23 changes: 22 additions & 1 deletion docs/firewall.rst
@@ -102,6 +102,27 @@ first be created):

set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT

How VyOS replies when being pinged
----------------------------------

By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall.

With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic.

.. note:: **firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way

.. code-block:: sh

set firewall all-ping enable

When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied droping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests.

.. code-block:: sh

set firewall all-ping disable

When the comand above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them.

Example Partial Config
----------------------
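Review bot: the added prose in this hunk has typos and grammar slips that should be fixed before merge: in the paragraph after `set firewall all-ping enable`, "droping" should be "dropping"; in the paragraph after `set firewall all-ping disable`, "comand" should be "command"; and "affects only to LOCAL" (in both the paragraph and the `.. note::`) should read "affects only LOCAL". The note itself ("it always behaves in the most restrictive way") is vague on its own, since the restrictive behaviour is only spelled out two paragraphs later ("In case of conflict, VyOS will not answer ICMP echo requests"); either move that sentence into the note or fold the note into the paragraph so the rule is stated once, next to the command it describes. Minor: "unless you avoid it through its firewall" reads awkwardly; "unless a firewall rule prevents it" says the same thing.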

@@ -170,4 +191,4 @@ Example Partial Config
}
}
}
}
}
4 changes: 4 additions & 0 deletions docs/vpn/openvpn.rst
@@ -175,6 +175,10 @@ First we need to specify the basic settings. 1194/UDP is the default. The
`persistent-tunnel` option is recommended, it prevents the TUN/TAP device from
closing on connection resets or daemon reloads.


.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur.


.. code-block:: sh

set interfaces openvpn vtun10 mode server
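Review bot: the option in the added note is written with a single dash (**openvpn-option -reneg-sec**), but OpenVPN's option is `--reneg-sec n` (double dash); a reader copying the name from this note into an `openvpn-option` value would get the wrong form, so please correct it. The note also frames 0 as the way "to disable" renegotiation and then explains that the other side's value still applies; it would be clearer to state outright that renegotiation is only disabled when both peers set 0, and that the lower non-zero value of either side otherwise wins. Formatting: the note is surrounded by two blank lines on each side while the rest of the section uses one; a single blank line is enough for RST and matches the surrounding text.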