VyOS configuration
12 Feb 2017
Enable a stateful firewall (EXT-INT: only established/related traffic from the external interface is accepted; everything else is dropped)
set firewall name EXT-INT default-action 'drop'
set firewall name EXT-INT rule 10 action 'accept'
set firewall name EXT-INT rule 10 state established 'enable'
set firewall name EXT-INT rule 10 state related 'enable'
Allow inbound OpenVPN (1194/udp) and established/related traffic to the router itself (EXT-LOCAL). Note that no rule in this chain accepts SSH (22/tcp), so with the default-action 'drop' SSH is not reachable from the external interface and remains available only from the internal side.
set firewall name EXT-LOCAL default-action 'drop'
set firewall name EXT-LOCAL rule 40 action 'accept'
set firewall name EXT-LOCAL rule 40 description 'openvpn'
set firewall name EXT-LOCAL rule 40 destination port '1194'
set firewall name EXT-LOCAL rule 40 protocol 'udp'
set firewall name EXT-LOCAL rule 50 action 'accept'
set firewall name EXT-LOCAL rule 50 state established 'enable'
set firewall name EXT-LOCAL rule 50 state related 'enable'
Configure OpenVPN and SSH. Note that `--comp-lzo` enables tunnel compression, which current OpenVPN guidance recommends leaving disabled; SSH listens on all addresses ('0.0.0.0'), so its exposure is governed by the EXT-LOCAL firewall chain rather than by the listen-address.
set interfaces openvpn vtun0 openvpn-option '--proto udp'
set interfaces openvpn vtun0 openvpn-option '--ifconfig-pool-persist ipp.txt'
set interfaces openvpn vtun0 openvpn-option '--keepalive 10 120'
set interfaces openvpn vtun0 openvpn-option '--comp-lzo'
set interfaces openvpn vtun0 openvpn-option '--user nobody --group nogroup'
set interfaces openvpn vtun0 openvpn-option '--persist-key --persist-tun'
set interfaces openvpn vtun0 openvpn-option '--status openvpn-status.log'
set interfaces openvpn vtun0 openvpn-option '--verb 3'
set interfaces openvpn vtun0 openvpn-option '--mute 10'
set interfaces openvpn vtun0 openvpn-option '--port 1194'
set interfaces openvpn vtun0 openvpn-option '--dev vtun0'
set interfaces openvpn vtun0 server push-route '10.20.10.0/24'
set interfaces openvpn vtun0 server subnet '10.20.11.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/dh2048.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/server.key'
set service ssh listen-address '0.0.0.0'
set service ssh port '22'
Enable NAT and DHCP, and forward DNS (the DNS forwarder listens on the internal interface eth0 only)
set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 source address '10.20.10.0/24'
set nat source rule 100 translation address 'masquerade'
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN authoritative 'enable'
set service dhcp-server shared-network-name LAN subnet 10.20.10.0/24 default-router '10.20.10.1'
set service dhcp-server shared-network-name LAN subnet 10.20.10.0/24 dns-server '10.20.10.1'
set service dhcp-server shared-network-name LAN subnet 10.20.10.0/24 lease '3600'
set service dhcp-server shared-network-name LAN subnet 10.20.10.0/24 start 10.20.10.100 stop '10.20.10.254'
set service dns forwarding listen-on 'eth0'
Configure networking, NTP and DNS. The unquoted tokens IP, GW and HOSTNAME below appear to be placeholders to be replaced with the site's own external address, gateway and host name.
set interfaces ethernet eth0 address '10.20.10.1/24'
set interfaces ethernet eth0 description 'INT'
set interfaces ethernet eth1 address IP
set interfaces ethernet eth1 description 'EXT'
set interfaces ethernet eth1 firewall in name 'EXT-INT'
set interfaces ethernet eth1 firewall local name 'EXT-LOCAL'
set system gateway-address GW
set system host-name HOSTNAME
set system name-server IP
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system time-zone 'UTC'