VyOS - Router, Firewall, IPsec Site-To-Site, BGP, IPsec Remote Access

Configuration steps for a VyOS-based router and firewall that replaced my pfSense box in a home environment.

Basic Configuration

This configuration was performed using a serial connection, with the old router still active. All infrastructure is bare metal.

Disclaimer: I have no networking background and no prior experience with VyOS.

Description | IP/Subnet        | Interface | Domain
----------- | ---------------- | --------- | ---------------
WAN         | 172.16.172.16/22 | eth0      | example.net
LAN         | 10.16.10.1/24    | eth1      | lan.example.net

System

set system host-name gateway
set system time-zone Europe/Bucharest

delete service ntp server

set service ntp allow-client address '10.16.10.0/24'
set service ntp server 0.pool.ntp.org
set service ntp server 1.pool.ntp.org
set service ntp server 2.pool.ntp.org
set service ntp server 3.pool.ntp.org

set system static-host-mapping host-name example.net inet 172.16.172.16

commit; save

LAN

With the new router connected to my network only, I continued with LAN and Firewall configuration. During this time, LAN interface and SSH were configured with a temporary IP which I changed to the one below when I was ready to replace the old router.

Configure subnet and address

set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 address '10.16.10.1/24'

commit; save

Configure SSH

set service ssh listen-address '10.16.10.1'
set service ssh port '22'
set service ssh disable-password-authentication

commit; save

restart ssh

Create an admin user and remove the default user

The password is typed in clear here but is stored as a hash once committed; if the clear text must not pass through the shell history, use encrypted-password with a pre-computed hash instead.

set system login user admin authentication plaintext-password 'login password for admin'

set system login user admin authentication public-keys p7cq type ssh-ed25519
set system login user admin authentication public-keys p7cq key AAAA...

commit; save

Test SSH access with admin user then remove the default user.

delete system login user vyos

commit; save

Configure DHCP relay

I use an existing DHCP server, available at 10.16.10.4.

A relay is only needed when clients and server sit on different subnets; a server on the LAN segment itself answers client broadcasts directly.

set service dhcp-relay listen-interface eth1
set service dhcp-relay upstream-interface eth1
set service dhcp-relay server 10.16.10.4
set service dhcp-relay relay-options relay-agents-packets discard

commit; save

If VyOS should serve DHCP itself instead of relaying:

set service dhcp-server shared-network-name LAN subnet 10.16.10.0/24 subnet-id 2
set service dhcp-server shared-network-name LAN subnet 10.16.10.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 10.16.10.0/24 range 0 start '10.16.10.200'
set service dhcp-server shared-network-name LAN subnet 10.16.10.0/24 range 0 stop '10.16.10.250'
set service dhcp-server shared-network-name LAN subnet 10.16.10.0/24 option default-router '10.16.10.1'
set service dhcp-server shared-network-name LAN subnet 10.16.10.0/24 option domain-name 'lan.example.net'
set service dhcp-server shared-network-name LAN subnet 10.16.10.0/24 option name-server '10.16.10.3'
set service dhcp-server shared-network-name LAN subnet 10.16.10.0/24 option name-server '10.16.10.2'

commit; save

Configure Source NAT

set nat source rule 10 outbound-interface name eth0
set nat source rule 10 source address '10.16.10.0/24'
set nat source rule 10 translation address masquerade
set nat source rule 10 description 'NAT source address for all traffic leaving WAN'

commit; save

Configure DNS

I use existing DNS servers.

set system domain-search lan.example.net
set system name-server 10.16.10.3
set system name-server 10.16.10.2

commit; save

Firewall

The following will configure a minimal zone-based firewall.

Notes:

  • An interface can be a member of only one zone
  • Traffic between interfaces in the same zone is permitted
  • Traffic between zones is allowed only by a ruleset for that direction; without one, the destination zone's default-action (drop here) applies
  • Traffic cannot flow between a zone member interface and an interface that belongs to no zone
  • Each pair of zones therefore needs two rulesets, one per direction

Zones:

Name     | Interface  | Description
-------- | ---------- | ---------------
WAN      | eth0       | Internet
FIREWALL | local-zone | This firewall
LAN      | eth1       | Private network

Firewalls:

  • WAN-LAN
  • WAN-FIREWALL
  • FIREWALL-WAN
  • FIREWALL-LAN
  • LAN-WAN
  • LAN-FIREWALL

set firewall ipv4 name WAN-FIREWALL default-action drop
set firewall ipv4 name WAN-FIREWALL description 'Block unsolicited traffic, allow ping'
set firewall ipv4 name WAN-FIREWALL rule 10 action accept
set firewall ipv4 name WAN-FIREWALL rule 10 state 'established'
set firewall ipv4 name WAN-FIREWALL rule 10 state 'related'
set firewall ipv4 name WAN-FIREWALL rule 10 description 'Allow established and related traffic'
set firewall ipv4 name WAN-FIREWALL rule 20 action accept
set firewall ipv4 name WAN-FIREWALL rule 20 protocol icmp
set firewall ipv4 name WAN-FIREWALL rule 20 state 'new'
set firewall ipv4 name WAN-FIREWALL rule 20 description 'Allow ping'

set firewall ipv4 name WAN-LAN default-action drop
set firewall ipv4 name WAN-LAN description 'Block unsolicited traffic'
set firewall ipv4 name WAN-LAN rule 10 action accept
set firewall ipv4 name WAN-LAN rule 10 state 'established'
set firewall ipv4 name WAN-LAN rule 10 state 'related'
set firewall ipv4 name WAN-LAN rule 10 description 'Allow established and related traffic'

set firewall ipv4 name LAN-WAN default-action accept
set firewall ipv4 name LAN-WAN description 'Allow everything'
set firewall ipv4 name LAN-WAN rule 10 action drop
set firewall ipv4 name LAN-WAN rule 10 state invalid
set firewall ipv4 name LAN-WAN rule 10 description 'Drop invalid packets'

set firewall ipv4 name LAN-FIREWALL default-action accept
set firewall ipv4 name LAN-FIREWALL description 'Allow everything'

set firewall ipv4 name FIREWALL-LAN default-action accept
set firewall ipv4 name FIREWALL-LAN description 'Allow everything'

set firewall ipv4 name FIREWALL-WAN default-action accept
set firewall ipv4 name FIREWALL-WAN description 'Allow everything'
set firewall ipv4 name FIREWALL-WAN rule 10 action drop
set firewall ipv4 name FIREWALL-WAN rule 10 state invalid
set firewall ipv4 name FIREWALL-WAN rule 10 description 'Drop invalid packets'

set firewall zone WAN interface eth0
set firewall zone WAN description 'Public zone'
set firewall zone WAN default-action drop
set firewall zone LAN from WAN firewall name WAN-LAN
set firewall zone FIREWALL from WAN firewall name WAN-FIREWALL

set firewall zone LAN interface eth1
set firewall zone LAN description 'Private zone'
set firewall zone LAN default-action drop
set firewall zone WAN from LAN firewall name LAN-WAN
set firewall zone FIREWALL from LAN firewall name LAN-FIREWALL

set firewall zone FIREWALL local-zone
set firewall zone FIREWALL description 'This firewall'
set firewall zone FIREWALL default-action drop
set firewall zone WAN from FIREWALL firewall name FIREWALL-WAN
set firewall zone LAN from FIREWALL firewall name FIREWALL-LAN

commit; save

WAN

Prepare to go online

Shut down the old router. Connect via serial and change the LAN IP from the temporary address to the final one:

delete interfaces ethernet eth1 address
set interfaces ethernet eth1 address '10.16.10.1/24'

compare
commit; save

Reconfigure SSH:

delete service ssh listen-address
set service ssh listen-address '10.16.10.1'

compare
commit; save

Configure public interface

set interfaces ethernet eth0 description 'WAN'
# 172.16.172.16, netmask: 22   255.255.252.0   0xfffffc00
set interfaces ethernet eth0 address 172.16.172.16/22
# or, dynamically (the lease then supplies the default route, so skip the static route below):
# set interfaces ethernet eth0 address dhcp

set protocols static route 0.0.0.0/0 next-hop 172.16.172.1

commit; save

Test the internet connection.

IPsec Site-to-Site

IPsec Site-to-Site VPN with dynamic routing and VTI tunnels.

Connectivity details

Description              | Value
------------------------ | ----------------
IPsec Cloud public IP #1 | 172.31.172.31
Remote IPsec tunnel #1   | 169.254.1.21/30
Local IPsec tunnel #1    | 169.254.1.22/30
IPsec Cloud public IP #2 | 172.31.172.32
Remote IPsec tunnel #2   | 169.254.2.21/30
Local IPsec tunnel #2    | 169.254.2.22/30
Local network            | 10.16.10.0/24
Cloud network            | 192.168.31.0/24
Local AS                 | 65000
Remote AS                | 64999

IPsec configuration

set vpn ipsec interface 'eth0'

set vpn ipsec options disable-route-autoinstall

set vpn ipsec ike-group CLX-IKE close-action 'none'
set vpn ipsec ike-group CLX-IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group CLX-IKE dead-peer-detection interval '15'
set vpn ipsec ike-group CLX-IKE dead-peer-detection timeout '20'
set vpn ipsec ike-group CLX-IKE disable-mobike
set vpn ipsec ike-group CLX-IKE key-exchange 'ikev2'
set vpn ipsec ike-group CLX-IKE lifetime '28800'
set vpn ipsec ike-group CLX-IKE proposal 1 dh-group '14'
set vpn ipsec ike-group CLX-IKE proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group CLX-IKE proposal 1 hash 'sha256'

commit; save

set vpn ipsec esp-group CLX-ESP lifetime '3600'
set vpn ipsec esp-group CLX-ESP mode 'tunnel'
set vpn ipsec esp-group CLX-ESP pfs 'dh-group14'
set vpn ipsec esp-group CLX-ESP proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group CLX-ESP proposal 1 hash 'sha256'

commit; save

Tunnel #1

  • IPsec Cloud public IP #1 - 172.31.172.31
  • Remote IPsec tunnel #1 - 169.254.1.21/30
  • Local IPsec tunnel #1 - 169.254.1.22/30

set interfaces vti vti0 address '169.254.1.22/30'
set interfaces vti vti0 description 'CLX Tunnel #1'
# Clamp the VTI's MSS to avoid PMTU blackholes
set interfaces vti vti0 ip adjust-mss clamp-mss-to-pmtu
set interfaces vti vti0 mtu 1400

set vpn ipsec authentication psk CLX-T1 id '172.16.172.16'
set vpn ipsec authentication psk CLX-T1 id '172.31.172.31'
set vpn ipsec authentication psk CLX-T1 secret 'CLX Tunnel #1 Shared Secret'

set vpn ipsec site-to-site peer CLX-T1 authentication local-id '172.16.172.16'

set vpn ipsec site-to-site peer CLX-T1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CLX-T1 authentication remote-id '172.31.172.31'

set vpn ipsec site-to-site peer CLX-T1 connection-type 'initiate'
set vpn ipsec site-to-site peer CLX-T1 description 'CLX Tunnel #1'
set vpn ipsec site-to-site peer CLX-T1 ike-group 'CLX-IKE'
set vpn ipsec site-to-site peer CLX-T1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer CLX-T1 local-address '172.16.172.16'
set vpn ipsec site-to-site peer CLX-T1 remote-address '172.31.172.31'
set vpn ipsec site-to-site peer CLX-T1 vti bind 'vti0'
set vpn ipsec site-to-site peer CLX-T1 vti esp-group 'CLX-ESP'

commit; save

Tunnel #2

  • IPsec Cloud public IP #2 - 172.31.172.32
  • Remote IPsec tunnel #2 - 169.254.2.21/30
  • Local IPsec tunnel #2 - 169.254.2.22/30

set interfaces vti vti1 address '169.254.2.22/30'
set interfaces vti vti1 description 'CLX Tunnel #2'
# Clamp the VTI's MSS to avoid PMTU blackholes
set interfaces vti vti1 ip adjust-mss clamp-mss-to-pmtu
set interfaces vti vti1 mtu 1400

set vpn ipsec authentication psk CLX-T2 id '172.16.172.16'
set vpn ipsec authentication psk CLX-T2 id '172.31.172.32'
set vpn ipsec authentication psk CLX-T2 secret 'CLX Tunnel #2 Shared Secret'

set vpn ipsec site-to-site peer CLX-T2 authentication local-id '172.16.172.16'

set vpn ipsec site-to-site peer CLX-T2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CLX-T2 authentication remote-id '172.31.172.32'

set vpn ipsec site-to-site peer CLX-T2 connection-type 'initiate'
set vpn ipsec site-to-site peer CLX-T2 description 'CLX Tunnel #2'
set vpn ipsec site-to-site peer CLX-T2 ike-group 'CLX-IKE'
set vpn ipsec site-to-site peer CLX-T2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer CLX-T2 local-address '172.16.172.16'
set vpn ipsec site-to-site peer CLX-T2 remote-address '172.31.172.32'
set vpn ipsec site-to-site peer CLX-T2 vti bind 'vti1'
set vpn ipsec site-to-site peer CLX-T2 vti esp-group 'CLX-ESP'

commit; save

Firewall

Add new zone

Zone name:

  • CLX

Firewalls:

  • WAN-CLX
  • FIREWALL-CLX
  • LAN-CLX
  • CLX-WAN
  • CLX-FIREWALL
  • CLX-LAN

set firewall zone CLX interface vti0
set firewall zone CLX interface vti1

set firewall zone CLX description 'CLX'
set firewall zone CLX default-action drop
set firewall zone WAN from CLX firewall name CLX-WAN
set firewall zone LAN from CLX firewall name CLX-LAN
set firewall zone FIREWALL from CLX firewall name CLX-FIREWALL
set firewall zone CLX from WAN firewall name WAN-CLX
set firewall zone CLX from LAN firewall name LAN-CLX
set firewall zone CLX from FIREWALL firewall name FIREWALL-CLX

set firewall ipv4 name CLX-WAN default-action accept
set firewall ipv4 name CLX-WAN description 'Allow everything'
set firewall ipv4 name CLX-FIREWALL default-action accept
set firewall ipv4 name CLX-FIREWALL description 'Allow everything'
set firewall ipv4 name CLX-LAN default-action accept
set firewall ipv4 name CLX-LAN description 'Allow everything'

set firewall ipv4 name WAN-CLX default-action drop
set firewall ipv4 name WAN-CLX description 'Block everything'
set firewall ipv4 name LAN-CLX default-action accept
set firewall ipv4 name LAN-CLX description 'Allow everything'
set firewall ipv4 name FIREWALL-CLX default-action accept
set firewall ipv4 name FIREWALL-CLX description 'Allow everything'

commit; save

Because WAN-CLX drops everything, replies included, connections from the cloud side towards the internet cannot complete anyway, and source NAT rule 10 would not translate them, so CLX-WAN could equally be set to drop. CLX-LAN and CLX-FIREWALL, however, let any cloud host reach the LAN and the router itself, which is appropriate only if the cloud side is trusted as much as the LAN.
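Checking the zone matrix by eye gets error-prone once a fourth zone arrives: four zones need twelve rulesets, and a pair without one is dropped by the destination zone's default-action with no warning. The script below is an added example, not part of the gist: it parses the `set firewall zone` and `set firewall ipv4 name` lines (the WAN/LAN/FIREWALL zones and the CLX zone above, embedded as constructed input) and reports ordered zone pairs with no ruleset bound, rulesets bound but never defined, and zones with no member interface. The function names and the sample list are mine.

```python
"""Audit a VyOS zone-based firewall for missing zone pairs and dangling rulesets."""
import re
from itertools import permutations

# Constructed input: the zone bindings from this gist (WAN, LAN, FIREWALL and the
# CLX zone), plus one defining line per ruleset so the binding targets exist.
RULESETS = ["WAN-LAN", "WAN-FIREWALL", "FIREWALL-WAN", "FIREWALL-LAN", "LAN-WAN",
            "LAN-FIREWALL", "WAN-CLX", "FIREWALL-CLX", "LAN-CLX", "CLX-WAN",
            "CLX-FIREWALL", "CLX-LAN"]
ZONE_LINES = """\
set firewall zone WAN interface eth0
set firewall zone WAN description 'Public zone'
set firewall zone WAN default-action drop
set firewall zone LAN from WAN firewall name WAN-LAN
set firewall zone FIREWALL from WAN firewall name WAN-FIREWALL
set firewall zone LAN interface eth1
set firewall zone LAN default-action drop
set firewall zone WAN from LAN firewall name LAN-WAN
set firewall zone FIREWALL from LAN firewall name LAN-FIREWALL
set firewall zone FIREWALL local-zone
set firewall zone FIREWALL default-action drop
set firewall zone WAN from FIREWALL firewall name FIREWALL-WAN
set firewall zone LAN from FIREWALL firewall name FIREWALL-LAN
set firewall zone CLX interface vti0
set firewall zone CLX interface vti1
set firewall zone CLX default-action drop
set firewall zone WAN from CLX firewall name CLX-WAN
set firewall zone LAN from CLX firewall name CLX-LAN
set firewall zone FIREWALL from CLX firewall name CLX-FIREWALL
set firewall zone CLX from WAN firewall name WAN-CLX
set firewall zone CLX from LAN firewall name LAN-CLX
set firewall zone CLX from FIREWALL firewall name FIREWALL-CLX
""".splitlines()
SAMPLE_CONFIG = [f"set firewall ipv4 name {r} default-action drop" for r in RULESETS] + ZONE_LINES

ZONE_RE = re.compile(r"^set firewall zone (\S+) (.+)$")
NAME_RE = re.compile(r"^set firewall ipv4 name (\S+)\b")
FROM_RE = re.compile(r"^from (\S+) firewall name (\S+)$")


def parse(config_lines):
    """Collect zones, the (src, dst) -> ruleset policy map and the defined rulesets."""
    zones, policies, rulesets = {}, {}, set()
    for raw in config_lines:
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:                                  # any rule/default-action line defines the name
            rulesets.add(m.group(1))
            continue
        m = ZONE_RE.match(line)
        if not m:
            continue
        zone, rest = m.groups()
        entry = zones.setdefault(zone, {"interfaces": set(), "local": False})
        f = FROM_RE.match(rest)
        if f:                                  # "zone DST from SRC firewall name X"
            src, ruleset = f.groups()
            policies[(src, zone)] = ruleset
        elif rest.startswith("interface "):
            entry["interfaces"].add(rest.split()[1])
        elif rest == "local-zone":
            entry["local"] = True
    return zones, policies, rulesets


def audit(config_lines):
    """Return the gaps: ordered zone pairs without a ruleset (the destination zone's
    default-action applies), rulesets bound but never defined, and zones that have
    neither an interface nor local-zone."""
    zones, policies, rulesets = parse(config_lines)
    return {
        "missing_pairs": sorted((s, d) for s, d in permutations(zones, 2)
                                if (s, d) not in policies),
        "undefined_rulesets": sorted({r for r in policies.values() if r not in rulesets}),
        "empty_zones": sorted(z for z, v in zones.items()
                              if not v["interfaces"] and not v["local"]),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value or 'none'}")
```

On a live box the same check can be fed with the output of `show configuration commands | grep firewall` instead of the embedded list.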

Allow IPsec

IKE (UDP 500 and 4500) and ESP terminate on the router itself, so the accept rules belong in WAN-FIREWALL, not WAN-LAN:

set firewall ipv4 name WAN-FIREWALL rule 30 action accept
set firewall ipv4 name WAN-FIREWALL rule 30 destination port '500,4500'
set firewall ipv4 name WAN-FIREWALL rule 30 protocol 'udp'
set firewall ipv4 name WAN-FIREWALL rule 30 log enable

set firewall ipv4 name WAN-FIREWALL rule 31 action accept
set firewall ipv4 name WAN-FIREWALL rule 31 protocol 'esp'
set firewall ipv4 name WAN-FIREWALL rule 31 log enable

compare
commit; save

Routing configuration

  • Remote IPsec tunnel #1 - 169.254.1.21/30
  • Local IPsec tunnel #1 - 169.254.1.22/30
  • Remote IPsec tunnel #2 - 169.254.2.21/30
  • Local IPsec tunnel #2 - 169.254.2.22/30
  • Local network - 10.16.10.0/24
  • Cloud network - 192.168.31.0/24
  • Local AS - 65000
  • Remote AS - 64999

Add route to remote network

A static route has administrative distance 1 and beats anything eBGP (distance 20 in FRR) learns for the same prefix, so these two entries, not the BGP announcement, carry 192.168.31.0/24 over the VTIs; they also keep the cloud network reachable while a BGP session is down.

set protocols static route 192.168.31.0/24 interface vti0
set protocols static route 192.168.31.0/24 interface vti1

commit; save

Configure BGP

set protocols bgp system-as 65000
set protocols bgp parameters router-id '169.254.1.22'
set protocols bgp address-family ipv4-unicast network '10.16.10.0/24'
set protocols bgp address-family ipv4-unicast redistribute connected

# Tunnel #1
set protocols bgp neighbor 169.254.1.21 remote-as 64999
set protocols bgp neighbor 169.254.1.21 update-source 169.254.1.22
set protocols bgp neighbor 169.254.1.21 address-family ipv4-unicast soft-reconfiguration 'inbound'
set protocols bgp neighbor 169.254.1.21 timers holdtime '30'
set protocols bgp neighbor 169.254.1.21 timers keepalive '10'

# Tunnel #2 (remote-as is required for every neighbor or the commit fails)
set protocols bgp neighbor 169.254.2.21 remote-as 64999
set protocols bgp neighbor 169.254.2.21 update-source 169.254.2.22
set protocols bgp neighbor 169.254.2.21 address-family ipv4-unicast soft-reconfiguration 'inbound'
set protocols bgp neighbor 169.254.2.21 timers holdtime '30'
set protocols bgp neighbor 169.254.2.21 timers keepalive '10'

commit; save

Add policies

The export list announces only the home LAN, so the WAN and tunnel prefixes that redistribute connected would otherwise offer stay private; the import list accepts only the cloud network, so the remote side cannot push a default route or a prefix that overlaps the LAN.

set policy prefix-list CLX
set policy prefix-list CLX description 'Allow CLX network IPv4'
set policy prefix-list CLX rule 10 action permit
set policy prefix-list CLX rule 10 prefix '192.168.31.0/24'

set policy prefix-list HOME
set policy prefix-list HOME description 'Allow home network IPv4'
set policy prefix-list HOME rule 10 action permit
set policy prefix-list HOME rule 10 prefix '10.16.10.0/24'
set policy prefix-list HOME rule 20 action deny
set policy prefix-list HOME rule 20 le 32
set policy prefix-list HOME rule 20 prefix '0.0.0.0/0'

commit; save

Configure Neighbors

set protocols bgp neighbor 169.254.1.21 address-family ipv4-unicast prefix-list export HOME
set protocols bgp neighbor 169.254.1.21 address-family ipv4-unicast prefix-list import CLX

set protocols bgp neighbor 169.254.2.21 address-family ipv4-unicast prefix-list export HOME
set protocols bgp neighbor 169.254.2.21 address-family ipv4-unicast prefix-list import CLX

commit; save
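Whether the two prefix-lists do what their descriptions claim can be checked offline. The following Python is an added example, not from the gist: it implements first-match prefix-list evaluation with FRR's ge/le semantics and the implicit deny, then runs HOME over the prefixes that `network` plus `redistribute connected` would hand to the export filter, and CLX over a few announcements a misbehaving peer might send. The rule dictionaries mirror the set commands above; the candidate prefix lists are constructed from the gist's addressing and the function names are mine.

```python
"""Offline evaluation of the HOME and CLX prefix-lists with FRR match semantics."""
from ipaddress import ip_network


def matches(rule, prefix):
    """FRR prefix-list match: the candidate must lie inside the rule's prefix and,
    with ge/le given, have a length in that range; with neither, the length must
    equal the rule's own (so 192.168.31.0/25 does not match a bare 192.168.31.0/24)."""
    net = ip_network(rule["prefix"])
    if not prefix.subnet_of(net):
        return False
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        return prefix.prefixlen == net.prefixlen
    return (ge is None or prefix.prefixlen >= ge) and (le is None or prefix.prefixlen <= le)


def evaluate(prefix_list, prefix):
    """First matching rule (by sequence number) wins; no match hits the implicit deny."""
    prefix = ip_network(prefix)
    for rule in sorted(prefix_list, key=lambda r: r["seq"]):
        if matches(rule, prefix):
            return rule["action"]
    return "deny"


def permitted(prefix_list, prefixes):
    """The subset of prefixes the list lets through, in input order."""
    return [p for p in prefixes if evaluate(prefix_list, p) == "permit"]


# The gist's two lists, as data.
HOME = [{"seq": 10, "action": "permit", "prefix": "10.16.10.0/24"},
        {"seq": 20, "action": "deny", "prefix": "0.0.0.0/0", "le": 32}]
CLX = [{"seq": 10, "action": "permit", "prefix": "192.168.31.0/24"}]

# Constructed candidates: what `network` plus `redistribute connected` would offer
# to the export filter (LAN, WAN subnet, both VTI /30s) ...
EXPORT_CANDIDATES = ["10.16.10.0/24", "172.16.172.0/22", "169.254.1.20/30", "169.254.2.20/30"]
# ... and what a hostile or misconfigured peer might try to announce.
IMPORT_CANDIDATES = ["192.168.31.0/24", "192.168.31.0/25", "0.0.0.0/0", "10.16.10.0/24"]

if __name__ == "__main__":
    print("exported to the cloud:", permitted(HOME, EXPORT_CANDIDATES))
    print("accepted from the cloud:", permitted(CLX, IMPORT_CANDIDATES))
```

The second run shows a detail that is easy to miss: a bare `prefix 192.168.31.0/24` permits exactly that /24, so if the cloud side ever announces more specific subnets, the CLX list needs a `le` bound.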

IPsec Remote Access

Add PEM-encoded certificates and keys as one-line strings with the header and footer stripped, e.g. with tail -n +2 cert.pem | head -n -1 | tr -d '\n'.

ECDSA certificates are not supported yet (as of 1.5-rolling-202409250007).

Remote clients will get an IP from subnet:

  • IPsec RA network - 10.127.157.16/30

Create PKI

set pki ca root-ca certificate 'MII...'
set pki ca sign-ca certificate 'MII...'

set pki certificate example.net certificate 'MII...'
set pki certificate example.net private key 'EEi...'

commit; save
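The tail/head/tr pipeline above works for one file at a time. The Python below is an added example, not from the gist: it strips the armour from every block in a PEM file, checks that each body is valid base64 that decodes to DER (first byte 0x30, an ASN.1 SEQUENCE) so a mangled paste is caught before it reaches the router, refuses an encrypted key, and emits the set pki commands for a leaf certificate, its chain and its key. The sample PEM blocks are constructed five-byte DER stubs, not real certificates or keys, and the function and argument names are mine.

```python
"""Convert PEM files into VyOS `set pki ...` commands, with sanity checks."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_bodies(pem_text):
    """Return [(label, one_line_base64)] for each armoured block, after checking
    that the body is valid base64 and decodes to DER."""
    bodies = []
    for label, body in PEM_BLOCK.findall(pem_text):
        one_line = "".join(body.split())                    # same as tr -d '\n'
        der = base64.b64decode(one_line, validate=True)     # raises on stray characters
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body does not decode to DER")
        bodies.append((label, one_line))
    return bodies


def looks_valid(pem_text):
    """True when every block in the text passes the checks in pem_bodies."""
    try:
        pem_bodies(pem_text)
        return True
    except ValueError:                                       # binascii.Error is a ValueError
        return False


def vyos_pki_commands(name, cert_pem, key_pem=None, ca_names=()):
    """Build the set commands: the first CERTIFICATE block is the leaf, further
    blocks (a chain file) become CAs named from ca_names, and the key, if given,
    must be unencrypted (decrypt with `openssl pkey -in enc.pem -out key.pem`)."""
    certs = [b for label, b in pem_bodies(cert_pem) if label.endswith("CERTIFICATE")]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    cmds = [f"set pki certificate {name} certificate '{certs[0]}'"]
    cmds += [f"set pki ca {ca} certificate '{b}'" for ca, b in zip(ca_names, certs[1:])]
    if key_pem is not None:
        keys = [(l, b) for l, b in pem_bodies(key_pem) if l.endswith("PRIVATE KEY")]
        if not keys:
            raise ValueError("no PRIVATE KEY block found")
        label, body = keys[0]
        if "ENCRYPTED" in label:
            raise ValueError("encrypted key; decrypt it first with openssl pkey")
        cmds.append(f"set pki certificate {name} private key '{body}'")
    return cmds


# Constructed stand-ins: "MAMCAQE=" is the base64 of a five-byte DER SEQUENCE,
# not a real certificate or key; the first block is line-wrapped like real PEM.
SAMPLE_CHAIN = """-----BEGIN CERTIFICATE-----
MAMC
AQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for cmd in vyos_pki_commands("example.net", SAMPLE_CHAIN, SAMPLE_KEY, ca_names=("sign-ca",)):
        print(cmd)
```

With real files, pass the contents of the fullchain and key files in place of the samples and paste the printed lines into configure mode.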

Configure IPsec

set vpn ipsec esp-group RA-ESP lifetime '3600'
# PFS off: CHILD_SA keys are derived from the IKE SA only; use pfs 'dh-group14' instead if every client supports it
set vpn ipsec esp-group RA-ESP pfs 'disable'
set vpn ipsec esp-group RA-ESP proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group RA-ESP proposal 1 hash 'sha256'

set vpn ipsec ike-group RA-IKE key-exchange 'ikev2'
set vpn ipsec ike-group RA-IKE lifetime '7200'
set vpn ipsec ike-group RA-IKE proposal 1 dh-group '14'
set vpn ipsec ike-group RA-IKE proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group RA-IKE proposal 1 hash 'sha256'

set vpn ipsec remote-access pool RA-POOL name-server '10.16.10.3'
set vpn ipsec remote-access pool RA-POOL name-server '10.16.10.2'
set vpn ipsec remote-access pool RA-POOL prefix '10.127.157.16/30'

set vpn ipsec remote-access connection RA authentication local-id 'example.net'
set vpn ipsec remote-access connection RA authentication server-mode x509
set vpn ipsec remote-access connection RA authentication x509 ca-certificate 'root-ca'
set vpn ipsec remote-access connection RA authentication x509 certificate 'example.net'
set vpn ipsec remote-access connection RA esp-group 'RA-ESP'
set vpn ipsec remote-access connection RA ike-group 'RA-IKE'
set vpn ipsec remote-access connection RA local-address '172.16.172.16'
set vpn ipsec remote-access connection RA pool 'RA-POOL'

set vpn ipsec remote-access connection RA authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection RA authentication local-users username ra-user password 'User password'

commit; save

Configure Firewall

Allow client subnet

Decrypted remote-access traffic enters on eth0 and is therefore evaluated by the WAN-LAN ruleset; without this rule the clients can reach nothing on the LAN that WAN-LAN does not already allow.

set firewall ipv4 name WAN-LAN rule 20 action accept
set firewall ipv4 name WAN-LAN rule 20 destination address '10.16.10.0/24'
set firewall ipv4 name WAN-LAN rule 20 source address '10.127.157.16/30'
set firewall ipv4 name WAN-LAN rule 20 description 'Allow IPsec RA subnet'

commit-confirm
# test
confirm; save

Allow Internet access

set nat source rule 20 outbound-interface name eth0
set nat source rule 20 source address '10.127.157.16/30'
set nat source rule 20 translation address masquerade
set nat source rule 20 description 'NAT IPsec RA traffic'

commit-confirm
# test
confirm; save

Client configuration

Import root-ca and mark certificate as trusted.

To configure IKEv2 VPN for macOS, go to Settings, VPN and add a new IKEv2 configuration with the following details:

Description         | Value
------------------- | -------------
Server Address      | example.net
Remote ID           | example.net
User authentication | Username
Username            | ra-user
Password            | User password

For Linux, install the networkmanager-strongswan (or similar) plugin and use the same information to configure an IKEv2 VPN connection.
