Connect VyOS to Oracle Cloud

January 20, 2023 | 7 minute read
Jake Bloom
Principal Solution Architect

In this post, we will integrate an OCI-hosted VyOS instance with the OCI native VPNaaS (VPN as a service) to create an IPSec Backplane. Once configured, OCI and VyOS will be able to exchange routing information, and we can use the VyOS instance to connect remote networks into OCI with the various protocols mentioned in the first blog post in this series.

Here is a high level diagram of what we will be building. Let's get started!

VyOS VPNaaS

In this configuration, we will build 2 IPSec Tunnels between VyOS and OCI, and then set up BGP to dynamically learn routes over the tunnel. Here are the steps we will follow for deployment.

1.) Prepare the Oracle Cloud environment for the VyOS image

2.) Deploy VyOS on Oracle Cloud Infrastructure

3.) Set up the IPSec Backplane on Oracle Cloud

4.) Set up the IPSec Backplane on VyOS

5.) Deploy a spoke VCN to verify routes are being received by VyOS

1.) Prepare the Oracle Cloud environment for the VyOS image

We will prepare the environment by building the following constructs in OCI:

  • Create a compartment if you want a new one at this time
  • Create a new VCN (without the wizard)
  • Create a new subnet
  • Modify the Security List to allow IPSec traffic on UDP/4500. (Allowing only the IPSec port also helps confirm that traffic, BGP included, is not leaking over the internet unencrypted.)
  • Create an Internet Gateway
  • Create a default route (0.0.0.0/0) to the Internet Gateway on the Route Table for the Hub VCN. IPSec traffic from VyOS will go over the Internet Gateway.

Step 1

2.) Deploy VyOS on Oracle Cloud Infrastructure

Type "VyOS" in the search bar of the OCI console. You will see VyOS as a marketplace image. Make sure that you have the right compartment selected before launching the image.

Now you will configure the image for deployment into the HUB VCN that was just configured. I used these options, but you may need to modify them for your deployment.

  • Shape - Intel Optimized (VM.Optimized3.Flex)
    • An Intel VM.Optimized3.Flex shape can provide 4 Gbps with 1 OCPU, and its high clock rate helps with decryption for the Remote Access VPNs that are not decrypted in the kernel.
  • Assign the previously created public subnet
    • Do not assign a public IP
    • Add a static private IP for eth0. I like to use the last usable IP address in the IP block.

After the initial deployment of VyOS is complete, go to the vNIC and configure the following.

  • Configure Eth0
    • Click on the name of the vNIC and go to IPv4 Addresses. From here, reserve a public IP address and assign it to the interface.
    • Make sure that the "Skip Source/Destination" field is ticked. It is not enabled by default.

Step 2

3.) Set up the IPSec Backplane on Oracle Cloud

Go to Networking -> Customer Connectivity. We will be adding several configurations here.

  • Under Customer-Premise-Equipment
    • Create a new device and add the newly reserved public IP address of VyOS under "Public IP Address"
  • Under Dynamic Routing Gateway
    • Create a new DRG with a memorable name
  • Under Site-to-Site VPN
    • Configure a new IPSec Connection. You will configure 2 IPSec Tunnels here, and both will connect to the VyOS Router.
    • Make sure the following parameters are set.
      • The VyOS CPE
      • (Checked) CPE is behind a NAT device
      • Select previously created DRG
    • Configure your tunnels with the following configuration. Any deviation from it (such as the local AS) will need to be reflected in the VyOS configuration in the next step.
      • Per-Tunnel-Configuration - All defaults are set, except for the following:
        • (Checked) provide custom shared secret, and add your custom secret
        • Tunnel 1
          • IKEv2
          • BGP ASN - 65500
          • Inside Interface - 1.1.0.0/31
          • Oracle Inside - 1.1.0.1/31
        • Tunnel 2 - needs a different IP space for the point-to-point connection and is otherwise the same configuration as Tunnel 1
          • Inside Interface 2.1.0.0/31
          • Oracle Inside - 2.1.0.1/31

Step 3

Be aware that by adding more tunnels and enabling ECMP on the DRG, you can increase throughput significantly for diverse traffic types. I show a 2-tunnel configuration in this blog, but the same configuration can be extended with more tunnels to increase throughput on the backplane.

4.) Set up the IPSec Backplane on VyOS

We are getting close! Now we will configure VyOS to connect into OCI. You can grab the raw file from my GitHub. It has a pre-built configuration using OCI's recommended parameters for Site-to-Site tunnels. Copy and paste the contents of the GitHub file into your favorite desktop text editor.

Find and replace the following variables with the configuration parameters you built out in previous steps of this post.

S2S_VPN_OCI_PUB_IP_CPE_1_TUN_1 (Site-to-Site VPN Public IP for OCI, Tunnel 1)
S2S_VPN_OCI_PUB_IP_CPE_1_TUN_2 (Site-to-Site VPN Public IP for OCI, Tunnel 2)
S2S_VPN_CPE1_PUB_IP (Reserved Public IP on vNIC0)
CPE1_ETH0_PRIVATE_IP (Reserved Private IP on vNIC0)
OCI_PRIVATE_KEY (Pre-Shared Key that will be used to authenticate the session)

Go over the configuration and make sure there are no syntax errors (stray spaces in IP addresses, a mistyped pre-shared key, etc.). Afterwards, SSH into the VyOS router as the user vyos and run 'conf'. Copy and paste the script into the router; the router will report any syntax errors. If there are none, run 'commit;save;exit'. The router will do a final validation of the configuration, then commit and save it.
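The find-and-replace step above is easy to get subtly wrong (a stray space in an IP address, the two tunnel endpoints swapped, a quote inside the pre-shared key). The following Python script is an added example, not the post's GitHub file: it fills the five placeholders named above, checks the values first, and reports any placeholder that a manual edit missed. The template lines are a constructed stand-in written in VyOS 1.3 site-to-site syntax (an assumption about the real file's format), and the sample values use documentation address ranges plus an assumed hub subnet of 10.0.0.0/24.

```python
"""Fill in the post's five placeholders and sanity-check the values before pasting the
result into VyOS 'conf' mode. Added example; it is not the post's GitHub file."""
import ipaddress
import re

# The five placeholder names from the post.
TUN1, TUN2 = "S2S_VPN_OCI_PUB_IP_CPE_1_TUN_1", "S2S_VPN_OCI_PUB_IP_CPE_1_TUN_2"
CPE_PUB, CPE_PRIV, PSK = "S2S_VPN_CPE1_PUB_IP", "CPE1_ETH0_PRIVATE_IP", "OCI_PRIVATE_KEY"
IP_VARS = (TUN1, TUN2, CPE_PUB, CPE_PRIV)
ALL_VARS = IP_VARS + (PSK,)
PLACEHOLDER_RE = re.compile(r"\b(" + "|".join(map(re.escape, ALL_VARS)) + r")\b")

# Constructed stand-in for the template; the real file is longer. The 'set' lines use
# VyOS 1.3 site-to-site syntax (an assumption about the post's file). 'authentication id'
# carries the reserved public IP because the CPE sits behind OCI's NAT.
TEMPLATE = """\
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_1 authentication pre-shared-secret 'OCI_PRIVATE_KEY'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_1 authentication id 'S2S_VPN_CPE1_PUB_IP'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_1 local-address 'CPE1_ETH0_PRIVATE_IP'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_1 vti bind 'vti0'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_2 authentication pre-shared-secret 'OCI_PRIVATE_KEY'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_2 authentication id 'S2S_VPN_CPE1_PUB_IP'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_2 local-address 'CPE1_ETH0_PRIVATE_IP'
set vpn ipsec site-to-site peer S2S_VPN_OCI_PUB_IP_CPE_1_TUN_2 vti bind 'vti1'
set interfaces vti vti0 address '1.1.0.0/31'
set interfaces vti vti1 address '2.1.0.0/31'
"""

# Constructed sample values (documentation address ranges, made-up secret).
SAMPLE_VALUES = {
    TUN1: "203.0.113.10",
    TUN2: "203.0.113.11",
    CPE_PUB: "198.51.100.5",
    CPE_PRIV: "10.0.0.254",     # last usable address of an assumed 10.0.0.0/24 hub subnet
    PSK: "constructed-psk-example",
}


def problems(values, hub_subnet=None):
    """Return a list of human-readable problems; an empty list means the values look sane."""
    out = [f"{name}: missing" for name in ALL_VARS if name not in values]
    if out:
        return out
    ips = {}
    for name in IP_VARS:
        try:
            ips[name] = ipaddress.IPv4Address(values[name])  # rejects stray spaces and typos
        except ValueError:
            out.append(f"{name}: {values[name]!r} is not a valid IPv4 address")
    if len(ips) == len(IP_VARS):
        if ips[TUN1] == ips[TUN2]:
            out.append("tunnel 1 and tunnel 2 OCI public IPs must differ")
        if ips[CPE_PUB] == ips[CPE_PRIV]:
            out.append("reserved public IP and eth0 private IP must differ")
        if hub_subnet and ips[CPE_PRIV] not in ipaddress.IPv4Network(hub_subnet):
            out.append(f"{CPE_PRIV}: {values[CPE_PRIV]} is outside the hub subnet {hub_subnet}")
    psk = values[PSK]
    if not psk or re.search(r"[\s']", psk):
        out.append(f"{PSK}: empty, or contains whitespace or a quote, which breaks the quoted VyOS value")
    return out


def render(template, values, hub_subnet=None):
    """Substitute every placeholder after the checks in problems() pass."""
    found = problems(values, hub_subnet)
    if found:
        raise ValueError("; ".join(found))
    return PLACEHOLDER_RE.sub(lambda m: values[m.group(1)], template)


def leftover_placeholders(text):
    """Placeholders still present, e.g. after a manual find-and-replace missed one."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


if __name__ == "__main__":
    print(render(TEMPLATE, SAMPLE_VALUES, hub_subnet="10.0.0.0/24"))
```

Run leftover_placeholders() over the file you edited by hand before pasting it into the router; VyOS will reject an unreplaced placeholder as an invalid address, but catching it locally is faster than reading the commit error.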

If all is well, you should be able to run "show ip bgp neighbor 1.1.0.1" and the neighbor state should be "Established". Verify this for the 2.1.0.1 neighbor as well. If it didn't work, make sure that you didn't mix up the tunnel_1 and tunnel_2 configuration!

Step 4

5.) Deploy a spoke VCN to verify that routes are being received by VyOS, and keep it for future testing.

Create a new VCN "SPOKE VCN" (10.1.0.0/16) and add the following configuration:

  • Internet Gateway
  • Subnet (10.1.0.0/24)
  • Create a DRG attachment to the new DRG
  • Security List, add an ingress rule for ICMP from 0.0.0.0/0
  • Add route rules for the traffic you expect. The 2 route entries will be the remote VPN network and the default route to the internet (for SSH access)
    • Target Type -> DRG
      • Destination 10.7.254.0/24 (Wireguard) or 10.8.254.0/24 (OpenConnect) or 10.9.254.0/24 (OpenVPN)
        • Only one of these destinations needs to be configured. I have them as a list for your convenience.
    • Target Type -> Internet Gateway
      • Destination CIDR 0.0.0.0/0
  • Deploy a test instance in the spoke VCN
    • I deploy an Oracle Linux 8 machine with an Intel Optimized shape (VM.Optimized3.Flex) with 1 OCPU

Final Verification

If all is working, you should be able to run "show ip route bgp" and see the 10.1.0.0/24 prefix from both BGP neighbors. Great job! Now let's move on to the VPN configuration that needs to be added to connect remote offices and users into the VyOS router, as referred to in the Connecting to Oracle Cloud using VPNs blog series.
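The two checks in this post, "show ip bgp neighbor" being Established for both neighbors (Step 4) and "show ip route bgp" listing 10.1.0.0/24 from both (this section), are simple enough to script so they can be re-run after every change. The Python below is an added example, not from the post or the VyOS project: it parses the output of those two commands and reports which neighbor or path is missing. VyOS's routing stack is FRR, and the sample outputs are constructed to follow FRR's layout; the function names and the "<oracle-asn>" placeholder are mine.

```python
"""Check the two verification commands from the post ('show ip bgp neighbor <ip>' and
'show ip route bgp') for the expected result. Added example; the sample outputs
below are constructed, modelled on the FRR format that VyOS prints."""
import re

STATE_RE = re.compile(r"BGP state = (?P<state>\w+)")
# First line of a BGP route: "B>* 10.1.0.0/24 [20/0] via 1.1.0.1, vti0, ..."
ROUTE_RE = re.compile(
    r"^B\S*\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+\[\d+/\d+\]\s+via\s+(?P<nh>\d+(?:\.\d+){3})")
# ECMP continuation line for the same prefix: "  *                    via 2.1.0.1, vti1, ..."
CONT_RE = re.compile(r"^\s+\*?\s*via\s+(?P<nh>\d+(?:\.\d+){3})")


def neighbor_state(output):
    """Session state from 'show ip bgp neighbor <ip>' output ('Unknown' if not found)."""
    m = STATE_RE.search(output)
    return m.group("state") if m else "Unknown"


def bgp_routes(output):
    """Map each BGP prefix in 'show ip route bgp' output to its set of next hops."""
    routes, current = {}, None
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = m.group("prefix")
            routes.setdefault(current, set()).add(m.group("nh"))
            continue
        m = CONT_RE.match(line)
        if m and current:
            routes[current].add(m.group("nh"))
    return routes


def backplane_status(neighbor_outputs, route_output, prefix):
    """neighbor_outputs: {neighbor_ip: text of 'show ip bgp neighbor <ip>'}.
    Reports whether every neighbor is Established and whether the prefix is
    installed with every neighbor as a next hop."""
    states = {ip: neighbor_state(text) for ip, text in neighbor_outputs.items()}
    next_hops = bgp_routes(route_output).get(prefix, set())
    return {
        "states": states,
        "next_hops": sorted(next_hops),
        "all_established": all(s == "Established" for s in states.values()),
        "prefix_from_all": set(neighbor_outputs) <= next_hops,
    }


# Constructed samples (not captured from a real router); <oracle-asn> is a placeholder.
NEIGHBOR_1_OK = """\
BGP neighbor is 1.1.0.1, remote AS <oracle-asn>, local AS 65500, external link
  BGP version 4, remote router ID 1.1.0.1
  BGP state = Established, up for 00:12:34
"""
NEIGHBOR_2_OK = NEIGHBOR_1_OK.replace("1.1.0.1", "2.1.0.1")
NEIGHBOR_2_DOWN = """\
BGP neighbor is 2.1.0.1, remote AS <oracle-asn>, local AS 65500, external link
  BGP state = Active
  Last reset 00:00:40, waiting for peer OPEN
"""
ROUTES_ONE_PATH = """\
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, * - FIB route, > - selected route
B>* 10.1.0.0/24 [20/0] via 1.1.0.1, vti0, weight 1, 00:05:12
"""
ROUTES_TWO_PATHS = ROUTES_ONE_PATH + "  *                    via 2.1.0.1, vti1, weight 1, 00:05:12\n"

if __name__ == "__main__":
    # Tunnel 2 is still negotiating in this sample, so both flags come back False.
    print(backplane_status({"1.1.0.1": NEIGHBOR_1_OK, "2.1.0.1": NEIGHBOR_2_DOWN},
                           ROUTES_ONE_PATH, "10.1.0.0/24"))
```

If both sessions are Established but only one next hop shows up, run "show ip bgp 10.1.0.0/24": it lists every path received, so you can tell a missing advertisement from the second tunnel apart from a single-path selection in the routing table.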
