From 42d29b1e83ee9775aafa2a2162bdb56b65df4ca6 Mon Sep 17 00:00:00 2001 From: Ginko <152240782+Giggum@users.noreply.github.com> Date: Fri, 3 May 2024 13:17:39 -0400 Subject: tunnelbroker: adds suggestion to source-address assignment for users with dynamic IPs (#1415) --- .../autotest/tunnelbroker/_include/vyos-wan_tun0.conf | 8 ++++---- docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst | 13 +++++++++++-- 2 files changed, 15 insertions(+), 6 deletions(-) (limited to 'docs/configexamples') diff --git a/docs/configexamples/autotest/tunnelbroker/_include/vyos-wan_tun0.conf b/docs/configexamples/autotest/tunnelbroker/_include/vyos-wan_tun0.conf index 03889ffd..ab70ccc5 100644 --- a/docs/configexamples/autotest/tunnelbroker/_include/vyos-wan_tun0.conf +++ b/docs/configexamples/autotest/tunnelbroker/_include/vyos-wan_tun0.conf @@ -1,8 +1,8 @@ -set interfaces tunnel tun0 address '2001:470:6c:779::2/64' #Tunnelbroker Client IPv6 Address +set interfaces tunnel tun0 address '2001:470:6c:779::2/64' #Tunnelbroker Client IPv6 address set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel' set interfaces tunnel tun0 encapsulation 'sit' -set interfaces tunnel tun0 remote '216.66.86.114' #Tunnelbroker Server IPv4 Address -set interfaces tunnel tun0 source-address '172.29.129.60' # Tunnelbroker Client IPv4 Address or if there is NAT the current WAN interface address +set interfaces tunnel tun0 remote '216.66.86.114' #Tunnelbroker Server IPv4 address +set interfaces tunnel tun0 source-address '172.29.129.60' # Tunnelbroker Client IPv4 address. See note below set protocols static route6 ::/0 interface tun0 @@ -10,4 +10,4 @@ set interface ethernet eth2 address '2001:470:6d:778::1/64' # Tunnelbroker Route set service router-advert interface eth2 name-server '2001:470:20::2' set service router-advert interface eth2 prefix 2001:470:6d:778::/64 # Tunnelbroker Routed /64 prefix -set system name-server 2001:470:20::2 #Tunnelbroker DNS Server \ No newline at end of file +set system name-server 2001:470:20::2 #Tunnelbroker DNS Server diff --git a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst index 96c2e1af..5bfcb642 100644 --- a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst +++ b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst @@ -48,7 +48,15 @@ Now we are able to setup the tunnel interface. :language: none :lines: 1-5 -Setup the ipv6 default route to the tunnel interface +.. note:: The `source-address` is the Tunnelbroker client IPv4 + address or if there is NAT the current WAN interface address. + + If `source-address` is dynamic, the tunnel will cease working once + the address changes. To avoid having to manually update + `source-address` each time the dynamic IP changes, an address of + '0.0.0.0' can be specified. + +Setup the IPv6 default route to the tunnel interface .. literalinclude:: _include/vyos-wan_tun0.conf :language: none @@ -204,4 +212,5 @@ instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`. Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 -firewall in ipv6-name` or `et firewall zone LOCAL from WAN firewall ipv6-name`. \ No newline at end of file +firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall +ipv6-name`. -- cgit v1.2.3 From f777a5eebe2334e1acd3674c42c86b88f4c0d318 Mon Sep 17 00:00:00 2001 From: Alex W Date: Sat, 4 May 2024 21:33:27 +0100 Subject: config-examples: Corrected spelling mistakes --- docs/configexamples/policy-based-ipsec-and-firewall.rst | 4 ++-- docs/configexamples/wan-load-balancing.rst | 6 +++--- docs/configexamples/zone-policy.rst | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'docs/configexamples') diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst index 2337c1ac..8dc07de6 100644 --- a/docs/configexamples/policy-based-ipsec-and-firewall.rst +++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst @@ -13,7 +13,7 @@ configuration is done only on one router. Network Topology and requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This configuration example and the requirments consists of: +This configuration example and the requirements consists of: - Two VyOS routers with public IP address. @@ -37,7 +37,7 @@ This configuration example and the requirments consists of: - Allow all new connections from local subnets. - - Allow connections from LANs to LANs throught the tunnel. + - Allow connections from LANs to LANs through the tunnel. .. image:: /_static/images/policy-based-ipsec-and-firewall.png diff --git a/docs/configexamples/wan-load-balancing.rst b/docs/configexamples/wan-load-balancing.rst index ace9a981..0952cfe5 100644 --- a/docs/configexamples/wan-load-balancing.rst +++ b/docs/configexamples/wan-load-balancing.rst @@ -69,7 +69,7 @@ Example 2: Failover based on interface weights This example uses the failover mode. -.. _wan:example2_overwiew: +.. _wan:example2_overview: Overview ^^^^^^^^ @@ -98,7 +98,7 @@ The previous example used the failover command to send traffic through eth1 if eth0 fails. In this example, failover functionality is provided by rule order. -.. _wan:example3_overwiew: +.. _wan:example3_overview: Overview ^^^^^^^^ @@ -129,7 +129,7 @@ traffic. It is assumed for this example that eth1 is connected to a slower connection than eth0 and should prioritize VoIP traffic. -.. _wan:example4_overwiew: +.. _wan:example4_overview: Overview ^^^^^^^^ diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst index 08db13b9..6658f2b1 100644 --- a/docs/configexamples/zone-policy.rst +++ b/docs/configexamples/zone-policy.rst @@ -6,7 +6,7 @@ Zone-Policy example ------------------- .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all vyos instalations, and zone based firewall is + structure can be found on all vyos installations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall `_ -- cgit v1.2.3 From 0e98fdb64154011850ba5705b9c6f8e74868c955 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Mon, 6 May 2024 13:49:48 -0400 Subject: Modified old option from 'enable-default-log' to new one 'default-log' --- docs/configexamples/zone-policy.rst | 8 ++++---- docs/configuration/firewall/bridge.rst | 8 ++++---- docs/configuration/firewall/ipv4.rst | 8 ++++---- docs/configuration/firewall/ipv6.rst | 10 +++++----- docs/configuration/policy/route.rst | 6 +++--- 5 files changed, 20 insertions(+), 20 deletions(-) (limited to 'docs/configexamples') diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst index 08db13b9..d9a6bf89 100644 --- a/docs/configexamples/zone-policy.rst +++ b/docs/configexamples/zone-policy.rst @@ -145,7 +145,7 @@ To add logging to the default rule, do: .. code-block:: none - set firewall name enable-default-log + set firewall name default-log By default, iptables does not allow traffic for established sessions to @@ -251,7 +251,7 @@ Since we have 4 zones, we need to setup the following rulesets. Dmz-local Even if the two zones will never communicate, it is a good idea to -create the zone-pair-direction rulesets and set enable-default-log. This +create the zone-pair-direction rulesets and set default-log. This will allow you to log attempts to access the networks. Without it, you will never see the connection attempts. @@ -261,7 +261,7 @@ This is an example of the three base rules. name wan-lan { default-action drop - enable-default-log + default-log rule 1 { action accept state { @@ -285,7 +285,7 @@ Here is an example of an IPv6 DMZ-WAN ruleset. ipv6-name dmz-wan-6 { default-action drop - enable-default-log + default-log rule 1 { action accept state { diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index 9fb019c5..bba9e56f 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst @@ -157,8 +157,8 @@ log options can be defined. Enable logging for the matched packet. If this configuration command is not present, then log is not enabled. -.. cfgcmd:: set firewall bridge forward filter enable-default-log -.. cfgcmd:: set firewall bridge name enable-default-log +.. cfgcmd:: set firewall bridge forward filter default-log +.. cfgcmd:: set firewall bridge name default-log Use this command to enable the logging of the default action on the specified chain. @@ -325,7 +325,7 @@ Configuration example: .. code-block:: none set firewall bridge forward filter default-action 'drop' - set firewall bridge forward filter enable-default-log + set firewall bridge forward filter default-log set firewall bridge forward filter rule 10 action 'continue' set firewall bridge forward filter rule 10 inbound-interface name 'eth2' set firewall bridge forward filter rule 10 vlan id '22' @@ -341,7 +341,7 @@ Configuration example: set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11' set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66' set firewall bridge name TEST default-action 'accept' - set firewall bridge name TEST enable-default-log + set firewall bridge name TEST default-log set firewall bridge name TEST rule 10 action 'continue' set firewall bridge name TEST rule 10 log set firewall bridge name TEST rule 10 vlan priority '0' diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index ff739418..1cf50810 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -206,10 +206,10 @@ log options can be defined. Enable logging for the matched packet. If this configuration command is not present, then log is not enabled. -.. cfgcmd:: set firewall ipv4 forward filter enable-default-log -.. cfgcmd:: set firewall ipv4 input filter enable-default-log -.. cfgcmd:: set firewall ipv4 output filter enable-default-log -.. cfgcmd:: set firewall ipv4 name enable-default-log +.. cfgcmd:: set firewall ipv4 forward filter default-log +.. cfgcmd:: set firewall ipv4 input filter default-log +.. cfgcmd:: set firewall ipv4 output filter default-log +.. cfgcmd:: set firewall ipv4 name default-log Use this command to enable the logging of the default action on the specified chain. diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 0aa8a137..c679ffd5 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -206,10 +206,10 @@ log options can be defined. Enable logging for the matched packet. If this configuration command is not present, then log is not enabled. -.. cfgcmd:: set firewall ipv6 forward filter enable-default-log -.. cfgcmd:: set firewall ipv6 input filter enable-default-log -.. cfgcmd:: set firewall ipv6 output filter enable-default-log -.. cfgcmd:: set firewall ipv6 name enable-default-log +.. cfgcmd:: set firewall ipv6 forward filter default-log +.. cfgcmd:: set firewall ipv6 input filter default-log +.. cfgcmd:: set firewall ipv6 output filter default-log +.. cfgcmd:: set firewall ipv6 name default-log Use this command to enable the logging of the default action on the specified chain. @@ -1177,7 +1177,7 @@ Example Partial Config } name INP-ETH1 { default-action drop - enable-default-log + default-log rule 10 { action accept protocol tcp_udp diff --git a/docs/configuration/policy/route.rst b/docs/configuration/policy/route.rst index 1a85ffc6..45975774 100644 --- a/docs/configuration/policy/route.rst +++ b/docs/configuration/policy/route.rst @@ -19,8 +19,8 @@ from 1 - 999999, at the first match the action of the rule will be executed. Provide a rule-set description. -.. cfgcmd:: set policy route enable-default-log -.. cfgcmd:: set policy route6 enable-default-log +.. cfgcmd:: set policy route default-log +.. cfgcmd:: set policy route6 default-log Option to log packets hitting default-action. @@ -271,4 +271,4 @@ setting a different routing table. .. cfgcmd:: set policy route rule set tcp-mss <500-1460> .. cfgcmd:: set policy route6 rule set tcp-mss <500-1460> - Set packet modifications: Explicitly set TCP Maximum segment size value. \ No newline at end of file + Set packet modifications: Explicitly set TCP Maximum segment size value. -- cgit v1.2.3 From c55362841c3c6f755116f9e3654921e7f5a4fadb Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Tue, 7 May 2024 12:26:58 -0400 Subject: Corrected the grammar and added the vyos client configuration --- .../OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst | 28 +++++++++++++++++----- 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'docs/configexamples') diff --git a/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst b/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst index e42d3567..6666399d 100644 --- a/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst +++ b/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst @@ -7,9 +7,9 @@ OpenVPN with LDAP | Testdate: 2023-05-11 | Version: 1.4-rolling-202305100734 -This LAB show how to uwe OpenVPN with a Active Directory authentication backend. +This LAB shows how to use OpenVPN with a Active Directory authentication method. -The Topology are consists of: +Topology consists of: * Windows Server 2019 with a running Active Directory * VyOS as a OpenVPN Server * VyOS as Client @@ -20,7 +20,7 @@ The Topology are consists of: Active Directory on Windows server ================================== -The Lab asume a full running Active Directory on the Windows Server. +The lab assumes a full running Active Directory on the Windows Server. Here are some PowerShell commands to quickly add a Test Active Directory. .. code-block:: powershell @@ -36,7 +36,7 @@ Here are some PowerShell commands to quickly add a Test Active Directory. New-ADUser user01 -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true -Configuration VyOS as OpenVPN Server +Configure VyOS as OpenVPN Server ==================================== In this example OpenVPN will be setup with a client certificate and username / password authentication. @@ -53,7 +53,7 @@ Please look :ref:`here ` for more information. Now generate all required certificates on the ovpn-server: -first the PCA +First the CA .. code-block:: none @@ -249,11 +249,27 @@ save the output to a file and import it in nearly all openvpn clients. +Configure VyOS as client +------------------------ + +.. code-block:: none + + set interfaces openvpn vtun10 authentication username 'user01' + set interfaces openvpn vtun10 authentication password '$ecret' + set interfaces openvpn vtun10 encryption cipher 'aes256' + set interfaces openvpn vtun10 hash 'sha512' + set interfaces openvpn vtun10 mode 'client' + set interfaces openvpn vtun10 persistent-tunnel + set interfaces openvpn vtun10 protocol 'udp' + set interfaces openvpn vtun10 remote-host '198.51.100.254' + set interfaces openvpn vtun10 remote-port '1194' + set interfaces openvpn vtun10 tls ca-certificate 'OVPN-CA' + set interfaces openvpn vtun10 tls certificate 'CLIENT' Monitoring ========== -If the client is connect successfully you can check the output with +If the client is connected successfully you can check the status .. code-block:: none -- cgit v1.2.3