How to configure site 2 site VPN with VyOS
Site2Site VPN Configuration
This document describes how to configure a Site2Site VPN connection between an external router and an instance on EXOSCALE.
Steps:
- Align on security parameters with provider of external router
- Create Private Network on EXOSCALE portal
- Start new instance using “VyOS” template
- Configure VyOS and test connection
- Setup and test connection on target instance
Configuration on EXOSCALE:
Prerequisites:
- Pre-Shared-Secret: shared password for authentication
- VyOS 1.3 template
- Instance: Tiny with 10 GB
- SSH-Key
- Private Network - unmanaged
During the setup you have to use the following IP addresses (they appear as placeholders in the commands below):
- WAN-IP router
- Local IP router
- WAN-IP Exoscale
- Local IP Exoscale
Ports needed on Firewall settings:
- Either use the “Default” Security group or create a new group
- Add the following FW rules:
- 22 TCP – SSH
- 3389 TCP – RDP (if a Windows server is used)
- 500 UDP – IPsec (IKE)
- 4500 UDP – IPsec ESP (NAT-T)
Create a Private Network
- Click on “Add Private Network” and select “manual”
Connecting to VyOS
- Use “Puttygen” to create an SSH keypair (public + private)
- Import Public Key to EXOSCALE
- Create instance in target zone (e.g. VIE) including SSH key and Security Group
- Connect to VyOS with Putty using the private SSH key
Configuration VyOS
- Enter “vyos” as user
- Enter “configure” to go to “Edit” mode
- Enter the commands below; each block can be copy-pasted as a whole (replace the placeholders and the “xxx” values with the parameters agreed with the provider of the external router)
set system host-name 'vpn-endpoint'
set interfaces ethernet eth1 address 'Local IP Exoscale'
IPSEC base config
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
IPSEC Phase 1
set vpn ipsec ike-group ike-local-remote close-action 'none'
set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-local-remote ikev2-reauth 'no'
set vpn ipsec ike-group ike-local-remote key-exchange 'xxx' (e.g. ikev2)
set vpn ipsec ike-group ike-local-remote lifetime 'xxx' (e.g. 86400)
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group 'XX' (e.g. 21)
set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec ike-group ike-local-remote proposal 1 hash 'xxx' (e.g. sha-512)
IPSEC Phase 2
set vpn ipsec esp-group esp-local-remote compression 'disable'
set vpn ipsec esp-group esp-local-remote lifetime 'xxx' (e.g. 3600)
set vpn ipsec esp-group esp-local-remote mode 'tunnel'
set vpn ipsec esp-group esp-local-remote pfs 'xxx' (e.g. dh-group21)
set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec esp-group esp-local-remote proposal 1 hash 'xxx' (e.g. sha1)
IPSEC site-to-site config
set vpn ipsec site-to-site peer WAN-IP router authentication id 'WAN-IP Exoscale'
set vpn ipsec site-to-site peer WAN-IP router authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer WAN-IP router authentication pre-shared-secret 'xxx'
set vpn ipsec site-to-site peer WAN-IP router connection-type 'initiate'
set vpn ipsec site-to-site peer WAN-IP router default-esp-group 'esp-local-remote'
set vpn ipsec site-to-site peer WAN-IP router ike-group 'ike-local-remote'
set vpn ipsec site-to-site peer WAN-IP router ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer WAN-IP router local-address 'WAN-IP Exoscale'
set vpn ipsec site-to-site peer WAN-IP router tunnel 0 local prefix 'Local IP Exoscale/Subnet'
set vpn ipsec site-to-site peer WAN-IP router tunnel 0 remote prefix 'Local IP router/Subnet'
Check status of VPN Tunnel
In order to check the status of the new VPN tunnel, type in:
show vpn ipsec sa
IPSEC static routes
To enable connections between devices in your local and remote network, you need to set a static route:
set protocols static route Local IP router/Subnet next-hop Local IP Exoscale
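The command blocks above (base config, phase 1, phase 2, site-to-site peer) and the static route step are easy to get subtly wrong when the placeholders are filled in by hand: swapped WAN addresses, a host address where a network is expected, or overlapping local prefixes all produce a tunnel that never carries traffic without any obvious error. The script below is an added example, not code from the original page, from VyOS or from Exoscale: it renders the same `set` commands from parameters and refuses inconsistent input. The function name, parameter names, the sample addresses (documentation ranges), the 20-character minimum for the pre-shared secret and the choice to use the network address for the tunnel selectors are assumptions of this example; the command syntax follows the guide.

```python
# Render the VyOS 1.3 site-to-site IPsec configuration from this guide as a
# checked list of `set` commands. Added example, not VyOS, Exoscale or the
# page's own code; the function name, parameter names, sample addresses and
# the sanity checks are assumptions made here. Command syntax follows the guide.
import ipaddress
from typing import List


def render_vpn_config(
    wan_ip_router: str,
    wan_ip_exoscale: str,
    local_ip_exoscale: str,      # eth1 address with mask, e.g. "10.0.0.1/24"
    local_prefix_router: str,    # network behind the external router
    pre_shared_secret: str,
    key_exchange: str = "ikev2",
    ike_lifetime: int = 86400,
    ike_dh_group: int = 21,
    ike_encryption: str = "aes256gcm128",
    ike_hash: str = "sha-512",
    esp_lifetime: int = 3600,
    esp_pfs: str = "dh-group21",
    esp_encryption: str = "aes256gcm128",
    esp_hash: str = "sha1",
) -> List[str]:
    """Return the set commands in the guide's order, or raise ValueError."""
    wan_router = ipaddress.ip_address(wan_ip_router)
    wan_exo = ipaddress.ip_address(wan_ip_exoscale)
    exo_iface = ipaddress.ip_interface(local_ip_exoscale)  # host address for eth1
    exo_net = exo_iface.network                             # network for the selector
    router_net = ipaddress.ip_network(local_prefix_router, strict=False)

    for addr in (wan_router, wan_exo):
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            raise ValueError(f"{addr} is not a usable WAN peer address")
    if wan_router == wan_exo:
        raise ValueError("router and Exoscale WAN addresses must differ")
    if exo_net.version != router_net.version:
        raise ValueError("both tunnel prefixes must use the same IP version")
    if exo_net.overlaps(router_net):
        # overlapping selectors are a classic reason traffic never enters the tunnel
        raise ValueError(f"local prefixes overlap: {exo_net} and {router_net}")
    if "'" in pre_shared_secret or len(pre_shared_secret) < 20:
        # the 20-character minimum is this example's assumption, not a VyOS rule
        raise ValueError("pre-shared secret must be long and free of quotes")

    ike = "set vpn ipsec ike-group ike-local-remote"
    esp = "set vpn ipsec esp-group esp-local-remote"
    peer = f"set vpn ipsec site-to-site peer {wan_router}"
    return [
        "set system host-name 'vpn-endpoint'",
        f"set interfaces ethernet eth1 address '{exo_iface}'",
        # IPsec base config
        "set vpn ipsec ipsec-interfaces interface 'eth0'",
        "set vpn ipsec logging log-level '1'",
        "set vpn ipsec logging log-modes 'any'",
        # IPsec phase 1
        f"{ike} close-action 'none'",
        f"{ike} dead-peer-detection action 'clear'",
        f"{ike} dead-peer-detection interval '30'",
        f"{ike} dead-peer-detection timeout '90'",
        f"{ike} ikev2-reauth 'no'",
        f"{ike} key-exchange '{key_exchange}'",
        f"{ike} lifetime '{ike_lifetime}'",
        f"{ike} proposal 1 dh-group '{ike_dh_group}'",
        f"{ike} proposal 1 encryption '{ike_encryption}'",
        f"{ike} proposal 1 hash '{ike_hash}'",
        # IPsec phase 2
        f"{esp} compression 'disable'",
        f"{esp} lifetime '{esp_lifetime}'",
        f"{esp} mode 'tunnel'",
        f"{esp} pfs '{esp_pfs}'",
        f"{esp} proposal 1 encryption '{esp_encryption}'",
        f"{esp} proposal 1 hash '{esp_hash}'",
        # IPsec site-to-site peer
        f"{peer} authentication id '{wan_exo}'",
        f"{peer} authentication mode 'pre-shared-secret'",
        f"{peer} authentication pre-shared-secret '{pre_shared_secret}'",
        f"{peer} connection-type 'initiate'",
        f"{peer} default-esp-group 'esp-local-remote'",
        f"{peer} ike-group 'ike-local-remote'",
        f"{peer} ikev2-reauth 'inherit'",
        f"{peer} local-address '{wan_exo}'",
        f"{peer} tunnel 0 local prefix '{exo_net}'",
        f"{peer} tunnel 0 remote prefix '{router_net}'",
        # static route from the guide's "IPSEC static routes" step
        f"set protocols static route {router_net} next-hop {exo_iface.ip}",
    ]


if __name__ == "__main__":
    # constructed sample values (documentation ranges), not a real deployment
    for line in render_vpn_config("203.0.113.10", "198.51.100.20", "10.0.0.1/24",
                                  "192.168.10.0/24", "constructed-psk-change-me-0123456789"):
        print(line)
```

Run it on a workstation, review the printed block, then paste it into the VyOS “Edit” mode followed by commit and save. Keep the pre-shared secret out of shell history and ticket systems; the script only formats it, it does not store it.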
Settings on Windows instance:
You need to set the route in your Windows instances as well:
route add Local IP router MASK Local Subnet Local IP Exoscale -p
Settings on Linux
Please refer to the documentation of your respective OS
Ping remote network to check Tunnel
ping XX.XX.XX.XX
Documentation
• https://vyos.readthedocs.io/en/latest
Useful commands:
• configure – enter configuration mode
  o commit – commit changes
  o save – save changes
  o exit discard – exit without saving changes
• show configuration commands – show the configuration commands of the running config
Cloud-init
Beginning with version 1.2.4, cloud-init can be used to configure the instance.
Example:
set system host-name test01
set interfaces ethernet eth1 address '10.0.0.1/24'
or also possible: http://192.0.2.1/vyos-commands.txt
More information:
• https://github.com/zdc/vyos-cloud-init-userdata