Diffstat (limited to 'docs/configuration')
-rw-r--r--  docs/configuration/firewall/general-legacy.rst   23
-rw-r--r--  docs/configuration/firewall/general.rst         104
-rw-r--r--  docs/configuration/firewall/index.rst            73
-rw-r--r--  docs/configuration/firewall/zone.rst             20
-rw-r--r--  docs/configuration/interfaces/openvpn.rst       174
-rw-r--r--  docs/configuration/interfaces/vxlan.rst          32
-rw-r--r--  docs/configuration/protocols/index.rst            1
-rw-r--r--  docs/configuration/protocols/pim6.rst            94
-rw-r--r--  docs/configuration/system/login.rst              28
-rw-r--r--  docs/configuration/vrf/index.rst                 42
10 files changed, 472 insertions, 119 deletions
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst
index de91e54b..5d235eb8 100644
--- a/docs/configuration/firewall/general-legacy.rst
+++ b/docs/configuration/firewall/general-legacy.rst
@@ -1,14 +1,14 @@
:lastproofread: 2021-06-29
-.. _firewall:
+.. _legacy-firewall:
-###############
-Firewall-Legacy
-###############
+###################################
+Firewall Configuration (Deprecated)
+###################################
.. note:: **Important note:**
This documentation is valid only for VyOS Sagitta prior to
- 1.4-rolling-YYYYMMDDHHmm
+ 1.4-rolling-202308040557
********
Overview
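Review bot: the new label `.. _legacy-firewall:` does not match the `:ref:`firewall-legacy`` reference that the zone.rst hunk of this same patch adds, so that cross-reference will come out as an undefined label; use one spelling in both files. Replacing the `1.4-rolling-YYYYMMDDHHmm` placeholder with `1.4-rolling-202308040557` is the right fix for the note, and it matches the version quoted in index.rst and zone.rst below.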
@@ -153,7 +153,7 @@ Groups
******
Firewall groups represent collections of IP addresses, networks, ports,
-mac addresses or domains. Once created, a group can be referenced by
+mac addresses or domains. Once created, a group can be referenced by
firewall, nat and policy route rules as either a source or destination
matcher. Members can be added or removed from a group without changes to,
or the need to reload, individual firewall rules.
@@ -424,11 +424,13 @@ There are a lot of matching criteria against which the package can be tested.
An arbitrary netmask can be applied to mask addresses to only match against
a specific portion. This is particularly useful with IPv6 and a zone-based
firewall as rules will remain valid if the IPv6 prefix changes and the host
- portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses
- <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
-
+ portion of systems IPv6 address is static (for example, with SLAAC or
+ `tokenised IPv6 addresses
+ <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_).
+
This functions for both individual addresses and address groups.
+ .. stop_vyoslinter
.. code-block:: none
# Match any IPv6 address with the suffix ::0000:0000:0000:beef
@@ -442,6 +444,7 @@ There are a lot of matching criteria against which the package can be tested.
set firewall group ipv6-address-group WEBSERVERS address ::2000
set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS
set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff
+ .. start_vyoslinter
.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn>
@@ -1048,4 +1051,4 @@ Update geoip database
.. opcmd:: update geoip
- Command used to update GeoIP database and firewall sets. \ No newline at end of file
+ Command used to update GeoIP database and firewall sets.
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index 0e172a24..3fe876f2 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -1,10 +1,10 @@
-:lastproofread: 2021-06-29
+:lastproofread: 2023-09-17
-.. _firewall:
+.. _firewall-configuration:
-########
-Firewall
-########
+######################
+Firewall Configuration
+######################
********
Overview
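Review bot: after this hunk and the general-legacy.rst hunk above, no file defines `.. _firewall:` any more (this file now defines `firewall-configuration`, the legacy file `legacy-firewall`), so any `:ref:`firewall`` left elsewhere in the docs tree becomes an undefined-label warning; grep for it and repoint those references in this patch, or keep `.. _firewall:` as a second label on this title.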
@@ -17,48 +17,41 @@ The firewall supports the creation of groups for addresses, domains,
interfaces, mac-addresses, networks and port groups. This groups can be used
later in firewall ruleset as desired.
-.. note:: **Important note on usage of terms:**
- The firewall makes use of the terms `forward`, `input`, and `output`
- for firewall policy. More information of Netfilter hooks and Linux
- networking packet flows can be found in `Netfilter-Hooks
- <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_
-
-
Main structure is shown next:
.. code-block:: none
- set firewall
* global-options
- + all-ping
- + broadcast-ping
- + ...
+ + all-ping
+ + broadcast-ping
+ + ...
* group
- - address-group
- - ipv6-address-group
- - network-group
- - ipv6-network-group
- - interface-group
- - mac-group
- - port-group
- - domain-group
+ - address-group
+ - ipv6-address-group
+ - network-group
+ - ipv6-network-group
+ - interface-group
+ - mac-group
+ - port-group
+ - domain-group
* ipv4
- - forward
+ - forward
+ filter
- - input
+ - input
+ filter
- - output
+ - output
+ filter
- - name
+ - name
+ custom_name
* ipv6
- - forward
+ - forward
+ filter
- - input
+ - input
+ filter
- - output
+ - output
+ filter
- - ipv6-name
+ - ipv6-name
+ custom_name
Where, main key words and configuration paths that needs to be understood:
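Review bot: the deleted "Important note on usage of terms" reappears in index.rst later in this patch, so nothing is lost, and the re-indented tree is now consistent. Since the paragraph is being touched anyway, the unchanged context lines around it should be fixed too: "This groups can be used later in firewall ruleset" should read "These groups can be used later in the firewall ruleset", and "Where, main key words and configuration paths that needs to be understood:" should read "The main keywords and configuration paths that need to be understood are:".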
@@ -351,10 +344,12 @@ The action can be :
* ``queue``: Enqueue packet to userspace.
+ * ``synproxy``: synproxy the packet.
+
.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action
- [accept | drop | jump | queue | reject | return]
+ [accept | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action
- [accept | drop | jump | queue | reject | return]
+ [accept | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action
[accept | drop | jump | queue | reject | return]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
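Review bot: "``synproxy``: synproxy the packet." is too thin a description for a new action; say what it does, for example "``synproxy``: answer the client's TCP handshake on the router and only open the connection to the destination once the client has completed it (TCP only, ``input`` and ``forward`` hooks)". Leaving `synproxy` out of the `output filter` action list is correct and consistent with the `[input | forward]` commands in the new Synproxy section.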
@@ -1264,6 +1259,49 @@ geoip) to keep database and rules updated.
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
+********
+Synproxy
+********
+Synproxy connections
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> action synproxy
+.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> protocol tcp
+.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535>
+
+ Set TCP-MSS (maximum segment size) for the connection
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14>
+
+ Set the window scale factor for TCP window scaling
+
+Example synproxy
+================
+Requirements to enable synproxy:
+
+ * Traffic must be symmetric
+ * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
+ * Disable conntrack loose track option
+
+.. code-block:: none
+
+ set system sysctl parameter net.ipv4.tcp_timestamps value '1'
+
+ set system conntrack tcp loose disable
+ set system conntrack ignore ipv4 rule 10 destination port '8080'
+ set system conntrack ignore ipv4 rule 10 protocol 'tcp'
+ set system conntrack ignore ipv4 rule 10 tcp flags syn
+
+ set firewall global-options syn-cookies 'enable'
+ set firewall ipv4 input filter rule 10 action 'synproxy'
+ set firewall ipv4 input filter rule 10 destination port '8080'
+ set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
+ set firewall ipv4 input filter rule 10 protocol 'tcp'
+ set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
+ set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
+ set firewall ipv4 input filter rule 1000 action 'drop'
+ set firewall ipv4 input filter rule 1000 state invalid 'enable'
+
+
***********************
Operation-mode Firewall
***********************
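Review bot: "Synproxy connections" is a fragment, not a description; the section needs a sentence before the command list saying what the action does, namely that the router answers the client's SYN with a cookie-based SYN-ACK itself and only opens a connection to the protected host after the client completes the handshake, so half-open connections never reach that host. The example should also explain its three non-obvious pieces, which are currently left for the reader to guess: `set system conntrack ignore ipv4 rule 10 ... tcp flags syn` is what lets the initial SYN bypass connection tracking so rule 10 can answer it; `synproxy tcp mss '1460'` and `synproxy tcp window-scale '7'` are the values synproxy advertises on the host's behalf and therefore have to match what the protected host actually uses; and `rule 1000 state invalid 'enable'` with `action 'drop'` discards the packets the proxying leaves in an untracked state. Finally, drop one of the two trailing blank lines before the Operation-mode heading.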
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 567e48a0..4b923143 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -1,24 +1,85 @@
+:lastproofread: 2023-09-17
+
########
Firewall
########
-Starting from VyOS 1.4-rolling-202308040557, a new firewall structure
-can be found on all vyos installations. Documentation for most new firewall
-cli can be found here:
+.. attention::
+ Starting from VyOS 1.4-rolling-202308040557, a new firewall structure
+ can be found on all vyos installations.
+
+.. note::
+ The legacy and zone-based firewall configuration options is not longer
+ supported. They are here for reference purposes only.
+Netfilter based
+^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 1
:includehidden:
general
-Also, for those who haven't updated to newer version, legacy documentation is
-still present and valid for all sagitta version prior to VyOS
-1.4-rolling-202308040557:
+With VyOS being based on top of Linux and its kernel, the Netfilter project created
+the iptables and now the successor nftables for the Linux kernel to work directly
+on the data flows. This now extends the concept of zone-based security to allow
+for manipulating the data at multiple stages once accepted by the network interface
+and the driver before being handed off to the destination (e.g. a web server OR
+another device).
+
+To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>`
+
+The only stages VyOS will process as part of the firewall configuration is the
+`forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other
+stages and steps are for reference and cant be manipulated through VyOS.
+
+In this example image, a simplifed traffic flow is shown to help provide context
+to the terms of `forward`, `input`, and `output` for the new firewall CLI format.
+.. figure:: /_static/images/firewall-netfilter.png
+
+.. note:: **For more information**
+ of Netfilter hooks and Linux networking packet flows can be
+ found in `Netfilter-Hooks
+ <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_
+
+Legacy Firewall
+^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 1
:includehidden:
general-legacy
+
+Traditionally firewalls weere configured with the concept of data going in and
+out of an interface. The router just listened to the data flowing through and
+responding as required if it was directed at the router itself.
+
+To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
+
+As the example image below shows, the device was configured with rules blocking
+inbound or outbound traffic on each interface.
+
+.. figure:: /_static/images/firewall-traditional.png
+
+Zone-based firewall
+^^^^^^^^^^^^^^^^^^^
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+
zone
+
+With zone-based firewalls a new concept was implemented, in addtion to the standard
+in and out traffic flows, a local flow was added. This local was for traffic
+originating and destined to the router itself. Which means additional rules were
+required to secure the firewall itself from the network, in addition to the existing
+inbound and outbound rules from the traditional concept above.
+
+To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`
+
+As the example image below shows, the device now needs rules to allow/block traffic
+to or from the services running on the device that have open connections on that
+interface.
+
+.. figure:: /_static/images/firewall-zonebased.png
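Review bot: two added lines lack the blank line reStructuredText needs before a new block: `+.. figure:: /_static/images/firewall-netfilter.png` directly follows the "+to the terms of `forward`, `input`, and `output` ..." paragraph, so the directive is rendered as paragraph text instead of an image, and `+Netfilter based` directly follows the note body, so the heading is swallowed into the note (the other two figures and headings are separated correctly, so this is an oversight). Wording to fix in the same hunk: "is not longer supported" should be "are no longer supported"; "simplifed", "weere", "addtion" and "cant" are misspelled; "The only stages VyOS will process ... is the" should be "are the"; "This local was for traffic" should be "This local flow was for traffic"; the three "To configure VyOS with the ... :doc:`...`" lines are sentence fragments with no verb after the link (e.g. "See the :doc:`...` chapter to configure ..."); and the last note reads "**For more information** of Netfilter hooks ... can be found in" because the bold lead-in splits the sentence, so make it "More information on Netfilter hooks and Linux networking packet flows can be found in ...".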
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index 6afd47e9..38869c32 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -2,11 +2,21 @@
.. _firewall-zone:
-###################
-Zone Based Firewall
-###################
-
-.. note:: For latest releases, refer the `firewall
+################################
+Zone Based Firewall (Deprecated)
+################################
+
+.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
+ structure can be found on all vyos instalations, and zone based firewall is
+ no longer supported. Documentation for most of the new firewall CLI can be
+ found in the `firewall
+ <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
+ chapter. The legacy firewall is still available for versions before
+ 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
+ chapter. The examples in this section use the legacy firewall configuration
+ commands, since this feature has been removed in earlier releases.
+
+.. note:: For latest releases, refer the `firewall (interface-groups)
<https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_
main page to configure zone based rules. New syntax was introduced here
:vytask:`T5160`
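Review bot: `:ref:`firewall-legacy`` does not match the label this patch defines in general-legacy.rst (`.. _legacy-firewall:`), so Sphinx will report an undefined label; pick one spelling for both. "since this feature has been removed in earlier releases" contradicts the sentence before it, which says the feature is gone from 1.4-rolling-202308040557 onward, so it presumably means "later releases". Typos: "instalations", and "refer the" should be "refer to the".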
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index c0019577..70161e1e 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -40,30 +40,27 @@ Site-to-Site
.. figure:: /_static/images/openvpn_site2site_diagram.jpg
-While many are aware of OpenVPN as a Client VPN solution, it is often
-overlooked as a site-to-site VPN solution due to lack of support for this mode
-in many router platforms.
+OpenVPN is popular for client-server setups, but its site-to-site mode
+remains a relatively obscure feature, and many router appliances
+still don't support it. However, it's very useful for quickly setting up
+tunnels between routers.
-Site-to-site mode supports x.509 but doesn't require it and can also work with
-static keys, which is simpler in many cases. In this example, we'll configure
-a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.
+As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates.
-First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>`
-command. Once generated, you will need to install this key on the local system,
-then copy and install this key to the remote router.
+The pre-shared key mode is deprecated and will be removed from future OpenVPN versions,
+so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys
+is significantly less secure than using TLS.
-In our example, we used the key name ``openvpn-1`` which we will reference
-in our configuration.
+We'll configure OpenVPN using self-signed certificates, and then discuss the legacy
+pre-shared key mode.
+
+In both cases, we will use the following settings:
* The public IP address of the local side of the VPN will be 198.51.100.10.
* The public IP address of the remote side of the VPN will be 203.0.113.11.
* The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
* The local site will have a subnet of 10.0.0.0/16.
* The remote site will have a subnet of 10.1.0.0/16.
-* Static Routing or other dynamic routing protocols can be used over the vtun interface
-* OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency,
- while TCP will work better for lossy connections; generally UDP is preferred
- when possible.
* The official port for OpenVPN is 1194, which we reserve for client VPN; we
will use 1195 for site-to-site VPN.
* The ``persistent-tunnel`` directive will allow us to configure tunnel-related
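Review bot: the deleted bullets about TCP versus UDP and about running static or dynamic routing over the vtun interface are still relevant to the rewritten text: both configuration blocks later in this patch keep `protocol udp`, and the 10.0.0.0/16 and 10.1.0.0/16 subnets still need routes over the tunnel; keep those two bullets (or fold the UDP/TCP guidance into the `protocol` line) rather than dropping them along with the shared-secret text.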
@@ -73,85 +70,140 @@ in our configuration.
``remote-host`` directive; if unknown, it can be omitted. We will assume a
dynamic IP for our remote router.
+Setting up certificates
+-----------------------
-Local Configuration:
+Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose
+of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity,
+compared to server setups that need to support multiple clients.
-.. code-block:: none
+However, since VyOS 1.4, it is possible to verify self-signed certificates using
+certificate fingerprints.
- run generate pki openvpn shared-secret install openvpn-1
- Configure mode commands to install OpenVPN key:
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string'
- set pki openvpn shared-secret openvpn-1 version '1'
+On both sides, you need to generate a self-signed certificate, preferrably using the "ec" (elliptic curve) type.
+You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode.
+Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree.
+You can then review the proposed changes and commit them.
- set interfaces openvpn vtun1 mode site-to-site
- set interfaces openvpn vtun1 protocol udp
- set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 remote-host '203.0.113.11'
- set interfaces openvpn vtun1 local-port '1195'
- set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key openvpn-1
- set interfaces openvpn vtun1 local-address '10.255.1.1'
- set interfaces openvpn vtun1 remote-address '10.255.1.2'
+.. code-block:: none
-Local Configuration - Annotated:
+ vyos@vyos# run generate pki certificate self-signed install openvpn-local
+ Enter private key type: [rsa, dsa, ec] (Default: rsa) ec
+ Enter private key bits: (Default: 256)
+ Enter country code: (Default: GB)
+ Enter state: (Default: Some-State)
+ Enter locality: (Default: Some-City)
+ Enter organization name: (Default: VyOS)
+ Enter common name: (Default: vyos.io)
+ Do you want to configure Subject Alternative Names? [y/N]
+ Enter how many days certificate will be valid: (Default: 365)
+ Enter certificate type: (client, server) (Default: server)
+ Note: If you plan to use the generated key on this router, do not encrypt the private key.
+ Do you want to encrypt the private key with a passphrase? [y/N]
+ 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
+ [edit]
+
+ vyos@vyos# compare
+ [pki]
+ + certificate openvpn-local {
+ + certificate "MIICJTCCAcugAwIBAgIUMXLfRNJ5iOjk/ uAZqUe4phW8MdgwCgYIKoZIzj0EAwIwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA5MDcyMTQzMTNaFw0yNDA5MDYyMTQzMTNaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMWo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUBrAxRdFppdG/UBRdo7qNyHutaTQwHwYDVR0jBBgwFoAUBrAxRdFppdG/UBRdo7qNyHutaTQwCgYIKoZIzj0EAwIDSAAwRQIhAI2+8C92z9wTcTWkQ/goRxs10EBC+h78O+vgo9k97z5iAiBSeqfaVr5taQTS31+McGTAK3cYWNTg0DlOBI8aKO2oRg=="
+ + private {
+ + key "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtOeEb0dMb5P/2Exi09WWvk6Cvz0oOBoDuP68ZimS2LShRANCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMW"
+ + }
+ + }
+
+ [edit]
+
+ vyos@vyos# commit
+
+You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint.
+OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command:
.. code-block:: none
- run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret.
- The generated secret is the output to
- the console.
- Configure mode commands to install OpenVPN key:
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to
- the console.
- set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to
- the console.
+ vyos@vyos# run show pki certificate openvpn-local fingerprint sha256
+ 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79
- set interfaces openvpn vtun1 mode site-to-site
- set interfaces openvpn vtun1 protocol udp
- set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 remote-host '203.0.113.11' # Pub IP of other site
- set interfaces openvpn vtun1 local-port '1195'
- set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name
- set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface
- set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface
+Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary.
+Repeat the procedure on the other router.
-Remote Configuration:
+Setting up OpenVPN
+------------------
+
+Local Configuration:
.. code-block:: none
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string'
- set pki openvpn shared-secret openvpn-1 version '1'
+ Configure the tunnel:
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 remote-host '198.51.100.10'
+ set interfaces openvpn vtun1 remote-host '203.0.113.11' # Public IP of the other side
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key openvpn-1
- set interfaces openvpn vtun1 local-address '10.255.1.2'
- set interfaces openvpn vtun1 remote-address '10.255.1.1'
+ set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface
+ set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface
+ set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate
+ set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256
+ on the remote rout
-Remote Configuration - Annotated:
+Remote Configuration:
.. code-block:: none
- set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret
- (from the Local Configuration Block).
- set pki openvpn shared-secret openvpn-1 version '1'
-
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name
set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface
set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface
+ set interfaces openvpn vtun1 tls certificate 'openvpn-remote' # The self-signed certificate
+ set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256
+ on the local router
+
+Pre-shared keys
+---------------
+
+Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys.
+That option is still available but it is deprecated and will be removed in the future.
+However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN,
+you need to still need to know how to use it.
+
+First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode.
+You can use any name, we will use ``s2s``.
+
+.. code-block:: none
+
+ vyos@local# run generate pki openvpn shared-secret install s2s
+ 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
+ [edit]
+ vyos@local# compare
+ [pki openvpn shared-secret]
+ + s2s {
+ + key "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"
+ + version "1"
+ + }
+
+ [edit]
+
+ vyos@local# commit
+ [edit]
+
+Then you need to install the key on the remote router:
+
+.. code-block:: none
+
+ vyos@remote# set pki openvpn shared-secret s2s key <generated key string>
+
+Then you need to set the key in your OpenVPN interface settings:
+
+.. code-block:: none
+ set interfaces openvpn vtun1 shared-secret-key s2s
Firewall Exceptions
===================
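Review bot: the last code block is broken: `+.. code-block:: none` is immediately followed by `+ set interfaces openvpn vtun1 shared-secret-key s2s` with no blank line, so docutils treats that line as a second directive argument and errors out instead of rendering it; the other blocks in this hunk have the blank line. Further points in this hunk: the remote-side pre-shared-key install only sets `set pki openvpn shared-secret s2s key <generated key string>`, while the local `compare` output shows both `key` and `version "1"` and the deleted text installed both, so add `set pki openvpn shared-secret s2s version '1'` on the remote. The comments on the two `tls peer-fingerprint` lines are missing their closing quote and wrap onto a second line inside the code block (`on the remote rout` is cut off mid-word), which will render as stray text; put the comment on one line and complete it. The `compare` output reproduces a complete private key; replace the key material with a placeholder so nobody pastes it into a live configuration. Because the pinned fingerprint is the only thing authenticating the peer with self-signed certificates, say that the `show pki certificate <name> fingerprint sha256` output has to be transferred over a channel you trust. `Configure the tunnel:` inside a code block reads as a command; make it prose above the block. Typos: "preferrably", and "you need to still need to know".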
diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst
index 86568686..2cb0b2f1 100644
--- a/docs/configuration/interfaces/vxlan.rst
+++ b/docs/configuration/interfaces/vxlan.rst
@@ -132,6 +132,36 @@ For optimal scalability, Multicast shouldn't be used at all, but instead use BGP
to signal all connected devices between leaves. Unfortunately, VyOS does not yet
support this.
+Single VXLAN device (SVD)
+=========================
+
+FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when
+working with the Linux kernel. In this new way, the mapping of a VLAN to a
+:abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured
+against a container VXLAN interface which is referred to as a
+:abbr:`SVD (Single VXLAN device)`.
+
+Multiple VLAN to VNI mappings can be configured against the same SVD. This
+allows for a significant scaling of the number of VNIs since a separate VXLAN
+interface is no longer required for each VNI.
+
+.. cfgcmd:: set interfaces vxlan <interface> vlan-to-vni <vlan> vni <vni>
+
+ Maps the VNI to the specified VLAN id. The VLAN can then be consumed by
+ a bridge.
+
+ Sample configuration of SVD with VLAN to VNI mappings is shown below.
+
+ .. code-block:: none
+
+ set interfaces bridge br0 member interface vxlan0
+ set interfaces vxlan vxlan0 external
+ set interfaces vxlan vxlan0 source-interface 'dum0'
+ set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010'
+ set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011'
+ set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030'
+ set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
+
Example
-------
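Review bot: the cfgcmd text says the mapped VLAN "can then be consumed by a bridge", but the sample only adds vxlan0 as a br0 member and never says where VLAN IDs 10, 11, 30 and 31 exist; if br0 must be VLAN-aware for the VLAN-to-VNI mapping to carry traffic, as with any VLAN-filtered bridge, the sample needs that bridge setting too, and a sentence connecting the `vlan-to-vni` lines to the bridge VLAN configuration would make the example self-contained. The nested parentheses in `:abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))`` render awkwardly; "VXLAN Network Identifier, also called VXLAN Segment ID" reads better.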
@@ -252,7 +282,7 @@ advertised.
set interfaces bridge br241 member interface 'eth1.241'
set interfaces bridge br241 member interface 'vxlan241'
-Binds eth1.241 and vxlan241 to each other by making them both member
+Binds eth1.241 and vxlan241 to each other by making them both member
interfaces of the same bridge.
.. code-block:: none
diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst
index 29dc230f..237608a1 100644
--- a/docs/configuration/protocols/index.rst
+++ b/docs/configuration/protocols/index.rst
@@ -16,6 +16,7 @@ Protocols
mpls
segment-routing
ospf
+ pim6
rip
rpki
static
diff --git a/docs/configuration/protocols/pim6.rst b/docs/configuration/protocols/pim6.rst
new file mode 100644
index 00000000..1d316cfb
--- /dev/null
+++ b/docs/configuration/protocols/pim6.rst
@@ -0,0 +1,94 @@
+.. _pim6:
+
+##############
+IPv6 Multicast
+##############
+
+VyOS facilitates IPv6 Multicast by supporting **PIMv6** and **MLD**.
+
+PIMv6 (Protocol Independent Multicast for IPv6) must be configured in every
+interface of every participating router. Every router must also have the
+location of the Rendevouz Point manually configured.
+Then, unidirectional shared trees rooted at the Rendevouz Point will
+automatically be built for multicast distribution.
+
+Traffic from multicast sources will go to the Rendezvous Point, and receivers
+will pull it from a shared tree using MLD (Multicast Listener Discovery).
+
+Multicast receivers will talk MLD to their local router, so, besides having
+PIMv6 configured in every router, MLD must also be configured in any router
+where there could be a multicast receiver locally connected.
+
+VyOS supports both MLD version 1 and version 2
+(which allows source-specific multicast).
+
+Basic commands
+==============
+These are the commands for a basic setup.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name>
+
+ Use this command to enable PIMv6 in the selected interface so that it
+ can communicate with PIMv6 neighbors. This command also enables MLD reports
+ and query on the interface unless :cfgcmd:`mld disable` is configured.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld disable
+
+ Disable MLD reports and query on the interface.
+
+
+Tuning commands
+===============
+You can also tune multicast with the following commands.
+
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld interval <seconds>
+
+ Use this command to configure in the selected interface the MLD
+ host query interval (1-65535) in seconds that PIM will use.
+ The default value is 125 seconds.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld join <multicast-address>
+
+ Use this command to allow the selected interface to join a multicast group.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld join <multicast-address> source <source-address>
+
+ Use this command to allow the selected interface to join a source-specific multicast
+ group.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld last-member-query-count <count>
+
+ Set the MLD last member query count. The default value is 2.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld last-member-query-interval <milliseconds>
+
+ Set the MLD last member query interval in milliseconds (100-6553500). The default value is 1000 milliseconds.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld max-response-time <milliseconds>
+
+ Set the MLD query response timeout in milliseconds (100-6553500). The default value is 10000 milliseconds.
+
+.. cfgcmd:: set protocols pim6 interface <interface-name> mld version <version-number>
+
+ Set the MLD version used on this interface. The default value is 2.
+
+*********************
+Configuration Example
+*********************
+
+To enable MLD reports and query on interfaces `eth0` and `eth1`:
+
+.. code-block:: none
+
+ set protocols pim6 interface eth0
+ set protocols pim6 interface eth1
+
+The following configuration explicitly joins multicast group `ff15::1234` on interface `eth1`
+and source-specific multicast group `ff15::5678` with source address `2001:db8::1` on interface
+`eth1`:
+
+.. code-block:: none
+
+ set protocols pim6 interface eth0 mld join ff15::1234
+ set protocols pim6 interface eth1 mld join ff15::5678 source 2001:db8::1
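Review bot: the last example's prose and commands disagree: the text says group `ff15::1234` is joined on interface `eth1`, but the command is `set protocols pim6 interface eth0 mld join ff15::1234`; fix one or the other. The introduction states that every router "must also have the location of the Rendevouz Point manually configured", yet no command for configuring it appears anywhere in this page; either document it under Basic commands or drop the claim. The `****` over/underline for "Configuration Example" is first used after `====` in this file, so docutils ranks it as a deeper level and the example becomes a subsection of "Tuning commands"; use `====` to keep it a sibling, or put `****` sections first as general.rst does. Spelling: "Rendevouz" (twice) versus "Rendezvous" a few lines later; "in every interface" should be "on every interface".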
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index bb7bdc86..0cbcecde 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -275,6 +275,22 @@ Configuration
Source all connections to the RADIUS servers from given VRF `<name>`.
+Configuration Example
+---------------------
+
+.. code-block:: none
+
+ set system login radius server 192.168.0.2 key 'test-vyos'
+ set system login radius server 192.168.0.2 port '1812'
+ set system login radius server 192.168.0.2 timeout '5'
+ set system login radius source-address '192.168.0.1'
+
+
+ If there is no communication between VyOS and RADIUS server users can
+ authenticate from local user accounts. During authentication from the local
+ accounts users can observe some timeouts. Timeout in seconds depends on
+ the configured timeout option.
+
.. hint:: If you want to have admin users to authenticate via RADIUS it is
essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without
the attribute you will only get regular, non privilegued, system users.
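Review bot: the paragraph starting "If there is no communication between VyOS and RADIUS server" is indented by one space, which reStructuredText renders as a block quote rather than body text; dedent it to the column of the surrounding paragraphs. Also add a comma after "RADIUS server", and "Timeout in seconds depends on the configured timeout option" would be clearer as "the delay equals the configured `timeout` value".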
@@ -328,6 +344,18 @@ Configuration
Source all connections to the TACACS servers from given VRF `<name>`.
+Configuration Example
+---------------------
+
+.. code-block:: none
+
+ set system login tacacs server 192.168.0.2 key 'test-vyos'
+ set system login tacacs server 192.168.0.2 port '49'
+ set system login tacacs source-address '192.168.0.1'
+
+
+ If there is no communication between VyOS and TACACS server users can
+ authenticate from local user accounts.
Login Banner
============
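Review bot: same block-quote problem as the RADIUS hunk above: the "If there is no communication between VyOS and TACACS server users can authenticate from local user accounts." line is indented by one space and will render as a block quote; dedent it, and add a comma after "TACACS server".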
diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst
index a51aca52..dea53321 100644
--- a/docs/configuration/vrf/index.rst
+++ b/docs/configuration/vrf/index.rst
@@ -279,6 +279,42 @@ Configuration
set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default'
set vrf name red table '2000'
+VRF and NAT
+-----------
+
+Configuration
+^^^^^^^^^^^^^
+
+ .. code-block:: none
+
+ set interfaces ethernet eth0 address '172.16.50.12/24'
+ set interfaces ethernet eth0 vrf 'red'
+
+ set interfaces ethernet eth1 address '192.168.130.100/24'
+ set interfaces ethernet eth1 vrf 'blue'
+
+ set nat destination rule 110 description 'NAT ssh- INSIDE'
+ set nat destination rule 110 destination port '2022'
+ set nat destination rule 110 inbound-interface 'eth0'
+ set nat destination rule 110 protocol 'tcp'
+ set nat destination rule 110 translation address '192.168.130.40'
+
+ set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 protocol 'all'
+ set nat source rule 100 source address '192.168.130.0/24'
+ set nat source rule 100 translation address 'masquerade'
+
+ set service ssh vrf 'red'
+
+ set vrf bind-to-all
+ set vrf name blue protocols static route 0.0.0.0/0 next-hop 172.16.50.1 vrf 'red'
+ set vrf name blue protocols static route 172.16.50.0/24 interface eth0 vrf 'red'
+ set vrf name blue table '1010'
+
+ set vrf name red protocols static route 0.0.0.0/0 next-hop 172.16.50.1
+ set vrf name red protocols static route 192.168.130.0/24 interface eth1 vrf 'blue'
+ set vrf name red table '2020'
+
.. _vrf example operation:
Operation
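Review bot: the example has no explanatory prose, so the reader has to reverse-engineer the topology; add a sentence or two: eth0 (172.16.50.12/24) is in VRF red and holds the default route, eth1 (192.168.130.0/24) is in VRF blue, the static routes with `vrf 'red'` and `vrf 'blue'` leak each side's prefix into the other table, rule 100 masquerades the blue subnet out of eth0, and rule 110 forwards TCP port 2022 arriving on eth0 to 192.168.130.40. Because rule 110 exposes an inside host to everything reachable over VRF red, the text should note that a firewall rule limiting the permitted sources belongs alongside it. Cosmetic: the description `'NAT ssh- INSIDE'` has a stray hyphen.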
@@ -427,9 +463,9 @@ address-family.
.. cfgcmd:: set vrf name <name> protocols bgp address-family
<ipv4-unicast|ipv6-unicast> label vpn allocation-mode per-nexthop
- Select how labels are allocated in the given VRF. By default, the per-vrf
- mode is selected, and one label is used for all prefixes from the VRF. The
- per-nexthop will use a unique label for all prefixes that are reachable via
+ Select how labels are allocated in the given VRF. By default, the per-vrf
+ mode is selected, and one label is used for all prefixes from the VRF. The
+ per-nexthop will use a unique label for all prefixes that are reachable via
the same nexthop.
.. cfgcmd:: set vrf name <name> protocols bgp address-family