Networking: Infrastructure: VyOS - eliminmax/cncs-journal GitHub Wiki
- Configuration
Much like Cisco routers and switches, VyOS has a specific configuration mode, accessible with the `configure` command.
- Run the `configure` command.
- In configuration mode, run `commit`, then run `save`.
- To leave configuration mode, run `exit`.
Unless otherwise specified, run all of these in Configuration mode.
set system host-name <hostname>
set system login user <username> authentication plaintext-password <password>
- the VyOS docs explicitly state that passwords entered this way "will be automatically transferred into a secure hashed password and not saved anywhere in plaintext."
- if you'd rather not enter a visible plaintext password at all (and who could blame you), and have a hashed password available, you can replace the `plaintext-password <password>` part of the command with `encrypted-password <hashed-password>` (from the VyOS Docs).
set system login user <username> authentication public-keys <identifier> key <key>
If you do it this way and then update VyOS, it will delete your key from authorized keys.
(on the SSH client)
ssh-copy-id <username>@<address>
set system syslog host <address> facility <keyword> level <keyword>
set system syslog host <address> format <format>
set system syslog host <address> port <port>
For a list of keywords to use, see the VyOS Docs.
For example, to send kernel debug logs to a Graylog listener on 10.0.22.32 port 1514:
set system syslog host 10.0.22.32 facility kern level debug
set system syslog host 10.0.22.32 format octet-counted
set system syslog host 10.0.22.32 port 1514
VyOS does its own thing that's different enough from other Linux systems to justify a section in the general Linux: Setup: Hostname and Static IP page.
(I am not only writing this because I am supposed to have a single dedicated VyOS page on this wiki.)
For this example, I am using the interface eth0 connected to WAN, with the static IP address 203.0.113.5/24, the default gateway 203.0.113.1, and Cloudflare's 1.1.1.1 DNS server; and the interface eth1 connected to LAN, with the static IP address 10.10.40.1/24.
YOU MUST `commit` AND `save` FOR CHANGES TO TAKE EFFECT
- Disable DHCP on interface (if necessary)
delete interfaces ethernet eth0 address dhcp
delete interfaces ethernet eth1 address dhcp
- Set interface descriptions
set interfaces ethernet eth0 description WAN-IF
set interfaces ethernet eth1 description LAN-IF
- Set up IP addresses
set interfaces ethernet eth0 address 203.0.113.5/24
set interfaces ethernet eth1 address 10.10.40.1/24
- Set up default route and name server
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1
set system name-server 1.1.1.1
- NAT forwarding
set nat source rule 10 description "NAT from LAN to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.10.40.0/24
set nat source rule 10 translation address masquerade
- DNS forwarding
set service dns forwarding listen-address 10.10.40.1
set service dns forwarding allow-from 10.10.40.0/24
set service dns forwarding system
- Copy the URL for a build at vyos.net/get/nightly-builds/
- In VyOS, type the following, without pressing enter:
add system image
- Paste in the URL, press enter, follow the defaults, and reboot
For this section, I am building on the setup from the Routing section.
DOING THIS WILL ENABLE A BLOCK-BY-DEFAULT POLICY. Without defining firewall rules, this will effectively shut down any network that relies on this system.
set zone-policy zone WAN interface eth0
set zone-policy zone LAN interface eth1
- Define two firewall rule sets - allow LAN to WAN connections by default, block and log WAN to LAN connections by default:
set firewall name LAN-to-WAN default-action allow
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN enable-default-log
- Apply the new rules to the appropriate zones
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
- Allow TCP and UDP connections to 10.10.40.21 port 25565 - we want our pals to be able to access our Minecraft server, after all.
Disclaimer: This would require destination NAT, also known as port forwarding, in a real-world scenario, which I have added instructions for (see below)
set firewall name WAN-to-LAN rule 10 action accept
set firewall name WAN-to-LAN rule 10 destination address 10.10.40.21
set firewall name WAN-to-LAN rule 10 destination port 25565
set firewall name WAN-to-LAN rule 10 protocol tcp_udp
set firewall name WAN-to-LAN rule 10 description "Allow WAN access to Minecraft server on 10.10.40.21"
- Allow WAN-to-LAN connections if initiated by LAN
Often data needs to be sent bidirectionally. Currently, the outbound data will be allowed, but the inbound replies won't be; this is little better than being completely disconnected from the internet. Let's fix it:
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable
Don't forget to `commit` and `save`!
Say we wanted to connect a second private network (192.168.30.0/23, on eth0 on a new router) to the LAN used in previous examples, and configure routing between them. Here's how it would work:
To configure RIP, run the following on the original router:
set protocols rip interface eth1
# advertise the network
set protocols rip network 10.10.40.0/24
Similarly, on the new router, run the following
set protocols rip interface eth0
set protocols rip network 192.168.30.0/23
In configuration mode, you can run `save <path/to/file>`, `save scp://<user>:<pass>@<host>/<path/to/file>`, `save sftp://<user>:<pass>@<host>/<path/to/file>`, or `save tftp://<host>/file` to write the running config to that location instead of /config/config.boot. The remote host must have an SSH server or TFTP server running for those to work (see the VyOS Docs). You can also run `load <file>` (in configuration mode) to load a saved configuration from a file, or any of the following:
load scp://<user>:<passwd>@<host>/<path/to/file>
load sftp://<user>:<passwd>@<host>/<path/to/file>
load ftp://<host>/<path/to/file>
load http://<host>/<path/to/file>
load https://<host>/<path/to/file>
load tftp://<host>/<path/to/file>
Again, see the VyOS Docs
Building on [the above scenario], here's how to allow external access to a Minecraft server hosted on a private network:
Add the Destination NAT rules as follows:
set nat destination rule 10 description "Port forward to Minecraft server"
# eth0 is the WAN interface in this setup, so that is where the forwarded traffic arrives
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination port 25565
set nat destination rule 10 translation address 10.10.40.20
set nat destination rule 10 protocol tcp_udp
For more information, see this VyOS Knowledgebase article on the topic
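The destination NAT rule and the WAN-to-LAN firewall rule have to name the same LAN host, port and protocol, or the forward silently fails at the firewall. The following shell function is an added example, not code from the wiki: it emits both halves of a port forward from one set of arguments, assuming this page's layout (eth0 is WAN, the rule set is WAN-to-LAN); the function name gen_port_forward and its input checks are my own.

```shell
#!/bin/sh
# Added example: generate matching DNAT + zone-firewall commands for one
# port forward. Paste the output into VyOS configuration mode, then
# commit and save. Assumes eth0 = WAN and rule set WAN-to-LAN (this page).

WAN_IF="eth0"
FW_SET="WAN-to-LAN"

# usage: gen_port_forward <rule-number> <lan-host-ip> <port> <tcp|udp|tcp_udp> <label>
gen_port_forward() {
    rule="$1"; host="$2"; port="$3"; proto="$4"; label="$5"

    # Reject a non-numeric rule number, an out-of-range port, an unknown
    # protocol keyword, or a host that is not four dotted octets.
    case "$rule" in ''|*[!0-9]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp|tcp_udp) ;; *) return 1 ;; esac
    case "$host" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    [ "$(printf '%s' "$host" | tr -cd '.' | wc -c)" -eq 3 ] || return 1

    # DNAT half: rewrite the destination of traffic arriving on the WAN interface.
    printf 'set nat destination rule %s description "Port forward to %s"\n' "$rule" "$label"
    printf 'set nat destination rule %s inbound-interface %s\n' "$rule" "$WAN_IF"
    printf 'set nat destination rule %s destination port %s\n' "$rule" "$port"
    printf 'set nat destination rule %s protocol %s\n' "$rule" "$proto"
    printf 'set nat destination rule %s translation address %s\n' "$rule" "$host"

    # Firewall half: the zone rule sees the already-translated destination,
    # so it matches the LAN host and only that host and port, not the whole LAN.
    printf 'set firewall name %s rule %s action accept\n' "$FW_SET" "$rule"
    printf 'set firewall name %s rule %s destination address %s\n' "$FW_SET" "$rule" "$host"
    printf 'set firewall name %s rule %s destination port %s\n' "$FW_SET" "$rule" "$port"
    printf 'set firewall name %s rule %s protocol %s\n' "$FW_SET" "$rule" "$proto"
    printf 'set firewall name %s rule %s description "Allow WAN access to %s on %s"\n' \
        "$FW_SET" "$rule" "$label" "$host"
}

# The wiki's Minecraft server, using the host the firewall section names.
gen_port_forward 10 10.10.40.21 25565 tcp_udp "Minecraft server"
```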