Gao Jinbo's blog | Infrastructure, Network Security

Using VyOS for multi-cloud interconnection

About VyOS

VyOS is an open-source, enterprise-grade router platform based on Linux. It uses Debian GNU/Linux as its base and adds FRR (a powerful open-source routing suite) together with open-source VPN technologies, including OpenVPN, WireGuard and IPsec, and other tools to extend its functionality.

Building the ISO installation image

docker pull vyos/vyos-build:current
git clone -b current --single-branch https://github.com/vyos/vyos-build
cd vyos-build
docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current bash

make clean
./build-vyos-image --architecture amd64 --build-by "j.randomhacker@vyos.io" generic

Installing VyOS in VirtualBox

When adding the virtual hard disk, choose the VHD format so the image can later be imported into Alibaba Cloud.
Boot from the ISO mounted in the virtual optical drive and choose "KVM console".
Username and password: vyos

Configuring SSH and the IP address

show interfaces
configure
set service ssh port 22 # configure the (default) SSH port
set interfaces ethernet eth0 address 192.168.6.195/24 # address on eth0 used for internet access
set protocols static route 0.0.0.0/0 next-hop 192.168.6.254 # default route

commit # apply the configuration
save #  save the configuration

# configure DNS
set system name-server 114.114.114.114
set system name-server 8.8.8.8

Once the VHD image has been imported into Alibaba Cloud successfully, the ECS instance can be started.

# connect via VNC and configure the IP address
configure
set interfaces ethernet eth1 address dhcp

commit # apply the configuration
save # save the configuration
exit
ip r
show version
Version:          VyOS 1.5-rolling-202502080927
Release train:    current
Release flavor:   generic

Built by:         j.randomhacker@vyos.io
Built on:         Sat 08 Feb 2025 09:27 UTC
Build UUID:       e3c31cde-512e-4d5b-afa9-7a95a1d18978
Build commit ID:  d1cdd2d87d94ac

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Secure Boot:      n/a (BIOS)

Hardware vendor:  Alibaba Cloud
Hardware model:   Alibaba Cloud ECS
Hardware S/N:     0b233b88-18c5-43fd-9c76-6b699df03c83
Hardware UUID:    0b233b88-18c5-43fd-9c76-6b699df03c83

Copyright:        VyOS maintainers and contributors

Deploying DMVPN to interconnect multiple clouds

Gateway  VPC CIDR     Public IP      Gateway private IP  Tunnel IP          Label  Region
A        10.1.0.0/16  112.124.44.27  10.1.1.21           192.168.254.62/32  A      Hangzhou
B        10.2.0.0/16  47.104.140.31  10.2.0.31           192.168.254.1/32   B      Qingdao
C        10.3.0.0/16  39.106.40.53   10.3.0.253          192.168.254.2/32   C      Beijing

Hub-and-spoke mode is used: A acts as the hub and needs a public IP, while B and C do not need public IPs.

Hub configuration on A

set interfaces tunnel tun100 address '192.168.254.62/32'
set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '42'
set interfaces tunnel tun100 source-interface 'eth1'
set protocols nhrp tunnel tun100 authentication 'U2XMZqZP'
set protocols nhrp tunnel tun100 holdtime '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 network-id '1'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 registration-no-unique
set protocols static route 10.2.0.0/16 next-hop 192.168.254.1
set protocols static route 10.3.0.0/16 next-hop 192.168.254.2
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'JFSXAtNAXEmN9ZcX'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

Spoke configuration on B

set interfaces tunnel tun100 address '192.168.254.1/32'
set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '42'
set interfaces tunnel tun100 source-interface 'eth1'
set protocols nhrp tunnel tun100 authentication 'U2XMZqZP'
set protocols nhrp tunnel tun100 holdtime '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 network-id '1'
set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '112.124.44.27'
set protocols nhrp tunnel tun100 registration-no-unique
set protocols nhrp tunnel tun100 shortcut
set protocols static route 192.168.254.0/24 next-hop 192.168.254.62
set protocols static route 10.1.0.0/16 next-hop 192.168.254.62
set protocols static route 10.3.0.0/16 next-hop 192.168.254.2
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'JFSXAtNAXEmN9ZcX'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

Spoke configuration on C

set interfaces tunnel tun100 address '192.168.254.2/32'
set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '42'
set interfaces tunnel tun100 source-interface 'eth1'
set protocols nhrp tunnel tun100 authentication 'U2XMZqZP'
set protocols nhrp tunnel tun100 holdtime '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 network-id '1'
set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '112.124.44.27'
set protocols nhrp tunnel tun100 registration-no-unique
set protocols nhrp tunnel tun100 shortcut
set protocols static route 192.168.254.0/24 next-hop 192.168.254.62
set protocols static route 10.1.0.0/16 next-hop 192.168.254.62
set protocols static route 10.2.0.0/16 next-hop 192.168.254.1
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'JFSXAtNAXEmN9ZcX'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

Verification

show vpn ipsec con
show vpn ipsec sa
show ip nhrp cache
show ip nhrp nhs
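As an added example (not the blog's own tooling), the following Python script reads hub and spoke "set" commands like the ones above, reports the parameters that must agree on every gateway (GRE key, NHRP network-id and authentication string, IPsec pre-shared secret), checks that each spoke registers at the hub's public IP and routes the mGRE /24 through the hub's tunnel address, and flags the IKEv1, DH group 2 and SHA-1 settings used in this configuration as weak. The inputs are constructed subsets of the page's configs with the secrets replaced by placeholders.

```python
# Added example, not from the blog: check the hub/spoke VyOS DMVPN configs above for
# mismatches that keep tunnels down, and flag weak IKE/ESP settings. Inputs are
# constructed subsets of the page's configs with secrets replaced by placeholders.
T, N = "set interfaces tunnel tun100", "set protocols nhrp tunnel tun100"
IKE, ESP = "set vpn ipsec ike-group IKE-HUB", "set vpn ipsec esp-group ESP-HUB"
PSK = "set vpn ipsec profile NHRPVPN authentication pre-shared-secret"
def norm(text):
    """'set ...' lines with quotes stripped and whitespace collapsed."""
    return [" ".join(t.strip("'\"") for t in ln.split())
            for ln in text.splitlines() if ln.strip().startswith("set ")]

def value(cfg, prefix):
    """Text after 'prefix ' on the first matching line, or None if absent."""
    return next((ln[len(prefix) + 1:] for ln in cfg if ln.startswith(prefix + " ")), None)

def check_dmvpn(configs, hub, hub_public_ip):
    """configs: {name: config text}. Returns a list of findings (empty = consistent)."""
    cfgs = {n: norm(t) for n, t in configs.items()}
    hub_tun = value(cfgs[hub], f"{T} address").split("/")[0]
    out = []
    # 1. values that must match on every gateway, or mGRE/NHRP/IPsec never line up
    for p in (f"{T} parameters ip key", f"{N} network-id", f"{N} authentication", PSK):
        vals = {n: value(c, p) for n, c in cfgs.items()}
        if len(set(vals.values())) != 1:
            out.append(f"mismatch on '{p.split()[-1]}': {vals}")
    # 2. spokes register at the hub's public (NBMA) IP and reach the mGRE /24 via its tunnel IP
    need = {f"{N} nhs tunnel-ip dynamic nbma": hub_public_ip,
            "set protocols static route 192.168.254.0/24 next-hop": hub_tun}
    # 3. weak settings carried over from the page: IKEv1, 1024-bit MODP group 2, SHA-1
    weak = {f"{IKE} key-exchange": ("ikev1", "prefer ikev2"),
            f"{IKE} proposal 1 dh-group": ("2", "use group 14 or stronger"),
            f"{ESP} proposal 1 hash": ("sha1", "use sha256")}
    for n, c in cfgs.items():
        out += [f"{n}: {p.split()[-1]} should be {v}" for p, v in need.items()
                if n != hub and value(c, p) != v]
        out += [f"{n}: {p.split()[-1]} is {bad}, {fix}" for p, (bad, fix) in weak.items()
                if value(c, p) == bad]
    return out

def sample(tun_ip, role_lines):
    # constructed subset of one gateway's config from the page (secrets are placeholders)
    return (f"{T} address '{tun_ip}/32'\n{T} parameters ip key '42'\n"
            f"{N} authentication 'NHRP-AUTH-PLACEHOLDER'\n{N} network-id '1'\n"
            f"{IKE} key-exchange 'ikev1'\n{IKE} proposal 1 dh-group '2'\n"
            f"{ESP} proposal 1 hash 'sha1'\n{PSK} 'PSK-PLACEHOLDER'\n" + role_lines)

SPOKE = (f"{N} nhs tunnel-ip dynamic nbma '112.124.44.27'\n"
         "set protocols static route 192.168.254.0/24 next-hop 192.168.254.62\n")
CONFIGS = {"A": sample("192.168.254.62", f"{N} redirect\n"),
           "B": sample("192.168.254.1", SPOKE), "C": sample("192.168.254.2", SPOKE)}
```

Running `check_dmvpn(CONFIGS, "A", "112.124.44.27")` on the page's values reports no mismatches but nine weak-crypto findings (three per gateway); a config with a differing GRE key, a wrong NBMA address or a spoke route that bypasses the hub is reported by name.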
