VPN VyOS setup

VPN VyOS

VyOS is a fully open source network OS that runs on a wide range of hardware, virtual machines, and cloud providers and offers features for any networks, small and large.

VyOS on AWS

Setup VyOS

  • Launch instance with community AMI - VyOS (HVM) 1.x.x

  • Customize the setup script

    #!/bin/bash
    source /opt/vyatta/etc/functions/script-template
    
    AWS_PRIVATE_IP=10.104.16.128
    AWS_PUBLIC_IP=13.14.15.16
    AWS_NAT_SUBNET=10.104.0.0/16
    REMOTE_NAT_IP=127.17.12.172
    REMOTE_VPN_SUBNET=146.164.46.0/24
    REMOTE_1ST_VPN_IP=202.22.20.2
    # REMOTE_2ND_VPN_IP=202.22.2.20 # redundant connection not currently used
    REMOTE_PRE_SHARED_KEY=Your_Remote_Key
    
    # begin configuration
    configure
    
    # input settings using set
    set system host-name vyos-vpn
    
    # setting up NAT
    set interfaces ethernet eth0 description 'aws-internal'
    # create dummy ethernet device to represent REMOTE-provided private IP
    set interfaces dummy dum0 address ${REMOTE_NAT_IP}/32
    set interfaces dummy dum0 description 'remote-vpn-ip'
    # configure SNAT
    set nat source rule 100 description 'Internal to REMOTE'
    set nat source rule 100 destination address ${REMOTE_VPN_SUBNET}
    set nat source rule 100 outbound-interface 'any'
    set nat source rule 100 source address ${AWS_NAT_SUBNET}
    set nat source rule 100 translation address ${REMOTE_NAT_IP}
    
    # setting up VPN
    # set primary ethernet interface as the VPN interface
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec logging log-modes 'all' 
    # esp-group
    set vpn ipsec esp-group vpn-nat-esp compression 'disable'
    set vpn ipsec esp-group vpn-nat-esp lifetime '28800'
    set vpn ipsec esp-group vpn-nat-esp mode 'tunnel'
    set vpn ipsec esp-group vpn-nat-esp pfs 'dh-group2'
    set vpn ipsec esp-group vpn-nat-esp proposal 1 encryption 'aes256'
    set vpn ipsec esp-group vpn-nat-esp proposal 1 hash 'sha1'
    # ike-group
    set vpn ipsec ike-group vpn-nat-ike ikev2-reauth 'no'
    set vpn ipsec ike-group vpn-nat-ike key-exchange 'ikev1'
    set vpn ipsec ike-group vpn-nat-ike lifetime '28800'
    set vpn ipsec ike-group vpn-nat-ike proposal 1 encryption 'aes256'
    set vpn ipsec ike-group vpn-nat-ike proposal 1 hash 'sha512'
    set vpn ipsec ike-group vpn-nat-ike proposal 1 dh-group '5'
    set vpn ipsec ike-group vpn-nat-ike dead-peer-detection action 'restart'
    set vpn ipsec ike-group vpn-nat-ike dead-peer-detection interval '30'
    set vpn ipsec ike-group vpn-nat-ike dead-peer-detection timeout '30'
    # site-to-site peer
    edit vpn ipsec site-to-site peer ${REMOTE_NSW_VPN_IP}
    set authentication mode 'pre-shared-secret'
    set authentication pre-shared-secret ${REMOTE_PRE_SHARED_KEY} 
    set authentication id ${AWS_PUBLIC_IP}
    set connection-type 'initiate'
    set default-esp-group 'vpn-nat-esp'
    set ike-group 'vpn-nat-ike'
    set ikev2-reauth 'inherit'
    set local-address ${AWS_PRIVATE_IP}
    set tunnel 0 local prefix ${REMOTE_NAT_IP}/32
    set tunnel 0 remote prefix ${REMOTE_VPN_SUBNET}
    
    # commit command applies changes to VyOS device
    commit
    # save configuration to machine
    save
    # exit configuration mode
    exit
    # check status of VPN tunnel
    show vpn ipsec sa
    # commands to check VPN status/logs/information:
    
    # monitor vpn ipsec
    # show vpn debug
    # show log vpn ipsec
    
    

Update VyOS config

  • Manual update the key Your_Remote_Key or remote IP, e.g. 202.22.20.2

    interfaces {
    dummy dum0 {
        address 127.17.12.172/32
        address 172.17.130.96/32
        description remote-vpn-ip
    }
    ethernet eth0 {
        address dhcp
        description aws-internal
        duplex auto
        hw-id 06:73:3f:28:dd:68
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    }
    nat {
    source {
        rule 100 {
            description "Internal to REMOTE"
            destination {
                address 146.164.46.0/24
            }
            outbound-interface any
            source {
                address 10.104.0.0/16
            }
            translation {
                address 127.17.12.172
            }
        }
    }
    }
    service {
    ssh {
        disable-password-authentication
        port 22
    }
    }
    system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos-vpn
    login {
        user vyos {
            authentication {
                encrypted-password "*"
                plaintext-password ""
                public-keys aws.vpn.vyos.key.io-bd:dc:ae:d6:28:b3:5f:5b:2e:43:6f:31:b8:b3:a0:58 {
                    key AAAA1234SDjsfwfsfowerudhfhdGV/V1OEqvlpeTM49TyYmGBXzq/6262fsdfyhSOHND+USFHSDGF056nvz+ilB5HcCl/+FUig3sONKKWElxK8O/oUEurERsif+IJynsdfuyhn7ndhfdfhjlshdlfhGA+Z30knWV2QDRiID52U60YijvG4wEWwOf1xEOisccbH+09fdhfbdbfHSF/3Pt0b0uafoySi5yhCX6iuhjavl5p/Rsidfysd534sdfGHdpofygeylsdgflshsFGVNSUDF/rnpludfEqjJe/75TU026vD7A7dNn816iLVnsK+NsjrT8OtXUyGzy403
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    }
    vpn {
    ipsec {
        esp-group vpn-nat-esp {
            compression disable
            lifetime 28800
            mode tunnel
            pfs dh-group14
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group vpn-nat-ike {
            dead-peer-detection {
                action restart
                interval 30
                timeout 30
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-modes all
        }
        nat-traversal enable
        site-to-site {
            peer 202.22.20.2 {
                authentication {
                    id 13.14.15.16
                    mode pre-shared-secret
                    pre-shared-secret Your_Remote_Key
                }
                connection-type initiate
                default-esp-group vpn-nat-esp
                ike-group vpn-nat-ike
                ikev2-reauth inherit
                local-address 10.104.16.128
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 127.17.12.172/32
                    }
                    remote {
                        prefix 146.164.46.0/24
                    }
                }
            }
        }
    }
    }
    
  • Reboot the VyOS

    _vyatta_op_run reboot