
Vyatta How To

Installation
1. Mount the ISO file in the machine (on a physical machine, burn the ISO to a CD and boot from it)
2. Login using vyatta/vyatta as username and password
3. Start the installation with the following command:
   install image
4. Follow the wizard, accept all defaults
5. Reboot

Initial settings
Set the hostname and IP addresses, and enable SSH:
1. configure
2. set interfaces ethernet eth0 address <ipaddress>/<prefix-length>
3. set interfaces ethernet eth1 address <ipaddress>/<prefix-length>
4. set system gateway-address <gw-ipaddress>
5. set system name-server <dns-ipaddress>
6. set service ssh
7. set service ssh protocol-version v2
8. set system host-name <hostname>
9. commit
10. save

The router is now routing between the two networks specified.

DNS Configuration
Configure the router to forward DNS queries:
1. set service dns forwarding listen-on eth0
2. set service dns forwarding system
3. commit
4. save

To set static DNS records:
1. set system static-host-mapping host-name <hostname> inet <ip-address>
2. commit
3. save

NAT configuration
Version 6.4
Configure the router to forward packets with NAT:
1. set nat destination rule 200 destination port <nat-side-port>
2. set nat destination rule 200 inbound-interface eth0
3. set nat destination rule 200 translation address <destination-host-ip>
4. set nat destination rule 200 translation port <destination-host-port>
5. set nat destination rule 200 protocol tcp
6. commit
7. save

Legacy
Enable port forwarding for services inside the NAT:
1. set service nat rule 200 destination port <nat-side-port>
2. set service nat rule 200 inbound-interface eth0
3. set service nat rule 200 inside-address address <destination-host-ip>
4. set service nat rule 200 inside-address port <destination-host-port>
5. set service nat rule 200 protocol tcp
6. set service nat rule 200 type destination
7. commit
8. save

DHCP configuration
Configure an IPv4 DHCP scope:
1. set service dhcp-server shared-network-name v12n
2. set service dhcp-server shared-network-name v12n authoritative disable
3. set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length>
4. set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> default-router <gateway>
5. set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> dns-server <dns-server-ip>
6. set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> dns-server <secondary-dns-server>
7. set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> start <start-ip> stop <end-ip>
8. set service dhcp-server disabled false
9. commit
10. save

Allocate a static IP address to a host:
1. set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> static-mapping <some-name> ip-address <ip-address>
2. set service dhcp-server shared-network-name v12n subnet <subnet-to-serve>/<prefix-length> static-mapping <some-name> mac-address <mac-address>

Openvpn RoadWarrior
Generate certificates and key files
Copy the Easy-RSA files to /etc/openvpn:
1. vyatta@vyatta01# sudo su
2. root@vyatta01:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
At the end of the vars file there are settings for company, location and so on. Edit them to reflect your organization:
1. root@vyatta01:/etc/openvpn# nano vars

export KEY_COUNTRY="NO"
export KEY_PROVINCE="NA"
export KEY_CITY="Oslo"
export KEY_ORG="v12n"
export KEY_EMAIL="me@v12n.com"

Source the vars and clean the keys directory before starting:
1. root@vyatta01:/etc/openvpn# source ./vars
2. root@vyatta01:/etc/openvpn# ./clean-all

Create the certificate authority certificate:
1. root@vyatta01:/etc/openvpn# ./build-ca

Create a key and certificate for the vyatta router. Accept defaults and enter a password when prompted:
1. root@vyatta01:/etc/openvpn# ./build-key-server vyatta01

Create a Diffie-Hellman file:
1. root@vyatta01:/etc/openvpn# ./build-dh

Create a client key. Change the client name to reflect your client:
1. root@vyatta01:/etc/openvpn# ./build-key client

The outcome of this process should be something like this:
1. root@vyatta01:/etc/openvpn# ls keys/

Configure Vyatta
Configure OpenVPN on the vyatta router (the configuration node is interfaces, not interface):
1. set interfaces openvpn vtun0
2. set interfaces openvpn vtun0 encryption aes256
3. set interfaces openvpn vtun0 hash sha1
4. set interfaces openvpn vtun0 mode server
5. set interfaces openvpn vtun0 local-port 1194
6. set interfaces openvpn vtun0 protocol udp
7. set interfaces openvpn vtun0 server push-route 192.168.0.0/24 (local subnet)
8. set interfaces openvpn vtun0 server subnet 10.12.12.0/29
9. set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
10. set interfaces openvpn vtun0 tls cert-file /config/auth/keys/vyatta01.crt
11. set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh1024.pem
12. set interfaces openvpn vtun0 tls key-file /config/auth/keys/vyatta01.key
13. commit
14. save

Client side configuration

Copy the certificate and key files from the vyatta router to the client. From an Ubuntu client:

sysadm@ubuntu:~$ mkdir -p openvpn/keys
sysadm@ubuntu:~$ cd openvpn/keys/
sysadm@ubuntu:~/openvpn/keys$ scp vyatta@vyatta01:/etc/openvpn/keys/ca.crt .
Welcome to Vyatta
vyatta@vyatta01's password:
ca.crt                                       100% 1131     1.1KB/s   00:00
sysadm@ubuntu:~/openvpn/keys$ scp vyatta@vyatta01:/etc/openvpn/keys/client.* .
Welcome to Vyatta
vyatta@vyatta01's password:
client.crt                                   100% 3615     3.5KB/s   00:00
client.csr                                   100%  692     0.7KB/s   00:00
client.key                                   100%  891     0.9KB/s   00:00
sysadm@ubuntu:~/openvpn/keys$

DynDNS configuration
Configure vyatta to use DynDNS on the WAN interface, in this case eth0:
1. set service dns dynamic interface eth0 service dyndns host-name <host-name.domain>
2. set service dns dynamic interface eth0 service dyndns login <username>
3. set service dns dynamic interface eth0 service dyndns password <password>
4. commit
5. save

Check DynDNS status

To verify the current DynDNS status:
1. show dns dynamic status                     #display status
2. update dns dynamic interface <interface>    #force update of the DynDNS record

Other
Show the configuration from any mode:
1. run show configuration

To list settings without all the {}:
1. show configuration commands
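The output of show configuration commands is one set line per node, which makes it easy to audit. As an added example (not part of the original how-to) the Python script below parses such a dump and checks the settings this page applies: SSH pinned to protocol v2, the DNS forwarder not listening on the WAN interface, destination NAT rules narrowed to a protocol and port, and the OpenVPN server carrying a CA certificate. The sample dump, addresses and rule numbers are constructed for the example.

```python
import shlex

# Constructed sample of 'show configuration commands' output (values are made up).
SAMPLE_DUMP = """\
set interfaces ethernet eth0 address 203.0.113.2/24
set interfaces ethernet eth1 address 192.168.0.1/24
set service ssh
set service ssh protocol-version v2
set service dns forwarding listen-on eth1
set nat destination rule 200 inbound-interface eth0
set nat destination rule 200 protocol tcp
set nat destination rule 200 destination port 443
set nat destination rule 200 translation address 192.168.0.10
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
"""

def parse_set_commands(dump):
    """Turn each 'set a b c ...' line into a tuple path ('a', 'b', 'c', ...)."""
    paths = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "set":
            paths.append(tuple(tokens[1:]))
    return paths

def has(paths, *prefix):
    """True if any configured path starts with the given node sequence."""
    return any(p[:len(prefix)] == prefix for p in paths)

def audit(dump, wan_interface="eth0"):
    """Return a list of findings; an empty list means every check passed."""
    paths = parse_set_commands(dump)
    findings = []
    # SSH is reachable from both networks, so protocol-version v2 must be pinned.
    if has(paths, "service", "ssh") and not has(paths, "service", "ssh", "protocol-version", "v2"):
        findings.append("ssh enabled without protocol-version v2")
    # A forwarder listening on the WAN side is an open resolver for the Internet.
    if has(paths, "service", "dns", "forwarding", "listen-on", wan_interface):
        findings.append(f"dns forwarding listens on WAN interface {wan_interface}")
    # Every destination NAT rule should be narrowed to a protocol and a port.
    rules = sorted({p[3] for p in paths if p[:3] == ("nat", "destination", "rule") and len(p) > 3})
    for rule in rules:
        base = ("nat", "destination", "rule", rule)
        if not (has(paths, *base, "protocol") and has(paths, *base, "destination", "port")):
            findings.append(f"nat destination rule {rule} lacks protocol or destination port")
    # Without a CA certificate the OpenVPN server cannot verify client certificates.
    for vtun in sorted({p[2] for p in paths if p[:2] == ("interfaces", "openvpn") and len(p) > 2}):
        if not has(paths, "interfaces", "openvpn", vtun, "tls", "ca-cert-file"):
            findings.append(f"openvpn {vtun} has no tls ca-cert-file")
    return findings
```

Feed it the real dump with audit(open("config.txt").read()) and pass the WAN interface name if it is not eth0.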