概要
- VPNサーバー(アクセスポイント)を vyOS でクラウド上に構築
- 接続方式は L2TP/IPsec と PPTP(PPTP は MS-CHAPv2 の既知の弱点により現在は非推奨。互換性目的でのみ残す)
- クラウド側のファイアウォール(NAT)の内側に置き、インスタンス自身は public IP を持たない(後述の dum0 + DNAT で補正する)
- Win/Mac 共に標準のVPN接続機能で接続したい
- ssh は外側(eth0)からも到達できる設定になっているが、OUT-LOCAL rule 911 に source address を付けて管理元 IP に限定し、少なくとも公開鍵認証のみにすべき
環境
- vyOS 1.2.9-S1
- eth0: 10.22.0.2/23
- eth1: 192.168.20.2/23
- GW/DNS: 10.22.0.1
コツ
- dum0 に public IP を /32 で付与し、eth0 で受けた受信パケットは DNAT で宛先を public IP に戻す(IPsec/L2TP が自身の public IP で待ち受けられるようにするため)
- 1.1.8 から 1.2.9-S1 へは system image の更新でアップグレード可能
- 1.4.x にバージョンアップしたら PPTP が接続できなくなったので戻しました(PPTP 自体が非推奨なので、次にバージョンアップする際は PPTP を廃止して L2TP/IPsec のみにする方が安全)
既知の問題らしい(未確認)
- L2TP/IPsec では同一グローバル IP(同じ NAT 配下)からの同時接続は 1 本のみ(Windows クライアント)
設定(set コマンド一覧。XXX.XXX.XXX.XXX は伏せ字、ユーザー名/パスワード/PSK はサンプル値なので必ず置き換えること)
# --- Firewall ---
# Global sysctl-style knobs. Only "local" (router-destined) chains are
# bound in this listing (IN-LOCAL on eth1, OUT-LOCAL on eth0); no in/out
# forwarding policy is shown, so traffic arriving over the ppp interfaces
# created for VPN clients is not filtered by any chain below.
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
# IN-LOCAL: router-destined traffic on the inside interface (eth1).
# Default drop; ssh is throttled (rule 910 drops a source that opened
# 3 new ssh connections within 30 s) before rule 911 accepts it.
set firewall name IN-LOCAL default-action 'drop'
set firewall name IN-LOCAL rule 910 action 'drop'
set firewall name IN-LOCAL rule 910 destination port 'ssh'
set firewall name IN-LOCAL rule 910 protocol 'tcp'
set firewall name IN-LOCAL rule 910 recent count '3'
set firewall name IN-LOCAL rule 910 recent time '30'
set firewall name IN-LOCAL rule 910 state new 'enable'
set firewall name IN-LOCAL rule 911 action 'accept'
set firewall name IN-LOCAL rule 911 destination port 'ssh'
set firewall name IN-LOCAL rule 911 protocol 'tcp'
set firewall name IN-LOCAL rule 911 state new 'enable'
# NOTE(review): this accepts TCP/53 only, while the DNS forwarder below
# listens on 10.22.0.2 (the eth0 address), not on eth1 — confirm whether
# this rule is still needed and whether UDP/53 was meant as well.
set firewall name IN-LOCAL rule 912 action 'accept'
set firewall name IN-LOCAL rule 912 destination port '53'
set firewall name IN-LOCAL rule 912 protocol 'tcp'
set firewall name IN-LOCAL rule 912 state new 'enable'
# OUT-LOCAL: router-destined traffic on the internet-facing interface
# (eth0). Default drop with logging of dropped packets.
set firewall name OUT-LOCAL default-action 'drop'
set firewall name OUT-LOCAL enable-default-log
# IPsec ESP and PPTP GRE transport.
set firewall name OUT-LOCAL rule 50 action 'accept'
set firewall name OUT-LOCAL rule 50 protocol 'esp'
set firewall name OUT-LOCAL rule 51 action 'accept'
set firewall name OUT-LOCAL rule 51 protocol 'gre'
# IKE (500) and NAT-T (4500).
set firewall name OUT-LOCAL rule 200 action 'accept'
set firewall name OUT-LOCAL rule 200 destination port '500'
set firewall name OUT-LOCAL rule 200 protocol 'udp'
set firewall name OUT-LOCAL rule 210 action 'accept'
set firewall name OUT-LOCAL rule 210 destination port '4500'
set firewall name OUT-LOCAL rule 210 protocol 'udp'
# L2TP (1701) is accepted only when it arrived inside IPsec
# (match-ipsec), so bare/unencrypted L2TP from the internet is dropped.
set firewall name OUT-LOCAL rule 220 action 'accept'
set firewall name OUT-LOCAL rule 220 destination port '1701'
set firewall name OUT-LOCAL rule 220 ipsec match-ipsec
set firewall name OUT-LOCAL rule 220 protocol 'udp'
# PPTP control channel (TCP/1723). Together with rule 51 this exposes
# PPTP/MS-CHAPv2 to the internet; see the pptp section for the caveat.
set firewall name OUT-LOCAL rule 230 action 'accept'
set firewall name OUT-LOCAL rule 230 destination port '1723'
set firewall name OUT-LOCAL rule 230 protocol 'tcp'
# ssh from the internet: rate-limited (rule 910) but accepted from ANY
# source by rule 911. Hardening: add `source address <admin-ip>` to
# rule 911 and/or restrict ssh to key-based authentication; the
# 3-per-30s throttle slows brute force but does not prevent it.
set firewall name OUT-LOCAL rule 910 action 'drop'
set firewall name OUT-LOCAL rule 910 destination port 'ssh'
set firewall name OUT-LOCAL rule 910 protocol 'tcp'
set firewall name OUT-LOCAL rule 910 recent count '3'
set firewall name OUT-LOCAL rule 910 recent time '30'
set firewall name OUT-LOCAL rule 910 state new 'enable'
set firewall name OUT-LOCAL rule 911 action 'accept'
set firewall name OUT-LOCAL rule 911 destination port 'ssh'
set firewall name OUT-LOCAL rule 911 protocol 'tcp'
set firewall name OUT-LOCAL rule 911 state new 'enable'
set firewall receive-redirects 'disable'
# NOTE(review): sending ICMP redirects is usually disabled on an edge
# device; consider 'disable' unless redirects are relied on.
set firewall send-redirects 'enable'
# NOTE(review): reverse-path filtering is off. Enabling 'strict' may
# conflict with the dummy-interface public IP + DNAT arrangement used
# here, so test before changing.
set firewall source-validation 'disable'
# Established/related replies are accepted globally for every chain.
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
# --- Interfaces ---
# dum0 carries the public IP as a /32 so that the IPsec/L2TP services,
# which bind to it (ipsec-interfaces / outside-address below), see the
# real public address even though eth0 only has a private one. Inbound
# packets on eth0 are rewritten to this address by DNAT rule 999.
set interfaces dummy dum0 address 'XXX.XXX.XXX.XXX/32' <- public IP
# eth0: cloud-side (internet-facing) interface behind the provider NAT.
# Router-destined traffic is filtered by OUT-LOCAL.
set interfaces ethernet eth0 address '10.22.0.2/23'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall local name 'OUT-LOCAL'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
# eth1: inside interface. Router-destined traffic is filtered by IN-LOCAL.
set interfaces ethernet eth1 address '192.168.20.2/23'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 firewall local name 'IN-LOCAL'
# Empty 'ip' node; carries no settings in this listing.
set interfaces ethernet eth1 ip
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo
# --- NAT ---
# "AntiNAT": the provider maps the public IP 1:1 onto 10.22.0.2. This
# rule rewrites the destination of inbound packets on eth0 back to the
# public IP so they are delivered to dum0, where IPsec/L2TP listen.
# It has no protocol/destination match, so it applies to everything
# that arrives on eth0 — keep that in mind when adding other services.
set nat destination rule 999 description 'Global to Private AntiNAT'
set nat destination rule 999 inbound-interface 'eth0'
set nat destination rule 999 translation address 'XXX.XXX.XXX.XXX' <- public IP
# Masquerade the VPN client pools out of eth0. The pool ranges match the
# client-ip-pool settings in the pptp (10.22.6.x) and l2tp (10.22.5.x)
# sections below; keep them in sync if a pool is changed.
set nat source rule 998 description 'PPTP Client Pool to eth0'
set nat source rule 998 outbound-interface 'eth0'
set nat source rule 998 source address '10.22.6.0/24'
set nat source rule 998 translation address 'masquerade'
set nat source rule 999 description 'L2TP Client Pool to eth0'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 source address '10.22.5.0/24'
set nat source rule 999 translation address 'masquerade'
# --- Routing, services, system ---
set protocols static route 0.0.0.0/0 next-hop 10.22.0.1
# DNS forwarder on the eth0 address. allow-from 10.22.0.0/21 covers
# 10.22.0.0-10.22.7.255, i.e. both VPN client pools — but the VPN
# sections hand clients 8.8.8.8/8.8.4.4, so they do not use it unless
# the dns-servers settings are changed to 10.22.0.2.
set service dns forwarding allow-from '10.22.0.0/21'
set service dns forwarding listen-address '10.22.0.2'
# ssh on the default port, reachable from the internet via OUT-LOCAL.
# Consider key-only authentication (disable-password-authentication)
# and a source restriction in the firewall.
set service ssh port '22'
set system config-management commit-revisions '20'
set system host-name 'vy02'
# Default admin account name with a password hash. The hash and the
# secrets below are placeholders in this listing; note that VyOS keeps
# VPN user passwords and the IPsec PSK in clear text in config.boot,
# so protect the config file (and commit history) accordingly.
set system login user vyos authentication encrypted-password 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '10.22.0.1'
# Unauthenticated pool NTP; fine for a lab, pin trusted servers for production.
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
# Protocol logging at debug is verbose; lower it once the VPN is stable.
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Tokyo'
# --- IPsec ---
# ESP-REMOTE / IKE-REMOTE are defined but not referenced anywhere in
# this listing (no site-to-site peer; the l2tp section uses its own
# ipsec-settings). They may be used by configuration outside this page.
set vpn ipsec esp-group ESP-REMOTE compression 'disable'
set vpn ipsec esp-group ESP-REMOTE lifetime '3600'
set vpn ipsec esp-group ESP-REMOTE mode 'tunnel'
set vpn ipsec esp-group ESP-REMOTE pfs 'enable'
# Proposal 1 (aes128/sha1) is weak by current guidance; proposal 2
# (aes256/sha256) is the one to keep. If proposal 1 is only there for
# legacy peers, consider removing it so it cannot be negotiated.
set vpn ipsec esp-group ESP-REMOTE proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-REMOTE proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-REMOTE proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP-REMOTE proposal 2 hash 'sha256'
set vpn ipsec ike-group IKE-REMOTE close-action 'none'
set vpn ipsec ike-group IKE-REMOTE dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-REMOTE dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-REMOTE dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-REMOTE ikev2-reauth 'no'
set vpn ipsec ike-group IKE-REMOTE key-exchange 'ikev2'
set vpn ipsec ike-group IKE-REMOTE lifetime '3600'
# IKE proposal 1 uses DH group 2 (1024-bit MODP) with SHA-1 — considered
# insufficient today. Proposal 2 (group 16, aes256, sha256) is fine;
# the initiator's ordering can select proposal 1, so drop it if no
# peer depends on it.
set vpn ipsec ike-group IKE-REMOTE proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-REMOTE proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-REMOTE proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-REMOTE proposal 2 dh-group '16'
set vpn ipsec ike-group IKE-REMOTE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-REMOTE proposal 2 hash 'sha256'
# IPsec listens on the dummy interface that holds the public IP.
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
# Road-warrior clients behind arbitrary NATs are allowed (0.0.0.0/0);
# NAT-T is required because the server itself is behind the provider NAT.
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
# --- L2TP/IPsec remote access ---
# Local user database; the password is stored in clear text in the
# config. The same user/password is duplicated in the pptp section
# below — keep them in sync, or better, drop the PPTP copy.
set vpn l2tp remote-access authentication local-users username testuser password 'samplePassword'
set vpn l2tp remote-access authentication mode 'local'
# MS-CHAPv2 is acceptable here only because it runs inside the IPsec
# tunnel; the pre-shared secret below is therefore the real gate.
set vpn l2tp remote-access authentication require 'mschap-v2'
# Pool must stay within the 10.22.5.0/24 masqueraded by SNAT rule 999.
set vpn l2tp remote-access client-ip-pool start '10.22.5.1'
set vpn l2tp remote-access client-ip-pool stop '10.22.5.200'
# Clients resolve via Google DNS rather than the local forwarder on
# 10.22.0.2; change these if DNS traffic should stay inside the tunnel.
set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
set vpn l2tp remote-access idle '1800'
# Single PSK shared by every user: anyone holding it can impersonate the
# server toward clients, so use a long random value and rotate it when
# a user leaves. Certificates/RADIUS are the stronger alternative.
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'sampleSecret'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
# 1454 accommodates the common Japanese PPPoE path MTU.
set vpn l2tp remote-access mtu '1454'
# outside-address is the public IP held on dum0.
set vpn l2tp remote-access outside-address 'XXX.XXX.XXX.XXX' <- public IP
# NOTE(review): outside-nexthop appears to be set to the same value as
# outside-address rather than a gateway; confirm this is intended for
# the dum0/DNAT arrangement.
set vpn l2tp remote-access outside-nexthop 'XXX.XXX.XXX.XXX' <- public IP
# --- PPTP remote access ---
# WARNING: PPTP has no IPsec wrapper, so MS-CHAPv2 runs directly on the
# internet (TCP/1723 + GRE are open in OUT-LOCAL). The MS-CHAPv2
# handshake can be broken offline to recover the NT hash, which also
# yields the MPPE keys — treat this service as unauthenticated and
# remove it unless a client genuinely cannot do L2TP/IPsec.
# Same credentials as the l2tp section; a compromise here exposes the
# L2TP account too.
set vpn pptp remote-access authentication local-users username testuser password 'samplePassword'
set vpn pptp remote-access authentication mode 'local'
set vpn pptp remote-access authentication require 'mschap-v2'
# Pool must stay within the 10.22.6.0/24 masqueraded by SNAT rule 998.
set vpn pptp remote-access client-ip-pool start '10.22.6.1'
set vpn pptp remote-access client-ip-pool stop '10.22.6.200'
set vpn pptp remote-access dns-servers server-1 '8.8.8.8'
set vpn pptp remote-access dns-servers server-2 '8.8.4.4'
set vpn pptp remote-access outside-address 'XXX.XXX.XXX.XXX' <- public IP
以上、お疲れ様でした!