
This document sets up an internal OpenVPN site-to-site server on VyOS. The install is virtualized and has a single Ethernet interface.

Note: only one of the two servers needs a port opened/forwarded on its firewall for this to work, though opening the port on both ends also works.

Note: if this is done on the main gateway of a network, no routes beyond those listed below are needed. If it is a stand-alone OpenVPN server behind the main gateway, static routes must be added on the default gateway for every subnet on the other side of the tunnel, with the OpenVPN server's IP as the next-hop address.

Initial Setup

https://docs.vyos.io/en/equuleus/installation/install.html

Initial Configuration

Set IP and Enable SSH

### Enter configuration mode; nothing below takes effect until `commit`, and `save` persists it across reboots.
configure
### Management address on the only NIC; the default route added later points at .1 in this subnet.
set interfaces ethernet eth0 address 10.221.24.20/24
### SSH on the standard port. No zone policy exists at this point, so nothing on this page filters who can reach it until the firewall section further down is committed.
set service ssh port 22
commit
save
Create New Admin User
### NOTE(review): the password is typed in clear on the command line, so it lands in the config-shell history; VyOS keeps a hash after commit (verify on your release), but `encrypted-password <hash>` avoids the clear-text copy entirely. Replace mysecurepassword with a strong, unique value.
set system login user myvyosuser authentication plaintext-password mysecurepassword

Log out, log back in with the new account, then delete the default account:

### Only after the new admin login has been verified: removes the built-in account so its default credentials stop working.
delete system login user vyos
Set Time and Date

Set timezone

set system time-zone America/Los_Angeles
commit
### Drops into a root shell on the underlying system.
sudo su
### NOTE(review): `set date` is a VyOS operational-mode command; in the root bash shell opened above, a bare `set` is the shell builtin and does not touch the clock. Confirm with `date` afterwards, or run this step from operational mode; the NTP server configured below corrects the clock once it is reachable.
set date mmddhhmmyyyy
exit
Configure Misc Base Settings
set system host-name wpnsec01
set system domain-name yourdomain.com
### NOTE(review): second time-zone value on this page (America/Los_Angeles was set earlier); both name the same zone and the later `set` replaces the earlier one, so keep just one of them.
set system time-zone US/Pacific
### Public resolvers and the public NTP pool; swap for internal ones if the management LAN provides them.
set system name-server 1.1.1.1
set system name-server 9.9.9.9
set system ntp server pool.ntp.org
### Pre-login notice. The inner double quotes around support@domain.com close and reopen the outer string in the bash-based config shell, so they are stripped from the stored banner; escape them (\") if they should be displayed.
set system login banner pre-login "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED\n\n\t Please contact "support@domain.com" to gain\n\taccess to this equipment if you need authorization.\n\n\n"
Configure Interfaces
### Label only. eth0 is the sole interface on this build and is placed in zone MGMT_LAN in the firewall section.
set interfaces ethernet eth0 description "Management LAN"
Set Default Route
### Everything without a more specific route leaves via the management LAN gateway; traffic for the remote site is steered into vtun0 by the interface-route added after the tunnel section.
set protocols static route 0.0.0.0/0 next-hop 10.221.24.1
Create OpenVPN Key
sudo su
### Generates the static pre-shared key that is the tunnel's only authentication in this site-to-site setup (referenced by shared-secret-key below); handle it like a password.
generate openvpn key /config/auth/vtun0-secret
### Root-only read/write. OpenVPN reads it at start-up before dropping to nobody/nogroup; persist-key (below) keeps it in memory across tunnel restarts.
chmod 600 /config/auth/vtun0-secret
exit

Or, if that does not work on your release:

sudo su
### Both generators below write the same path; run whichever your release supports, not both, since the second overwrites the first.
openvpn --genkey secret /config/auth/vtun0-secret
generate pki openvpn shared-secret file /config/auth/vtun0-secret
### Root-only read/write, as in the first variant.
chmod 600 /config/auth/vtun0-secret
exit

Copy that file to the same location on your remote OpenVPN server (both ends must use the identical key), and leave yourself a reminder to do so…

Configure OpenVPN Interface
### Point-to-point tunnel authenticated only by the static key referenced below; no PKI, so the key file must be identical on both ends.
set interfaces openvpn vtun0 mode site-to-site
### Port 1194 on both sides; this is the port one of the two gateways forwards (see the intro note).
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
### Tunnel MTU lowered below 1500 to leave room for encapsulation; tune to your path if you see fragmentation.
set interfaces openvpn vtun0 openvpn-option '--tun-mtu 1436'
### Placeholder — the peer's public name or address.
set interfaces openvpn vtun0 remote-host remote-openvpn-server.com
### Tunnel endpoint addresses; swap local/remote on the other server.
set interfaces openvpn vtun0 local-address 172.21.200.1
set interfaces openvpn vtun0 remote-address 172.21.200.2
set interfaces openvpn vtun0 shared-secret-key /config/auth/vtun0-secret
### NOTE(review): --float accepts packets from the peer even when its source address/port changes (useful behind NAT or a dynamic IP). Every packet is still authenticated by the static key, but drop this option if the remote address is fixed.
set interfaces openvpn vtun0 openvpn-option "--float"
### Keepalive: ping every 10 s, restart the tunnel after 20 s of silence; --ping-timer-rem only arms the timer once the peer's address is known.
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun0 openvpn-option "--ping-timer-rem"
### Keep the tun device and the key across the restarts above so they need not be reopened as root.
set interfaces openvpn vtun0 openvpn-option "--persist-tun"
set interfaces openvpn vtun0 openvpn-option "--persist-key"
### Drop root after start-up; relies on the two persist options above.
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
### Data-channel cipher and HMAC; must be identical on the peer.
set interfaces openvpn vtun0 encryption cipher aes256
set interfaces openvpn vtun0 hash sha512
Add Static Route for Remote Subnets
### The remote site's LAN goes into the tunnel; add one line per remote subnet, or let the OSPF section below learn them.
set protocols static interface-route 10.202.0.0/16 next-hop-interface vtun0
Configure OSPF
set protocols ospf parameters router-id 10.221.24.20 ### Set your router id, normally the IPv4 address of the interface that is going to advertise routes

set protocols ospf passive-interface default ### Set all interfaces to passive by default so they don't send OSPF hellos/advertisements; only vtun0 is excluded below

###set protocols ospf redistribute connected metric-type 2 ### Redistribute the connected interface subnets in OSPF advertisements (left disabled here)

set protocols ospf area 0.0.0.0 area-type normal ### Set the OSPF area type

set protocols ospf area 0.0.0.0 authentication md5 ### Set the authentication type; every interface in the area then needs an md5 key (vtun0 gets one below)

### NOTE(review): eth0 (10.221.24.0/24) and vtun0 (172.21.200.1/.2) are not inside 10.201.0.0/16, so as written this statement does not appear to place either interface in area 0.0.0.0; confirm the prefix covers the subnet(s) that should actually run OSPF.
set protocols ospf area 0.0.0.0 network 10.201.0.0/16 ### Set network that will be advertised by area 0.0.0.0

set protocols ospf passive-interface-exclude vtun0 ### Allow OSPF advertisements on this specific interface
set interfaces openvpn vtun0 ip ospf network point-to-point
set interfaces openvpn vtun0 ip ospf cost 10
### Timers: hello and dead intervals must match on both ends of the tunnel (dead is conventionally 4x hello).
set interfaces openvpn vtun0 ip ospf dead-interval 40
set interfaces openvpn vtun0 ip ospf hello-interval 10
set interfaces openvpn vtun0 ip ospf priority 1
set interfaces openvpn vtun0 ip ospf retransmit-interval 5
set interfaces openvpn vtun0 ip ospf transmit-delay 1
### NOTE(review): somekoolPassword is a placeholder — replace it with a strong, unique key before commit and configure the same key-id/key on the peer. The key presumably sits in clear text in the saved configuration, so treat config backups as sensitive.
set interfaces openvpn vtun0 ip ospf authentication md5 key-id 1 md5-key somekoolPassword

Create Firewall Zones

### LOCAL is the router itself (local-zone). For every zone, traffic from a zone pair that has no firewall name bound below falls to default-action drop.
set zone-policy zone LOCAL description "this is VyOS or local device"
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL local-zone

set zone-policy zone MGMT_LAN description "Management LAN"
set zone-policy zone MGMT_LAN default-action drop
set zone-policy zone MGMT_LAN interface eth0

### Traffic arriving through the tunnel is its own zone, so the remote site is filtered separately from the local LAN.
set zone-policy zone VTUN0 description "site 49 to site 48 OpenVPN VPN"
set zone-policy zone VTUN0 default-action drop
set zone-policy zone VTUN0 interface vtun0

Firewall Zone Pairs

Note: do not commit until you have entered the rules that still allow you to reach the LOCAL device and let the LOCAL device reply. Also, in this example nearly all traffic is allowed; to be more restrictive, remove rule 80 from each rule set (it accepts everything before the later, more specific rules are evaluated) and add specific rules.

MGMT_LAN to LOCAL
### Management LAN -> router (SSH and the OpenVPN listener arrive here). Rules are evaluated in ascending number order: rule 80 accepts everything, so rule 200 never matches while 80 is present (the note above says to remove 80 to tighten this).
set firewall name MGMT_LAN_to_LOCAL description "allow traffic from MGMT_LAN to LOCAL zone"
### Log whatever falls through to the rule set's default action (drop unless set otherwise).
set firewall name MGMT_LAN_to_LOCAL enable-default-log
set firewall name MGMT_LAN_to_LOCAL rule 80 description "Allow All"
set firewall name MGMT_LAN_to_LOCAL rule 80 action accept
set firewall name MGMT_LAN_to_LOCAL rule 80 log disable
set firewall name MGMT_LAN_to_LOCAL rule 200 description "Drop invalid"
set firewall name MGMT_LAN_to_LOCAL rule 200 action drop
set firewall name MGMT_LAN_to_LOCAL rule 200 state invalid enable
set firewall name MGMT_LAN_to_LOCAL rule 200 log disable
### Binds the rule set to the zone pair: traffic from MGMT_LAN entering LOCAL.
set zone-policy zone LOCAL from MGMT_LAN firewall name MGMT_LAN_to_LOCAL
LOCAL to MGMT_LAN
### Router -> management LAN. Rule 80 accepts everything first, so rules 100, 200 and 1060 are only reached once 80 is removed; they are what keeps replies and OSPF working in the restrictive variant.
set firewall name LOCAL_to_MGMT_LAN description "filter traffic from LOCAL to MGMT_LAN zone"
set firewall name LOCAL_to_MGMT_LAN enable-default-log
set firewall name LOCAL_to_MGMT_LAN rule 80 description "Allow All"
set firewall name LOCAL_to_MGMT_LAN rule 80 action accept
set firewall name LOCAL_to_MGMT_LAN rule 80 log disable
set firewall name LOCAL_to_MGMT_LAN rule 100 description "Allow established/related"
set firewall name LOCAL_to_MGMT_LAN rule 100 action accept
set firewall name LOCAL_to_MGMT_LAN rule 100 state established enable
set firewall name LOCAL_to_MGMT_LAN rule 100 state related enable
set firewall name LOCAL_to_MGMT_LAN rule 100 log disable
set firewall name LOCAL_to_MGMT_LAN rule 200 description "Drop invalid"
set firewall name LOCAL_to_MGMT_LAN rule 200 action drop
set firewall name LOCAL_to_MGMT_LAN rule 200 state invalid enable
set firewall name LOCAL_to_MGMT_LAN rule 200 log disable
### OSPF hellos originated by this router toward eth0; only relevant if eth0 is ever taken out of passive mode.
set firewall name LOCAL_to_MGMT_LAN rule 1060 description "Allow OSPF"
set firewall name LOCAL_to_MGMT_LAN rule 1060 action accept
set firewall name LOCAL_to_MGMT_LAN rule 1060 protocol ospf
set firewall name LOCAL_to_MGMT_LAN rule 1060 state new enable
set firewall name LOCAL_to_MGMT_LAN rule 1060 log disable
set zone-policy zone MGMT_LAN from LOCAL firewall name LOCAL_to_MGMT_LAN
LOCAL to VTUN0
### Router -> tunnel. Rule 80 accepts everything, so rule 200 is shadowed while 80 is present; there is no established/related or OSPF rule here, so removing 80 also needs those added (compare LOCAL_to_MGMT_LAN).
set firewall name LOCAL_to_VTUN0 description "Allow all traffic from LOCAL to VTUN0 zone"
set firewall name LOCAL_to_VTUN0 enable-default-log
set firewall name LOCAL_to_VTUN0 rule 80 description "Allow All"
set firewall name LOCAL_to_VTUN0 rule 80 action accept
set firewall name LOCAL_to_VTUN0 rule 80 log disable
set firewall name LOCAL_to_VTUN0 rule 200 description "Drop invalid"
set firewall name LOCAL_to_VTUN0 rule 200 action drop
set firewall name LOCAL_to_VTUN0 rule 200 state invalid enable
set firewall name LOCAL_to_VTUN0 rule 200 log disable
set zone-policy zone VTUN0 from LOCAL firewall name LOCAL_to_VTUN0
VTUN0 to LOCAL
### Tunnel -> router. This is the one rule set without an allow-all: the remote site may only get replies, ICMP echo-request and OSPF to this router; anything else (SSH from the far side included) hits the default action and is logged.
set firewall name VTUN0_to_LOCAL description "filter traffic from VTUN0 to LOCAL zone"
set firewall name VTUN0_to_LOCAL enable-default-log
set firewall name VTUN0_to_LOCAL rule 100 description "Allow established/related"
set firewall name VTUN0_to_LOCAL rule 100 action accept
set firewall name VTUN0_to_LOCAL rule 100 state established enable
set firewall name VTUN0_to_LOCAL rule 100 state related enable
set firewall name VTUN0_to_LOCAL rule 100 log disable
set firewall name VTUN0_to_LOCAL rule 200 description "Drop invalid"
set firewall name VTUN0_to_LOCAL rule 200 action drop
set firewall name VTUN0_to_LOCAL rule 200 state invalid enable
set firewall name VTUN0_to_LOCAL rule 200 log disable
### Only echo-request is admitted, so the router can be pinged from the far site for reachability checks.
set firewall name VTUN0_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name VTUN0_to_LOCAL rule 1020 action accept
set firewall name VTUN0_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name VTUN0_to_LOCAL rule 1020 protocol icmp
set firewall name VTUN0_to_LOCAL rule 1020 state new enable
set firewall name VTUN0_to_LOCAL rule 1020 log disable
### Required for the OSPF adjacency over vtun0 configured above; the md5 key on the interface is what authenticates these packets.
set firewall name VTUN0_to_LOCAL rule 1060 description "Allow OSPF"
set firewall name VTUN0_to_LOCAL rule 1060 action accept
set firewall name VTUN0_to_LOCAL rule 1060 protocol ospf
set firewall name VTUN0_to_LOCAL rule 1060 state new enable
set firewall name VTUN0_to_LOCAL rule 1060 log disable
set zone-policy zone LOCAL from VTUN0 firewall name VTUN0_to_LOCAL
VTUN0 to MGMT_LAN
### Tunnel -> management LAN. Rule 80 accepts everything from the remote site into the LAN; rules 100, 200 and 1020 only take effect once 80 is removed. Rule 100 has no description here, unlike the other rule sets.
set firewall name VTUN0_to_MGMT_LAN description "filter traffic from VTUN0 to MGMT_LAN zone"
set firewall name VTUN0_to_MGMT_LAN enable-default-log
set firewall name VTUN0_to_MGMT_LAN rule 80 description "Allow All"
set firewall name VTUN0_to_MGMT_LAN rule 80 action accept
set firewall name VTUN0_to_MGMT_LAN rule 80 log disable
set firewall name VTUN0_to_MGMT_LAN rule 100 action accept
set firewall name VTUN0_to_MGMT_LAN rule 100 state established enable
set firewall name VTUN0_to_MGMT_LAN rule 100 state related enable
set firewall name VTUN0_to_MGMT_LAN rule 100 log disable
set firewall name VTUN0_to_MGMT_LAN rule 200 description "Drop invalid"
set firewall name VTUN0_to_MGMT_LAN rule 200 action drop
set firewall name VTUN0_to_MGMT_LAN rule 200 state invalid enable
set firewall name VTUN0_to_MGMT_LAN rule 200 log disable
set firewall name VTUN0_to_MGMT_LAN rule 1020 description "Allow ICMP"
set firewall name VTUN0_to_MGMT_LAN rule 1020 action accept
set firewall name VTUN0_to_MGMT_LAN rule 1020 icmp type-name echo-request
set firewall name VTUN0_to_MGMT_LAN rule 1020 protocol icmp
set firewall name VTUN0_to_MGMT_LAN rule 1020 state new enable
set firewall name VTUN0_to_MGMT_LAN rule 1020 log disable
set zone-policy zone MGMT_LAN from VTUN0 firewall name VTUN0_to_MGMT_LAN
MGMT_LAN to VTUN0
### Management LAN -> tunnel. Mirror of VTUN0_to_MGMT_LAN: rule 80 accepts everything, shadowing 100, 200 and 1020 until it is removed. Rule 100 has no description here either.
set firewall name MGMT_LAN_to_VTUN0 description "filter traffic from MGMT_LAN to VTUN0 zone"
set firewall name MGMT_LAN_to_VTUN0 enable-default-log
set firewall name MGMT_LAN_to_VTUN0 rule 80 description "Allow All"
set firewall name MGMT_LAN_to_VTUN0 rule 80 action accept
set firewall name MGMT_LAN_to_VTUN0 rule 80 log disable
set firewall name MGMT_LAN_to_VTUN0 rule 100 action accept
set firewall name MGMT_LAN_to_VTUN0 rule 100 state established enable
set firewall name MGMT_LAN_to_VTUN0 rule 100 state related enable
set firewall name MGMT_LAN_to_VTUN0 rule 100 log disable
set firewall name MGMT_LAN_to_VTUN0 rule 200 description "Drop invalid"
set firewall name MGMT_LAN_to_VTUN0 rule 200 action drop
set firewall name MGMT_LAN_to_VTUN0 rule 200 state invalid enable
set firewall name MGMT_LAN_to_VTUN0 rule 200 log disable
set firewall name MGMT_LAN_to_VTUN0 rule 1020 description "Allow ICMP"
set firewall name MGMT_LAN_to_VTUN0 rule 1020 action accept
set firewall name MGMT_LAN_to_VTUN0 rule 1020 icmp type-name echo-request
set firewall name MGMT_LAN_to_VTUN0 rule 1020 protocol icmp
set firewall name MGMT_LAN_to_VTUN0 rule 1020 state new enable
set firewall name MGMT_LAN_to_VTUN0 rule 1020 log disable
set zone-policy zone VTUN0 from MGMT_LAN firewall name MGMT_LAN_to_VTUN0