Site-to-Site OpenVPN on VyOS

This tutorial covers the configuration of a site-to-site VPN on VyOS using a pre-shared (static) key. Static key configuration is the simplest setup and suits point-to-point VPNs or proof-of-concept testing. Its advantages are simple setup and no X.509 PKI (Public Key Infrastructure) to maintain. Its disadvantages are limited scalability (one client, one server) and the lack of perfect forward secrecy: a key compromise discloses all previous sessions. Also, the secret key must exist in plain-text form on each VPN peer and must be exchanged over a pre-existing secure channel.

Our lab consists of two remote sites (Picture 1). A router running the VyOS network OS sits at each site, connecting the computers PC1 and PC2 to their respective LANs. Both VyOS routers are configured for OpenVPN site-to-site mode and also perform NAT (PAT) and firewall services.

Picture 1 - Network Topology

1. VyOS Site1 Configuration

1.1 Hostname, IP addresses, SSH

vyos@vyos:~$ configure
vyos@vyos# set system host-name Site1

vyos@vyos# commit
vyos@vyos# save

vyos@Site1# set interfaces ethernet eth1 address 10.0.0.254/24
vyos@Site1# set interfaces ethernet eth0 address 11.0.2.1/24

vyos@Site1# set service ssh

vyos@Site1# commit
vyos@Site1# exit

Generate the OpenVPN shared-secret key.

vyos@Site1:~$ generate openvpn key /config/auth/openvpn.key

Move to part 2.1 to configure IP connectivity between the routers Site1 and Site2, and enable the SSH service on both routers. Then copy the file openvpn.key containing the shared key from router Site1 to router Site2.

vyos@Site1:~$ sudo scp -rv /config/auth/openvpn.key vyos@11.0.2.2:/config/auth/
vyos@Site1:~$ configure
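
The intro points out that the static key sits in plain text on both peers, and the scp step above leaves two copies to keep in sync. The following added example (not from the tutorial or the VyOS project) is a small Python checker for such a key file: it parses the OpenVPN "Static key V1" layout, rejects truncated or corrupted files, reports a key file that is readable by group or world, and produces a SHA-256 fingerprint of the decoded key so both routers can be compared without ever displaying the key itself. The sample key is constructed (the byte values 0 to 255), not a real key; the comment-block layout mirrors what "openvpn --genkey" writes, and the 0600 expectation is an assumption about how the key should be protected.

```python
import hashlib
import os
import re
import stat

# "Static key V1" file layout: an optional "#" comment block, a BEGIN line,
# 16 lines of 32 hex characters (256 bytes = 2048 bits) and an END line.
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")


def render_static_key(key: bytes) -> str:
    """Serialise raw key bytes in the V1 layout (only used here to build the
    constructed sample; on a router the key comes from 'generate openvpn key')."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"static key must be {KEY_BYTES} bytes, got {len(key)}")
    hexed = key.hex()
    lines = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *lines, FOOTER]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes, or raise ValueError when the file is malformed
    (missing header/footer, a bad line, or the wrong total size)."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("missing OpenVPN Static key V1 header or footer")
    body = lines[1:-1]
    for ln in body:
        if not HEX_LINE.match(ln):
            raise ValueError(f"bad key line: {ln!r}")
    key = bytes.fromhex("".join(body))
    if len(key) != KEY_BYTES:
        raise ValueError(f"key is {len(key)} bytes, expected {KEY_BYTES}")
    return key


def key_fingerprint(text: str) -> str:
    """SHA-256 of the decoded key; compare this value on both peers instead
    of pasting the key itself into a ticket or chat."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()


def check_key_mode(mode: int) -> list:
    """Findings for the permission bits of a key file (mode as from os.stat).
    Assumption: the key should be owner-only, i.e. 0600."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"key file is group/world accessible (mode {stat.S_IMODE(mode):04o}); expected 0600")
    return findings


def check_key_file(path: str) -> list:
    """Report permission and format problems for the key file at `path`."""
    findings = check_key_mode(os.stat(path).st_mode)
    with open(path, encoding="ascii") as fh:
        try:
            parse_static_key(fh.read())
        except ValueError as exc:
            findings.append(f"malformed key: {exc}")
    return findings


# Constructed sample key (NOT a real key): the byte values 0..255 in order.
SAMPLE_KEY = bytes(range(KEY_BYTES))
SAMPLE_KEY_TEXT = render_static_key(SAMPLE_KEY)

if __name__ == "__main__":
    print("fingerprint:", key_fingerprint(SAMPLE_KEY_TEXT))
    print("findings for mode 0644:", check_key_mode(0o644))
```

Run check_key_file("/config/auth/openvpn.key") on each router and compare the fingerprints; a difference means the copy step did not produce identical keys and the tunnel will not come up.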

1.2 OpenVPN Tunnel

Create a tunnel interface vtun0.

vyos@Site1# set interfaces openvpn vtun0 local-address 192.168.1.1
vyos@Site1# set interfaces openvpn vtun0 mode site-to-site
vyos@Site1# set interfaces openvpn vtun0 remote-address 192.168.1.2
vyos@Site1# set interfaces openvpn vtun0 remote-host 11.0.2.2
vyos@Site1# set interfaces openvpn vtun0 shared-secret-key-file /config/auth/openvpn.key
vyos@Site1# set interfaces openvpn vtun0 hash sha512
vyos@Site1# set interfaces openvpn vtun0 encryption aes256

Add a static interface route that uses the OpenVPN tunnel interface vtun0 as the next hop.

vyos@Site1# set protocols static interface-route 10.0.1.0/24 next-hop-interface vtun0

1.3 Port Address Translation (PAT)

Packets sent from 10.0.0.0/24 to 10.0.1.0/24 through the VPN tunnel must be excluded from NAT (rule 10). Traffic sent from 10.0.0.0/24 to any other address (outside the tunnel) must be translated to the public address 11.0.2.1 (rule 20); otherwise the ISP will filter it, because traffic from private IP addresses is not allowed to enter the public Internet.

vyos@Site1# set nat source rule 10 description 'exclude_10.0.0.0/24_from_nat'
vyos@Site1# set nat source rule 10 destination address '10.0.1.0/24'
vyos@Site1# set nat source rule 10 exclude
vyos@Site1# set nat source rule 10 outbound-interface 'eth0'

vyos@Site1# set nat source rule 20 description 'include_10.0.0.0/24_to_nat'
vyos@Site1# set nat source rule 20 outbound-interface 'eth0'
vyos@Site1# set nat source rule 20 source address '10.0.0.0/24'
vyos@Site1# set nat source rule 20 translation address 'masquerade'
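
Source NAT rules are evaluated in ascending rule number and the first match wins, which is why the exclude rule (10) has to precede the masquerade rule (20). The following added example (written for this page, not part of the tutorial or of VyOS) models that first-match evaluation over the two Site1 rules and shows the failure mode when the exclude rule is numbered after the masquerade rule: tunnel-bound traffic then leaves with the public address and the far side never sees the 10.0.0.0/24 source. The interface-to-address map and the sample packets are constructed for the example; 203.0.113.10 is a documentation address standing in for any Internet destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address of each outbound interface (Site1 values from the tutorial).
INTERFACE_ADDRESS = {"eth0": "11.0.2.1"}


@dataclass(frozen=True)
class SnatRule:
    """One 'nat source rule N' entry; None means the field is unset (matches any)."""
    number: int
    outbound_interface: str
    source: Optional[str] = None        # 'source address' network
    destination: Optional[str] = None   # 'destination address' network
    exclude: bool = False               # 'exclude': matched traffic is not translated
    translation: Optional[str] = None   # 'translation address' ('masquerade' here)

    def matches(self, src: str, dst: str, out_iface: str) -> bool:
        if out_iface != self.outbound_interface:
            return False
        if self.source and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if self.destination and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        return True


def apply_source_nat(rules, src: str, dst: str, out_iface: str):
    """Return (source address after NAT, number of the rule that matched).
    Rules are tried in ascending number; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(src, dst, out_iface):
            continue
        if rule.exclude:
            return src, rule.number
        if rule.translation == "masquerade":
            return INTERFACE_ADDRESS[out_iface], rule.number
        return rule.translation or src, rule.number
    return src, None


# The two Site1 rules as configured above.
SITE1_RULES = [
    SnatRule(10, "eth0", destination="10.0.1.0/24", exclude=True),
    SnatRule(20, "eth0", source="10.0.0.0/24", translation="masquerade"),
]

# Same rules with the exclude numbered AFTER the masquerade: a misconfiguration.
MISORDERED_RULES = [
    SnatRule(30, "eth0", destination="10.0.1.0/24", exclude=True),
    SnatRule(20, "eth0", source="10.0.0.0/24", translation="masquerade"),
]

if __name__ == "__main__":
    for rules, label in ((SITE1_RULES, "correct"), (MISORDERED_RULES, "misordered")):
        print(label, "tunnel:", apply_source_nat(rules, "10.0.0.1", "10.0.1.1", "eth0"))
        print(label, "internet:", apply_source_nat(rules, "10.0.0.1", "203.0.113.10", "eth0"))
```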

1.4 Firewall

vyos@Site1# set firewall name outside_local default-action drop
vyos@Site1# set firewall name outside_local enable-default-log
vyos@Site1# set firewall name outside_local rule 10 description 'incoming_established'
vyos@Site1# set firewall name outside_local rule 10 action 'accept'
vyos@Site1# set firewall name outside_local rule 10 state established 'enable'
vyos@Site1# set firewall name outside_local rule 10 state related 'enable'

vyos@Site1# set firewall name outside_local rule 20 description 'allow_openvpn'
vyos@Site1# set firewall name outside_local rule 20 action 'accept'
vyos@Site1# set firewall name outside_local rule 20 source address '11.0.2.2/32'
vyos@Site1# set firewall name outside_local rule 20 source port '1194'
vyos@Site1# set firewall name outside_local rule 20 destination address '11.0.2.1/32'
vyos@Site1# set firewall name outside_local rule 20 destination port '1194'
vyos@Site1# set firewall name outside_local rule 20 protocol 'udp'

vyos@Site1# set firewall name outside_in default-action drop
vyos@Site1# set firewall name outside_in enable-default-log
vyos@Site1# set firewall name outside_in rule 10 action 'accept'
vyos@Site1# set firewall name outside_in rule 10 state established 'enable'
vyos@Site1# set firewall name outside_in rule 10 state related 'enable'

vyos@Site1# set interfaces ethernet eth0 firewall in name outside_in
vyos@Site1# set interfaces ethernet eth0 firewall local name outside_local

vyos@Site1# commit
vyos@Site1# save
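
With enable-default-log set on both rule sets, every packet that falls through to the default drop is logged, and with a static-key tunnel exactly one peer (11.0.2.2) should ever send UDP to port 1194 on eth0. The following added example (not from the tutorial or from VyOS) parses such firewall log lines, counts drops per source, protocol and destination port, and lists any source other than the configured peer whose traffic to the OpenVPN port was dropped, which is the signal a defender would watch for. The log lines are constructed; the prefix layout "[name-rule-A|D|R]" followed by netfilter's KEY=VALUE fields is assumed and LOG_PREFIX should be adjusted if a given VyOS release formats it differently.

```python
import re
from collections import Counter

# Assumed prefix layout: "[<firewall-name>-<rule|default>-<A|D|R>]" then
# netfilter's standard KEY=VALUE fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...).
LOG_PREFIX = re.compile(r"\[(?P<chain>[^\]]+?)-(?P<rule>default|\d+)-(?P<action>[ADR])\](?P<fields>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines (198.51.100.0/24 is a documentation range).
SAMPLE_LOG = [
    "Jan 10 12:00:01 Site1 kernel: [outside_local-default-D]IN=eth0 OUT= SRC=198.51.100.7 DST=11.0.2.1 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Jan 10 12:00:03 Site1 kernel: [outside_local-default-D]IN=eth0 OUT= SRC=198.51.100.7 DST=11.0.2.1 LEN=40 PROTO=UDP SPT=40000 DPT=1194",
    "Jan 10 12:00:05 Site1 kernel: [outside_local-20-A]IN=eth0 OUT= SRC=11.0.2.2 DST=11.0.2.1 LEN=100 PROTO=UDP SPT=1194 DPT=1194",
    "Jan 10 12:00:09 Site1 kernel: [outside_in-default-D]IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=44444 DPT=445 SYN",
    "Jan 10 12:00:11 Site1 kernel: [outside_local-default-D]IN=eth0 OUT= SRC=198.51.100.7 DST=11.0.2.1 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN",
    "Jan 10 12:00:12 Site1 sshd[1201]: Accepted publickey for vyos from 10.0.0.1 port 50000",
]


def parse_firewall_log(line: str):
    """Return a dict with chain/rule/action plus the KEY=VALUE fields, or None
    when the line is not a firewall log entry."""
    m = LOG_PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "rule": m["rule"], "action": m["action"]}
    rec.update(FIELD.findall(m["fields"]))
    return rec


def summarize_drops(lines):
    """Count dropped packets per (chain, source, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_firewall_log(line)
        if rec and rec["action"] == "D":
            counts[(rec["chain"], rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


def unexpected_openvpn_sources(lines, expected_peer: str, port: str = "1194"):
    """Sources other than the configured peer whose UDP traffic to the OpenVPN
    port was dropped by outside_local; with a static-key tunnel nothing but the
    peer should be talking to that port."""
    found = set()
    for line in lines:
        rec = parse_firewall_log(line)
        if not rec or rec["action"] != "D" or rec["chain"] != "outside_local":
            continue
        if rec.get("PROTO") == "UDP" and rec.get("DPT") == port and rec.get("SRC") not in (None, expected_peer):
            found.add(rec["SRC"])
    return sorted(found)


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).most_common():
        print(n, key)
    print("unexpected sources on 1194:", unexpected_openvpn_sources(SAMPLE_LOG, "11.0.2.2"))
```

On a live router the same functions can be fed the output of "show log firewall" or the kernel log; the summary is what makes a noisy scan against port 22 or the VPN port stand out from the single accepted peer.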

2. VyOS Site2 Configuration

2.1 Hostname, IP addresses, SSH

vyos@vyos:~$ configure
vyos@vyos# set system host-name Site2

vyos@vyos# commit
vyos@vyos# save

vyos@Site2# set interfaces ethernet eth0 address 11.0.2.2/24
vyos@Site2# set interfaces ethernet eth1 address 10.0.1.254/24

2.2 OpenVPN Tunnel

vyos@Site2# set interfaces openvpn vtun0 local-address 192.168.1.2
vyos@Site2# set interfaces openvpn vtun0 mode site-to-site
vyos@Site2# set interfaces openvpn vtun0 remote-address 192.168.1.1
vyos@Site2# set interfaces openvpn vtun0 remote-host 11.0.2.1
vyos@Site2# set interfaces openvpn vtun0 shared-secret-key-file /config/auth/openvpn.key
vyos@Site2# set interfaces openvpn vtun0 hash sha512
vyos@Site2# set interfaces openvpn vtun0 encryption aes256

Add a static interface route that uses the OpenVPN tunnel interface vtun0 as the next hop.

vyos@Site2# set protocols static interface-route 10.0.0.0/24 next-hop-interface vtun0

2.3 Port Address Translation (PAT)

vyos@Site2# set nat source rule 10 description 'exclude_10.0.1.0/24_from_nat'
vyos@Site2# set nat source rule 10 destination address '10.0.0.0/24'
vyos@Site2# set nat source rule 10 exclude
vyos@Site2# set nat source rule 10 outbound-interface 'eth0'

vyos@Site2# set nat source rule 20 description 'include_10.0.1.0/24_to_nat'
vyos@Site2# set nat source rule 20 outbound-interface 'eth0'
vyos@Site2# set nat source rule 20 source address '10.0.1.0/24'
vyos@Site2# set nat source rule 20 translation address 'masquerade'

2.4 Firewall

vyos@Site2# set firewall name outside_local default-action drop
vyos@Site2# set firewall name outside_local enable-default-log
vyos@Site2# set firewall name outside_local rule 10 description 'incoming_established'
vyos@Site2# set firewall name outside_local rule 10 action 'accept'
vyos@Site2# set firewall name outside_local rule 10 state established 'enable'
vyos@Site2# set firewall name outside_local rule 10 state related 'enable'

vyos@Site2# set firewall name outside_local rule 20 description 'allow_openvpn'
vyos@Site2# set firewall name outside_local rule 20 action 'accept'
vyos@Site2# set firewall name outside_local rule 20 source address '11.0.2.1/32'
vyos@Site2# set firewall name outside_local rule 20 source port '1194'
vyos@Site2# set firewall name outside_local rule 20 destination address '11.0.2.2/32'
vyos@Site2# set firewall name outside_local rule 20 destination port '1194'
vyos@Site2# set firewall name outside_local rule 20 protocol 'udp'

vyos@Site2# set firewall name outside_in default-action drop
vyos@Site2# set firewall name outside_in enable-default-log
vyos@Site2# set firewall name outside_in rule 10 action 'accept'
vyos@Site2# set firewall name outside_in rule 10 state established 'enable'
vyos@Site2# set firewall name outside_in rule 10 state related 'enable'

vyos@Site2# set interfaces ethernet eth0 firewall in name outside_in
vyos@Site2# set interfaces ethernet eth0 firewall local name outside_local

vyos@Site2# commit
vyos@Site2# save

3. Testing

Check the status of the tunnel with the command below.

vyos@Site1:~$ show openvpn site-to-site status

Picture 2 - Checking Status of OpenVPN Tunnel on VyOS Site1

Issue the ping command from PC1 (10.0.0.1/24) to PC2 (10.0.1.1/24) to check connectivity (Picture 3).

Picture 3 - Checking Connectivity Between PC1 and PC2

End.
