@jbrodriguez
Last active December 10, 2021 16:37
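#!/bin/vbash
# VyOS router bootstrap: DHCP WAN on eth0, NAT'd LAN on eth1, an OpenVPN
# road-warrior server, DHCP + DNS forwarding for the LAN, egress QoS and
# DuckDNS dynamic DNS.
#
# Usage: fill in every value in the CONFIG section (all <placeholders> must
# go), then run the script on the router. It enters configure mode, applies
# the whole configuration, commits it and saves it to /config/config.boot.
#
# Shell notes: /opt/vyatta/etc/functions/script-template provides `set`,
# `delete`, `commit` and `save` as config-mode wrappers, so once it is
# sourced `set -e` would be a config command, not a shell option. All input
# checking therefore happens before the template is sourced.

# CONFIG ----------------------------------------------------------------
wan=dhcp
lan=192.168.1.1
lan_segment=192.168.1.0
vpn_segment=192.168.5.0
domain=apertoire.org
lease_start=192.168.1.200
lease_stop=192.168.1.245
workstation_ip=192.168.1.10
# Site-specific values. They are quoted because an unquoted <placeholder>
# is shell redirection syntax; the check below refuses to run until every
# one of them has been replaced.
hostname='<hostname>'
timezone='<timezone>'
ntp_zone='<zone>'                          # e.g. "us" -> us.pool.ntp.org
router_cert='<router>'                     # /config/auth/<router>.cert.pem + .key.pem
workstation='<some-workstation>'           # DHCP static-mapping name
workstation_mac='<some-workstation mac address>'
workstation_fqdn='<some-workstation.local>'
ddns_hostname='<registered hostname>'
# SECURITY: a real secret. `save` persists it in clear text in
# /config/config.boot; keep this script out of version control and
# mode 0600 while it holds the value.
ddns_password='<duckdns api code>'
# -----------------------------------------------------------------------

# Abort before touching the config session if any placeholder survived:
# otherwise the script would enter configure mode, apply part of the
# configuration and die on a shell syntax error half way through.
for var in hostname timezone ntp_zone router_cert workstation \
           workstation_mac workstation_fqdn ddns_hostname ddns_password; do
  case "${!var}" in
    ''|*'<'*|*'>'*)
      printf 'CONFIG: %s is still a <placeholder>; edit the CONFIG section\n' "$var" >&2
      exit 1
      ;;
  esac
done

# The OpenVPN commit fails if any of its PKI files is missing; say so up
# front instead of after the rest of the session has been built.
for f in "/config/auth/$router_cert.cert.pem" \
         "/config/auth/$router_cert.key.pem" \
         /config/auth/ca-chain.cert.pem \
         /config/auth/dh2048.pem; do
  if [ ! -e "$f" ]; then
    printf 'missing OpenVPN file: %s\n' "$f" >&2
    exit 1
  fi
done

source /opt/vyatta/etc/functions/script-template
configure

# Fix for error "INIT: Id "TO" respawning too fast: disabled for 5 minutes"
delete system console device ttyS0

# System configuration ----------------------------------------------------
set system host-name "$hostname"
set system time-zone "$timezone"
# NTP: two servers from the configured zone plus a global fallback.
set system ntp server "$ntp_zone.pool.ntp.org"
set system ntp server "1.$ntp_zone.pool.ntp.org"
set system ntp server 2.pool.ntp.org

# Kernel-level firewall hardening -----------------------------------------
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects disable
# Reverse-path filtering is OFF (kept as originally written). On a
# single-WAN router with no asymmetric routing, `strict` (or at least
# `loose`) drops packets with spoofed source addresses; switch it on once
# you have confirmed the LAN and VPN paths are symmetric.
set firewall source-validation disable
set firewall syn-cookies enable

# Interfaces --------------------------------------------------------------
set interfaces ethernet eth0 address "$wan"
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 address "$lan/24"
set interfaces ethernet eth1 description LAN

# OpenVPN road-warrior server ---------------------------------------------
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet "$vpn_segment/24"
set interfaces openvpn vtun0 server name-server "$lan"
set interfaces openvpn vtun0 server domain-name "$domain"
set interfaces openvpn vtun0 server push-route "$lan_segment/24"
set interfaces openvpn vtun0 tls cert-file "/config/auth/$router_cert.cert.pem"
set interfaces openvpn vtun0 tls key-file "/config/auth/$router_cert.key.pem"
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca-chain.cert.pem
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
# SECURITY: comp-lzo compresses tunnelled traffic, which is what
# VORACLE-style compression-oracle attacks rely on. It is kept because
# existing client profiles expect it; dropping it from both server and
# client configuration is the safer choice.
set interfaces openvpn vtun0 openvpn-option 'comp-lzo'
# NOTE: no firewall is attached to vtun0, so an authenticated VPN client
# reaches the whole LAN and the router itself. Attach `firewall in` /
# `firewall local` rulesets to vtun0 if road warriors should get less.

# SSH for remote management -----------------------------------------------
# Only reachable from LAN/VPN: TO-ROUTER (below) has no rule for port 22
# on the WAN side. Once a public key is installed for the login user,
# uncomment the second line to turn off password logins.
set service ssh port 22
# set service ssh disable-password-authentication

# Source NAT for the LAN --------------------------------------------------
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address "$lan_segment/24"
set nat source rule 100 translation address masquerade

# DHCP server for the LAN -------------------------------------------------
dhcp=(service dhcp-server shared-network-name LAN_POOL subnet "$lan_segment/24")
set service dhcp-server disabled 'false'
set "${dhcp[@]}" default-router "$lan"
set "${dhcp[@]}" dns-server "$lan"
set "${dhcp[@]}" domain-name "$domain"
set "${dhcp[@]}" lease 604800   # seconds: one week
set "${dhcp[@]}" start "$lease_start" stop "$lease_stop"
set "${dhcp[@]}" static-mapping "$workstation" ip-address "$workstation_ip"
set "${dhcp[@]}" static-mapping "$workstation" mac-address "$workstation_mac"

# Upstream resolvers (Google public DNS) ----------------------------------
set system name-server '8.8.4.4'
set system name-server '8.8.8.8'
# DNS forwarder: listens on the LAN and VPN sides only, never on eth0, so
# the router is not an open resolver.
set service dns forwarding cache-size '2048'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding name-server '8.8.8.8'
# listen on vtun0 to provide dns resolution to openvpn clients
set service dns forwarding listen-on vtun0

# Static DNS mappings -----------------------------------------------------
set system static-host-mapping host-name "$workstation_fqdn"
set system static-host-mapping host-name "$workstation_fqdn" alias "$workstation"
set system static-host-mapping host-name "$workstation_fqdn" inet "$workstation_ip"

# Firewall rulesets -------------------------------------------------------
# Forwarded traffic arriving on the WAN: only replies to connections that
# originated inside.
set firewall name FROM-EXTERNAL default-action drop
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
# Traffic addressed to the router itself on the WAN: replies, ICMP echo
# (the router answers pings from the internet by design) and OpenVPN.
set firewall name TO-ROUTER default-action drop
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 icmp type-name 'echo-request'
set firewall name TO-ROUTER rule 20 protocol 'icmp'
set firewall name TO-ROUTER rule 20 state new 'enable'
# OpenVPN; uncomment the log line while debugging client connectivity.
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 destination port 1194
set firewall name TO-ROUTER rule 30 protocol udp
# set firewall name TO-ROUTER rule 30 log enable
# Traffic within the LAN
set firewall name LAN-TO-LAN default-action 'accept'
# NOTE(review): these rulesets are IPv4 only. eth0 is configured for DHCPv4
# only here, so no IPv6 is expected on the WAN; if the ISP ever delivers
# IPv6, add matching `firewall ipv6-name` rulesets before enabling it.

# Apply the firewall rulesets
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER
set interfaces ethernet eth1 firewall in name LAN-TO-LAN

# QoS ---------------------------------------------------------------------
# Egress shaper on the LAN side (i.e. download direction), 20 Mbit total.
set traffic-policy shaper EGRESS_QOS bandwidth '20Mbit'
# default lane: everything not matched below
set traffic-policy shaper EGRESS_QOS default bandwidth '70%'
set traffic-policy shaper EGRESS_QOS default burst '2kb'
set traffic-policy shaper EGRESS_QOS default ceiling '100%'
set traffic-policy shaper EGRESS_QOS default priority 3
set traffic-policy shaper EGRESS_QOS default queue-type 'fq-codel'
# high-priority lane: icmp and dns (the ssh match is left disabled)
set traffic-policy shaper EGRESS_QOS class 10 bandwidth 10%
set traffic-policy shaper EGRESS_QOS class 10 burst '2kb'
set traffic-policy shaper EGRESS_QOS class 10 ceiling 100%
set traffic-policy shaper EGRESS_QOS class 10 priority 5
set traffic-policy shaper EGRESS_QOS class 10 queue-type 'fq-codel'
set traffic-policy shaper EGRESS_QOS class 10 match icmp ip protocol icmp
# set traffic-policy shaper EGRESS_QOS class 10 match ssh ip source port 22
set traffic-policy shaper EGRESS_QOS class 10 match dns ip source port 53
# low-priority lane: usenet traffic
set traffic-policy shaper EGRESS_QOS class 20 bandwidth '20%'
set traffic-policy shaper EGRESS_QOS class 20 burst '2kb'
set traffic-policy shaper EGRESS_QOS class 20 ceiling '100%'
set traffic-policy shaper EGRESS_QOS class 20 priority 1
# these rules restrict the policy to a given ip/port source. change cidr notation as appropriate
# note that 22.22.22.22 is just an example
set traffic-policy shaper EGRESS_QOS class 20 match NNTPS ip source address 22.22.22.22/32
set traffic-policy shaper EGRESS_QOS class 20 match NNTPS ip source port 443
set traffic-policy shaper EGRESS_QOS class 20 queue-type 'fq-codel'
set interfaces ethernet eth1 traffic-policy out EGRESS_QOS

# Dynamic DNS (DuckDNS) ---------------------------------------------------
# login is a fixed dummy value; the DuckDNS token goes in `password`.
# NOTE(review): confirm the underlying ddclient update is sent over HTTPS
# before trusting this path with the token.
set service dns dynamic interface eth0 service duckdns protocol dyndns2
set service dns dynamic interface eth0 service duckdns server www.duckdns.org
set service dns dynamic interface eth0 service duckdns login dummy
set service dns dynamic interface eth0 service duckdns password "$ddns_password"
set service dns dynamic interface eth0 service duckdns host-name "$ddns_hostname"

# Commit, then persist to /config/config.boot only if the commit passed
# validation (a failed commit returns non-zero; saving then would only
# rewrite the previous running configuration).
if commit; then
  save
else
  printf 'commit failed: configuration not saved; fix the error and rerun\n' >&2
fi
# Leave configure mode.
exit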
@jbrodriguez

This is a sample vyos firewall configuration.

Features

  • Drop any incoming traffic from the WAN by default (the only exceptions are ICMP echo requests and OpenVPN on UDP 1194)
  • DHCP from ISP (WAN, ethernet eth0)
  • NAT for the local network (LAN, ethernet eth1, set to 192.168.1.0/24)
  • NTP synchronization
  • OpenVPN (road warrior) access
  • DHCP server for the local network, including sample static mappings for workstations
  • DNS forwarder
  • Sample static mappings for workstations (you can, for example, ping <your-workstation>)
  • SSH access to the router (from the local network or the VPN only; it is not opened on the WAN interface)
  • DDNS setup (duckdns provider)
  • QOS setup, with 3 traffic 'lanes' (each 'lane' will use up all the bandwidth, if there's no other traffic on the ISP connection):
    • High Priority: dns and icmp (the ssh match is present in the script but commented out)
    • Medium Priority: all traffic
    • Low Priority: usenet traffic (by specifying the usenet provider you connect to)

@tjharman

Lovely, thanks!
