Thursday, August 3, 2017

My Home Router is a VyOS VM

I had my home’s Netgear hacked with DD-WRT and I was running a PPTP server until Apple decided to stop support of PPTP VPNs last year. Since then I’ve been without a VPN service I could use when traveling abroad (setting up OpenVPN in DD-WRT ended up being more work than was worth it). But then the new season of Game of Thrones was about to start again and I wasn’t going to go a week or more without watching the episodes. I’m not paying someone else to provide me VPN service…and no, I’m not using the free ones either; they have to sell something to make money and guess what that something is.

I also had a need to create a DMZ to separate Hydra’s lab gear (I have a small room with a rack and servers and stuff, which is used by other A.I.M Hydra members) from my personal stuff so I decided to give VyOS a go at the task (L2TP VPN and DMZ). I already have servers running 24x7 so no reason why I couldn’t add one more VM (VyOS) to the mix and reconfigure my network. I will skip the details of all the trial and error I had to go through to get this to work (1- VyOS documentation is limited and 2- my brain decided to shut off for 2 days) so I’ll go straight to the VyOS configs with some explanations.

Below is a diagram of the original state with the Netgear. Subnet External is there because of historical reasons (I’ve had it for something like 10 years now) and I just didn’t feel like removing it (sentimental reasons I suppose). Also, my APs’ management IPs are in that subnet (I have three UBNT UniFi AP-AC units dotted around the house). Router 1 is a Layer 3 switch (also from UBNT) that I got two years ago to provide PoE to the APs. For completeness let me add that I manage the APs using the UniFi Controller running in a VM (also running in subnet External); subnet External has no Internet access.


And this is what the new environment looks like. Subnet HydraLab is treated as an untrusted segment. It has access to the Internet and can’t initiate any sessions to the Internal subnets (hanging off Router 1). I also moved Subnet Cameras to the VyOS because otherwise I would’ve had to do a src and dst NAT when accessing the cameras from inside the house (the Netgear/DD-WRT did it automatically whereas the VyOS needs to be configured to do it; I took the path of least resistance).


And these are the VyOS configurations with some explanation - where I think it is helpful. If the command is self-explanatory or is for a well-established protocol, I skipped the explanation.

Interfaces
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth1 address x.x.x.x/y
set interfaces ethernet eth1 description HydraLab
set interfaces ethernet eth2 address x.x.x.x/y
set interfaces ethernet eth2 description Interno
set interfaces ethernet eth3 address x.x.x.x/y
set interfaces ethernet eth3 description Cameras

L2TP VPN
set vpn ipsec ipsec-interfaces interface eth0

!The following commands tell the VyOS what the source IP of the VPN client can be. I assume I’ll be connecting from RFC 1918 addresses. You can also use 0.0.0.0/0 to just allow from any subnet.

set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16

set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username User password password
set vpn l2tp remote-access authentication mode local

!The following commands tell the VyOS what IP range to use for IP assignment. It doesn’t matter much where the IP comes from as long as the IPs are available/unused. I used a range from the HydraLab subnet to conserve IPs.

set vpn l2tp remote-access client-ip-pool start First IP
set vpn l2tp remote-access client-ip-pool stop Last IP

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret Secret
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

!The following command is one of two that bomb with VyOS. I need to use the IP of the Internet interface (eth0), which is acquired by DHCP. This command only takes an IP (not an interface). The day will come when my ISP (Frontier, formerly Verizon) decides to give me a different IP and my VPN will be broken. I have a backup plan for such an event.

set vpn l2tp remote-access outside-address Internet Interface IP

NAT Rules
!The rule numbers can be whatever you want.

set nat source rule 1 description Internet Access for Hydra LAB
set nat source rule 1 outbound-interface eth0
set nat source rule 1 source address HydraLab Subnet
set nat source rule 1 translation address masquerade

set nat source rule 2 description Internet Traffic for Internal
set nat source rule 2 outbound-interface eth0
set nat source rule 2 source address Internal Subnets
set nat source rule 2 translation address masquerade

!The following rule allows NAT traffic going to the cameras from the Internet. I only listed one camera. You would need to repeat these commands, with different rule numbers, for each camera you have.

set nat destination rule 101 description Camera1

!!Just like the remote-access outside-address in the VPN section, this next command needs an actual IP. This is the second command that sucks.

set nat destination rule 101 destination address Internet Interface IP

!!Specify the port number you use to connect to the camera.

set nat destination rule 101 destination port xxx

set nat destination rule 101 inbound-interface eth0
set nat destination rule 101 protocol tcp
set nat destination rule 101 translation address CAMERA1 IP

!!Specify the port number the camera listens to.

set nat destination rule 101 translation port yyy

!The following rule allows NAT traffic going to the cameras from inside the house. I only listed one camera. You would need to repeat these commands, with different rule numbers, for each camera you have.

set nat destination rule 201 description Camera1

!!Specify the port number you use to connect to the camera.

set nat destination rule 201 destination port xxx

set nat destination rule 201 inbound-interface eth2
set nat destination rule 201 protocol tcp
set nat destination rule 201 translation address CAMERA1 IP

!!Specify the port number the camera listens to.

set nat destination rule 201 translation port yyy

Security Rules
!Global (optional) Commands.

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall config-trap disable
set firewall group
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects disable
set firewall source-validation disable
set firewall state-policy invalid action reject
set firewall syn-cookies enable
set firewall twa-hazards-protection disable

!These are the rules that will be enforced for inter-zone traffic. The rule numbers can be whatever you want.

set firewall name ESTABLISHED default-action drop
set firewall name ESTABLISHED enable-default-log
set firewall name ESTABLISHED rule 1001 action accept
set firewall name ESTABLISHED rule 1001 state established enable
set firewall name ESTABLISHED rule 1001 state related enable

set firewall name FromHYDRALAB default-action drop
set firewall name FromHYDRALAB enable-default-log
set firewall name FromHYDRALAB rule 2001 action accept
set firewall name FromHYDRALAB rule 2001 state established enable
set firewall name FromHYDRALAB rule 2001 state related enable

set firewall name LOCALMGT default-action drop
set firewall name LOCALMGT rule 3001 action accept
set firewall name LOCALMGT rule 3001 log enable
set firewall name LOCALMGT rule 3001 state established enable
set firewall name LOCALMGT rule 3001 state new enable
set firewall name LOCALMGT rule 3001 state related enable

set firewall name OUTGOING default-action drop
set firewall name OUTGOING enable-default-log
set firewall name OUTGOING rule 4001 action accept
set firewall name OUTGOING rule 4001 state established enable
set firewall name OUTGOING rule 4001 state new enable
set firewall name OUTGOING rule 4001 state related enable

set firewall name ToROUTER default-action drop
set firewall name ToROUTER enable-default-log
set firewall name ToROUTER rule 5001 action accept
set firewall name ToROUTER rule 5001 destination port 4500
set firewall name ToROUTER rule 5001 log enable
set firewall name ToROUTER rule 5001 protocol udp
set firewall name ToROUTER rule 5002 action accept
set firewall name ToROUTER rule 5002 destination port 500
set firewall name ToROUTER rule 5002 protocol udp
set firewall name ToROUTER rule 5003 action accept
set firewall name ToROUTER rule 5003 destination port 1701
set firewall name ToROUTER rule 5003 ipsec match-ipsec
set firewall name ToROUTER rule 5003 protocol udp
set firewall name ToROUTER rule 5004 action accept
set firewall name ToROUTER rule 5004 protocol esp
set firewall name ToROUTER rule 5005 action accept
set firewall name ToROUTER rule 5005 state established enable
set firewall name ToROUTER rule 5005 state related enable

set firewall name ToHYDRALAB default-action drop
set firewall name ToHYDRALAB enable-default-log
set firewall name ToHYDRALAB rule 6001 action accept
set firewall name ToHYDRALAB rule 6001 state established enable
set firewall name ToHYDRALAB rule 6001 state related enable

set firewall name ToINTERNO default-action drop
set firewall name ToINTERNO enable-default-log
set firewall name ToINTERNO rule 7001 action accept
set firewall name ToINTERNO rule 7001 state established enable
set firewall name ToINTERNO rule 7001 state related enable

set firewall name ToCAMERA default-action drop
set firewall name ToCAMERA rule 8001 action accept
set firewall name ToCAMERA rule 8001 destination port port number the cameras listen to
set firewall name ToCAMERA rule 8001 log enable
set firewall name ToCAMERA rule 8001 protocol tcp

Inter-Zone Security Rule Mapping (DMZ)
!Indicate traffic that is allowed to reach Internet.

set zone-policy zone INTERNET default-action drop
set zone-policy zone INTERNET from HYDRALAB firewall name OUTGOING
set zone-policy zone INTERNET from INTERNO firewall name OUTGOING
set zone-policy zone INTERNET from LOCAL firewall name OUTGOING
set zone-policy zone INTERNET from CAMERA firewall name ESTABLISHED
set zone-policy zone INTERNET from VPN firewall name OUTGOING
set zone-policy zone INTERNET interface eth0

!Indicate traffic that can enter HydraLab zone.

set zone-policy zone HYDRALAB default-action drop
set zone-policy zone HYDRALAB from INTERNET firewall name ToHYDRALAB
set zone-policy zone HYDRALAB from INTERNO firewall name OUTGOING
set zone-policy zone HYDRALAB from LOCAL firewall name OUTGOING
set zone-policy zone HYDRALAB from VPN firewall name OUTGOING
set zone-policy zone HYDRALAB interface eth1

!Indicate traffic that can enter Internal zone.

set zone-policy zone INTERNO default-action drop
set zone-policy zone INTERNO from HYDRALAB firewall name FromHYDRALAB
set zone-policy zone INTERNO from INTERNET firewall name ToINTERNO
set zone-policy zone INTERNO from LOCAL firewall name ESTABLISHED
set zone-policy zone INTERNO from CAMERA firewall name ESTABLISHED
set zone-policy zone INTERNO interface eth2

!Indicate traffic that can reach Cameras.

set zone-policy zone CAMERA default-action drop
set zone-policy zone CAMERA from INTERNET firewall name ToCAMERA
set zone-policy zone CAMERA from INTERNO firewall name ToCAMERA
set zone-policy zone CAMERA interface eth3

!Indicate traffic that can reach the router (think management, VPN, SSH, etc…).

set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from HYDRALAB firewall name ESTABLISHED
set zone-policy zone LOCAL from INTERNET firewall name ToROUTER
set zone-policy zone LOCAL from INTERNO firewall name LOCALMGT
set zone-policy zone LOCAL local-zone

!Indicate return traffic VPN users will see.

set zone-policy zone VPN from HYDRALAB firewall name FromHYDRALAB
set zone-policy zone VPN from INTERNET firewall name ESTABLISHED

!!I added support for four concurrent VPN connections (iPad, iPhone, Laptop, and JustInCase)

set zone-policy zone VPN interface l2tp0
set zone-policy zone VPN interface l2tp1
set zone-policy zone VPN interface l2tp2
set zone-policy zone VPN interface l2tp3
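As an added check (not part of the original post or of VyOS itself): a small Python linter that parses the "set firewall name" and "set zone-policy" lines above and reports, per zone pair, whether the mapped ruleset can accept a packet that opens a new session. It lets you confirm the post's stated intent that HydraLab cannot initiate into Interno while Interno can initiate into HydraLab. It assumes VyOS's rule semantics: a rule with no state match applies to every state, and a missing default-action means drop.

```python
# Constructed subset of the post's rulesets and zone mappings (names are the post's).
CONFIG = """
set firewall name FromHYDRALAB default-action drop
set firewall name FromHYDRALAB rule 2001 action accept
set firewall name FromHYDRALAB rule 2001 state established enable
set firewall name FromHYDRALAB rule 2001 state related enable
set firewall name OUTGOING default-action drop
set firewall name OUTGOING rule 4001 action accept
set firewall name OUTGOING rule 4001 state established enable
set firewall name OUTGOING rule 4001 state new enable
set firewall name OUTGOING rule 4001 state related enable
set firewall name ToROUTER default-action drop
set firewall name ToROUTER rule 5001 action accept
set firewall name ToROUTER rule 5001 destination port 4500
set firewall name ToROUTER rule 5001 protocol udp
set zone-policy zone INTERNO from HYDRALAB firewall name FromHYDRALAB
set zone-policy zone HYDRALAB from INTERNO firewall name OUTGOING
set zone-policy zone LOCAL from INTERNET firewall name ToROUTER
"""

def parse(text):
    """rulesets[name] = {"default": action, "rules": {num: {"action", "states"}}};
    policies[(to_zone, from_zone)] = ruleset name. Other match tokens are ignored."""
    rulesets, policies = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["set", "firewall", "name"]:
            rs = rulesets.setdefault(t[3], {"default": "drop", "rules": {}})
            if t[4] == "default-action":
                rs["default"] = t[5]
            elif t[4] == "rule":
                r = rs["rules"].setdefault(t[5], {"action": "drop", "states": set()})
                if t[6] == "action":
                    r["action"] = t[7]
                elif t[6] == "state" and t[8] == "enable":
                    r["states"].add(t[7])  # no state lines at all => matches every state
        elif t[:3] == ["set", "zone-policy", "zone"] and t[4:5] == ["from"]:
            policies[(t[3], t[5])] = t[8]
    return rulesets, policies

def allows_new(rs):
    """True if the ruleset can accept a packet that starts a new session."""
    if rs["default"] == "accept":
        return True
    return any(r["action"] == "accept" and (not r["states"] or "new" in r["states"])
               for r in rs["rules"].values())

def new_sessions(text):
    """Map (to_zone, from_zone) -> True if from_zone may initiate into to_zone."""
    rulesets, policies = parse(text)
    return {pair: allows_new(rulesets[name]) for pair, name in policies.items()}
```

Feed it the full "show configuration commands" output to audit every zone pair, not just the three embedded here; any pair reported True that you expected to be return-traffic only is worth a second look.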

Elver’s Opinion: I didn’t find the VyOS configs to be too challenging; the challenge was finding the correct command references to get this done. There are a few more details on how my environment is set up and I may put up more in a later blog post (time permitting).
