Configuring the VyOS VPN Virtual Appliance On-Premises

To configure the VyOS VPN Virtual Appliance on-premises:

  1. Download the latest VyOS-VMW OVA from the region nearest to you:
  2. Log in to the GCP portal and navigate to Compute Engine -> VM Instances. Find the XXX.velosvpngateway VM created by the script and record its public IP address.
  3. On the vCenter Server, click File > Deploy OVF Templates. Follow the instructions to deploy the VyOS virtual appliance and click OK.
  4. Power on the VM.
  5. Log in to the on-premises VyOS VPN appliance (for example, using the vCenter VM console) with user vyos and password vyos.
  6. Set up a static IP for the appliance by entering the commands below. Replace the address in the example with an address from your on-premises subnet, including the netmask bits (CIDR notation), and replace the gateway with the IP address of your local subnet's default gateway. Use a gateway that can route to the internet, so that the VPN tunnel can be created later on.
set interfaces ethernet eth0 address
set system gateway-address

Note: if a DHCP address was configured on the interface, you will need to delete it first with the following command:

del interfaces ethernet eth0 address dhcp
  7. Change the MTU value for eth0.
set interfaces ethernet eth0 mtu 1460
  8. Configure source NAT for the local network. This allows virtual machines running in the GCP VPC to reach corporate-side servers and services as needed without having to set up routing on those corporate servers.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address masquerade
  9. Enable SSH for remote management.
set service ssh port '22'
  10. Commit, save the changes and exit configuration mode.

Note: you can now use an SSH client such as PuTTY to connect to the VyOS appliance, which makes it easier to copy and paste the commands below.

  11. Configure a VPN tunnel using OpenVPN. Generate a shared secret key file.
generate openvpn key /config/auth/secret
sudo chmod 640 /config/auth/secret
  12. Configure the VPN tunnel interface.

Note: Replace the remote-host value with the xxx.velosvpngateway instance public IP recorded from GCP.

set interfaces openvpn vtun0 local-address
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 keep-alive interval 10
set interfaces openvpn vtun0 keep-alive failure-count 5
set interfaces openvpn vtun0 remote-address
set interfaces openvpn vtun0 remote-host
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

UDP is the preferred protocol for VPN performance: the per-packet overhead on traffic sent across the tunnel is lower, and there is no TCP-over-TCP stacking of congestion control. For deployments where UDP is not an option because of firewall constraints, you may use a TCP-based tunnel. If outbound internet access must go through an HTTP proxy, you can also configure that along with a TCP-based tunnel. Expect a significant performance impact, especially on low-bandwidth links. For a TCP setup example, see Configuring VPN using TCP.

  13. Set a static route to direct the local subnet traffic to the GCP network CIDR.

Note: Replace the route destination with the VPC CIDR value you entered in the GCP PoC script.

set protocols static route next-hop
  14. Commit and save the configuration.
  15. Copy the shared secret file from the on-premises VyOS appliance (using PSCP, for example). Replace the IP address in the example below with the on-premises VyOS address.

pscp.exe -pw vyos vyos@ .
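The following script is an added example that is not part of the original page and not VyOS project code. It consolidates steps 6 through 14 above into one reviewable unit: it validates the placeholder values (all of which are constructed here and must be replaced), renders the complete configure-mode command set, and, when run on the appliance itself, applies it through VyOS's vbash script template; anywhere else it only prints the commands as a dry run. It assumes that the static route's next hop is the remote tunnel address (the page leaves that value elided), and it adds one optional hardening line, `service ssh listen-address`, which is assumed to be available on the image, so that SSH answers only on the LAN address and not on the tunnel address.

```shell
#!/bin/sh
# Added example (not from the original page): consolidates the VyOS steps of
# the procedure into one script. All values below are constructed placeholders.
LAN_ADDRESS="192.0.2.10/24"     # placeholder: eth0 address, CIDR notation (step 6)
LAN_GATEWAY="192.0.2.1"         # placeholder: on-prem default gateway that reaches the internet
TUNNEL_LOCAL="10.255.255.1"     # placeholder: inner tunnel address on this side (vtun0 local-address)
TUNNEL_REMOTE="10.255.255.2"    # placeholder: inner tunnel address on the GCP side (vtun0 remote-address)
GCP_GATEWAY_IP="203.0.113.5"    # placeholder: public IP of the xxx.velosvpngateway VM (remote-host)
GCP_VPC_CIDR="10.128.0.0/20"    # placeholder: VPC CIDR entered in the GCP PoC script (step 13)
SSH_LISTEN="192.0.2.10"         # placeholder: answer SSH on the LAN address only (assumed option)
REMOVE_DHCP="yes"               # set to "no" if eth0 never had a DHCP address configured

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 when $1 is IPv4 CIDR notation (address/prefix) with prefix in 0..32.
valid_cidr() {
    case $1 in */*) ;; *) return 1;; esac
    addr=${1%/*}; bits=${1#*/}
    valid_ipv4 "$addr" || return 1
    case $bits in ''|*[!0-9]*) return 1;; esac
    [ "$bits" -le 32 ]
}

# Print the configure-mode command set for steps 6-13 after checking every value,
# so a typo in a placeholder is caught before anything touches the appliance.
render_vyos_config() {
    valid_cidr "$LAN_ADDRESS" && valid_ipv4 "$LAN_GATEWAY" \
        && valid_ipv4 "$TUNNEL_LOCAL" && valid_ipv4 "$TUNNEL_REMOTE" \
        && valid_ipv4 "$GCP_GATEWAY_IP" && valid_cidr "$GCP_VPC_CIDR" \
        && valid_ipv4 "$SSH_LISTEN" \
        || { echo "invalid placeholder value, nothing rendered" >&2; return 1; }
    [ "$REMOVE_DHCP" = yes ] && echo 'delete interfaces ethernet eth0 address dhcp'
    cat <<EOF
set interfaces ethernet eth0 address $LAN_ADDRESS
set system gateway-address $LAN_GATEWAY
set interfaces ethernet eth0 mtu 1460
set nat source rule 100 outbound-interface eth0
set nat source rule 100 translation address masquerade
set service ssh port 22
set service ssh listen-address $SSH_LISTEN
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 local-address $TUNNEL_LOCAL
set interfaces openvpn vtun0 remote-address $TUNNEL_REMOTE
set interfaces openvpn vtun0 remote-host $GCP_GATEWAY_IP
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 keep-alive interval 10
set interfaces openvpn vtun0 keep-alive failure-count 5
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set protocols static route $GCP_VPC_CIDR next-hop $TUNNEL_REMOTE
EOF
}

# On a VyOS appliance, wrap the commands in the vbash script template and apply
# them with commit + save (step 14); elsewhere print them for review (dry run).
apply_or_dry_run() {
    if [ -r /opt/vyatta/etc/functions/script-template ]; then
        tmp=$(mktemp) || return 1
        {
            echo '#!/bin/vbash'
            echo 'source /opt/vyatta/etc/functions/script-template'
            echo 'configure'
            render_vyos_config
            echo 'commit'
            echo 'save'
            echo 'exit'
        } > "$tmp" || { rm -f "$tmp"; return 1; }
        vbash "$tmp"; rc=$?
        rm -f "$tmp"
        return $rc
    else
        echo "# dry run (not running on VyOS): review, then paste into 'configure' on the appliance"
        render_vyos_config
    fi
}

apply_or_dry_run
```

Run it once off-box to review the rendered commands, then copy it to the appliance (the shared secret from step 11 must already exist at /config/auth/secret, since the commit validates that path) and run it there with vbash. The listen-address line is the only change from the page's own command set: with a static shared key the secret file is the tunnel's sole credential, so keeping its mode at 640 and keeping management access off the tunnel address are the two cheap controls worth having.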