: set interfaces vxlan <interface> parameters vni-filter - - **Enable** :abbr:`VNI (VXLAN Network Identifier)` **filtering on the VXLAN - interface.** - - When enabled, the interface only receives packets with VNIs configured in its - VNI filtering table. - - .. note:: VNI filtering works only if the interface is configured with the - ``external`` parameter. - -Unicast -^^^^^^^ - -.. cfgcmd:: set interfaces vxlan <interface> remote <address> - - **Configure the IPv4 or IPv6 address of the remote VTEP.** - - Unlike multicast setups, this command allows you to directly configure the - remote IPv4 or IPv6 address. - -Multicast -^^^^^^^^^ - -.. cfgcmd:: set interfaces vxlan <interface> source-interface <interface> - - **Configure the source interface for the VXLAN underlay.** - - All VXLAN traffic is sent and received through the specified interface. - - This setting is mandatory when deploying VXLAN over a multicast network. - -.. cfgcmd:: set interfaces vxlan <interface> group <address> - - **Configure the IPv4 or IPv6 multicast group address for the VXLAN interface.** - - VXLAN tunnels can be built using either multicast group or unicast IP addresses. - -Multicast VXLAN -=============== - -Topology: PC4 - Leaf2 - Spine1 - Leaf3 - PC5 - -PC4 uses the IP address ``10.0.0.4/24``, and PC5 uses the IP address -``10.0.0.5/24``. Both devices assume they reside within the same broadcast -domain. - -Assume PC4 on Leaf2 pings PC5 on Leaf3. Rather than manually specifying Leaf3 -as the remote endpoint, Leaf2 encapsulates the packet into a UDP datagram and -sends it to the designated multicast address via Spine1. Spine1 forwards the -packet to all leaves in the same multicast group, including Leaf3. Upon -receiving the datagram, Leaf3 forwards it to PC5 and learns that PC4 is -reachable through Leaf2 by inspecting the source IP in the encapsulated -datagram. - -PC5 receives the ping and responds with an echo reply. Leaf3, now aware of -PC4's location, forwards the reply directly to Leaf2's unicast address. Upon -receiving the echo reply, Leaf2 learns that PC5 is reachable through Leaf3. - -After this discovery, subsequent traffic between PC4 and PC5 will not use the -multicast address between the leaves, as both leaves have learned the PCs' -locations. This reduces multicast traffic and network load, improving -scalability as more leaves are added. - -Single VXLAN device (SVD) -========================= - -In VyOS, you can configure multiple **VLAN-to-VNI mappings** for EVPN-VXLAN on -a single container interface, known as a single VXLAN device (SVD). This -enables significant VNI scaling because a separate VXLAN interface is not -required for each VNI. - -.. cfgcmd:: set interfaces vxlan <interface> vlan-to-vni <vlan> vni <vni> - - **Map a VLAN ID to a VNI on the specified VXLAN interface.** - - The VXLAN interface can be added to a bridge. - - The following example shows an SVD configuration with multiple VLAN-to-VNI - mappings. - - .. code-block:: none - - set interfaces bridge br0 member interface vxlan0 - set interfaces vxlan vxlan0 parameters external - set interfaces vxlan vxlan0 source-interface 'dum0' - set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' - set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' - set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' - set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031' - -Example -------- - -The following example demonstrates a multicast VXLAN deployment. - -The setup includes three routers: Spine1, a Cisco IOS router, and Leaf2 and -Leaf3, which are VyOS routers. - -**Topology:** Leaf2 - Spine1 - Leaf3. - -The topology is built using GNS3. - -.. code-block:: none - - Spine1: - fa0/2 towards Leaf2, IP-address: 10.1.2.1/24 - fa0/3 towards Leaf3, IP-address: 10.1.3.1/24 - - Leaf2: - Eth0 towards Spine1, IP-address: 10.1.2.2/24 - Eth1 towards a VLAN-aware switch - - Leaf3: - Eth0 towards Spine1, IP-address 10.1.3.3/24 - Eth1 towards a VLAN-aware switch - -**Spine1 configuration:** - -.. code-block:: none - - conf t - ip multicast-routing - ! - interface fastethernet0/2 - ip address 10.1.2.1 255.255.255.0 - ip pim sparse-dense-mode - ! - interface fastethernet0/3 - ip address 10.1.3.1 255.255.255.0 - ip pim sparse-dense-mode - ! - router ospf 1 - network 10.0.0.0 0.255.255.255 area 0 - -Multicast routing is required for scalable traffic forwarding between leaves. -:abbr:`PIM (Protocol Independent Multicast)` must be enabled towards the leaves -so the spine can learn from which multicast groups each leaf expects traffic. - -**Leaf2 configuration:** - -.. code-block:: none - - set interfaces ethernet eth0 address '10.1.2.2/24' - set protocols ospf area 0 network '10.0.0.0/8' - - ! First VXLAN interface - set interfaces bridge br241 address '172.16.241.1/24' - set interfaces bridge br241 member interface 'eth1.241' - set interfaces bridge br241 member interface 'vxlan241' - - set interfaces vxlan vxlan241 group '239.0.0.241' - set interfaces vxlan vxlan241 source-interface 'eth0' - set interfaces vxlan vxlan241 vni '241' - - ! Second VXLAN interface - set interfaces bridge br242 address '172.16.242.1/24' - set interfaces bridge br242 member interface 'eth1.242' - set interfaces bridge br242 member interface 'vxlan242' - - set interfaces vxlan vxlan242 group '239.0.0.242' - set interfaces vxlan vxlan242 source-interface 'eth0' - set interfaces vxlan vxlan242 vni '242' - -**Leaf3 configuration:** - -.. code-block:: none - - set interfaces ethernet eth0 address '10.1.3.3/24' - set protocols ospf area 0 network '10.0.0.0/8' - - ! First VXLAN interface - set interfaces bridge br241 address '172.16.241.1/24' - set interfaces bridge br241 member interface 'eth1.241' - set interfaces bridge br241 member interface 'vxlan241' - - set interfaces vxlan vxlan241 group '239.0.0.241' - set interfaces vxlan vxlan241 source-interface 'eth0' - set interfaces vxlan vxlan241 vni '241' - - ! Second VXLAN interface - set interfaces bridge br242 address '172.16.242.1/24' - set interfaces bridge br242 member interface 'eth1.242' - set interfaces bridge br242 member interface 'vxlan242' - - set interfaces vxlan vxlan242 group '239.0.0.242' - set interfaces vxlan vxlan242 source-interface 'eth0' - set interfaces vxlan vxlan242 vni '242' - -The configurations for Leaf2 and Leaf3 are nearly identical. Detailed -explanations for each command are provided below. - -.. code-block:: none - - set interfaces bridge br241 address '172.16.241.1/24' - -This command creates a bridge to bind traffic on ``eth1`` VLAN 241 with the -``vxlan241`` interface. The IP address is optional. If configured, it can serve -as the default gateway for each leaf, allowing devices on the VLAN to reach -other subnets. Subnets must be redistributed by :abbr:`OSPF (Open Shortest Path -First)` so the spine can learn how to reach them. To advertise ``172.16/12`` -networks, change the :abbr:`OSPF (Open Shortest Path First)` network from -``10.0.0.0/8`` to ``0.0.0.0/0``. - -.. code-block:: none - - set interfaces bridge br241 member interface 'eth1.241' - set interfaces bridge br241 member interface 'vxlan241' - -These commands bind ``eth1.241`` and ``vxlan241`` as member interfaces of the -same bridge. - -.. code-block:: none - - set interfaces vxlan vxlan241 group '239.0.0.241' - -This command configures the multicast group used by all leaves for this VLAN -extension. It must be the same on all leaves that have this interface. - -.. code-block:: none - - set interfaces vxlan vxlan241 source-interface 'eth0' - -This command configures the interface that listens for multicast packets. It -can also be a loopback interface. - -.. code-block:: none - - set interfaces vxlan vxlan241 vni '241' - -This command configures the unique ID for the VXLAN interface. - -.. code-block:: none - - set interfaces vxlan vxlan241 port 12345 - -VyOS uses the Linux default UDP port **8472** for VXLAN interfaces. This -command allows you to configure a different UDP port. - -Unicast VXLAN -============= - -As an alternative to multicast, you can configure the VXLAN tunnel by -specifying the remote IPv4 address directly. The following updates the previous -multicast example: - -.. code-block:: none - - # leaf2 and leaf3 - delete interfaces vxlan vxlan241 group '239.0.0.241' - delete interfaces vxlan vxlan241 source-interface 'eth0' - - # leaf2 - set interfaces vxlan vxlan241 remote 10.1.3.3 - - # leaf3 - set interfaces vxlan vxlan241 remote 10.1.2.2 - -The default UDP port is 8472. To configure a different port, use ``set -interfaces vxlan <vxlanN> port <port>``. - diff --git a/docs/configuration/interfaces/rst-wireguard.rst b/docs/configuration/interfaces/rst-wireguard.rst deleted file mode 100644 index bc53b388..00000000 --- a/docs/configuration/interfaces/rst-wireguard.rst +++ /dev/null @@ -1,439 +0,0 @@ -:lastproofread: 2026-03-02 - -.. _wireguard: - -######### -WireGuard -######### - -WireGuard is an extremely simple, fast, and modern VPN that utilizes -state-of-the-art cryptography. See https://www.wireguard.com for more -information. - -**************** -Site-to-site VPN -**************** - -The following diagram illustrates a site-to-site VPN setup. - -.. figure:: /_static/images/wireguard_site2site_diagram.* - -******** -Keypairs -******** - -WireGuard requires a keypair, which includes a **private** key -to decrypt incoming traffic, and a **public** key for peer(s) to encrypt -outgoing traffic. - -Generate keypair -================ - -.. opcmd:: generate pki wireguard key-pair - - Generate a keypair: a public and a private key. - - .. note:: This command only outputs the keys to your console. It - neither stores them in the system nor applies them to the system - configuration. - - - .. code-block:: none - - vyos@vyos:~$ generate pki wireguard key-pair - Private key: iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY= - Public key: EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw= - -.. opcmd:: generate pki wireguard key-pair install interface <interface> - - Generate a keypair and output the private key assignment command for the - specified interface. - - .. code-block:: none - - vyos@vyos:~$ generate pki wireguard key-pair install interface wg10 - "generate" CLI command executed from operational level. - Generated private key is not automatically added to the VyOS configuration, use the following configuration mode commands to install key: - - set interfaces wireguard wg10 private-key '4Krkv8h6NkAYMMaBWI957yYDJDMvj9URTHstdlOcDU0=' - - Corresponding public-key to use on peer system is: 'UxDsYT6EnpTIOKUzvMlw2p0sNOKQvFxEdSVrnNrX1Ro=' - - .. note:: If you invoke this command from configuration mode with - the ``run`` prefix, the generated private key is automatically - assigned to the specified interface. - - .. code-block:: none - - vyos@vyos# run generate pki wireguard key-pair install interface wg10 - "generate" CLI command executed from config session. - Generated private-key was imported to CLI! - - Use the following command to verify: show interfaces wireguard wg10 - Corresponding public-key to use on peer system is: '7d9KwabjLhHpJiEJeIGd0CBlao/eTwFOh6xyCovTfG8=' - - vyos@vyos# compare - [edit interfaces] - +wireguard wg10 { - + private-key CJweb8FC6BU3Loj4PC2pn5V82cDjIPs7G1saW0ZfLWc= - +} - -.. opcmd:: show interfaces wireguard <interface> public-key - - Show the public key assigned to the interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wireguard wg01 public-key - EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw= - - -Optional --------- - -.. opcmd:: generate pki wireguard preshared-key - - Generate a pre-shared key. - - The pre-shared key is optional. It adds an additional layer of symmetric-key - cryptography on top of the asymmetric cryptography. - - .. code-block:: none - - vyos@vyos:~$ generate pki wireguard preshared-key - Pre-shared key: OHH2EwZfMNK+1L6BXbYw3bKCtMrfjpR4mCAEeBlFnRs= - - -.. stop_vyoslinter - -.. opcmd:: generate pki wireguard preshared-key install interface <interface> peer <peer> - - Generate a pre-shared key and output the key assignment command for - the specified peer. - - .. code-block:: none - - vyos@vyos:~$ generate pki wireguard preshared-key install interface wg10 peer foo - "generate" CLI command executed from operational level. - Generated preshared-key is not stored to CLI, use configure mode commands to install key: - - set interfaces wireguard wg10 peer foo preshared-key '32vQ1w1yFKTna8n7Gu7EimubSe2Y63m8bafz55EG3Ro=' - - Pre-shared key: +LuaZ8W6DjsDFJFX3jJzoNqrsXHhvq08JztM9z8LHCs= - - - .. note:: If you invoke this command from configuration mode with - the run prefix, the generated key is automatically assigned to - the specified peer. - -.. start_vyoslinter - - -*********************** -Interface configuration -*********************** - -The next step is to configure your local WireGuard interface and define the -networks you want to tunnel (``allowed-ips``). - -If your system only initiates connections, specifying the listen port is -optional. If your system accepts incoming connections, you must define a port -for peers to connect to. Otherwise, WireGuard selects a random port at each -reboot, and that may break your peers' ability to connect if that port -is not enabled in your firewall rules. - -To configure a WireGuard tunnel, you also need your peer's public key. - -.. note:: The public key specified in the peer configuration block is always - the **remote** peer's public key, never your local one. - -**Local side configuration** - -The local side is configured with the following parameters: - -* Local WireGuard interface IP: ``10.1.0.1/30`` -* Local listen port: ``51820`` -* Remote peer name: ``to-wg02`` -* Remote peer endpoint: ``192.0.2.1`` on port ``51820`` -* Remote peer public key: ``XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=`` -* Allowed networks: ``192.168.2.0/24`` - -.. code-block:: none - - set interfaces wireguard wg01 address '10.1.0.1/30' - set interfaces wireguard wg01 description 'VPN-to-wg02' - set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24' - set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1' - set interfaces wireguard wg01 peer to-wg02 port '51820' - set interfaces wireguard wg01 peer to-wg02 public-key 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=' - set interfaces wireguard wg01 port '51820' - - set protocols static route 192.168.2.0/24 interface wg01 - -To send traffic destined for ``192.168.2.0/24`` through the WireGuard interface -(``wg01``), configure a static route. Multiple IP addresses or networks can be -defined and routed. The final check is performed against ``allowed-ips``, which -either permits or drops the traffic. - -.. warning:: You cannot assign the same ``allowed-ips`` to multiple WireGuard - peers. This is a strict design restriction. For more information, check the - `WireGuard mailing list`_. - - -.. cfgcmd:: set interfaces wireguard <interface> private-key <private-key> - - Assign a private key to the specified WireGuard interface. - - Example: - - .. code-block:: none - - set interfaces wireguard wg01 private-key 'iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY=' - - - To generate a private key, use the following command: - :opcmd:`generate pki wireguard key-pair`. - - To view the public key assigned to the interface so you can share it with a - peer, use the following command: - :opcmd:`show interfaces wireguard wg01 public-key`. - -.. cmdinclude:: /_include/interface-per-client-thread.txt - :var0: wireguard - :var1: wg01 - -**Remote side configuration** - -.. code-block:: none - - set interfaces wireguard wg01 address '10.1.0.2/30' - set interfaces wireguard wg01 description 'VPN-to-wg01' - set interfaces wireguard wg01 peer to-wg01 allowed-ips '192.168.1.0/24' - set interfaces wireguard wg01 peer to-wg01 address '192.0.2.2' - set interfaces wireguard wg01 peer to-wg01 port '51820' - set interfaces wireguard wg01 peer to-wg01 public-key 'EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw=' - set interfaces wireguard wg01 port '51820' - set interfaces wireguard wg01 private-key 'OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU=' - - set protocols static route 192.168.1.0/24 interface wg01 - -******************* -Firewall exceptions -******************* - -To allow WireGuard traffic through the WAN interface, create a firewall -exception: - -.. code-block:: none - - set firewall ipv4 name OUTSIDE_LOCAL rule 10 action accept - set firewall ipv4 name OUTSIDE_LOCAL rule 10 description 'Allow established/related' - set firewall ipv4 name OUTSIDE_LOCAL rule 10 state established enable - set firewall ipv4 name OUTSIDE_LOCAL rule 10 state related enable - set firewall ipv4 name OUTSIDE_LOCAL rule 20 action accept - set firewall ipv4 name OUTSIDE_LOCAL rule 20 description WireGuard_IN - set firewall ipv4 name OUTSIDE_LOCAL rule 20 destination port 51820 - set firewall ipv4 name OUTSIDE_LOCAL rule 20 log enable - set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp - -Ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface -and in an input (local) direction. - -.. code-block:: none - - set firewall ipv4 input filter rule 10 action jump - set firewall ipv4 input filter rule 10 jump-target 'OUTSIDE_LOCAL' - set firewall ipv4 input filter rule 10 inbound-interface name 'eth0' - -Verify that your firewall rules permit traffic. If so, your WireGuard VPN -should be operational. - -.. code-block:: none - - wg01# ping 192.168.1.1 - PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. - 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.16 ms - 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.77 ms - - wg02# ping 192.168.2.1 - PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data. - 64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=4.40 ms - 64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=1.02 ms - -An additional layer of symmetric-key cryptography can be used on top of the -asymmetric cryptography. This is optional. - -.. code-block:: none - - vyos@vyos:~$ generate pki wireguard preshared-key - Pre-shared key: rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc= - -Copy the key, as it is not stored locally. Since it is a symmetric key, only -you and your peer should know its contents. Distribute the key securely. - -.. code-block:: none - - wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' - wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' - - -**************************** -Remote access (road warrior) -**************************** - -With WireGuard, a road warrior VPN configuration is similar to a site-to-site -VPN. It just omits the ``address`` and ``port`` statements. - -In the following example, the IP addresses for remote clients are defined -within each peer configuration. This allows peers to communicate with each -other. - -Additionally, this setup uses a ``persistent-keepalive`` flag set to 15 seconds -to keep the connection alive. This setting is mainly relevant if a peer is -behind NAT and cannot be reached if the connection is lost. For effectiveness, -the value should be lower than the UDP timeout. - -.. code-block:: none - - wireguard wg01 { - address 10.172.24.1/24 - address 2001:db8:470:22::1/64 - description RoadWarrior - peer MacBook { - allowed-ips 10.172.24.30/32 - allowed-ips 2001:db8:470:22::30/128 - persistent-keepalive 15 - pubkey F5MbW7ye7DsoxdOaixjdrudshjjxN5UdNV+pGFHqehc= - } - peer iPhone { - allowed-ips 10.172.24.20/32 - allowed-ips 2001:db8:470:22::20/128 - persistent-keepalive 15 - pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00= - } - port 2224 - private-key OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU= - } - -Below is the configuration for the iPhone peer. The ``AllowedIPs`` wildcard -setting directs all IPv4 and IPv6 traffic through the VPN connection. - -.. code-block:: none - - [Interface] - PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf= - Address = 10.172.24.20/24, 2001:db8:470:22::20/64 - DNS = 10.0.0.53, 10.0.0.54 - - [Peer] - PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc= - AllowedIPs = 0.0.0.0/0, ::/0 - Endpoint = 192.0.2.1:2224 - PersistentKeepalive = 15 - -To enable split tunneling, specify the remote subnets. This ensures that only -traffic destined for the remote site is sent through the tunnel, while all -other traffic remains unaffected. - -.. code-block:: none - - [Interface] - PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go= - Address = 10.172.24.30/24, 2001:db8:470:22::30/64 - - [Peer] - PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc= - AllowedIPs = 10.172.24.30/24, 2001:db8:470:22::/64 - Endpoint = 192.0.2.1:2224 - PersistentKeepalive = 15 - - -******************** -Operational commands -******************** - -Status -====== - -.. opcmd:: show interfaces wireguard wg01 summary - - Show information about the WireGuard service, including the latest handshake. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wireguard wg01 summary - interface: wg01 - public key: - private key: (hidden) - listening port: 51820 - - peer: <peer pubkey> - endpoint: <peer public IP> - allowed ips: 10.69.69.2/32 - latest handshake: 23 hours, 45 minutes, 26 seconds ago - transfer: 1.26 MiB received, 6.47 MiB sent - -.. opcmd:: show interfaces wireguard - - Show a list of all WireGuard interfaces. - - .. code-block:: none - - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - wg01 10.0.0.1/24 u/u - - -.. opcmd:: show interfaces wireguard <interface> - - Show general information about a specific WireGuard interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wireguard wg01 - interface: wg01 - address: 10.0.0.1/24 - public key: h1HkYlSuHdJN6Qv4Hz4bBzjGg5WUty+U1L7DJsZy1iE= - private key: (hidden) - listening port: 41751 - - RX: bytes packets errors dropped overrun mcast - 0 0 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 0 0 0 0 0 0 - -************************************ -Remote access (road warrior) clients -************************************ - -Some users connect mobile devices to their VyOS router using WireGuard. To -simplify deployment, generate a per-mobile configuration from the VyOS CLI. - -.. warning:: From a security perspective, it is not recommended to let a third - party create and share the private key for a secure connection. You should - create the private portion yourself and hand out only the public key. - - -.. opcmd:: generate wireguard client-config <name> interface <interface> server - <ip|fqdn> address <client-ip> - - **Generate a client configuration file that establishes a connection to the - specified interface.** - - The public key from the specified interface is automatically included in the - configuration file. - - The command also generates a configuration snippet that can be copied - into the VyOS CLI. The ``<name>`` you provide will be used as the peer - name in the snippet. - - You must also specify the IP address or FQDN of the server the client - connects to. The address parameter can be used twice to assign both an - IPv4 (/32) and an IPv6 (/128) address to the client. - - .. figure:: /_static/images/wireguard_qrcode.* - :alt: WireGuard Client QR code - -.. _`WireGuard mailing list`: - https://lists.zx2c4.com/pipermail/wireguard/2018-December/003704.html diff --git a/docs/configuration/interfaces/rst-wireless.rst b/docs/configuration/interfaces/rst-wireless.rst deleted file mode 100644 index 728783b2..00000000 --- a/docs/configuration/interfaces/rst-wireless.rst +++ /dev/null @@ -1,931 +0,0 @@ -:lastproofread: 2026-03-23 - -.. _wireless-interface: - -#################### -Wireless LAN / Wi-Fi -#################### - -:abbr:`WLAN (Wireless LAN)` interfaces provide 802.11 (a/b/g/n/ac) wireless -connectivity, referred to as Wi-Fi, and operate in one of the following -modes: - -* :abbr:`WAP (Wireless Access-Point)` mode provides network access to connecting - stations if the physical hardware supports acting as a WAP - -* Station mode acts as a Wi-Fi client accessing the network through an available - WAP - -* Monitor mode lets the system passively monitor wireless traffic - -If the system detects an unconfigured wireless device, it will be automatically -added to the configuration tree, specifying any detected settings (for example, -its MAC address) and configured to run in monitor mode. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-common-with-dhcp.txt - :var0: wireless - :var1: wlan0 - -System-wide configuration -========================= - -.. cfgcmd:: set system wireless country-code <cc> - - Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed - to indicate country in which device is operating. This can limit available - channels and transmit power. - - .. note:: This option is mandatory in ``access-point`` mode. - -Wireless options -================ - -.. cfgcmd:: set interfaces wireless <interface> channel <number> - - Configure the IEEE 802.11 wireless radio channel for the interface. - Channel allocation depends on the frequency band: - - * **2.4 GHz** (802.11b/g/n/ax): Channels range from 1 to 14. - * **5 GHz** (802.11a/h/j/n/ac/ax): Channels range from 34 to 177. - * **6 GHz** (802.11ax): Channels range from 1 to 233. - * **Automatic channel selection:** 0. - -.. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid - - Send empty SSID in beacons and ignore probe request frames that do not specify - full SSID, i.e., require stations to know the SSID. - -.. cfgcmd:: set interfaces wireless <interface> expunge-failing-stations - - Disassociate stations based on excessive transmission failures or other - indications of connection loss. - - This depends on the driver capabilities and may not be available with all - drivers. - -.. cfgcmd:: set interfaces wireless <interface> isolate-stations - - Client isolation can be used to prevent low-level bridging of frames between - associated stations in the BSS. - - By default, this bridging is allowed. - -.. cfgcmd:: set interfaces wireless <interface> max-stations <count> - - Maximum number of stations allowed in station table. New stations will be - rejected after the station table is full. IEEE 802.11 has a limit of 2007 - different association IDs, so this number should not be larger than that. - - This defaults to 2007. - -.. cfgcmd:: set interfaces wireless <interface> mgmt-frame-protection - - Management Frame Protection (MFP) according to IEEE 802.11w - - .. note:: :abbr:`MFP (Management Frame Protection)` is required for WPA3. - -.. cfgcmd:: set interfaces wireless <interface> enable-bf-protection - - Beacon Protection: management frame protection for Beacon frames. - - .. note:: This option requires :abbr:`MFP (Management Frame Protection)` - to be enabled. - -.. cfgcmd:: set interfaces wireless <interface> mode <a | b | g | n | ac | ax> - - Operation mode of wireless radio. - - * ``a`` - 802.11a - 54 Mbits/sec - * ``b`` - 802.11b - 11 Mbits/sec - * ``g`` - 802.11g - 54 Mbits/sec (default) - * ``n`` - 802.11n - 600 Mbits/sec - * ``ac`` - 802.11ac - 1300 Mbits/sec - * ``ax`` - 802.11ax - exceeds 1GBit/sec - - .. note:: In VyOS, 802.11ax is only implemented for 2.4GHz and 6GHz. - -.. cfgcmd:: set interfaces wireless <interface> physical-device <device> - - Wireless hardware device used as underlay radio. - - This defaults to phy0. - -.. cfgcmd:: set interfaces wireless <interface> reduce-transmit-power <number> - - Adds the Power Constraint information element to Beacon and Probe Response - frames. - - This option adds the Power Constraint information element when applicable - and the Country information element is configured. The Power Constraint - element is required by Transmit Power Control. - - Valid values are 0..255. - -.. cfgcmd:: set interfaces wireless <interface> ssid <ssid> - - SSID to be used in IEEE 802.11 management frames - -.. cfgcmd:: set interfaces wireless <interface> type - <access-point | station | monitor> - - Wireless device type for this interface - - * ``access-point``: Forwards packets between other nodes. - * ``station``: Connects to another :abbr:`AP (Access Point)`. - * ``monitor``: Passively monitors all packets on the frequency/channel. - -.. cmdinclude:: /_include/interface-per-client-thread.txt - :var0: wireless - :var1: wlan0 - -PPDU ----- - -.. cfgcmd:: set interfaces wireless <interface> capabilities require-ht - -.. cfgcmd:: set interfaces wireless <interface> capabilities require-vht - -.. cfgcmd:: set interfaces wireless <interface> capabilities require-he - -HT (High Throughput) capabilities (802.11n) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - Configuring HT mode options is required when using 802.11n or - 802.11ax at 2.4GHz. - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht 40mhz-incapable - - Device is incapable of 40 MHz, do not advertise. This sets ``[40-INTOLERANT]`` - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht auto-powersave - - WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht - channel-set-width <ht20 | ht40+ | ht40-> - - Supported channel width set. - - * ``ht20`` - 20 MHz channel width - * ``ht40-`` - Both 20 MHz and 40 MHz with secondary channel below the primary - channel - * ``ht40+`` - Both 20 MHz and 40 MHz with secondary channel above the primary - channel - - .. note:: Channel availability for HT40- and HT40+ is limited. The following - table lists channels permitted for HT40- and HT40+ according to IEEE - 802.11n Annex J. Channel availability may vary by location. - - .. code-block:: none - - freq HT40- HT40+ - 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan) - 5 GHz 40,48,56,64 36,44,52,60 - - .. note:: 40 MHz channels may switch their primary and secondary channels if - needed or creation of 40 MHz channel may be rejected based on overlapping - BSSes. These changes are done automatically when hostapd is setting up the - 40 MHz channel. - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht - delayed-block-ack - - Enable HT-delayed Block Ack ``[DELAYED-BA]`` - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht dsss-cck-40 - - DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]`` - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht greenfield - - This enables the greenfield option which sets the ``[GF]`` option - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht ldpc - - Enable LDPC coding capability - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht lsig-protection - - Enable L-SIG TXOP protection capability - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht max-amsdu - <3839 | 7935> - - Maximum A-MSDU length 3839 (default) or 7935 octets - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht - short-gi <20 | 40> - - Short GI capabilities for 20 and 40 MHz - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht - smps <static | dynamic> - - Spatial Multiplexing Power Save (SMPS) settings - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht stbc rx <num> - - Enable receiving PPDU using STBC (Space Time Block Coding) - -.. cfgcmd:: set interfaces wireless <interface> capabilities ht stbc tx - - Enable sending PPDU using STBC (Space Time Block Coding) - -VHT (Very High Throughput) capabilities (802.11ac) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. stop_vyoslinter - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht antenna-count <count> - -.. start_vyoslinter - - Number of antennas on this card - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - antenna-pattern-fixed - - Set if antenna pattern does not change during the lifetime of an association - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht beamform - <single-user-beamformer | single-user-beamformee | multi-user-beamformer | - multi-user-beamformee> - - Beamforming capabilities: - - * ``single-user-beamformer`` - Support for operation as - single user beamformer - * ``single-user-beamformee`` - Support for operation as - single user beamformee - * ``multi-user-beamformer`` - Support for operation as - multi user beamformer - * ``multi-user-beamformee`` - Support for operation as - multi user beamformee - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - center-channel-freq <freq-1 | freq-2> <number> - - VHT operating channel center frequency - center freq 1 - (for use with 80, 80+80 and 160 modes) - - VHT operating channel center frequency - center freq 2 - (for use with the 80+80 mode) - - <number> must be from 34 - 173. For 80 MHz channels it should be channel + 6. - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - channel-set-width <0 | 1 | 2 | 3> - - * ``0`` - 20 or 40 MHz channel width (default) - * ``1`` - 80 MHz channel width - * ``2`` - 160 MHz channel width - * ``3`` - 80+80 MHz channel width - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht ldpc - - Enable LDPC (Low Density Parity Check) coding capability - -.. cfgcmd:: set interfaces wireless <interface> - capabilities vht link-adaptation - - VHT link adaptation capabilities - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - max-mpdu <value> - - Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octets) - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - max-mpdu-exp <value> - - Set the maximum length of A-MPDU pre-EOF padding that the station can - receive - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - short-gi <80 | 160> - - Short GI capabilities - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht stbc rx <num> - - Enable receiving PPDU using STBC (Space Time Block Coding) - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht stbc tx - - Enable sending PPDU using STBC (Space Time Block Coding) - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht tx-powersave - - Enable VHT TXOP Power Save Mode - -.. cfgcmd:: set interfaces wireless <interface> capabilities vht vht-cf - - Station supports receiving VHT variant HT Control field - -HE (High Efficiency) capabilities (802.11ax) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. cfgcmd:: set interfaces wireless <interface> - capabilities he antenna-pattern-fixed - - Tell the AP that antenna positions are fixed and will not change - during the lifetime of an association. - -.. cfgcmd:: set interfaces wireless <interface> capabilities he beamform - <single-user-beamformer | single-user-beamformee | multi-user-beamformer> - - Beamforming capabilities: - - * ``single-user-beamformer`` - Support for operation as - single user beamformer - * ``single-user-beamformee`` - Support for operation as - single user beamformee - * ``multi-user-beamformer`` - Support for operation as multi - user beamformer - -.. cfgcmd:: set interfaces wireless <interface> - capabilities he bss-color <number> - - BSS coloring helps to prevent channel jamming when multiple APs use - the same channels. - - Valid values are 1..63 - -.. cfgcmd:: set interfaces wireless <interface> capabilities he - center-channel-freq <freq-1 | freq-2> <number> - - HE operating channel center frequency - center freq 1 - (for use with 80, 80+80 and 160 modes) - - HE operating channel center frequency - center freq 2 - (for use with the 80+80 mode) - - <number> must be within 1..233. For 80 MHz channels it should be - channel + 6 and for 160 MHz channels, it should be channel + 14. - -.. cfgcmd:: set interfaces wireless <interface> - capabilities he channel-set-width <number> - - <number> must be one of: - - * ``81`` - 20 MHz channel width (2.4GHz) - * ``83`` - 40 MHz channel width, secondary 20MHz channel above primary - channel (2.4GHz) - * ``84`` - 40 MHz channel width, secondary 20MHz channel below primary - channel (2.4GHz) - * ``131`` - 20 MHz channel width (6GHz) - * ``132`` - 40 MHz channel width (6GHz) - * ``133`` - 80 MHz channel width (6GHz) - * ``134`` - 160 MHz channel width (6GHz) - * ``135`` - 80+80 MHz channel width (6GHz) - -.. cfgcmd:: set interfaces wireless <interface> - capabilities he coding-scheme <number> - - This setting configures Spatial Stream and Modulation Coding Scheme - settings for HE mode (HE-MCS). It is usually not needed to set this - explicitly, but it might help with some WiFi adapters. - - <number> must be one of: - - * ``0`` - HE-MCS 0-7 - * ``1`` - HE-MCS 0-9 - * ``2`` - HE-MCS 0-11 - * ``3`` - HE-MCS is not supported - -Wireless options (Station/Client) -================================= - -The example creates a wireless station (commonly referred to as Wi-Fi client) -that accesses the network through the WAP defined in the above example. The -default physical device (``phy0``) is used. - -.. code-block:: none - - set system wireless country-code de - set interfaces wireless wlan0 type station - set interfaces wireless wlan0 address dhcp - set interfaces wireless wlan0 ssid 'TEST' - set interfaces wireless wlan0 security wpa passphrase '12345678' - -Resulting configuration: - -.. code-block:: none - - system { - wireless { - country-code de - } - } - interfaces { - wireless wlan0 { - address dhcp - security { - wpa { - passphrase "12345678" - } - } - ssid TEST - type station - } - -Security -======== - -:abbr:`WPA (Wi-Fi Protected Access)`, WPA2 Enterprise and WPA3 Enterprise in -combination with 802.1X based authentication can be used to authenticate -users or computers in a domain. - -The wireless client (supplicant) authenticates against the RADIUS server -(authentication server) using an :abbr:`EAP (Extensible Authentication -Protocol)` method configured on the RADIUS server. The WAP (also referred -to as authenticator) role is to send all authentication messages between the -supplicant and the configured authentication server, thus the RADIUS server -is responsible for authenticating the users. - -The WAP in this example has the following characteristics: - -* IP address ``192.168.2.1/24`` -* Network ID (SSID) ``Enterprise-TEST`` -* WPA passphrase ``12345678`` -* Use 802.11n protocol -* Wireless channel ``1`` -* RADIUS server at ``192.168.3.10`` with shared-secret ``VyOSPassword`` - -.. stop_vyoslinter -.. code-block:: none - - set system wireless country-code de - set interfaces wireless wlan0 address '192.168.2.1/24' - set interfaces wireless wlan0 type access-point - set interfaces wireless wlan0 channel 1 - set interfaces wireless wlan0 mode n - set interfaces wireless wlan0 ssid 'Enterprise-TEST' - set interfaces wireless wlan0 security wpa mode wpa2 - set interfaces wireless wlan0 security wpa cipher CCMP - set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key 'VyOSPassword' - set interfaces wireless wlan0 security wpa radius server 192.168.3.10 port 1812 - -.. start_vyoslinter - -Resulting configuration: - -.. code-block:: none - - system { - wireless { - country-code de - } - } - interfaces { - [...] - wireless wlan0 { - address 192.168.2.1/24 - channel 1 - mode n - security { - wpa { - cipher CCMP - mode wpa2 - radius { - server 192.168.3.10 { - key 'VyOSPassword' - port 1812 - } - } - } - } - ssid "Enterprise-TEST" - type access-point - } - } - -VLAN -==== - -Regular VLANs (802.1q) ----------------------- - -.. cmdinclude:: /_include/interface-vlan-8021q.txt - :var0: wireless - :var1: wlan0 - -QinQ (802.1ad) --------------- - -.. cmdinclude:: /_include/interface-vlan-8021ad.txt - :var0: wireless - :var1: wlan0 - -********* -Operation -********* - -.. opcmd:: show interfaces wireless info - -Use this command to view operational status and wireless-specific information -about all wireless interfaces. - -.. code-block:: none - - vyos@vyos:~$ show interfaces wireless info - Interface Type SSID Channel - wlan0 access-point VyOS-TEST-0 1 - -.. opcmd:: show interfaces wireless detail - -Show the operational status and detailed wireless-specific -information about all wireless interfaces. - -.. stop_vyoslinter -.. code-block:: none - - vyos@vyos:~$ show interfaces wireless detail - wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 - link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff - inet xxx.xxx.99.254/24 scope global wlan0 - valid_lft forever preferred_lft forever - inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 66072 282 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 83413 430 0 0 0 0 - - wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 - link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff - inet xxx.xxx.100.254/24 scope global wlan0 - valid_lft forever preferred_lft forever - inet6 fe80::xxxx:xxxx:ffff:2ed3/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 166072 5282 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 183413 5430 0 0 0 0 - -.. start_vyoslinter - -.. opcmd:: show interfaces wireless <wlanX> - -This command shows both status and statistics on the specified wireless -interface. The wireless interface identifier can range from wlan0 to wlan999. - -.. stop_vyoslinter -.. code-block:: none - - vyos@vyos:~$ show interfaces wireless wlan0 - wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 - link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff - inet xxx.xxx.99.254/24 scope global wlan0 - valid_lft forever preferred_lft forever - inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 66072 282 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 83413 430 0 0 0 0 - -.. start_vyoslinter - - -.. opcmd:: show interfaces wireless <wlanX> brief - -This command gives a brief status overview of a specified wireless interface. -The wireless interface identifier can range from wlan0 to wlan999. - -.. code-block:: none - - vyos@vyos:~$ show interfaces wireless wlan0 brief - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - wlan0 192.168.2.254/24 u/u - - -.. opcmd:: show interfaces wireless <wlanX> queue - -Use this command to view wireless interface queue information. -The wireless interface identifier can range from wlan0 to wlan999. - -.. code-block:: none - - vyos@vyos:~$ show interfaces wireless wlan0 queue - qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 - Sent 810323 bytes 6016 pkt (dropped 0, overlimits 0 requeues 0) - rate 0bit 0pps backlog 0b 0p requeues 0 - - -.. opcmd:: show interfaces wireless <wlanX> scan - -This command is used to retrieve information about WAP within the range of your -wireless interface. This command is useful on wireless interfaces configured -in station mode. - -.. note:: Scanning is not supported on all wireless drivers and wireless - hardware. Refer to your driver and wireless hardware documentation for - further details. - -.. code-block:: none - - vyos@vyos:~$ show interfaces wireless wlan0 scan - Address SSID Channel Signal (dbm) - 00:53:3b:88:6e:d8 WLAN-576405 1 -64.00 - 00:53:3b:88:6e:da Telekom_FON 1 -64.00 - 00:53:00:f2:c2:a4 BabyView_F2C2A4 6 -60.00 - 00:53:3b:88:6e:d6 Telekom_FON 100 -72.00 - 00:53:3b:88:6e:d4 WLAN-576405 100 -71.00 - 00:53:44:a4:96:ec KabelBox-4DC8 56 -81.00 - 00:53:d9:7a:67:c2 WLAN-741980 1 -75.00 - 00:53:7c:99:ce:76 Vodafone Homespot 1 -86.00 - 00:53:44:a4:97:21 KabelBox-4DC8 1 -78.00 - 00:53:44:a4:97:21 Vodafone Hotspot 1 -79.00 - 00:53:44:a4:97:21 Vodafone Homespot 1 -79.00 - 00:53:86:40:30:da Telekom_FON 1 -86.00 - 00:53:7c:99:ce:76 Vodafone Hotspot 1 -86.00 - 00:53:44:46:d2:0b Vodafone Hotspot 1 -87.00 - - -******** -Examples -******** - -The following example creates a WAP. When configuring multiple WAP interfaces, -you must specify unique IP addresses, channels, Network IDs commonly referred -to as :abbr:`SSID (Service Set Identifier)`, and MAC addresses. - -The WAP in this example has the following characteristics: - -* IP address ``192.168.2.1/24`` -* Network ID (SSID) ``TEST`` -* WPA passphrase ``12345678`` -* Use 802.11n protocol -* Wireless channel ``1`` - -.. code-block:: none - - set system wireless country-code de - set interfaces wireless wlan0 address '192.168.2.1/24' - set interfaces wireless wlan0 type access-point - set interfaces wireless wlan0 channel 1 - set interfaces wireless wlan0 mode n - set interfaces wireless wlan0 ssid 'TEST' - set interfaces wireless wlan0 security wpa mode wpa2 - set interfaces wireless wlan0 security wpa cipher CCMP - set interfaces wireless wlan0 security wpa passphrase '12345678' - -Resulting configuration: - -.. code-block:: none - - system { - wireless { - country-code de - } - } - interfaces { - [...] - wireless wlan0 { - address 192.168.2.1/24 - channel 1 - mode n - security { - wpa { - cipher CCMP - mode wpa2 - passphrase "12345678" - } - } - ssid "TEST" - type access-point - } - } - -To enable access point functionality, configure a DHCP server for this -interface's network, or add the interface to an existing local bridge -(see :ref:`bridge-interface` for details). - -Wi-Fi 6/6E (802.11ax) -===================== - -The following examples configure Wi-Fi 6 (2.4 GHz) and Wi-Fi 6E (6 GHz) -:abbr:`APs (Access Points)` with the following parameters: - -* Network ID (SSID): ``test.ax`` -* WPA passphrase: ``super-dooper-secure-passphrase`` -* Protocol: 802.11ax -* Wireless channel for 2.4 GHz: ``11`` -* Wireless channel for 6 GHz: ``5`` - - -Example configuration: Wi-Fi 6 at 2.4 GHz ------------------------------------------- - -You may expect real throughput around 10 MB/s or higher in crowded areas. - -.. stop_vyoslinter - -.. code-block:: none - - set system wireless country-code de - set interfaces wireless wlan0 capabilities he antenna-pattern-fixed - set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer - set interfaces wireless wlan0 capabilities he beamform single-user-beamformee - set interfaces wireless wlan0 capabilities he beamform single-user-beamformer - set interfaces wireless wlan0 capabilities he bss-color 13 - set interfaces wireless wlan0 capabilities he channel-set-width 81 - set interfaces wireless wlan0 capabilities ht 40mhz-incapable - set interfaces wireless wlan0 capabilities ht channel-set-width ht20 - set interfaces wireless wlan0 capabilities ht channel-set-width ht40+ - set interfaces wireless wlan0 capabilities ht channel-set-width ht40- - set interfaces wireless wlan0 capabilities ht short-gi 20 - set interfaces wireless wlan0 capabilities ht short-gi 40 - set interfaces wireless wlan0 capabilities ht stbc rx 2 - set interfaces wireless wlan0 capabilities ht stbc tx - set interfaces wireless wlan0 channel 11 - set interfaces wireless wlan0 description "802.11ax 2.4GHz" - set interfaces wireless wlan0 mode ax - set interfaces wireless wlan0 security wpa cipher CCMP - set interfaces wireless wlan0 security wpa cipher CCMP-256 - set interfaces wireless wlan0 security wpa cipher GCMP-256 - set interfaces wireless wlan0 security wpa cipher GCMP - set interfaces wireless wlan0 security wpa mode wpa2 - set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase - set interfaces wireless wlan0 ssid test.ax - set interfaces wireless wlan0 type access-point - commit - -.. start_vyoslinter - -Resulting configuration: - -.. code-block:: none - - system { - wireless { - country-code de - } - } - interfaces { - [...] - wireless wlan0 { - capabilities { - he { - antenna-pattern-fixed - beamform { - multi-user-beamformer - single-user-beamformee - single-user-beamformer - } - bss-color 13 - channel-set-width 81 - } - ht { - 40mhz-incapable - channel-set-width ht20 - channel-set-width ht40+ - channel-set-width ht40- - short-gi 20 - short-gi 40 - stbc { - rx 2 - tx - } - } - } - channel 11 - description "802.11ax 2.4GHz" - hw-id [...] - mode ax - physical-device phy0 - security { - wpa { - cipher CCMP - cipher CCMP-256 - cipher GCMP-256 - cipher GCMP - mode wpa2 - passphrase super-dooper-secure-passphrase - } - } - ssid test.ax - type access-point - } - } - -Example configuration: Wi-Fi 6E at 6 GHz ------------------------------------------ - -You may expect real throughput between 50 MB/s and 150 MB/s, depending on -obstructions from walls, water, metal, or other materials -with high electromagnetic damping at 6 GHz. Best results are achieved -with the AP being in the same room and in line-of-sight. - -.. stop_vyoslinter - -.. code-block:: none - - set system wireless country-code de - set interfaces wireless wlan0 capabilities he antenna-pattern-fixed - set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer - set interfaces wireless wlan0 capabilities he beamform single-user-beamformee - set interfaces wireless wlan0 capabilities he beamform single-user-beamformer - set interfaces wireless wlan0 capabilities he bss-color 13 - set interfaces wireless wlan0 capabilities he channel-set-width 134 - set interfaces wireless wlan0 capabilities he center-channel-freq freq-1 15 - set interfaces wireless wlan0 channel 5 - set interfaces wireless wlan0 description "802.11ax 6GHz" - set interfaces wireless wlan0 mode ax - set interfaces wireless wlan0 security wpa cipher CCMP - set interfaces wireless wlan0 security wpa cipher CCMP-256 - set interfaces wireless wlan0 security wpa cipher GCMP-256 - set interfaces wireless wlan0 security wpa cipher GCMP - set interfaces wireless wlan0 security wpa mode wpa3 - set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase - set interfaces wireless wlan0 mgmt-frame-protection required - set interfaces wireless wlan0 enable-bf-protection - set interfaces wireless wlan0 ssid test.ax - set interfaces wireless wlan0 type access-point - set interfaces wireless wlan0 stationary-ap - commit - -.. start_vyoslinter - -Resulting configuration: - -.. code-block:: none - - system { - wireless { - country-code de - } - } - interfaces { - [...] - wireless wlan0 { - capabilities { - he { - antenna-pattern-fixed - beamform { - multi-user-beamformer - single-user-beamformee - single-user-beamformer - } - bss-color 13 - center-channel-freq { - freq-1 15 - } - channel-set-width 134 - } - } - channel 5 - description "802.11ax 6GHz" - enable-bf-protection - hw-id [...] - mgmt-frame-protection required - mode ax - physical-device phy0 - security { - wpa { - cipher CCMP - cipher CCMP-256 - cipher GCMP-256 - cipher GCMP - mode wpa3 - passphrase super-dooper-secure-passphrase - } - } - ssid test.ax - stationary-ap - type access-point - } - } - -.. _wireless-interface-intel-ax200: - -Intel AX200 -=========== - -The Intel AX200 card does not work out of the box in AP mode. You can -still put this card into AP mode using the following configuration: - -.. stop_vyoslinter -.. code-block:: none - - set system wireless country-code 'us' - set interfaces wireless wlan0 channel '1' - set interfaces wireless wlan0 mode 'n' - set interfaces wireless wlan0 physical-device 'phy0' - set interfaces wireless wlan0 ssid 'VyOS' - set interfaces wireless wlan0 type 'access-point' - -.. start_vyoslinter diff --git a/docs/configuration/interfaces/rst-wwan.rst b/docs/configuration/interfaces/rst-wwan.rst deleted file mode 100644 index 7ab3ac74..00000000 --- a/docs/configuration/interfaces/rst-wwan.rst +++ /dev/null @@ -1,342 +0,0 @@ -:lastproofread: 2026-03-30 - -.. _wwan-interface: - -#### -WWAN -#### - -:abbr:`WWAN (Wireless Wide Area Network)` interfaces provide access to cellular -networks via a cellular modem or card. - -Configure these interfaces under the ``interfaces wwan`` node. - -************* -Configuration -************* - -Common interface configuration -============================== - -.. cmdinclude:: /_include/interface-address-with-dhcp.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-description.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-disable.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-disable-link-detect.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-mtu.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-ip.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-ipv6.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-vrf.txt - :var0: wwan - :var1: wwan0 - -**DHCP(v6)** - -.. cmdinclude:: /_include/interface-dhcp-options.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-dhcpv6-options.txt - :var0: wwan - :var1: wwan0 - -.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt - :var0: wwan - :var1: wwan0 - -WWAN options -============ - -.. cfgcmd:: set interfaces wwan <interface> apn <apn> - - **Configure the** :abbr:`APN (Access Point Name)` **for the WWAN connection.** - - Every WWAN connection requires an :abbr:`APN (Access Point Name)` to connect to - the cellular network. - - This parameter is mandatory. Contact your service provider for the correct - :abbr:`APN (Access Point Name)`. - - -********* -Operation -********* - -.. opcmd:: show interfaces wwan <interface> - - Show the operational status and traffic statistics for the specified WWAN - interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 - wwan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000 - link/ether 02:c2:f3:00:01:02 brd ff:ff:ff:ff:ff:ff - inet 10.155.144.12/30 brd 10.155.144.15 scope global dynamic wwan0 - valid_lft 7012sec preferred_lft 7012sec - inet6 fe80::c2:f3ff:fe00:0102/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 640 2 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 3229 16 0 0 0 0 - -.. opcmd:: show interfaces wwan <interface> summary - - Show WWAN module hardware characteristics and connection information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 summary - -------------------------------- - General | dbus path: /org/freedesktop/ModemManager1/Modem/0 - | device id: 79f4e9cc2e9fc8d4a3b8c8f6327c2e363170194d - -------------------------------- - Hardware | manufacturer: Sierra Wireless, Incorporated - | model: MC7710 - | revision: SWI9200X_03.05.29.03ap r6485 CNSHZ-ED-XP0031 2014/12/02 17:53:15 - | h/w revision: 1.0 - | supported: gsm-umts, lte - | current: gsm-umts, lte - | equipment id: 358xxxxxxxxxxxx - -------------------------------- - System | device: /sys/devices/pci0000:00/0000:00:13.0/usb3/3-1/3-1.3 - | drivers: qcserial, qmi_wwan - | plugin: Generic - | primary port: cdc-wdm0 - | ports: ttyUSB0 (qcdm), ttyUSB2 (at), cdc-wdm0 (qmi), wwan0 (net) - -------------------------------- - Numbers | own: 4917xxxxxxxx - -------------------------------- - Status | lock: sim-pin2 - | unlock retries: sim-pin (3), sim-pin2 (3), sim-puk (10), sim-puk2 (10) - | state: connected - | power state: on - | access tech: lte - | signal quality: 63% (recent) - -------------------------------- - Modes | supported: allowed: 2g; preferred: none - | allowed: 3g; preferred: none - | allowed: 4g; preferred: none - | allowed: 2g, 3g; preferred: 3g - | allowed: 2g, 3g; preferred: 2g - | allowed: 2g, 4g; preferred: 4g - | allowed: 2g, 4g; preferred: 2g - | allowed: 3g, 4g; preferred: 3g - | allowed: 3g, 4g; preferred: 4g - | allowed: 2g, 3g, 4g; preferred: 4g - | allowed: 2g, 3g, 4g; preferred: 3g - | allowed: 2g, 3g, 4g; preferred: 2g - | current: allowed: 2g, 3g, 4g; preferred: 2g - -------------------------------- - Bands | supported: egsm, dcs, pcs, utran-1, utran-8, eutran-1, eutran-3, - | eutran-7, eutran-8, eutran-20 - | current: egsm, dcs, pcs, utran-1, utran-8, eutran-1, eutran-3, - | eutran-7, eutran-8, eutran-20 - -------------------------------- - IP | supported: ipv4, ipv6, ipv4v6 - -------------------------------- - 3GPP | imei: 358xxxxxxxxxxxx - | operator id: 26201 - | operator name: Telekom.de - | registration: home - -------------------------------- - 3GPP EPS | ue mode of operation: ps-1 - -------------------------------- - SIM | dbus path: /org/freedesktop/ModemManager1/SIM/0 - -------------------------------- - Bearer | dbus path: /org/freedesktop/ModemManager1/Bearer/0 - - -.. opcmd:: show interfaces wwan <interface> capabilities - - Show WWAN module radio capabilities. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 capabilities - Max TX channel rate: '50000000' - Max RX channel rate: '100000000' - Data Service: 'simultaneous-cs-ps' - SIM: 'supported' - Networks: 'gsm, umts, lte' - Bands: 'gsm-dcs-1800, gsm-900-extended, gsm-900-primary, gsm-pcs-1900, wcdma-2100, wcdma-900' - LTE bands: '1, 3, 7, 8, 20' - -.. opcmd:: show interfaces wwan <interface> firmware - - Show WWAN module firmware information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 firmware - Model: MC7710 - Boot version: SWI9200X_03.05.29.03bt r6485 CNSHZ-ED-XP0031 2014/12/02 17:33:08 - AMSS version: SWI9200X_03.05.29.03ap r6485 CNSHZ-ED-XP0031 2014/12/02 17:53:15 - SKU ID: unknown - Package ID: unknown - Carrier ID: 0 - Config version: unknown - - -.. opcmd:: show interfaces wwan <interface> imei - - Show WWAN module IMEI. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 imei - ESN: '0' - IMEI: '358xxxxxxxxxxxx' - MEID: 'unknown' - -.. opcmd:: show interfaces wwan <interface> imsi - - Show the IMSI of the associated SIM card. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 imsi - IMSI: '262xxxxxxxxxxxx' - -.. opcmd:: show interfaces wwan <interface> model - - Show WWAN module model. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 model - Model: 'MC7710' - -.. opcmd:: show interfaces wwan <interface> msisdn - - Show the MSISDN of the associated SIM card. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 msisdn - MSISDN: '4917xxxxxxxx' - -.. opcmd:: show interfaces wwan <interface> revision - - Show WWAN module hardware revision. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 revision - Revision: 'SWI9200X_03.05.29.03ap r6485 CNSHZ-ED-XP0031 2014/12/02 17:53:15' - -.. opcmd:: show interfaces wwan <interface> signal - - Show signal information for the cellular connection. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 signal - LTE: - RSSI: '-74 dBm' - RSRQ: '-7 dB' - RSRP: '-100 dBm' - SNR: '13.0 dB' - Radio Interface: 'lte' - Active Band Class: 'eutran-3' - Active Channel: '1300' - -.. opcmd:: show interfaces wwan <interface> sim - - Show WWAN module SIM card information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wwan wwan0 sim - Provisioning applications: - Primary GW: slot '1', application '1' - Primary 1X: session doesn't exist - Secondary GW: session doesn't exist - Secondary 1X: session doesn't exist - Slot [1]: - Card state: 'present' - UPIN state: 'not-initialized' - UPIN retries: '0' - UPUK retries: '0' - Application [1]: - Application type: 'usim (2)' - Application state: 'ready' - Application ID: - A0:00:00:00:87:10:02:FF:49:94:20:89:03:10:00:00 - Personalization state: 'ready' - UPIN replaces PIN1: 'no' - PIN1 state: 'disabled' - PIN1 retries: '3' - PUK1 retries: '10' - PIN2 state: 'enabled-not-verified' - PIN2 retries: '3' - PUK2 retries: '10' - -******* -Example -******* - -The following example shows how to configure a cellular connection using a -Sierra Wireless MC7710 miniPCIe card that operates over USB despite its form -factor. The card is installed in a :ref:`pc-engines-apu4`. - -.. code-block:: none - - set interfaces wwan wwan0 apn 'internet.telekom' - set interfaces wwan wwan0 address 'dhcp' - -****************** -Supported hardware -****************** - -The following WWAN modules have been successfully tested with a -:ref:`pc-engines-apu4` board: - -* Sierra Wireless AirPrime MC7304 miniPCIe card (LTE) -* Sierra Wireless AirPrime MC7430 miniPCIe card (LTE) -* Sierra Wireless AirPrime MC7455 miniPCIe card (LTE) -* Sierra Wireless AirPrime MC7710 miniPCIe card (LTE) -* Huawei ME909u-521 miniPCIe card (LTE) -* Huawei ME909s-120 miniPCIe card (LTE) -* HP LT4120 Snapdragon X5 LTE - -*************** -Firmware update -*************** - -WWAN modules include reprogrammable firmware, and most vendors regularly -provide updates for it. - -Since VyOS communicates with these devices via the QMI interface, you can -update firmware directly within the system using the ``qmi-firmware-update`` -utility. - -The following example shows how to update the firmware for a Sierra Wireless -MC7710 module using the provided .cwe file. - -.. code-block:: bash - - $ sudo qmi-firmware-update --update -d 1199:68a2 \ - 9999999_9999999_9200_03.05.14.00_00_generic_000.000_001_SPKG_MC.cwe |
