Configuring a VyOS VPN as an Internet Gateway
- 22/05/2013 1:42 PM
Applicable Plans - VyOS Network OS plans
Configuring a VyOS (Vyatta) VPN as an Internet Gateway
This is for our legacy VPN Appliance offering. For an updated guide using OPNsense, see https://support.eapps.com/vpn-appliance/inet-gatewayVyatta VPN users: VyOS is the continuation of the open source Vyatta project, which is no longer available. VyOS is a drop-in replacement for Vyatta and functions in exactly the same manner. If you currently have Virtual Servers built with Vyatta Network OS, no changes will need to be made to your existing setup.
Overview
Using a variation on the VyOS Site to Site VPN configuration, you can create an Internet Gateway, which will allow you to connect from your local network through the VyOS VPN, and then out through the eApps network to the Internet. All of your traffic that is routed through the VyOS VPN will appear to be coming from the eApps network that is located in the US.
In order for the Internet Gateway configuration to work, you will need to have the following:
- A Virtual Server built using the VyOS Network OS (VPN Appliance) template
- An IPsec compatible router or network appliance at your physical location
- A static public IP address that is attached to the IPsec compatible router or network appliance
- The ability to access and make configuration changes to the IPsec compatible router or network appliance
- The ability to make changes to the local area network (LAN) configuration for the computers at your physical location
Make sure that you understand that a Virtual Server built with the VyOS Network OS (VPN Appliance) template will only function as a VPN or router network appliance. It will do nothing else. You cannot host websites on this VS, or use it as a mail server, or for any purpose other than as a VPN or router. |
If you need assistance with your VyOS VPN, eApps offers a Professional Services option to help with the setup and configuration of your VPN. Our Technical Support team will work with you to determine your needs and put together a solution that meets your requirements. Please see our Professional Services page for more information - eApps Professional Services, or contact eApps Sales for more information.
Be aware that any changes to the router or network appliance or the local area network at your physical location are beyond the scope of eApps support. If you need assistance to make changes to your router or network appliance or LAN, you will need to contract with someone locally to make those changes for you.
VyOS Internet Gateway configuration
Internet Gateway configuration - overview
VPN configuration: Virtual Server Console
VPN configuration - Virtual Server: Command line
VPN Configuration file
VyOS Internet Gateway configuration
Internet Gateway configuration - overview
To configure the Internet Gateway, you will need to know the following:
-
The public IP address of the VyOS VS, and the gateway and CIDR netmask
-
The public IP address of the IPsec compatible router or network appliance at your physical location
-
The private network address of the IPsec compatible router or network appliance at your physical location, and the CIDR netmask for that network (This is not the private IP address of the router, but the network address)
-
The "shared-secret" password that both ends of the connection have to use for authentication
-
The values for ike-group and esp-group
1. Public IP address/gateway/CIDR netmask for VyOS VS
The location of the IP address will differ depending on whether you have a Virtual Cloud Server or a Virtual Machine in the Cloud. To determine which platform you have, look at the listing for the Virtual Servers in My Cloud > Virtual Servers.
A Virtual Cloud Server will be in the section labeled Virtual Cloud Server, and a Virtual Machine in the Cloud will be in the section labeled Virtual Machine in the Cloud. Note that this list is also broken down by Zone.
To find the IP address, click on the magnifying glass to the right of the Virtual Server. This takes you to the Product Details screen.
-
Virtual Cloud Server - to find the public IP address for a Virtual Cloud Server from the Product Details screen, go to the Additional Tools section and click on IP Information. This shows the Public (and Private) IP addresses for the VS. You will need the IP Address, Netmask, and Gateway for the first IP address in this list. You will also need the CIDR netmask, which is /22.
-
Virtual Machine in the Cloud - to find the public IP address for a Virtual Machine in the Cloud from the Product Details screen, click on IP Addresses in the top navigation, or Manage IP Addresses under the Actions section. This shows the Public (and Private) IP addresses for the VS. You will need the IP Address, Netmask, and Gateway for the first IP address in this list. You will also need the CIDR netmask, which is /22.
2. Public IP address of the IPsec compatible router or network appliance at your physical location
This is the IP address assigned to this device, usually provided by your ISP.
3. Private network address and CIDR netmask of the IPsec compatible router or network appliance at your physical location
Your local router or device should have a private network configured along with the public network. The private network (NOT a private IP address) will be in this format:
10.0.0.0/CIDR
172.16.0.0/CIDR
192.168.0.0/CIDR
To find the CIDR value, find the subnet mask for the private network, and then do an Internet search for a "CIDR table". This will help you find the correct value.
For items 2 and 3, you will need to access the device at your physical location in order to obtain these values. If you do not know how to access the device, you will need to contract with someone locally who can assist you.
4 & 5. Shared secret, ike-group, and esp-group
These values will have to match on the Virtual Server and your local IPsec compatible router or network appliance. Generally these values will come from the local device, but what matters is that they match on both the VyOS VS and the local device.
VPN configuration: Virtual Server Console
By default, the VyOS Network OS does not have SSH access enabled. Because of that, you will need to connect to the Virtual Server using the VS Console first, so that SSH access can be configured.
The location of the Virtual Console will differ depending on whether you have a Virtual Cloud Server or a Virtual Machine in the Cloud. To determine which platform you have, look at the listing for the Virtual Servers in My Cloud > Virtual Servers.
A Virtual Cloud Server will be in the section labeled Virtual Cloud Server, and a Virtual Machine in the Cloud will be in the section labeled Virtual Machine in the Cloud. Note that this list is also broken down by Zone.
To find the Virtual Console, click on the magnifying glass to the right of the Virtual Server. This takes you to the Product Details screen.
-
Virtual Cloud Server - the Virtual Console for a Virtual Cloud Server is found in the Manage Your Server section of the Product Details screen. Click on Open Console to open the Virtual Console.
-
Virtual Machine in the Cloud - the Virtual Console for a Virtual Machine in the Cloud is found in the Actions section of the Product Details screen. Click on Virtual Machine Console to open the Virtual Console.
NOTE: If you get a "Missing Plug-in" error when trying to use the Console the issue is with your browser and/or the version of Java installed on your computer. If you cannot resolve this issue by upgrading your browser, version of Java, or by installing the correct plugin, please contact eApps Support for assistance.
Log in as vyos, with a password of vyos. You will be changing this password during this initial configuration.
Some notes:
-
PUBLIC_IP/CIDR is the public IP address and the CIDR netmask for the VyOS VS that you found in the Overview
-
gateway-address is the gateway address for the public IP for the VyOS VS that you found in the Overview
-
PASSWORD is the new password for the vyos user. Since the vyos user has full access to configure the VPN, make certain to pick a very secure password. If your password is easily guessed, someone could compromise your VPN and access the systems and data that you are trying to secure. Consider using a secure password generator to create the password.
The commands to enter are:
configure
set interfaces ethernet eth0 address PUBLIC_IP/CIDR
set system gateway-address GATEWAY_IP
set system login user vyos authentication plaintext-password PASSWORD
set service ssh port 22
commit
save
exit
Enter each command one line at a time, pressing Enter or Return after each line.
Welcome to VyOS - vyos tty1
vyos login: vyos
Password:
Last login: Thu May 16 12:34:56 GMT 2013 on tty1
Linux vpn-test 2.6.35-1-amd64-vyos-virt #1 SMP Tue Apr 5 21:12:00 PDT x86_64
Welcome to VyOS.
This system is open-source software. The exact distrubtion terms for
each module compromising the full system are described in the individual
files in /usr/share/doc/*/copyright.
vyos@vyos:~$<br> vyos@vyos:~$ configure
[edit]
vyos@vyos# set interfaces ethernet eth0 address PUBLIC_IP/CIDR
[edit]
vyos@vyos# set system gateway-address GATEWAY_IP
[edit]
vyos@vyos# set system login user vyos authentication plaintext-password PASSWORD
[edit]
vyos@vyos# set service ssh port 22
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/opt/vyos/etc/config/config.boot'...
Done
[edit]
vyos@vyos# exit
exit
vyos@vyos$
Once you have entered in the correct information and committed/saved, you can exit the VS Console.
VPN configuration - Virtual Server: Command line
After the VS Console configuration has been completed, you can log in to the Virtual Server as the vyos user via SSH, and continue with the rest of the configuration. Use the public IP address of the Virtual Server as the hostname.
localcomputer:~$ ssh vyos@IP_ADDRESS
The authenticity of host 'IP_ADDRESS (IP_ADDRESS)' can't be established.
RSA key fingerprint is fb:bb:6b:ef:d4:be:9b:b9:e4:03:df:16:a8:e6:9f:ce.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'IP_ADDRESS' (RSA) to the list of known hosts.
Welcome to VyOS
vyos@IP_ADDRESS's password: password
Linux vyos 2.6.35-1-amd64-vyos-virt #1 SMP Tue Apr 5 15:39:37 PDT 2011 x86_64
Welcome to VyOS.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/\/copyright.
Last login: Thu May 16 15:35:14 2013
vyos@vyos:~$
VPN Configuration file
The commands to configure the VPN can be entered in as one text file, with a new line for every command. The VyOS OS will see each new line as a separate command. This allows you to set the configuration options before applying them to the VPN, instead of typing in one line at a time.
The VPN configuration file has to be edited in a plain text editor, such as Notepad on Windows, or TextEdit on Mac OS X set up in plain text mode. Do not try to edit this file in a word processor, such as MS Word, LibreOffice, or Pages. Those applications will insert invisible control characters in the file which will cause errors when the configuration options are read by the VPN software. |
Copy and paste this file in to a plain text editor.
An explanation of all the variables that you need to change, which are in CAPITAL LETTERS, is below. The changes are explained line by line, for each line that needs to be changed.
Make sure that the lines do not wrap in your text editor, and that there are no tabs or spaces at the beginning or end of each line.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group test-ike proposal 1
set vpn ipsec ike-group test-ike proposal 1 encryption aes256
set vpn ipsec ike-group test-ike proposal 1 hash sha1
set vpn ipsec ike-group test-ike lifetime 3600
set vpn ipsec esp-group test-esp proposal 1 encryption aes256
set vpn ipsec esp-group test-esp proposal 1 hash sha1
set vpn ipsec esp-group test-esp lifetime 1800
set vpn ipsec site-to-site peer LOCAL_ROUTER_IP authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer LOCAL_ROUTER_IP
set authentication pre-shared-secret SECRET_PASSWORD
set ike-group test-ike
set local-address VYATTA_VS_PUBLIC_IP
set tunnel 1 local-subnet 0.0.0.0/0
set tunnel 1 remote-subnet LOCAL_ROUTER_NETWORK/CIDR
set tunnel 1 esp-group test-esp
top
set nat source rule 20 source address LOCAL_ROUTER_NETWORK/CIDR
set nat source rule 20 outbound-interface eth0
set nat source rule 20 translation address masquerade
commit
save
LOCAL_ROUTER_IP - this is the public IP of the local router in your physical location that the VyOS VPN will be connecting to. This was found in step 2 of the Internet Gateway configuration - overview section. LOCAL_ROUTER_IP appears on two lines in the configuration file.
SECRET_PASSWORD - the shared secret that is used by both the VyOS VPN and the local router. Entering it here will set this on the VyOS VS, you will still need to add this to the local router configuration.
The SECRET_PASSWORD can consist of only these characters, and it is recommended that you surround the password in single quotes:
- alphanumeric characters a-z A-Z 0-9
- special characters - + & ! @ # $ % ^ * ( ) , . : _
VYATTA_VS_PUBLIC_IP - the public IP of the VyOS VPN. This was found in step 1 of the Internet Gateway configuration - overview section
LOCAL_ROUTER_NETWORK/CIDR - the network address of the private network on the local router. This was found in step 3 of the Internet Gateway configuration - overview section. LOCAL_ROUTER_NETWORK/CIDR appears on two lines in the configuration file.
encryption aes256 - you can also use 3des for the encryption. These settings are found on your local IPsec compatible router or network appliance. What you are doing is setting this value on the VyOS VS to match your local device.
hash sha1 - you can also use md5 for the hash. These settings are found on your local IPsec compatible router or network appliance. What you are doing is setting this value on the VyOS VS to match your local device.
set ike-group test-ike - test-ike can be any name, such as foo-ike or bar-ike. These settings are found on your local IPsec compatible router or network appliance. What you are doing is setting this value on the VyOS VS to match your local device.
set tunnel 1 esp-group test-esp - test-esp can be any name, just like the test-ike value. These settings are found on your local IPsec compatible router or network appliance. What you are doing is setting this value on the VyOS VS to match your local device.
As an example, here is the VPN configuration file with actual values. This is for example purposes only.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group test-ike proposal 1
set vpn ipsec ike-group test-ike proposal 1 encryption aes256
set vpn ipsec ike-group test-ike proposal 1 hash sha1
set vpn ipsec ike-group test-ike lifetime 3600
set vpn ipsec esp-group test-esp proposal 1 encryption aes256
set vpn ipsec esp-group test-esp proposal 1 hash sha1
set vpn ipsec esp-group test-esp lifetime 1800
set vpn ipsec site-to-site peer 108.54.72.44 authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer 108.54.72.44
set authentication pre-shared-secret 'zRs934&6@g:'
set ike-group test-ike
set local-address 68.169.63.144
set tunnel 1 local-subnet 0.0.0.0/0
set tunnel 1 remote-subnet 10.0.0.0/24
set tunnel 1 esp-group test-esp
top
set nat source rule 20 source address 10.0.0.0/24
set nat source rule 20 outbound-interface eth0
set nat source rule 20 translation address masquerade
commit
save
From the vyos@vyos:~$ command prompt, type in configure and press return to enter configuration mode. This will put you at a vyos@vyos# prompt.
Paste in the contents of the VPN configuration file. What you paste in will be in one file, the VyOS OS will automatically insert the [edit] lines.
The system will pause for a few seconds between commit and save as the configurations are written.
After you see the save command on the screen, hit Return. This saves the configuration. If there are no errors reported, you can then exit from configuration.
If something goes wrong, you will usually see a Set failed error, with some indication as to what failed. To start over, use the exit discard command.
This is an example of what you will see:
vyos@vyos:~$ configure
[edit]
vyos@vyos# set vpn ipsec ipsec-interfaces interface eth0
[edit]
vyos@vyos# set vpn ipsec ike-group test-ike proposal 1
[edit]
vyos@vyos# set vpn ipsec ike-group test-ike proposal 1 encryption aes256
vpn ipsec esp-group test-esp proposal 1 encryption aes256
set vpn ipsec esp-group test-esp proposal 1 hash sha1
set vpn ipsec esp-group test-esp lifetime 1800
set vpn ipsec site-to-site peer 108.54.72.44 authentication mode pre-shared-secret
edit vpn ipse[edit]
vyos@vyos# set vpn ipsec ike-group test-ike proposal 1 hash sha1
[edit]
vyos@vyos# set vpn ipsec ike-group test-ike lifetime 3600
[edit]
vyos@vyos# set vpn ipsec esp-group test-esp proposal 1 encryption aes256
[edit]
vyos@vyos# set vpn ipsec esp-group test-esp proposal 1 hash sha1
[edit]
vyos@vyos# set vpn ipsec esp-group test-esp lifetime 1800
[edit]
vyos@vyos# set vpn ipsec site-to-site peer 108.54.72.44 authentication mode pre-shared-secret
[edit]
vyos@vyos# edit vpn ipsec site-to-site peer 108.54.72.44
[edit vpn ipsec site-to-site peer 108.54.72.44]
vyos@vyos# set authentication pre-shared-secret 'zRs934&6@g:'
[edit vpn ipsec site-to-site peer 108.54.72.44]
vyos@vyos# set ike-group test-ike
[edit vpn ipsec site-to-site peer 108.54.72.44]
vyos@vyos# set local-address 68.169.63.144
[edit vpn ipsec site-to-site peer 108.54.72.44]
vyos@vyos# set tunnel 1 local-subnet 0.0.0.0/0
[edit vpn ipsec site-to-site peer 108.54.72.44]
vyos@vyos# set tunnel 1 remote-subnet 10.0.0.0/24
[edit vpn ipsec site-to-site peer 108.54.72.44]
vyos@vyos# set tunnel 1 esp-group test-esp
[edit vpn ipsec site-to-site peer 108.54.72.44]
vyos@vyos# top
[edit]
vyos@vyos# set nat source rule 20 source address 10.0.0.0/24
[edit]
vyos@vyos# set nat source rule 20 outbound-interface eth0
[edit]
vyos@vyos# set nat source rule 20 translation address masquerade
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/opt/vyos/etc/config/config.boot'...
Done
[edit]
vyos@vyos# exit
vyos@vyos:~$
This completes the basic setup of the VyOS VPN. You can exit from the configuration and SSH sessions.
Local network configuration and testing
Local network configuration
In order to use the VPN as an Internet Gateway, you will need to configure your local area network (LAN) to allow network traffic to use the local IPsec compatible router or network appliance. This might mean making changes to the computers on the network so that they use this device as their gateway, or it might mean making a configuration change to another device on your network to route Internet bound traffic to the IPsec router.
This configuration is outside the scope of eApps support - if you need assistance with making these changes you will need to contract with someone locally.
Testing the VPN/gateway connection
There are several commands you can run from the command line of the VyOS VPN Virtual Server to see the status of the VPN connection.
show vpn ipsec sa
- this will return the status of the tunnelshow vpn ike sa
- this will return the status of the tunnelshow vpn debug
- this will show the most information
Comments
Powered by WHMCompleteSolution