NightFox

VyOS: Installation and Configuration Guide


VyOS is an open-source network operating system that provides advanced routing, firewalling, and VPN features in a customizable and scalable package. Built on Linux, VyOS is suitable for a wide range of use cases, from homelabs and small businesses to enterprise networks. This guide explores how to install, configure, and use VyOS as a router, firewall, and NAT device, making it an excellent choice for home or SMB setups.

Installing VyOS

VyOS can run on bare-metal hardware, virtual machines, or cloud platforms. The installation process is straightforward:

Step 1: Download VyOS

Begin by downloading the VyOS ISO image from the official website. Ensure you choose the appropriate version for your system.

Step 2: Prepare the Installation Media

Create a bootable USB drive using tools like Rufus (Windows) or dd (Linux/macOS). For example, on Linux, you can use the following command:

sudo dd if=vyos.iso of=/dev/sdX bs=4M status=progress

Replace `/dev/sdX` with the device node of your USB drive, and double-check it before running the command: dd writes to whatever device you name without asking for confirmation, and pointing it at the wrong disk destroys that disk's contents.

Step 3: Install VyOS

Boot your target device from the USB drive and follow these steps:

  1. Select "Install VyOS" from the boot menu.
  2. Partition the disk as needed. You can use the default options for most installations.
  3. Set the hostname, username, and password during the setup process.
  4. Once the installation is complete, reboot the system and remove the USB drive.

Basic Configuration

After installation, you’ll need to configure the VyOS system for basic functionality. Log in to the system using the credentials created during setup.

Step 1: Set the Hostname and Timezone

configure
set system host-name vyos-router
set system time-zone UTC
commit
save

Step 2: Configure Network Interfaces

Assign IP addresses to the network interfaces. For example:

set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth1 address dhcp
commit
save

In this example, `eth0` is configured with a static IP address for the LAN, and `eth1` is set to obtain an IP via DHCP for the WAN.

Step 3: Enable SSH for Remote Management

set service ssh
commit
save

Configuring NAT

Network Address Translation (NAT) is essential for allowing devices on a private network to access the internet using a single public IP address.

Set Up Source NAT (Masquerade)

Source NAT, or masquerade, is typically used for internet-bound traffic from private IP addresses:

set nat source rule 10 description "Outbound NAT"
set nat source rule 10 outbound-interface eth1
set nat source rule 10 source address 192.168.1.0/24
set nat source rule 10 translation address masquerade
commit
save

In this configuration, traffic from the `192.168.1.0/24` network is masqueraded when exiting the `eth1` interface.
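To make the statefulness of masquerade concrete, here is an added Python model of the single source NAT rule above. It is example code written for this guide, not VyOS's own implementation: a packet leaving the matched interface from the matched network gets its source rewritten to the interface address (keeping the client's source port when it is free, as netfilter does), the mapping is remembered, and only replies that match a remembered mapping are translated back. The class name, the packet dictionary fields, and the WAN address 203.0.113.10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Translation:
    proto: str
    orig_src: str      # private address before translation
    orig_sport: int
    dst: str           # remote host the LAN client talked to
    dport: int
    new_src: str       # address of the outbound interface (masquerade)
    new_sport: int


class SourceNat:
    """Model of one VyOS source NAT rule with 'translation address masquerade'."""

    def __init__(self, source_net, outbound_iface, iface_addrs):
        self.source_net = ipaddress.ip_network(source_net)   # 'source address 192.168.1.0/24'
        self.outbound_iface = outbound_iface                  # 'outbound-interface eth1'
        self.iface_addrs = iface_addrs                        # constructed {iface: current address}
        self.forward = {}   # (proto, src, sport, dst, dport) -> Translation
        self.reverse = {}   # (proto, new_sport) -> Translation, used to map replies back
        self.next_port = 1024

    def _free_port(self, proto, wanted):
        """Masquerade keeps the client's source port when it is free, else picks another."""
        if (proto, wanted) not in self.reverse:
            return wanted
        while (proto, self.next_port) in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt, egress_iface):
        """Translate a packet leaving egress_iface if the rule matches; else return it unchanged."""
        if egress_iface != self.outbound_iface or \
                ipaddress.ip_address(pkt["src"]) not in self.source_net:
            return dict(pkt)
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        entry = self.forward.get(key)
        if entry is None:
            new_sport = self._free_port(pkt["proto"], pkt["sport"])
            entry = Translation(pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
                                self.iface_addrs[egress_iface], new_sport)
            self.forward[key] = entry
            self.reverse[(pkt["proto"], new_sport)] = entry
        out = dict(pkt)
        out["src"], out["sport"] = entry.new_src, entry.new_sport
        return out

    def inbound(self, pkt):
        """Reverse-translate a reply arriving on the WAN; None means no translation exists."""
        entry = self.reverse.get((pkt["proto"], pkt["dport"]))
        if entry is None or \
                (pkt["dst"], pkt["src"], pkt["sport"]) != (entry.new_src, entry.dst, entry.dport):
            return None
        out = dict(pkt)
        out["dst"], out["dport"] = entry.orig_src, entry.orig_sport
        return out

    def translations(self):
        """Active translations, analogous to what 'show nat source translations' reports."""
        return [(e.orig_src, e.orig_sport, e.new_src, e.new_sport, e.dst, e.dport)
                for e in self.forward.values()]


if __name__ == "__main__":
    nat = SourceNat("192.168.1.0/24", "eth1", {"eth1": "203.0.113.10"})  # constructed WAN address
    out = nat.outbound({"proto": "tcp", "src": "192.168.1.20", "sport": 51000,
                        "dst": "198.51.100.7", "dport": 443}, "eth1")
    print(out, nat.translations())
```

The point to take from `inbound` is that an unsolicited packet from the internet with no remembered mapping has nowhere to go, which is why masquerade alone already hides LAN hosts; the firewall rules in the next section add the explicit policy on top of that.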

Firewall Configuration

VyOS includes a powerful firewall that uses stateful packet inspection to control traffic. You can define zones and rules to enforce security policies.

Define Firewall Rules

Here’s an example of a basic firewall configuration:

set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable

set firewall name LAN_LOCAL default-action drop
set firewall name LAN_LOCAL rule 10 action accept
set firewall name LAN_LOCAL rule 10 source address 192.168.1.0/24
set firewall name LAN_LOCAL rule 10 protocol icmp

set interfaces ethernet eth0 firewall in name LAN_LOCAL
set interfaces ethernet eth1 firewall in name WAN_IN
commit
save

In this configuration:

  • The WAN interface (`eth1`) drops all inbound traffic except packets that belong to established and related connections, so connections initiated from the internet are dropped while replies to outbound traffic still get through.
  • The LAN interface (`eth0`) accepts only ICMP (ping) from `192.168.1.0/24`. Because `LAN_LOCAL` also has `default-action drop`, every other packet entering `eth0` from the LAN, including internet-bound TCP and UDP, is dropped until further accept rules are added to that rule set.
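The following added Python example (written for this guide, not VyOS's own code) parses the `set firewall` and interface binding lines above into rule sets and evaluates constructed packets against them the way the firewall does: rules in ascending number order, first match wins, otherwise the rule set's default action. Running it makes both bullets concrete and also shows that `LAN_LOCAL`, as written, drops non-ICMP traffic from the LAN. The packet dictionary layout and the `new`/`established` labels are assumptions that mirror the connection-tracking states the firewall matches on.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the firewall configuration shown above.
CONFIG = """
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable

set firewall name LAN_LOCAL default-action drop
set firewall name LAN_LOCAL rule 10 action accept
set firewall name LAN_LOCAL rule 10 source address 192.168.1.0/24
set firewall name LAN_LOCAL rule 10 protocol icmp

set interfaces ethernet eth0 firewall in name LAN_LOCAL
set interfaces ethernet eth1 firewall in name WAN_IN
"""


@dataclass
class Rule:
    action: str = "accept"
    states: set = field(default_factory=set)          # enabled states, matched with OR
    source: Optional[ipaddress.IPv4Network] = None    # 'source address <cidr>'
    protocol: Optional[str] = None                    # 'protocol <name>'

    def matches(self, pkt):
        """Every configured criterion must match; an unconfigured one matches anything."""
        if self.states and pkt["state"] not in self.states:
            return False
        if self.source is not None and ipaddress.ip_address(pkt["src"]) not in self.source:
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        return True


@dataclass
class RuleSet:
    default_action: str = "drop"
    rules: dict = field(default_factory=dict)   # rule number -> Rule

    def evaluate(self, pkt):
        for num in sorted(self.rules):
            if self.rules[num].matches(pkt):
                return self.rules[num].action
        return self.default_action


def parse_config(text):
    """Build rule sets and (interface, direction) -> rule set name bindings from 'set' lines."""
    rulesets, bindings = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "set":
            continue
        if tok[1:3] == ["firewall", "name"]:
            rs = rulesets.setdefault(tok[3], RuleSet())
            if tok[4] == "default-action":
                rs.default_action = tok[5]
            elif tok[4] == "rule":
                rule = rs.rules.setdefault(int(tok[5]), Rule())
                key = tok[6]
                if key == "action":
                    rule.action = tok[7]
                elif key == "state" and tok[8] == "enable":
                    rule.states.add(tok[7])
                elif key == "source" and tok[7] == "address":
                    rule.source = ipaddress.ip_network(tok[8])
                elif key == "protocol":
                    rule.protocol = tok[7]
        elif tok[1:3] == ["interfaces", "ethernet"] and tok[4] == "firewall":
            # set interfaces ethernet <iface> firewall <direction> name <ruleset>
            bindings[(tok[3], tok[5])] = tok[7]
    return rulesets, bindings


def decide(rulesets, bindings, iface, direction, pkt):
    """Verdict for a packet on iface/direction; no attached rule set means unfiltered."""
    name = bindings.get((iface, direction))
    if name is None:
        return "accept"
    return rulesets[name].evaluate(pkt)


if __name__ == "__main__":
    rs, b = parse_config(CONFIG)
    for iface, pkt in [("eth1", {"src": "203.0.113.5", "proto": "tcp", "state": "new"}),
                       ("eth0", {"src": "192.168.1.10", "proto": "tcp", "state": "new"})]:
        print(iface, pkt["proto"], pkt["state"], "->", decide(rs, b, iface, "in", pkt))
```

The last line of the usage block prints `drop` for the LAN TCP packet, which is the behaviour described in the second bullet; extending `LAN_LOCAL` with an accept rule for the protocols you actually want forwarded is what turns this example into a usable LAN policy.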

Using VyOS as a Home or SMB Router

VyOS is an excellent choice for home or small business networks due to its flexibility and feature set. Here’s how you can optimize VyOS for these environments:

Dynamic DNS

If your ISP provides a dynamic IP address, configure Dynamic DNS to keep your public hostname updated:

set service dns dynamic interface eth1 service dyndns host-name yourhostname.dyndns.org
set service dns dynamic interface eth1 service dyndns login yourusername
set service dns dynamic interface eth1 service dyndns password yourpassword
commit
save

Quality of Service (QoS)

To prioritize specific types of traffic, configure QoS policies:

set traffic-policy shaper SHAPER default bandwidth 10mbit
set traffic-policy shaper SHAPER class 10 bandwidth 2mbit
set traffic-policy shaper SHAPER class 10 match TCP ip protocol tcp
set interfaces ethernet eth1 traffic-policy out SHAPER
commit
save

In this example, TCP traffic is allocated a bandwidth limit of 2 Mbps.

VPN Server

VyOS can act as a VPN server for remote access. For example, to configure an OpenVPN server:

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.8.0.0/24
set interfaces openvpn vtun0 tls cert-file /config/auth/server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 openvpn-option "--push route 192.168.1.0 255.255.255.0"
commit
save

Ensure certificates are properly generated and stored in the specified locations.

Monitoring and Troubleshooting

VyOS provides powerful tools for monitoring and troubleshooting your network:

To view active NAT translations, use:

show nat source translations

To monitor interface statistics:

show interfaces

For real-time packet capture:

sudo tcpdump -i eth0

Conclusion

VyOS is a versatile and robust solution for networking enthusiasts, IT professionals, and small businesses. Its open-source nature and comprehensive feature set make it an ideal choice for routing, NAT, firewalling, and VPNs. Whether you're setting up a homelab or managing a small business network, VyOS offers the tools and flexibility to meet your needs.