In this howto, I will set up a VPN between a VyOS gateway and an OpenVPN server running on a Scaleway instance (the Scaleway OpenVPN image). The purpose is to hide my entire network behind a Scaleway IP address: every host on the LAN reaches the Internet through the tunnel, so the only source address the outside world sees is the one of the Scaleway instance.
Launch the OpenVPN image on a C1 instance with a public IP address.
The OpenVPN server certificates take some time to be fully generated. We can check progress with scw-ovpn status:
# scw-ovpn status
Your server is done configuring !
You can now start using it.
We then need to create our client certificate (the name given here is the name of the .crt/.key pair used on VyOS below):
# scw-ovpn create my_client
Server and client certificates are located in /etc/openvpn/easy-rsa/keys,
and the .ovpn profile can be downloaded by running scw-ovpn serve my_client
The VyOS configuration is fairly simple:
- eth0 is the WAN interface
- eth1 is the LAN interface
- the LAN network (10.0.0.0/24) is NATed through the OpenVPN tunnel, and the tunnel becomes the default route
Here is the configuration:
# interfaces setup
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '10.0.0.254/24'
# dhcp server for LAN network
set service dhcp-server shared-network-name dhcp authoritative 'enable'
set service dhcp-server shared-network-name dhcp subnet 10.0.0.0/24 default-router '10.0.0.254'
set service dhcp-server shared-network-name dhcp subnet 10.0.0.0/24 dns-server '10.0.0.254'
set service dhcp-server shared-network-name dhcp subnet 10.0.0.0/24 lease '3600'
set service dhcp-server shared-network-name dhcp subnet 10.0.0.0/24 start 10.0.0.1 stop '10.0.0.10'
# dns forwarding server for LAN network
set service dns forwarding cache-size '150'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '9.9.9.9'
# OPENVPN client configuration
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 hash 'sha256'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option 'remote-cert-tls server'
# tls-auth direction is 1 on the client (the server side uses 0); it must
# match key-direction below, otherwise whichever option OpenVPN reads last wins
set interfaces openvpn vtun0 openvpn-option 'tls-auth /config/auth/ovpn/tls-auth.key 1'
set interfaces openvpn vtun0 openvpn-option 'tls-version-min 1.2'
set interfaces openvpn vtun0 openvpn-option 'key-direction 1'
set interfaces openvpn vtun0 remote-host '51.15.XX.XX'
set interfaces openvpn vtun0 'replace-default-route'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/my_client.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/my_client.key'
# Source nat rule
set nat source rule 100 outbound-interface 'vtun0'
set nat source rule 100 source address '10.0.0.0/24'
set nat source rule 100 translation address 'masquerade'
The OpenVPN client configuration needs some tweaking to work with the Scaleway OpenVPN server (see the openvpn-option lines: remote-cert-tls server so the client only accepts a certificate issued for a server, tls-auth with the shared HMAC key, and a TLS floor of 1.2). We also need to copy the authentication files onto VyOS by hand, from the /etc/openvpn/easy-rsa/keys directory on the Scaleway server:
# On vyos :
sudo mkdir /config/auth/ovpn/
Then copy the following files from the Scaleway server to VyOS:
- scaleway:/etc/openvpn/easy-rsa/keys/ca.crt        -> vyos:/config/auth/ovpn/ca.crt
- scaleway:/etc/openvpn/easy-rsa/keys/my_client.crt -> vyos:/config/auth/ovpn/my_client.crt
- scaleway:/etc/openvpn/easy-rsa/keys/my_client.key -> vyos:/config/auth/ovpn/my_client.key
- scaleway:/etc/openvpn/easy-rsa/keys/ta.key        -> vyos:/config/auth/ovpn/tls-auth.key
The client private key and the tls-auth key are secrets: make them readable by root only on VyOS, and do not leave copies lying around on the machine used to transfer them.
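As an added example (not part of the original howto and not a VyOS tool), the following Python script parses `set` command lines like the ones above and checks the points that make or break this setup: client mode, remote-cert-tls server, a consistent tls-auth direction, tls-version-min, a non-weak cipher, the replaced default route, a masquerade rule for the LAN on vtun0, and a DNS forwarder that listens on the LAN side only. The embedded configuration is a constructed copy of the one above that deliberately keeps tls-auth direction 0 next to key-direction 1, so the output shows what the direction check reports; the interface and network names are the howto's (vtun0, eth1, 10.0.0.0/24) and are parameters of the check function.

```python
"""Sanity checks for a VyOS OpenVPN client configuration (added example).

Feed it the output of `show configuration commands`; every line is split with
shell quoting rules, the last token is taken as the value and the rest as the
path, which is enough to query the leaves this check cares about.
"""
import shlex

# Constructed sample based on the howto's config, with the original tls-auth
# direction 0 kept next to key-direction 1 so the direction check fires.
SAMPLE_CONFIG = """
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '10.0.0.254/24'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '9.9.9.9'
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 hash 'sha256'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option 'remote-cert-tls server'
set interfaces openvpn vtun0 openvpn-option 'tls-auth /config/auth/ovpn/tls-auth.key 0'
set interfaces openvpn vtun0 openvpn-option 'tls-version-min 1.2'
set interfaces openvpn vtun0 openvpn-option 'key-direction 1'
set interfaces openvpn vtun0 remote-host '51.15.XX.XX'
set interfaces openvpn vtun0 'replace-default-route'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/my_client.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/my_client.key'
set nat source rule 100 outbound-interface 'vtun0'
set nat source rule 100 source address '10.0.0.0/24'
set nat source rule 100 translation address 'masquerade'
"""

WEAK_CIPHERS = {"des", "3des", "bf128", "bf256"}


def parse_set_commands(text):
    """Map {path tuple: [value, ...]}; repeated leaves such as name-server
    accumulate, and valueless nodes ('replace-default-route') become a value
    under their parent path."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line)[1:]
        cfg.setdefault(tuple(tokens[:-1]), []).append(tokens[-1])
    return cfg


def check_openvpn_client(cfg, vtun="vtun0", lan_if="eth1", lan_net="10.0.0.0/24"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    base = ("interfaces", "openvpn", vtun)
    if cfg.get(base + ("mode",)) != ["client"]:
        findings.append(f"{vtun} is not in client mode")

    # Raw OpenVPN options, keyed by option name.
    opts = {}
    for raw in cfg.get(base + ("openvpn-option",), []):
        name, *args = raw.split()
        opts[name] = args

    # Without this, any certificate from the same CA (another client's, say)
    # would be accepted as the server's.
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server'")

    # The server conventionally uses direction 0, so the client must use 1.
    # The direction can sit on tls-auth itself or on key-direction; when both
    # are present and differ, the one OpenVPN reads last wins.
    if "tls-auth" in opts:
        inline = opts["tls-auth"][1] if len(opts["tls-auth"]) > 1 else None
        separate = opts.get("key-direction", [None])[0]
        if inline is not None and separate is not None and inline != separate:
            findings.append(f"tls-auth direction {inline} conflicts with "
                            f"key-direction {separate}; use 1 in both places")
        elif (inline or separate) not in ("1", None):
            findings.append("tls-auth direction should be 1 on the client")
        elif inline is None and separate is None:
            findings.append("tls-auth has no direction; add key-direction 1")
    else:
        findings.append("no tls-auth: control channel is not HMAC-protected")

    tv = opts.get("tls-version-min")
    if tv is None or float(tv[0]) < 1.2:
        findings.append("tls-version-min is absent or below 1.2")
    if cfg.get(base + ("encryption",), ["(default)"])[0] in WEAK_CIPHERS:
        findings.append("weak data-channel cipher")

    # All LAN traffic must leave via the tunnel: replaced default route plus a
    # masquerade rule for the LAN on the tunnel interface.
    if "replace-default-route" not in cfg.get(base, []):
        findings.append("replace-default-route not set; LAN traffic bypasses the tunnel")
    masq_ok = False
    for path, vals in cfg.items():
        if path[:3] == ("nat", "source", "rule") and path[4:] == ("outbound-interface",):
            rule = path[:4]
            if (vals == [vtun]
                    and cfg.get(rule + ("source", "address")) == [lan_net]
                    and cfg.get(rule + ("translation", "address")) == ["masquerade"]):
                masq_ok = True
    if not masq_ok:
        findings.append(f"no masquerade rule for {lan_net} out of {vtun}")

    # The forwarder must only answer the LAN; listening on the WAN side makes
    # the gateway an open resolver.
    extra = set(cfg.get(("service", "dns", "forwarding", "listen-on"), [])) - {lan_if}
    if extra:
        findings.append(f"dns forwarding also listens on {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for finding in check_openvpn_client(parse_set_commands(SAMPLE_CONFIG)):
        print("WARN:", finding)
```

Run on the sample it reports only the tls-auth/key-direction conflict; with direction 1 in both places it reports nothing. The check is deliberately narrow and does not replace reading the OpenVPN log after `commit`: a wrong tls-auth direction shows up there as HMAC authentication failures rather than as a config error.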
This VPN setup hasn't been tested against DNS leaks or other privacy leaks. One thing worth checking is whether the forwarder's upstream queries to 8.8.8.8 and 9.9.9.9 actually leave through vtun0 rather than eth0: they follow the routing table, so this depends on the replaced default route being in place whenever the tunnel is up. This howto is more of a memo and needs improvement.