
GNS3: Simulating a 100% opensource site2site VPN using Wireguard, VyOS and OpenVSwitch

This is something I had in mind but didn't find the time to accomplish before. It just took a very cold day to convince me that I had to play with WireGuard on VyOS.

I used GNS3, of course, on my personal Linux laptop to create this setup. Naturally the performance was not great, since it is only a simulation.

In real life, I am using WireGuard on a ten-year-old Raspberry Pi Model B and, amazingly, with just a 700 MHz single-core ARM CPU and less than 512 MB of RAM I had a decent and stable permanent WireGuard tunnel. (My bandwidth would reach 24 Mbps without issue.)

Back to my simulation, this is what it looks like:


Quick explanation: the VyOS routers labeled IPERF1 and IPERF2 are only used for an iperf3 test, which reached about 50 to 60 Mbps each time. It ain't much, but it was honest (and free) secure bandwidth!


I won't get into the details of this setup, but I will post the two most important configurations: R-East and R-West.

#### VyOS WireGuard Site2Site (VyOS 1.2 syntax) ####

## KEY GENERATION ON BOTH ROUTERS ##
# Each router generates its own keypair; the private key never leaves the router.

generate wireguard default-keypair

## GETTING THE PUBLIC KEY ON EACH ROUTER ##
# Paste the value shown here into the other router's "peer ... pubkey" line.

show wireguard keypairs pubkey default

# R-EAST CONFIG
# LAN behind R-East: 192.168.0.0/24. Outside address of R-West: 172.16.0.2.
# Interface and peer names (wg01, to-wg02) are local labels only; they need not match the other side.

set interfaces wireguard wg01 address '10.255.255.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
# allowed-ips is both the route selector and an access list: only packets to or from 10.0.0.0/24 are sent to, or accepted from, this peer.
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.0.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.16.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-WEST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
# VyOS does not install routes for allowed-ips by itself (unlike wg-quick), so the remote LAN needs an explicit route into the tunnel.
set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01

# R-WEST CONFIG
# LAN behind R-West: 10.0.0.0/24. Outside address of R-East: 172.17.0.2.

set interfaces wireguard wg01 address '10.255.255.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.17.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-EAST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
set protocols static interface-route 192.168.0.0/24 next-hop-interface wg01

## VyOS Firewall, on both routers
# Applied to the "local" chain of eth0, i.e. traffic addressed to the router itself.
# A named ruleset's default-action is drop, so anything not matched below is dropped.
# Forwarded traffic and the LAN-side interfaces are not filtered by this ruleset.

set firewall name OUTSIDE_LOCAL rule 10 action accept
set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
set firewall name OUTSIDE_LOCAL rule 10 state established enable
set firewall name OUTSIDE_LOCAL rule 10 state related enable
set firewall name OUTSIDE_LOCAL rule 20 action accept
set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN
set firewall name OUTSIDE_LOCAL rule 20 destination port 51820
set firewall name OUTSIDE_LOCAL rule 20 log enable
set firewall name OUTSIDE_LOCAL rule 20 protocol udp
# Restrict the listener to the other router's outside address (the peer "address" configured above):
# 172.16.0.2 on R-East, 172.17.0.2 on R-West. WireGuard itself stays silent to packets that do not
# authenticate, so this mainly limits what UDP/51820 accepts and logs to the expected peer.
set firewall name OUTSIDE_LOCAL rule 20 source address 'REMOTE ROUTER OUTSIDE IP'
set interfaces ethernet eth0 firewall local name 'OUTSIDE_LOCAL'


With this configuration, only traffic between 192.168.0.0/24 (the East LAN) and 10.0.0.0/24 (the West LAN) passes through the WireGuard tunnel between R-East and R-West. Each peer's allowed-ips does double duty (WireGuard's cryptokey routing): on the sending side it selects which peer a destination is encrypted to, and on the receiving side a decrypted packet whose inner source lies outside the peer's allowed-ips is dropped, even though it arrived under the right key. For testing, ping from PC1 to PC2 and from PC2 to PC1. A plain ping from R-East to R-West fails, because the 10.255.255.0/30 tunnel addresses are in neither allowed-ips; it only works when the ping is sourced from an address in the authorized LAN (or if the /30 is added to allowed-ips on both routers).
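To make that behaviour concrete, here is an added example (not code from the post, and not VyOS code) that parses the two `set interfaces wireguard` configurations above and models the sender-side peer lookup and receiver-side source check that WireGuard performs with allowed-ips. Interface and peer names are the ones the post uses; the public keys are placeholders; the PC addresses 192.168.0.10, 10.0.0.10 and 192.168.0.99 are assumed hosts on the two LANs.

```python
# Added example, not code from the post or from VyOS: a model of WireGuard's
# cryptokey routing applied to the R-East / R-West configuration above. Public
# keys are placeholders; peer/interface names are the ones the post uses.
import ipaddress
import shlex

# The post's two configurations (VyOS 1.2 syntax) without the description and
# static-route lines, which play no part in the allowed-ips decision.
R_EAST = """
set interfaces wireguard wg01 address '10.255.255.1/30'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.0.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.16.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-WEST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
"""
R_WEST = """
set interfaces wireguard wg01 address '10.255.255.2/30'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.17.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-EAST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
"""


def parse_vyos_wireguard(text):
    """Parse `set interfaces wireguard ...` lines into
    {iface: {"address": [...], "port": ..., "peers": {name: {"allowed-ips": [...], ...}}}}."""
    cfg = {}
    for line in text.splitlines():
        tok = shlex.split(line)  # drops the single quotes VyOS puts around values
        if tok[:3] != ["set", "interfaces", "wireguard"]:
            continue
        iface = cfg.setdefault(tok[3], {"address": [], "peers": {}})
        if tok[4] == "peer":
            peer = iface["peers"].setdefault(tok[5], {"allowed-ips": []})
            if tok[6] == "allowed-ips":  # may be repeated, one prefix per line
                peer["allowed-ips"].append(ipaddress.ip_network(tok[7]))
            else:
                peer[tok[6]] = tok[7]
        elif tok[4] == "address":
            iface["address"].append(ipaddress.ip_interface(tok[5]))
        else:
            iface[tok[4]] = tok[5]
    return cfg


def select_peer(cfg, iface, dst):
    """Sender side: match dst against every peer's allowed-ips, longest prefix
    wins. No match means there is no peer to encrypt to and the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, peer in cfg[iface]["peers"].items():
        for net in peer["allowed-ips"]:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def accept_from_peer(cfg, iface, peer_name, src):
    """Receiver side: the inner source of a packet decrypted with this peer's
    key must lie in that peer's allowed-ips, or it is dropped. This is what
    prevents an authenticated peer from injecting traffic with spoofed sources."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in cfg[iface]["peers"][peer_name]["allowed-ips"])


def tunnel_carries(sender, receiver, src, dst, iface="wg01"):
    """True if src -> dst handed to the sender's wg01 is both sent and accepted.
    Each router in this lab has exactly one peer, so the receiver's decrypting
    peer is its only one."""
    if select_peer(sender, iface, dst) is None:
        return False
    receiving_peer = next(iter(receiver[iface]["peers"]))
    return accept_from_peer(receiver, iface, receiving_peer, src)


EAST = parse_vyos_wireguard(R_EAST)
WEST = parse_vyos_wireguard(R_WEST)
# Variant with the /30 tunnel network added to allowed-ips on both routers: the
# one-line change that makes a router-to-router ping across the tunnel work.
TUNNEL_NET = "set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.255.255.0/30'\n"
EAST_PLUS = parse_vyos_wireguard(R_EAST + TUNNEL_NET)
WEST_PLUS = parse_vyos_wireguard(R_WEST + TUNNEL_NET)

if __name__ == "__main__":
    for label, snd, rcv, src, dst in [
        ("PC1 -> PC2", EAST, WEST, "192.168.0.10", "10.0.0.10"),
        ("R-East -> R-West, tunnel addresses", EAST, WEST, "10.255.255.1", "10.255.255.2"),
        ("West sends a packet claiming an East source", WEST, EAST, "192.168.0.99", "192.168.0.10"),
        ("R-East -> R-West with /30 allowed", EAST_PLUS, WEST_PLUS, "10.255.255.1", "10.255.255.2"),
    ]:
        print(f"{label:45s} {'carried' if tunnel_carries(snd, rcv, src, dst) else 'dropped'}")
```

The third case is the one worth remembering: R-West holds a valid key, yet a packet it sends with an inner source of 192.168.0.99 is dropped by R-East because that address is not in the allowed-ips R-East has for that peer. Allowed-ips is the only thing standing between "authenticated peer" and "peer that can speak for any address", so keep it as narrow as the remote LAN.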

Also, the OpenVSwitch switches carry no configuration at all; they are used purely as L2 switches.
