Configure Site-to-Site VPN (S2S) with WireGuard

Last adaptation to the version: 12.7.1 (previous adaptation of this article: 12.6.2, last updated 12.2024)
This article refers to a Beta version.
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115, e.g. https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: VPN / WireGuard

New as of: v12.6
Key management

When creating a WireGuard connection, there are several options for generating and managing the necessary key values. Each of these options has its advantages and disadvantages.
For two options, the required private or public key value is created directly in the WireGuard connection setup wizard.
The third option requires existing keys of type x25519.

Add key
Open the key management under Authentication / Key with the button Add key.
    Name: x25519-device    Assign a unique name.
                           Note: The key name must not be the name of a (future) interface, such as wg0 or wg1.
    Type: X25519           Select X25519 as the type.
Close the dialog with the Save and close button.

Export key
In the key management under Authentication / Key, Export key exports a key in .pem format.
    Export target: clipboard
    ED25519/X25519 Export Format: PEM
    Public part (PEM) / Private part (PEM)    Copies the selected part of the key in .pem format to the clipboard.

Import key
In the key management under Authentication / Key, Import key opens the key import dialog.
    Source: file         Imports a key from a .pem file (Upload).
    Source: Clipboard    Imports a key from the clipboard.
A name for the key must be assigned here.

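The key management exports and imports x25519 keys as PEM, while WireGuard configurations (and the .raw export used later for a Fritzbox) carry the same 32 bytes as a base64 string, and the wizard's "Calculate from private key value" option derives the public key from a private one. The following script is an added example, not part of this article or of Securepoint's software. It converts between the two formats and derives the public key with a pure-Python X25519 implementation following RFC 7748, so it runs without third-party packages. Assumptions: the UTM's .pem export uses the standard PKCS#8 / SubjectPublicKeyInfo encoding for X25519 (as OpenSSL does), the .raw export is the base64 form, and all function names are the example's own.

```python
import base64

# --- X25519 scalar multiplication (RFC 7748, section 5), pure Python for portability ---
P = 2**255 - 19
A24 = 121665
BASE_POINT_U = 9


def _clamp(private_key: bytes) -> int:
    """Apply the RFC 7748 clamping to a 32-byte private key and read it little-endian."""
    k = bytearray(private_key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _x25519(scalar: int, u: int) -> int:
    """Montgomery ladder exactly as written in RFC 7748 (conditional swaps keep it uniform)."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def public_from_private(private_key: bytes) -> bytes:
    """What 'Calculate from private key value' does: public = X25519(private, 9)."""
    if len(private_key) != 32:
        raise ValueError("X25519 private key must be 32 bytes")
    return _x25519(_clamp(private_key), BASE_POINT_U).to_bytes(32, "little")


# --- PEM <-> raw (base64) conversion; DER headers are fixed for X25519 (OID 1.3.101.110) ---
PKCS8_X25519_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")  # PrivateKeyInfo header
SPKI_X25519_PREFIX = bytes.fromhex("302a300506032b656e032100")           # SubjectPublicKeyInfo header


def _pem_encode(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def _pem_decode(pem: str, label: str) -> bytes:
    body = pem.strip().splitlines()
    if body[0] != f"-----BEGIN {label}-----" or body[-1] != f"-----END {label}-----":
        raise ValueError(f"expected a {label} PEM block")
    return base64.b64decode("".join(body[1:-1]))


def raw_to_pem(key: bytes, private: bool) -> str:
    """Wrap a 32-byte key in the PEM form the key management imports."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    if private:
        return _pem_encode("PRIVATE KEY", PKCS8_X25519_PREFIX + key)
    return _pem_encode("PUBLIC KEY", SPKI_X25519_PREFIX + key)


def pem_to_raw(pem: str) -> tuple[bytes, bool]:
    """Return (32-byte key, is_private); the header check rejects e.g. Ed25519 keys."""
    if "PRIVATE KEY" in pem:
        der = _pem_decode(pem, "PRIVATE KEY")
        if not der.startswith(PKCS8_X25519_PREFIX) or len(der) != 48:
            raise ValueError("not an X25519 private key")
        return der[16:], True
    der = _pem_decode(pem, "PUBLIC KEY")
    if not der.startswith(SPKI_X25519_PREFIX) or len(der) != 44:
        raise ValueError("not an X25519 public key")
    return der[12:], False


def wg_key(raw: bytes) -> str:
    """Base64 form used in WireGuard configs (assumed to be what the .raw export contains)."""
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    # RFC 7748 test vector ("Alice"), constructed input; never use a published key in production.
    priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    pub = public_from_private(priv)
    print(raw_to_pem(pub, private=False))
    print("PublicKey =", wg_key(pub))
```

Only the public part of a key should ever be exported to the remote side; the PEM header check above is what distinguishes the two parts before a key is pasted into the wizard.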

Create WireGuard connection

  • A WireGuard connection provides access for multiple peers if necessary
  • Each connection is secured with its own key pair
  • All peers of a connection use its public key
  • Each peer needs its own key pair for authentication
    In addition, each peer should be secured with a strong PSK.

The following configuration is assumed:

Site-to-site:
                       Location A           Location B           Transfer network
  FQDN                 a.vpn.anyideas.de    b.vpn.anyideas.de
  Local network IPv4   10.1.0.0/16          10.2.0.0/16          10.0.1.0/24
  Local tunnel IPv4    10.0.1.1/24          10.0.1.2/24
  Local network IPv6   fd00:a:0:0::0/64     fd00:b:0:0::0/64     fd00:0:0:0::0/64
  Local tunnel IPv6    fd00:0:0:0::1/128    fd00:0:0:0::2/128

Roadwarrior:
                       UTM                  Roadwarrior          Transfer network
  FQDN                 a.vpn.anyideas.de
  Local network IPv4   10.1.0.0/16                               10.0.1.0/24
  Local tunnel IPv4    10.0.1.1/24          10.0.1.201/24
  Local network IPv6   fd00:a:0:0::0/64                          fd00:0:0:0::0/64
  Local tunnel IPv6    fd00:0:0:0::1/128    fd00:0:0:0::C9/128
Configuration on Location A

Start the assistant with the button Add WireGuard Connection.

Step 1 - Import configuration
    File: Select a file    If a WireGuard server configuration already exists, it can be uploaded as a file.
                           The corresponding settings are automatically entered in the respective elements in the following steps.
                           If several peers are available, only the first peer is used.
    Configuration:         If a WireGuard server configuration already exists, it can be copied into this configuration field.
                           The corresponding settings are automatically entered in the respective elements in the following steps.
                           If several peers are available, only the first peer is accepted.

    Example of an imported configuration:

        [Interface]
        Address = 10.0.0.1/24
        Address = C0FF::EEEE/64
        ListenPort = 51824
        PrivateKey = interfacePrivateKeyaaaaaaaaaaaaaaaaaaaaaaaa=

        [Peer]
        AllowedIPs = 10.0.0.2/32, 10.0.0.3/32
        AllowedIPs = 10.0.0.4/32
        Endpoint = 1.2.3.4:51825
        PersistentKeepalive = 30
        PresharedKey = peerPresharedKeyaaaaaaaaaaaaaaaaaaaaaaaaaaa=
        PublicKey = peerPublicKeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
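To make clear which values the import step actually picks up (repeated Address and AllowedIPs lines, comma-separated lists, and only the first [Peer]), here is an added example parser for the WireGuard configuration format. It is not Securepoint's import code; the mapping to wizard fields, the default listen port of 51820 (the wizard default named in Step 2) and the sample configuration, which is the page's example plus a constructed second peer, are the example's own.

```python
import re

Section = dict[str, list[str]]  # each key maps to a list, because Address / AllowedIPs may repeat

SAMPLE_CONFIG = """\
# Constructed sample: the article's example import plus a second peer that the wizard ignores.
[Interface]
Address = 10.0.0.1/24
Address = C0FF::EEEE/64
ListenPort = 51824
PrivateKey = interfacePrivateKeyaaaaaaaaaaaaaaaaaaaaaaaa=

[Peer]
AllowedIPs = 10.0.0.2/32, 10.0.0.3/32
AllowedIPs = 10.0.0.4/32
Endpoint = 1.2.3.4:51825
PersistentKeepalive = 30
PresharedKey = peerPresharedKeyaaaaaaaaaaaaaaaaaaaaaaaaaaa=
PublicKey = peerPublicKeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=

[Peer]
AllowedIPs = 10.0.0.9/32
PublicKey = secondPeerPublicKeyPlaceholderaaaaaaaaaaaaa=
"""


def parse_wg_config(text: str) -> tuple[Section, list[Section]]:
    """Parse INI-style WireGuard config into one [Interface] section and a list of [Peer] sections."""
    interface: Section = {}
    peers: list[Section] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment; keys never contain it
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            name = m.group(1).lower()
            if name == "interface":
                if interface:
                    raise ValueError("more than one [Interface] section")
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{m.group(1)}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # split once: base64 keys end in '='
        current.setdefault(key.lower(), []).append(value)
    if not interface:
        raise ValueError("missing [Interface] section")
    return interface, peers


def _split_list(values: list[str]) -> list[str]:
    """Flatten repeated lines and comma-separated entries into one list, preserving order."""
    out: list[str] = []
    for v in values:
        out.extend(item.strip() for item in v.split(",") if item.strip())
    return out


def wizard_fields(text: str) -> dict:
    """Reduce a parsed config to what the wizard pre-fills; only the first [Peer] is taken."""
    interface, peers = parse_wg_config(text)
    if "privatekey" not in interface:
        raise ValueError("[Interface] has no PrivateKey")
    if not peers:
        raise ValueError("configuration contains no [Peer] section")
    peer = peers[0]
    if "publickey" not in peer:
        raise ValueError("first [Peer] has no PublicKey")
    host = port = None
    if "endpoint" in peer:
        host, _, port_str = peer["endpoint"][-1].rpartition(":")
        host = host.strip("[]")  # IPv6 endpoints are written as [addr]:port
        port = int(port_str)
    return {
        "addresses": _split_list(interface.get("address", [])),
        "listen_port": int(interface["listenport"][-1]) if "listenport" in interface else 51820,
        "private_key": interface["privatekey"][-1],
        "peer_allowed_ips": _split_list(peer.get("allowedips", [])),
        "peer_public_key": peer["publickey"][-1],
        "peer_endpoint_host": host,
        "peer_endpoint_port": port,
        "peer_keepalive": int(peer["persistentkeepalive"][-1]) if "persistentkeepalive" in peer else 0,
        "peer_has_psk": "presharedkey" in peer,
        "ignored_peers": len(peers) - 1,
    }


if __name__ == "__main__":
    for k, v in wizard_fields(SAMPLE_CONFIG).items():
        print(f"{k:20} {v}")
```

A non-zero `ignored_peers` is worth reporting to the administrator before the import: every additional peer in the uploaded file must be added by hand afterwards, and its public key is otherwise silently dropped.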

    Step 2 - Interface
    Interface: wg0                   Name of the interface that will be created for the connection (automatic default, cannot be changed)
    Name: wg_server                  Unique name for the connection
    IPv4 address: 10.0.1.1/24        IPv4 address for the network interface of the transfer network at location A.
                                     This determines the network IP of the transfer net (here: 10.0.1.1/24).
    IPv6 address: fd00:0:0:0::1/64   IPv6 address for the network interface of the transfer network at location A (optional).
                                     This determines the network IP of the transfer net (here: fd00:0:0:0::1/64).
    Listening Port: 51820            Default port for WireGuard connections
    Private key:
      • Generate automatically       A private key value is generated automatically.
          • This key value is not displayed!
          • This key is not added under Authentication / Key!
      • Enter key value directly     The key value is entered directly.
          • This key is not added under Authentication / Key!
          • Note: The key value cannot be read out later for security reasons.
          • Note: If a file was imported or the configuration entered in Step 1 - Import configuration, this option is automatically selected and the private key value is read from the configuration and entered here.
          • View / Hide              Shows / hides the key value
          • Generate                 Generates the key value
      • Select from keys: x25519_a.vpn   Private key in x25519 format.
          • Only keys that also have a private key part can be selected.
          • Add key                  If there is no local key in x25519 format yet, this button can be used to generate one.
    Share server networks globally:  Networks on the (local) server side that the WireGuard tunnels of the peers can access in principle.
                                     Note: For the actual access, additional network objects and port filter rules are needed!
    Step 3 - Peer
    Peer type: Peer / AD user / Local user   The type of peers.
                                     S2S connections should always be set up with the peer type Peer.
                                     Instructions for Step 3 - Peer with AD connection and Step 3 - Peer with local users follow below.
    Name: peer-b                     Description of the remote terminal
    Share peer networks: 10.2.0.0/16, fd00:b:0:0::/64   Local network IPs of the remote side that can access the WireGuard tunnel.
                                     Note: For the actual access, additional network objects and port filter rules are needed!
    Endpoint: b.vpn.anyideas.de      Public IP or publicly DNS-resolvable FQDN of the remote terminal (here: Location B).
                                     Not required if only the remote terminal (here: Location B) initiates the connection.
    Endpoint Port: 51820             Listening port of the remote terminal (here: Location B)
    Public key:
      • Enter key value directly     Public key value of the remote peer.
          • This key is not added under Authentication / Key!
          • Note: If a file was imported or the configuration entered in Step 1 - Import configuration, this option is automatically selected and the key value is read from the configuration and entered here.
      • Calculate from private key value   Calculates the public key from the private key value entered in Step 2 - Interface.
          • This key is not added under Authentication / Key!
          • Note: The key value cannot be read out later for security reasons.
          • View / Hide              Shows / hides the key value
          • Generate                 Generates the key value
          • Copy to clipboard        Copies the key value to the clipboard
      • Select from keys: x25519_b_vpn_pub_pem   Public key of the remote terminal (roadwarrior or remote site) in x25519 format.
          • Only keys that have no private key part can be selected.
          • Public key present but not selectable? Only keys for which there is not yet a connection on this interface can be selected. The PublicKey must be unique within a connection, as the routing of incoming packets is carried out via it. If the same PublicKey is to be used for a peer, e.g. for a fallback, another WireGuard connection must be created for this.
          • Add key                  If the public key of the remote terminal is not yet known, this button opens the import dialog of the key management. Export and import of the keys is also possible via the clipboard.
    Pre-Shared Key (optional): •••••••••••••••••••••••••••   Pre-shared key for further securing the connection
          • View / Hide              Shows / hides the key value
          • Generate                 Generates a very strong pre-shared key.
                                     Note: The pre-shared key must be identical at both ends of the VPN connection! It may only be generated on one side and must then be inserted on the other side.
          • Copy to clipboard        Copies the PSK to the clipboard
    Keepalive: Off / On              Regularly sends a signal. This keeps connections open on NAT routers. Activation is recommended.
                                     For this function to work without complications, the system time must be set correctly!
    25 Seconds                       Interval in seconds at which a signal is sent
    Step 3 - Peer AD user
    The default values are those configured under Authentication / AD/LDAP Authentication, area Advanced.
    Peer type: AD user                                AD user as peer
    WireGuard attribute (IPv4): extensionAttribute1   Attribute name in the AD which contains the tunnel IPv4 for the roadwarrior as its value
    WireGuard attribute (IPv6): extensionAttribute2   Attribute name in the AD which contains the tunnel IPv6 for the roadwarrior as its value
    WireGuard public key attribute: extensionAttribute3   The public key of the user. The user must have the private key.
    Open AD/LDAP dialog: Off / On                     When activated, the dialog under Authentication / AD/LDAP Authentication is opened.
    Finished                                          Exits the wizard

    Step 3 - Peer Local user
    New as of v12.7.1
    Peer type: Local user                             Local user as peer
    Open user dialogue: Off / On                      Opens the user settings after completing the wizard
    Finished                                          Exits the wizard
    WireGuard can then be configured for the desired user under VPN / WireGuard, button Add local user as peer, by clicking edit. More detailed information can be found in the linked Wiki article.

    Step 4 - Advanced settings
    Create routes to the peer's networks: Yes / No    Activation is recommended.
                                     Routes are created to the networks / hosts that were entered in step 3 under Share peer networks, with the interface displayed in step 2 as gateway.
    Initial situation

    It may be desirable to set the routes for VPN connections only when the connection is actually established.

    • This prevents packets from being routed to the Internet and stored by conntrack, which would otherwise prevent the connection from being established correctly
    • This can be advantageous, for example, if VoIP is to go through the tunnel
    • Load balancing via a second firewall is significantly simplified if only the UTM where the tunnel is actually established receives a route

    CLI command

    Connection via SSH or via the menu Extras / CLI:

    route get                                      determines the correct connection ID
    route set id <ID> flags BLACKHOLE_IF_OFFLINE
    e.g.: route set id "2" flags BLACKHOLE_IF_OFFLINE

    This command discards packets to this destination if the route does not exist, e.g. with SSL VPN or WireGuard if the tunnel is not available.

    Generate zones: Yes              Generates a new zone for the WireGuard port
    Zone name: wireguard-wg0         Name of the zone for the WireGuard connection
    Generate network objects for peer: Yes   wg-net-peer_rw, wg-net6-peer_rw
                                     When enabled, creates network objects (IPv4 and, if necessary, IPv6) for the remote terminal. The automatic suggestion can also be changed.
    Network group: wg0-network       The network group of the connection is displayed
    Generate rules between peer and internal networks: No / Yes   Generates auto-generated rules that make commissioning easier.
                                     Note: It is essential to replace these rules with your own rules that allow only the necessary services with the necessary network objects.
                                     Note: These custom rules must always be created with the WireGuard interface and the internal network, even if the WireGuard tunnel leads to a DMZ network.
    Finished                         Exits the wizard


    Configuration at location B

    Start the assistant with the button Add WireGuard Connection.

    Step 1 - Import configuration
    File: Select a file              If a WireGuard server configuration already exists, it can be uploaded as a file.
                                     The corresponding settings are automatically entered in the respective elements in the following steps.
                                     If several peers are available, only the first peer is used.
    Configuration:                   If a WireGuard server configuration already exists, it can be copied into this configuration field.
                                     The corresponding settings are automatically entered in the respective elements in the following steps.
                                     If several peers are available, only the first peer is accepted.
    An example of an imported configuration is shown in Step 1 for location A.

    Step 2 - Interface
    Interface: wg0                   Name of the interface that will be created for the connection (automatic default, cannot be changed)
    Name: wg_server                  Unique name for the connection
    IPv4 address: 10.0.1.2/24        IPv4 address for the network interface of the transfer network at location B.
                                     Here an IP from the network that was set at location A must be selected (here: 10.0.1.2/24).
    IPv6 address: fd00:0:0:0::2/64   IPv6 address for the network interface of the transfer network at location B (optional).
                                     Here an IP from the network that was defined at location A must be chosen (here: fd00:0:0:0::2/64).
    Listening Port: 51820            Default port for WireGuard connections
    Private key:                     The options are the same as in Step 2 at location A:
      • Generate automatically       A private key value is generated automatically. It is not displayed and not added under Authentication / Key!
      • Enter key value directly     The key value is entered directly. It is not added under Authentication / Key and cannot be read out later for security reasons.
                                     Note: If a file was imported or the configuration entered in Step 1 - Import configuration, this option is automatically selected and the private key value is read from the configuration and entered here.
                                     View / Hide shows / hides the key value.
      • Select from keys: x25519_b.vpn   Private key in x25519 format. Only keys that also have a private key part can be selected.
                                     If there is no local key in x25519 format yet, the Add key button can be used to generate one.
    Share server networks globally:  Networks on the (local) server side that the WireGuard tunnels of the peers can access in principle.
                                     Note: For the actual access, additional network objects and port filter rules are needed!
    Step 3 - Peer
    Peer type: Peer                  The type of peers (Site to Site - S2S)
    Name: peer-a                     Description of the remote terminal (here: Location A)
    Share peer networks: 10.1.0.0/16, fd00:a:0:0::/64   Local network IPs of the remote terminal (here: Location A)
    Endpoint: a.vpn.anyideas.de      Public IP or publicly DNS-resolvable FQDN of the remote terminal (here: Location A).
                                     Not required if only the remote terminal (here: Location A) initiates the connection.
    Endpoint Port: 51820             Listening port of the remote terminal (here: Location A)
    Public key:
      • Enter key value directly     Public key value of the remote peer.
      • Calculate from private key value   Calculates the public key from the private key value entered in Step 2 - Interface.
                                     View / Hide shows / hides the key value.
      • Select from keys: x25519_a_vpn_pub_pem   Public key of the remote terminal (here: Location A) in x25519 format.
          • Only keys that have no private key part can be selected.
          • Public key present but not selectable? Only keys for which there is not yet a connection on this interface can be selected. The PublicKey must be unique within a connection, as the routing of incoming packets is carried out via it. If the same PublicKey is to be used for a peer, e.g. for a fallback, another WireGuard connection must be created for this.
          • Add key                  If the public key of the remote terminal is not yet known, this button opens the import dialog of the key management. Export and import of the keys is also possible via the clipboard.
    Pre-Shared Key (optional): …R0Z0DWUs+iCDFYzpP4=   Pre-shared key for further securing the connection.
          • Generate                 Generates a very strong pre-shared key.
                                     Note: The same PSK must be inserted here as at location A.
          • Copy to clipboard        Copies the PSK to the clipboard
    Keepalive: Off / On              Regularly sends a signal. This keeps connections open on NAT routers. Activation is recommended.
                                     For this function to work without complications, the system time must be set correctly!
    25                               Interval in seconds at which a signal is sent
    Step 4 - Advanced settings
    Create routes to the peer's networks: No / Yes    Activation is recommended.
                                     Routes are created to the networks / hosts that were entered in step 3 under Share peer networks, with the interface displayed in step 2 as gateway.
                                     Setting routes only while the tunnel is established (route flag BLACKHOLE_IF_OFFLINE) is described under Step 4 for location A.
    Generate zones: No / Yes         Generates a new zone for the WireGuard port
    Generate network objects for peer: No / Yes   net-wg-peer-a
                                     When enabled, creates network objects (IPv4 and, if necessary, IPv6) for the remote terminal. The automatic suggestion can also be changed.
    Generate rules between peer and internal networks: No / Yes   Generates auto-generated rules that make commissioning easier.
                                     Note: It is essential to replace these rules with your own rules that allow only the necessary services with the necessary network objects.

    Fritzbox as remote terminal

    The following steps are a short description of the procedure. For a more detailed description, please consult the Wiki article WireGuard S2S with a Fritz!Box.
    If third-party hardware is used as the remote station, the following approach is recommended:
    1. Create a key pair for the Fritzbox (Authentication / Key)
    2. Export the public and private part of the key in .raw format
    3. Delete the key pair for the Fritzbox and re-import only the public part
    4. Add the WireGuard connection as described above
    5. Export the public key of the UTM in .raw format
    6. Complete the template below and add it to the Fritzbox under Internet / Shares / tab VPN / button Add VPN connection / option Import a WireGuard connection

        [Interface]
        PrivateKey = $PRIVATE_KEY_FRITZBOX
        ListenPort = $LISTENPORT_WIREGUARD_FRITZBOX
        Address = $LOCAL_IP_FRITZBOX/$NETMASK

        [Peer]
        PublicKey = $PUBLIC_KEY_UTM
        PresharedKey = $PRESHAREDKEY
        AllowedIPs = $NETWORK_UTM/$NETMASK
        Endpoint = $HOSTNAME_UTM:$LISTENPORT_WIREGUARD_UTM
        PersistentKeepalive = 1

    Note: Enabling the option Allow NetBIOS over this connection may solve problems, e.g. with SMB or TP.
    Short video: Configuration of a Fritzbox as remote terminal


    Widget

    There is a widget in the admin interface for the overview of WireGuard connections. Further information can be found in the Wiki article UTM Widget.



    Connection Rate Limit

    Throttling of access from certain source IPs to recurring ports

    Note: The function is still in the testing phase and will be further expanded.
    The function can initially only be configured via the CLI.

    The function aims to protect against attacks.
    SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

    From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
    The following conditions apply:

    • Only incoming connections for which a default route exists are monitored
    • The connections from an IP address to a port of the UTM are counted within one minute
    • When activated, 5 connections / connection attempts per minute are permitted. The connections are then limited:
      • The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
      • With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
      • 10 seconds after the first connection, 3 further connections could be established (each from the same IP address to the same destination port)
    • Blocking an IP address only affects access to the port that has been used too often. Other ports can still be accessed.
    • The function is activated by default for new installations with 20 UDP connections / minute on all ports
    • For updates the function must be activated manually

    extc variable                     Default   Description
    CONNECTION_RATE_LIMIT_TCP         0         Number of permitted TCP connections of an IP address per port.
                                                0 = function deactivated, no blocking is performed.
    CONNECTION_RATE_LIMIT_TCP_PORTS   (empty)   Ports to be monitored. Empty by default = all ports would be monitored (if activated).
                                                Individual ports are separated by spaces: [ 1194 1195 ]
    CONNECTION_RATE_LIMIT_UDP         20 / 0    Number of permitted UDP connections of an IP address per port.
                                                Default setting for new installations from v12.6.2: 20.
                                                For update installations the value is 0, so the function is deactivated.
    CONNECTION_RATE_LIMIT_UDP_PORTS   (empty)   Ports to be monitored. Empty by default = all ports are monitored (only for new installations!).
                                                Individual ports are separated by spaces: [ 1194 1195 ]
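The figures above (5 connections at once, one more every 3 seconds at a limit of 20 per minute, 3 more after 10 seconds, blocking per source IP and destination port) are exactly what a token bucket with a burst of 5 and a refill rate of limit/60 per second produces. The following simulation is an added example, not Securepoint's implementation, and that bucket model is an assumption chosen to reproduce the page's numbers; the configuration object mirrors the four extc variables, including the `[ 1194 1195 ]` port-list notation, and the connection attempts are a constructed sample. Class and function names are the example's own.

```python
from dataclasses import dataclass


@dataclass
class RateLimitConfig:
    """Mirror of the extc variables described above (values written as the CLI shows them)."""
    tcp_limit: int = 0        # CONNECTION_RATE_LIMIT_TCP, 0 = TCP not monitored
    tcp_ports: str = "[ ]"    # CONNECTION_RATE_LIMIT_TCP_PORTS, empty list = all ports
    udp_limit: int = 20       # CONNECTION_RATE_LIMIT_UDP (default for new installations)
    udp_ports: str = "[ ]"    # CONNECTION_RATE_LIMIT_UDP_PORTS
    burst: int = 5            # connections permitted at once before limiting starts (assumed model)


def parse_port_list(value: str) -> frozenset[int]:
    """Parse the '[ 443 11115 ]' notation of the *_PORTS variables; an empty list means all ports."""
    inner = value.strip()
    if not (inner.startswith("[") and inner.endswith("]")):
        raise ValueError(f"port list must be written as [ port port ... ], got {value!r}")
    ports = frozenset(int(tok) for tok in inner[1:-1].split())
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return ports


class ConnectionRateLimiter:
    """One token bucket per (protocol, source IP, destination port): starts with `burst`
    tokens, refills at limit/60 tokens per second, never exceeds `burst`. A connection
    attempt costs one token; without a token it is dropped. Other ports are unaffected."""

    def __init__(self, cfg: RateLimitConfig) -> None:
        self.cfg = cfg
        self._rules = {
            "tcp": (cfg.tcp_limit, parse_port_list(cfg.tcp_ports)),
            "udp": (cfg.udp_limit, parse_port_list(cfg.udp_ports)),
        }
        self._buckets: dict[tuple[str, str, int], tuple[float, float]] = {}

    def monitored(self, proto: str, dport: int) -> bool:
        limit, ports = self._rules[proto]
        return limit > 0 and (not ports or dport in ports)

    def allow(self, ts: float, proto: str, src: str, dport: int) -> bool:
        """True if a connection attempt at time ts (seconds) from src to proto/dport is permitted."""
        if not self.monitored(proto, dport):
            return True
        limit, _ = self._rules[proto]
        key = (proto, src, dport)
        tokens, last = self._buckets.get(key, (float(self.cfg.burst), ts))
        tokens = min(float(self.cfg.burst), tokens + (ts - last) * limit / 60.0)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, ts)
            return True
        self._buckets[key] = (tokens, ts)  # attempt is counted but the connection is dropped
        return False


# Constructed sample: (seconds, protocol, source IP, destination port) as the packet filter sees them.
SAMPLE_ATTEMPTS = (
    [(0.0, "udp", "203.0.113.10", 1194)] * 6        # burst of 6 to the first SSL-VPN port
    + [(10.0, "udp", "203.0.113.10", 1194)] * 4     # 4 more after 10 s
    + [(10.0, "udp", "203.0.113.10", 1195)]         # second monitored port: independent bucket
    + [(10.0, "udp", "203.0.113.10", 500)]          # port not in the list: not monitored
    + [(10.0, "tcp", "203.0.113.10", 443)] * 30     # TCP limit is 0: never monitored
)


def simulate(cfg: RateLimitConfig, attempts) -> list[bool]:
    """Run the attempts through one limiter and return the allow/drop decision for each."""
    limiter = ConnectionRateLimiter(cfg)
    return [limiter.allow(*attempt) for attempt in attempts]


if __name__ == "__main__":
    cfg = RateLimitConfig(udp_limit=20, udp_ports="[ 1194 1195 ]")
    for attempt, ok in zip(SAMPLE_ATTEMPTS, simulate(cfg, SAMPLE_ATTEMPTS)):
        print(attempt, "allowed" if ok else "DROPPED")
```

The simulation makes the consequence of an empty port list visible: with `udp_ports="[ ]"` the bucket for port 500 would be consulted as well, which is what the default of "all ports" on new installations means for any UDP service exposed on the UTM.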

    Configuration with CLI commands

    extc value get application securepoint_firewall
        (alternatively as root user: spcli extc value get application securepoint_firewall | grep RATE)
        Lists all variables of the securepoint_firewall application.
        The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit.

        application          |variable                       |value
        ---------------------+-------------------------------+-----
        securepoint_firewall |…                              |…
                             |CONNECTION_RATE_LIMIT_TCP      |0
                             |CONNECTION_RATE_LIMIT_TCP_PORTS|
                             |CONNECTION_RATE_LIMIT_UDP      |20
                             |CONNECTION_RATE_LIMIT_UDP_PORTS|

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    system update rule
        Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute.
        A change is applied directly by a rule update; the value must not be set to 0 first!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
    system update rule
        Deactivates the monitoring of TCP connections.

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    system update rule
        Restricts the monitoring of TCP connections to ports 443 and 11115.
        There must be spaces before and after the square brackets [ ]!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
    system update rule
        Empties the TCP port list again (all ports are monitored if the function is activated).
        There must be spaces before and after the square brackets [ ]!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    system update rule
        Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute.
        Default setting for new installations from v12.6.2: 20. For update installations the value is 0, so the function is deactivated.
        A change is applied directly by a rule update; the value must not be set to 0 first!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
    system update rule
        Deactivates the monitoring of UDP connections.

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
    system update rule
        Restricts the monitoring of UDP connections to ports 1194 and 1195 (example for 2 created SSL-VPN tunnels).
        There must be spaces before and after the square brackets [ ]!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule
        Empties the UDP port list again (all ports are monitored).
        There must be spaces before and after the square brackets [ ]!

    Complete example: allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115; for UDP, all ports are monitored.

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

    Note: Finally, the CLI command system update rule must be entered so that the values are applied in the rules.