Last week, whilst attending the Automation Framework Masterclass in London (check the link for more details and to register) run by Eric from Xenapp Blog, we started chatting about the configuration of the virtual VyOS router and what extra functionality we could bring to the table.
In my lab I use Microsoft Routing and Remote Access to segregate my networks and to provide connectivity to my Azure vNet. I wanted to see if I could replace this with VyOS and save precious resources.
Eric has already written a great post on Configuring the VyOS Router on Nutanix CE that covers the setup and configuration well. With that in mind, what I am going to build for you here is a three-interface (WAN, LAN and DMZ) VyOS router with a site-to-site VPN connection to an Azure Resource Manager vNet. This gives you connectivity from your on-premises environment to the Azure public cloud over an IPsec VPN.
First, let's take a look at the network setup I want to achieve.
Looking at the above I have the following:
- 192.168.0.0/16 CIDR Block allocated for on-premises use
- 192.168.0.0/24 for my Home Network – Note to self – Don’t touch this or you will have an angry wife and kids when the internet breaks!
- 192.168.85.0/24 for my Lab LAN Network
- 192.168.86.0/24 for my Lab DMZ Network
- 10.0.0.0/16 CIDR Block allocated for Azure Networks
- 10.0.1.0/24 for Azure Infrastructure
- 10.0.2.0/24 for Azure Citrix Worker Servers
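As an added check that is not part of the original post: the single most common reason a site-to-site tunnel never passes traffic is an address plan where the two sides overlap, or where a subnet falls outside the summary prefix advertised across the tunnel. The POSIX shell script below validates a plan like the one above before anything is committed in Azure or on VyOS. The function names are my own, and the sample plan embedded at the bottom is constructed to match the addresses listed here; it is also why the tunnel prefixes later in the post use the whole /16 on each side.

```shell
#!/bin/sh
# Added example (not from the original post): validate a site-to-site address plan.
# Every on-premises subnet must sit inside the on-premises prefix sent to Azure,
# every Azure subnet must sit inside the vNet address space, and the two summary
# prefixes must not overlap. Pure POSIX sh arithmetic, no external tools.

# Dotted-quad IPv4 address -> 32-bit integer.
ip4_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as a 32-bit integer (prefix 0 -> 0, avoiding a 32-bit shift).
mask_of() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# cidr_contains OUTER INNER : succeeds when INNER lies entirely inside OUTER.
cidr_contains() {
    _o_ip=${1%/*}; _o_len=${1#*/}; _i_ip=${2%/*}; _i_len=${2#*/}
    [ "$_i_len" -ge "$_o_len" ] || return 1
    _m=$(mask_of "$_o_len")
    [ $(( $(ip4_to_int "$_o_ip") & _m )) -eq $(( $(ip4_to_int "$_i_ip") & _m )) ]
}

# cidr_overlap A B : succeeds when the two prefixes share at least one address.
# Two CIDR blocks overlap exactly when one contains the other.
cidr_overlap() {
    cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}

# check_plan ONPREM_PREFIX "onprem subnets" AZURE_PREFIX "azure subnets"
# Prints every problem found; succeeds only when the plan is clean.
check_plan() {
    _ok=0
    for _s in $2; do
        cidr_contains "$1" "$_s" || { echo "on-premises subnet $_s is outside $1"; _ok=1; }
    done
    for _s in $4; do
        cidr_contains "$3" "$_s" || { echo "Azure subnet $_s is outside $3"; _ok=1; }
    done
    if cidr_overlap "$1" "$3"; then
        echo "on-premises prefix $1 overlaps Azure prefix $3"; _ok=1
    fi
    return $_ok
}

# Constructed sample plan matching the post's addressing. Run the file to check it.
ONPREM_PREFIX="192.168.0.0/16"
ONPREM_SUBNETS="192.168.0.0/24 192.168.85.0/24 192.168.86.0/24"
AZURE_PREFIX="10.0.0.0/16"
AZURE_SUBNETS="10.0.1.0/24 10.0.2.0/24"
check_plan "$ONPREM_PREFIX" "$ONPREM_SUBNETS" "$AZURE_PREFIX" "$AZURE_SUBNETS" && echo "address plan OK"
```

Run it again with the Azure space changed to 192.168.0.0/16 and it reports the overlap; that is the situation in which Azure shows the connection as Connected yet nothing routes, because both sides believe the destination is local.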
OK, let's start with the Azure configuration. Log into the Azure Resource Manager portal.
Go to Virtual networks and add a new network in the region that you want the Site to Site VPN to be established
Once created go to the overview
Two things to note here. The address space for the entire vNet is 10.0.0.0/16, and the DNS servers are set to my on-premises DNS server first, with the Google DNS servers as a fallback.
When adding the vNet make sure to specify your infrastructure and any additional subnets you want to have. In my case I have added 10.0.1.0/24 for Infrastructure and 10.0.2.0/24 for Citrix Worker Servers
Next you need to head over to Virtual network gateways and create a new gateway for your vNet
When creating the gateway be sure to use “Route Based”
Once done (and this can take up to half an hour) click on the overview.
You should see your Gateway created. Take a note of the Public IP Address you assigned during the gateway creation as you will need this later during the VyOS configuration
Next you need a Local network gateway to define your on-premises networks. Make sure you add the address space for your entire on-premises network, in my case 192.168.0.0/16. When prompted for the local network public IP, enter the public IP address of the internet-facing router or firewall in front of the lab; the VyOS router itself sits on 192.168.0.0/24 behind it, so this is the address Azure will send IKE traffic to.
Once created click on the overview
You will see the public IP Address of your on-premises environment and the address space that resides behind that IP address
Finally you need a Connection to link the Azure Gateway and the Local network gateway
Create a new Connection and select the 2 networks to link (Azure and Local)
Clicking Overview will show you both ends of the connection
Take a note of the Pre-Shared key you assigned as you will also need this during your VyOS configuration
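The portal steps above, expressed as an Azure CLI script so they can be repeated without clicking. This is an added example, not the post's own procedure: the resource names, region, GatewaySubnet prefix and the sample on-premises public and DNS addresses are assumptions, and the pre-shared key is generated rather than typed. Setting AZ=echo prints the commands instead of running them, which is also how the script can be checked without a subscription.

```shell
#!/bin/sh
# Added example (not from the original post): build the Azure side of the
# site-to-site VPN with the Azure CLI. Resource names, region, the GatewaySubnet
# prefix and the sample public/DNS addresses are assumptions; change to suit.
# Export AZ=echo to print the commands instead of executing them.
set -u
AZ="${AZ:-az}"

RG="${RG:-lab-hybrid-rg}"
LOCATION="${LOCATION:-uksouth}"
VNET="lab-vnet"
AZURE_SPACE="10.0.0.0/16"          # whole vNet, as in the post's address plan
INFRA_SUBNET="10.0.1.0/24"
WORKER_SUBNET="10.0.2.0/24"
GATEWAY_SUBNET="10.0.255.0/27"     # assumption: the VPN gateway needs its own subnet named GatewaySubnet
ONPREM_SPACE="192.168.0.0/16"      # the entire on-premises block, as the post advises
ONPREM_DNS="${ONPREM_DNS:-192.168.85.10}"            # assumption: on-premises DNS server
ONPREM_PUBLIC_IP="${ONPREM_PUBLIC_IP:-203.0.113.10}" # assumption: public IP of the home firewall (RFC 5737 range)

# Pre-shared key: random, 32 alphanumeric characters (Azure accepts 1-128 printable ASCII).
# Keep $PSK; it is the value that goes into the VyOS configuration.
PSK="${PSK:-$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)}"

deploy_azure_side() {
    "$AZ" group create --name "$RG" --location "$LOCATION"

    # vNet with the infrastructure subnet; on-premises DNS first, Google as fallback
    "$AZ" network vnet create --resource-group "$RG" --name "$VNET" \
        --address-prefixes "$AZURE_SPACE" \
        --subnet-name infra --subnet-prefixes "$INFRA_SUBNET" \
        --dns-servers "$ONPREM_DNS" 8.8.8.8 8.8.4.4
    "$AZ" network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
        --name workers --address-prefixes "$WORKER_SUBNET"
    "$AZ" network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
        --name GatewaySubnet --address-prefixes "$GATEWAY_SUBNET"

    # Local network gateway: what Azure knows about the on-premises side
    "$AZ" network local-gateway create --resource-group "$RG" --name onprem-lng \
        --gateway-ip-address "$ONPREM_PUBLIC_IP" \
        --local-address-prefixes "$ONPREM_SPACE"

    # Route-based VPN gateway. Public IP SKU/allocation requirements depend on the
    # gateway SKU your subscription currently allows; adjust if the call is rejected.
    # The gateway create call blocks until provisioning finishes (often 30+ minutes).
    "$AZ" network public-ip create --resource-group "$RG" --name vpngw-pip \
        --sku Standard --allocation-method Static
    "$AZ" network vnet-gateway create --resource-group "$RG" --name vpngw \
        --vnet "$VNET" --public-ip-address vpngw-pip \
        --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1

    # Connection tying both ends together with the PSK the VyOS config will also use
    "$AZ" network vpn-connection create --resource-group "$RG" --name onprem-conn \
        --vnet-gateway1 vpngw --local-gateway2 onprem-lng --shared-key "$PSK"

    # The gateway public IP is the <AZURE_GATEWAY_PUBLIC_IP> needed on VyOS
    "$AZ" network public-ip show --resource-group "$RG" --name vpngw-pip \
        --query ipAddress --output tsv
}

# Reports "Connected" once VyOS answers Azure's IKE negotiation
connection_status() {
    "$AZ" network vpn-connection show --resource-group "$RG" --name onprem-conn \
        --query connectionStatus --output tsv
}

# Only deploy when explicitly asked, so sourcing or dry-running the file is side-effect free
if [ "${DEPLOY:-0}" = "1" ]; then
    deploy_azure_side
    connection_status
fi
```

Run with DEPLOY=1 to provision for real. Two practitioner notes: the address prefixes given to the local network gateway are what Azure will route towards the tunnel, so they must be the whole on-premises block, and the PSK is printed only through the dry-run echo, so treat that output as sensitive.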
Deploying the VyOS Virtual Router
I am using XenServer in my lab currently and the following article will explain to you how to build and import your own VyOS Template for XenServer. Once done you can deploy it to your environment.
When asked about CPU and Memory set it to the following
Finally make sure your interfaces are set as below
- Eth0 – WAN – 192.168.0.0/24
- Eth1 – LAN – 192.168.85.0/24
- Eth2 – DMZ – 192.168.86.0/24
Deploy and power on the virtual router
Configuring the VyOS Router
Copy and paste the script below into the VyOS router once logged in (vyos / vyos are the default username and password; change that password before the router is reachable from anything you do not trust).
Some things to change:
- <YOUR_DOMAIN_NAME> – your DNS domain name, e.g. bretty.me.uk
- Eth0 address – the address on your local WAN network
- Eth1 address – the address you will use for the default gateway on your LAN
- Eth2 address – the address you will use for the default gateway on your DMZ
- <DNS_SERVER_IP_ADDRESS> – on-premises DNS server IP
- <TIMEZONE> – e.g. Europe/London
- <AZURE_GATEWAY_PUBLIC_IP> – public IP address of the Azure virtual network gateway
- <YOUR_PRE_SHARED_SECRET_FOR_THE_CONNECTION> – the pre-shared key you defined when creating the Azure to Local connection
- IP addresses – when referring to IP address blocks, use the entire CIDR block for each side, e.g. 10.0.0.0/16 for Azure and 192.168.0.0/16 for on-premises; a tunnel prefix that is narrower than the subnets behind it will silently drop the traffic it does not cover
Once this has been committed and the router rebooted, VyOS is ready to bring the tunnel up. Because the peer is configured with connection-type respond it does not initiate; it waits for Azure to start the IKE negotiation, which will only arrive once the local firewall rules described at the end of this post are in place.
configure
set system host-name vyos
set system domain-name <YOUR_DOMAIN_NAME>
set interfaces ethernet eth0 address '192.168.0.101/24'
set interfaces ethernet eth0 description 'wan'
set interfaces ethernet eth1 address '192.168.85.1/24'
set interfaces ethernet eth1 description 'lan'
set interfaces ethernet eth2 address '192.168.86.1/24'
set interfaces ethernet eth2 description 'dmz'
set service ssh port '22'
set system name-server <DNS_SERVER_IP_ADDRESS>
set system time-zone <TIMEZONE>
set protocols static route 0.0.0.0/0 next-hop '192.168.0.1'
# Phase 1 (IKE) and phase 2 (ESP) parameters matching the Azure gateway
set vpn ipsec ike-group IKE-POLICY lifetime '28800'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'
set vpn ipsec esp-group ESP-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-POLICY pfs 'disable'
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
# Azure peer: respond only, whole on-premises /16 to whole Azure /16
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> authentication pre-shared-secret '<YOUR_PRE_SHARED_SECRET_FOR_THE_CONNECTION>'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> connection-type 'respond'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> local-address '192.168.0.101'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> tunnel 1 local prefix '192.168.0.0/16'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> tunnel 1 remote prefix '10.0.0.0/16'
# Source NAT: rules run in numeric order, so rule 5 exempts tunnel traffic before rules 10/11 masquerade LAN and DMZ out of eth0
set nat source rule 5 source address '192.168.0.0/16'
set nat source rule 5 destination address '10.0.0.0/16'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.85.0/24'
set nat source rule 10 translation address 'masquerade'
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address '192.168.86.0/24'
set nat source rule 11 translation address 'masquerade'
set nat source rule 20 source address '10.0.0.0/16'
set nat source rule 20 destination address '192.168.0.0/16'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 exclude
commit
save
exit
reboot
yes
The Local Firewall
The final thing to do is to add port-forwarding rules on your internet-facing firewall so that the IPsec traffic Azure sends to your public IP reaches the WAN address of the VyOS router (192.168.0.101 above). Azure initiates the negotiation and VyOS is configured to respond only, so nothing happens until these forwards exist.
Forward UDP port 500 (IKE) and UDP port 4500 (IPsec NAT-T). There is no "port 50" to forward: ESP is IP protocol 50, not a TCP or UDP port, and it cannot be port-forwarded at all. Because the VyOS router sits behind NAT, both peers detect this during IKE and carry ESP inside UDP 4500 instead, so the two UDP rules are sufficient.
Once the firewall rules are in place you should see the status of the connection in Azure change to Connected. On the VyOS side, show vpn ike sa and show vpn ipsec sa should list the Azure peer with an established SA.
You can now ping from the LAN to the DMZ and Azure
You can also ping from the DMZ to the LAN and Azure
And finally you can ping from Azure to the DMZ and the LAN
At this stage the LAN, the DMZ and Azure can all reach each other without restriction, so you will still need to put firewall rules on the VyOS router to secure communications between the zones, but that is for another post. You now have a hybrid cloud lab to play with.