#VyOS VyOS is an open source router. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
It can be downloaded here https://www.vyos.io/rolling-release/.
1.3-rolling-202004300117 is a known good release to work with Wireguard and DN42.
##Quick Start ###Quick to-do-list from router deployment to receiving DN42 routes
- Establish internet connectivity.
- Setup Wireguard.
- Setup BGP.
show ip route
##Wireguard
###Setup Keys
generate wireguard default-keypair
show wireguard keypairs pubkey default
Grab your public key and save it for later. This will be shared with peers.
###Configure Peer Tunnel
Your peer should provide their endpoint public IP, port, single DN42 address, and Wireguard public key.
set interfaces wireguard wg01 address '172.x.x.x/32'
this is a single address within your DN42 registered address space
set interfaces wireguard wg01 peer OtherGuy1 allowed-ips '0.0.0.0/0''
it's just easier to filter traffic with the firewall
set interfaces wireguard wg01 peer OtherGuy1 address 'x.x.x.x'
this is the public IP of your peers endpoint
set interfaces wireguard wg01 OtherGuy1 port '12345'
the configured port on your peers endpoint
set interfaces wireguard wg01 peer OtherGuy1 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
your peers public wireguard key
set interfaces wireguard wg01 port '12345'
the port your wireguard endpoint will "listen" on
###Set Static Route
In case you are wondering how you are going to route packets anywhere with a /32, the next command explains it all.
set protocols static interface-route 172.x.x.x/32 next-hop-interface wg01
this is a single provided address by your peer that is assigned to them in the registry
While a normal world configuration may allow multiple peers on one Wireguard interface, the configuration explained on this page will not work correctly if multiple peers are defined on the same interface.
##BGP
Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
###Initial Router Setup
set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x\x
Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers.
set protocols bgp 424242XXX parameters router-id 172.x.x.x
To keep it simple just make your router ID match your lower IP within the DN42 registered space.
###Neighbor Up With Peers
set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast
This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel.
set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20
This setting may need to be adjusted depending on circumstances
set protocols bgp 424242XXXX neighbor 172.x.x.x remote-as 424242XXXX
Your peers ASN
show ip bgp summary
##RPKI/ROA Checking ###Setup RPKI Caching Server Burble has made this super easy. More info can be found here on this wiki. Get started by running the below command on a Linux server with Docker installed.
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
###Point VyOS Router at RPKI Caching Server
set protocols rpki cache GoRTR address x.x.x.x
set protocols rpki cache GoRTR port 8082
You can check the connection with show rpki cache-connection
and the received prefix-table with show rpki prefix-table
.
###Create Route Map
set policy route-map DN42-ROA rule 10 action 'permit'
set policy route-map DN42-ROA rule 10 match rpki 'valid'
set policy route-map DN42-ROA rule 20 action 'permit'
set policy route-map DN42-ROA rule 20 match rpki 'notfound'
set policy route-map DN42-ROA rule 30 action 'deny'
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.###Assign Route Map to Neighbor
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
###Example Firewall In this example our VyOS router has one upstream uplink on eth0, and two tunnels/peers on wg1 and wg2.
####Interfaces
ethernet eth0 {
address 192.168.1.2/30
description "Upstream/ISP"
firewall {
out {
name To_Upstream_Network
}
}
hw-id 00:00:00:00:00:00
}
wireguard wg1 {
address 172.x.x.x/32
description "Tunnel 1"
firewall {
in {
name Tunnels_Inbound
}
local {
name Peer_Local_Connections
}
}
peer us-east01 {
address x.x.x.x
allowed-ips 0.0.0.0/0
port 1100
pubkey ***
}
port 1101
}
wireguard wg99 {
address 172.x.x.x/32
description "Tunnel 2"
firewall {
in {
name Tunnels_Inbound
}
local {
name Peer_Local_Connections
}
}
peer us-east02 {
address x.x.x.x
allowed-ips 0.0.0.0/0
port 1102
pubkey ***
}
port 1103
}
####Firewall Rules
group {
network-group Allowed-Transit {
network 10.0.0.0/8
network 172.20.0.0/14
}
}
name Peer_Local_Connections {
default-action drop
rule 1 {
action accept
description "Enable Stateful"
state {
established enable
related enable
}
}
rule 10 {
action accept
description "Allow BGP"
destination {
port 179
}
protocol tcp
source {
address x.x.x.x **Peer 1 IP
}
}
rule 11 {
action accept
description "Allow BGP"
destination {
port 179
}
protocol tcp
source {
address x.x.x.x **Peer 2 IP
}
}
rule 98 {
action drop
description "Black Hole"
log enable
source {
address 0.0.0.0/0
}
}
rule 99 {
action drop
description "Black Hole"
log enable
state {
invalid enable
}
}
}
name Tunnels_Inbound {
default-action drop
rule 1 {
action accept
description "Enable Stateful"
state {
established enable
related enable
}
}
rule 50 {
action accept
description "Allow Peer Transit (DN42 Only)"
destination {
group {
network-group Allowed-Transit
}
}
log enable
source {
group {
network-group Allowed-Transit
}
}
}
rule 99 {
action drop
description "Black Hole"
log enable
source {
address 0.0.0.0/0
}
}
}
This page is a work in progress from Owens Research. Feel free to contact for suggestions or questions.