b58002a3f621ec6a06c05143176965cfdbd45cda
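--- a/howto/vyos.md
+++ b/howto/vyos.md
@@ -1,47 +1,104 @@
 #VyOS
-VyOS is an open source router. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
-
+VyOS is an open source software router. It is feature rich and supports multiple deployment options such as physical hardware (Old PC's) or a VPC/VM. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
+
 It can be downloaded here https://www.vyos.io/rolling-release/.
-
 
-While _1.3-rolling-202004300117_ is a known good release to fallback to, at this time it's recommended to grab the latest nightly build.
+## Firewall Baseline
+We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your network’s edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface. The examples here only cover **IPv4**, but the same concepts can be applied to **IPv6** rulesets.
 
+By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands.
+```
+set firewall state-policy established action 'accept'
+set firewall state-policy related action 'accept'
+```
 
-##Quick Start
-###Quick to-do-list from router deployment to receiving DN42 routes
-1. Establish internet connectivity.
-2. Setup Wireguard.
-3. Setup BGP.
-4. `show ip route`
+We also need to accept invalids on our network’s edge. More on this is explained [here](https://wiki.dn42/howto/networksettings.md). However, this should not become common practice elsewhere.
+```
+set firewall state-policy invalid action 'accept'
+```
 
+The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** is your assigned address space.
+```
+#Create Groups
+set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8'
+set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14'
+
+#Inbound Connections
+set firewall name Tunnels_In_v4 default-action 'drop'
+set firewall name Tunnels_In_v4 enable-default-log
+set firewall name Tunnels_In_v4 rule 68 action 'drop'
+set firewall name Tunnels_In_v4 rule 68 description 'Block Traffic to DN42 Space'
+set firewall name Tunnels_In_v4 rule 68 source address '172.20.20.0/24'
+set firewall name Tunnels_In_v4 rule 68 log 'enable'
+set firewall name Tunnels_In_v4 rule 68 action 'drop'
+set firewall name Tunnels_In_v4 rule 69 description 'Block Traffic to DN42 Space'
+set firewall name Tunnels_In_v4 rule 69 destination address '172.20.20.0/24'
+set firewall name Tunnels_In_v4 rule 69 log 'enable'
+set firewall name Tunnels_In_v4 rule 70 action 'accept'
+set firewall name Tunnels_In_v4 rule 70 description 'Allow Peer Transit'
+set firewall name Tunnels_In_v4 rule 70 destination group network-group 'Allowed-Transit-v4'
+set firewall name Tunnels_In_v4 rule 70 source group network-group 'Allowed-Transit-v4'
+set firewall name Tunnels_In_v4 rule 70 log 'enable'
+set firewall name Tunnels_In_v4 rule 98 action 'drop'
+set firewall name Tunnels_In_v4 rule 98 description 'Black Hole'
+set firewall name Tunnels_In_v4 rule 98 destination address '0.0.0.0/0'
+set firewall name Tunnels_In_v4 rule 98 log 'enable'
+set firewall name Tunnels_In_v4 rule 99 action 'drop'
+set firewall name Tunnels_In_v4 rule 99 description 'Black Hole'
+set firewall name Tunnels_In_v4 rule 99 log 'enable'
+set firewall name Tunnels_In_v4 rule 99 source address '0.0.0.0/0'
+
+#Local Connections
+set firewall name Tunnels_Local_v4 default-action 'drop'
+set firewall name Tunnels_Local_v4 rule 61 action 'accept'
+set firewall name Tunnels_Local_v4 rule 61 description 'Allow BGP'
+set firewall name Tunnels_Local_v4 rule 61 destination port '179'
+set firewall name Tunnels_Local_v4 rule 61 protocol 'tcp'
+set firewall name Tunnels_Local_v4 rule 98 action 'drop'
+set firewall name Tunnels_Local_v4 rule 98 description 'Black Hole'
+set firewall name Tunnels_Local_v4 rule 98 log 'enable'
+set firewall name Tunnels_Local_v4 rule 98 destination address '0.0.0.0/0'
+set firewall name Tunnels_Local_v4 rule 99 action 'drop'
+set firewall name Tunnels_Local_v4 rule 99 description 'Black Hole'
+set firewall name Tunnels_Local_v4 rule 99 log 'enable'
+set firewall name Tunnels_Local_v4 rule 99 source address '0.0.0.0/0'
+```
 
-##Wireguard
-###Setup Keys
-`generate wireguard default-keypair`
-`show wireguard keypairs pubkey default`
+## Wireguard
+### Setup Keys
+```
+generate wireguard default-keypair
+show wireguard keypairs pubkey default
+```
 _Grab your public key and save it for later. This will be shared with peers._
-###Configure Peer Tunnel
-Your peer should provide their endpoint public IP, port, single DN42 address, and Wireguard public key.
-
-`set interfaces wireguard wg01 address '172.x.x.x/32'`
-_this is a single address within your DN42 registered address space_
-`set interfaces wireguard wg01 peer OtherGuy1 allowed-ips '0.0.0.0/0''`
-_it's just easier to filter traffic with the firewall_
-`set interfaces wireguard wg01 peer OtherGuy1 address 'x.x.x.x'`
-_this is the public IP of your peers endpoint_
-`set interfaces wireguard wg01 OtherGuy1 port '12345'`
-_the configured port on your peers endpoint_
-`set interfaces wireguard wg01 peer OtherGuy1 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='`
-_your peers public wireguard key_
-`set interfaces wireguard wg01 port '12345'`
-_the port your wireguard endpoint will "listen" on_
-###Set Static Route
-In case you are wondering how you are going to route packets anywhere with a /32, the next command explains it all.
-
-`set protocols static interface-route 172.x.x.x/32 next-hop-interface wg01`
-_this is a single provided address by your peer that is assigned to them in the registry_
-
-While a normal world configuration may allow multiple peers on one Wireguard interface, the configuration explained on this page will not work correctly if multiple peers are defined on the same interface.
+### Configure First Peer
+```
+#Your DN42 Address
+set interfaces wireguard wg92 address '172.20.20.1/32'
+
+#Apply Description and Firewall
+set interfaces wireguard wg92 description 'First Peer Example'
+set interfaces wireguard wg92 firewall in name 'Tunnels_In_v4'
+set interfaces wireguard wg92 firewall local name 'Tunnels_Local_v4'
+
+#Peer Endpoint Address (Clearnet)
+set interfaces wireguard wg92 peer de2 address '116.203.141.239'
+
+#Best to allow everything here - This is why we have a firewall
+set interfaces wireguard wg92 peer de2 allowed-ips '0.0.0.0/0'
+
+#First Peer's Endpoint Port and Public Key
+set interfaces wireguard wg92 peer de2 port '12345'
+set interfaces wireguard wg92 peer de2 pubkey 'B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY='
+
+#Port Your Endpoint Listens On
+set interfaces wireguard wg92 port '12345'
+
+#Set static interface route to first peers /32 DN42 IPv4 on their tunnel endpoint
+set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
+```
+
+
 
 
 ##BGP
@@ -92,162 +149,4 @@ This example allows all routes in unless they are marked invalid or in other wor
 ```
 set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
 set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
-```
-
-##Example Firewall
-In this example our VyOS router has one upstream uplink on **eth0**, and two tunnels/peers on **wg1** and **wg2**. We have two access lists: one for transit connections and one for local connections from our peer (BGP). Notice on the transit access list we don't black hole **invalid** packets - logic behind this is explained [here](https://wiki.dn42/howto/networksettings.md).
-
-####Interfaces
-````
- ethernet eth0 {
- address 192.168.1.2/30
- description "Upstream/ISP"
- hw-id 00:00:00:00:00:00
- }
- wireguard wg1 {
- address 172.x.x.x/32
- description "Tunnel 1"
- firewall {
- in {
- name Tunnels_Inbound
- }
- local {
- name Peer_Local_Connections
- }
- }
- peer us-east01 {
- address x.x.x.x
- allowed-ips 0.0.0.0/0
- port 1100
- pubkey ***
- }
- port 1101
- }
- wireguard wg2 {
- address 172.x.x.x/32
- description "Tunnel 2"
- firewall {
- in {
- name Tunnels_Inbound
- }
- local {
- name Peer_Local_Connections
- }
- }
- peer us-east02 {
- address x.x.x.x
- allowed-ips 0.0.0.0/0
- port 1102
- pubkey ***
- }
- port 1103
- }
-````
-####Firewall Rules
-````
-
- group {
- network-group Allowed-Transit {
- network 10.0.0.0/8
- network 172.20.0.0/14
- }
- }
- name Peer_Local_Connections {
- default-action drop
- rule 1 {
- action accept
- description "Enable Stateful"
- state {
- established enable
- related enable
- }
- }
- rule 10 {
- action accept
- description "Allow BGP"
- destination {
- port 179
- }
- protocol tcp
- source {
- address x.x.x.x **Peer 1 IP
- }
- }
- rule 11 {
- action accept
- description "Allow BGP"
- destination {
- port 179
- }
- protocol tcp
- source {
- address x.x.x.x **Peer 2 IP
- }
- }
- rule 98 {
- action drop
- description "Black Hole"
- log enable
- source {
- address 0.0.0.0/0
- }
- }
- rule 99 {
- action drop
- description "Black Hole"
- log enable
- state {
- invalid enable
- }
- }
- }
- name Tunnels_Inbound {
- default-action drop
- rule 1 {
- action accept
- description "Enable Stateful"
- state {
- established enable
- related enable
- }
- }
- rule 50 {
- action accept
- description "Allow Peer Transit"
- destination {
- group {
- network-group Allowed-Transit
- }
- }
- log enable
- source {
- group {
- network-group Allowed-Transit
- }
- }
- }
- rule 99 {
- action drop
- description "Black Hole"
- log enable
- source {
- address 0.0.0.0/0
- }
- }
- }
-````
-
-
-
-
-This page is a work in progress from Owens Research. Feel free to contact for suggestions or questions.
-
-
-
-
-
-
-
-
-
-
+```
\ No newline at end of file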
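Review bot: In the Tunnels_In_v4 block of the first hunk, rule 69 never receives an action: the line `set firewall name Tunnels_In_v4 rule 68 action 'drop'` is repeated where the rule 69 action belongs, so the rule carrying the "Block Traffic to DN42 Space" destination match has description, destination and log but no verdict, and as far as I recall VyOS refuses to commit a firewall rule without an action, which would make the whole pasted template fail. Change the second occurrence to `set firewall name Tunnels_In_v4 rule 69 action 'drop'`. Separately, since rule 69 is evaluated before rule 70 and 172.20.20.0/24 lies inside the Allowed-Transit-v4 group, it drops every forwarded packet from peers destined to your own prefix; if that is intended (the router only offers transit), a sentence saying so in the paragraph above the block would save readers who expect peers to reach hosts in their space from debugging a silent drop.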