Vyatta How To

Installation

1. Mount the ISO file in the machine (on a physical machine, burn the ISO to a CD and boot from it).
2. Log in using vyatta/vyatta as username and password.
3. Start the installation with the following command:

   install image

4. Follow the wizard, accept all defaults.
5. Reboot.
Initial settings

Set the hostname and IP addresses and enable SSH:

1. configure
2. set interfaces ethernet eth0 address /
3. set interfaces ethernet eth1 address /
4. set system gateway-address
5. set system name-server
6. set service ssh
7. set service ssh protocol-version v2
8. set system host-name
9. commit
10. save

The router is now routing between the two networks specified.
DNS Configuration

Configure the router to forward DNS queries:

1. set service dns forwarding listen-on eth0
2. set service dns forwarding system
3. commit
4. save

To set static DNS records:

1. set system static-host-mapping host-name inet
2. commit
3. save
NAT configuration

Version 6.4

Configure the router to forward packets with NAT:

1. set nat destination rule 200 destination port
2. set nat destination rule 200 inbound-interface eth0
3. set nat destination rule 200 translation address
4. set nat destination rule 200 translation port
5. set nat destination rule 200 protocol tcp
6. commit
7. save

Legacy

Enable port forwarding for services inside the NAT:

1. set service nat rule 200 destination port
2. set service nat rule 200 inbound-interface eth0
3. set service nat rule 200 inside-address address
4. set service nat rule 200 inside-address port
5. set service nat rule 200 protocol tcp
6. set service nat rule 200 type destination
7. commit
8. save
DHCP configuration

Configure an IPv4 DHCP scope:

1. set service dhcp-server shared-network-name v12n
2. set service dhcp-server shared-network-name v12n authoritative disable
3. set service dhcp-server shared-network-name v12n subnet /
4. set service dhcp-server shared-network-name v12n subnet / default-router
5. set service dhcp-server shared-network-name v12n subnet / dns-server
6. set service dhcp-server shared-network-name v12n subnet / dns-server
7. set service dhcp-server shared-network-name v12n subnet / start stop
8. set service dhcp-server disabled false
9. commit
10. save

Allocate a static IP address to a host:

1. set service dhcp-server shared-network-name v12n subnet / static-mapping ip-address
2. set service dhcp-server shared-network-name v12n subnet / static-mapping mac-address
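The scope above leaves every address blank. As an added example that is not part of the original how-to, the following Python script takes constructed values for the v12n scope (the subnet 192.168.0.0/24 and the reservations "printer" and "nas" are assumptions), checks that the router, the start/stop pool and the static mappings are consistent with the subnet, and then renders the `set service dhcp-server ...` lines in the order the how-to uses them. The check most worth having is that a reservation does not sit inside the dynamic pool, where it can collide with a lease handed out from that pool.

```python
import ipaddress
import re

# Constructed values for a v12n scope; the how-to leaves the real ones blank.
# The reservations "printer" and "nas" are hypothetical hosts.
SCOPE = {
    "network": "v12n",
    "subnet": "192.168.0.0/24",
    "default_router": "192.168.0.1",
    "dns_servers": ["192.168.0.1", "192.168.0.2"],
    "start": "192.168.0.100",
    "stop": "192.168.0.199",
    "static": {                      # name -> (ip-address, mac-address)
        "printer": ("192.168.0.20", "00:11:22:33:44:55"),
        "nas": ("192.168.0.150", "00:11:22:33:44:66"),  # inside the pool on purpose
    },
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def check_scope(scope):
    """Return a list of problems; an empty list means the scope is consistent."""
    problems = []
    net = ipaddress.ip_network(scope["subnet"], strict=True)
    router = ipaddress.ip_address(scope["default_router"])
    start = ipaddress.ip_address(scope["start"])
    stop = ipaddress.ip_address(scope["stop"])

    # Everything the scope hands out must live inside the subnet.
    for label, addr in (("default-router", router), ("start", start), ("stop", stop)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    for dns in scope["dns_servers"]:
        ipaddress.ip_address(dns)          # raises ValueError on a malformed address

    # The dynamic pool must be ordered, must not cover the network/broadcast
    # addresses, and must not contain the router itself.
    if start > stop:
        problems.append(f"start {start} is after stop {stop}")
    if start == net.network_address or stop == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    if start <= router <= stop:
        problems.append(f"default-router {router} lies inside the dynamic pool")

    # Reservations: inside the subnet, outside the pool, well-formed, unique.
    seen_ips, seen_macs = set(), set()
    for name, (ip_s, mac) in scope["static"].items():
        ip = ipaddress.ip_address(ip_s)
        if ip not in net:
            problems.append(f"static-mapping {name}: {ip} is outside {net}")
        elif start <= ip <= stop:
            problems.append(f"static-mapping {name}: {ip} lies inside the pool {start}-{stop}")
        if not MAC_RE.match(mac):
            problems.append(f"static-mapping {name}: malformed mac-address {mac}")
        if ip in seen_ips or mac.lower() in seen_macs:
            problems.append(f"static-mapping {name}: duplicate ip-address or mac-address")
        seen_ips.add(ip)
        seen_macs.add(mac.lower())
    return problems


def render_commands(scope):
    """Emit the 'set service dhcp-server ...' lines in the order the how-to uses."""
    base = f"set service dhcp-server shared-network-name {scope['network']}"
    sub = f"{base} subnet {scope['subnet']}"
    cmds = [base, f"{base} authoritative disable", sub,
            f"{sub} default-router {scope['default_router']}"]
    cmds += [f"{sub} dns-server {dns}" for dns in scope["dns_servers"]]
    cmds.append(f"{sub} start {scope['start']} stop {scope['stop']}")
    for name, (ip, mac) in scope["static"].items():
        cmds.append(f"{sub} static-mapping {name} ip-address {ip}")
        cmds.append(f"{sub} static-mapping {name} mac-address {mac}")
    cmds += ["set service dhcp-server disabled false", "commit", "save"]
    return cmds


if __name__ == "__main__":
    for problem in check_scope(SCOPE):
        print("PROBLEM:", problem)
    print("\n".join(render_commands(SCOPE)))
```

Run as-is the script reports the deliberate "nas" reservation inside the pool and still prints the full command list, so the problems are reviewed before anything is pasted into configure mode.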
Openvpn RoadWarrior

Generate certificates and key files

Copy the Easy-RSA files to /etc/openvpn:

1. vyatta@vyatta01# sudo su
2. root@vyatta01:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/

At the end of the vars file there are settings for company, location and so on. Edit them to reflect your organization:

1. root@vyatta01:/etc/openvpn# nano vars

   export KEY_COUNTRY="NO"
   export KEY_PROVINCE="NA"
   export KEY_CITY="Oslo"
   export KEY_ORG="v12n"
   export KEY_EMAIL="[email protected]"

Source the vars and clean the keys directory before starting:

1. root@vyatta01:/etc/openvpn# source ./vars
2. root@vyatta01:/etc/openvpn# ./clean-all

Create the Certificate Authority certificate:

1. root@vyatta01:/etc/openvpn# ./build-ca

Create a key and certificate for the Vyatta router. Accept the defaults and enter a password when prompted:

1. root@vyatta01:/etc/openvpn# ./build-key-server vyatta01

Create a Diffie-Hellman file:

1. root@vyatta01:/etc/openvpn# ./build-dh

Create a client key. Change the client name to reflect your client:

1. root@vyatta01:/etc/openvpn# ./build-key client

The outcome of this process should be something like this:

1. root@vyatta01:/etc/openvpn# ls keys/

Configure Vyatta

Configure OpenVPN on the Vyatta router (the configuration node is "interfaces", as in the initial settings above):

1. set interfaces openvpn vtun0
2. set interfaces openvpn vtun0 encryption aes256
3. set interfaces openvpn vtun0 hash sha1
4. set interfaces openvpn vtun0 mode server
5. set interfaces openvpn vtun0 local-port 1194
6. set interfaces openvpn vtun0 protocol udp
7. set interfaces openvpn vtun0 server push-route 192.168.0.0/24 (local subnet)
8. set interfaces openvpn vtun0 server subnet 10.12.12.0/29
9. set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
10. set interfaces openvpn vtun0 tls cert-file /config/auth/keys/vyatta01.crt
11. set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh1024.pem
12. set interfaces openvpn vtun0 tls key-file /config/auth/keys/vyatta01.key
13. commit
14. save

Client side configuration

Copy the certificate and key files from the Vyatta router to the client. From an Ubuntu client:

sysadm@ubuntu:~$ mkdir -p openvpn/keys
sysadm@ubuntu:~$ cd openvpn/keys/
sysadm@ubuntu:~/openvpn/keys$ scp vyatta@vyatta01:/etc/openvpn/keys/ca.crt .
Welcome to Vyatta
vyatta@vyatta01's password:
ca.crt                                   100% 1131     1.1KB/s   00:00
sysadm@ubuntu:~/openvpn/keys$ scp vyatta@vyatta01:/etc/openvpn/keys/client.* .
Welcome to Vyatta
vyatta@vyatta01's password:
client.crt                               100% 3615     3.5KB/s   00:00
client.csr                               100%  692     0.7KB/s   00:00
client.key                               100%  891     0.9KB/s   00:00
sysadm@ubuntu:~/openvpn/keys$
DynDNS configuration

Configure Vyatta to use DynDNS on the WAN interface, in this case eth0:

1. set service dns dynamic interface eth0 service dyndns host-name
2. set service dns dynamic interface eth0 service dyndns login
3. set service dns dynamic interface eth0 service dyndns password
4. commit
5. save

Check DynDNS status

To verify the current DynDNS status:

1. show dns dynamic status          # display status
2. update dns dynamic interface     # force an update of the DynDNS record
Other

Show the configuration from any mode:

1. run show configuration

To list the settings without all the {}:

1. show configuration commands
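`show configuration commands` prints one `set` line per setting, which makes the dump easy to parse and review. As an added example (not from the original how-to), the Python script below parses a constructed dump that covers the sections of this document, lists the destination-NAT port forwards, and reports the things a reviewer of such a dump wants flagged: SSH enabled without the protocol-version v2 line the how-to sets, the clear-text DynDNS password that the dump carries, and a tls dh-file whose name suggests 1024-bit parameters. Every value in SAMPLE_DUMP is made up for the example, and the dh-file check is a filename heuristic only.

```python
import shlex
from collections import defaultdict

# Constructed 'show configuration commands' output covering the sections of
# this how-to; every value here is made up for the example.
SAMPLE_DUMP = """\
set interfaces ethernet eth0 address '198.51.100.10/24'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 hash 'sha1'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server subnet '10.12.12.0/29'
set interfaces openvpn vtun0 tls dh-file '/config/auth/keys/dh1024.pem'
set nat destination rule 200 destination port '443'
set nat destination rule 200 inbound-interface 'eth0'
set nat destination rule 200 protocol 'tcp'
set nat destination rule 200 translation address '192.168.0.50'
set nat destination rule 200 translation port '8443'
set service dns dynamic interface eth0 service dyndns host-name 'router.example.org'
set service dns dynamic interface eth0 service dyndns login 'dynuser'
set service dns dynamic interface eth0 service dyndns password 'hunter2'
set service ssh
set system host-name 'vyatta01'
"""


def parse_commands(dump):
    """Map each 'set <path> <value>' line to {path tuple: [values]}.

    The dump quotes leaf values, so a line containing a quote is split into
    path + value; a bare line such as "set service ssh" is a node without a
    value and is stored with an empty list. Repeated paths keep every value.
    """
    tree = defaultdict(list)
    for raw in dump.splitlines():
        words = shlex.split(raw.strip())
        if len(words) < 2 or words[0] != "set":
            continue
        if "'" in raw:
            tree[tuple(words[1:-1])].append(words[-1])
        else:
            tree.setdefault(tuple(words[1:]), [])
    return tree


def port_forwards(tree):
    """Summarize 'nat destination rule N ...' nodes (the version 6.4 syntax)."""
    rules = defaultdict(dict)
    for path, values in tree.items():
        if path[:3] == ("nat", "destination", "rule") and len(path) > 4:
            rules[path[3]][" ".join(path[4:])] = values[-1] if values else None
    summary = []
    for rule, a in sorted(rules.items()):
        dport = a.get("destination port")
        summary.append({
            "rule": rule,
            "iface": a.get("inbound-interface"),
            "proto": a.get("protocol", "any"),
            "port": dport,
            "target": f"{a.get('translation address')}:{a.get('translation port') or dport}",
        })
    return summary


def audit(tree):
    """Return human-readable findings for the points this how-to touches."""
    findings = []
    # SSH: the how-to pins protocol-version v2 right after enabling the service.
    if ("service", "ssh") in tree and ("service", "ssh", "protocol-version") not in tree:
        findings.append("ssh enabled without 'protocol-version v2' pinned")
    # DynDNS credentials are stored, and dumped, in clear text.
    for path in tree:
        if path[:3] == ("service", "dns", "dynamic") and path[-1] == "password":
            findings.append(f"dyndns password present in dump under '{' '.join(path[:-1])}'; "
                            "treat the dump as a secret")
    # Every destination-NAT rule is an inbound exposure worth listing.
    for fwd in port_forwards(tree):
        findings.append(f"rule {fwd['rule']}: {fwd['proto']}/{fwd['port']} on {fwd['iface']} "
                        f"-> {fwd['target']}")
    # Filename heuristic only: a dh-file called dh1024.pem suggests 1024-bit parameters.
    for path, values in tree.items():
        if path[-1] == "dh-file" and any("1024" in v for v in values):
            findings.append(f"dh-file {values[-1]} looks like 1024-bit DH; "
                            "2048-bit or larger is recommended")
    return findings


if __name__ == "__main__":
    for line in audit(parse_commands(SAMPLE_DUMP)):
        print(line)
```

To use it on a real router, paste the output of `show configuration commands` into SAMPLE_DUMP or read it from a file; the parser only depends on the one-`set`-per-line layout of that command.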