Configure site-to-site VPN on VyOS

Regi Apriandi | Nov. 20, 2024, 9:52 p.m.

Adding security controls often makes later adjustments on the server side more complicated. In a production environment we are required to secure the network, especially between two servers that must be connected to each other.

To ease the burden of configuring firewalls or security groups on each server, we can implement a site-to-site VPN between them so that the two servers communicate over private IP addresses without restrictions on the network side, and the traffic between the two servers is encrypted.

In this example we implement a site-to-site VPN between two VyOS routers running VyOS 1.4-rolling, deployed in two separate DigitalOcean regions: SGP1 (Singapore) and NYC3 (New York).

The first step is to assign an address to each interface. On eth0 we attach the droplet's public IP and on eth1 the droplet's private IP, by setting both interfaces to DHCP:
vyos@vyos# set interfaces ethernet eth0 address dhcp
vyos@vyos# set interfaces ethernet eth1 address dhcp
vyos@vyos# commit
vyos@vyos# save

The interfaces and IP addresses on the SGP1 router:
vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             159.223.59.74/20                  u/u
eth1             10.104.0.3/20                     u/u
lo               127.0.0.1/8                       u/u
                 ::1/128

And on the NYC3 router:
vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             134.209.174.36/20                 u/u
eth1             10.108.0.2/20                     u/u
lo               127.0.0.1/8                       u/u
                 ::1/128

First, on the SGP1 router, configure the IPsec esp-group and its encryption algorithm: define an esp-group named to-nyc with aes256 encryption and sha256 hashing.
esp-group to-nyc {
    lifetime 86400
    mode tunnel
    pfs enable
    proposal 1 {
        encryption aes256
        hash sha256
    }
}

Next, add an ike-group named to-nyc with key-exchange set to ikev2, again using aes256 encryption and sha256 hashing, with Diffie-Hellman group 14.
ike-group to-nyc {
    key-exchange ikev2
    lifetime 86400
    proposal 1 {
        dh-group 14
        encryption aes256
        hash sha256
    }
}

Then add eth0 (the interface holding the public IP) as the IPsec interface and create a peer named to-nyc. Its authentication uses local-id set to the SGP1 public IP, remote-id set to the NYC3 public IP, and mode pre-shared-secret.

Assign the ike-group to-nyc created earlier, set remote-address to the NYC3 public IP, and under tunnel 0 define the local prefix of SGP1, the remote prefix of NYC3, and the esp-group to-nyc created earlier:
interface eth0
site-to-site {
    peer to-nyc {
        authentication {
            local-id 159.223.59.74
            mode pre-shared-secret
            pre-shared-secret P@ssw0rd123!
            remote-id 134.209.174.36
        }
        ike-group to-nyc
        local-address any
        remote-address 134.209.174.36
        tunnel 0 {
            esp-group to-nyc
            local {
                prefix 10.104.0.0/20
            }
            remote {
                prefix 10.108.0.0/20
            }
        }
    }
}

The full site-to-site VPN configuration on the SGP1 router:
ipsec {
    esp-group to-nyc {
        lifetime 86400
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha256
        }
    }
    ike-group to-nyc {
        key-exchange ikev2
        lifetime 86400
        proposal 1 {
            dh-group 14
            encryption aes256
            hash sha256
        }
    }
    interface eth0
    site-to-site {
        peer to-nyc {
            authentication {
                local-id 159.223.59.74
                mode pre-shared-secret
                pre-shared-secret P@ssw0rd123!
                remote-id 134.209.174.36
            }
            ike-group to-nyc
            local-address any
            remote-address 134.209.174.36
            tunnel 0 {
                esp-group to-nyc
                local {
                    prefix 10.104.0.0/20
                }
                remote {
                    prefix 10.108.0.0/20
                }
            }
        }
    }
}

The same configuration entered on the VyOS CLI as set commands (the first two are shown here):
set vpn ipsec esp-group to-nyc lifetime 86400
set vpn ipsec esp-group to-nyc mode tunnel
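As an added illustration (not from the original post), the following Python script turns a brace-style ipsec block like the one above into the set commands VyOS expects, which is how the complete set-command form of this configuration can be produced; the excerpt and the placeholder pre-shared secret are constructed for the example.

```python
# Constructed excerpt of the SGP1 'ipsec' block from this post; the PSK is a placeholder.
SGP1_IPSEC = """
ipsec {
    esp-group to-nyc {
        lifetime 86400
        mode tunnel
        proposal 1 {
            encryption aes256
            hash sha256
        }
    }
    interface eth0
    site-to-site {
        peer to-nyc {
            authentication {
                mode pre-shared-secret
                pre-shared-secret EXAMPLE_PSK_PLACEHOLDER
            }
            ike-group to-nyc
            tunnel 0 {
                esp-group to-nyc
            }
        }
    }
}
"""


def brace_config_to_set(text, root="vpn"):
    """Walk the nested braces; every leaf line becomes one 'set' command.
    The path is the stack of enclosing node names (e.g. 'esp-group to-nyc',
    'proposal 1') joined with the leaf, as 'show configuration commands' prints it."""
    stack = [root]
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()                       # leave the current node
        elif line.endswith("{"):
            stack.append(line[:-1].strip())   # enter a node such as 'proposal 1'
        else:
            commands.append("set " + " ".join(stack + [line]))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration text")
    return commands
```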

Next, on the NYC3 router, the configuration is the same as on SGP1, with the esp-group name, ike-group name, local-id, remote-id, remote-address, and the local and remote prefixes on tunnel 0 swapped accordingly. The NYC3 configuration:
ipsec {
    esp-group to-sgp {
        lifetime 86400
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha256
        }
    }
    ike-group to-sgp {
        key-exchange ikev2
        lifetime 86400
        proposal 1 {
            dh-group 14
            encryption aes256
            hash sha256
        }
    }
    interface eth0
    site-to-site {
        peer to-sgp {
            authentication {
                local-id 134.209.174.36
                mode pre-shared-secret
                pre-shared-secret P@ssw0rd123!
                remote-id 159.223.59.74
            }
            ike-group to-sgp
            local-address any
            remote-address 159.223.59.74
            tunnel 0 {
                esp-group to-sgp
                local {
                    prefix 10.108.0.0/20
                }
                remote {
                    prefix 10.104.0.0/20
                }
            }
        }
    }
}

After configuring the site-to-site VPN, we can show its status on the SGP1 router. Both the IKEv2 SA and the IPsec tunnel are in state up, meaning the two servers are connected:
vyos@vyos# run show vpn ipsec connections
Connection       State    Type    Remote address    Local TS       Remote TS      Local id       Remote id       Proposal
---------------  -------  ------  ----------------  -------------  -------------  -------------  --------------  ---------------------------------------
to-nyc           up       IKEv2   134.209.174.36    -              -              159.223.59.74  134.209.174.36  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
to-nyc-tunnel-0  up       IPsec   134.209.174.36    10.104.0.0/20  10.108.0.0/20  159.223.59.74  134.209.174.36  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048

The status on the NYC3 router shows the connection up as well:
vyos@vyos# run show vpn ipsec connections
Connection       State    Type    Remote address    Local TS       Remote TS      Local id        Remote id      Proposal
---------------  -------  ------  ----------------  -------------  -------------  --------------  -------------  ---------------------------------------
to-sgp           up       IKEv2   159.223.59.74     -              -              134.209.174.36  159.223.59.74  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
to-sgp-tunnel-0  up       IPsec   159.223.59.74     10.108.0.0/20  10.104.0.0/20  134.209.174.36  159.223.59.74  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
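The same status check can be automated. This added Python example (not from the original post) parses the output of show vpn ipsec connections shown above and verifies that the IKEv2 SA and the tunnel 0 child SA are up, that the traffic selectors match the prefixes configured under tunnel 0, and that the negotiated proposal carries AES-256 and MODP_2048 (the group that dh-group 14 selects); the sample output is the SGP1 table copied from above.

```python
# Added check for the 'show vpn ipsec connections' output shown in this post.
# Constructed sample: the SGP1 table from the post, as the command prints it.
SGP1_STATUS = """\
Connection       State    Type    Remote address    Local TS       Remote TS      Local id       Remote id       Proposal
---------------  -------  ------  ----------------  -------------  -------------  -------------  --------------  ---------------------------------------
to-nyc           up       IKEv2   134.209.174.36    -              -              159.223.59.74  134.209.174.36  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
to-nyc-tunnel-0  up       IPsec   134.209.174.36    10.104.0.0/20  10.108.0.0/20  159.223.59.74  134.209.174.36  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
"""

COLUMNS = ["name", "state", "type", "remote", "local_ts", "remote_ts",
           "local_id", "remote_id", "proposal"]


def parse_connections(output):
    """One dict per data row. The header has more than nine tokens once
    'Remote address' splits, and the separator row starts with '-'."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or fields[0].startswith("-"):
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def check_peer(output, peer, local_prefix, remote_prefix):
    """Return a list of problems (empty when the tunnel to `peer` is healthy)."""
    by_name = {r["name"]: r for r in parse_connections(output)}
    problems = []
    ike = by_name.get(peer)
    child = by_name.get(peer + "-tunnel-0")
    if ike is None or ike["state"] != "up" or ike["type"] != "IKEv2":
        problems.append("IKEv2 SA for %s is missing or not up" % peer)
    if child is None or child["state"] != "up":
        problems.append("child SA %s-tunnel-0 is missing or not up" % peer)
        return problems
    # Traffic selectors must be exactly the prefixes configured under tunnel 0.
    if (child["local_ts"], child["remote_ts"]) != (local_prefix, remote_prefix):
        problems.append("unexpected selectors %s -> %s"
                        % (child["local_ts"], child["remote_ts"]))
    # ike-group dh-group 14 negotiates as MODP_2048; aes256 shows as AES_CBC/256.
    if "AES_CBC/256" not in child["proposal"] or "MODP_2048" not in child["proposal"]:
        problems.append("negotiated proposal %s is not the configured one" % child["proposal"])
    return problems
```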

Finally, we can test the connection between the two servers by pinging each other over the private addresses. Ping the NYC3 private IP from SGP1:
vyos@vyos# ping 10.108.0.2
PING 10.108.0.2 (10.108.0.2) 56(84) bytes of data.
64 bytes from 10.108.0.2: icmp_seq=1 ttl=64 time=239 ms
64 bytes from 10.108.0.2: icmp_seq=2 ttl=64 time=236 ms
64 bytes from 10.108.0.2: icmp_seq=3 ttl=64 time=237 ms
64 bytes from 10.108.0.2: icmp_seq=4 ttl=64 time=237 ms
^C
--- 10.108.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 236.405/237.125/238.856/1.003 ms

Ping the SGP1 private IP from NYC3:
vyos@vyos# ping 10.104.0.3
PING 10.104.0.3 (10.104.0.3) 56(84) bytes of data.
64 bytes from 10.104.0.3: icmp_seq=1 ttl=64 time=236 ms
64 bytes from 10.104.0.3: icmp_seq=2 ttl=64 time=237 ms
64 bytes from 10.104.0.3: icmp_seq=3 ttl=64 time=236 ms
64 bytes from 10.104.0.3: icmp_seq=4 ttl=64 time=236 ms
^C
--- 10.104.0.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 236.169/236.409/236.606/0.156 ms

1 comment

dosys Nov. 22, 2024, 1:25 p.m.

nice blog dude!
