Configuring a VyOS VPN for Site to Site Connections


Applicable Plans - VyOS Network OS plans

VyOS (Vyatta) VPN Network Appliance - Site to Site VPN Configuration Guide

Overview

This is for our legacy VPN Appliance offering. For an updated guide using OPNsense, see https://support.eapps.com/vpn-appliance/site-to-site 

Vyatta VPN users: VyOS is the continuation of the open source Vyatta project, which is no longer available. VyOS is a drop-in replacement for Vyatta and functions in exactly the same manner. If you currently have Virtual Servers built with Vyatta Network OS, no changes will need to be made to your existing setup.

Using the VyOS Network OS (VPN Appliance) template, you can create a Virtual Server that acts as a network appliance that can function as an IPSEC compliant VPN, which will allow you to securely connect applications or services running on your Virtual Servers to applications or services running on remote servers (either on or off the eApps network). This is called a Site to Site VPN, and is documented in this User Guide.

Warning Make sure that you understand that a Virtual Server built with the VyOS Network OS (VPN Appliance) template will only function as a VPN or router network appliance. It will do nothing else. You cannot host websites on this VS, or use it as a mail server, or for any purpose other than as a VPN or router.

If you need assistance with your VyOS VPN, eApps offers a Professional Services option to help with the setup and configuration of your VPN. Our Technical Support team will work with you to determine your needs and put together a solution that meets your requirements. Please see our Professional Services page - eApps Professional Services or contact eApps Sales for more information.

Prerequisites

VPN Configuration - Site to Site VPN
    VPN configuration - overview
    VPN configuration: Virtual Server Console
    VPN configuration - Virtual Server: Command line


Prerequisites

In order to configure a Site to Site VPN, you will need to have the following:

  • A Virtual Server built using the VyOS Network OS (VPN Appliance) template
  • Additional private IP address for the VyOS VPN Virtual Server (Purchased in Upgrade/Downgrade after the VS is built).
  • Additional private IP address for each Virtual Server on the eApps network that will be connecting to the VyOS VPN VS (Purchased in Upgrade/Downgrade).

You will also need to know the following:

  • The public IP address, gateway, and CIDR netmask for the Virtual Server
  • The private IP address that you purchased for your VyOS VPN VS along with the gateway and CIDR netmask
  • The private IP address that you purchased for the Virtual Server(s) that are connecting to the VyOS VPN VS along with the gateway and CIDR netmask
  • The public IP address of the remote router that your VyOS VPN will be connecting to. You will need to contact the owners/admins of the remote site for this information.
  • The private IP addresses and CIDR netmask of the remote services that your applications will be connecting to. You will need to contact the owners/admins of the remote site for this information.
  • The "shared-secret" password that both ends of the connection have to use for authentication. Either you will create this and provide it to the owners/admins of the remote site, or they will create it and provide it to you.
  • The values for ike-group and esp-group. You will need to contact the owners/admins of the remote site for this information.

VPN Configuration - Site to Site VPN

A Site to Site VPN configuration is where you have applications or services running on a Virtual Server, and you are connecting those applications to services running on a remote server over a VPN connection.

An example of this would be a web site that displays content (news, stock reports, sports scores, etc.) that is hosted or aggregated on a remote server. For example, you would be running an application like MySQL and pointing it to a database on the remote server. To access this content and display it on your web site, the owners/admins of the remote service require that you connect to that service over a VPN connection. Often this is done for content that you are paying for, so that the content is only available to customers.

VPN configuration - overview

All of the configuration for the VPN has to be done from the command line of the Virtual Server, starting with the Virtual Server Console that is available in the Customer Portal, and then continuing from the command line of the VS itself using SSH.

Public and Private IP addresses/gateway/CIDR netmask

The location of the IP addresses will differ depending on whether you have a Virtual Cloud Server or a Virtual Machine in the Cloud. To determine which platform you have, look at the listing for the Virtual Servers in My Cloud > Virtual Servers.

Virtual Server List

A Virtual Cloud Server will be in the section labeled Virtual Cloud Server, and a Virtual Machine in the Cloud will be in the section labeled Virtual Machine in the Cloud. Note that this list is also broken down by Zone.

To find the IP addresses, click on the magnifying glass to the right of the Virtual Server. This takes you to the Product Details screen.

  • Virtual Cloud Server - to find the public IP address for a Virtual Cloud Server from the Product Details screen, go to the Additional Tools section and click on IP Information. This shows the Public and Private IP addresses for the VS. For the public IP address you will need the IP Address, Netmask, and Gateway for the first IP address in this list. You will also need the CIDR netmask, which is /22. For the private IP addresses, you will need the entire list, the Netmask and the Gateway (which should be the same for all private IPs). You will also need the CIDR netmask, which is /24.

  • Virtual Machine in the Cloud - to find the public IP address for a Virtual Machine in the Cloud from the Product Details screen, click on IP Addresses in the top navigation, or Manage IP Addresses under the Actions section. This shows the Public and Private IP addresses for the VS. You will need the IP Address, Netmask, and Gateway for the first IP address in this list. You will also need the CIDR netmask, which is /22. For the private IP addresses, you will need the entire list, the Netmask and the Gateway (which should be the same for all private IPs). You will also need the CIDR netmask, which is /24.

Public and private IP addresses of the remote services

You will need to contact the owners or admins of the remote site for this information. If this is a commercial service, this information may be available publicly, or as part of some information that you received when you signed up for the service. eApps Support will not have this information, only the site owners or admins will be able to provide this for you.

Shared secret, ike-group, and esp-group

You will need to contact the owners or admins of the remote site for this information. eApps Support will not have this information.

VPN configuration: Virtual Server Console

By default, the VyOS Network OS does not have SSH access enabled. Because of that, you will need to connect to the Virtual Server using the VS Console first, so that SSH access can be configured.

The location of the Virtual Console will differ depending on whether you have a Virtual Cloud Server or a Virtual Machine in the Cloud. To determine which platform you have, look at the listing for the Virtual Servers in My Cloud > Virtual Servers.

A Virtual Cloud Server will be in the section labeled Virtual Cloud Server, and a Virtual Machine in the Cloud will be in the section labeled Virtual Machine in the Cloud. Note that this list is also broken down by Zone.

To find the Virtual Console, click on the magnifying glass to the right of the Virtual Server. This takes you to the Product Details screen.

  • Virtual Cloud Server - the Virtual Console for a Virtual Cloud Server is found in the Manage Your Server section of the Product Details screen. Click on Open Console to open the Virtual Console.

  • Virtual Machine in the Cloud - the Virtual Console for a Virtual Machine in the Cloud is found in the Actions section of the Product Details screen. Click on Virtual Machine Console to open the Virtual Console.

NOTE: If you get a "Missing Plug-in" error when trying to use the Console the issue is with your browser and/or the version of Java installed on your computer. If you cannot resolve this issue by upgrading your browser, version of Java, or by installing the correct plugin, please contact eApps Support for assistance.


Log in as vyos, with a password of vyos. You will be changing this password during this initial configuration.

Some notes:

  • PUBLIC_IP/22 is the public IP address and the CIDR netmask ( /22 ) that you found in step 1 of the Overview

  • gateway-address is found in the Customer Portal with the Public IP

  • PASSWORD is the new password for the vyos user. Since the vyos user has full access to configure the VPN, make certain to pick a very secure password. If your password is easily guessed, someone could compromise your VPN and access the systems and data that you are trying to secure. Consider using a Strong Password Generator to create the password.


The commands to enter are:

configure
set interfaces ethernet eth0 address PUBLIC_IP/22
set system gateway-address GATEWAY_ADDRESS
set system login user vyos authentication plaintext-password PASSWORD
set service ssh port 22
commit
save
exit

Enter each command one line at a time, pressing Enter or Return after each line.

Linux vyos 2.6.35-1-amd64-vyos-virt #1 SMP Tue Apr 5 15:39:37 PDT 2011 x86_64
Welcome to VyOS.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc//copyright.
vyos@vyos:~$
vyos@vyos:~$ configure
[edit]
vyos@vyos# set interfaces ethernet eth0 address PUBLIC_IP/22
[edit]
vyos@vyos# set system gateway-address GATEWAY_ADDRESS
[edit]
vyos@vyos# set system login user vyos authentication plaintext-password PASSWORD
[edit]
vyos@vyos# set service ssh port 22
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/opt/vyos/etc/config/config.boot'...
Done
[edit]
vyos@vyos# exit
exit
vyos@vyos:~$

Once you have entered the correct information and committed and saved, you can exit the Virtual Server Console.

VPN configuration - Virtual Server: Command line

After the VS Console configuration has been completed, you can log in to the Virtual Server as the vyos user via SSH, and continue with the rest of the configuration. Use the public IP address of the Virtual Server as the hostname.

localcomputer:~$ ssh vyos@PUBLIC_IP
The authenticity of host 'PUBLIC_IP (PUBLIC_IP)' can't be established.
RSA key fingerprint is 9c:dd:99:43:f9:ff:05:03:9c:62:67:3a:b6:ba:8c:49.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'PUBLIC_IP' (RSA) to the list of known hosts.
Welcome to VyOS
vyos@PUBLIC_IP's password: passwd
Linux vyos 2.6.35-1-amd64-vyos-virt #1 SMP Tue Apr 5 15:39:37 PDT 2014 x86_64
Welcome to VyOS. This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the
individual files in /usr/share/doc//copyright.
Last login: Mon Jun 20 11:48:05 2014
vyos@vyos:~$

VPN Configuration file

The commands to configure the VPN can be entered as one text file, with a new line for every command. VyOS will treat each line as a separate command. This allows you to set all of the configuration options before applying them to the VPN, instead of typing them in one line at a time.

Note The VPN configuration file has to be edited in a plain text editor, such as Notepad on Windows, or TextEdit on Mac OS X set up in plain text mode. Do not try to edit this file in a word processor, such as MS Word, LibreOffice, or Pages. Those applications will insert invisible control characters in the file which will cause errors when the configuration options are read by the VPN software.

Copy and paste this file into a plain text editor.

An explanation of all the variables that you need to change, which are in CAPITAL LETTERS, is below. The changes are explained line by line, for each line that needs to be changed.

Make sure that the lines do not wrap in your text editor, and that there are no tabs or spaces at the beginning or end of each line.

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group test-ike proposal 1
set vpn ipsec ike-group test-ike proposal 1 encryption aes256
set vpn ipsec ike-group test-ike proposal 1 hash sha1
set vpn ipsec ike-group test-ike lifetime 3600
set vpn ipsec esp-group test-esp proposal 1 encryption aes256
set vpn ipsec esp-group test-esp proposal 1 hash sha1
set vpn ipsec esp-group test-esp lifetime 1800
set vpn ipsec site-to-site peer REMOTE_ROUTER_IP authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer REMOTE_ROUTER_IP
set authentication pre-shared-secret SECRET_PASSWORD
set ike-group test-ike
set local-address VYATTA_VS_PUBLIC_IP
set tunnel 1 local prefix VS_PRIVATE_IP/CIDR
set tunnel 1 remote prefix REMOTE_SERVICE_PRIVATE_IP/CIDR
set tunnel 1 esp-group test-esp
top
commit
save

REMOTE_ROUTER_IP - this is the public IP of the remote router that the VyOS VPN will be connecting to. You will need to get this information from the owner/admin of the remote site. This could be a Cisco router, an OpenSWAN router, or any type of device that can do IPSec. REMOTE_ROUTER_IP appears on two lines in the configuration file.

SECRET_PASSWORD - the shared secret that is used by both the VyOS VPN and the remote router. You will need to get this information from the owner/admin of the remote site, or create it and provide it to the remote site admin.

VYATTA_VS_PUBLIC_IP - the public IP of the VyOS VPN.

VS_PRIVATE_IP/CIDR - This is the private IP of the VS that is behind the VyOS VPN, not the private IP of the VyOS VS itself. If there is only one VS and one private IP, the CIDR netmask will be /32. If you have multiple VSs and services running, you will need to work closely with eApps Support to assign private IPs and set the CIDR netmask.

REMOTE_SERVICE_PRIVATE_IP/CIDR - these are the private IPs of the servers on the remote end of the VPN connection. You will need to get this information from the owner/admin of the remote site.

Some other notes:

set ike-group test-ike - test-ike can be any name, such as foo-ike or bar-ike. The network admin for the remote site may have default names that need to be used, please contact them to determine if this is the case.

set tunnel 1 esp-group test-esp - test-esp can be any name, just like the test-ike value. The network admin for the remote site may have default names that need to be used, please contact them to determine if this is the case.

You can also have multiple tunnels, connecting different VSs to different remote sites. This is an advanced configuration, please consult the VyOS documentation, or contact eApps Sales to discuss having the configuration done for you by an eApps technician.


As an example, here is the VPN configuration file with actual values:

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group test-ike proposal 1
set vpn ipsec ike-group test-ike proposal 1 encryption aes256
set vpn ipsec ike-group test-ike proposal 1 hash sha1
set vpn ipsec ike-group test-ike lifetime 3600
set vpn ipsec esp-group test-esp proposal 1 encryption aes256
set vpn ipsec esp-group test-esp proposal 1 hash sha1
set vpn ipsec esp-group test-esp lifetime 1800
set vpn ipsec site-to-site peer 68.169.50.236 authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer 68.169.50.236
set authentication pre-shared-secret b44s0!Op
set ike-group test-ike
set local-address 68.169.49.8
set tunnel 1 local prefix 10.0.23.6/32
set tunnel 1 remote prefix 10.0.1.5/24
set tunnel 1 esp-group test-esp
top
commit
save
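Before pasting, a small check script (an added example, not part of the eApps guide or of VyOS) can render the template above from the five CAPITAL values and enforce the rules this section gives: no stray whitespace or non-ASCII characters, the same REMOTE_ROUTER_IP on both peer lines, public peer and local addresses, and private, non-overlapping tunnel prefixes. Run against the example values it also points out that 10.0.1.5/24 denotes the network 10.0.1.0/24. Only Python 3.7+ and its standard library are assumed.

```python
import ipaddress
import re

# Constructed example (not from the eApps guide): the guide's site-to-site template,
# with the CAPITAL placeholders that must be replaced before it is pasted into VyOS.
TEMPLATE = """\
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group test-ike proposal 1
set vpn ipsec ike-group test-ike proposal 1 encryption aes256
set vpn ipsec ike-group test-ike proposal 1 hash sha1
set vpn ipsec ike-group test-ike lifetime 3600
set vpn ipsec esp-group test-esp proposal 1 encryption aes256
set vpn ipsec esp-group test-esp proposal 1 hash sha1
set vpn ipsec esp-group test-esp lifetime 1800
set vpn ipsec site-to-site peer REMOTE_ROUTER_IP authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer REMOTE_ROUTER_IP
set authentication pre-shared-secret SECRET_PASSWORD
set ike-group test-ike
set local-address VYATTA_VS_PUBLIC_IP
set tunnel 1 local prefix VS_PRIVATE_IP/CIDR
set tunnel 1 remote prefix REMOTE_SERVICE_PRIVATE_IP/CIDR
set tunnel 1 esp-group test-esp
top
commit
save
"""
PLACEHOLDERS = set(re.findall(r"[A-Z][A-Z_/]+", TEMPLATE))

def render(values):
    # Longest name first so that no placeholder is replaced inside another one.
    text = TEMPLATE
    for name in sorted(values, key=len, reverse=True):
        text = text.replace(name, values[name])
    return text

def validate(config):
    # Findings to fix (or consciously accept) before pasting; raises ValueError for a non-IP value.
    findings = [f"placeholder {p} was not replaced" for p in PLACEHOLDERS if p in config]
    if findings:
        return findings
    for n, line in enumerate(config.splitlines(), 1):  # the guide's plain-text rules
        if line != line.strip() or not (line.isascii() and line.isprintable()):
            findings.append(f"line {n}: stray whitespace, tab or non-ASCII/control character")
    # Both peer lines must name the same router; peer and local-address are public IPs.
    if len(set(re.findall(r"site-to-site peer (\S+)", config))) != 1:
        findings.append("the two 'site-to-site peer' lines name different routers")
    for addr in set(re.findall(r"(?:site-to-site peer|local-address) (\S+)", config)):
        if not ipaddress.ip_address(addr).is_global:
            findings.append(f"{addr} is not a public address")
    # Tunnel prefixes must be private, written as networks, and must not overlap.
    nets = {}
    for side, pfx in re.findall(r"tunnel 1 (local|remote) prefix (\S+)", config):
        nets[side] = ipaddress.ip_network(pfx, strict=False)
        if not nets[side].is_private:
            findings.append(f"{side} prefix {pfx} is not a private range")
        if str(nets[side]) != pfx:
            findings.append(f"{side} prefix {pfx} has host bits set; the network is {nets[side]}")
    if len(nets) == 2 and nets["local"].overlaps(nets["remote"]):
        findings.append("local and remote prefixes overlap")
    return findings
```

Write the output of render() to a file from a plain text editor only after validate() returns an empty list; a finding about host bits is informational if the remote admin confirms the whole /24 is intended.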

From the vyos@vyos:~$ command prompt, type in configure and press return to enter configuration mode. This will put you at a vyos@vyos# prompt.

Paste in the contents of the VPN configuration file. What you paste in is one block of text; VyOS will automatically insert the [edit] lines between the commands.

The system will pause for a few seconds between commit and save as the configurations are written.

After you see the save command on the screen, hit Return. This saves the configuration.

If something goes wrong, you will usually see a Set failed error, with some indication as to what failed. To start over, use the exit discard command.

This is an example of what you will see:

vyos@vyos:~$ configure
[edit]
vyos@vyos# set vpn ipsec ipsec-interfaces interface eth0
[edit]
vyos@vyos# set vpn ipsec ike-group test-ike proposal 1
[edit]
vyos@vyos# set vpn ipsec ike-group test-ike proposal 1 encryption aes256
[edit]
vyos@vyos# set vpn ipsec ike-group test-ike proposal 1 hash sha1
[edit]
vyos@vyos# set vpn ipsec ike-group test-ike lifetime 3600
[edit]
vyos@vyos# set vpn ipsec esp-group test-esp proposal 1 encryption aes256
[edit]
vyos@vyos# set vpn ipsec esp-group test-esp proposal 1 hash sha1
[edit]
vyos@vyos# set vpn ipsec esp-group test-esp lifetime 1800
[edit]
vyos@vyos# set vpn ipsec site-to-site peer 68.169.50.236 authentication mode pre-shared-secret
[edit]
vyos@vyos# edit vpn ipsec site-to-site peer 68.169.50.236
[edit vpn ipsec site-to-site peer 68.169.50.236]
vyos@vyos# set authentication pre-shared-secret vyostest
[edit vpn ipsec site-to-site peer 68.169.50.236]
vyos@vyos# set ike-group test-ike
[edit vpn ipsec site-to-site peer 68.169.50.236]
vyos@vyos# set local-address 68.169.49.8
[edit vpn ipsec site-to-site peer 68.169.50.236]
vyos@vyos# set tunnel 1 local prefix 10.0.23.6/32
[edit vpn ipsec site-to-site peer 68.169.50.236]
vyos@vyos# set tunnel 1 remote prefix 10.0.1.5/24
[edit vpn ipsec site-to-site peer 68.169.50.236]
vyos@vyos# set tunnel 1 esp-group test-esp
[edit vpn ipsec site-to-site peer 68.169.50.236]
vyos@vyos# top
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/opt/vyos/etc/config/config.boot'...
Done
[edit]
vyos@vyos#

This completes the basic setup of the VyOS VPN. You can exit from the configuration and SSH sessions.

Now you can start to configure your applications and services to connect to the VyOS VPN. Use the private IP address of the VyOS VPN Virtual Server if your application requires an IP address to connect to.

eApps Support may be able to assist with basic configuration questions, but any type of in-depth configuration assistance would need to be a billable service.

You may also need to work closely with the owners/admins of the remote site in order to properly configure your service.


