I had my home’s Netgear flashed with DD-WRT and was running a PPTP server until Apple dropped support for PPTP VPNs last year. Since then I’ve been without a VPN service I could use when traveling abroad (setting up OpenVPN in DD-WRT ended up being more work than it was worth). But then the new season of Game of Thrones was about to start again and I wasn’t going to go a week or more without watching the episodes. I’m not paying someone else to provide me VPN service, and no, I’m not using the free ones either; they have to sell something to make money and guess what that something is.
I also needed to create a DMZ to separate Hydra’s lab gear (I have a small room with a rack, servers and such, which is used by other A.I.M Hydra members) from my personal stuff, so I decided to give VyOS a go at the task (L2TP VPN and DMZ). I already have servers running 24x7, so there is no reason I couldn’t add one more VM (VyOS) to the mix and reconfigure my network. I will skip the details of all the trial and error I had to go through to get this to work (1: VyOS documentation is limited and 2: my brain decided to shut off for 2 days) and go straight to the VyOS configs with some explanations.
Below is a diagram of the original state with the Netgear. Subnet External is there for historical reasons (I’ve had it for something like 10 years now) and I just didn’t feel like removing it (sentimental reasons, I suppose). Also, my APs’ management IPs are in that subnet (I have three UBNT UniFi AP-AC units dotted around the house). Router 1 is a Layer 3 switch (also from UBNT) that I got two years ago to provide PoE to the APs. For completeness, let me add that I manage the APs using the UniFi Controller running in a VM (also in subnet External); subnet External has no Internet access.
And this is what the new environment looks like. Subnet HydraLab is treated as an untrusted segment: it has access to the Internet and can’t initiate any sessions to the Internal subnets (hanging off Router 1). I also moved Subnet Cameras to the VyOS because otherwise I would’ve had to do a source and destination NAT when accessing the cameras from inside the house (the Netgear/DD-WRT did it automatically, whereas the VyOS needs to be configured to do it; I took the path of least resistance).
And these are the VyOS configurations, with some explanation where I think it is helpful. If a command is self-explanatory or is for a well-established protocol, I skipped the explanation.
Interfaces
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth1 address x.x.x.x/y
set interfaces ethernet eth1 description HydraLab
set interfaces ethernet eth2 address x.x.x.x/y
set interfaces ethernet eth2 description Interno
set interfaces ethernet eth3 address x.x.x.x/y
set interfaces ethernet eth3 description Cameras
L2TP VPN
set vpn ipsec ipsec-interfaces interface eth0
!The following commands tell the VyOS what the source IP of the VPN client can be. I assume I’ll be connecting from RFC 1918 addresses. You can also use 0.0.0.0/0 to allow any subnet.
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username User password password
set vpn l2tp remote-access authentication mode local
!The following commands tell the VyOS what IP range to use for client address assignment. It doesn’t matter much where the IPs come from as long as they are available/unused. I used a range from the HydraLab subnet to conserve IPs.
set vpn l2tp remote-access client-ip-pool start First IP
set vpn l2tp remote-access client-ip-pool stop Last IP
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret Secret
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
!The following command is one of the two that are a pain with VyOS. I need to use the IP of the Internet interface (eth0), which is acquired by DHCP, but this command only takes an IP (not an interface). The day will come when my ISP (Frontier, formerly Verizon) decides to give me a different IP and my VPN will be broken. I have a backup plan for that event.
set vpn l2tp remote-access outside-address Internet Interface IP
NAT Rules
!The rule numbers can be whatever you want.
set nat source rule 1 description Internet Access for Hydra LAB
set nat source rule 1 outbound-interface eth0
set nat source rule 1 source address HydraLab Subnet
set nat source rule 1 translation address masquerade
set nat source rule 2 description Internet Traffic for Internal
set nat source rule 2 outbound-interface eth0
set nat source rule 2 source address Internal Subnets
set nat source rule 2 translation address masquerade
!The following rule allows NAT traffic going to the cameras from the Internet. I only listed one camera. You would need to repeat these commands, with different rule numbers, for each camera you have.
set nat destination rule 101 description Camera1
!!Just like the remote-access outside-address in the VPN section, this next command needs an actual IP. This is the second command that sucks.
set nat destination rule 101 destination address Internet Interface IP
!!Specify the port number you use to connect to the camera.
set nat destination rule 101 destination port xxx
set nat destination rule 101 inbound-interface eth0
set nat destination rule 101 protocol tcp
set nat destination rule 101 translation address CAMERA1 IP
!!Specify the port number the camera listens on.
set nat destination rule 101 translation port yyy
!The following rule allows NAT traffic going to the cameras from inside the house. I only listed one camera. You would need to repeat these commands, with different rule numbers, for each camera you have.
set nat destination rule 201 description Camera1
!!Specify the port number you use to connect to the camera.
set nat destination rule 201 destination port xxx
set nat destination rule 201 inbound-interface eth2
set nat destination rule 201 protocol tcp
set nat destination rule 201 translation address CAMERA1 IP
!!Specify the port number the camera listens on.
set nat destination rule 201 translation port yyy
Security Rules
!Global (optional) commands.
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall config-trap disable
set firewall group
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects disable
set firewall source-validation disable
set firewall state-policy invalid action reject
set firewall syn-cookies enable
set firewall twa-hazards-protection disable
!These are the rules that will be enforced for inter-zone traffic. The rule numbers can be whatever you want.
set firewall name ESTABLISHED default-action drop
set firewall name ESTABLISHED enable-default-log
set firewall name ESTABLISHED rule 1001 action accept
set firewall name ESTABLISHED rule 1001 state established enable
set firewall name ESTABLISHED rule 1001 state related enable
set firewall name FromHYDRALAB default-action drop
set firewall name FromHYDRALAB enable-default-log
set firewall name FromHYDRALAB rule 2001 action accept
set firewall name FromHYDRALAB rule 2001 state established enable
set firewall name FromHYDRALAB rule 2001 state related enable
set firewall name LOCALMGT default-action drop
set firewall name LOCALMGT rule 3001 action accept
set firewall name LOCALMGT rule 3001 log enable
set firewall name LOCALMGT rule 3001 state established enable
set firewall name LOCALMGT rule 3001 state new enable
set firewall name LOCALMGT rule 3001 state related enable
set firewall name OUTGOING default-action drop
set firewall name OUTGOING enable-default-log
set firewall name OUTGOING rule 4001 action accept
set firewall name OUTGOING rule 4001 state established enable
set firewall name OUTGOING rule 4001 state new enable
set firewall name OUTGOING rule 4001 state related enable
set firewall name ToROUTER default-action drop
set firewall name ToROUTER enable-default-log
set firewall name ToROUTER rule 5001 action accept
set firewall name ToROUTER rule 5001 destination port 4500
set firewall name ToROUTER rule 5001 log enable
set firewall name ToROUTER rule 5001 protocol udp
set firewall name ToROUTER rule 5002 action accept
set firewall name ToROUTER rule 5002 destination port 500
set firewall name ToROUTER rule 5002 protocol udp
set firewall name ToROUTER rule 5003 action accept
set firewall name ToROUTER rule 5003 destination port 1701
set firewall name ToROUTER rule 5003 ipsec match-ipsec
set firewall name ToROUTER rule 5003 protocol udp
set firewall name ToROUTER rule 5004 action accept
set firewall name ToROUTER rule 5004 protocol esp
set firewall name ToROUTER rule 5005 action accept
set firewall name ToROUTER rule 5005 state established enable
set firewall name ToROUTER rule 5005 state related enable
set firewall name ToHYDRALAB default-action drop
set firewall name ToHYDRALAB enable-default-log
set firewall name ToHYDRALAB rule 6001 action accept
set firewall name ToHYDRALAB rule 6001 state established enable
set firewall name ToHYDRALAB rule 6001 state related enable
set firewall name ToINTERNO default-action drop
set firewall name ToINTERNO enable-default-log
set firewall name ToINTERNO rule 7001 action accept
set firewall name ToINTERNO rule 7001 state established enable
set firewall name ToINTERNO rule 7001 state related enable
set firewall name ToCAMERA default-action drop
set firewall name ToCAMERA rule 8001 action accept
set firewall name ToCAMERA rule 8001 destination port port number the cameras listen on
set firewall name ToCAMERA rule 8001 log enable
set firewall name ToCAMERA rule 8001 protocol tcp
Inter-Zone Security Rule Mapping (DMZ)
!Indicate traffic that is allowed to reach the Internet.
set zone-policy zone INTERNET default-action drop
set zone-policy zone INTERNET from HYDRALAB firewall name OUTGOING
set zone-policy zone INTERNET from INTERNO firewall name OUTGOING
set zone-policy zone INTERNET from LOCAL firewall name OUTGOING
set zone-policy zone INTERNET from CAMERA firewall name ESTABLISHED
set zone-policy zone INTERNET from VPN firewall name OUTGOING
set zone-policy zone INTERNET interface eth0
!Indicate traffic that can enter the HydraLab zone.
set zone-policy zone HYDRALAB default-action drop
set zone-policy zone HYDRALAB from INTERNET firewall name ToHYDRALAB
set zone-policy zone HYDRALAB from INTERNO firewall name OUTGOING
set zone-policy zone HYDRALAB from LOCAL firewall name OUTGOING
set zone-policy zone HYDRALAB from VPN firewall name OUTGOING
set zone-policy zone HYDRALAB interface eth1
!Indicate traffic that can enter the Internal zone.
set zone-policy zone INTERNO default-action drop
set zone-policy zone INTERNO from HYDRALAB firewall name FromHYDRALAB
set zone-policy zone INTERNO from INTERNET firewall name ToINTERNO
set zone-policy zone INTERNO from LOCAL firewall name ESTABLISHED
set zone-policy zone INTERNO from CAMERA firewall name ESTABLISHED
set zone-policy zone INTERNO interface eth2
!Indicate traffic that can reach the Cameras.
set zone-policy zone CAMERA default-action drop
set zone-policy zone CAMERA from INTERNET firewall name ToCAMERA
set zone-policy zone CAMERA from INTERNO firewall name ToCAMERA
set zone-policy zone CAMERA interface eth3
!Indicate traffic that can reach the router itself (think management, VPN, SSH, etc.).
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from HYDRALAB firewall name ESTABLISHED
set zone-policy zone LOCAL from INTERNET firewall name ToROUTER
set zone-policy zone LOCAL from INTERNO firewall name LOCALMGT
set zone-policy zone LOCAL local-zone
!Indicate the return traffic VPN users will see.
set zone-policy zone VPN from HYDRALAB firewall name FromHYDRALAB
set zone-policy zone VPN from INTERNET firewall name ESTABLISHED
!!I added support for four concurrent VPN connections (iPad, iPhone, Laptop, and JustInCase).
set zone-policy zone VPN interface l2tp0
set zone-policy zone VPN interface l2tp1
set zone-policy zone VPN interface l2tp2
set zone-policy zone VPN interface l2tp3
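As an added example (my own script, not part of this post or of VyOS), here is a small Python checker that parses the zone-policy and firewall-name lines above and works out which zones may open new sessions into which, so the DMZ goal stated earlier (HydraLab cannot initiate sessions to Interno) can be verified mechanically after every config change. It assumes every rule set and zone keeps the post's default-action drop and models only the state criterion of each rule; the config excerpt embedded in it is constructed from the lines above with the placeholders omitted.

```python
import re
# Constructed excerpt of the post's config (rule sets plus the zone-policy lines that decide traffic
# between HydraLab, Interno and the Internet); the post's default-action drop is implied and omitted.
CONFIG = """
set firewall name ESTABLISHED rule 1001 action accept
set firewall name ESTABLISHED rule 1001 state established enable
set firewall name ESTABLISHED rule 1001 state related enable
set firewall name FromHYDRALAB rule 2001 action accept
set firewall name FromHYDRALAB rule 2001 state established enable
set firewall name FromHYDRALAB rule 2001 state related enable
set firewall name OUTGOING rule 4001 action accept
set firewall name OUTGOING rule 4001 state established enable
set firewall name OUTGOING rule 4001 state new enable
set firewall name OUTGOING rule 4001 state related enable
set zone-policy zone INTERNET from HYDRALAB firewall name OUTGOING
set zone-policy zone INTERNET from INTERNO firewall name OUTGOING
set zone-policy zone HYDRALAB from INTERNET firewall name ESTABLISHED
set zone-policy zone HYDRALAB from INTERNO firewall name OUTGOING
set zone-policy zone INTERNO from HYDRALAB firewall name FromHYDRALAB
set zone-policy zone INTERNO from INTERNET firewall name ESTABLISHED
"""
RULE = re.compile(r"set firewall name (\S+) rule (\d+) (action|state) (\S+)")
POLICY = re.compile(r"set zone-policy zone (\S+) from (\S+) firewall name (\S+)")

def parse(config):
    """rulesets[name][num] -> {'action', 'states'}; policy[(src, dst)] -> rule set name."""
    rulesets, policy = {}, {}
    for line in config.splitlines():
        if m := RULE.match(line):
            name, num, key, val = m.groups()
            rule = rulesets.setdefault(name, {}).setdefault(int(num), {"action": "drop", "states": set()})
            if key == "action": rule["action"] = val
            else: rule["states"].add(val)
        elif m := POLICY.match(line):
            dst, src, name = m.groups()  # "zone X from Y" governs traffic leaving Y and entering X
            policy[(src, dst)] = name
    return rulesets, policy

def new_session_allowed(rulesets, policy, src, dst):
    """Is a conntrack-NEW flow from zone src into zone dst accepted? Only the state criterion is
    modelled (a rule without one matches everything); no policy entry or no match means drop."""
    rules = rulesets.get(policy.get((src, dst)), {})
    for num in sorted(rules):  # VyOS evaluates rules in ascending number order
        if not rules[num]["states"] or "new" in rules[num]["states"]:
            return rules[num]["action"] == "accept"
    return False

def dmz_matrix(config, zones=("INTERNET", "HYDRALAB", "INTERNO")):
    rulesets, policy = parse(config)  # {(src, dst): may src open sessions into dst?}
    return {(s, d): new_session_allowed(rulesets, policy, s, d) for s in zones for d in zones if s != d}
```

Feed it the full `show configuration commands` output instead of the excerpt and add the remaining zones to `zones` to check the whole policy.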
Elver’s Opinion: I didn’t find the VyOS configs to be too challenging; the challenge was finding the correct command references to get this done. There are a few more details on how my environment is set up and I may put up more in a later blog post (time permitting).