
Basic Vyatta configuration

Installation

Download Vyatta: http://adf.ly/1VxMII

  1. Mount the ISO file in the machine (on a physical machine, burn the ISO to a CD and boot from it)
  2. Log in using vyatta/vyatta as username and password
  3. Start the installation with the following command:
    install system
  4. Follow the wizard and accept all defaults
  5. Reboot

Initial settings

Set the hostname and IP addresses, and enable SSH:

configure
set interfaces ethernet eth0 address <ipaddress>/<prefix-length>
set interfaces ethernet eth1 address <ipaddress>/<prefix-length>
set system gateway-address <gw-ipaddress>
set system name-server <dns-ipaddress>
set service ssh
set service ssh protocol-version v2
set system host-name <hostname>
commit
save

The router is now routing between the two networks specified.

DNS Configuration

Configure the router to forward DNS queries:

set service dns forwarding listen-on eth0
set service dns forwarding system
commit
save

To set static DNS records:

set system static-host-mapping host-name <hostname> inet <ip-address>
commit
save

NAT configuration

Version 6.4

Configure the router to forward packets with NAT

set nat source rule 1 source address 192.168.100.0/24
set nat source rule 1 outbound-interface eth0
set nat source rule 1 translation address masquerade

Legacy

Configure the router to forward packets with NAT

set service nat rule 1
set service nat rule 1 outbound-interface eth2
set service nat rule 1 protocol all
set service nat rule 1 source address <subnet-to-nat>/<prefix-length>
set service nat rule 1 type masquerade
set service nat rule 1 destination address 0.0.0.0/0
commit
save

Port Forwarding with NAT

Version 6.4

Enable port forwarding for services inside the NAT:

set nat destination rule 200 destination port <nat-side-port>
set nat destination rule 200 inbound-interface eth0
set nat destination rule 200 translation address <destination-host-ip>
set nat destination rule 200 translation port <destination-host-port>
set nat destination rule 200 protocol tcp
commit
save

Legacy

Enable port forwarding for services inside the NAT:

set service nat rule 200 destination port <nat-side-port>
set service nat rule 200 inbound-interface eth0
set service nat rule 200 inside-address address <destination-host-ip>
set service nat rule 200 inside-address port <destination-host-port>
set service nat rule 200 protocol tcp
set service nat rule 200 type destination
commit
save

DHCP configuration

Configure an IPv4 DHCP scope:

set service dhcp-server shared-network-name v12n
set service dhcp-server shared-network-name v12n authoritative disable
set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length>
set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> default-router <gateway>
set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> dns-server <dns-server-ip>
set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> dns-server <secondary-dns-server>
set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> start <start-ip> stop <end-ip>
set service dhcp-server disabled false
commit
save

Allocate a static IP address to a host:

set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> static-mapping <some-name> ip-address <ip-address>
set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> static-mapping <some-name> mac-address <mac-address>

OpenVPN RoadWarrior

Generate certificates and key files

Copy the Easy-RSA files to /etc/openvpn

vyatta@vyatta01# sudo su -
root@vyatta01:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/

At the end of the vars file there are settings for company, location and so on. Edit them to reflect your organization:

root@vyatta01:/etc/openvpn#nano vars
export KEY_COUNTRY="NO"
export KEY_PROVINCE="NA"
export KEY_CITY="Oslo"
export KEY_ORG="v12n"
export KEY_EMAIL="me@v12n.com"

Source the vars file and clean the keys directory before starting:

root@vyatta01:/etc/openvpn#source ./vars
root@vyatta01:/etc/openvpn#./clean-all

Create the Certificate Authority (CA) certificate:

root@vyatta01:/etc/openvpn#./build-ca 

Create a key and certificate for the vyatta router. Accept defaults and enter a password when prompted:

root@vyatta01:/etc/openvpn# ./build-key-server vyatta01

Create the Diffie-Hellman parameters file:

root@vyatta01:/etc/openvpn#./build-dh

Create a client key. Change the client name to reflect your client:

root@vyatta01:/etc/openvpn# ./build-key client

The outcome of this process should be something like this:

root@vyattaHome:/etc/openvpn# ls keys/
01.pem	ca.key	    index.txt.attr	client.crt  serial	    vyatta01.csr
02.pem	dh1024.pem  index.txt.attr.old	client.csr  serial.old      vyatta01.key
ca.crt	index.txt   index.txt.old	client.key  vyatta01.crt
root@vyattaHome:/etc/openvpn#

Configure Vyatta

Configure OpenVPN on the vyatta router:

set interfaces openvpn vtun0
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha1
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 server push-route 192.168.0.0/24   #local subnet behind the router
set interfaces openvpn vtun0 server subnet 10.12.12.0/29
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/keys/vyatta01.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh1024.pem
set interfaces openvpn vtun0 tls key-file /config/auth/keys/vyatta01.key
commit
save

Client side configuration

Copy the certificate and key files from the vyatta router to the client.

From an Ubuntu client:

sysadm@ubuntu:~$mkdir -p openvpn/keys
sysadm@ubuntu:~$cd openvpn/keys/
sysadm@ubuntu:~/openvpn/keys$ scp vyatta@vyatta01:/etc/openvpn/keys/ca.crt .
Welcome to Vyatta
vyatta@vyatta01's password: 
ca.crt                                            100% 1131     1.1KB/s   00:00    
sysadm@ubuntu:~/openvpn/keys$ scp vyatta@vyatta01:/etc/openvpn/keys/client.* .
Welcome to Vyatta
vyatta@vyatta01's password: 
client.crt                                      100% 3615     3.5KB/s   00:00    
client.csr                                      100%  692     0.7KB/s   00:00    
client.key                                      100%  891     0.9KB/s   00:00    
sysadm@ubuntu:~/openvpn/keys$ 

DynDNS configuration

Configure vyatta to use dyndns on the WAN interface, in this case eth0:

set service dns dynamic interface eth0 service dyndns host-name <host-name.domain>
set service dns dynamic interface eth0 service dyndns login <username>
set service dns dynamic interface eth0 service dyndns password <password>
commit
save

Check DynDNS status

To verify current DynDNS status

show dns dynamic status                   #Display status
update dns dynamic interface <interface>  #force update DynDNS record

Other

Show the configuration from any mode

run show configuration

To list the settings as flat set commands, without all the {} nesting:

show configuration commands
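An added Python example, not part of the original page, that parses the flat `show configuration commands` output and checks the security-relevant settings this page configures (the SSH protocol version, the masquerade rule's source restriction, the port-forward rule's port and protocol, the OpenVPN server's TLS files, and the DynDNS credential). The sample dump is constructed from the page's own set commands with invented placeholder addresses and password.

```python
# Constructed sample of `show configuration commands` output, built from this page's set
# commands with invented placeholder values; rule 201 and vtun0 are deliberately incomplete.
SAMPLE_DUMP = """\
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/keys/vyatta01.crt
set interfaces openvpn vtun0 tls key-file /config/auth/keys/vyatta01.key
set service ssh protocol-version v2
set nat source rule 1 source address 192.168.100.0/24
set nat source rule 1 translation address masquerade
set nat destination rule 200 destination port 443
set nat destination rule 200 translation address 192.168.100.20
set nat destination rule 200 protocol tcp
set nat destination rule 201 inbound-interface eth0
set nat destination rule 201 translation address 192.168.100.21
set service dns dynamic interface eth0 service dyndns password hunter2
"""

def parse_set_commands(dump):
    """Split each `set ...` line into a tuple of tokens; ignore any other output."""
    return [tuple(line.split()[1:]) for line in dump.splitlines() if line.startswith("set ")]

def has(cmds, *path):
    return any(c[:len(path)] == path for c in cmds)  # some command starts with this config path

def children(cmds, *path):
    """Distinct tokens directly under a config path (e.g. the rule numbers under nat source rule)."""
    n = len(path)
    return sorted({c[n] for c in cmds if c[:n] == path and len(c) > n})

def audit(dump):
    """Return findings (strings) for the security-relevant settings this page configures."""
    cmds, findings = parse_set_commands(dump), []
    if has(cmds, "service", "ssh") and not has(cmds, "service", "ssh", "protocol-version", "v2"):
        findings.append("ssh: protocol-version v2 not set")
    for r in children(cmds, "nat", "source", "rule"):      # masquerade must be limited to the LAN
        if not has(cmds, "nat", "source", "rule", r, "source", "address"):
            findings.append(f"nat source rule {r}: no source address, masquerades every source")
    for r in children(cmds, "nat", "destination", "rule"):  # forwards must be bound to port and protocol
        for leaf in (("destination", "port"), ("protocol",)):
            if not has(cmds, "nat", "destination", "rule", r, *leaf):
                findings.append(f"nat destination rule {r}: missing {' '.join(leaf)}, forwards all")
    for v in children(cmds, "interfaces", "openvpn"):      # a server needs all four TLS files
        for f in ("ca-cert-file", "cert-file", "key-file", "dh-file"):
            if has(cmds, "interfaces", "openvpn", v, "mode", "server") and not has(
                    cmds, "interfaces", "openvpn", v, "tls", f):
                findings.append(f"openvpn {v}: tls {f} not set")
    if any(c[:3] == ("service", "dns", "dynamic") and "password" in c for c in cmds):
        findings.append("dyndns: password is stored in clear text in the config; protect config dumps")
    return findings
```

Run it against a saved dump of `show configuration commands` from the router; each finding names the set path to review.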