
vyos 配置

2018-12-10 14:15:46  阅读:1366  来源: 互联网



1. 设置宽带上网

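# Section 1: PPPoE uplink on eth0, unit 0 (it shows up as "pppoe0" in the NAT,
# IPsec and firewall sections further down).
# The keyword is "pppoe" on every line; the original listing abbreviated it to
# "pppo" on the two credential lines, which makes the lines harder to compare
# with the running configuration. Replace the placeholders with the ISP-issued
# credentials; the password becomes part of the VyOS configuration, so keep
# configuration exports of this device out of shared notes.
set int eth eth0 pppoe 0
set int eth eth0 pppoe 0 user-id your_username
set int eth eth0 pppoe 0 password your_password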

2. 配置 DHCP

# Section 2: DHCP for the LAN segment 192.168.1.0/24.
# "authoritative" makes this server answer for the whole segment. Clients are
# handed addresses from .100-.150, .1 as default gateway and the two 223.x
# resolvers (the same ones the DNS forwarder in section 6 uses upstream).
# NOTE(review): nothing on this page assigns 192.168.1.1 to a LAN interface
# (section 6 listens on eth1 / eth1.x) -- confirm that address is configured
# before relying on this default-router setting.
set service dhcp-server shared-network-name LAN authoritative enable 
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.150
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 223.5.5.5
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 223.6.6.6
# Lease time in seconds (86400 = one day).
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400

3. 设置 NAT

# Section 3: source NAT (masquerade) for the LAN behind the PPPoE uplink.
# Rule 1 rewrites the source of 192.168.1.0/24 packets leaving pppoe0 to the
# interface's current address, so it keeps working when the PPPoE address
# changes. Only the LAN prefix matches; the VPN client pools used in sections
# 4 and 5 presumably need a rule of their own if those clients are meant to
# reach the Internet through this router.
set nat source rule 1 outbound-interface pppoe0
set nat source rule 1 source address 192.168.1.0/24
set nat source rule 1 translation address masquerade

4. 配置 OpenVPN

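# Section 4, step 1: certificate generation.
# Copy the easy-rsa 2.0 scripts shipped with OpenVPN next to the other
# material this page keeps under /config (the source page masked the word
# "openvpn" in this path; restored here so the command is usable).
cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2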

# Step 2: edit the easy-rsa variables file. The lines below are an excerpt of
# /config/easy-rsa2/vars ("..." marks lines the page left out); set the KEY_*
# values for your own CA before running the build scripts.
cat /config/easy-rsa2/vars
...
# 2048-bit RSA keys. On this page the size also shows up in the name of the
# DH parameter file that gets copied later (dh2048.pem).
export KEY_SIZE=2048
...
# Subject fields baked into every certificate this CA issues; the values
# shown are placeholders.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="test"
export KEY_CITY="tet"
export KEY_ORG="test"
export KEY_EMAIL="test@test.com"

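# Step 3: build the CA, the DH parameters and the server/client key pairs.
# Run these in one shell session: "source ./vars" exports the KEY_* settings
# the build scripts read. The scripts may prompt for the subject fields.
cd /config/easy-rsa2/
source ./vars
./build-ca
./build-dh
# Server certificate. The name chosen here is reused for the files copied
# into /config/auth and referenced by the vtun0 tls settings further down
# (the source page masked "openvpn" in this name).
./build-key-server openvpntest

# Client key pair. testclient.key is a private key: transfer it to the client
# over a trusted channel and do not leave spare copies lying around.
./build-key testclient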

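# Step 4: copy the server-side artefacts into /config/auth, the directory the
# vtun0 tls settings point at (names restored where the source page masked
# "openvpn"). The client needs ca.crt, testclient.crt and testclient.key
# instead -- see the client file below. openvpntest.key is the server's
# private key: keep it readable only by the account that runs OpenVPN.
cp /config/easy-rsa2/keys/ca.crt /config/auth/
cp /config/easy-rsa2/keys/dh2048.pem /config/auth/
cp /config/easy-rsa2/keys/openvpntest.key /config/auth/
cp /config/easy-rsa2/keys/openvpntest.crt /config/auth/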

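# Step 5: OpenVPN server on vtun0 (the source page masked "openvpn" as
# "open***" in these commands; restored here).
set int openvpn vtun0 mode server
set int openvpn vtun0 description "TCP version"
# Compression inside the tunnel. NOTE(review): compressing a mix of secret and
# attacker-influenced data is what the 2018 VORACLE attack exploited, and
# OpenVPN has since recommended leaving compression off; drop this line (and
# "comp-lzo" in the client file) unless it is really needed.
set int openvpn vtun0 openvpn-option --comp-lzo
# Listen for TCP clients on OpenVPN's default port 1194, which is what the
# client file below targets. The firewall in section 9 must accept that port.
set int openvpn vtun0 protocol tcp-passive
# Address pool for clients, plus the DNS servers and LAN route pushed to them.
set int openvpn vtun0 server subnet 192.168.3.0/24
set int openvpn vtun0 server name-server 223.5.5.5
set int openvpn vtun0 server name-server 223.6.6.6
set int openvpn vtun0 server push-route 192.168.1.0/24
# TLS material from /config/auth (copied in step 4; the DH file name follows
# KEY_SIZE=2048 in the vars file).
set int openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set int openvpn vtun0 tls cert-file /config/auth/openvpntest.crt
set int openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set int openvpn vtun0 tls key-file /config/auth/openvpntest.key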


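# Step 6: client configuration file (the source page masked the ".ovpn"
# extension). Written with ">" instead of the original ">>": appending would
# stack a second copy of every directive onto an existing file whenever the
# snippet is run again. The delimiter is quoted so the shell expands nothing
# in the body.
# NOTE(review): "remote" must be the address clients can actually reach --
# for remote users the pppoe0 address, not the 192.168.56.102 that looks
# carried over from the author's test setup.
# "ns-cert-type server" is deprecated in OpenVPN 2.4 and removed in 2.5;
# clients on those versions need "remote-cert-tls server" instead -- verify
# the server certificate carries the serverAuth extended key usage first.
cat <<'EOF' > testclient.ovpn
client
dev tun
proto tcp
remote 192.168.56.102 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert testclient.crt
key testclient.key
ns-cert-type server
comp-lzo
verb 3
EOF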

5. 配置 L2TP over IPsec

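# Section 5: L2TP over IPsec remote access on the PPPoE uplink (the source
# page masked the "vpn" keyword as "***"; restored here).
# IPsec terminates on pppoe0; NAT traversal is on and peers behind NAT are
# accepted from any network. The firewall in section 9 must let IKE (UDP
# 500), NAT-T (UDP 4500) and ESP reach the router for this to work.
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

# <public-address> is the address clients connect to, i.e. the one pppoe0
# currently holds; with a dynamically assigned PPPoE address this value has
# to be kept in step with the link. The client pool .1-.255 is separate from
# the LAN and OpenVPN pools and is not covered by NAT rule 1 in section 3.
# The pre-shared secret and the user password both end up in the
# configuration: use long random values and do not reuse them elsewhere.
set vpn l2tp remote-access outside-address <public-address>
set vpn l2tp remote-access client-ip-pool start 192.168.255.1
set vpn l2tp remote-access client-ip-pool stop 192.168.255.255
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <password>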

# Windows client: add a route to the LAN through the L2TP tunnel (run in an
# administrator cmd.exe; without "-p" the route is gone after a reboot).
# The gateway given is the first address of the client pool from section 5.
# NOTE(review): confirm that is the address the server end of the tunnel
# answers on, otherwise the route points into the client pool.
route add 192.168.1.0 mask 255.255.255.0 192.168.255.1

6. 配置 DNS 转发

# Section 6: DNS forwarding (dnsmasq) for the LAN.
# Upstream resolvers are the two 223.x servers; "cache-size 0" turns the local
# cache off; listening is limited to the LAN interfaces (eth1 and the VLAN
# sub-interfaces eth1.100 / eth1.2), so the forwarder is not reachable from
# pppoe0 -- keep it that way, a forwarder open to the WAN would be abusable
# for amplification.
set service dns forwarding name-server 223.5.5.5
set service dns forwarding name-server 223.6.6.6
set service dns forwarding cache-size 0
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth1.100
set service dns forwarding listen-on eth1.2

# dnsmasq is used as the forwarder; by default it consults /etc/hosts first
# and only asks the upstream servers for names not found there.
# The command below adds a static entry for host "abc".
set system static-host-mapping host-name abc inet 192.168.1.240

# Stop dnsmasq from reading /etc/hosts.
# NOTE(review): if static-host-mapping is implemented through /etc/hosts,
# this setting would hide the "abc" entry from DNS clients -- verify the two
# are meant to be used together.
set service dns forwarding ignore-hosts-file

7. 设置 vyos 用户无密码登录

8. 设置 vyos 用户登录密码

# Section 8: login password for the "vyos" account. "123" is only an example:
# use a long passphrase, or better set "encrypted-password" with a hash so the
# clear text never appears in shell history or configuration exports.
# NOTE(review): VyOS is believed to turn plaintext-password into a hash at
# commit time -- verify by inspecting the committed configuration.
set system login user vyos authentication plaintext-password 123

9. 设置防火墙

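# Section 9: firewall "out-inside", applied to traffic addressed to the
# router itself ("local") arriving on pppoe0. Default action is drop, so every
# service the WAN side must answer needs an accept rule in this set.
set firewall name out-inside default-action drop

set firewall name out-inside description "from out to inside"
# Rule 1: replies to connections the router itself initiated.
set firewall name out-inside rule 1 state established enable
set firewall name out-inside rule 1 state related enable
set firewall name out-inside rule 1 action accept

# Rule 2: SSH from the Internet. As written it accepts from any source;
# narrow it with "source address" to the management networks you actually
# use, or reach SSH only over one of the VPNs and drop this rule.
set firewall name out-inside rule 2 description ssh
set firewall name out-inside rule 2 action accept
set firewall name out-inside rule 2 protocol tcp
set firewall name out-inside rule 2 destination port 22

# Rules 3-5 were missing from the original listing: with the default drop in
# place they are needed for the L2TP/IPsec service from section 5 (IKE on UDP
# 500, NAT-T on UDP 4500, ESP) and the OpenVPN server from section 4 (TCP
# 1194, the port the client file targets). Descriptions are free-form labels.
set firewall name out-inside rule 3 description ipsec-ike-natt
set firewall name out-inside rule 3 action accept
set firewall name out-inside rule 3 protocol udp
set firewall name out-inside rule 3 destination port 500,4500

set firewall name out-inside rule 4 description ipsec-esp
set firewall name out-inside rule 4 action accept
set firewall name out-inside rule 4 protocol esp

set firewall name out-inside rule 5 description openvpn
set firewall name out-inside rule 5 action accept
set firewall name out-inside rule 5 protocol tcp
set firewall name out-inside rule 5 destination port 1194

# Attach the rule set to the local direction of the PPPoE interface.
set int eth eth0 pppoe 0 firewall local name out-inside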

10. 设置计划任务

# Section 10: scheduled task "task_name" -- runs /bin/ls (a placeholder) every
# 10 minutes. Point it at the real script by absolute path and keep that file
# writable by its owner only, since whatever is listed here runs unattended.
# NOTE(review): the account the scheduler runs tasks under is not shown on
# this page -- check it before relying on the task's privileges.
set system task-scheduler task task_name executable path /bin/ls
set system task-scheduler task task_name interval 10m
