OSPF over VPN with VyOS
VyOS is a Linux-based firewall. It supports IPsec VPN, GRE tunnels, and the OSPF routing protocol. These features allow dynamic routing information to be exchanged between different private networks over a site-to-site VPN. More information on VyOS can be found here.
In this example, I have two VyOS firewalls with an IPsec VPN tunnel between them. There is a GRE tunnel inside the VPN tunnel which is needed for OSPF. Each VyOS firewall has 3 interfaces, but you could add many more. eth0 is used for external traffic (172.31.200.0/30 and 172.31.200.4/30). eth1 and eth2 are used for internal networks (10.200.0.0/24, 10.200.1.0/24, 10.200.4.0/24, and 10.200.5.0/24).
VyOS Firewall #1
interfaces {
ethernet eth0 {
address 172.31.200.2/30
duplex auto
hw-id 52:54:00:aa:aa:aa
smp_affinity auto
speed auto
}
ethernet eth1 {
address 10.200.0.1/24
duplex auto
hw-id 52:54:00:aa:aa:bb
smp_affinity auto
speed auto
}
ethernet eth2 {
address 10.200.1.1/24
duplex auto
hw-id 52:54:00:aa:aa:cc
smp_affinity auto
speed auto
}
loopback lo {
address 192.168.200.1/32
}
tunnel tun0 {
address 172.31.201.1/30
encapsulation gre
local-ip 192.168.200.1
multicast disable
remote-ip 192.168.200.2
}
}
nat {
source {
rule 100 {
outbound-interface eth0
source {
address 10.200.0.0/22
}
translation {
address masquerade
}
}
}
}
policy {
route-map connect {
rule 10 {
action permit
match {
interface lo
}
}
}
}
protocols {
ospf {
area 0.0.0.1 {
network 172.31.201.0/30
network 10.200.0.0/24
network 10.200.1.0/24
}
default-information {
originate {
always
metric 10
}
}
parameters {
abr-type cisco
router-id 192.168.200.1
}
redistribute {
connected {
metric-type 2
route-map connect
}
}
}
ospfv3 {
}
static {
route 0.0.0.0/0 {
next-hop 172.31.200.1 {
}
}
}
}
vpn {
ipsec {
esp-group esp-co {
compression disable
lifetime 3600
mode tunnel
pfs disable
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group co {
lifetime 7200
proposal 1 {
dh-group 2
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer 172.31.200.6 {
authentication {
id 172.31.200.2
mode pre-shared-secret
pre-shared-secret sH4R3D-p4SSW0RD
}
connection-type initiate
default-esp-group esp-co
ike-group co
local-address 172.31.200.2
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.200.1/32
}
protocol all
remote {
prefix 192.168.200.2/32
}
}
}
}
}
}
VyOS Firewall #2
interfaces {
ethernet eth0 {
address 172.31.200.6/30
duplex auto
hw-id 52:54:00:bb:bb:aa
smp_affinity auto
speed auto
}
ethernet eth1 {
address 10.200.4.1/24
duplex auto
hw-id 52:54:00:bb:bb:bb
smp_affinity auto
speed auto
}
ethernet eth2 {
address 10.200.5.1/24
duplex auto
hw-id 52:54:00:bb:bb:cc
smp_affinity auto
speed auto
}
loopback lo {
address 192.168.200.2/32
}
tunnel tun0 {
address 172.31.201.2/30
encapsulation gre
local-ip 192.168.200.2
multicast disable
remote-ip 192.168.200.1
}
}
nat {
source {
rule 100 {
outbound-interface eth0
source {
address 10.200.4.0/22
}
translation {
address masquerade
}
}
}
}
policy {
route-map connect {
rule 10 {
action permit
match {
interface lo
}
}
}
}
protocols {
ospf {
area 0.0.0.1 {
network 172.31.201.0/30
network 10.200.4.0/24
network 10.200.5.0/24
}
parameters {
abr-type cisco
router-id 192.168.200.2
}
redistribute {
connected {
metric-type 2
route-map connect
}
}
}
static {
route 0.0.0.0/0 {
next-hop 172.31.200.5 {
}
}
}
}
vpn {
ipsec {
esp-group esp-co {
compression disable
lifetime 3600
mode tunnel
pfs disable
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group co {
lifetime 7200
proposal 1 {
dh-group 2
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer 172.31.200.2 {
authentication {
id 172.31.200.6
mode pre-shared-secret
pre-shared-secret sH4R3D-p4SSW0RD
}
connection-type initiate
default-esp-group esp-co
ike-group co
local-address 172.31.200.6
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.200.2/32
}
protocol all
remote {
prefix 192.168.200.1/32
}
}
}
}
}
}
Summary
The VPN tunnel is on 192.168.200.0/30 and the GRE tunnel is on 172.31.201.0/30. Use the following command to check if your routes are getting distributed:
$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 172.31.200.1, eth0
O 10.200.0.0/24 [110/10] is directly connected, eth1, 06w4d16h
C>* 10.200.0.0/24 is directly connected, eth1
C>* 10.200.1.0/24 is directly connected, eth2
O>* 10.200.4.0/24 [110/20] via 172.31.201.2, tun0, 00:02:44
O>* 10.200.5.0/24 [110/20] via 172.31.201.2, tun0, 00:00:08
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.31.200.0/30 is directly connected, eth0
O 172.31.201.0/30 [110/10] is directly connected, tun0, 06w4d18h
C>* 172.31.201.0/30 is directly connected, tun0
C>* 192.168.200.1/32 is directly connected, lo
O 192.168.200.2/32 [110/20] via 172.31.201.2, 00:02:43
K>* 192.168.200.2/32 is directly connected, eth0
$
Once you see the routes in this list, the networks can begin sending data to each other.
- Previous: Using Active Directory and Group Policy
- Next: Masterless Puppet in AWS