Working with VyOS (SEC 350) - Chromosom3/TechNotes GitHub Wiki
Intro
VyOS is an open source network operating system based on Debian. VyOS provides a free routing platform that competes directly with other commercially available solutions from well known network providers. (Wikipedia)
Website: https://vyos.io/
Documentation: https://docs.vyos.io/en/latest/
VyOS Command Line Interface
VyOS, like the Cisco CLI, has multiple command modes. The two command modes in VyOS are operational and configuration mode. Operational mode is indicated by the prompt `$`, configuration mode by `#`. To switch from operational mode to configuration mode, enter `configure`; to leave configuration mode and return to operational mode, simply type `exit`.
| Prompt | Mode |
|---|---|
| `vyos@vyos:~$` | Operational Mode |
| `vyos@vyos:~#` | Configuration Mode |
VyOS Configurations
There are three types of configurations in VyOS. The first is the active configuration: the configuration currently in use on the system, comparable to the Cisco running configuration. The second is the working configuration: the one currently being edited in configuration mode. It does not take effect until the `commit` command is run; once it is, the working configuration replaces the active configuration. The third is the saved configuration, which is loaded at boot. Once you confirm that changes to the running config work as expected, you can issue the `save` command to write the configuration to the default location, `/config/config.boot`. You can also give the `save` command another location to write the file to.
Setting Up VyOS
Running `install image` from the live boot installs VyOS to the disk.
For this lab our VyOS machine will have three network interfaces, each running on a different network. We will set up this machine to route traffic and allow DNS forwarding. The first thing we will need to do is set the system hostname so we know what machine we are working on. To do this run the commands below from the operational mode.
```
configure
set system host-name fw01-dylan
commit
save
exit
```
The above commands will enter configuration mode, set the system hostname, copy the working configuration to active, copy the active configuration to the default one, and then exit the configure mode.
Next, we will want to configure our interfaces. Using the `show interfaces` command we could see that all three interfaces on the system needed adjusting. When we were provided the system, the first and second interfaces were set to use DHCP. We want to change that to static addresses. We will also set descriptions on each interface to help us keep track of which is which. Run the following commands from operational mode.
```
configure
delete interfaces ethernet eth0 address dhcp
delete interfaces ethernet eth1 address dhcp
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth1 description DYLAN-DMZ
set interfaces ethernet eth2 description DYLAN-LAN
set interfaces ethernet eth0 address 10.0.17.137/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save
```
The first section of the above commands enters configuration mode and then removes DHCP from the first two interfaces. This was not needed for eth2, as it had not been configured yet. The second section sets interface descriptions so we can track the purpose of each interface; in this configuration, each description matches the vSphere port group the interface is connected to. The third section sets the proper network address on each interface and then commits, making the working configuration the running config. Finally, it saves the running config as the default boot configuration.
Now that the networks are configured on the host, we will implement some routes. We will just be setting up a static default route. Our upstream gateway is on the SEC350-WAN network; its IP address is `10.0.17.2`. We will also use that host as our name server. To do this we will run the following commands from configuration mode.
```
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save
```
While remaining in the configuration mode we will run the following commands to configure NAT and DNS forwarding on the system.
```
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
commit
save
```
In the above commands, we create a new NAT source rule numbered 10 and set its description to "NAT FROM DMZ to WAN". Then we set the outbound interface to eth0 (our WAN network). We then set the source address of the traffic matched by this rule to the DMZ subnet. Finally, we set the translation to IP masquerading.
Note from the docs:

> NAT is configured entirely on a series of so called rules.
> Rules are numbered and evaluated by the underlying OS in numerical order!
> The rule numbers can be changed by utilizing the rename and copy commands.
The final thing we will set up (for now) is DNS forwarding. As it currently stands, we will not have DNS servers on these networks, so we will have the VyOS host act as a forwarder. Doing this is relatively simple; we will run the following commands from the configuration mode prompt.
```
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
set service dns forwarding system
commit
save
```
This will set up DNS forwarding for the DMZ network only.
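As an added sanity check (written for this page, not part of the wiki or of VyOS), the script below parses `set` lines in the form `show configuration commands` prints them and verifies three things about the routing, NAT and DNS forwarding configured above: the static next-hop sits on a connected subnet, the source NAT rule translates an inside subnet rather than the WAN, and the forwarder listens on and answers only DMZ/LAN addresses (a WAN listener would be an open resolver). The sample config and the `WAN = "eth0"` assumption are mine.

```python
import ipaddress
# Constructed sample: this page's `set` commands as `show configuration
# commands` would print them (addresses copied from the page).
PAGE_CONFIG = """
set interfaces ethernet eth0 address 10.0.17.137/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
"""
WAN = "eth0"  # assumption: the interface facing the upstream gateway

def parse(text):
    """Split each `set ...` line into words, dropping the leading `set`."""
    return [l.split()[1:] for l in text.splitlines() if l.startswith("set ")]

def iface_nets(cfg):
    """Map interface name -> connected networks (a `dhcp` address adds none)."""
    nets = {}
    for a in cfg:
        if len(a) == 5 and a[:2] == ["interfaces", "ethernet"] and a[3] == "address" and a[4] != "dhcp":
            nets.setdefault(a[2], []).append(ipaddress.ip_interface(a[4]).network)
    return nets

def owning_iface(nets, addr):
    """Interface whose connected subnet contains addr (host or prefix), else None."""
    x = ipaddress.ip_network(addr, strict=False)
    return next((n for n, v in nets.items() for net in v if x.subnet_of(net)), None)

def check_config(text, wan=WAN):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse(text)
    nets, findings = iface_nets(cfg), []
    for a in cfg:
        # a static next-hop outside every connected subnet can never be reached
        if len(a) == 6 and a[:3] == ["protocols", "static", "route"] and a[4] == "next-hop":
            if owning_iface(nets, a[5]) is None:
                findings.append(f"route {a[3]}: next-hop {a[5]} is not on a connected subnet")
        # source NAT should translate an inside subnet, never the WAN subnet itself
        elif len(a) == 7 and a[:3] == ["nat", "source", "rule"] and a[4:6] == ["source", "address"]:
            if owning_iface(nets, a[6]) in (None, wan):
                findings.append(f"nat rule {a[3]}: source {a[6]} is not an inside subnet")
        # the forwarder must listen on, and answer, inside addresses only
        elif len(a) == 5 and a[:3] == ["service", "dns", "forwarding"] and a[3] in ("listen-address", "allow-from"):
            if owning_iface(nets, a[4]) in (None, wan):
                findings.append(f"dns forwarding {a[3]} {a[4]}: exposed beyond DMZ/LAN")
    return findings
```

Feed it the output of `show configuration commands` (with the `WAN` name adjusted) before you `commit` a change to these sections; an empty result means the three checks passed.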
New Users in VyOS
We will want to create new user accounts for the system. We also want to change the default password for the VyOS user we were given. First, let's create a new user account. To do this we will run the following commands from operational mode.
```
configure
set system login user dylan full-name "Dylan Navarro"
set system login user dylan authentication plaintext-password examplepassword
commit
save
```
In addition to a password, we can also use SSH keys for authentication. To set this up we will run the following commands. For this example we will be using the SSH key `ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB [email protected]`. Replace this with your actual public key, and change `dylan` to the user you want to set the key for.
```
configure
set system login user dylan authentication public-keys rw01-key key AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB
set system login user dylan authentication public-keys rw01-key type ssh-rsa
commit
save
```
If you only want key-based authentication, you can run `set service ssh disable-password-authentication`.
To reset the password for the default user, we can run `set system login user vyos authentication plaintext-password examplepassword` from configuration mode.
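An added check for the login section (my code, not the wiki's or VyOS's): after disabling SSH password authentication, any account that has no public key, such as the default `vyos` user as configured on this page, can no longer log in over SSH. The script parses the login-related `set` lines and reports both that lockout risk and accounts still relying on a password alone; the sample config is constructed from the page, with the page's abbreviated key placeholder.

```python
# Constructed sample: the login-related `set` commands from this page, with
# the password-auth-disable line applied as the page suggests.
LOGIN_CONFIG = """
set system login user vyos authentication plaintext-password examplepassword
set system login user dylan full-name "Dylan Navarro"
set system login user dylan authentication plaintext-password examplepassword
set system login user dylan authentication public-keys rw01-key key AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB
set system login user dylan authentication public-keys rw01-key type ssh-rsa
set service ssh disable-password-authentication
"""

def login_report(text):
    """Return ({user: {"password": bool, "keys": [key names]}}, ssh_password_auth_disabled)."""
    users, pw_off = {}, False
    for line in text.splitlines():
        a = line.split()
        if a[:4] == ["set", "system", "login", "user"]:
            u = users.setdefault(a[4], {"password": False, "keys": []})
            # plaintext-password is what you type; the saved config stores encrypted-password
            if a[5:7] in (["authentication", "plaintext-password"], ["authentication", "encrypted-password"]):
                u["password"] = True
            elif a[5:7] == ["authentication", "public-keys"] and a[7] not in u["keys"]:
                u["keys"].append(a[7])
        elif a == ["set", "service", "ssh", "disable-password-authentication"]:
            pw_off = True
    return users, pw_off

def ssh_findings(text):
    """Flag users locked out of SSH (password auth off, no key) or reachable by password alone."""
    users, pw_off = login_report(text)
    out = []
    for name, u in users.items():
        if pw_off and not u["keys"]:
            out.append(f"{name}: password auth disabled and no public key, cannot log in over SSH")
        elif not pw_off and not u["keys"]:
            out.append(f"{name}: SSH login relies on the password alone; add a key and disable password auth")
    return out
```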
For more information on VyOS SSH authentication check out these two resources.