Linux:VyOS: Difference between revisions
From Cheatsheet
Latest revision as of 16:03, 17 November 2024

Commands are for VyOS 1.4 unless otherwise noted.

== Commandline ==
=== Basics ===
<syntaxhighlight lang='bash'>
# Enter configuration mode
configure
# Commit changed configuration to RAM
commit
# Discard uncommitted changes
discard
# Save committed changes
save
# Exit the configuration mode
exit
# Use delete and then the already configured command, to remove/delete/undo said configured command
delete
</syntaxhighlight>
<syntaxhighlight lang='bash'>
# Use ? to list available parameters for a command:
vyos@vyos# set
Possible completions:
> cluster            Clustering
> container          Container applications
> firewall           Firewall
> high-availability  High availability settings
> interfaces         Network interfaces
...
</syntaxhighlight>
=== Checks ===
<syntaxhighlight lang='bash'>
# Show the router's full configuration
show
# Show interface configuration
show interfaces
# Show OS version
show version
</syntaxhighlight>
== Configuration ==
=== Common ===
<syntaxhighlight lang='bash'>
# Configure a hostname for this router
set system host-name LinuxRouter
# Configure DNS servers
set system name-server 176.9.37.132
set system name-server 195.10.195.195
# Create a default route for this router, pointing to 1.2.3.4
set protocols static route 0.0.0.0/0 next-hop 1.2.3.4
</syntaxhighlight>
=== SSH ===
<syntaxhighlight lang='bash'>
# Enable SSH by configuring a port to listen on
set service ssh port <port>
# Add an ed25519 key to the vyos user, with the description of 'doomguy'
set system login user vyos authentication public-keys 'doomguy' type ssh-ed25519
set system login user vyos authentication public-keys 'doomguy' key AAAAC3NzaC1128iqaushdkjah12873iqghdkahsk
# Optionally disable password authentication
set service ssh disable-password-authentication
# Optionally set an IP to listen on
set service ssh listen-address 192.168.77.202
</syntaxhighlight>
=== DHCP-relay ===
* https://docs.vyos.io/en/latest/configuration/service/dhcp-relay.html
<syntaxhighlight lang='bash'>
# Set the interfaces where the DHCP-server listens on and where the client lives
set service dhcp-relay interface eth1
set service dhcp-relay interface eth0
# Configure the IP of the DHCP-server
set service dhcp-relay server 10.0.0.20
# Discard packets coming from a relay-agent, so you only keep packets coming directly from DHCP-clients
set service dhcp-relay relay-options relay-agents-packets discard
</syntaxhighlight>
=== Network ===
==== Interfaces ====
<syntaxhighlight lang='bash'>
# Give interface eth1 an IP address and description
set interfaces ethernet eth1 address '10.0.0.1/24'
set interfaces ethernet eth1 description 'Local network gateway'
</syntaxhighlight>
==== Network Address Translation (NAT) ====
<syntaxhighlight lang='bash'>
# Set an interface as outbound
set nat source rule 100 outbound-interface 'eth0'
# Set an internal range to NAT for
set nat source rule 100 source address 10.0.0.0/8
# The method of NAT translation is masquerade as the IP (on eth0)
set nat source rule 100 translation address masquerade
</syntaxhighlight>
==== Port-forward ====
The example below is a basic configuration for a port-forward listening on port 1022 of the WAN interface (eth0), forwarding to a host on the LAN for SSH access. Both parts are needed: the firewall rule permits the forwarded traffic and the destination NAT rule performs the translation.
===== Firewall =====
<syntaxhighlight lang='bash'>
# Set this firewall rule to accept
set firewall name 'rockylinuxssh' rule 65 action accept
# Match new connections (connection-tracking state)
set firewall name 'rockylinuxssh' rule 65 state new enable
# Set protocol to allow through this rule (SSH is TCP-only; tcp_udp also opens udp/22)
set firewall name 'rockylinuxssh' rule 65 protocol 'tcp_udp'
# Set the IP of the host on the local network, to port-forward to
set firewall name 'rockylinuxssh' rule 65 destination address 10.0.0.10
# Set the port to forward to, of the host on the local network
set firewall name 'rockylinuxssh' rule 65 destination port 22
</syntaxhighlight>
===== NAT rule =====
<syntaxhighlight lang='bash'>
# Give a name to the NAT rule
set nat destination rule 65 description 'ROCKYLINUXFORWARDSSH'
# Set the port to listen on
set nat destination rule 65 destination port 1022
# Set the interface to listen on
set nat destination rule 65 inbound-interface 'eth0'
# Set the protocol this rule matches
set nat destination rule 65 protocol 'tcp_udp'
# Set the IP-address to forward to, when earlier configured communication happens on eth0 port 1022
set nat destination rule 65 translation address 10.0.0.10
# Set the port to forward to, when earlier configured communication happens on eth0 port 1022
set nat destination rule 65 translation port 22
</syntaxhighlight>
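As an added example (not from this cheatsheet or the VyOS project), a small Python audit over the output of <code>show configuration commands</code> that checks the SSH and port-forward sections above: password authentication disabled, a listen-address set, every destination NAT rule paired with a firewall accept rule for its target, and tcp_udp not used for an SSH forward. The sample configuration is constructed from this page's commands; the extra rule 66 and the omitted SSH options are deliberate so each check has something to report.

```python
"""Audit VyOS 'show configuration commands' output against this page's SSH and port-forward hardening points."""
from collections import defaultdict

# Constructed sample built from this cheatsheet's commands. Rule 66 and the
# missing SSH options are deliberate so that every check has something to report.
SAMPLE_CONFIG = """
set service ssh port 22
set firewall name 'rockylinuxssh' rule 65 action accept
set firewall name 'rockylinuxssh' rule 65 destination address 10.0.0.10
set firewall name 'rockylinuxssh' rule 65 destination port 22
set nat destination rule 65 destination port 1022
set nat destination rule 65 protocol 'tcp_udp'
set nat destination rule 65 translation address 10.0.0.10
set nat destination rule 65 translation port 22
set nat destination rule 66 destination port 1080
set nat destination rule 66 translation address 10.0.0.11
set nat destination rule 66 translation port 80
"""

def parse(config_text):
    """Split each 'set ...' line into tokens, dropping 'set' and surrounding quotes."""
    return [[t.strip("'\"") for t in line.split()[1:]]
            for line in config_text.splitlines() if line.strip().startswith("set ")]

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    cmds, findings = parse(config_text), []
    ssh = [c[2] for c in cmds if c[:2] == ["service", "ssh"]]
    if ssh and "disable-password-authentication" not in ssh:
        findings.append("ssh: password authentication still enabled")
    if ssh and "listen-address" not in ssh:
        findings.append("ssh: no listen-address, service binds every interface")
    # Group firewall and destination-NAT rules: rule id -> {leaf path: value}
    fw, dnat = defaultdict(dict), defaultdict(dict)
    for c in cmds:
        if c[:2] == ["firewall", "name"]:
            fw[(c[2], c[4])][" ".join(c[5:-1])] = c[-1]
        elif c[:3] == ["nat", "destination", "rule"]:
            dnat[c[3]][" ".join(c[4:-1])] = c[-1]
    # (address, port) pairs that some accept rule in a firewall rule set permits
    allowed = {(r.get("destination address"), r.get("destination port"))
               for r in fw.values() if r.get("action") == "accept"}
    for num, r in dnat.items():
        target = (r.get("translation address"), r.get("translation port"))
        if target not in allowed:
            findings.append(f"dnat rule {num}: no firewall accept rule for {target[0]}:{target[1]}")
        if r.get("protocol") == "tcp_udp" and target[1] == "22":
            findings.append(f"dnat rule {num}: tcp_udp used, but SSH needs only tcp")
    return findings
```

Paste the real output of <code>show configuration commands</code> in place of the sample to run the same checks against a live router.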