How to configure site 2 site VPN with VyOS
Site-to-Site VPN Configuration
This guide describes how to configure a site-to-site VPN connection between an external router and an instance on Exoscale.
Steps
- Align on the security parameters with the provider of the external router.
- Create a Private Network on the Exoscale Portal.
- Start a new instance using the VyOS template.
- Configure VyOS and test the connection.
- Set up and test the connection on your target instance.
Configuration on Exoscale
Prerequisites
- Pre-shared-secret: Shared password for authentication
- VyOS 1.3 template
- Instance: Tiny with 10 GB
- SSH Key
- Private Network - unmanaged
During the setup you will need the following IP addresses:
- WAN-IP router
- Local IP router
- WAN-IP Exoscale
- Local IP Exoscale
Ports needed in the firewall settings
- Either use the default Security Group, or create a new group.
- Add the following firewall rules:
- 22 TCP – SSH
- 3389 TCP – RDP (if a Windows server is used)
- 500 UDP – IPsec
- 4500 UDP – IPsec
- ESP (IP protocol 50, a protocol rule rather than a port)
Create a Private Network
- Click on ADD PRIVATE NETWORK and select MANUAL.
Connecting to VyOS
- Use PuTTYgen to create an SSH keypair (public + private)
- Import the public key to Exoscale
- Create an instance in the target zone (such as VIE-1) including the SSH key and Security Group
- Connect to VyOS with PuTTY using the private SSH key
Configuration VyOS
- Log in as user vyos
- Enter configure to switch to configuration mode
- Enter the commands below:
set system host-name 'vpn-endpoint'
set interfaces ethernet eth1 address '*Local IP Exoscale*'
IPSEC base configuration
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
IPSEC phase 1
set vpn ipsec ike-group ike-local-remote close-action 'none'
set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-local-remote ikev2-reauth 'no'
set vpn ipsec ike-group ike-local-remote key-exchange 'xxx' (e.g. ikev2)
set vpn ipsec ike-group ike-local-remote lifetime 'xxx' (e.g. 86400)
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group 'XX' (e.g. 21)
set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec ike-group ike-local-remote proposal 1 hash 'xxx' (e.g. sha-512)
IPSEC Phase 2
set vpn ipsec esp-group esp-local-remote compression 'disable'
set vpn ipsec esp-group esp-local-remote lifetime 'xxx' (e.g. 3600)
set vpn ipsec esp-group esp-local-remote mode 'tunnel'
set vpn ipsec esp-group esp-local-remote pfs 'xxx' (e.g. dh-group21)
set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec esp-group esp-local-remote proposal 1 hash 'xxx' (e.g. sha1)
IPSEC site-to-site configuration
set vpn ipsec site-to-site peer *WAN-IP router* authentication id '*WAN-IP Exoscale*'
set vpn ipsec site-to-site peer *WAN-IP router* authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer *WAN-IP router* authentication pre-shared-secret 'xxx'
set vpn ipsec site-to-site peer *WAN-IP router* connection-type 'initiate'
set vpn ipsec site-to-site peer *WAN-IP router* default-esp-group 'esp-local-remote'
set vpn ipsec site-to-site peer *WAN-IP router* ike-group 'ike-local-remote'
set vpn ipsec site-to-site peer *WAN-IP router* ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer *WAN-IP router* local-address '*WAN-IP Exoscale*'
set vpn ipsec site-to-site peer *WAN-IP router* tunnel 0 local prefix '*Local IP Exoscale/Subnet*'
set vpn ipsec site-to-site peer *WAN-IP router* tunnel 0 remote prefix '*Local IP router/Subnet*'
Check the status of the VPN tunnel
To check the status of the new VPN tunnel, use the command:
show vpn ipsec sa
IPSEC static routes
To enable connections between devices in your local and remote networks, you need to set a static route:
set protocols static route *Local IP router/Subnet* next-hop *Local IP Exoscale*
Settings on a Windows instance
You also need to set the route on your Windows instances:
route add *Local IP router* MASK *Local Subnet* *Local IP Exoscale* -p
Settings on Linux
Please refer to the documentation of your respective OS.
Ping a host in the remote network to check the tunnel
ping XX.XX.XX.XX
Documentation
- https://vyos.readthedocs.io/en/latest
Useful Commands
- configure: enter configuration mode
- commit: commit changes
- save: save changes
- exit discard: exit without saving changes
- show configuration commands: show the configuration commands of the running config
Cloud-Init
Beginning with version 1.2.4, you can use cloud-init to configure the instance.
Example:
set system host-name 'test01'
set interfaces ethernet eth1 address '10.0.0.1/24'
Alternatively, the commands can be provided as a file at a URL, for example: http://192.0.2.1/vyos-commands.txt
More Information
- https://github.com/zdc/vyos-cloud-init-userdata