# Deploying VyOS
VyOS is an open-source network operating system that provides a rich set of routing, firewall, VPN and other functions. Put simply, you can think of it as a software router or firewall that you install on a standard server, a virtual machine or a cloud environment.
## Getting started
The VyOS rolling-release ISO can be downloaded from this [link](https://vyos.net/get/nightly-builds/)
The VyOS stable-release ISO can be downloaded from this [link](https://cdn.as212934.net/routers/VyOS/)
The examples below were done with the `vyos-1.4.3-generic-amd64.iso` image
> Note that the commands to run differ slightly between versions
### Verifying the ISO
* Download the public key file
```
$ curl -L -o vyos-release.minisign.pub \
https://raw.githubusercontent.com/vyos/vyos-build/refs/heads/current/data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.minisign.pub
```
* Verify the ISO with minisign
```
$ minisign -Vm vyos-1.4.3-generic-amd64.iso -p vyos-release.minisign.pub
```
Screen output:
```
Signature and comment signature verified
Trusted comment: timestamp:1751909904 file:vyos-1.4.3-generic-amd64.iso
```
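An added check that is not part of this page or of the VyOS project: besides letting minisign validate the signature, it confirms that the signed trusted comment (the `file:` field shown above) names the exact ISO we downloaded, so a validly signed but different image is not accepted by mistake. `verify_iso` assumes `minisign` is installed; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the page or the VyOS project): besides letting
# minisign check the signature, confirm that the signed trusted comment
# names the exact ISO file we downloaded.

# check_trusted_comment EXPECTED_ISO MINISIGN_OUTPUT
# Extracts the "file:" field from the "Trusted comment:" line of the
# minisign output and compares it with the basename of EXPECTED_ISO.
# Returns 0 on match, 1 if the field is missing or differs.
check_trusted_comment() {
    expected=$(basename "$1")
    signed=$(printf '%s\n' "$2" \
        | sed -n 's/^Trusted comment: .*file:\([^ ]*\).*$/\1/p')
    [ -n "$signed" ] && [ "$signed" = "$expected" ]
}

# verify_iso ISO [PUBKEY]
# Runs minisign (assumed installed) and then the trusted-comment check.
# Any failure of either step makes the function return non-zero.
verify_iso() {
    iso=$1
    pubkey=${2:-vyos-release.minisign.pub}
    out=$(minisign -Vm "$iso" -p "$pubkey") || return 1
    check_trusted_comment "$iso" "$out"
}
```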
## Installing VyOS

* Default login credentials
> Username: vyos
> Password: vyos
* Run the install command; once installation finishes, reboot and the ISO can be removed
```
vyos@vyos:~$ install image
vyos@vyos:~$ reboot
```
* Set up the SSH server and allow password login
```
$ sudo su
$ sudo nano /etc/ssh/sshd_config
......
PasswordAuthentication yes
$ systemctl enable --now ssh
```
## Configuring the network
* List all current network interfaces
```
$ show interfaces
```
* Set a static IP. Enter `config` before making changes, then use `commit` to apply them and `save` so that the configuration does not disappear after the machine reboots
```
$ config
$ set interfaces ethernet eth0 address '10.10.7.4/24'
$ set interfaces ethernet eth1 address '172.20.0.1/16'
# Set the default gateway to 10.10.7.254
$ set protocols static route 0.0.0.0/0 next-hop 10.10.7.254
# Set the name server (DNS server)
$ set system name-server 8.8.8.8
$ commit
$ save
```
```
$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 10.10.7.4/24 u/u
eth1 172.20.0.1/16 u/u
lo 127.0.0.1/8 u/u
::1/128
```
```
$ show ip route 0.0.0.0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
Last update 00:01:00 ago
* 10.10.7.254, via eth0, weight 1
```
## System settings
```
$ set system host-name myvyos
$ set system time-zone Asia/Taipei
$ commit
$ save
```
## Configuring the DHCP server
```
# Set the IP range that DHCP may hand out
$ set service dhcp-server shared-network-name MYLAN subnet 172.20.0.0/16 range 0 start 172.20.128.1
$ set service dhcp-server shared-network-name MYLAN subnet 172.20.0.0/16 range 0 stop 172.20.255.249
$ set service dhcp-server shared-network-name MYLAN subnet 172.20.0.0/16 lease '86400'
# Set the gateway that DHCP clients receive
$ set service dhcp-server shared-network-name MYLAN subnet 172.20.0.0/16 default-router '172.20.0.1'
# Set the nameserver that DHCP clients receive
$ set service dhcp-server shared-network-name MYLAN subnet 172.20.0.0/16 name-server 172.20.0.1
$ commit
$ save
```
* Check the DHCP configuration
```
$ show service dhcp-server
shared-network-name MYLAN {
subnet 172.20.0.0/16 {
default-router 172.20.0.1
lease 86400
name-server 172.20.0.1
range 0 {
start 172.20.128.1
stop 172.20.255.249
}
}
}
[edit]
```
## Configuring NAT
* eth0 is the NIC that has internet access
```
$ set nat source rule 10 source address 172.20.0.0/16
$ set nat source rule 10 outbound-interface name eth0
$ set nat source rule 10 translation address 'masquerade'
$ commit
$ save
```
* Check the configuration
```
$ show nat source
rule 10 {
outbound-interface {
name eth0
}
source {
address 172.20.0.0/16
}
translation {
address masquerade
}
}
[edit]
```
## Configuring DNS
```
# Configure the DNS forwarder with caching disabled
$ set service dns forwarding cache-size '0'
# Allow clients from the 172.20.0.0/16 source network to use this VyOS box as their DNS forwarder
$ set service dns forwarding allow-from '172.20.0.0/16'
# Specify the IP on which VyOS serves DNS
$ set service dns forwarding listen-address '172.20.0.1'
# Specify the upstream DNS server
$ set service dns forwarding name-server '8.8.8.8'
$ commit
$ save
```
```
$ show service dns
forwarding {
allow-from 172.20.0.0/16
cache-size 0
listen-address 172.20.0.1
name-server 8.8.8.8 {
}
}
[edit]
```
### Configuring reverse (PTR) lookups
Note that `/run` is a tmpfs, so an edit made directly to this file does not survive a reboot.
```
$ sudo nano /run/pdns-recursor/recursor.conf
......
forward-zones=1.20.172.in-addr.arpa=10.10.7.41
$ sudo systemctl restart pdns-recursor
```
## Disabling SSH password authentication
* Disable password login
```
$ set service ssh disable-password-authentication
$ commit
$ save
```
* Configure public-key login
- `<USERNAME>`: a name identifying the user the key comes from
```
$ set system login user vyos authentication public-keys <USERNAME> type ssh-rsa
# The value after key is the public key with the leading ssh-rsa and the trailing username stripped (drop the head and the tail)
$ set system login user vyos authentication public-keys <USERNAME> key "c3NoLXJzYSBBQUF...."
$ commit
$ save
```
* View the configuration
```
$ show system login user vyos
```
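An added helper, not from this page or the VyOS project, that splits an OpenSSH public key line (as found in `~/.ssh/id_*.pub`) into the `type` and `key` values the two `set system login user ... authentication public-keys ...` commands above expect, and prints those commands. The function name is mine, and the list of accepted key types is an assumption; only ssh-rsa appears on this page.

```shell
#!/bin/sh
# Added example (not from the page or the VyOS project): turn one OpenSSH
# public key line into the VyOS "type" and "key" set commands.

# vyos_pubkey_cmds LOGIN_USER KEY_NAME "PUBKEY_LINE"
# LOGIN_USER is the VyOS account, KEY_NAME the identifier (<USERNAME> on
# this page), PUBKEY_LINE a full line from ~/.ssh/id_*.pub.
# Prints the two set commands, or returns 1 on a malformed line.
vyos_pubkey_cmds() {
    user=$1
    keyname=$2
    line=$3
    set -f                       # no globbing while we split on whitespace
    set -- $line                 # $1=type  $2=base64 body  $3...=comment
    set +f
    keytype=$1
    keybody=$2
    # Assumed list of key types VyOS accepts; ssh-rsa is the one on the page.
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $keytype" >&2; return 1 ;;
    esac
    # The body must exist and contain only base64 characters: VyOS expects
    # the bare base64 blob, without the type prefix or the comment.
    case $keybody in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key body" >&2; return 1 ;;
    esac
    printf 'set system login user %s authentication public-keys %s type %s\n' \
        "$user" "$keyname" "$keytype"
    printf 'set system login user %s authentication public-keys %s key "%s"\n' \
        "$user" "$keyname" "$keybody"
}
```

The printed lines can be pasted into a `config` session, followed by `commit` and `save`.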
## Configuring DNAT
```
$ set nat destination rule 100 description "Forward VC Web UI"
$ set nat destination rule 100 inbound-interface name eth0 # your external (WAN) interface (10.10.7.9 is on this NIC)
$ set nat destination rule 100 destination address 10.10.7.4
$ set nat destination rule 100 destination port 443
$ set nat destination rule 100 protocol tcp
$ set nat destination rule 100 translation address 172.20.0.10
$ set nat destination rule 100 translation port 443
$ commit
$ save
```
```
$ show nat destination
rule 100 {
description "Forward VC Web UI"
destination {
address 10.10.7.4
port 443
}
inbound-interface {
name eth0
}
protocol tcp
translation {
address 172.20.0.10
port 443
}
}
[edit]
```
## References
https://docs.vyos.io/en/1.3/installation/install.html#live-installation
https://ithelp.ithome.com.tw/m/articles/10267666