How to configure site 2 site VPN with VyOS
Site2Site VPN Configuration
This document describes the configuration of a Site2Site VPN connection between an external router and an instance on EXOSCALE.
Steps:
- Align on security parameters with provider of external router
- Create Private Network on EXOSCALE portal
- Start new instance using “VyOS” template
- Configure VyOS and test connection
- Setup and test connection on target instance
Configuration on EXOSCALE:
Prerequisites:
- Pre-Shared-Secret: shared password for authentication
- VyOS 1.3 template
- Instance: Tiny with 10 GB
- SSH-Key
- Private Network - unmanaged
During the setup you have to use the following IP addresses:
- WAN-IP router
- Local IP router
- WAN-IP Exoscale
- Local IP Exoscale
Ports needed on Firewall settings:
- Either use the “Default” Security group or create a new group
- Add the following FW rules:
- 22 TCP – SSH
- 3389 TCP – RDP (if Windows server is used)
- 500 UDP – IPSec (IKE)
- 4500 UDP – IPSec NAT-T (ESP over UDP)
Create a Private Network
- Click on “Add Private Network” and select “manual”
Connecting to VyOS
- Use “Puttygen” to create an SSH keypair (public + private)
- Import Public Key to EXOSCALE
- Create instance in target zone (e.g. VIE) including SSH key and Security Group
- Connect to VyOS with Putty using the private SSH key
Configuration VyOS
- Enter “vyos” as user
- Enter “configure” to go to “Edit” (configuration) mode
- Enter the commands below; you can copy and paste each block
set system host-name 'vpn-endpoint'
set interfaces ethernet eth1 address '*Local IP Exoscale*'
IPSEC base config
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
IPSEC Phase 1
set vpn ipsec ike-group ike-local-remote close-action 'none'
set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-local-remote ikev2-reauth 'no'
set vpn ipsec ike-group ike-local-remote key-exchange 'xxx' (e.g. ikev2)
set vpn ipsec ike-group ike-local-remote lifetime 'xxx' (e.g. 86400)
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group 'XX' (e.g. 21)
set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec ike-group ike-local-remote proposal 1 hash 'xxx' (e.g. sha-512)
IPSEC Phase 2
set vpn ipsec esp-group esp-local-remote compression 'disable'
set vpn ipsec esp-group esp-local-remote lifetime 'xxx' (e.g. 3600)
set vpn ipsec esp-group esp-local-remote mode 'tunnel'
set vpn ipsec esp-group esp-local-remote pfs 'xxx' (e.g. dh-group21)
set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec esp-group esp-local-remote proposal 1 hash 'xxx' (e.g. sha1)
IPSEC site-to-site config
set vpn ipsec site-to-site peer *WAN-IP router* authentication id '*WAN-IP Exoscale*'
set vpn ipsec site-to-site peer *WAN-IP router* authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer *WAN-IP router* authentication pre-shared-secret 'xxx'
set vpn ipsec site-to-site peer *WAN-IP router* connection-type 'initiate'
set vpn ipsec site-to-site peer *WAN-IP router* default-esp-group 'esp-local-remote'
set vpn ipsec site-to-site peer *WAN-IP router* ike-group 'ike-local-remote'
set vpn ipsec site-to-site peer *WAN-IP router* ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer *WAN-IP router* local-address '*WAN-IP Exoscale*'
set vpn ipsec site-to-site peer *WAN-IP router* tunnel 0 local prefix '*Local IP Exoscale/Subnet*'
set vpn ipsec site-to-site peer *WAN-IP router* tunnel 0 remote prefix '*Local IP router/Subnet*'
Check status of VPN Tunnel
In order to check the status of the new VPN tunnel, type in (in operational mode, or prefixed with “run” from configuration mode):
*show vpn ipsec sa*
IPSEC static routes
To enable connections between devices in your local and remote network, you need to set a static route:
set protocols static route *Local IP router/Subnet* next-hop *Local IP Exoscale*
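The commands above can be generated and sanity-checked before they are pasted into VyOS. The Python script below is an added example, not part of this document or of VyOS: it takes the four addresses and the agreed security parameters, validates the prefixes and the pre-shared secret, rejects weak IKE/ESP choices (the weak-lists and the 20-character minimum are assumptions to adjust to what was agreed with the router provider) and returns the set commands for the ike-group, esp-group, peer and static route.

```python
import ipaddress
# Example weak-lists, not VyOS policy: tune them to the parameters agreed
# with the operator of the external router (first step of the procedure).
WEAK_ENC = {"des", "3des", "null"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2", "5"}  # MODP groups of 1536 bit or less

def site2site_commands(p: dict) -> list:
    """Return the VyOS 1.3 'set' lines for one tunnel; ValueError on unsafe input."""
    wan_router = ipaddress.ip_address(p["wan_router"])        # public IP of the router
    wan_exo = ipaddress.ip_address(p["wan_exo"])              # public IP of the instance
    local_exo = ipaddress.ip_interface(p["local_exo"])        # eth1 address, e.g. 10.0.0.1/24
    local_router = ipaddress.ip_interface(p["local_router"])  # remote LAN, e.g. 192.168.1.1/24
    if local_exo.network.overlaps(local_router.network):
        raise ValueError("local and remote prefixes overlap; the static route would be ambiguous")
    if len(p["psk"]) < 20:
        raise ValueError("pre-shared secret shorter than 20 characters")
    if (p["ike_enc"] in WEAK_ENC or p["esp_enc"] in WEAK_ENC
            or p["ike_hash"] in WEAK_HASH or p["esp_hash"] in WEAK_HASH
            or p["ike_dh"] in WEAK_DH or p["esp_pfs"].replace("dh-group", "") in WEAK_DH):
        raise ValueError("weak IKE/ESP proposal; re-align the security parameters first")
    ike = "set vpn ipsec ike-group ike-local-remote"
    esp = "set vpn ipsec esp-group esp-local-remote"
    peer = f"set vpn ipsec site-to-site peer {wan_router}"
    return [
        f"set interfaces ethernet eth1 address '{local_exo}'",
        f"{ike} key-exchange '{p['key_exchange']}'",
        f"{ike} proposal 1 dh-group '{p['ike_dh']}'",
        f"{ike} proposal 1 encryption '{p['ike_enc']}'",
        f"{ike} proposal 1 hash '{p['ike_hash']}'",
        f"{esp} pfs '{p['esp_pfs']}'",
        f"{esp} proposal 1 encryption '{p['esp_enc']}'",
        f"{esp} proposal 1 hash '{p['esp_hash']}'",
        f"{peer} authentication id '{wan_exo}'",
        f"{peer} authentication mode 'pre-shared-secret'",
        f"{peer} authentication pre-shared-secret '{p['psk']}'",
        f"{peer} default-esp-group 'esp-local-remote'",
        f"{peer} ike-group 'ike-local-remote'",
        f"{peer} local-address '{wan_exo}'",
        f"{peer} tunnel 0 local prefix '{local_exo.network}'",
        f"{peer} tunnel 0 remote prefix '{local_router.network}'",
        f"set protocols static route {local_router.network} next-hop {local_exo.ip}",
    ]

# Constructed sample using RFC 5737 documentation addresses, not a real site.
EXAMPLE = {"wan_router": "203.0.113.10", "wan_exo": "198.51.100.20",
           "local_exo": "10.0.0.1/24", "local_router": "192.168.1.1/24",
           "psk": "constructed-example-secret-change-me", "key_exchange": "ikev2",
           "ike_dh": "21", "ike_enc": "aes256gcm128", "ike_hash": "sha512",
           "esp_enc": "aes256gcm128", "esp_hash": "sha1", "esp_pfs": "dh-group21"}
```

Print the returned list with one command per line and paste it into configuration mode, then commit and save as described under “Useful commands”.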
Settings on Windows instance:
You need to set the route in your Windows instances as well (destination network, netmask, gateway; -p makes the route persistent across reboots):
route add *Local IP router* MASK *Local Subnet* *Local IP Exoscale* -p
Settings on Linux
Please refer to the documentation of your respective OS
Ping remote network to check Tunnel
ping XX.XX.XX.XX
Documentation
• https://vyos.readthedocs.io/en/latest
Useful commands:
- configure: enter configuration mode
- commit: commit changes
- save: save changes
- exit discard: exit configuration mode, discarding uncommitted changes
- show configuration commands: show the configuration commands of the running config
Cloud-init
Beginning with version 1.2.4, cloud-init can be used to configure the instance.
Example:
set system host-name test01
set interfaces ethernet eth1 address '10.0.0.1/24'
Alternatively, a URL to a file containing the commands can be supplied, e.g. http://192.0.2.1/vyos-commands.txt
More information:
• https://github.com/zdc/vyos-cloud-init-userdata