ICode9

精准搜索请尝试: 精确搜索
首页 > 互联网> 文章详细

vyos 配置

2018-12-10 14:15:46  阅读:201  来源: 互联网

标签:



1. 设置宽带上网

set int eth eth0 pppoe 0
set int eth eth0 pppo 0 user-id youre_username
set int eth eth0 pppo 0 password your_password

2. 配置dhcp

set service dhcp-server shared-network-name LAN authoritative enable 
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.150
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 223.5.5.5
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 223.6.6.6
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400

3. 设置nat

set nat source rule 1 outbound-interface pppoe0
set nat source rule 1 source address 192.168.1.0/24
set nat source rule 1 translation address masquerade

4. 配置open***

# 生成证书
cp -rv /usr/share/doc/open***/examples/easy-rsa/2.0/ /config/easy-rsa2

# 编辑生成证书用的配置文件
cat /config/easy-rsa2/vars
...
export KEY_SIZE=2048
...
export KEY_COUNTRY="CN"
export KEY_PROVINCE="test"
export KEY_CITY="tet"
export KEY_ORG="test"
export KEY_EMAIL="test@test.com"

# 生成证书
cd /config/easy-rsa2/
source ./vars
./build-ca
./build-dh
./build-key-server open***test

# 生成client key
./build-key testclient

# 复制证书
cp /config/easy-rsa2/keys/ca.crt /config/auth/
cp /config/easy-rsa2/keys/dh2048.pem /config/auth/
cp /config/easy-rsa2/keys/open***test.key /config/auth/
cp /config/easy-rsa2/keys/open***test.crt /config/auth/

# 配置open***
set int open*** vtun0 mode server
set int open*** vtun0 description "TCP version"
set int open*** vtun0 open***-option --comp-lzo
set int open*** vtun0 protocol tcp-passive
set int open*** vtun0 server subnet 192.168.3.0/24
set int open*** vtun0 server name-server 223.5.5.5
set int open*** vtun0 server name-server 223.6.6.6
set int open*** vtun0 server push-route 192.168.1.0/24
set int open*** vtun0 tls ca-cert-file /config/auth/ca.crt
set int open*** vtun0 tls cert-file /config/auth/open***test.crt
set int open*** vtun0 tls dh-file /config/auth/dh2048.pem
set int open*** vtun0 tls key-file /config/auth/open***test.key


# 创建 client 配置文件
cat <<EOF>> testclient.o***
client
dev tun
proto tcp
remote 192.168.56.102 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert testclient.crt
key testclient.key
ns-cert-type server
comp-lzo
verb 3
EOF

5. 配置 L2TP over IPsec

set *** ipsec ipsec-interfaces interface pppoe0
set *** ipsec nat-traversal enable
set *** ipsec nat-networks allowed-network 0.0.0.0/0

set *** l2tp remote-access outside-address <public-address>
set *** l2tp remote-access client-ip-pool start 192.168.255.1
set *** l2tp remote-access client-ip-pool stop 192.168.255.255
set *** l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set *** l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set *** l2tp remote-access authentication mode local
set *** l2tp remote-access authentication local-users username <username> password <password>

# windows 添加路由
route add 192.168.1.0 mask 255.255.255.0 192.168.255.1

6、配置 dns 转发

set service dns forwarding name-server 223.5.5.5
set service dns forwarding name-server 223.6.6.6
set service dns forwarding cache-size 0
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth1.100
set service dns forwarding listen-on eth1.2

# 使用 dnsmasq 作dns forward,默认会读取优先从/etc/hosts读取作解析,
# /etc/hosts无所需要主机,则从dns server 解析
# 下面的命令可以为主机abc设置解析
set system static-host-mapping host-name abc inet 192.168.1.240

# 禁止dnsmasq读取/etc/hosts
set service dns forwarding ignore-hosts-file

7、设置vyos用户无密码登录

8、设置vyos用户登录密码

set system login user vyos authentication plaintext-password 123

9、设置防火墙

set firewall name out-inside default-action drop

set firewall name out-inside description "from out to inside"
set firewall name out-inside rule 1 state established enable
set firewall name out-inside rule 1 state related enable
set firewall name out-inside rule 1 action accept

set firewall name out-inside rule 2  description ssh
set firewall name out-inside rule 2  action accept
set firewall name out-inside rule 2  protocol tcp
set firewall name out-inside rule 2  destination port 22

set int eth eth0 pppoe 0 firewall local name out-inside

10、设置计划任务

set system task-scheduler task task_name executable path /bin/ls
set system task-scheduler task task_name interval 10m


标签:

专注分享技术,共同学习,共同进步。侵权联系[admin#icode9.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有