diff options
-rw-r--r-- | docs/_static/images/policy-based-ipsec-and-firewall.png | bin | 0 -> 42987 bytes | |||
-rw-r--r-- | docs/configexamples/index.rst | 1 | ||||
-rw-r--r-- | docs/configexamples/policy-based-ipsec-and-firewall.rst | 281 | ||||
-rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 173 | ||||
-rw-r--r-- | docs/configuration/vrf/index.rst | 42 |
5 files changed, 432 insertions, 65 deletions
diff --git a/docs/_static/images/policy-based-ipsec-and-firewall.png b/docs/_static/images/policy-based-ipsec-and-firewall.png Binary files differnew file mode 100644 index 00000000..6e9d43ac --- /dev/null +++ b/docs/_static/images/policy-based-ipsec-and-firewall.png diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index 80083fe1..a0413bfd 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -21,6 +21,7 @@ This chapter contains various configuration examples: qos segment-routing-isis nmp + policy-based-ipsec-and-firewall Configuration Blueprints (autotest) diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst new file mode 100644 index 00000000..1f969453 --- /dev/null +++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst @@ -0,0 +1,281 @@ +.. _examples-policy-based-ipsec-and-firewall: + + +Policy-Based Site-to-Site VPN and Firewall Configuration +-------------------------------------------------------- + +This guide shows an example policy-based IKEv2 site-to-site VPN between two +VyOS routers, and firewall configiuration. + +For simplicity, configuration and tests are done only using ipv4, and firewall +configuration in done only on one router. + +Network Topology and requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This configuration example and the requirments consists on: + +- Two VyOS routers with public IP address. + +- 2 private subnets on each site. + +- Local subnets should be able to reach internet using source nat. + +- Communication between private subnets should be done through ipsec tunnel + without nat. + +- Configuration of basic firewall in one site, in order to: + + - Protect the router on 'WAN' interface, allowing only ipsec connections + and ssh access from trusted ips. + + - Allow access to the router only from trusted networks. + + - Allow dns requests only only for local networks. + + - Allow icmp on all interfaces. + + - Allow all new connections from local subnets. + + - Allow connections from LANs to LANs throught the tunnel. + + +.. image:: /_static/images/policy-based-ipsec-and-firewall.png + + +Configuration +^^^^^^^^^^^^^ + +Interface and routing configuration: + +.. code-block:: none + + # LEFT router: + set interfaces ethernet eth0 address '198.51.100.14/30' + set interfaces ethernet eth1 vif 111 address '10.1.11.1/24' + set interfaces ethernet eth2 vif 112 address '10.1.12.1/24' + set protocols static route 0.0.0.0/0 next-hop 198.51.100.13 + + # RIGHT router: + set interfaces ethernet eth0 address '192.0.2.130/30' + set interfaces ethernet eth1 vif 221 address '10.2.21.1/24' + set interfaces ethernet eth2 vif 222 address '10.2.22.1/24' + + +IPSec configuration: + +.. code-block:: none + + # LEFT router: + set vpn ipsec authentication psk RIGHT id '198.51.100.14' + set vpn ipsec authentication psk RIGHT id '192.0.2.130' + set vpn ipsec authentication psk RIGHT secret 'p4ssw0rd' + set vpn ipsec esp-group ESP-GROUP mode 'tunnel' + set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer RIGHT connection-type 'initiate' + set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer RIGHT local-address '198.51.100.14' + set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.130' + set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 2 local prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 2 remote prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 3 local prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 3 remote prefix '10.2.22.0/24' + + # RIGHT router: + set vpn ipsec authentication psk LEFT id '192.0.2.130' + set vpn ipsec authentication psk LEFT id '198.51.100.14' + set vpn ipsec authentication psk LEFT secret 'p4ssw0rd' + set vpn ipsec esp-group ESP-GROUP mode 'tunnel' + set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer LEFT connection-type 'respond' + set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130' + set vpn ipsec site-to-site peer LEFT remote-address '198.51.100.14' + set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 2 local prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 2 remote prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 3 local prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 3 remote prefix '10.1.12.0/24' + +Firewall Configuration: + +.. code-block:: none + + # Firewall Groups: + set firewall group network-group LOCAL-NETS network '10.1.11.0/24' + set firewall group network-group LOCAL-NETS network '10.1.12.0/24' + set firewall group network-group REMOTE-NETS network '10.2.21.0/24' + set firewall group network-group REMOTE-NETS network '10.2.22.0/24' + set firewall group network-group TRUSTED network '198.51.100.125/32' + set firewall group network-group TRUSTED network '203.0.113.0/24' + set firewall group network-group TRUSTED network '10.1.11.0/24' + set firewall group network-group TRUSTED network '192.168.70.0/24' + + # Forward traffic: default drop and only allow what is needed + set firewall ipv4 forward filter default-action 'drop' + + # Forward traffic: global state policies + set firewall ipv4 forward filter rule 1 action 'accept' + set firewall ipv4 forward filter rule 1 state established 'enable' + set firewall ipv4 forward filter rule 1 state related 'enable' + set firewall ipv4 forward filter rule 2 action 'drop' + set firewall ipv4 forward filter rule 2 state invalid 'enable' + + # Forward traffic: Accept all connections from local networks + set firewall ipv4 forward filter rule 10 action 'accept' + set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS' + + # Forward traffic: accept connections from remote LANs to local LANs + set firewall ipv4 forward filter rule 20 action 'accept' + set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS' + set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS' + + # Input traffic: default drop and only allow what is needed + set firewall ipv4 input filter default-action 'drop' + + # Input traffic: global state policies + set firewall ipv4 input filter rule 1 action 'accept' + set firewall ipv4 input filter rule 1 state established 'enable' + set firewall ipv4 input filter rule 1 state related 'enable' + set firewall ipv4 input filter rule 2 action 'drop' + set firewall ipv4 input filter rule 2 state invalid 'enable' + + # Input traffic: add rules needed for ipsec connection + set firewall ipv4 input filter rule 10 action 'accept' + set firewall ipv4 input filter rule 10 destination port '500,4500' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0' + set firewall ipv4 input filter rule 10 protocol 'udp' + set firewall ipv4 input filter rule 15 action 'accept' + set firewall ipv4 input filter rule 15 inbound-interface interface-name 'eth0' + set firewall ipv4 input filter rule 15 protocol 'esp' + + # Input traffic: accept ssh connection from trusted ips + set firewall ipv4 input filter rule 20 action 'accept' + set firewall ipv4 input filter rule 20 destination port '22' + set firewall ipv4 input filter rule 20 protocol 'tcp' + set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED' + + # Input traffic: accepd dns requests only from local networks. + set firewall ipv4 input filter rule 25 action 'accept' + set firewall ipv4 input filter rule 25 destination port '53' + set firewall ipv4 input filter rule 25 protocol 'udp' + set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS' + + # Input traffic: allow icmp + set firewall ipv4 input filter rule 30 action 'accept' + set firewall ipv4 input filter rule 30 protocol 'icmp' + +And NAT Configuration: + +.. code-block:: none + + set nat source rule 10 destination group network-group 'REMOTE-NETS' + set nat source rule 10 exclude + set nat source rule 10 outbound-interface 'eth0' + set nat source rule 10 source group network-group 'LOCAL-NETS' + set nat source rule 20 outbound-interface 'eth0' + set nat source rule 20 source group network-group 'LOCAL-NETS' + set nat source rule 20 translation address 'masquerade' + +Checking through op-mode commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +After some testing, we can check ipsec status, and counter on every tunnel: + +.. code-block:: none + + vyos@LEFT:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------- ------- -------- -------------- ---------------- ---------------- ----------- --------------------------------------- + RIGHT-tunnel-0 up 36m24s 840B/840B 10/10 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-1 up 36m33s 588B/588B 7/7 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-2 up 35m50s 1K/1K 15/15 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-3 up 36m54s 2K/2K 32/32 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + vyos@LEFT:~$ + + +Also, we can check firewall counters: + +.. code-block:: none + + vyos@LEFT:~$ show firewall + Rulesets Information + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------------------------------ + 1 accept all 681 96545 ct state { established, related } accept + 2 drop all 0 0 ct state invalid + 10 accept all 360 27205 ip saddr @N_LOCAL-NETS accept + 20 accept all 8 648 ip daddr @N_LOCAL-NETS ip saddr @N_REMOTE-NETS accept + default drop all + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------------- + 1 accept all 901 123709 ct state { established, related } accept + 2 drop all 0 0 ct state invalid + 10 accept udp 0 0 udp dport { 500, 4500 } iifname "eth0" accept + 15 accept esp 0 0 meta l4proto esp iifname "eth0" accept + 20 accept tcp 1 60 tcp dport 22 ip saddr @N_TRUSTED accept + 25 accept udp 0 0 udp dport 53 ip saddr @N_LOCAL-NETS accept + 30 accept icmp 0 0 meta l4proto icmp accept + default drop all + + vyos@LEFT:~$ + vyos@LEFT:~$ show firewall statistics + Rulesets Statistics + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface + ------- --------- ------- -------- ----------- ------------- ------------------- -------------------- + 1 681 96545 accept any any any any + 2 0 0 drop any any any any + 10 360 27205 accept LOCAL-NETS any any any + 20 8 648 accept REMOTE-NETS LOCAL-NETS any any + default N/A N/A drop any any any any + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface + ------- --------- ------- -------- ---------- ------------- ------------------- -------------------- + 1 905 124213 accept any any any any + 2 0 0 drop any any any any + 10 0 0 accept any any eth0 any + 15 0 0 accept any any eth0 any + 20 1 60 accept TRUSTED any any any + 25 0 0 accept LOCAL-NETS any any any + 30 0 0 accept any any any any + default N/A N/A drop any any any any + + vyos@LEFT:~$ diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index c0019577..2160e781 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -40,30 +40,27 @@ Site-to-Site .. figure:: /_static/images/openvpn_site2site_diagram.jpg -While many are aware of OpenVPN as a Client VPN solution, it is often -overlooked as a site-to-site VPN solution due to lack of support for this mode -in many router platforms. +OpenVPN is popular for client-server setups, but its site-to-site mode +remains a relatively obscure feature, and many router appliances +still don't support it. However, it's very useful for quickly setting up +tunnels between routers. -Site-to-site mode supports x.509 but doesn't require it and can also work with -static keys, which is simpler in many cases. In this example, we'll configure -a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key. +As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates. -First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>` -command. Once generated, you will need to install this key on the local system, -then copy and install this key to the remote router. +The pre-shared key mode is deprecated and will be removed from future OpenVPN versions, +so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys +is significantly less secure than using TLS. -In our example, we used the key name ``openvpn-1`` which we will reference -in our configuration. +We'll configure OpenVPN using self-signed certificates, and then discuss the legacy +pre-shared key mode. + +In both cases, we will use the following settings: * The public IP address of the local side of the VPN will be 198.51.100.10. * The public IP address of the remote side of the VPN will be 203.0.113.11. * The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote. * The local site will have a subnet of 10.0.0.0/16. * The remote site will have a subnet of 10.1.0.0/16. -* Static Routing or other dynamic routing protocols can be used over the vtun interface -* OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, - while TCP will work better for lossy connections; generally UDP is preferred - when possible. * The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN. * The ``persistent-tunnel`` directive will allow us to configure tunnel-related @@ -73,85 +70,137 @@ in our configuration. ``remote-host`` directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router. +Setting up certificates +----------------------- -Local Configuration: +Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose +of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, +compared to server setups that need to support multiple clients. -.. code-block:: none +However, since VyOS 1.4, it is possible to verify self-signed certificates using +certificate fingerprints. - run generate pki openvpn shared-secret install openvpn-1 - Configure mode commands to install OpenVPN key: - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' - set pki openvpn shared-secret openvpn-1 version '1' +On both sides, you need to generate a self-signed certificate, preferrably using the "ec" (elliptic curve) type. +You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode. +Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree. +You can then review the proposed changes and commit them. - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '203.0.113.11' - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 - set interfaces openvpn vtun1 local-address '10.255.1.1' - set interfaces openvpn vtun1 remote-address '10.255.1.2' +.. code-block:: none -Local Configuration - Annotated: + vyos@vyos# run generate pki certificate self-signed install openvpn-local + Enter private key type: [rsa, dsa, ec] (Default: rsa) ec + Enter private key bits: (Default: 256) + Enter country code: (Default: GB) + Enter state: (Default: Some-State) + Enter locality: (Default: Some-City) + Enter organization name: (Default: VyOS) + Enter common name: (Default: vyos.io) + Do you want to configure Subject Alternative Names? [y/N] + Enter how many days certificate will be valid: (Default: 365) + Enter certificate type: (client, server) (Default: server) + Note: If you plan to use the generated key on this router, do not encrypt the private key. + Do you want to encrypt the private key with a passphrase? [y/N] + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + [edit] + + vyos@vyos# compare + [pki] + + certificate openvpn-local { + + certificate "MIICJTCCAcugAwIBAgIUMXLfRNJ5iOjk/ uAZqUe4phW8MdgwCgYIKoZIzj0EAwIwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA5MDcyMTQzMTNaFw0yNDA5MDYyMTQzMTNaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMWo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUBrAxRdFppdG/UBRdo7qNyHutaTQwHwYDVR0jBBgwFoAUBrAxRdFppdG/UBRdo7qNyHutaTQwCgYIKoZIzj0EAwIDSAAwRQIhAI2+8C92z9wTcTWkQ/goRxs10EBC+h78O+vgo9k97z5iAiBSeqfaVr5taQTS31+McGTAK3cYWNTg0DlOBI8aKO2oRg==" + + private { + + key "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtOeEb0dMb5P/2Exi09WWvk6Cvz0oOBoDuP68ZimS2LShRANCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMW" + + } + + } + + [edit] + + vyos@vyos# commit + +You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint. +OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command: .. code-block:: none - run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret. - The generated secret is the output to - the console. - Configure mode commands to install OpenVPN key: - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to - the console. - set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to - the console. + vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 + 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79 - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '203.0.113.11' # Pub IP of other site - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name - set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface - set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface +Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary. +Repeat the procedure on the other router. -Remote Configuration: +Setting up OpenVPN +------------------ + +Local Configuration: .. code-block:: none - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' - set pki openvpn shared-secret openvpn-1 version '1' + Configure the tunnel: set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '198.51.100.10' + set interfaces openvpn vtun1 remote-host '203.0.113.11' # Public IP of the other side set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 - set interfaces openvpn vtun1 local-address '10.255.1.2' - set interfaces openvpn vtun1 remote-address '10.255.1.1' - -Remote Configuration - Annotated: + set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface + set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface + set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate + set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 + on the remote rout +Remote Configuration: .. code-block:: none - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret - (from the Local Configuration Block). - set pki openvpn shared-secret openvpn-1 version '1' - set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface + set interfaces openvpn vtun1 tls certificate 'openvpn-remote' # The self-signed certificate + set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 + on the local router +Pre-shared keys +--------------- + +Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. +That option is still available but it is deprecated and will be removed in the future. +However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN, +you need to still need to know how to use it. + +First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode. +You can use any name, we will use ``s2s``. + +.. code-block:: none + vyos@local# run generate pki openvpn shared-secret install s2s + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + [edit] + vyos@local# compare + [pki openvpn shared-secret] + + s2s { + + key "7c73046a9da91e874d31c7ad894a32688cda054bde157c64270f28eceebc0bb2f44dbb70335fad45148b0456aaa78cb34a34c0958eeed4f75e75fd99ff519ef940f7029a316c436d2366a2b0fb8ea1d1c792a65f67d10a461af83ef4530adc25d1c872de6d9c7d5f338223d1f3b66dc3311bbbddc0e05228c47b91c817c721aadc7ed18f0662df52ad14f898904372679e3d9697d062b0869d12de47ceb2e626fa12e1926a3119be37dd29c9b0ad81997230f4038926900d5edb78522d2940cfe207f8e2b948e0d459fa137ebb18064ac5982b28dd1899020b4f2b082a20d5d4eb65710fbb1e62b5e061df39620267eab429d3eedd9a1ae85957457c8e4655f3" + + version "1" + + } + + [edit] + + vyos@local# commit + [edit] + +Then you need to install the key on the remote router: + +.. code-block:: none + + vyos@remote# set pki openvpn shared-secret s2s key <generated key string> + +Then you need to set the key in your OpenVPN interface settings: + +.. code-block:: none + set interfaces openvpn vtun1 shared-secret-key s2s Firewall Exceptions =================== diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index a51aca52..dea53321 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -279,6 +279,42 @@ Configuration set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default' set vrf name red table '2000' +VRF and NAT +----------- + +Configuration +^^^^^^^^^^^^^ + + .. code-block:: none + + set interfaces ethernet eth0 address '172.16.50.12/24' + set interfaces ethernet eth0 vrf 'red' + + set interfaces ethernet eth1 address '192.168.130.100/24' + set interfaces ethernet eth1 vrf 'blue' + + set nat destination rule 110 description 'NAT ssh- INSIDE' + set nat destination rule 110 destination port '2022' + set nat destination rule 110 inbound-interface 'eth0' + set nat destination rule 110 protocol 'tcp' + set nat destination rule 110 translation address '192.168.130.40' + + set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 protocol 'all' + set nat source rule 100 source address '192.168.130.0/24' + set nat source rule 100 translation address 'masquerade' + + set service ssh vrf 'red' + + set vrf bind-to-all + set vrf name blue protocols static route 0.0.0.0/0 next-hop 172.16.50.1 vrf 'red' + set vrf name blue protocols static route 172.16.50.0/24 interface eth0 vrf 'red' + set vrf name blue table '1010' + + set vrf name red protocols static route 0.0.0.0/0 next-hop 172.16.50.1 + set vrf name red protocols static route 192.168.130.0/24 interface eth1 vrf 'blue' + set vrf name red table '2020' + .. _vrf example operation: Operation @@ -427,9 +463,9 @@ address-family. .. cfgcmd:: set vrf name <name> protocols bgp address-family <ipv4-unicast|ipv6-unicast> label vpn allocation-mode per-nexthop - Select how labels are allocated in the given VRF. By default, the per-vrf - mode is selected, and one label is used for all prefixes from the VRF. The - per-nexthop will use a unique label for all prefixes that are reachable via + Select how labels are allocated in the given VRF. By default, the per-vrf + mode is selected, and one label is used for all prefixes from the VRF. The + per-nexthop will use a unique label for all prefixes that are reachable via the same nexthop. .. cfgcmd:: set vrf name <name> protocols bgp address-family |