Open source multipoint VPN with VyOS

Connected Mesh

VyOS Compatibility

VyOS uses OpenNHRP [2], which implements DMVPN phase 1 (hub-to-spoke) and phase 2 (spoke-to-spoke). Phase 3 is proprietary to Cisco and takes care of scalability of up to thousands of sites.

A large number of routers or IP networks require a routing protocol. If the Cisco-style Enhanced Interior Gateway Routing Protocol (EIGRP) is already in place, then VyOS must fold. Cisco published EIGRP as RFC 7868 [7] in 2013, but the open source community does not yet have a stable implementation. VyOS can only play along with OSPF or RIP.

VyOS can translate network addresses for site-to-site VPNs, but not multipoint VPNs. If NAT is really required, you have to dig deep on the Linux command line. Convince the VPN software OpenSwan to authenticate the peer, even if the IP address inside the Internet Key Exchange (IKE) header mismatches the source address in the IP header. A good knowledge of Linux and IPsec is recommended; you should not mess with configuration files directly in a production environment. One hopes a future release of VyOS will master this special case.

Last, but not least, VyOS does not have a web interface. Life takes place on the command line with show, set, and config. If you are familiar with Juniper routers, then VyOS won't look too different. Fans of Cisco and its IOS networking software need a little training, and the remainder is similar.

Security First: Firewall

The missing support of IPv4 address translation in VyOS forces the need for a direct Internet access between the VPN router and a public address. The device must take care of its own security, but a firewall ruleset for the public interface is straightforward:

  • Allow UDP port 500 to negotiate security parameters of the VPN tunnel.
  • Allow Encapsulating Security Payload (ESP)/IPsec to contain the user data.
  • Drop everything else.

These rules do not apply to network traffic traveling through the tunnel. Inside the tunnel everything is permitted. If you want to filter inside the DMVPN, set up an additional firewall policy and apply it to the tunnel interface.


Both OSPF and VRRP protocols have their own security methods to prevent an unknown device from becoming an OSPF neighbor or a VRRP master. However, VyOS and Cisco only become friends under OSPF if they choose authentication and have a matching MD5 checksum. A hostile OSPF router may announce itself to the network, but neighborship will fail. The failure of neighborship prevents unwanted routers and well-known routes pointing to wrong destinations.

The strongest authentication method in VRRP that both vendors implement is a cleartext password. Although it helps prevent some unintended peering, it will fail when an attacker knows how to operate Wireshark.

At least the VPN tunnel knows how to do strong encryption. Pick AES and a 256-bit key for the best security. The strongest form of authentication in VyOS for DMVPN is a pre-shared key, and it is best to build a key out of many different letters, numbers, and symbols. Unfortunately VyOS only can do RSA or X.509 certificates for site-to-site VPN.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Routing with Quagga

    Cisco and Juniper have implemented routing protocols to help your router find the optimum path. On Linux, you can use software like Quagga, with its Zebra daemon, to help automate this process.

  • Flexible software routing with open source FRR
    The FRR open routing stack can be integrated into many networks because it supports a large number of routing protocols, though its strong dependence on the underlying kernel means it requires some manual configuration.
  • IPv6 tunnel technologies
    Now that IPv6 is the official Internet protocol, all that remains is the simple task of migrating all the machines on the Internet. Until that happens, tunnel technologies provide an interim solution.
  • GENEVE network tunneling protocol
    LAN data transmission has evolved from the original IEEE 802.3 standard to virtual extensible LAN (VXLAN) technology and finally to today's Generic Network Virtualization Encapsulation (GENEVE) tunneling protocol, which offers improved flexibility and scalability, although it still faces some issues. We look at the three technologies and their areas of application.
  • Border Gateway Protocol
    We look at the Border Gateway Protocol, how it routes packets through the Internet, its weaknesses, and some hardening strategies.
comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=