Configuring a VyOS VPN for Remote Access


Applicable Plans - VyOS Network OS plans

VyOS (Vyatta) VPN Network Appliance - Remote Access VPN Configuration Guide

This is for our legacy VPN Appliance offering. For an updated guide using OPNsense, see https://docs.opnsense.org/manual/how-tos/sslvpn_client.html 

Vyatta VPN users: VyOS is the continuation of the open source Vyatta project, which is no longer available. VyOS is a drop-in replacement for Vyatta and functions in exactly the same manner. If you currently have Virtual Servers built with Vyatta Network OS, no changes will need to be made to your existing setup.

Overview

Using the VyOS Network OS (VPN Appliance) template, you can create a Virtual Server that acts as a network appliance that can function as an IPSEC compliant VPN, which will allow you to securely connect users to your services hosted in the eApps cloud. This is called a Remote Access VPN, and is documented in this User Guide.

Warning Make sure that you understand that a Virtual Server built with the VyOS Network OS (VPN Appliance) template will only function as a VPN or router network appliance. It will do nothing else. You cannot host websites on this VS, or use it as a mail server, or for any purpose other than as a VPN or router.

If you need assistance with your VyOS VPN, eApps offers a Professional Services option to help with the setup and configuration of your VPN. Our Technical Support team will work with you to determine your needs and put together a solution that meets your requirements. Please see our Professional Services page - eApps Professional Services or contact eApps Sales for more information.

Prerequisites

VPN Configuration - Remote Access VPN
    VPN configuration - overview
    VPN configuration: Virtual Server Console
    VPN configuration - Virtual Server: Command line

VPN Client Configuration
    Windows VPN client configuration
    Mac OS X VPN client configuration

Using the VyOS VPN to connect to your services


Prerequisites

In order to configure a Remote Access VPN, you will need to have the following:

  • A Virtual Server built using the VyOS Network OS (VPN Appliance) template
  • Additional private IP addresses for each user who will be connecting to the Remote Access VPN (purchased in Upgrade/Downgrade after the VS is built).

You will also need to know the following:

  • The public IP address, gateway, and CIDR netmask for the Virtual Server
  • The private IP addresses that you purchased for your VS, their gateway, and their CIDR netmask
  • The user names and passwords for every user who will be connecting to the Remote Access VPN

VPN Configuration - Remote Access VPN

A Remote Access VPN configuration is where you have a Virtual Server located behind the VyOS VPN on the eApps network, and your users connect to the VPN in order to access those servers. All access to the secured services running on those Virtual Servers goes through the VPN.

All of the configuration for the VPN has to be done from the command line of the Virtual Server, starting with the Virtual Server Console that is available in the Customer Portal, and then continuing from the command line of the VS itself using SSH.

VPN configuration - overview

Public and Private IP addresses/gateway/CIDR netmask

The location of the IP addresses will differ depending on whether you have a Virtual Cloud Server or a Virtual Machine in the Cloud. To determine which platform you have, look at the listing for the Virtual Servers in My Cloud > Virtual Servers.

Virtual Server List

A Virtual Cloud Server will be in the section labeled Virtual Cloud Server, and a Virtual Machine in the Cloud will be in the section labeled Virtual Machine in the Cloud. Note that this list is also broken down by Zone.

To find the IP addresses, click on the magnifying glass to the right of the Virtual Server. This takes you to the Product Details screen.

  • Virtual Cloud Server - to find the public IP address for a Virtual Cloud Server from the Product Details screen, go to the Additional Tools section and click on IP Information. This shows the Public and Private IP addresses for the VS. For the public IP address you will need the IP Address, Netmask, and Gateway for the first IP address in this list. You will also need the CIDR netmask, which is /22. For the private IP addresses, you will need the entire list, the Netmask and the Gateway (which should be the same for all private IPs). You will also need the CIDR netmask, which is /24.

  • Virtual Machine in the Cloud - to find the public IP address for a Virtual Machine in the Cloud from the Product Details screen, click on IP Addresses in the top navigation, or Manage IP Addresses under the Actions section. This shows the Public and Private IP addresses for the VS. You will need the IP Address, Netmask, and Gateway for the first IP address in this list. You will also need the CIDR netmask, which is /22. For the private IP addresses, you will need the entire list, the Netmask and the Gateway (which should be the same for all private IPs). You will also need the CIDR netmask, which is /24.

If you have a large number of VPN users, you will have a large number of private IP addresses, which will all be in sequential order. Make a note of the first and second private IP addresses, and the last private IP address. The first private IP address will be configured as eth1 on the Virtual Server, and the second through last private IP addresses will define the range of IP addresses on the VPN.

User name for each VPN user

Each user that will be connecting to the VPN will need a user name. The general convention for this user name is some form of the user's actual name, like johnd or jdoe or johndoe for John Doe. The user name should be in lowercase letters.

If you are going to have eApps configure the VPN for you, you will need to supply the user names to eApps support.

Password for each VPN user

Each VPN user will also need a password. How strictly you enforce secure passwords is up to you. eApps recommends that you use a Strong Password Generator for the passwords so that the passwords are secure. Remember that the entire reason to have a VPN is for security, so it makes sense to have good passwords.

If you are going to have eApps configure the VPN for you, you can either create the passwords, or have eApps generate them with a random password generator. If you generate them, you will need to supply that information to eApps support in a Ticket created on the Ticket System web interface, which is encrypted.

VPN configuration: Virtual Server Console

By default, the VyOS Network OS does not have SSH access enabled. Because of that, you will need to connect to the Virtual Server using the VS Console first, so that SSH access can be configured.

The location of the Virtual Console will differ depending on whether you have a Virtual Cloud Server or a Virtual Machine in the Cloud. To determine which platform you have, look at the listing for the Virtual Servers in My Cloud > Virtual Servers.

A Virtual Cloud Server will be in the section labeled Virtual Cloud Server, and a Virtual Machine in the Cloud will be in the section labeled Virtual Machine in the Cloud. Note that this list is also broken down by Zone.

To find the Virtual Console, click on the magnifying glass to the right of the Virtual Server. This takes you to the Product Details screen.

  • Virtual Cloud Server - the Virtual Console for a Virtual Cloud Server is found in the Manage Your Server section of the Product Details screen. Click on Open Console to open the Virtual Console.

  • Virtual Machine in the Cloud - the Virtual Console for a Virtual Machine in the Cloud is found in the Actions section of the Product Details screen. Click on Virtual Machine Console to open the Virtual Console.

NOTE: If you get a "Missing Plug-in" error when trying to use the Console, the issue is with your browser and/or the version of Java installed on your computer. If you cannot resolve this issue by upgrading your browser or your version of Java, or by installing the correct plugin, please contact eApps Support for assistance.


Log in as vyos, with a password of vyos. You will be changing this password during this initial configuration.

Some notes:

  • PUBLIC_IP/22 is the public IP address and the CIDR netmask (/22) that you found in step 1 of the Overview

  • gateway-address is found in the Customer Portal with the Public IP

  • PASSWORD is the new password for the vyos user. Since the vyos user has full access to configure the VPN, make certain to pick a very secure password. If your password is easily guessed, someone could compromise your VPN and access the systems and data that you are trying to secure. Consider using a Strong Password Generator to create the password.


The commands to enter are:

configure
set interfaces ethernet eth0 address PUBLIC_IP/22
set system gateway-address GATEWAY_ADDRESS
set system login user vyos authentication plaintext-password PASSWORD
set service ssh port 22
commit
save
exit

Enter each command one line at a time, pressing Enter or Return after each line.

Linux vyos 2.6.35-1-amd64-vyos-virt #1 SMP Tue Apr 5 15:39:37 PDT 2011 x86_64
Welcome to VyOS.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc//copyright.
vyos@vyos:~$
vyos@vyos:~$ configure
[edit]
vyos@vyos# set interfaces ethernet eth0 address PUBLIC_IP/22
[edit]
vyos@vyos# set system gateway-address GATEWAY_ADDRESS
[edit]
vyos@vyos# set system login user vyos authentication plaintext-password PASSWORD
[edit]
vyos@vyos# set service ssh port 22
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/opt/vyos/etc/config/config.boot'...
Done
[edit]
vyos@vyos# exit
exit
vyos@vyos:~$

Once you have entered the correct information and committed and saved, you can exit the Virtual Server Console.

VPN configuration - Virtual Server: Command line

After the VS Console configuration has been completed, you can log in to the Virtual Server as the vyos user via SSH, and continue with the rest of the configuration. Use the public IP address of the Virtual Server as the hostname.

localcomputer:~$ ssh vyos@PUBLIC_IP
The authenticity of host 'PUBLIC_IP (PUBLIC_IP)' can't be established.
RSA key fingerprint is 9c:dd:99:43:f9:ff:05:03:9c:62:67:3a:b6:ba:8c:49.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'PUBLIC_IP' (RSA) to the list of known hosts.
Welcome to VyOS
vyos@PUBLIC_IP's password: passwd
Linux vyos 2.6.35-1-amd64-vyos-virt #1 SMP Tue Apr 5 15:39:37 PDT 2014 x86_64
Welcome to VyOS. This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the
individual files in /usr/share/doc//copyright.
Last login: Mon Jun 20 11:48:05 2014
vyos@vyos:~$

VPN Configuration file

The commands to configure the VPN can be entered as one text file, with a new line for every command. The VyOS OS will see each new line as a separate command. This allows you to set the configuration options before applying them to the VPN, instead of typing them in one line at a time.

Note The VPN configuration file has to be edited in a plain text editor, such as Notepad on Windows, or TextEdit on Mac OS X set up in plain text mode. Do not try to edit this file in a word processor, such as MS Word, LibreOffice, or Pages. Those applications will insert invisible control characters in the file which will cause errors when the configuration options are read by the VPN software.

Copy and paste this file into your plain text editor. Assuming that you have two VPN users who each have a private IP address, the file has 20 lines. Depending on your configuration, the file may end up being somewhat longer. An explanation of all the variables that you need to change, which are in CAPITAL LETTERS, is below. The changes are explained line by line, for each line that needs to be changed.

Make sure that the lines do not wrap in your text editor, and that there are no tabs or spaces at the beginning of each line.

set interfaces ethernet eth1 address PRIVATE_IP/24
set system host-name vyos-COMPANY_NAME
set system name-server 216.154.208.4
set system name-server 216.154.208.5
set vpn ipsec ipsec-interfaces interface eth0
set vpn l2tp remote-access authentication local-users username USERNAME password PASSWORD
set vpn l2tp remote-access authentication local-users username USERNAME password PASSWORD
set vpn l2tp remote-access client-ip-pool start PRIVATE_IP
set vpn l2tp remote-access client-ip-pool stop PRIVATE_IP
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SECRET_PASSWORD
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access outside-address PUBLIC_IP
set vpn l2tp remote-access outside-nexthop 68.169.48.1
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 10.0.0.0/24
set vpn ipsec nat-networks allowed-network 172.16.0.0/20
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
commit
save

PRIVATE_IP - enter either the first or last of the private IP addresses allocated to the VS. This becomes the IP attached to the eth1 interface. Remember to use the CIDR netmask of /24.

COMPANY_NAME - use anything here that will be relevant to you for hostname of the Virtual Server.

USERNAME and PASSWORD - enter the user name and password for each VPN user, one user and password per line.

PRIVATE_IP - the start PRIVATE_IP is the first available private IP address in the sequence of private IP addresses allocated to the Virtual Server.

PRIVATE_IP - the stop PRIVATE_IP is the last of the private IP addresses in the sequence of private IP addresses allocated to the Virtual Server. You only need to enter the first and last of the private IP addresses in the range, you do not need to enter all the IP addresses.

SECRET_PASSWORD - the pre-shared-secret is a password that both the VPN client and the VPN server will use. As with the other passwords for the VPN, use a password generator to create a strong password, and make a note of this password in a secure location.

PUBLIC_IP - this is the public IP address that was noted in step 1 of the Overview


As an example, here is the VPN configuration file with actual values:

set interfaces ethernet eth1 address 10.0.22.42/24
set system host-name vyos-eapps
set system name-server 216.154.208.4
set system name-server 216.154.208.5
set vpn ipsec ipsec-interfaces interface eth0
set vpn l2tp remote-access authentication local-users username johndoe password QCN37yuj
set vpn l2tp remote-access authentication local-users username janedoe password oY2Z2WSK
set vpn l2tp remote-access client-ip-pool start 10.0.22.38
set vpn l2tp remote-access client-ip-pool stop 10.0.22.39
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret i2u9KzDC
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access outside-address 68.169.51.55
set vpn l2tp remote-access outside-nexthop 68.169.48.1
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 10.0.0.0/24
set vpn ipsec nat-networks allowed-network 172.16.0.0/20
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
commit
save
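As an added example (not part of the original guide), here is a Python script that renders this configuration file from a set of values and checks the consistency rules the explanations above imply before anything is pasted into configure: the client pool must fall inside the eth1 /24, must not include the eth1 address itself, usernames must be lowercase, and the passwords and pre-shared secret must meet a minimum length. The EXAMPLE values are constructed to match the filled-in file above; the 8-character minimum and the helper names validate and render are assumptions, while the name servers and next hop are the ones used in the guide's example.

```python
import ipaddress
import re

# Constructed parameters mirroring the guide's filled-in example file.
EXAMPLE = {
    "private_ip": "10.0.22.42", "company": "eapps",
    "users": {"johndoe": "QCN37yuj", "janedoe": "oY2Z2WSK"},
    "pool_start": "10.0.22.38", "pool_stop": "10.0.22.39",
    "psk": "i2u9KzDC", "public_ip": "68.169.51.55",
}
NAME_SERVERS = ("216.154.208.4", "216.154.208.5")
OUTSIDE_NEXTHOP = "68.169.48.1"  # gateway used in the guide's example
NAT_NETWORKS = ("10.0.0.0/24", "172.16.0.0/20", "192.168.0.0/16")
USERNAME_RE = re.compile(r"^[a-z][a-z0-9]*$")  # lowercase, per the guide


def validate(p, min_secret_len=8):
    """Return a list of problems; an empty list means the values are usable."""
    errors = []
    eth1 = ipaddress.ip_interface(f"{p['private_ip']}/24")
    start = ipaddress.ip_address(p["pool_start"])
    stop = ipaddress.ip_address(p["pool_stop"])
    if start > stop:
        errors.append("client-ip-pool start is above stop")
    for a in (start, stop):
        if a not in eth1.network:
            errors.append(f"pool address {a} is outside eth1 subnet {eth1.network}")
    if start <= eth1.ip <= stop:
        errors.append("eth1 address lies inside the client pool")
    if int(stop) - int(start) + 1 < len(p["users"]):
        errors.append("client pool is smaller than the number of users")
    for user, pw in p["users"].items():
        if not USERNAME_RE.match(user):
            errors.append(f"username {user!r} is not lowercase alphanumeric")
        if len(pw) < min_secret_len:
            errors.append(f"password for {user} is shorter than {min_secret_len}")
    if len(p["psk"]) < min_secret_len:
        errors.append("pre-shared secret is too short")
    return errors


def render(p):
    # Emit the 'set ...' lines in the same order as the guide's template.
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"set interfaces ethernet eth1 address {p['private_ip']}/24",
             f"set system host-name vyos-{p['company']}"]
    lines += [f"set system name-server {ns}" for ns in NAME_SERVERS]
    lines.append("set vpn ipsec ipsec-interfaces interface eth0")
    lines += [f"set vpn l2tp remote-access authentication local-users "
              f"username {u} password {pw}" for u, pw in p["users"].items()]
    lines += [
        f"set vpn l2tp remote-access client-ip-pool start {p['pool_start']}",
        f"set vpn l2tp remote-access client-ip-pool stop {p['pool_stop']}",
        "set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret",
        f"set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret {p['psk']}",
        "set vpn l2tp remote-access authentication mode local",
        f"set vpn l2tp remote-access outside-address {p['public_ip']}",
        f"set vpn l2tp remote-access outside-nexthop {OUTSIDE_NEXTHOP}",
        "set vpn ipsec nat-traversal enable",
    ]
    lines += [f"set vpn ipsec nat-networks allowed-network {n}" for n in NAT_NETWORKS]
    return lines + ["commit", "save"]


if __name__ == "__main__":
    print("\n".join(render(EXAMPLE)))
```

Redirect the output to a file to get the 20-line configuration file described above, ready to paste at the vyos@vyos# prompt.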

From the vyos@vyos:~$ command prompt, type in configure and press return to enter configuration mode. This will put you at a vyos@vyos# prompt.

Paste in the contents of the VPN configuration file. What you paste in will be the contents of one file; the VyOS OS will automatically insert the [edit] lines.

The system will pause for a few seconds between commit and save as the configurations are written.

After you see the save command on the screen, hit Return. This saves the configuration.

If something goes wrong, you will usually see a Set failed error, with some indication as to what failed. To start over, use the exit discard command.

This is an example of what you will see:

vyos@vyos:~$ configure
[edit]
vyos@vyos# set interfaces ethernet eth1 address 10.0.22.42/24
[edit]
vyos@vyos# set system host-name vyos-vpn
[edit]
vyos@vyos# set system name-server 216.154.208.4
[edit]
vyos@vyos# set system name-server 216.154.208.5
[edit]
vyos@vyos# set vpn ipsec ipsec-interfaces interface eth0
[edit]
vyos@vyos# set vpn l2tp remote-access authentication local-users username johndoe password QCN37yuj
[edit]
vyos@vyos# set vpn l2tp remote-access authentication local-users username janedoe password oY2Z2WSK
[edit]
vyos@vyos# set vpn l2tp remote-access client-ip-pool start 10.0.22.38   
[edit]
vyos@vyos# set vpn l2tp remote-access client-ip-pool stop 10.0.22.39
[edit]
vyos@vyos# set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
[edit]
vyos@vyos# set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret i2u9KzDC
[edit]
vyos@vyos# set vpn l2tp remote-access authentication mode local    
[edit]
vyos@vyos# set vpn l2tp remote-access outside-address 68.169.51.55
[edit]
vyos@vyos# set vpn l2tp remote-access outside-nexthop 68.169.48.1
[edit]
vyos@vyos# set vpn ipsec nat-traversal enable
[edit]
vyos@vyos# set vpn ipsec nat-networks allowed-network 10.0.0.0/24
[edit]
vyos@vyos# set vpn ipsec nat-networks allowed-network 172.16.0.0/20
[edit]
vyos@vyos# set vpn ipsec nat-networks allowed-network 192.168.0.0/16
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/opt/vyos/etc/config/config.boot'...
Done
[edit]
vyos@vyos#

This completes the basic setup of the VyOS VPN. You can exit from the configuration and SSH sessions.

You will need to contact your users to distribute their user name and password, and also the shared secret if their VPN client requires it.


VPN Client Configuration

There are many VPN clients available. If you already have a preferred solution, verify that it will work with an L2TP over IPSec VPN, and allows for a Shared Secret.

If you have not already decided on which VPN client to use, you may want to check if your operating system comes with a built-in solution. There are built-in VPN clients for Windows (starting with Windows 98) and Mac OS X (starting with 10.3 for L2TP) that you can use.

Warning Because of the large number of VPN client solutions available, and also because of the variations between different versions of the Windows and Mac OS X operating systems, there is no way for eApps to offer any official support for your VPN client. There are numerous resources available online if you have questions or need assistance with your particular VPN client.

As always, eApps will try to assist you whenever possible. But be aware that our ability to answer specific questions about your VPN client is limited.

Windows VPN client configuration

All Windows versions starting from Windows 98 onward have a built-in VPN client that may be used to connect to your VyOS VPN. However, with Windows XP, Windows Vista, and Windows 7, the version of the operating system you are on (Home, Home Premium, Professional, etc) may not allow all types of VPN connections. Please make sure to verify that the version of Windows you have will allow the type of VPN connection you wish to set up. If it does not, you will need to find a third-party solution, or upgrade your version of Windows.

For more information on Windows VPN client configuration, search Microsoft's TechNet.

Some specific information can be found here:

Mac OS X VPN client configuration

Mac OS X has had the ability to connect to an L2TP IPSec VPN since version 10.3 (Panther). The built-in VPN client in Mac OS X is found in System Preferences > Network - click the plus sign (+) under the left pane that shows the existing connections, and add a VPN connection. Make sure to choose L2TP over IPSec as the VPN Type.

Please see the official Apple documentation for Mac OS X 10.5 and Mac OS X 10.6 if you need further information on configuring the VPN client.


Using the VyOS VPN to connect to your services

Once you have the VyOS VPN set up, and your VPN client installed and configured, you can connect to the services behind the VPN. To do this, you will need to first connect with your VPN client to the public IP of the VyOS VPN. Once that connection is established, you will be able to connect to the private IP address of the Virtual Server where the services are running.

How you connect to these services (web browser, SSH, mail client, file browser, etc) will depend on what services you are running on the Virtual Server behind the VPN. Common scenarios include a secured web application, file sharing, or e-mail.


