Chapter 54: VyOS - Open Source Network Operating System
Learning Objectives
By the end of this chapter, you will be able to:
- Deploy and configure VyOS in ContainerLab environments
- Implement routing, switching, and security features with VyOS
- Configure VPN services and firewall policies
- Integrate VyOS with existing network infrastructure
- Automate VyOS configuration and management
Introduction to VyOS
What is VyOS?
VyOS is a Debian-based, open-source network operating system that provides routing, firewall, and VPN functionality in software. Its single hierarchical configuration tree, with commit, rollback and configuration revisions, resembles Juniper Junos. VyOS is the community continuation of Vyatta Core, forked in 2013 after Brocade discontinued the open-source edition.
Key VyOS Features
- Unified CLI: Consistent command structure across all features
- Routing Protocols: OSPF, BGP, RIP, IS-IS, EIGRP support
- VPN Services: IPsec (strongSwan), OpenVPN, WireGuard, L2TP/IPsec
- Firewall: Stateful packet filtering (zone-based or per-interface) and NAT
- Load Balancing: WAN load balancing and failover
- High Availability: VRRP (keepalived) with configuration synchronization between peers
- Container Ready: runs as a container image, which is what makes the ContainerLab topologies in this chapter possible
VyOS Architecture
Core Components
- Configuration System: Hierarchical configuration tree
- Routing Engine: FRRouting integration
- Firewall Engine: netfilter; nftables in VyOS 1.4, iptables in 1.3 and earlier
- VPN Engine: strongSwan (IPsec), OpenVPN, and the kernel WireGuard module
- Management Interface: CLI over SSH or console, plus an HTTP API (REST and GraphQL in 1.4); there is no web GUI in the base image
VyOS Lab Environment
Comprehensive VyOS Lab Setup
# VyOS comprehensive lab: vyos-network-lab.yml
# Containers are named with containerlab's default prefix,
# clab-vyos-network-lab-<node>; setting 'prefix:' changes that name.
# 'vyos/vyos:1.4-rolling' stands for a locally built VyOS container image.
name: vyos-network-lab
topology:
  nodes:
    # VyOS routers. VyOS boots from /opt/vyatta/etc/config/config.boot, so the
    # bind mount supplies the startup configuration and persists 'save'
    vyos-r1:
      kind: linux
      image: vyos/vyos:1.4-rolling
      mgmt-ipv4: 172.20.20.10
      cmd: /sbin/init
      binds:
        - ./configs/vyos-r1:/opt/vyatta/etc/config
    vyos-r2:
      kind: linux
      image: vyos/vyos:1.4-rolling
      mgmt-ipv4: 172.20.20.11
      cmd: /sbin/init
      binds:
        - ./configs/vyos-r2:/opt/vyatta/etc/config
    vyos-r3:
      kind: linux
      image: vyos/vyos:1.4-rolling
      mgmt-ipv4: 172.20.20.12
      cmd: /sbin/init
      binds:
        - ./configs/vyos-r3:/opt/vyatta/etc/config
    # VyOS firewall/gateway
    vyos-fw:
      kind: linux
      image: vyos/vyos:1.4-rolling
      mgmt-ipv4: 172.20.20.13
      cmd: /sbin/init
      binds:
        - ./configs/vyos-fw:/opt/vyatta/etc/config
    # Internal networks. Every linux node already has a default route via the
    # containerlab management network, so 'ip route add default' would fail;
    # 'replace' points the default at the lab gateway instead
    internal-server:
      kind: linux
      image: nginx:alpine
      mgmt-ipv4: 172.20.20.20
      exec:
        - ip addr add 192.168.10.10/24 dev eth1
        - ip route replace default via 192.168.10.1
    dmz-server:
      kind: linux
      image: nginx:alpine
      mgmt-ipv4: 172.20.20.21
      exec:
        - ip addr add 192.168.20.10/24 dev eth1
        - ip route replace default via 192.168.20.1
    external-client:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.22
      exec:
        # install tools while the management default route still reaches the Internet
        - apk add --no-cache curl iperf3
        - ip addr add 203.0.113.10/24 dev eth1
        - ip route replace default via 203.0.113.1
    # Branch office
    branch-client:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.23
      exec:
        - ip addr add 192.168.30.10/24 dev eth1
        - ip route replace default via 192.168.30.1
  links:
    # Core network
    - endpoints: ["vyos-r1:eth1", "vyos-r2:eth1"]
    - endpoints: ["vyos-r1:eth2", "vyos-r3:eth1"]
    - endpoints: ["vyos-r2:eth2", "vyos-r3:eth2"]
    # Firewall connections
    - endpoints: ["vyos-r1:eth3", "vyos-fw:eth1"]
    - endpoints: ["vyos-fw:eth2", "internal-server:eth1"]
    - endpoints: ["vyos-fw:eth3", "dmz-server:eth1"]
    - endpoints: ["vyos-fw:eth4", "external-client:eth1"]
    # Branch office
    - endpoints: ["vyos-r3:eth3", "branch-client:eth1"]
VyOS Configuration Structure
Basic VyOS Configuration
# Create configuration directories (one per router; the containerlab bind mounts point here)
mkdir -p configs/vyos-r1 configs/vyos-r2 configs/vyos-r3 configs/vyos-fw
# VyOS-R1 configuration. The encrypted-password value is a placeholder: generate a
# real SHA-512 crypt hash with 'mkpasswd -m sha-512', or set 'plaintext-password'
# once on a running box and copy the hash VyOS writes back on commit. A hand-written
# config.boot without the version footer is run through all migration scripts at
# boot, which is how the 1.3-style 'system ntp' stanza below becomes 'service ntp'
# on VyOS 1.4.
cat > configs/vyos-r1/config.boot << 'EOF'
interfaces {
    ethernet eth1 {
        address 10.1.12.1/30
        description "To-VyOS-R2"
    }
    ethernet eth2 {
        address 10.1.13.1/30
        description "To-VyOS-R3"
    }
    ethernet eth3 {
        address 10.1.14.1/30
        description "To-Firewall"
    }
    loopback lo {
        address 1.1.1.1/32
    }
}
protocols {
    ospf {
        area 0 {
            network 10.1.12.0/30
            network 10.1.13.0/30
            network 10.1.14.0/30
            network 1.1.1.1/32
        }
        log-adjacency-changes
        parameters {
            router-id 1.1.1.1
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos-r1
    login {
        user vyos {
            authentication {
                encrypted-password "$6$rounds=656000$..."
                plaintext-password ""
            }
            level admin
        }
    }
    ntp {
        server time1.vyos.net
        server time2.vyos.net
    }
    syslog {
        global {
            facility all {
                level info
            }
        }
    }
}
EOF
VyOS Routing Configuration
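The config.boot above covers only vyos-r1, and the other three routers must match it link by link. The following Python script is an added example (not part of the chapter or of VyOS) that derives the /30 link addressing, loopbacks and OSPF statements for all four routers from the link list of the topology file, so the per-router configurations cannot drift from the topology. It assumes the chapter's 10.1.<a><b>.0/30 numbering with the lower-numbered router taking .1, numbers vyos-fw as router 4, and uses a placeholder OSPF MD5 key; both the router numbering for vyos-fw and the key are assumptions. The output is VyOS 1.4 `set` syntax, ready to paste into `configure` or feed to the automation script later in the chapter.

```python
import ipaddress
from typing import Dict, List, Tuple

Endpoint = Tuple[str, str]  # (node, interface), e.g. ("vyos-r1", "eth1")

# Router numbers for the 10.1.<a><b>.0/30 scheme and the N.N.N.N/32 loopbacks.
# vyos-fw as router 4 is an assumption; the chapter only numbers r1-r3.
ROUTER_IDS: Dict[str, int] = {"vyos-r1": 1, "vyos-r2": 2, "vyos-r3": 3, "vyos-fw": 4}

# Constructed copy of the router-to-router links from the topology file above
CORE_LINKS: List[Tuple[Endpoint, Endpoint]] = [
    (("vyos-r1", "eth1"), ("vyos-r2", "eth1")),
    (("vyos-r1", "eth2"), ("vyos-r3", "eth1")),
    (("vyos-r2", "eth2"), ("vyos-r3", "eth2")),
    (("vyos-r1", "eth3"), ("vyos-fw", "eth1")),
]

# Placeholder: use a distinct random key per link in a real deployment
OSPF_MD5_KEY = "replace-with-per-link-secret"


def link_subnet(a: str, b: str) -> ipaddress.IPv4Network:
    """Return 10.1.<lo><hi>.0/30 for routers a and b (lower number first)."""
    lo, hi = sorted((ROUTER_IDS[a], ROUTER_IDS[b]))
    return ipaddress.ip_network(f"10.1.{lo}{hi}.0/30")


def address_plan(links: List[Tuple[Endpoint, Endpoint]]) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map node -> {interface: (address/30, peer-node)}.

    The lower-numbered router takes .1 and the other .2. A second link between
    the same pair would reuse the /30, so that is rejected instead of silently
    producing a duplicate subnet.
    """
    plan: Dict[str, Dict[str, Tuple[str, str]]] = {n: {} for n in ROUTER_IDS}
    used = set()
    for ea, eb in links:
        first, second = sorted((ea, eb), key=lambda e: ROUTER_IDS[e[0]])
        net = link_subnet(first[0], second[0])
        if net in used:
            raise ValueError(f"duplicate /30 {net} for {first[0]}-{second[0]}")
        used.add(net)
        hosts = list(net.hosts())  # exactly [.1, .2] for a /30
        plan[first[0]][first[1]] = (f"{hosts[0]}/{net.prefixlen}", second[0])
        plan[second[0]][second[1]] = (f"{hosts[1]}/{net.prefixlen}", first[0])
    return plan


def router_commands(node: str, plan: Dict[str, Dict[str, Tuple[str, str]]]) -> List[str]:
    """VyOS 1.4 'set' commands for one router: interfaces, loopback and OSPF."""
    n = ROUTER_IDS[node]
    lo = f"{n}.{n}.{n}.{n}"
    cmds = [
        f"set interfaces loopback lo address {lo}/32",
        f"set protocols ospf parameters router-id {lo}",
        "set protocols ospf log-adjacency-changes",
        f"set protocols ospf area 0 network {lo}/32",
    ]
    for intf, (addr, peer) in sorted(plan[node].items()):
        net = ipaddress.ip_interface(addr).network
        cmds += [
            f"set interfaces ethernet {intf} address {addr}",
            f"set interfaces ethernet {intf} description 'To-{peer}'",
            f"set protocols ospf area 0 network {net}",
            # a /30 has exactly two routers, so skip the DR/BDR election
            f"set protocols ospf interface {intf} network point-to-point",
            # authenticate hellos so a rogue host on the link cannot form an adjacency
            f"set protocols ospf interface {intf} authentication md5 key-id 1 md5-key '{OSPF_MD5_KEY}'",
        ]
    return cmds


if __name__ == "__main__":
    plan = address_plan(CORE_LINKS)
    for node in ROUTER_IDS:
        print(f"# --- {node} ---")
        print("\n".join(router_commands(node, plan)))
```

The MD5 authentication lines are the security-relevant addition: without them any host plugged into a core segment can form an adjacency and inject routes. The key must be identical on both ends of each link, and the same script run with the same link list guarantees that.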
OSPF Configuration
# Deploy VyOS lab
containerlab deploy -t vyos-network-lab.yml
# Connect to VyOS-R1 (containerlab's default name is clab-<lab-name>-<node>).
# 'su - vyos' gives the VyOS CLI; a bare root shell from docker exec does not.
docker exec -it clab-vyos-network-lab-vyos-r1 su - vyos
# Enter configuration mode
configure
# Configure OSPF
set protocols ospf area 0 network 10.1.12.0/30
set protocols ospf area 0 network 10.1.13.0/30
set protocols ospf area 0 network 1.1.1.1/32
set protocols ospf parameters router-id 1.1.1.1
set protocols ospf log-adjacency-changes
# Configure interfaces
set interfaces ethernet eth1 address 10.1.12.1/30
set interfaces ethernet eth1 description "To-VyOS-R2"
set interfaces ethernet eth2 address 10.1.13.1/30
set interfaces ethernet eth2 description "To-VyOS-R3"
set interfaces loopback lo address 1.1.1.1/32
# Commit and save (order of the set commands does not matter; commit applies them atomically)
commit
save
# Verify OSPF, after the matching configuration exists on R2 and R3
show ip ospf neighbor
show ip route ospf
BGP Configuration
# Configure BGP on VyOS-R1 (VyOS 1.4 syntax: the local AS is set once with
# system-as; VyOS 1.3 repeats it in every path as 'protocols bgp 65001 ...')
configure
# Basic BGP setup
set protocols bgp system-as 65001
set protocols bgp parameters router-id 1.1.1.1
set protocols bgp parameters log-neighbor-changes
# eBGP neighbor. For production also set a 'password' (TCP MD5) on the neighbor
# and attach an export route-map, so the peer gets only what you intend to announce
set protocols bgp neighbor 10.1.12.2 remote-as 65002
set protocols bgp neighbor 10.1.12.2 description "VyOS-R2-eBGP"
set protocols bgp neighbor 10.1.12.2 address-family ipv4-unicast
# Network advertisement (FRR only announces a 'network' prefix that is present in the routing table)
set protocols bgp address-family ipv4-unicast network 1.1.1.1/32
set protocols bgp address-family ipv4-unicast network 192.168.1.0/24
# Route maps: the prefix-list a route-map matches on must exist, or the commit fails
set policy prefix-list CUSTOMER-ROUTES rule 10 action permit
set policy prefix-list CUSTOMER-ROUTES rule 10 prefix 192.168.0.0/16 le 24
set policy route-map LOCAL-PREF rule 10 action permit
set policy route-map LOCAL-PREF rule 10 match ip address prefix-list CUSTOMER-ROUTES
set policy route-map LOCAL-PREF rule 10 set local-preference 200
set protocols bgp neighbor 10.1.12.2 address-family ipv4-unicast route-map import LOCAL-PREF
commit
save
# Verify BGP
show ip bgp summary
show ip bgp neighbors
show ip route bgp
Static Routing
# Configure static routes. A next-hop must be on a directly connected subnet:
# 203.0.113.1 below stands for the provider gateway seen from vyos-fw's eth4,
# and 10.1.14.x are addresses on the R1-to-firewall link.
configure
# Default route
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1
# Specific static routes
set protocols static route 192.168.100.0/24 next-hop 10.1.14.2
set protocols static route 192.168.100.0/24 description "Internal Network"
# Floating static route: distance 200 loses to an OSPF route (distance 110)
# for the same prefix and is only installed when the dynamic route disappears
set protocols static route 192.168.200.0/24 next-hop 10.1.14.3 distance 200
commit
save
# Verify static routes
show ip route static
show ip route
VyOS Firewall Configuration
Zone-Based Firewall
# Configure firewall zones on vyos-fw (VyOS 1.4 syntax; VyOS 1.3 spells the same
# tree 'zone-policy zone ...')
configure
# Define zones; an interface belongs to exactly one zone
set firewall zone LAN description "Internal LAN"
set firewall zone DMZ description "DMZ Network"
set firewall zone WAN description "External WAN"
# Assign interfaces to zones
set firewall zone LAN interface eth2
set firewall zone DMZ interface eth3
set firewall zone WAN interface eth4
# Traffic between two zones is dropped unless a rule-set is attached for that
# direction: 'zone X from Y' filters traffic entering X that came from Y.
# Every rule-set named here must exist before the commit succeeds (next section).
set firewall zone LAN from DMZ firewall name DMZ-to-LAN
set firewall zone LAN from WAN firewall name WAN-to-LAN
set firewall zone DMZ from LAN firewall name LAN-to-DMZ
set firewall zone DMZ from WAN firewall name WAN-to-DMZ
set firewall zone WAN from LAN firewall name LAN-to-WAN
set firewall zone WAN from DMZ firewall name DMZ-to-WAN
# Caveat: the router itself is outside every zone until a local zone exists
# ('set firewall zone LOCAL local-zone' plus a WAN-to-LOCAL rule-set), so
# SSH, the API and VPN daemons on eth4 are reachable from the WAN without it.
commit
save
Firewall Rules
# Configure firewall rule-sets (VyOS 1.4: 'firewall ipv4 name' and
# 'state established'; VyOS 1.3: 'firewall name' and 'state established enable').
# Every rule-set referenced by a zone must be defined, including LAN-to-DMZ and
# DMZ-to-WAN, otherwise the zone commit fails.
configure
# LAN to WAN (allow most traffic)
set firewall ipv4 name LAN-to-WAN default-action accept
set firewall ipv4 name LAN-to-WAN rule 10 action drop
set firewall ipv4 name LAN-to-WAN rule 10 destination port 23,135-139,445
set firewall ipv4 name LAN-to-WAN rule 10 protocol tcp
set firewall ipv4 name LAN-to-WAN rule 10 description "Block telnet/NetBIOS/SMB egress"
# WAN to LAN (restrictive): only replies to connections the LAN opened
set firewall ipv4 name WAN-to-LAN default-action drop
set firewall ipv4 name WAN-to-LAN rule 10 action accept
set firewall ipv4 name WAN-to-LAN rule 10 state established
set firewall ipv4 name WAN-to-LAN rule 10 state related
set firewall ipv4 name WAN-to-LAN rule 10 description "Allow established connections"
# WAN to DMZ (allow specific services)
set firewall ipv4 name WAN-to-DMZ default-action drop
set firewall ipv4 name WAN-to-DMZ rule 10 action accept
set firewall ipv4 name WAN-to-DMZ rule 10 destination port 80,443
set firewall ipv4 name WAN-to-DMZ rule 10 protocol tcp
set firewall ipv4 name WAN-to-DMZ rule 10 description "Allow HTTP/HTTPS to DMZ"
set firewall ipv4 name WAN-to-DMZ rule 20 action accept
set firewall ipv4 name WAN-to-DMZ rule 20 state established
set firewall ipv4 name WAN-to-DMZ rule 20 state related
# DMZ to LAN (very restrictive)
set firewall ipv4 name DMZ-to-LAN default-action drop
set firewall ipv4 name DMZ-to-LAN rule 10 action accept
set firewall ipv4 name DMZ-to-LAN rule 10 destination address 192.168.10.100
set firewall ipv4 name DMZ-to-LAN rule 10 destination port 3306
set firewall ipv4 name DMZ-to-LAN rule 10 protocol tcp
set firewall ipv4 name DMZ-to-LAN rule 10 description "Allow DMZ to database server"
# LAN to DMZ: web access plus the replies to DMZ-initiated database connections
set firewall ipv4 name LAN-to-DMZ default-action drop
set firewall ipv4 name LAN-to-DMZ rule 10 action accept
set firewall ipv4 name LAN-to-DMZ rule 10 destination port 80,443
set firewall ipv4 name LAN-to-DMZ rule 10 protocol tcp
set firewall ipv4 name LAN-to-DMZ rule 20 action accept
set firewall ipv4 name LAN-to-DMZ rule 20 state established
set firewall ipv4 name LAN-to-DMZ rule 20 state related
# DMZ to WAN: DMZ servers answer inbound connections but do not open new ones
set firewall ipv4 name DMZ-to-WAN default-action drop
set firewall ipv4 name DMZ-to-WAN rule 10 action accept
set firewall ipv4 name DMZ-to-WAN rule 10 state established
set firewall ipv4 name DMZ-to-WAN rule 10 state related
# Instead of repeating the established/related rule in each rule-set, VyOS 1.4
# can apply it once with 'set firewall global-options state-policy established action accept'
# (and 'related'); that also keeps a forgotten rule-set from breaking return traffic.
commit
save
# Verify firewall
show firewall
show configuration commands | match "firewall zone"
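Three zones already need six rule-sets, and a missing direction is a silent hole (or, in VyOS, a failed commit). The following Python script is an added example (not part of the chapter or of VyOS) that generates the complete zone matrix for the firewall above from a small policy table: every ordered zone pair gets a rule-set, pairs with no explicit policy become drop-only with default logging, and connection tracking is handled once with the global state-policy instead of a rule in each set. The zone-to-interface mapping and the three explicit policies are taken from this section; the rule-set naming and the decision to log on drop-only sets are mine.

```python
from itertools import permutations
from typing import Dict, List, Optional, Tuple

# Zone -> interface, as on vyos-fw in the topology above
ZONES: Dict[str, str] = {"LAN": "eth2", "DMZ": "eth3", "WAN": "eth4"}

# A rule: (action, protocol, destination port spec or None,
#          destination address or None, description)
Rule = Tuple[str, str, Optional[str], Optional[str], str]

# Only the zone pairs the chapter explicitly opens. Every other direction is
# generated as a drop-only rule-set so no pair is left without a policy.
POLICY: Dict[Tuple[str, str], Tuple[str, List[Rule]]] = {
    ("LAN", "WAN"): ("accept", [
        ("drop", "tcp", "23,135-139,445", None, "Block telnet/NetBIOS/SMB egress")]),
    ("WAN", "DMZ"): ("drop", [
        ("accept", "tcp", "80,443", None, "Allow HTTP/HTTPS to DMZ")]),
    ("DMZ", "LAN"): ("drop", [
        ("accept", "tcp", "3306", "192.168.10.100", "Allow DMZ to database server")]),
}


def ruleset_name(src: str, dst: str) -> str:
    return f"{src}-to-{dst}"


def uncovered_pairs(zones: Dict[str, str], policy) -> List[Tuple[str, str]]:
    """Zone directions with no explicit policy; these become drop-only."""
    return [(s, d) for s, d in permutations(zones, 2) if (s, d) not in policy]


def zone_commands(zones: Dict[str, str], policy) -> List[str]:
    """Emit VyOS 1.4 'set' commands for a complete zone matrix."""
    cmds = [
        # connection tracking once, globally, instead of an established/related
        # rule in every rule-set
        "set firewall global-options state-policy established action accept",
        "set firewall global-options state-policy related action accept",
        "set firewall global-options state-policy invalid action drop",
    ]
    for zone, intf in zones.items():
        cmds.append(f"set firewall zone {zone} interface {intf}")
        cmds.append(f"set firewall zone {zone} default-action drop")
    for src, dst in permutations(zones, 2):
        name = ruleset_name(src, dst)
        default, rules = policy.get((src, dst), ("drop", []))
        cmds.append(f"set firewall ipv4 name {name} default-action {default}")
        if default == "drop":
            # log what the default drops so blocked flows show up in 'show log'
            cmds.append(f"set firewall ipv4 name {name} enable-default-log")
        for i, (action, proto, dport, daddr, desc) in enumerate(rules, start=1):
            r = f"set firewall ipv4 name {name} rule {i * 10}"
            cmds.append(f"{r} action {action}")
            cmds.append(f"{r} protocol {proto}")
            if dport:
                cmds.append(f"{r} destination port {dport}")
            if daddr:
                cmds.append(f"{r} destination address {daddr}")
            cmds.append(f"{r} description '{desc}'")
        # 'zone DST from SRC' filters traffic entering DST that came from SRC
        cmds.append(f"set firewall zone {dst} from {src} firewall name {name}")
    return cmds


if __name__ == "__main__":
    for src, dst in uncovered_pairs(ZONES, POLICY):
        print(f"# no explicit policy for {src} -> {dst}: drop-only rule-set generated")
    print("\n".join(zone_commands(ZONES, POLICY)))
```

The generated set still leaves the router itself unfiltered: add `set firewall zone LOCAL local-zone` and a rule-set for each `zone LOCAL from <zone>` direction (SSH from LAN only, IKE/WireGuard from WAN) before exposing eth4.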
NAT Configuration
# Configure NAT on vyos-fw (VyOS 1.4 syntax 'outbound-interface name'; 1.3 omits 'name')
configure
# Source NAT (masquerade) for LAN and DMZ traffic leaving eth4
set nat source rule 100 outbound-interface name eth4
set nat source rule 100 source address 192.168.10.0/24
set nat source rule 100 translation address masquerade
set nat source rule 100 description "LAN to WAN NAT"
set nat source rule 110 outbound-interface name eth4
set nat source rule 110 source address 192.168.20.0/24
set nat source rule 110 translation address masquerade
set nat source rule 110 description "DMZ to WAN NAT"
# Destination NAT (port forwarding) to the DMZ web server. DNAT is applied before
# the zone filter sees the packet, so WAN-to-DMZ must still accept tcp/80,443.
# Matching on the public address keeps the rule from rewriting every tcp/80
# packet that merely arrives on eth4.
set nat destination rule 10 inbound-interface name eth4
set nat destination rule 10 destination address 203.0.113.1
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.20.10
set nat destination rule 10 translation port 80
set nat destination rule 10 description "HTTP to DMZ server"
set nat destination rule 20 inbound-interface name eth4
set nat destination rule 20 destination address 203.0.113.1
set nat destination rule 20 destination port 443
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 192.168.20.10
set nat destination rule 20 translation port 443
set nat destination rule 20 description "HTTPS to DMZ server"
commit
save
# Verify NAT
show nat source statistics
show nat destination statistics
show nat source translations
VyOS VPN Configuration
IPsec Site-to-Site VPN
# Configure an IPsec site-to-site tunnel on vyos-fw to a branch router at
# 203.0.113.100 (a hypothetical peer; the branch subnet 192.168.30.0/24 is the
# one behind it). VyOS 1.4 syntax: peers are named, the pre-shared key lives
# under 'vpn ipsec authentication psk', and IPsec is enabled per interface.
configure
# Phase 2: AES-256 with SHA-256 and 2048-bit PFS. The original chapter used
# dh-group2 and sha1, which are not acceptable any more.
set vpn ipsec esp-group ESP-GROUP compression disable
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP mode tunnel
set vpn ipsec esp-group ESP-GROUP pfs dh-group14
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
# Phase 1: IKEv2, DH group 14, SHA-256, with dead-peer detection
set vpn ipsec ike-group IKE-GROUP key-exchange ikev2
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action restart
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval 30
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout 120
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 14
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
# Pre-shared key, one per peer: a long random string; 'SecretVPNKey123' is a placeholder
set vpn ipsec authentication psk BRANCH id 203.0.113.1
set vpn ipsec authentication psk BRANCH id 203.0.113.100
set vpn ipsec authentication psk BRANCH secret SecretVPNKey123
# Enable IPsec on the WAN interface
set vpn ipsec interface eth4
# Site-to-site tunnel
set vpn ipsec site-to-site peer BRANCH authentication mode pre-shared-secret
set vpn ipsec site-to-site peer BRANCH authentication remote-id 203.0.113.100
set vpn ipsec site-to-site peer BRANCH remote-address 203.0.113.100
set vpn ipsec site-to-site peer BRANCH local-address 203.0.113.1
set vpn ipsec site-to-site peer BRANCH connection-type initiate
set vpn ipsec site-to-site peer BRANCH default-esp-group ESP-GROUP
set vpn ipsec site-to-site peer BRANCH ike-group IKE-GROUP
set vpn ipsec site-to-site peer BRANCH tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer BRANCH tunnel 1 remote prefix 192.168.30.0/24
commit
save
# Verify IPsec (udp/500, udp/4500 and ESP must be allowed to the router from the WAN)
show vpn ipsec sa
show vpn ike sa
OpenVPN Configuration
# Configure an OpenVPN server on vyos-fw. In VyOS 1.4 certificates live in the
# PKI subsystem ('set pki ...'); VyOS 1.3 referenced files under /config/auth.
configure
# Lab PKI: a CA, a server certificate signed by it, and DH parameters. 'install'
# writes the results into the configuration (the generators prompt for details).
# In production, sign the server certificate with your organisation's CA instead.
run generate pki ca install CA
run generate pki certificate sign CA install SERVER
run generate pki dh install DH
# The generated material appears as 'set pki ca CA certificate ...',
# 'set pki certificate SERVER certificate ...' / 'private key ...' and 'set pki dh DH parameters ...'
# OpenVPN server configuration
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 server subnet 10.8.0.0/24
set interfaces openvpn vtun0 server push-route 192.168.10.0/24
set interfaces openvpn vtun0 server push-route 192.168.20.0/24
set interfaces openvpn vtun0 tls ca-certificate CA
set interfaces openvpn vtun0 tls certificate SERVER
set interfaces openvpn vtun0 tls dh-params DH
commit
save
# Verify OpenVPN (udp/1194 on eth4 must be allowed to the router from the WAN)
show interfaces openvpn
show openvpn server
WireGuard Configuration
# Configure WireGuard on vyos-fw
configure
# Generate a key pair and write the private key straight into wg0's configuration
# (it appears as 'set interfaces wireguard wg0 private-key ...'); the public key
# is printed for the peers. Without 'install' the command only displays a pair.
run generate pki wireguard key-pair install interface wg0
# WireGuard interface
set interfaces wireguard wg0 address 10.9.0.1/24
set interfaces wireguard wg0 description "WireGuard VPN"
set interfaces wireguard wg0 port 51820
# Peer configuration. allowed-ips is both the route to the peer and the source
# filter for packets arriving from it, so list only what client1 may send from.
set interfaces wireguard wg0 peer client1 allowed-ips 10.9.0.2/32
set interfaces wireguard wg0 peer client1 allowed-ips 192.168.40.0/24
set interfaces wireguard wg0 peer client1 public-key "client-public-key-here"
commit
save
# Verify WireGuard (udp/51820 on eth4 must be allowed to the router from the WAN)
show interfaces wireguard
show interfaces wireguard wg0 summary
VyOS High Availability
VRRP Configuration
# Configure VRRP on vyos-fw and a second gateway (VyOS 1.4 syntax: 'address';
# 1.3: 'virtual-address'). Preemption is on by default; 'no-preempt' disables it.
# The virtual address must differ from the interface's own address.
configure
# VRRP group for the LAN gateway
set high-availability vrrp group LAN vrid 10
set high-availability vrrp group LAN interface eth2
set high-availability vrrp group LAN address 192.168.10.1/24
set high-availability vrrp group LAN priority 200
# Plain-text VRRP authentication is visible to anyone on the segment and only
# prevents accidental vrid collisions; the LAN segment itself is the trust boundary
set high-availability vrrp group LAN authentication type plaintext-password
set high-availability vrrp group LAN authentication password VRRPSecret123
# DMZ gateway group (a sync-group member must be a defined group)
set high-availability vrrp group DMZ vrid 20
set high-availability vrrp group DMZ interface eth3
set high-availability vrrp group DMZ address 192.168.20.1/24
set high-availability vrrp group DMZ priority 200
# Sync group so both interfaces fail over together
set high-availability vrrp sync-group MAIN member LAN
set high-availability vrrp sync-group MAIN member DMZ
commit
save
# Verify VRRP
show vrrp
Configuration Synchronization
# Push selected configuration sections from the primary to the secondary on each
# commit. The transport is the secondary's HTTPS API, so the secondary needs
# 'service https api keys id <name> key <key>', and that key is a full
# configuration-write credential: keep the API bound to the sync address.
configure
set service config-sync mode load-balance
set service config-sync secondary address 192.168.10.2
set service config-sync secondary key <api-key-of-secondary>
set service config-sync section firewall
set service config-sync section nat
set service config-sync section vpn
commit
save
VyOS Load Balancing
WAN Load Balancing
# Dual-WAN variant of vyos-fw: here eth3 and eth4 are both uplinks (not the
# DMZ/WAN split used earlier in this chapter) and eth2 is the LAN.
configure
# Health checks: next-hop per uplink, plus a ping test with failure/success thresholds
set load-balancing wan interface-health eth3 nexthop 203.0.113.1
set load-balancing wan interface-health eth3 failure-count 3
set load-balancing wan interface-health eth3 success-count 3
set load-balancing wan interface-health eth3 test 10 type ping
set load-balancing wan interface-health eth3 test 10 target 8.8.8.8
set load-balancing wan interface-health eth4 nexthop 198.51.100.1
# Balance all LAN traffic 1:1 across both uplinks; a failed uplink is removed
# from the pool until its health check passes again
set load-balancing wan rule 1 inbound-interface eth2
set load-balancing wan rule 1 interface eth3 weight 1
set load-balancing wan rule 1 interface eth4 weight 1
set load-balancing wan rule 1 protocol all
set load-balancing wan rule 1 description "Load balance LAN traffic"
commit
save
# Verify load balancing (WAN load balancing applies source NAT on each uplink
# unless 'disable-source-nat' is set on the rule)
show wan-load-balance
show wan-load-balance status
VyOS Monitoring and Troubleshooting
System Monitoring
# System information
show version
show system uptime
show system memory
show system storage
# Interface monitoring
show interfaces
show interfaces ethernet eth1
show interfaces counters
# Protocol monitoring
show ip route
show ip ospf neighbor
show ip bgp summary
show vpn ipsec sa
Logging and Debugging
# Configure logging. Ship logs off-box: an attacker who gains the router can
# erase local logs, and TCP delivery does not silently lose bursts like UDP.
configure
set system syslog global facility all level info
set system syslog host 192.168.10.100 facility all level info
set system syslog host 192.168.10.100 protocol tcp
set system syslog file vyos facility all level debug
commit
save
# View logs
show log
show log | match "ospf"
monitor log
# Debug commands: the routing daemons are FRR, so debugging is switched on in
# vtysh from the shell (admin user). Turn it off again afterwards; packet
# debugging can fill the log and the CPU on a busy router.
sudo vtysh -c "debug ospf packet all"
sudo vtysh -c "debug bgp updates"
sudo vtysh -c "show debugging"
sudo vtysh -c "no debug ospf packet all"
Performance Monitoring
# Monitor system performance
show system processes
show system processes extensive
show interfaces counters
# Network testing
ping 8.8.8.8 count 10
traceroute 8.8.8.8
monitor traffic interface eth1
VyOS Automation
Configuration Management
#!/usr/bin/env python3
# vyos_config_manager.py
# Drive a VyOS container from the host. Commands are fed on stdin to a vbash
# running as the 'vyos' user (a root shell from 'docker exec' has no VyOS CLI),
# each batch is applied as a single commit, and nothing is interpolated into a
# host shell command line, so a value can never inject into the host shell.
import shlex
import subprocess
from typing import Dict, List, Optional, Tuple

SCRIPT_TEMPLATE = "/opt/vyatta/etc/functions/script-template"


class VyOSManager:
    def __init__(self, container_name: str, user: str = "vyos"):
        self.container_name = container_name
        self.user = user

    def _run_script(self, body: str) -> Tuple[str, str]:
        """Run a vbash script inside the container; return (stdout, stderr)."""
        script = f"source {SCRIPT_TEMPLATE}\n{body}exit\n"
        result = subprocess.run(
            ["docker", "exec", "-i", self.container_name,
             "su", "-", self.user, "-c", "vbash -s"],
            input=script, capture_output=True, text=True, check=False,
        )
        output = result.stdout + result.stderr
        if result.returncode != 0 or "Commit failed" in output:
            raise RuntimeError(f"VyOS command batch failed:\n{output}")
        return result.stdout, result.stderr

    def configure(self, commands: List[str]) -> Tuple[str, str]:
        """Apply 'set'/'delete' commands as one commit, then save."""
        body = "configure\n" + "".join(c + "\n" for c in commands) + "commit\nsave\n"
        return self._run_script(body)

    def show(self, command: str) -> str:
        """Run an operational-mode command (scripts need the 'run' prefix)."""
        return self._run_script(f"run {command}\n")[0]

    def configure_interface(self, interface: str, address: str,
                            description: Optional[str] = None) -> Tuple[str, str]:
        """Configure an ethernet interface address and optional description."""
        commands = [f"set interfaces ethernet {interface} address {address}"]
        if description:
            commands.append(
                f"set interfaces ethernet {interface} description {shlex.quote(description)}")
        return self.configure(commands)

    def configure_ospf(self, router_id: str, networks: List[Dict[str, str]]) -> Tuple[str, str]:
        """Configure OSPF router-id and area networks."""
        commands = [
            f"set protocols ospf parameters router-id {router_id}",
            "set protocols ospf log-adjacency-changes",
        ]
        commands += [f"set protocols ospf area {n['area']} network {n['network']}"
                     for n in networks]
        return self.configure(commands)

    def get_routing_table(self) -> str:
        """Get routing table"""
        return self.show("show ip route")

    def get_interface_status(self) -> str:
        """Get interface status"""
        return self.show("show interfaces")


# Usage example
if __name__ == "__main__":
    vyos = VyOSManager("clab-vyos-network-lab-vyos-r1")
    # Configure interface
    vyos.configure_interface("eth1", "10.1.12.1/30", "To-VyOS-R2")
    # Configure OSPF
    networks = [
        {"network": "10.1.12.0/30", "area": "0"},
        {"network": "1.1.1.1/32", "area": "0"},
    ]
    vyos.configure_ospf("1.1.1.1", networks)
    # Get status
    print("Routing table:")
    print(vyos.get_routing_table())
Ansible Integration
# vyos_playbook.yml
# Needs the vyos.vyos collection: ansible-galaxy collection install vyos.vyos
# (4.x or newer understands the VyOS 1.4 'firewall ipv4 name' syntax)
---
- name: Configure VyOS Network
  hosts: vyos_routers
  gather_facts: no
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: vyos.vyos.vyos
    ansible_user: vyos
    # Keep the password out of the playbook: an Ansible Vault variable, or SSH keys
    ansible_password: "{{ vault_vyos_password }}"
    # router_id and ospf_networks are per device and belong in host_vars, e.g.
    #   router_id: 1.1.1.1
    #   ospf_networks:
    #     - address: 10.1.12.0/30
    #     - address: 1.1.1.1/32
  tasks:
    - name: Configure interfaces
      vyos.vyos.vyos_interfaces:
        config:
          - name: eth1
            description: "To-Core-Network"
            enabled: true
        state: merged

    - name: Configure OSPF
      vyos.vyos.vyos_ospfv2:
        config:
          router_id: "{{ router_id }}"
          log_adjacency_changes: true
          areas:
            - area_id: "0"
              network: "{{ ospf_networks }}"
        state: merged

    - name: Configure firewall
      vyos.vyos.vyos_firewall_rules:
        config:
          - afi: ipv4
            rule_sets:
              - name: "LAN-to-WAN"
                default_action: accept
                rules:
                  - number: 10
                    action: drop
                    destination:
                      port: "23,135-139,445"
                    protocol: tcp
        state: merged

    - name: Save configuration
      vyos.vyos.vyos_config:
        save: true
VyOS Best Practices
Security Hardening
# Security configuration (VyOS 1.4 syntax; in 1.3 the firewall options below
# sit directly under 'firewall' instead of 'firewall global-options')
configure
# Strong authentication: an SSH key for the admin user and a password hash made
# with 'mkpasswd -m sha-512' (never type a password in clear into the config).
# Keep the default 'vyos' user until the new login is verified, then delete it.
set system login user admin authentication encrypted-password '$6$rounds=656000$...'
set system login user admin authentication public-keys admin@workstation type ssh-ed25519
set system login user admin authentication public-keys admin@workstation key 'AAAAC3...'
set system login user admin level admin
# SSH hardening: keys only, non-default port, bound to the LAN address rather
# than every address (including the WAN). 'protocol-version' no longer exists;
# VyOS only speaks SSH-2.
set service ssh port 2222
set service ssh disable-password-authentication
set service ssh listen-address 192.168.10.1
set service ssh client-keepalive-interval 60
# Disable unused services. VyOS ships no telnet or ftp daemon, but the HTTP API
# is a full configuration channel: remove it unless automation needs it
# (the delete fails harmlessly if 'service https' was never configured).
delete service https
# Firewall global options (these are not logging settings): answer unicast ping,
# ignore broadcast ping, and protect against TCP time-wait assassination
set firewall global-options all-ping enable
set firewall global-options broadcast-ping disable
set firewall global-options twa-hazards-protection enable
commit
save
Performance Optimization
# Performance tuning for physical NICs. Inside a container the veth driver may
# refuse some offload settings; the commit reports that rather than failing silently.
configure
# Interface optimization
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
# System optimization
set system option performance throughput
set system option kernel disable-power-saving
commit
save
Backup and Recovery
# Configuration backup: the operational shell is bash, so redirection and $(date)
# work. The 'set'-command form is the one to diff and keep under version control;
# /config/config.boot holds the same data in tree form and can be reloaded with 'load'.
show configuration commands > /config/backup-$(date +%Y%m%d).conf
# System image: only add images whose checksum or signature you have verified
# against the release announcement; an unverified download is a supply-chain
# risk for every network behind the router
add system image https://example.com/vyos-image.iso
# Configuration archive on every commit. The location URL carries the transfer
# credentials inside the running configuration (scp://user:password@host/path),
# so use a dedicated least-privilege backup account
set system config-management commit-archive location 'scp://backup-server/vyos-configs'
Summary
VyOS provides a comprehensive, open-source network operating system with enterprise-grade features. Its unified configuration interface, extensive protocol support, and ability to run as a VM or container make it an excellent choice for both learning and production deployments. Understanding VyOS capabilities enables cost-effective implementation of routing, security, and VPN services.
Key concepts covered:
- VyOS architecture and configuration system
- Routing protocols (OSPF, BGP, static)
- Zone-based firewall and NAT configuration
- VPN services (IPsec, OpenVPN, WireGuard)
- High availability with VRRP
- Load balancing and performance optimization
- Automation and management techniques
In the next chapter, we’ll explore OpenWrt, a Linux-based operating system for embedded devices and wireless access points.
Review Questions
- What are the main advantages of VyOS over traditional router operating systems?
- How do you configure zone-based firewall policies in VyOS?
- What VPN technologies does VyOS support and how do they differ?
- How do you implement high availability with VRRP in VyOS?
- What are best practices for VyOS security hardening?
Hands-on Exercises
Exercise 1: Basic VyOS Deployment
- Deploy the VyOS network lab
- Configure interfaces and basic routing
- Verify connectivity and routing tables
- Test configuration persistence
Exercise 2: Firewall and NAT Configuration
- Configure zone-based firewall policies
- Implement NAT rules for different scenarios
- Test firewall rule effectiveness
- Monitor firewall logs and statistics
Exercise 3: VPN Implementation
- Configure IPSec site-to-site VPN
- Set up OpenVPN server for remote access
- Implement WireGuard for modern VPN
- Test VPN connectivity and performance
Exercise 4: High Availability Setup
- Configure VRRP for gateway redundancy
- Implement configuration synchronization
- Test failover scenarios
- Monitor HA status and performance