
GNS3: Simulating a 100% opensource site2site VPN using Wireguard, VyOS and OpenVSwitch

This is something I had in mind for a while but never found the time to do. It took a very cold day to convince me that I had to play with WireGuard on VyOS.

I used GNS3, on my personal Linux laptop, to build this setup. Naturally the performance was not great, since it is just a simulation.

In real life, I am running WireGuard on a 10-year-old Raspberry Pi Model B, and amazingly, with just a 700 MHz single-core ARM CPU and less than 512 MB of RAM, I have a decent and stable permanent WireGuard tunnel. (My bandwidth reaches 24 Mbps without issue.)

Back to my simulation, this is what it looks like:


Quick explanation: the VyOS routers labeled IPERF1 and IPERF2 are only used for an iperf3 test, which reached about 50 to 60 Mbps each time. It ain't much, but it was honest (and free) secure bandwidth!


I won't get into the details of this setup, but I will post the two most important configurations: R-East and R-West.

#### VyOS WireGuard Site2Site ####

## KEY GENERATION ON BOTH ROUTERS ##
generate wireguard default-keypair

## GETTING THE PUBLIC KEY ON EACH ROUTER ##
show wireguard keypairs pubkey default

# R-EAST CONFIG
# LAN behind R-East: 192.168.0.0/24; peer's LAN (West): 10.0.0.0/24
set interfaces wireguard wg01 address '10.255.255.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.0.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.16.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-WEST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01

# R-WEST CONFIG
# LAN behind R-West: 10.0.0.0/24; peer's LAN (East): 192.168.0.0/24
set interfaces wireguard wg01 address '10.255.255.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.17.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-EAST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
set protocols static interface-route 192.168.0.0/24 next-hop-interface wg01

## VyOS Firewall, on both routers
# Explicit default action (drop is also what VyOS applies when none is set)
set firewall name OUTSIDE_LOCAL default-action drop
set firewall name OUTSIDE_LOCAL rule 10 action accept
set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
set firewall name OUTSIDE_LOCAL rule 10 state established enable
set firewall name OUTSIDE_LOCAL rule 10 state related enable
set firewall name OUTSIDE_LOCAL rule 20 action accept
set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN
set firewall name OUTSIDE_LOCAL rule 20 destination port 51820
set firewall name OUTSIDE_LOCAL rule 20 log enable
set firewall name OUTSIDE_LOCAL rule 20 protocol udp
# The source qualifier is incomplete on the page (its value is missing); as written,
# rule 20 accepts UDP/51820 from any source, which WireGuard tolerates since it
# silently ignores packets that don't authenticate against a configured peer key
set firewall name OUTSIDE_LOCAL rule 20 source
set interfaces ethernet eth0 firewall local name 'OUTSIDE_LOCAL'


This configuration allows only the network 192.168.0.0/24 on the East side and 10.0.0.0/24 on the West side to send traffic through the WireGuard tunnel between R-East and R-West, because those are the only prefixes listed in each peer's allowed-ips. For testing, ping from PC1 to PC2 and from PC2 to PC1. Pinging from R-East to R-West fails if the source address is not set to one from the authorized network.
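To make the allowed-ips behaviour concrete, here is an added example (my own code, not part of the original post or of VyOS) that parses the two routers' `set` lines above into a small model, cross-checks that the two sides agree with each other (listen port vs. peer port, tunnel addresses in one /30, every static route into wg01 covered by allowed-ips), and then applies WireGuard's cryptokey routing to individual packets. The configuration text is copied from the post with the public keys left as placeholders; the host addresses used in the checks (192.168.0.10, 10.0.0.10 and so on) are constructed for the example.

```python
"""Consistency and cryptokey-routing check for a two-router VyOS WireGuard
site-to-site configuration (added example, not code from the original post).

WireGuard routes by key: a packet entering wg01 is encrypted for the peer whose
allowed-ips contains the destination (no match -> discarded), and the receiving
side only accepts a decrypted packet whose source lies in the allowed-ips it has
configured for that peer.  That is why a ping sourced from the router's tunnel
address fails while PC1 -> PC2 works.
"""
import ipaddress
import shlex

# Constructed copies of the post's R-East / R-West sections (keys are placeholders).
R_EAST = """
set interfaces wireguard wg01 address '10.255.255.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.0.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.16.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-WEST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01
"""
R_WEST = """
set interfaces wireguard wg01 address '10.255.255.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.17.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-EAST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
set protocols static interface-route 192.168.0.0/24 next-hop-interface wg01
"""


def parse_router(text):
    """Turn VyOS 'set' lines into {'address', 'port', 'peers': {name: {...}}, 'routes'}."""
    cfg = {"peers": {}, "routes": []}
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # honours the single quotes VyOS prints
        if tok[:3] == ["set", "interfaces", "wireguard"]:
            if tok[4] == "peer":
                peer = cfg["peers"].setdefault(tok[5], {"allowed-ips": []})
                if tok[6] == "allowed-ips":
                    peer["allowed-ips"].append(ipaddress.ip_network(tok[7]))
                else:
                    peer[tok[6]] = tok[7]
            elif tok[4] == "address":
                cfg["address"] = ipaddress.ip_interface(tok[5])
            elif tok[4] == "port":
                cfg["port"] = tok[5]
        elif tok[:4] == ["set", "protocols", "static", "interface-route"]:
            cfg["routes"].append(ipaddress.ip_network(tok[4]))
    return cfg


def cross_check(a, b):
    """Return a list of mismatches between the two sides (empty list = consistent)."""
    problems = []
    pa = next(iter(a["peers"].values()))  # each router has exactly one peer here
    pb = next(iter(b["peers"].values()))
    if a["port"] != pb.get("port") or b["port"] != pa.get("port"):
        problems.append("listen port and the other side's peer port disagree")
    if a["address"].network != b["address"].network:
        problems.append("tunnel addresses are not in the same subnet")
    for side, peer in ((a, pa), (b, pb)):
        for route in side["routes"]:
            if not any(route.subnet_of(n) for n in peer["allowed-ips"]):
                problems.append(f"route {route} enters wg01 but is not in allowed-ips")
    return problems


def tunnel_permits(sender, receiver, src, dst):
    """Apply cryptokey routing to one packet; returns (forwarded?, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(dst in n for p in sender["peers"].values() for n in p["allowed-ips"]):
        return False, f"{dst} matches no peer's allowed-ips on the sender"
    if not any(src in n for p in receiver["peers"].values() for n in p["allowed-ips"]):
        return False, f"{src} is not in allowed-ips on the receiver, packet dropped"
    return True, "forwarded"


EAST, WEST = parse_router(R_EAST), parse_router(R_WEST)

if __name__ == "__main__":
    print("cross-check:", cross_check(EAST, WEST) or "consistent")
    for s, r, src, dst in [(EAST, WEST, "192.168.0.10", "10.0.0.10"),   # PC1 -> PC2
                           (EAST, WEST, "10.255.255.1", "10.0.0.10"),   # router tunnel IP as source
                           (EAST, WEST, "192.168.0.10", "10.255.255.2")]:  # peer tunnel IP as target
        print(f"{src} -> {dst}: {tunnel_permits(s, r, src, dst)}")
```

The second and third packets show the two distinct failure points the post alludes to: a source outside the authorized network is decrypted by the far end and then discarded, while a destination outside every allowed-ips never even leaves the near end. Adding the tunnel /30 to each peer's allowed-ips would make router-to-router pings over the tunnel work, at the cost of widening what the far side is allowed to inject.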

Also, there has been no configuration whatsoever on the Open vSwitch switches; they are used only for L2 packet switching.
