In this document we're setting up an internal OpenVPN site-to-site server on VyOS. The install will have one Ethernet interface only and will be virtualized.
Note: only one side needs the OpenVPN UDP port opened/forwarded on its firewall for this to work — the other side initiates towards it via `remote-host`, and the `--ping` keepalive configured below keeps that side's NAT mapping open — though opening the port on both ends works as well.
Note: if doing this on the main gateway for a network no additional routes beyond what's listed below are needed. If you are doing this as a stand alone OpenVPN server behind the main gateway then static routes will need to be added to the default gateway pointing to the IP of the OpenVPN server as the next hop address for any subnets on the other side of the OpenVPN tunnel.
====Initial Setup====
https://docs.vyos.io/en/equuleus/installation/install.html
* Record the subnets that you'll be providing access to, e.g. 10.221.24.0/24, 10.221.25.0/24…
* Record the subnets that you'll be gaining access to, e.g. 10.222.24.0/24, 10.222.25.0/24…
* Record a static IP that will be assigned to the vyOS VPN server.
* Record a static IP that will be assigned to the interface of the OpenVPN local device as well as the remote device (same subnet)
* Record the UDP port(s) you'll be using for the OpenVPN server
* Setup a DNS entry on your public DNS servers to point external clients to your WAN IP, e.g. WPN01.company.domain.com → Public WAN IP
* Download the install ISO from https://vyos.io and verify it against the published checksum/signature before booting it (or roll your own if you want LTS)
* Create a virtual guest with 1-2 vCPU, 512MB RAM, 2GB Drive, 1 NIC
* Boot ISO and login using the default credentials vyos | vyos (these are public knowledge — replace them in "Create New Admin User" below before the VM is reachable by anyone else)
* Install system using install image
and accept all defaults, set your password
* Reboot
==Initial Configuration==
Set IP and Enable SSH
# Enter configuration mode; nothing below takes effect until `commit`.
configure
# Management address on the single NIC (replace with the static IP recorded above).
set interfaces ethernet eth0 address 10.221.24.20/24
# Enables SSH on every address. Until the zone firewall further down is committed nothing
# filters who can reach it, and the default vyos/vyos account still exists at this point.
# NOTE(review): consider `set service ssh listen-address 10.221.24.20`, and once an SSH key is
# installed for the admin user, `set service ssh disable-password-authentication`.
set service ssh port 22
commit
# Persist the running config to /config/config.boot so it survives a reboot.
save
==Create New Admin User==
# NOTE(review): VyOS stores this as a hash, but the plaintext typed here stays in the shell
# history of the account that typed it. Generating the hash offline and using
# `authentication encrypted-password` avoids that; better still, add an SSH public key
# (`authentication public-keys <name> ...`) and disable SSH password logins once it works.
set system login user myvyosuser authentication plaintext-password mysecurepassword
Commit, then log out and back in using the new account (confirm it actually works before continuing, so a typo cannot lock you out) and delete the default account:
# Remove the well-known default account; commit and save afterwards so it does not come back on reboot.
delete system login user vyos
==Set Time and Date==
Set timezone
# Set once here; the "Misc Base Settings" step sets it again — keep the two values the same.
set system time-zone America/Los_Angeles
commit
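# `sudo su` opens a plain root bash, where `set date ...` is only the bash builtin `set` and
# silently does nothing. Set the clock with date(1) instead (format MMDDhhmmYYYY, same as below),
# or use VyOS's own operational-mode `set date <MMDDhhmmYYYY>` (prefix with `run` inside
# configure mode). A roughly correct clock matters for NTP to sync and for usable log timestamps.
sudo date mmddhhmmyyyy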
==Configure Misc Base Settings==
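set system host-name wpnsec01
set system domain-name yourdomain.com
# Same zone as in the "Set Time and Date" step, using the canonical name so the two agree
# (US/Pacific is only a legacy tzdata alias for America/Los_Angeles).
set system time-zone America/Los_Angeles
# Resolvers used by the router itself, e.g. to resolve the tunnel's remote-host name.
set system name-server 1.1.1.1
set system name-server 9.9.9.9
# Keep the clock in sync; add a second server if you have one.
set system ntp server pool.ntp.org
# The e-mail address is single-quoted inside the banner: nested double quotes end the outer
# string (bash then concatenates the pieces, so the quote characters were simply lost).
set system login banner pre-login "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED\n\n\t Please contact 'support@domain.com' to gain\n\taccess to this equipment if you need authorization.\n\n\n"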
==Configure Interfaces==
# The only NIC: management access, upstream default route and the encrypted OpenVPN packets all share it.
set interfaces ethernet eth0 description "Management LAN"
==Set Default Route==
# Upstream gateway; the tunnel's encrypted packets to remote-host leave through it.
set protocols static route 0.0.0.0/0 next-hop 10.221.24.1
==Create OpenVPN Key==
# NOTE(review): `generate` is a VyOS operational-mode command, not a program; if it is not found
# inside the root shell opened by `sudo su`, run it from the normal VyOS prompt instead and
# `sudo chmod` the file afterwards.
sudo su
# VyOS 1.2/1.3 syntax; writes an OpenVPN static key.
generate openvpn key /config/auth/vtun0-secret
# The key file is the tunnel's only credential (no certificates, no forward secrecy): anyone who
# can read it can impersonate either end and decrypt captured traffic. Root-only access.
chmod 600 /config/auth/vtun0-secret
exit
On VyOS 1.4, or if `generate openvpn key` is not available on your release, use one of the following instead (run only one of them — both write the same file):
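sudo su
# OpenVPN >= 2.5 syntax (older builds: `openvpn --genkey --secret <file>`). Alternatively, from the
# VyOS 1.4 operational-mode prompt: `generate pki openvpn shared-secret file /config/auth/vtun0-secret`
# — run one of the two, not both, as the second simply overwrites the first.
openvpn --genkey secret /config/auth/vtun0-secret
# The key file is the tunnel's only credential (no certificates, no forward secrecy): anyone who
# can read it can impersonate either end and decrypt captured traffic. Root-only access.
chmod 600 /config/auth/vtun0-secret
exit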
Copy that file to the same location on the remote OpenVPN server over an authenticated channel (e.g. `scp` over SSH) and `chmod 600` it there as well. It is the only credential protecting the tunnel, so never send it by e-mail or chat and don't leave it on a post-it; keep a reminder of where it lives, and rotate it by regenerating it on both sides.
==Configure OpenVPN Interface==
# Static-key (pre-shared secret) point-to-point tunnel: no TLS, no certificates and no forward
# secrecy — anyone who obtains vtun0-secret can decrypt captured traffic.
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
# Presumably chosen to leave room for the OpenVPN/UDP overhead on the WAN path and avoid fragmentation.
set interfaces openvpn vtun0 openvpn-option '--tun-mtu 1436'
# Resolved through the name-servers configured above. A forged DNS answer can only redirect the
# tunnel to a peer that cannot pass the static-key HMAC, so it is a denial of service, not a hijack.
set interfaces openvpn vtun0 remote-host remote-openvpn-server.com
# Tunnel endpoint pair (swapped on the remote side).
set interfaces openvpn vtun0 local-address 172.21.200.1
set interfaces openvpn vtun0 remote-address 172.21.200.2
set interfaces openvpn vtun0 shared-secret-key /config/auth/vtun0-secret
# Accept authenticated packets from a changed source IP/port so a peer behind a NAT whose mapping
# moves keeps working. Acceptable here only because every packet carries the static-key HMAC.
set interfaces openvpn vtun0 openvpn-option "--float"
# Keepalive every 10 s, restart the tunnel after 20 s of silence; also keeps the initiating
# side's NAT mapping alive.
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun0 openvpn-option "--ping-timer-rem"
# Needed together with the privilege drop below: after switching to nobody/nogroup the process
# can no longer reopen the tun device or re-read the key file, so both survive a restart.
set interfaces openvpn vtun0 openvpn-option "--persist-tun"
set interfaces openvpn vtun0 openvpn-option "--persist-key"
# Drop root once the tunnel is up, so OpenVPN's packet handling runs unprivileged.
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
# AES-256 (VyOS's `aes256` keyword, i.e. CBC) with an SHA-512 HMAC.
# NOTE(review): to my knowledge OpenVPN rejects AEAD ciphers (AES-GCM) in static-key mode, so this
# CBC+HMAC pairing is the right choice here; moving to GCM means moving to TLS/certificate mode.
set interfaces openvpn vtun0 encryption cipher aes256
set interfaces openvpn vtun0 hash sha512
==Add Static Route for Remote Subnets==
# Send the remote site's range(s) into the tunnel. Replace 10.202.0.0/16 with the "subnets you'll
# be gaining access to" recorded above; once OSPF exchanges routes over vtun0 this is only needed for
# prefixes the far side does not advertise. (VyOS 1.4 spells this
# `set protocols static route <prefix> interface vtun0` — check your release.)
set protocols static interface-route 10.202.0.0/16 next-hop-interface vtun0
==Configure OSPF==
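set protocols ospf parameters router-id 10.221.24.20 ### Router ID, conventionally the IPv4 address of the interface that advertises routes
set protocols ospf passive-interface default ### All interfaces passive by default: no hellos are sent, so nothing on the LAN can form an adjacency
###set protocols ospf redistribute connected metric-type 2 ### Alternative: redistribute connected subnets instead of listing them with network statements
set protocols ospf area 0.0.0.0 area-type normal ### Set the OSPF area type
set protocols ospf area 0.0.0.0 authentication md5 ### Every interface in the area must present a matching MD5 key (the only cryptographic OSPFv2 option exposed here)
### OSPF only runs on interfaces whose address falls inside one of the area's network statements.
### The tunnel's point-to-point pair (172.21.200.1/.2 configured above) must therefore be included,
### otherwise vtun0 never sends hellos and no adjacency forms.
set protocols ospf area 0.0.0.0 network 172.21.200.0/30 ### Tunnel endpoints: enables OSPF on vtun0
set protocols ospf area 0.0.0.0 network 10.201.0.0/16 ### Local range(s) to advertise; replace with the subnets recorded above, e.g. 10.221.24.0/24
set protocols ospf passive-interface-exclude vtun0 ### Only the tunnel sends hellos / forms an adjacency
set interfaces openvpn vtun0 ip ospf network point-to-point ### No DR/BDR election on a point-to-point link
set interfaces openvpn vtun0 ip ospf cost 10
set interfaces openvpn vtun0 ip ospf dead-interval 40 ### Timers must match the remote side (dead = 4x hello)
set interfaces openvpn vtun0 ip ospf hello-interval 10
set interfaces openvpn vtun0 ip ospf priority 1
set interfaces openvpn vtun0 ip ospf retransmit-interval 5
set interfaces openvpn vtun0 ip ospf transmit-delay 1
### Replace the placeholder with a real secret shared with the remote side (OSPFv2 MD5 keys are at most
### 16 characters). It is stored in config.boot, so treat that file and its backups as sensitive.
set interfaces openvpn vtun0 ip ospf authentication md5 key-id 1 md5-key somekoolPassword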
====Create Firewall Zones====
# Zone-based policy: traffic between two zones is dropped unless a zone pair below names a
# ruleset that accepts it. (VyOS 1.4 moved this under `set firewall zone ...`.)
# LOCAL is the router itself — its own sockets: SSH, OpenVPN udp/1194, OSPF.
set zone-policy zone LOCAL description "this is VyOS or local device"
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL local-zone
set zone-policy zone MGMT_LAN description "Management LAN"
set zone-policy zone MGMT_LAN default-action drop
# The only NIC; the gateway-forwarded (WAN-originated) OpenVPN packets arrive here as well.
set zone-policy zone MGMT_LAN interface eth0
set zone-policy zone VTUN0 description "site 49 to site 48 OpenVPN VPN"
set zone-policy zone VTUN0 default-action drop
# Decrypted traffic from the remote site lands in this zone; treat it as a separate trust domain.
set zone-policy zone VTUN0 interface vtun0
====Firewall Zone Pairs====
Note: don't commit until you've put in the rules that still allow you access to the LOCAL device and for the LOCAL device to reply back. Also, in this example all traffic is generally allowed (rule 80 "Allow All"), including unrestricted access from the remote site into the management LAN; to be more restrictive remove rule 80 from each zone rule and add specific rules — at minimum tcp/22 (SSH) and udp/1194 (the OpenVPN port forwarded by the gateway) from MGMT_LAN to LOCAL, or your session and the tunnel will stop working. Rules are matched in ascending number order and the first match wins, so any rule numbered above an accept-all is never reached.
==MGMT_LAN to LOCAL==
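set firewall name MGMT_LAN_to_LOCAL description "allow traffic from MGMT_LAN to LOCAL zone"
# Log anything that falls through to the ruleset's implicit drop.
set firewall name MGMT_LAN_to_LOCAL enable-default-log
# Rules match in ascending number order, first match wins: the invalid-state drop has to sit
# before the accept-all, otherwise it is never evaluated.
set firewall name MGMT_LAN_to_LOCAL rule 10 description "Drop invalid"
set firewall name MGMT_LAN_to_LOCAL rule 10 action drop
set firewall name MGMT_LAN_to_LOCAL rule 10 state invalid enable
set firewall name MGMT_LAN_to_LOCAL rule 10 log disable
# Everything from the management LAN may reach the router itself. This is also the path your SSH
# session (tcp/22) and the gateway-forwarded OpenVPN packets (udp/1194) take — if you remove this
# rule, add explicit rules for both first.
set firewall name MGMT_LAN_to_LOCAL rule 80 description "Allow All"
set firewall name MGMT_LAN_to_LOCAL rule 80 action accept
set firewall name MGMT_LAN_to_LOCAL rule 80 log disable
set zone-policy zone LOCAL from MGMT_LAN firewall name MGMT_LAN_to_LOCAL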
==LOCAL to MGMT_LAN==
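set firewall name LOCAL_to_MGMT_LAN description "filter traffic from LOCAL to MGMT_LAN zone"
set firewall name LOCAL_to_MGMT_LAN enable-default-log
# Ordered so every rule can actually be hit: invalid first, then replies, then the blanket accept.
# A rule numbered above an accept-all is never reached.
set firewall name LOCAL_to_MGMT_LAN rule 10 description "Drop invalid"
set firewall name LOCAL_to_MGMT_LAN rule 10 action drop
set firewall name LOCAL_to_MGMT_LAN rule 10 state invalid enable
set firewall name LOCAL_to_MGMT_LAN rule 10 log disable
set firewall name LOCAL_to_MGMT_LAN rule 20 description "Allow established/related"
set firewall name LOCAL_to_MGMT_LAN rule 20 action accept
set firewall name LOCAL_to_MGMT_LAN rule 20 state established enable
set firewall name LOCAL_to_MGMT_LAN rule 20 state related enable
set firewall name LOCAL_to_MGMT_LAN rule 20 log disable
# Router-originated traffic to the LAN (DNS, NTP, the OpenVPN packets towards the gateway).
# Remove to restrict; rule 1060 below is what keeps OSPF working once you do.
set firewall name LOCAL_to_MGMT_LAN rule 80 description "Allow All"
set firewall name LOCAL_to_MGMT_LAN rule 80 action accept
set firewall name LOCAL_to_MGMT_LAN rule 80 log disable
set firewall name LOCAL_to_MGMT_LAN rule 1060 description "Allow OSPF"
set firewall name LOCAL_to_MGMT_LAN rule 1060 action accept
set firewall name LOCAL_to_MGMT_LAN rule 1060 protocol ospf
set firewall name LOCAL_to_MGMT_LAN rule 1060 state new enable
set firewall name LOCAL_to_MGMT_LAN rule 1060 log disable
set zone-policy zone MGMT_LAN from LOCAL firewall name LOCAL_to_MGMT_LAN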
==LOCAL to VTUN0==
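set firewall name LOCAL_to_VTUN0 description "Allow all traffic from LOCAL to VTUN0 zone"
set firewall name LOCAL_to_VTUN0 enable-default-log
# Invalid-state drop first so the accept-all below cannot shadow it.
set firewall name LOCAL_to_VTUN0 rule 10 description "Drop invalid"
set firewall name LOCAL_to_VTUN0 rule 10 action drop
set firewall name LOCAL_to_VTUN0 rule 10 state invalid enable
set firewall name LOCAL_to_VTUN0 rule 10 log disable
# Router-originated traffic into the tunnel (OSPF hellos, ping). The reverse direction
# (VTUN0_to_LOCAL) is deliberately much tighter.
set firewall name LOCAL_to_VTUN0 rule 80 description "Allow All"
set firewall name LOCAL_to_VTUN0 rule 80 action accept
set firewall name LOCAL_to_VTUN0 rule 80 log disable
set zone-policy zone VTUN0 from LOCAL firewall name LOCAL_to_VTUN0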
==VTUN0 to LOCAL==
# Traffic from the remote site addressed to the router itself: only replies, ping and OSPF.
# Nothing else (in particular no SSH) is reachable from the far side — keep it that way.
set firewall name VTUN0_to_LOCAL description "filter traffic from VTUN0 to LOCAL zone"
set firewall name VTUN0_to_LOCAL enable-default-log
set firewall name VTUN0_to_LOCAL rule 100 description "Allow established/related"
set firewall name VTUN0_to_LOCAL rule 100 action accept
set firewall name VTUN0_to_LOCAL rule 100 state established enable
set firewall name VTUN0_to_LOCAL rule 100 state related enable
set firewall name VTUN0_to_LOCAL rule 100 log disable
set firewall name VTUN0_to_LOCAL rule 200 description "Drop invalid"
set firewall name VTUN0_to_LOCAL rule 200 action drop
set firewall name VTUN0_to_LOCAL rule 200 state invalid enable
set firewall name VTUN0_to_LOCAL rule 200 log disable
# Echo requests only, so the far side can check reachability of the tunnel endpoint.
set firewall name VTUN0_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name VTUN0_to_LOCAL rule 1020 action accept
set firewall name VTUN0_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name VTUN0_to_LOCAL rule 1020 protocol icmp
set firewall name VTUN0_to_LOCAL rule 1020 state new enable
set firewall name VTUN0_to_LOCAL rule 1020 log disable
# OSPF hellos/LSAs from the peer; the adjacency itself is further protected by the MD5 key above.
set firewall name VTUN0_to_LOCAL rule 1060 description "Allow OSPF"
set firewall name VTUN0_to_LOCAL rule 1060 action accept
set firewall name VTUN0_to_LOCAL rule 1060 protocol ospf
set firewall name VTUN0_to_LOCAL rule 1060 state new enable
set firewall name VTUN0_to_LOCAL rule 1060 log disable
set zone-policy zone LOCAL from VTUN0 firewall name VTUN0_to_LOCAL
==VTUN0 to MGMT_LAN==
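set firewall name VTUN0_to_MGMT_LAN description "filter traffic from VTUN0 to MGMT_LAN zone"
set firewall name VTUN0_to_MGMT_LAN enable-default-log
# Invalid first, then replies, then the blanket accept — a rule numbered above an accept-all is never reached.
set firewall name VTUN0_to_MGMT_LAN rule 10 description "Drop invalid"
set firewall name VTUN0_to_MGMT_LAN rule 10 action drop
set firewall name VTUN0_to_MGMT_LAN rule 10 state invalid enable
set firewall name VTUN0_to_MGMT_LAN rule 10 log disable
set firewall name VTUN0_to_MGMT_LAN rule 20 description "Allow established/related"
set firewall name VTUN0_to_MGMT_LAN rule 20 action accept
set firewall name VTUN0_to_MGMT_LAN rule 20 state established enable
set firewall name VTUN0_to_MGMT_LAN rule 20 state related enable
set firewall name VTUN0_to_MGMT_LAN rule 20 log disable
# Trust decision: with this rule the remote site has unrestricted access to the management LAN, so a
# compromise there (or of the shared key) becomes a compromise here. Replace it with rules for the
# specific hosts and ports the other site actually needs.
set firewall name VTUN0_to_MGMT_LAN rule 80 description "Allow All"
set firewall name VTUN0_to_MGMT_LAN rule 80 action accept
set firewall name VTUN0_to_MGMT_LAN rule 80 log disable
# Kept so ping from the far site still works once rule 80 is removed.
set firewall name VTUN0_to_MGMT_LAN rule 1020 description "Allow ICMP"
set firewall name VTUN0_to_MGMT_LAN rule 1020 action accept
set firewall name VTUN0_to_MGMT_LAN rule 1020 icmp type-name echo-request
set firewall name VTUN0_to_MGMT_LAN rule 1020 protocol icmp
set firewall name VTUN0_to_MGMT_LAN rule 1020 state new enable
set firewall name VTUN0_to_MGMT_LAN rule 1020 log disable
set zone-policy zone MGMT_LAN from VTUN0 firewall name VTUN0_to_MGMT_LAN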
==MGMT_LAN to VTUN0==
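set firewall name MGMT_LAN_to_VTUN0 description "filter traffic from MGMT_LAN to VTUN0 zone"
set firewall name MGMT_LAN_to_VTUN0 enable-default-log
# Invalid first, then replies, then the blanket accept — a rule numbered above an accept-all is never reached.
set firewall name MGMT_LAN_to_VTUN0 rule 10 description "Drop invalid"
set firewall name MGMT_LAN_to_VTUN0 rule 10 action drop
set firewall name MGMT_LAN_to_VTUN0 rule 10 state invalid enable
set firewall name MGMT_LAN_to_VTUN0 rule 10 log disable
set firewall name MGMT_LAN_to_VTUN0 rule 20 description "Allow established/related"
set firewall name MGMT_LAN_to_VTUN0 rule 20 action accept
set firewall name MGMT_LAN_to_VTUN0 rule 20 state established enable
set firewall name MGMT_LAN_to_VTUN0 rule 20 state related enable
set firewall name MGMT_LAN_to_VTUN0 rule 20 log disable
# Everything from the management LAN may be sent into the tunnel; whether the far side accepts it
# is up to its own VTUN0 policy. Narrow this to the remote subnets/ports you actually use.
set firewall name MGMT_LAN_to_VTUN0 rule 80 description "Allow All"
set firewall name MGMT_LAN_to_VTUN0 rule 80 action accept
set firewall name MGMT_LAN_to_VTUN0 rule 80 log disable
# Kept so ping into the remote site still works once rule 80 is removed.
set firewall name MGMT_LAN_to_VTUN0 rule 1020 description "Allow ICMP"
set firewall name MGMT_LAN_to_VTUN0 rule 1020 action accept
set firewall name MGMT_LAN_to_VTUN0 rule 1020 icmp type-name echo-request
set firewall name MGMT_LAN_to_VTUN0 rule 1020 protocol icmp
set firewall name MGMT_LAN_to_VTUN0 rule 1020 state new enable
set firewall name MGMT_LAN_to_VTUN0 rule 1020 log disable
set zone-policy zone VTUN0 from MGMT_LAN firewall name MGMT_LAN_to_VTUN0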