Configuring the VyOS VPN Virtual Appliance On-Premises
To configure the VyOS VPN Virtual Appliance on-premises:
- Download the latest VyOS-VMW OVA from the region nearest to you:
- Login to the GCP portal and navigate to Compute Engine -> VM Instances. Find the XXX.velosvpngateway VM created by the script and record its Public IP address.
- On the vCenter Server, click File > Deploy OVF Templates. Follow the instructions to deploy the VyOS virtual appliance and click OK.
- Power on the VM.
- Login to the on premise VYOS VPN Appliance (for example, using vCenter VM console) with user vyos and password vyos.
- Set up a static IP for the appliance by entering the below commands. Replace the example 192.168.10.10/24 with your on your subnet setup on-prem, and netmask bits (CIDR notation). Replace 192.168.10.1 with the IP address of your local subnet default gateway. Use a gateway that can route to the internet, in order to allow the VPN tunnel to be created later on.
config set interfaces ethernet eth0 address 192.168.10.10/24 set system gateway-address 192.168.10.1
note: if you had a DHCP address configured on the interface you will need to delete it by using the following command:
del interfaces ethernet eth0 address dhcp
- Change MTU value for eth0
set interfaces ethernet eth0 mtu 1460
- Configure source-based NAT for the local network. This will allow virtual machines that run in the GCP VPC to communicate with corporate-side servers and services as needed without having to set up routing on these corporate servers.
set nat source rule 100 outbound-interface 'eth0' set nat source rule 100 translation address masquerade
- Enable SSH for remote management.
set service ssh port '22'
- Commit, save the changes and exit the configuration mode.
commit save exit
Note: you can now use an ssh client like Putty to connect to the Vyos appliance, this will streamline copy-paste of the below commands.
- Configure a VPN tunnel using OpenVPN. Generate a shared secret key file.
generate openvpn key /config/auth/secret sudo chmod 640 /config/auth/secret
- Configure the VPN tunnel interface.
Note: Replace 184.108.40.206 with the xxx.velosvpngateway instance public IP from GCP.
config set interfaces openvpn vtun0 local-address 172.16.100.2 set interfaces openvpn vtun0 mode site-to-site set interfaces openvpn vtun0 protocol udp set interfaces openvpn vtun0 openvpn-option --comp-lzo set interfaces openvpn vtun0 keep-alive interval 10 set interfaces openvpn vtun0 keep-alive failure-count 5 set interfaces openvpn vtun0 remote-address 172.16.100.1 set interfaces openvpn vtun0 remote-host 220.127.116.11 set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
UDP is a preferred protocol, performance wise for VPNs, as the overhead on traffic sent across the vpn tunnel is lower and there is no nesting of congestion handling. For deployments where UDP is not an option due to firewall constraints, you may use a TCP based tunnel. If there is a requirement to use an HTTP proxy for outbound internet access, you may also configure that along with a TCP based tunnel. Do note that a significant performance impact is to be expected, especially when dealing with low bandwidth links. For TCP setup example, see Configuring VPN using TCP.
- Set a static route to direct the local subnet traffic to the GCP network CIDR.
Note: Replace 10.10.0.0/16 with the VPC CIDR value you have entered in the GCP PoC script
set protocols static route 10.10.0.0/16 next-hop 172.16.100.1
- Commit and save the configuration.
commit save exit
- Copy the shared secret file from the on premise VyOS appliance (using PSCP for example) replace the IP example below 192.168.10.10 with the on premise VyOS address
Pscp.exe -pw vyos firstname.lastname@example.org:/config/auth/secret .