Open source multipoint VPN with VyOS

Connected Mesh

VyOS Compatibility

VyOS uses OpenNHRP [2], which implements DMVPN phase 1 (hub-to-spoke) and phase 2 (spoke-to-spoke). Phase 3 is proprietary to Cisco and takes care of scalability of up to thousands of sites.

A large number of routers or IP networks require a routing protocol. If the Cisco-style Enhanced Interior Gateway Routing Protocol (EIGRP) is already in place, then VyOS must fold. Cisco published EIGRP as RFC 7868 [7] in 2013, but the open source community does not yet have a stable implementation. VyOS can only play along with OSPF or RIP.

VyOS can translate network addresses for site-to-site VPNs, but not multipoint VPNs. If NAT is really required, you have to dig deep on the Linux command line. Convince the VPN software OpenSwan to authenticate the peer, even if the IP address inside the Internet Key Exchange (IKE) header mismatches the source address in the IP header. A good knowledge of Linux and IPsec is recommended; you should not mess with configuration files directly in a production environment. One hopes a future release of VyOS will master this special case.

Last, but not least, VyOS does not have a web interface. Life takes place on the command line with show, set, and config. If you are familiar with Juniper routers, then VyOS won't look too different. Fans of Cisco and its IOS networking software need a little training, and the remainder is similar.

Security First: Firewall

Because VyOS lacks support for IPv4 address translation, the VPN router needs direct Internet access with a public address. The device must take care of its own security, but a firewall ruleset for the public interface is straightforward:

  • Allow UDP port 500 to negotiate security parameters of the VPN tunnel.
  • Allow Encapsulating Security Payload (ESP)/IPsec to contain the user data.
  • Drop everything else.

These rules do not apply to network traffic traveling through the tunnel. Inside the tunnel everything is permitted. If you want to filter inside the DMVPN, set up an additional firewall policy and apply it to the tunnel interface.
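The three-rule policy above can be checked mechanically before a router goes on a public address. The following is an added example, not code from the article or from the VyOS project: it audits a ruleset written as VyOS 1.x-style `set firewall name` commands against the policy. The ruleset name WAN-LOCAL, the rule numbers, and both sample configurations are constructed for illustration.

```python
import re

# Constructed VyOS 1.x-style commands; the name WAN-LOCAL and rule numbers are assumptions.
SAMPLE_GOOD = """\
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL rule 10 action accept
set firewall name WAN-LOCAL rule 10 protocol udp
set firewall name WAN-LOCAL rule 10 destination port 500
set firewall name WAN-LOCAL rule 20 action accept
set firewall name WAN-LOCAL rule 20 protocol esp
"""

# Constructed deviations: permissive default action plus an extra SSH rule.
SAMPLE_BAD = SAMPLE_GOOD.replace("default-action drop", "default-action accept") + """\
set firewall name WAN-LOCAL rule 30 action accept
set firewall name WAN-LOCAL rule 30 protocol tcp
set firewall name WAN-LOCAL rule 30 destination port 22
"""

# The only traffic the ruleset may accept: (protocol, destination port).
ALLOWED = {("udp", "500"), ("esp", None)}

def parse_ruleset(text, name):
    """Return (default_action, {rule_no: {field: value}}) for one ruleset."""
    default, rules = None, {}
    for m in re.finditer(rf"^set firewall name {re.escape(name)} (.+)$", text, re.M):
        words = m.group(1).split()
        if words[0] == "default-action":
            default = words[1]
        elif words[0] == "rule":
            rules.setdefault(int(words[1]), {})[" ".join(words[2:-1])] = words[-1]
    return default, rules

def audit(text, name="WAN-LOCAL"):
    """List deviations from: allow UDP/500, allow ESP, drop everything else."""
    default, rules = parse_ruleset(text, name)
    findings = [] if default == "drop" else [f"default-action is {default!r}, expected 'drop'"]
    accepted = set()
    for no, r in sorted(rules.items()):
        if r.get("action") == "accept":
            key = (r.get("protocol"), r.get("destination port"))
            accepted.add(key)
            if key not in ALLOWED:
                findings.append(f"rule {no} accepts unexpected traffic {key}")
    findings += [f"no accept rule for {k}" for k in sorted(ALLOWED - accepted, key=str)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_GOOD), audit(SAMPLE_BAD), sep="\n")
```

An empty list means the ruleset matches the policy; a missing ESP or UDP 500 rule is reported as well, because the tunnel would not come up without it.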

Authentication

Both the OSPF and VRRP protocols have their own security methods to prevent an unknown device from becoming an OSPF neighbor or a VRRP master. However, VyOS and Cisco only become friends under OSPF if they choose authentication and have a matching MD5 checksum. A hostile OSPF router may announce itself to the network, but neighborship will fail. This failure keeps out unwanted routers and prevents well-known routes from pointing to wrong destinations.

The strongest authentication method in VRRP that both vendors implement is a cleartext password. Although it helps prevent some unintended peering, it will fail when an attacker knows how to operate Wireshark.

At least the VPN tunnel knows how to do strong encryption. Pick AES and a 256-bit key for the best security. The strongest form of authentication in VyOS for DMVPN is a pre-shared key, and it is best to build a key out of many different letters, numbers, and symbols. Unfortunately, VyOS can only do RSA or X.509 certificates for site-to-site VPN.
