#VyOS VyOS is an open source router. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
It can be downloaded here https://www.vyos.io/rolling-release/.
1.3-rolling-202004300117 is a known good release to work with Wireguard and DN42.
##Quick Start ###Quick to-do-list from router deployment to receiving DN42 routes
- Establish internet connectivity.
- Setup Wireguard.
- Setup BGP.
show ip route
##Wireguard
###Setup Keys
generate wireguard default-keypair
show wireguard keypairs pubkey default
Grab your public key and save it for later. This will be shared with peers.
###Configure Peer Tunnel
Your peer should provide their endpoint public IP, port, single DN42 address, and Wireguard public key.
set interfaces wireguard wg01 address '172.x.x.x/32'
this is a single address within your DN42 registered address space
set interfaces wireguard wg01 peer OtherGuy1 allowed-ips '0.0.0.0/0''
it's just easier to filter traffic with the firewall
set interfaces wireguard wg01 peer OtherGuy1 address 'x.x.x.x'
this is the public IP of your peers endpoint
set interfaces wireguard wg01 OtherGuy1 port '12345'
the configured port on your peers endpoint
set interfaces wireguard wg01 peer OtherGuy1 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
your peers public wireguard key
set interfaces wireguard wg01 port '12345'
the port your wireguard endpoint will "listen" on
###Set Static Route
In case you are wondering how you are going to route packets anywhere with a /32, the next command explains it all.
set protocols static interface-route 172.x.x.x/32 next-hop-interface wg01
this is a single provided address by your peer that is assigned to them in the registry
While a normal world configuration may allow multiple peers on one Wireguard interface, the configuration explained on this page will not work correctly if multiple peers are defined on the same interface.
##BGP
Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
###Initial Router Setup
set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x\x
Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers.
set protocols bgp 424242XXX parameters router-id 172.x.x.x
To keep it simple just make your router ID match your lower IP within the DN42 registered space.
###Neighbor Up With Peers
set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast
This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel.
set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20
This setting may need to be adjusted depending on circumstances
set protocols bgp 424242XXXX neighbor 172.x.x.x remote-as 424242XXXX
Your peers ASN
show ip bgp summary
##RPKI/ROA Checking ###Setup RPKI Caching Server Burble has made this super easy. More info can be found here on this wiki. Get started by running the below command on a Linux server with Docker installed.
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
``
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
###Point VyOS Router at RPKI Caching Server
`set protocols rpki cache GoRTR address x.x.x.x`
`set protocols rpki cache GoRTR port 8082`
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
###Create Route Map
set policy route-map DN42-ROA rule 10 action 'permit'
set policy route-map DN42-ROA rule 10 match rpki 'valid'
set policy route-map DN42-ROA rule 20 action 'permit'
set policy route-map DN42-ROA rule 20 match rpki 'notfound'
set policy route-map DN42-ROA rule 30 action 'deny'
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
###Assign Route Map to Neighbor
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROAset protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
###Example Firewall
In this example our VyOS router has one upstream uplink on **eth0**, and two tunnels/peers on **wg1** and **wg2**. We have two access lists: one for transit connections and one for local connections from our peer (BGP). Notice on the transit access list we don't black hole **invalid** packets - logic behind this is explained [here](https://wiki.dn42/howto/networksettings.md).
####Interfaces
ethernet eth0 { address 192.168.1.2/30 description "Upstream/ISP" hw-id 00:00:00:00:00:00 } wireguard wg1 { address 172.x.x.x/32 description "Tunnel 1" firewall { in { name Tunnels_Inbound } local { name Peer_Local_Connections } } peer us-east01 { address x.x.x.x allowed-ips 0.0.0.0/0 port 1100 pubkey ** } port 1101 } wireguard wg99 { address 172.x.x.x/32 description "Tunnel 2" firewall { in { name Tunnels_Inbound } local { name Peer_Local_Connections } } peer us-east02 { address x.x.x.x allowed-ips 0.0.0.0/0 port 1102 pubkey ** } port 1103 }
####Firewall Rules
group { network-group Allowed-Transit { network 10.0.0.0/8 network 172.20.0.0/14 } } name Peer_Local_Connections { default-action drop rule 1 { action accept description "Enable Stateful" state { established enable related enable } } rule 10 { action accept description "Allow BGP" destination { port 179 } protocol tcp source { address x.x.x.x **Peer 1 IP } } rule 11 { action accept description "Allow BGP" destination { port 179 } protocol tcp source { address x.x.x.x **Peer 2 IP } } rule 98 { action drop description "Black Hole" log enable source { address 0.0.0.0/0 } } rule 99 { action drop description "Black Hole" log enable state { invalid enable } } } name Tunnels_Inbound { default-action drop rule 1 { action accept description "Enable Stateful" state { established enable related enable } } rule 50 { action accept description "Allow Peer Transit" destination { group { network-group Allowed-Transit } } log enable source { group { network-group Allowed-Transit } } } rule 99 { action drop description "Black Hole" log enable source { address 0.0.0.0/0 } } } ````
This page is a work in progress from Owens Research. Feel free to contact for suggestions or questions.