Diffstat (limited to 'docs/quick-start.rst')
-rw-r--r--  docs/quick-start.rst  82
1 files changed, 56 insertions, 26 deletions
diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 19ee9f6e..655ce072 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -4,16 +4,20 @@ Quick Start ########### -This chapter will guide you on how to get up to speed using your new VyOS -system. It will show you a very basic configuration example that will provide -a :ref:`nat` gateway for a device with two network interfaces (`eth0` and -`eth1`). +This chapter will guide you on how to get up to speed quickly using your new +VyOS system. It will show you a very basic configuration example that will +provide a :ref:`nat` gateway for a device with two network interfaces +(`eth0` and `eth1`). .. _quick-start-configuration-mode: Configuration Mode ################## +By default, VyOS is in operational mode, and the command prompt displays a `$`. +To configure VyOS, you will need to enter configuration mode, resulting in the +command prompt displaying a `#`, as demonstrated below: + .. code-block:: none vyos@vyos$ configure @@ -22,13 +26,15 @@ Configuration Mode Commit and Save ################ -After every configuration change you need to apply the changes by using the +After every configuration change, you need to apply the changes by using the +following command: .. code-block:: none commit -Once your configuration works as expected you can save it permanently. +Once your configuration works as expected, you can save it permanently by using +the following command: .. code-block:: none 
@@ -37,10 +43,10 @@ Once your configuration works as expected you can save it permanently. Interface Configuration ####################### -* Your outside/WAN interface will be `eth0`, it receives it's interface address - be means of DHCP. -* Your internal/LAN interface is `eth1`. It uses a fixed IP address of - `192.168.0.1/24`. +* Your outside/WAN interface will be `eth0`. It will receive its interface + address via DHCP. +* Your internal/LAN interface will be `eth1`. It will use a static IP address + of `192.168.0.1/24`. After switching to :ref:`quick-start-configuration-mode` issue the following commands: 
@@ -66,23 +72,30 @@ on specific addresses only. set service ssh port '22' -Configure DHCP/DNS Servers -########################## +.. _dhcp-dns-quick-start: + +DHCP/DNS quick-start +#################### -* Provide DHCP service on your internal/LAN network where VyOS will act - as the default gateway and DNS server. -* Client IP addresses are assigned from the range ``192.168.0.9 - - 192.168.0.254`` +The following settings will configure DHCP and DNS services on +your internal/LAN network, where VyOS will act as the default gateway and +DNS server. + +* The default gateway and DNS recursor address will be `192.168.0.1/24` +* The address range `192.168.0.2/24 - 192.168.0.8/24` will be reserved for + static assignments +* DHCP clients will be assigned IP addresses within the range of + `192.168.0.9 - 192.168.0.254` and have a domain name of `internal-network` * DHCP leases will hold for one day (86400 seconds) -* VyOS will server as full DNS recursor - no need to bother the Google or - Cloudflare DNS servers (good for privacy) -* Only clients from your internal/LAN network can use the DNS resolver +* VyOS will serve as a full DNS recursor, replacing the need to utilize Google, + Cloudflare, or other public DNS servers (which is good for privacy) +* Only hosts from your internal/LAN network can use the DNS recursor .. 
code-block:: none set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1' - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'vyos.net' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start 192.168.0.9 set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254' @@ -95,7 +108,9 @@ Configure DHCP/DNS Servers NAT ### -* Configure :ref:`source-nat` for our internal/LAN network +The following settings will configure :ref:`source-nat` rules for our +internal/LAN network, allowing hosts to communicate through the outside/WAN +network via IP masquerade. .. code-block:: none @@ -129,7 +144,8 @@ which was not initiated from the internal/LAN side first. set firewall name OUTSIDE-LOCAL rule 20 state new 'enable' If you wanted to enable SSH access to your firewall from the outside/WAN -interface, you could create some additional rules to allow that kind of traffic. +interface, you could create some additional rules to allow that kind of +traffic. These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts: @@ -170,8 +186,8 @@ Commit changes, save the configuration, and exit configuration mode: Hardening ######### -Especially if you are allowing SSH remote access from the outside/WAN interface, -there are a few additional configuration steps that should be taken. +Especially if you are allowing SSH remote access from the outside/WAN +interface, there are a few additional configuration steps that should be taken. Replace the default `vyos` system user: 
@@ -188,11 +204,25 @@ Set up :ref:`ssh_key_based_authentication`: Finally, try and SSH into the VyOS install as your new user. Once you have confirmed that your new user can access your router without a password, delete -the original ``vyos`` user and probably disable password authentication for -:ref:`ssh` at all: +the original ``vyos`` user and completely disable password authentication for +:ref:`ssh`: .. code-block:: none delete system login user vyos set service ssh disable-password-authentication +As above, commit your changes, save the configuration, and exit +configuration mode: + +.. code-block:: none + + vyos@vyos# commit + vyos@vyos# save + Saving configuration to '/config/config.boot'... + Done + vyos@vyos# exit + vyos@vyos$ + +You now should have a simple yet secure and functioning router to experiment +with further. Enjoy!
\ No newline at end of file
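Review bot: in the DHCP/DNS quick-start hunk the new bullet list and the code block disagree on the domain name, and two bullets misuse CIDR notation. The bullet says clients "have a domain name of `internal-network`" while the code block in the same hunk changes the command to `domain-name 'vyos.net'`; keep the two consistent, and prefer a name that is not a registered public domain, since hosts with a real domain in their search list can have internal and public lookups collide. Also "`192.168.0.1/24`" and "`192.168.0.2/24 - 192.168.0.8/24`" put a prefix length on individual addresses; write `192.168.0.1` and `192.168.0.2 - 192.168.0.8`, matching the style the DHCP range bullet already uses (`192.168.0.9 - 192.168.0.254`).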
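Review bot: the rewrapped sentence in the SSH-access hunk keeps the claim "This blocks brute-forcing attempts" for a rule that limits SSH to 4 requests per minute; a rate limit slows guessing rather than blocking it, so suggest "This slows down brute-forcing attempts" to avoid overstating what the rule achieves.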
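Review bot: the new commit/save block at the end of the hardening hunk commits two lockout-prone changes together, `delete system login user vyos` and `set service ssh disable-password-authentication`. Suggest adding a sentence before the block telling readers to keep their current SSH session open and, after `commit`, confirm from a second session that key-based login as the new user still works before running `save` and `exit`, since the saved `/config/config.boot` is what survives a reboot.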