# VyOS

VyOS is an open source router. The developers have a nightly rolling release that includes all the latest features such as Wireguard.

It can be downloaded here https://www.vyos.io/rolling-release/.

While 1.3-rolling-202004300117 is a known good release to fall back to, at this time it's recommended to grab the latest nightly build.

## Quick Start

### Quick to-do list from router deployment to receiving DN42 routes

  1. Establish internet connectivity.
  2. Set up Wireguard.
  3. Set up BGP.
  4. Run show ip route to confirm the DN42 routes have arrived.

## Wireguard

### Setup Keys

generate wireguard default-keypair
show wireguard keypairs pubkey default

Grab your public key and save it for later. This will be shared with peers.
### Configure Peer Tunnel

Your peer should provide their endpoint public IP, port, single DN42 address, and Wireguard public key.

set interfaces wireguard wg01 address '172.x.x.x/32'
this is a single address within your DN42 registered address space
set interfaces wireguard wg01 peer OtherGuy1 allowed-ips '0.0.0.0/0'
allowing everything here is fine; it's easier to filter traffic with the firewall
set interfaces wireguard wg01 peer OtherGuy1 address 'x.x.x.x'
this is the public IP of your peer's endpoint
set interfaces wireguard wg01 peer OtherGuy1 port '12345'
the configured port on your peer's endpoint
set interfaces wireguard wg01 peer OtherGuy1 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
your peer's public wireguard key
set interfaces wireguard wg01 port '12345'
the port your wireguard endpoint will "listen" on
### Set Static Route

In case you are wondering how you are going to route packets anywhere with a /32, the next command explains it all.

set protocols static interface-route 172.x.x.x/32 next-hop-interface wg01
this is the single DN42 address your peer provided, the one assigned to them in the registry

While a typical Wireguard configuration may allow multiple peers on one interface, the configuration explained on this page will not work correctly if multiple peers are defined on the same interface.

## BGP

Now that we have a tunnel to our peer and theoretically can ping them, we can set up BGP.

### Initial Router Setup

set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x/x
Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers.
set protocols bgp 424242XXXX parameters router-id 172.x.x.x
To keep it simple, just make your router ID match the lowest IP within your DN42 registered space.

### Neighbor Up With Peers

set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast
This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel.
set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20
This setting may need to be adjusted depending on circumstances.
set protocols bgp 424242XXXX neighbor 172.x.x.x remote-as 424242XXXX
Your peer's ASN

Check the session state with show ip bgp summary.

## RPKI/ROA Checking

### Setup RPKI Caching Server

Burble has made this super easy. More info can be found here on this wiki. Get started by running the below command on a Linux server with Docker installed.

sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082

This will start a Docker container that listens on the host server's IP at port 8082. This setup uses Cloudflare's GoRTR, which automatically reaches out and downloads a custom JSON file generated by Burble just for the DN42 network.

### Point VyOS Router at RPKI Caching Server

set protocols rpki cache GoRTR address x.x.x.x
set protocols rpki cache GoRTR port 8082

You can check the connection with show rpki cache-connection and the received prefix-table with show rpki prefix-table.

### Create Route Map

set policy route-map DN42-ROA rule 10 action 'permit'
set policy route-map DN42-ROA rule 10 match rpki 'valid'
set policy route-map DN42-ROA rule 20 action 'permit'
set policy route-map DN42-ROA rule 20 match rpki 'notfound'
set policy route-map DN42-ROA rule 30 action 'deny'
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
This example permits routes whose origin is RPKI valid or has no ROA at all (notfound) and denies routes marked invalid, i.e. routes whose prefix or origin AS contradicts the registry ROA and may therefore be the result of a BGP hijack.
### Assign Route Map to Neighbor

set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
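To make the valid/notfound/invalid outcomes concrete, here is an added Python example (not part of this page, VyOS or GoRTR) that performs RFC 6811 route origin validation over a constructed ROA list in the prefix/maxLength/asn JSON layout GoRTR reads, then applies the DN42-ROA route-map decision from above. The sample ROAs and ASNs are made up, not DN42 registry data.

```python
import ipaddress
import json

# Constructed sample in the "roas" list layout GoRTR consumes
# (prefix / maxLength / asn). Values are invented for this example.
SAMPLE_ROA_JSON = json.dumps({"roas": [
    {"prefix": "172.20.0.0/24", "maxLength": 24, "asn": "AS4242420001"},
    {"prefix": "172.21.0.0/16", "maxLength": 20, "asn": "AS4242420002"},
]})

# Mirrors the DN42-ROA route-map: rules 10 and 20 permit, rule 30 denies.
ROUTE_MAP = {"valid": "permit", "notfound": "permit", "invalid": "deny"}


def load_roas(text):
    """Parse ROA JSON into (network, max_length, origin_asn) tuples."""
    roas = []
    for r in json.loads(text)["roas"]:
        asn = int(str(r["asn"]).upper().replace("AS", ""))
        roas.append((ipaddress.ip_network(r["prefix"]), int(r["maxLength"]), asn))
    return roas


def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.

    A ROA covers a route when the route's prefix lies inside the ROA
    prefix. The route is valid when at least one covering ROA also has
    the same origin AS and the route is no longer than maxLength. A
    covered route with no matching ROA is invalid; an uncovered route
    has no ROA to judge it by and is notfound.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, asn in roas:
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def route_map_action(prefix, origin_asn, roas):
    """What the DN42-ROA route-map does with this route: 'permit' or 'deny'."""
    return ROUTE_MAP[validate(prefix, origin_asn, roas)]
```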

## Example Firewall

In this example our VyOS router has one upstream uplink on eth0, and two tunnels/peers on wg1 and wg2. We have two access lists: one for transit connections and one for local connections from our peer (BGP). Notice that on the transit access list we don't black hole invalid packets; the logic behind this is explained here.

#### Interfaces

 ethernet eth0 {
     address 192.168.1.2/30
     description "Upstream/ISP"
     hw-id 00:00:00:00:00:00
 }
 wireguard wg1 {
     address 172.x.x.x/32
     description "Tunnel 1"
     firewall {
         in {
             name Tunnels_Inbound
         }
         local {
             name Peer_Local_Connections
         }
     }
     peer us-east01 {
         address x.x.x.x
         allowed-ips 0.0.0.0/0
         port 1100
         pubkey ***
     }
     port 1101
 }
 wireguard wg2 {
     address 172.x.x.x/32
     description "Tunnel 2"
     firewall {
         in {
             name Tunnels_Inbound
         }
         local {
             name Peer_Local_Connections
         }
     }
     peer us-east02 {
         address x.x.x.x
         allowed-ips 0.0.0.0/0
         port 1102
         pubkey ***
     }
     port 1103
 }

#### Firewall Rules

 group {
     network-group Allowed-Transit {
         network 10.0.0.0/8
         network 172.20.0.0/14
     }
 }
 name Peer_Local_Connections {
     default-action drop
     rule 1 {
         action accept
         description "Enable Stateful"
         state {
             established enable
             related enable
         }
     }
     rule 10 {
         action accept
         description "Allow BGP"
         destination {
             port 179
         }
         protocol tcp
         source {
             address x.x.x.x  **Peer 1 IP
         }
     }
     rule 11 {
         action accept
         description "Allow BGP"
         destination {
             port 179
         }
         protocol tcp
         source {
             address x.x.x.x  **Peer 2 IP
         }
     }
     rule 98 {
         action drop
         description "Black Hole"
         log enable
         source {
             address 0.0.0.0/0
         }
     }
     rule 99 {
         action drop
         description "Black Hole"
         log enable
         state {
             invalid enable
         }
     }
 }
 name Tunnels_Inbound {
     default-action drop
     rule 1 {
         action accept
         description "Enable Stateful"
         state {
             established enable
             related enable
         }
     }
     rule 50 {
         action accept
         description "Allow Peer Transit"
         destination {
             group {
                 network-group Allowed-Transit
             }
         }
         log enable
         source {
             group {
                 network-group Allowed-Transit
             }
         }
     }
     rule 99 {
         action drop
         description "Black Hole"
         log enable
         source {
             address 0.0.0.0/0
         }
     }
 }

This page is a work in progress from Owens Research. Feel free to get in touch with suggestions or questions.