Site-to-Site VPN Configuration

This guide describes how to configure a site-to-site VPN connection between an external router and an instance on Exoscale.

Steps

  • Align on the security parameters with the provider of the external router.
  • Create a Private Network on the Exoscale Portal.
  • Start a new instance using the VyOS template.
  • Configure VyOS and test the connection.
  • Set up and test the connection on your target instance.

Configuration on Exoscale

Prerequisites

  • Pre-shared-secret: Shared password for authentication
  • VyOS 1.3 template
  • Instance: Tiny with 10 GB
  • SSH Key
  • Private Network - unmanaged

During the setup you will need the following IP addresses (agree on them with the provider of the external router):

  • WAN-IP router
  • Local IP router
  • WAN-IP Exoscale
  • Local IP Exoscale

Ports needed in the firewall settings

  • Either use the default Security Group, or create a new group
  • Add the following firewall rules:
      • 22 TCP – SSH
      • 3389 TCP – RDP (only if a Windows server is used)
      • 500 UDP – IPsec (IKE)
      • 4500 UDP – IPsec (NAT traversal)
      • ESP (IP protocol 50)

Create a Private Network

  • Click on ADD PRIVATE NETWORK and select MANUAL.

Connecting to VyOS

  • Use PuTTYgen to create an SSH keypair (public + private)
  • Import the public key to Exoscale
  • Create an instance in the target zone (such as VIE-1) including the SSH key and the Security Group
  • Connect to VyOS with PuTTY using the private SSH key

Configuration of VyOS

  • Log in as user vyos
  • Enter configure to switch to configuration mode
  • Enter the commands below, replacing the *italic* placeholders with your own values (commit and save afterwards, see Useful Commands):
set system host-name 'vpn-endpoint'

set interfaces ethernet eth1 address '*Local IP Exoscale/Subnet*'

IPSEC base configuration

set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec logging log-level '1'

set vpn ipsec logging log-modes 'any'

IPSEC phase 1

set vpn ipsec ike-group ike-local-remote close-action 'none'

set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'clear'

set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'

set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '90'

set vpn ipsec ike-group ike-local-remote ikev2-reauth 'no'

set vpn ipsec ike-group ike-local-remote key-exchange 'xxx' (e.g. ikev2)

set vpn ipsec ike-group ike-local-remote lifetime 'xxx' (e.g. 86400)

set vpn ipsec ike-group ike-local-remote proposal 1 dh-group 'XX' (e.g. 21)

set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)

set vpn ipsec ike-group ike-local-remote proposal 1 hash 'xxx' (e.g. sha512)

IPSEC Phase 2

set vpn ipsec esp-group esp-local-remote compression 'disable'

set vpn ipsec esp-group esp-local-remote lifetime 'xxx' (e.g. 3600)

set vpn ipsec esp-group esp-local-remote mode 'tunnel'

set vpn ipsec esp-group esp-local-remote pfs 'xxx' (e.g. dh-group21)

set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)

set vpn ipsec esp-group esp-local-remote proposal 1 hash 'xxx' (e.g. sha1)

IPSEC site-to-site configuration

set vpn ipsec site-to-site peer *WAN-IP router* authentication id '*WAN-IP Exoscale*'

set vpn ipsec site-to-site peer *WAN-IP router* authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer *WAN-IP router* authentication pre-shared-secret 'xxx'

set vpn ipsec site-to-site peer *WAN-IP router* connection-type 'initiate'

set vpn ipsec site-to-site peer *WAN-IP router* default-esp-group 'esp-local-remote'

set vpn ipsec site-to-site peer *WAN-IP router* ike-group 'ike-local-remote'

set vpn ipsec site-to-site peer *WAN-IP router* ikev2-reauth 'inherit'

set vpn ipsec site-to-site peer *WAN-IP router* local-address '*WAN-IP Exoscale*'

set vpn ipsec site-to-site peer *WAN-IP router* tunnel 0 local prefix '*Local IP Exoscale/Subnet*'

set vpn ipsec site-to-site peer *WAN-IP router* tunnel 0 remote prefix '*Local IP router/Subnet*'

Check the status of the VPN tunnel

To check the status of the new VPN tunnel, use the command:

*show vpn ipsec sa*

IPSEC static routes

To enable connections between devices in your local and remote network, you need to set a static route on VyOS for the remote network:

set protocols static route *Local IP router/Subnet* next-hop *Local IP Exoscale*
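As an added example (not part of the Exoscale guide or of VyOS itself), the following Python script assembles the command set above from the four addresses and the pre-shared secret, and first checks the inputs that most often go wrong: a malformed address, overlapping local and remote networks, and a placeholder or too-short secret. The addresses and the secret in it are constructed placeholders, and the IKE/ESP values are the guide's example values, which still have to be aligned with the provider of the external router.

```python
import ipaddress

def vyos_site_to_site(wan_router, local_router_net, wan_exoscale, local_exoscale_if,
                      psk, key_exchange="ikev2", dh_group="21",
                      encryption="aes256gcm128", ike_hash="sha512"):
    """Validate the inputs and return the VyOS 'set' commands as a list of strings."""
    peer = str(ipaddress.ip_address(wan_router))          # ValueError on a malformed address
    local_wan = str(ipaddress.ip_address(wan_exoscale))
    if peer == local_wan:
        raise ValueError("peer WAN address and local WAN address must differ")
    remote_net = ipaddress.ip_network(local_router_net)   # strict: rejects host bits in a prefix
    local_if = ipaddress.ip_interface(local_exoscale_if)  # eth1 address with prefix, e.g. 10.0.0.1/24
    if remote_net.overlaps(local_if.network):
        raise ValueError("local and remote private networks overlap; routing would be ambiguous")
    # a placeholder or short PSK is the weak point of a PSK-authenticated tunnel,
    # and a single quote would break the VyOS quoting of the value
    if len(psk) < 20 or psk.lower() == "xxx" or "'" in psk:
        raise ValueError("pre-shared secret must be >= 20 characters and contain no single quote")
    if key_exchange not in ("ikev1", "ikev2"):
        raise ValueError("key-exchange must be ikev1 or ikev2")
    ike, esp = "ike-local-remote", "esp-local-remote"
    return [
        f"set interfaces ethernet eth1 address '{local_if}'",
        "set vpn ipsec ipsec-interfaces interface 'eth0'",
        f"set vpn ipsec ike-group {ike} key-exchange '{key_exchange}'",
        f"set vpn ipsec ike-group {ike} lifetime '86400'",
        f"set vpn ipsec ike-group {ike} proposal 1 dh-group '{dh_group}'",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption '{encryption}'",
        f"set vpn ipsec ike-group {ike} proposal 1 hash '{ike_hash}'",
        f"set vpn ipsec esp-group {esp} lifetime '3600'",
        f"set vpn ipsec esp-group {esp} mode 'tunnel'",
        f"set vpn ipsec esp-group {esp} pfs 'dh-group{dh_group}'",  # PFS group matches phase 1
        f"set vpn ipsec esp-group {esp} proposal 1 encryption '{encryption}'",
        f"set vpn ipsec site-to-site peer {peer} authentication id '{local_wan}'",
        f"set vpn ipsec site-to-site peer {peer} authentication mode 'pre-shared-secret'",
        f"set vpn ipsec site-to-site peer {peer} authentication pre-shared-secret '{psk}'",
        f"set vpn ipsec site-to-site peer {peer} connection-type 'initiate'",
        f"set vpn ipsec site-to-site peer {peer} ike-group '{ike}'",
        f"set vpn ipsec site-to-site peer {peer} default-esp-group '{esp}'",
        f"set vpn ipsec site-to-site peer {peer} local-address '{local_wan}'",
        f"set vpn ipsec site-to-site peer {peer} tunnel 0 local prefix '{local_if.network}'",
        f"set vpn ipsec site-to-site peer {peer} tunnel 0 remote prefix '{remote_net}'",
        # static route for the remote network, as in the guide's "IPSEC static routes" step
        f"set protocols static route {remote_net} next-hop {local_if.ip}",
    ]

if __name__ == "__main__":  # constructed RFC 5737 documentation addresses and a placeholder secret
    print("\n".join(vyos_site_to_site("203.0.113.1", "192.168.1.0/24", "198.51.100.2",
                                      "10.0.0.1/24", "replace-me-with-a-long-random-secret")))
```

Paste the printed lines into configure mode, then commit and save.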

Settings on a Windows instance

You will need to set the route on your Windows instances as well (the -p flag makes the route persistent across reboots):

route add *Local IP router* MASK *Subnet mask* *Local IP Exoscale* -p

Settings on Linux

Please refer to the documentation of your respective OS.

Ping remote network to check tunnel

Ping a host in the remote network, for example the local IP of the router:

ping XX.XX.XX.XX

Documentation

• https://vyos.readthedocs.io/en/latest

Useful Commands

  • configure – enter configuration mode
  • commit – apply the changes to the running configuration
  • save – save the changes so they persist across reboots
  • exit discard – leave configuration mode without saving changes
  • show configuration commands – show the running configuration as set commands

Cloud-Init

Beginning with version 1.2.4, you can use cloud-init to configure the instance: the user data contains the VyOS configuration commands.

Example:

set system host-name test01
set interfaces ethernet eth1 address '10.0.0.1/24'

Alternatively, the user data can be a URL pointing to a file that contains the commands, for example: http://192.0.2.1/vyos-commands.txt

More Information

• https://github.com/zdc/vyos-cloud-init-userdata