Last time I described my needs and ideas for the home lab network. Let's recall the main points of the blueprint and get to the setup.
Sum-up of requirements[1]:
- the configuration should be uniform across the whole cluster
- separate subnets
- I have to be able to create them quickly and connect or switch VMs to them easily
- free, authorized access from outside the local network
Step 0: Proxmox network setup.
First, we have to prepare virtual network interfaces. I think of them as virtual Ethernet plugs.
The first plug was already created during installation. Its characteristic feature is that it has the bridge ports parameter set, which means it is bound to our physical network card. It will be our WAN. I always use the Linux bridge with the lowest index, vmbr0 for example.
Option path is: {YOUR_NODE} > system > Network
- On the list you can see your network card (the real one); its type is Network Device.
- Important: put an IP address with a mask in the CIDR field when you set up Proxmox availability in your network (1.1.1.1/24, for example).
[Figure: WAN example]
Once you have the WAN, you can create the rest of the plugs. The rest of the VyOS configuration can be repeated for all of them; it's a kind of common configuration pack.
When creating a new Linux Bridge, set only the autostart option and the comment. The remaining fields depend on your needs.
[Figure: SUBNET example]
Step 1: Creating and installing the VyOS virtual machine.
I won't describe the details of that now. I'll post some installation tutorials another time, maybe. For now, what you need to know are a few facts.
- Unfortunately, to use a stable version of VyOS you've got to build it yourself. It sounds hard, but it is super easy. A great step-by-step guide is available in the official docs.
- This guide was created for a stable version. As of the date of writing this article, this is 1.3.x.
- The virtual machine specification again follows the documentation.
“The minimum system requirements are 512 MiB RAM and 2 GiB storage. Depending on your use, you might need additional RAM and CPU resources e.g. when having multiple BGP full tables in your system."[2]
[2] “Installation and Image Management » Installation » Hardware requirements”
VM's network devices
Remember to add all of the created Linux Bridges to our virtual machine as Network Devices. I recommend that the indexes match: vmbr0 → net0. VyOS changes the names a little (net0 becomes eth0, for example), but you'll recognise them by the index number.
Stop for a second and understand how to do things with VyOS
VyOS has two modes:
- operational mode - where you can check the configuration, etc.
- configure mode - this mode is for changing our settings.
To apply changes, use the commit command. To persist them, you have to type save. You can save any committed changes. Claro? 🧐
I recommend looking at the official documentation for more.
Step 2: WAN Configuration
WAN means wide area network. The simplest way to put it: that network is the Internet. In our configuration, one thing we have to keep in mind is that every rule describing traffic in and out of that network faces the public side. It's our window to the world.
Add a description to our WAN interface. The name of the interface depends on the virtual machine configuration.
DHCP
Enable DHCP on our WAN (eth0) interface.
OUTSIDE-IN
Create the OUTSIDE-IN firewall rule set, which controls traffic from the outside network to the inside network. It drops all traffic by default, except for packets that match rule 10, which allows traffic that is established or related to an existing connection.
In all examples below, I use variables for easy copying and pasting.
commit & save
OUTSIDE-LOCAL
And the same action for OUTSIDE-LOCAL. This rule set defines the policy for traffic from the outside that is addressed to the router itself; it drops all traffic by default, except for the following cases:
- it allows traffic that is part of an established or related connection (rule 10);
- it allows new ICMP echo-request packets (ping) (rule 20).
commit & save
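The WAN steps above as one added example in VyOS 1.3 command syntax (my example, not the post's own listing). It assumes eth0 is the WAN interface (vmbr0 → net0) and uses shell variables in the way the post suggests. The last two lines attach the rule sets to the interface; the text does not spell that out, but VyOS applies no rule set until it is bound to an interface and a direction.

```vyos
configure

# Assumed: the VM's first network device (vmbr0 -> net0) shows up as eth0.
WAN=eth0

# Description and DHCP on the WAN interface
set interfaces ethernet $WAN description 'WAN'
set interfaces ethernet $WAN address dhcp

# OUTSIDE-IN: traffic from the WAN that is forwarded to the subnets behind the router.
# Default drop; rule 10 lets replies to connections started from the inside come back.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

# OUTSIDE-LOCAL: traffic from the WAN addressed to the router itself.
# Default drop; rule 10 as above, rule 20 answers ping.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'

# Bind the rule sets: "in" = forwarded through the router, "local" = to the router.
set interfaces ethernet $WAN firewall in name 'OUTSIDE-IN'
set interfaces ethernet $WAN firewall local name 'OUTSIDE-LOCAL'

commit
save
```

With these two bindings in place, every later "open a port" step in the post is a new numbered rule in OUTSIDE-LOCAL (for services on the router) or OUTSIDE-IN (for hosts behind it); nothing reaches either until such a rule exists.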
Step 3: VyOS SSH access: do it once and for all.
An important security step you should take immediately after installation is setting up SSH and disabling SSH password login.
Enable SSH listening on a port.
For example, I use 22, but my recommendation is to use another, non-typical port.
OUTSIDE-LOCAL
Open the SSH port. It has to be the same port that we typed before. We have to add a rule to the previously created OUTSIDE-LOCAL rule set.
commit & save
Remember to forward the port to the VyOS IP on the physical router.
The IP address is shown by this command (operational mode):
show interfaces ethernet eth0
Disable password authentication.
Check that key-based login works, then disable SSH password auth.
commit & save
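The SSH hardening of Step 3 as an added example (not the post's own listing); port 22, the key identifier admin@laptop and the key value are placeholders. The order is the point: the firewall rule and the public key are committed first, the key login is verified from a second session, and only then is password authentication switched off, so a typo in the key cannot lock you out of the router.

```vyos
configure

# Assumed values; pick a non-standard port if you prefer.
SSH_PORT=22
RULESET=OUTSIDE-LOCAL

# 1. Listen on the port and let new TCP connections to it through OUTSIDE-LOCAL.
set service ssh port $SSH_PORT
set firewall name $RULESET rule 30 action 'accept'
set firewall name $RULESET rule 30 protocol 'tcp'
set firewall name $RULESET rule 30 destination port $SSH_PORT
set firewall name $RULESET rule 30 state new 'enable'
commit
save

# 2. Install the admin's public key for the vyos user (placeholder key value).
set system login user vyos authentication public-keys admin@laptop type 'ssh-ed25519'
set system login user vyos authentication public-keys admin@laptop key 'AAAAC3...PLACEHOLDER'
commit
save

# 3. From ANOTHER terminal: ssh -p 22 -i <private key> vyos@<router ip>
#    Only after that login succeeds, disable passwords:
set service ssh disable-password-authentication
commit
save
exit

# Operational mode: the address to forward the port to on the physical router.
show interfaces ethernet eth0
```

Keep the first session open until the key login in step 3 has been confirmed; the password path is the only fallback until then.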
Step 4 (+ n): Creating a separate network (for HOME or LAB VMs)
It's repeatable: go through this step every time you set up a new network.
Interface
When creating a new subnet, you have to decide some things:
- the interface on which it'll be configured
- the description (obvious)
- the IP address range; I strongly recommend using the RFC 1918 ranges:
  10.0.0.0 - 10.255.255.255 (10/8 prefix)
  172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
- the domain name
- the DHCP address range
Assign a description, an IP address and a subnet mask to the Ethernet interface.
commit & save
DHCP
This assigns network settings to devices that connect to the VyOS router. The service has a name and a subnet, which define the network segment it applies to. The commands also specify the gateway, the DNS server, the domain name, the lease time and the range of IP addresses the service may hand out to devices.
commit & save
NAT - Internet access
These commands configure network address translation. NAT is a technique that allows devices with private IP addresses to communicate with the public Internet using a public IP address.
The important thing is knowing which interface is the WAN in your setup. In this example it is eth0.
Check that you chose the correct rule number. My recommendation is 100-199 for WAN, 200-299 for the next subnet, and so on.
commit & save
Here I draw your attention to the translation address field. I use the masquerade technique, which allows multiple devices on a private network to share a single public IP address by rewriting the source address and port number of outgoing packets.
HOME-OUT
It's time to block access from your subnet, if you want to separate your network from the others.
commit & save
DNS
If you have your own DNS server, you should set up forwarding for the created subnet.
commit & save
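Step 4 as one added example for a subnet called HOME (my example, not the post's listing). The interface eth1, the range 192.168.10.0/24, the domain home.lab and the address of "your own DNS server" are assumptions. The HOME-OUT rule set is one reading of "block access from your subnet": bound on the inbound side of eth1, it governs traffic leaving the HOME VMs, accepts anything bound for the Internet and drops anything aimed at the RFC 1918 ranges, which is where all the other subnets on this router live. Rule 100 follows the post's numbering recommendation for the first subnet.

```vyos
configure

# Assumed values for this subnet
WAN=eth0
IF=eth1
NAME=HOME
NET=192.168.10.0/24
GW=192.168.10.1
DOMAIN=home.lab
MY_DNS=192.168.10.53
# MY_DNS: your own DNS server (constructed address)

# Interface: description, address and mask
set interfaces ethernet $IF description "$NAME"
set interfaces ethernet $IF address "$GW/24"

# DHCP: gateway, DNS (the router forwards), domain, lease, pool
set service dhcp-server shared-network-name $NAME subnet $NET default-router $GW
set service dhcp-server shared-network-name $NAME subnet $NET name-server $GW
set service dhcp-server shared-network-name $NAME subnet $NET domain-name $DOMAIN
set service dhcp-server shared-network-name $NAME subnet $NET lease '86400'
set service dhcp-server shared-network-name $NAME subnet $NET range 0 start '192.168.10.100'
set service dhcp-server shared-network-name $NAME subnet $NET range 0 stop '192.168.10.200'

# NAT: Internet access, masquerading behind the WAN address
set nat source rule 100 outbound-interface $WAN
set nat source rule 100 source address $NET
set nat source rule 100 translation address 'masquerade'

# HOME-OUT: keep Internet access, drop everything towards other private networks
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
set firewall group network-group RFC1918 network '192.168.0.0/16'
set firewall name ${NAME}-OUT default-action 'accept'
set firewall name ${NAME}-OUT rule 10 action 'accept'
set firewall name ${NAME}-OUT rule 10 state established 'enable'
set firewall name ${NAME}-OUT rule 10 state related 'enable'
set firewall name ${NAME}-OUT rule 30 action 'drop'
set firewall name ${NAME}-OUT rule 30 destination group network-group 'RFC1918'
# "in" on eth1 = packets arriving from HOME VMs and forwarded elsewhere.
# Packets for the router itself (DHCP, DNS) take the "local" hook and are unaffected.
set interfaces ethernet $IF firewall in name ${NAME}-OUT

# DNS: the router answers HOME clients and forwards to my DNS server
set service dns forwarding listen-address $GW
set service dns forwarding allow-from $NET
set service dns forwarding name-server $MY_DNS

commit
save
```

For the next subnet (LAB, eth2, another /24) the same block is reused with new values and NAT rule 200; because the drop rule matches the whole RFC 1918 group rather than one neighbour's prefix, adding subnets never requires touching the rule sets of the existing ones.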
Step 5: Access to the subnet via WireGuard
I decided to use WireGuard instead of another VPN: simplicity of configuration, security of the connection, and VyOS has it out of the box. Besides this, people say it uses state-of-the-art cryptography.
firewall
To establish a connection, we have to open a port on our WAN, so add the next rule to OUTSIDE-LOCAL. I suggest changing the port one more time. It's a one-time step.
commit & save
And one more time, remember to forward the port to the VyOS IP on the physical router.
interface
Setting up WireGuard is very similar to creating a new subnet. The small difference is that you have to generate a key pair at the beginning. The rest is almost the same.
At least one WireGuard peer is required, so add one. First, create the peer's public key and a preshared key. The second isn't necessary but increases security, so use it. Next, assign those keys to the newly created peer. At the end, set up allowed-ips. It usually allows one address per peer, but it all depends on what you need to achieve.
commit & save
generate peer
VyOS provides a tool to generate client configuration files, but it's not recommended for production use.[3]
[3] Remote Access “RoadWarrior” clients
HOME-OUT
Now we can create a link to the network we want access to. To do this, open the port in HOME-OUT and set up NAT translation from the WireGuard net to the subnet.
commit & save
NAT
These VyOS commands configure a NAT source rule for the WireGuard VPN. They set the outbound interface, replace the source IP with the interface IP (masquerade) and specify the WireGuard subnet to which the rule applies. This step is optional; use it if you'd like to mask the WireGuard IPs.
commit & save
If you want to route all Internet traffic through the WireGuard connection, you also have to set up NAT translation towards the WAN network.
commit & save
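Step 5 as one added example (my example, not the post's listing), in VyOS 1.3 syntax, where the router's keys are handled by `generate wireguard ...`; 1.4 moved this under the pki subsystem, so check the docs for your version. Assumed values: UDP port 51820, VPN range 10.10.10.0/24, one peer named laptop, HOME reachable on eth1 as 192.168.10.0/24, and a HOME-OUT rule set already bound on eth1. The client's public key and the preshared key are placeholders. Rules 200 and 210 use the 200-299 range the post reserves for the next subnet.

```vyos
# --- operational mode: the router's own keys (VyOS 1.3) ---
generate wireguard default-keypair
show wireguard keypairs pubkey default
# -> copy this public key into the client's [Peer] section
generate wireguard preshared-key
# -> prints a PSK; paste it into PEER_PSK below and into the client config

configure
# Assumed values
WAN=eth0
HOME_IF=eth1
WG=wg0
WG_PORT=51820
WG_NET=10.10.10.0/24
PEER_PUBKEY='<client public key - placeholder>'
PEER_PSK='<preshared key - placeholder>'

# firewall: accept the WireGuard handshake port on the WAN side (rule set from Step 2)
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 40 destination port $WG_PORT
set firewall name OUTSIDE-LOCAL rule 40 state new 'enable'

# interface: like a new subnet, but keyed
set interfaces wireguard $WG address '10.10.10.1/24'
set interfaces wireguard $WG description 'VPN'
set interfaces wireguard $WG port $WG_PORT

# peer: a /32 in allowed-ips, so this key may only send as 10.10.10.2
set interfaces wireguard $WG peer laptop pubkey "$PEER_PUBKEY"
set interfaces wireguard $WG peer laptop preshared-key "$PEER_PSK"
set interfaces wireguard $WG peer laptop allowed-ips '10.10.10.2/32'

# HOME-OUT: let HOME hosts open connections towards VPN clients; numbered to sit
# before any rule that drops private ranges. Replies to VPN-initiated connections
# are already covered by the established/related rule.
set firewall name HOME-OUT rule 25 action 'accept'
set firewall name HOME-OUT rule 25 destination address $WG_NET

# NAT, optional: hide VPN addresses behind the router's HOME address
set nat source rule 200 outbound-interface $HOME_IF
set nat source rule 200 source address $WG_NET
set nat source rule 200 translation address 'masquerade'

# NAT, only if VPN clients should also reach the Internet through this router
set nat source rule 210 outbound-interface $WAN
set nat source rule 210 source address $WG_NET
set nat source rule 210 translation address 'masquerade'

commit
save
exit

# --- client side: constructed wg-quick config for the peer "laptop" ---
# [Interface]
# PrivateKey = <laptop private key, generated on the laptop>
# Address = 10.10.10.2/32
# [Peer]
# PublicKey = <router public key from 'show wireguard keypairs pubkey default'>
# PresharedKey = <the PSK generated above>
# Endpoint = <public IP of the physical router>:51820
# AllowedIPs = 10.10.10.0/24, 192.168.10.0/24
# PersistentKeepalive = 25
```

On the client, AllowedIPs decides what goes into the tunnel: the two prefixes above reach only the VPN and HOME; replace them with 0.0.0.0/0 only if rule 210 is in place, otherwise the client loses Internet access the moment the tunnel comes up.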
Final step 🏁 - Connect VMs to the subnet you set up and see how easily and quickly you can switch them
Finally, now you can manage which VMs are on which network. The only thing you need to do is select which Linux Bridge (vmbr) your VM uses. It's under Hardware > Network Device. Visualise it as plugs: one into the virtual router, the other into your machine. It's simple.