74e18cef9c9c835cf9d707d28963f1d49a0a6c93
howto/vyos.md
| ... | ... | @@ -1,211 +0,0 @@ |
| 1 | -# VyOS |
|
| 2 | -VyOS is an open source software router. It is feature rich and supports multiple deployment options such as physical hardware (Old PC's) or a VPC/VM. The developers have a nightly rolling release that includes all the latest features such as Wireguard. |
|
| 3 | - |
|
| 4 | -It can be downloaded here https://www.vyos.io/rolling-release/. |
|
| 5 | - |
|
| 6 | -## Firewall Baseline |
|
| 7 | -We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your network’s edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface. The examples here only cover **IPv4**, but the same concepts can be applied to **IPv6** rulesets. |
|
| 8 | - |
|
| 9 | -By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands. |
|
| 10 | -``` |
|
| 11 | -set firewall state-policy established action 'accept' |
|
| 12 | -set firewall state-policy related action 'accept' |
|
| 13 | -``` |
|
| 14 | - |
|
| 15 | -We also need to accept invalids on our network’s edge. However, this should not become common practice elsewhere. |
|
| 16 | -``` |
|
| 17 | -set firewall state-policy invalid action 'accept' |
|
| 18 | -``` |
|
| 19 | - |
|
| 20 | -The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** is your assigned address space. |
|
| 21 | -``` |
|
| 22 | -#Create Groups |
|
| 23 | -set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8' |
|
| 24 | -set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14' |
|
| 25 | -set firewall group network-group Allowed-Transit-v4 network '172.31.0.0/16' |
|
| 26 | - |
|
| 27 | -#Inbound Connections |
|
| 28 | -set firewall name Tunnels_In_v4 default-action 'drop' |
|
| 29 | -set firewall name Tunnels_In_v4 enable-default-log |
|
| 30 | -set firewall name Tunnels_In_v4 rule 68 action 'drop' |
|
| 31 | -set firewall name Tunnels_In_v4 rule 68 description 'Block Traffic to Operator Assigned IP Space' |
|
| 32 | -set firewall name Tunnels_In_v4 rule 68 destination address '172.20.20.0/24' |
|
| 33 | -set firewall name Tunnels_In_v4 rule 68 log 'enable' |
|
| 34 | -set firewall name Tunnels_In_v4 rule 68 action 'drop' |
|
| 35 | -set firewall name Tunnels_In_v4 rule 70 action 'accept' |
|
| 36 | -set firewall name Tunnels_In_v4 rule 70 description 'Allow Peer Transit' |
|
| 37 | -set firewall name Tunnels_In_v4 rule 70 destination group network-group 'Allowed-Transit-v4' |
|
| 38 | -set firewall name Tunnels_In_v4 rule 70 source group network-group 'Allowed-Transit-v4' |
|
| 39 | -set firewall name Tunnels_In_v4 rule 70 log 'enable' |
|
| 40 | -set firewall name Tunnels_In_v4 rule 99 action 'drop' |
|
| 41 | -set firewall name Tunnels_In_v4 rule 99 description 'Black Hole' |
|
| 42 | -set firewall name Tunnels_In_v4 rule 99 log 'enable' |
|
| 43 | - |
|
| 44 | -#Local Connections |
|
| 45 | -set firewall name Tunnels_Local_v4 default-action 'drop' |
|
| 46 | -set firewall name Tunnels_Local_v4 rule 50 action 'accept' |
|
| 47 | -set firewall name Tunnels_Local_v4 rule 50 icmp |
|
| 48 | -set firewall name Tunnels_Local_v4 rule 50 protocol 'icmp' |
|
| 49 | -set firewall name Tunnels_Local_v4 rule 61 action 'accept' |
|
| 50 | -set firewall name Tunnels_Local_v4 rule 61 description 'Allow BGP' |
|
| 51 | -set firewall name Tunnels_Local_v4 rule 61 destination port '179' |
|
| 52 | -set firewall name Tunnels_Local_v4 rule 61 protocol 'tcp' |
|
| 53 | -set firewall name Tunnels_Local_v4 rule 98 action 'drop' |
|
| 54 | -set firewall name Tunnels_Local_v4 rule 98 description 'Black Hole' |
|
| 55 | -set firewall name Tunnels_Local_v4 rule 98 log 'enable' |
|
| 56 | -set firewall name Tunnels_Local_v4 rule 98 state invalid 'enable' |
|
| 57 | -set firewall name Tunnels_Local_v4 rule 99 action 'drop' |
|
| 58 | -set firewall name Tunnels_Local_v4 rule 99 description 'Black Hole' |
|
| 59 | -set firewall name Tunnels_Local_v4 rule 99 log 'enable' |
|
| 60 | -``` |
|
| 61 | - |
|
| 62 | -## Wireguard |
|
| 63 | -### Setup Keys |
|
| 64 | -``` |
|
| 65 | -generate wireguard default-keypair |
|
| 66 | -show wireguard keypairs pubkey default |
|
| 67 | -``` |
|
| 68 | -_Grab your public key and save it for later. This will be shared with peers._ |
|
| 69 | -### Configure First Peer |
|
| 70 | -``` |
|
| 71 | -#Your DN42 Address |
|
| 72 | -set interfaces wireguard wg92 address '172.20.20.1/32' |
|
| 73 | - |
|
| 74 | -#Apply Description and Firewall |
|
| 75 | -set interfaces wireguard wg92 description 'First Peer Example' |
|
| 76 | -set interfaces wireguard wg92 firewall in name 'Tunnels_In_v4' |
|
| 77 | -set interfaces wireguard wg92 firewall local name 'Tunnels_Local_v4' |
|
| 78 | - |
|
| 79 | -#Peer Endpoint Address (Clearnet) |
|
| 80 | -set interfaces wireguard wg92 peer location1 address '123.243.141.39' |
|
| 81 | - |
|
| 82 | -#Best to allow everything here - This is why we have a firewall |
|
| 83 | -set interfaces wireguard wg92 peer location1 allowed-ips '0.0.0.0/0' |
|
| 84 | - |
|
| 85 | -#First Peer's Endpoint Port and Public Key |
|
| 86 | -set interfaces wireguard wg92 peer location1 port '12345' |
|
| 87 | -set interfaces wireguard wg92 peer location1 pubkey '=kjhfkasdhjdsfasdefghjklfghjkl/' |
|
| 88 | - |
|
| 89 | -#Port Your Endpoint Listens On |
|
| 90 | -set interfaces wireguard wg92 port '12345' |
|
| 91 | - |
|
| 92 | -#Set static interface route to first peers /32 DN42 IPv4 on their tunnel endpoint |
|
| 93 | -set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92 |
|
| 94 | -``` |
|
| 95 | - |
|
| 96 | - |
|
| 97 | - |
|
| 98 | - |
|
| 99 | -## BGP |
|
| 100 | -Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP. |
|
| 101 | -### Initial Router Setup |
|
| 102 | -`set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x\x` |
|
| 103 | -_Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers._ |
|
| 104 | -`set protocols bgp 424242XXX parameters router-id 172.x.x.x` |
|
| 105 | -_To keep it simple just make your router ID match your lower IP within the DN42 registered space._ |
|
| 106 | -### Neighbor Up With Peers |
|
| 107 | -`set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast` |
|
| 108 | -_This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel._ |
|
| 109 | -`set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20` |
|
| 110 | -_This setting may need to be adjusted depending on circumstances_ |
|
| 111 | -`set protocols bgp 424242XXXX neighbor 172.x.x.x remote-as 424242XXXX` |
|
| 112 | -_Your peers ASN_ |
|
| 113 | - |
|
| 114 | -`show ip bgp summary` |
|
| 115 | - |
|
| 116 | -## RPKI/ROA Checking |
|
| 117 | -### Setup RPKI Caching Server |
|
| 118 | -Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed. |
|
| 119 | - |
|
| 120 | -``` |
|
| 121 | -sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082 |
|
| 122 | -``` |
|
| 123 | - |
|
| 124 | -This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network. |
|
| 125 | - |
|
| 126 | -### Point VyOS Router at RPKI Caching Server |
|
| 127 | -`set protocols rpki cache GoRTR address x.x.x.x` |
|
| 128 | - |
|
| 129 | -`set protocols rpki cache GoRTR port 8082` |
|
| 130 | - |
|
| 131 | -You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`. |
|
| 132 | - |
|
| 133 | -### Create Route Map |
|
| 134 | -``` |
|
| 135 | -set policy route-map DN42-ROA rule 10 action 'permit' |
|
| 136 | -set policy route-map DN42-ROA rule 10 match rpki 'valid' |
|
| 137 | -set policy route-map DN42-ROA rule 20 action 'permit' |
|
| 138 | -set policy route-map DN42-ROA rule 20 match rpki 'notfound' |
|
| 139 | -set policy route-map DN42-ROA rule 30 action 'deny' |
|
| 140 | -set policy route-map DN42-ROA rule 30 match rpki 'invalid' |
|
| 141 | -``` |
|
| 142 | -This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking. |
|
| 143 | -### Assign Route Map to Neighbor |
|
| 144 | -``` |
|
| 145 | -set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA |
|
| 146 | -set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA |
|
| 147 | -``` |
|
| 148 | - |
|
| 149 | -## Example Route Map |
|
| 150 | -### No RPKI/ROA and Internal Network Falls Into DN42 Range |
|
| 151 | -``` |
|
| 152 | -##Build prefix list to match personal internal network |
|
| 153 | -set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes' |
|
| 154 | -set policy prefix-list BlockIPConflicts rule 10 action 'permit' |
|
| 155 | -set policy prefix-list BlockIPConflicts rule 10 description 'Internal IP Space' |
|
| 156 | -set policy prefix-list BlockIPConflicts rule 10 le '32' |
|
| 157 | -set policy prefix-list BlockIPConflicts rule 10 prefix '10.10.0.0/16' |
|
| 158 | - |
|
| 159 | - |
|
| 160 | -##Build prefix list to match personal internal network |
|
| 161 | -set policy prefix-list6 BlockIPConflicts-v6 description 'Prevent Conflicting Routes' |
|
| 162 | -set policy prefix-list6 BlockIPConflicts-v6 rule 10 action 'permit' |
|
| 163 | -set policy prefix-list6 BlockIPConflicts-v6 rule 10 description 'Internal IP Space' |
|
| 164 | -set policy prefix-list6 BlockIPConflicts-v6 rule 10 le '128' |
|
| 165 | -set policy prefix-list6 BlockIPConflicts-v6 rule 10 prefix 'fd42:4242:1111::/48' |
|
| 166 | - |
|
| 167 | - |
|
| 168 | - |
|
| 169 | -##Build prefix list to match DN42's IPv4 network |
|
| 170 | -set policy prefix-list DN42-Network rule 10 action 'permit' |
|
| 171 | -set policy prefix-list DN42-Network rule 10 le '32' |
|
| 172 | -set policy prefix-list DN42-Network rule 10 prefix '172.20.0.0/14' |
|
| 173 | -set policy prefix-list DN42-Network rule 20 action 'permit' |
|
| 174 | -set policy prefix-list DN42-Network rule 20 le '32' |
|
| 175 | -set policy prefix-list DN42-Network rule 20 prefix '10.0.0.0/8' |
|
| 176 | - |
|
| 177 | - |
|
| 178 | -##Build prefix list to match DN42's IPv6 network |
|
| 179 | -set policy prefix-list6 DN42-Network-v6 rule 10 action 'permit' |
|
| 180 | -set policy prefix-list6 DN42-Network-v6 rule 10 le '128' |
|
| 181 | -set policy prefix-list6 DN42-Network-v6 rule 10 prefix 'fd00::/8' |
|
| 182 | - |
|
| 183 | - |
|
| 184 | - |
|
| 185 | - |
|
| 186 | -##Block prefixes within internal network range, then allow everything else within DN42, then block everything else. |
|
| 187 | -set policy route-map Default-Peering rule 10 action 'deny' |
|
| 188 | -set policy route-map Default-Peering rule 10 description 'Prevent IP Conflicts' |
|
| 189 | -set policy route-map Default-Peering rule 10 match ip address prefix-list 'BlockIPConflicts' |
|
| 190 | -set policy route-map Default-Peering rule 11 action 'deny' |
|
| 191 | -set policy route-map Default-Peering rule 11 description 'Prevent IP Conflicts' |
|
| 192 | -set policy route-map Default-Peering rule 11 match ip address prefix-list6 'BlockIPConflicts-v6' |
|
| 193 | -set policy route-map Default-Peering rule 20 action 'permit' |
|
| 194 | -set policy route-map Default-Peering rule 20 description 'Allow DN42-Network' |
|
| 195 | -set policy route-map Default-Peering rule 20 match ip address prefix-list 'DN42-Network-Network' |
|
| 196 | -set policy route-map Default-Peering rule 21 action 'permit' |
|
| 197 | -set policy route-map Default-Peering rule 21 description 'Allow DN42-Network' |
|
| 198 | -set policy route-map Default-Peering rule 21 match ip address prefix-list6 'DN42-Network-Network-v6' |
|
| 199 | -set policy route-map Default-Peering rule 99 action 'deny' |
|
| 200 | - |
|
| 201 | - |
|
| 202 | -##Apply the route-map on import/export |
|
| 203 | - |
|
| 204 | -set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map export 'Default-Peering' |
|
| 205 | -set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map import 'Default-Peering' |
|
| 206 | -set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map export 'Default-Peering' |
|
| 207 | -set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map import 'Default-Peering' |
|
| 208 | -``` |
|
| 209 | - |
|
| 210 | - |
|
| 211 | -This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out. |