mirror of
https://github.com/trailofbits/algo.git
synced 2025-04-16 22:27:20 +02:00
Consolidate firewall documentation (#1386)
parent d969b8e1b6
commit 4cb8c6dc22
6 changed files with 41 additions and 7 deletions
@ -96,9 +96,7 @@ For more, see [Scripted Deployment](deploy-from-ansible.md).
## Using the DigitalOcean firewall with Algo
Many cloud providers include the option to configure an external firewall between the Internet and your cloud server. For some providers this is mandatory and Algo will configure it for you, but for DigitalOcean the external firewall is optional.
An Algo VPN runs its own firewall and doesn't require an external firewall, but you might wish to use the DigitalOcean firewall for example to limit the addresses which can connect to your Algo VPN over SSH, or perhaps to block SSH altogether.
Many cloud providers include the option to configure an external firewall between the Internet and your cloud server. For some providers this is mandatory and Algo will configure it for you, but for DigitalOcean the external firewall is optional. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
To configure the DigitalOcean firewall, go to **Networking**, **Firewalls**, and choose **Create Firewall**.
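Review bot: the link on the added paragraph uses the repository-absolute path `/docs/firewalls.md`, while this file otherwise links relatively (the hunk header context shows `(deploy-from-ansible.md)`). Absolute `/docs/...` links resolve on github.com but break when the docs are read from a local checkout or rendered by another viewer; since both files live in `docs/`, `firewalls.md` is enough. The dropped paragraph about using the DigitalOcean firewall to restrict or block SSH now survives only in the new firewalls.md, which is fine as long as that page keeps the point (it does, in its last paragraph).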
@ -1,6 +1,6 @@
# Deploy from script or cloud-init
You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init or run the script directly on the server. The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](faq.md#what-inbound-ports-are-used), a floating ip address and other resources you may need.
You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init or run the script directly on the server. The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need.
## Cloud init deployment
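Review bot: same relative-versus-absolute link question on the changed line: the old target `faq.md#what-inbound-ports-are-used` was relative, the new `/docs/firewalls.md` is absolute; `firewalls.md` keeps the file consistent with itself. Since the line is being touched anyway, "floating ip address" should read "floating IP address", and "it's on your own to configure" reads better as "it's up to you to configure".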
@ -1,6 +1,6 @@
# Local deployment
You can use Algo to configure a local server as an Algo VPN rather than create and configure a new server on a cloud provider.
You can use Algo to configure a local server as an AlgoVPN rather than create and configure a new server on a cloud provider.
Install the Algo scripts on your server and follow the normal installation instructions, then choose:
```
@ -8,4 +8,6 @@ Install to existing Ubuntu 18.04 server (Advanced)
```
Make sure your server is running the operating system specified.
**PLEASE NOTE**: Algo is intended for use as a _dedicated_ VPN server. If you install Algo on an existing server, then any existing services might break. In particular, the firewall rules will be overwritten. If you don't want to overwrite the rules you must deploy via `ansible-playbook` and skip the `iptables` tag as described in [deploy-from-ansible.md](deploy-from-ansible.md), after which you'll need to implement the necessary rules yourself.
**PLEASE NOTE**: Algo is intended for use as a _dedicated_ VPN server. If you install Algo on an existing server, then any existing services might break. In particular, the firewall rules will be overwritten. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
If you don't want to overwrite the rules you must deploy via `ansible-playbook` and skip the `iptables` tag as described in [deploy-from-ansible.md](deploy-from-ansible.md), after which you'll need to implement the necessary rules yourself.
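Review bot: inserting "See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information." between "the firewall rules will be overwritten" and the now-separate paragraph "If you don't want to overwrite the rules you must deploy via `ansible-playbook` and skip the `iptables` tag" splits one thought in two; the cross-reference reads more naturally at the end of that second paragraph. More importantly, the page this points to (firewalls.md, added in this same patch) never mentions the `ansible-playbook` / skip-the-`iptables`-tag route, so a reader who follows the link before reading on loses the one option for keeping their own rules; either keep the two sentences together here or carry that option into firewalls.md. The link should also be relative (`firewalls.md`), matching `(deploy-from-ansible.md)` on the next line.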
@ -74,4 +74,4 @@ No.
## What inbound ports are used?
You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server.
You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
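Review bot: this answer now duplicates the port table that firewalls.md introduces, and two copies will drift: the table ties 51820/UDP to `wireguard_port`, which is configurable in `config.cfg`, while this sentence states 51820 as fixed and says nothing about ports that can be dropped when IPsec or WireGuard is disabled. Since the answer already ends with a pointer to firewalls.md, consider reducing it to the pointer, or at least qualify 51820 as the default. Naming is also inconsistent within the patch: local-deployment.md is changed from "Algo VPN" to "AlgoVPN", but this line keeps "your Algo server".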
docs/firewalls.md (new file, 34 lines)
@ -0,0 +1,34 @@
# AlgoVPN and Firewalls
Your AlgoVPN requires properly configured firewalls. The key points to know are:
* If you deploy to a **cloud** provider all firewall configuration will done automatically.
* If you perform a **local** installation on an existing server you are responsible for configuring any external firewalls. You must also take care not to interfere with the server firewall configuration of the AlgoVPN.
## The Two Types of Firewall

### Server Firewall
During installation Algo configures the Linux [Netfilter](https://en.wikipedia.org/wiki/Netfilter) firewall on the server. The rules added are required for AlgoVPN to work properly. The package `netfilter-persistent` is used to load the IPv4 and IPv6 rules files that Algo generates and stores in `/etc/iptables`. The rules for IPv6 are only generated if the server appears to be properly configured for IPv6. The use of conflicting firewall packages on the server such as `ufw` will likely break AlgoVPN.
### External Firewall
Most cloud service providers offer a firewall that sits between the Internet and your AlgoVPN. With some providers (such as EC2, Lightsail, and GCE) this firewall is required and is configured by Algo during a **cloud** deployment. If the firewall is not required by the provider then Algo does not configure it.
External firewalls are not configured when performing a **local** installation, even when using a server from a cloud service provider.
Any external firewall must be configured to pass the following incoming ports over IPv4 :
Port | Protocol | Description | Related variables in `config.cfg`
---- | -------- | ----------- | ---------------------------------
22 | TCP | Secure Shell (SSH) | None
500 | UDP | IPsec IKEv2 | `ipsec_enabled`
4500 | UDP | IPsec NAT-T | `ipsec_enabled`
51820 | UDP | WireGuard | `wireguard_enabled`, `wireguard_port`
If you have chosen to disable either IPsec or WireGuard in `config.cfg` before running `./algo` then the corresponding ports don't need to pass through the firewall. SSH is used when performing a **cloud** deployment and when subsequently modifying the list of VPN users by running `./algo update-users`.
Even when not required by the cloud service provider, you still might wish to use an external firewall to limit SSH access to your AlgoVPN to connections from certain IP addresses, or perhaps to block SSH access altogether if you don't need it. Every service provider firewall is different so refer to the provider's documentation for more information.
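Review bot: typo in the first bullet of the new page: "all firewall configuration will done automatically" is missing "be". The External Firewall section then lists the inbound ports "over IPv4 :" (stray space before the colon), yet the Server Firewall section says Algo also generates IPv6 rules when the server is properly configured for IPv6; the page should say whether the same four ports must be opened for IPv6 on the external firewall, otherwise IPv6 clients are left to guess. The image link `/docs/images/firewalls.png` has the same absolute-path problem as the other hunks (`images/firewalls.png` is enough from `docs/`). Since this page is meant to be the consolidated reference, it should also carry the `ansible-playbook` / skip-the-`iptables`-tag option that local-deployment.md still describes, and the 22/TCP row could state what the closing paragraph implies: SSH only needs to be reachable from the host you run `./algo` and `./algo update-users` from, so restricting it to that source address is the recommended setting rather than an afterthought.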
docs/images/firewalls.png (new binary file)
Binary file not shown.
Size: 113 KiB