
VyOS Deployment Guide

Network operating system comparison and detailed VyOS configuration guide

Comparison of network operating system features

| Feature | VyOS | pfSense | OPNsense | OpenWrt | Tinc |
| --- | --- | --- | --- | --- | --- |
| Ease of use | harder | easy | medium | harder | easy |
| Typical scenario | large enterprises, customised requirements | small and medium businesses, branch offices | scenarios with high security requirements | low-cost, customised edge devices | simple, secure VPN links |
| Recommended | recommended | commercial | recommended | recommended | / |

The remaining rows of the original table only partially survived extraction (their per-product entries were icons): GUI (no entries preserved); feature richness, security and performance (two "medium" entries each, columns unknown); community activity (one "medium" entry); Alibaba Cloud deployment (entries "success / failed / success / /", columns unknown).

About VyOS

VyOS is an open-source, Linux-based enterprise router platform. It uses Debian GNU/Linux as its base and adds FRR (a powerful open-source routing suite) together with open-source VPN tooling, including OpenVPN, WireGuard and IPsec, to extend its functionality.

Building VyOS

  1. Native build
    git clone -b current --single-branch https://github.com/vyos/vyos-build
    cd vyos-build
    make clean
    ./build-vyos-image generic --architecture amd64 --build-by "j.randomhacker@vyos.io"
  2. Docker build
    docker pull vyos/vyos-build:current
    git clone -b current --single-branch https://github.com/vyos/vyos-build
    cd vyos-build
    docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current bash
    make clean
    ./build-vyos-image --architecture amd64 --build-by "j.randomhacker@vyos.io" generic

Installing VyOS

  1. Installing in Docker
    mkdir vyos && cd vyos
    curl -o vyos-1.5-rolling-202501110007-generic-amd64.iso https://github.com/vyos/vyos-nightly-build/releases/download/1.5-rolling-202501110007/vyos-1.5-rolling-202501110007-generic-amd64.iso
    mkdir rootfs
    mount -o loop vyos-1.5-rolling-202501110007-generic-amd64.iso rootfs
    apt-get install -y squashfs-tools
    mkdir unsquashfs
    unsquashfs -f -d unsquashfs/ rootfs/live/filesystem.squashfs
    tar -C unsquashfs -c . | docker import - vyos:1.5-rolling-202501110007
    umount rootfs
    docker run -d --net host --name vyos --privileged -v /lib/modules:/lib/modules vyos:1.5-rolling-202501110007 /sbin/init
    docker exec -it vyos bash
    netstat -ntupl
  2. Pushing to an image registry
    # The original's real SWR access key and login key are replaced by placeholders here;
    # prefer `--password-stdin` so the login key does not end up in shell history.
    docker login swr.cn-south-1.myhuaweicloud.com -u 'cn-south-1@<ACCESS_KEY>' -p '<LOGIN_KEY>'
    docker commit vyos swr.cn-south-1.myhuaweicloud.com/kailinjt/vyos:1.5-rolling-202501110007
    docker push swr.cn-south-1.myhuaweicloud.com/kailinjt/vyos:1.5-rolling-202501110007
    docker run -d --name vyos --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 -v /lib/modules:/lib/modules swr.cn-south-1.myhuaweicloud.com/kailinjt/vyos:1.5-rolling-202501110007 /sbin/init
    docker exec -it vyos su - vyos
  3. Installing in a VirtualBox VM
    • Add the disk in VHD format so the image can later be imported into Alibaba Cloud
    • Boot from the ISO in the virtual optical drive and choose "KVM console"
    • Username/password: vyos/hy123456
    show version
    install image   # install to disk
  4. Configuring SSH and IP addressing
    show interfaces
    configure
    set service ssh port 22                                        # SSH on the default port
    set interfaces ethernet eth0 address 192.168.6.195/24          # uplink address on eth0
    set protocols static route 0.0.0.0/0 next-hop 192.168.6.254    # default route
    commit   # apply the configuration
    save     # persist the configuration
  5. Configuring DNS (see https://docs.vyos.io/en/latest/configuration/system/name-server.html)
    configure
    set system name-server 114.114.114.114
    set system name-server 8.8.8.8
    commit   # apply the configuration
    save     # persist the configuration
  6. Importing the VHD image into Alibaba Cloud
    • An ECS instance can be started from the imported image
    • Connect over VNC and configure the IP address
    configure
    set interfaces ethernet eth1 address dhcp
    commit   # apply the configuration
    save     # persist the configuration
    exit
    ip r
    show version
    • Version information:
    Version: VyOS 1.5-rolling-202502080927
    Release train: current
    Release flavor: generic
    Built by: j.randomhacker@vyos.io
    Built on: Sat 08 Feb 2025 09:27 UTC
    Build UUID: e3c31cde-512e-4d5b-afa9-7a95a1d18978
    Build commit ID: d1cdd2d87d94ac
    Architecture: x86_64
    Boot via: installed image
    System type: KVM guest
    Secure Boot: n/a (BIOS)
    Hardware vendor: Alibaba Cloud
    Hardware model: Alibaba Cloud ECS
    Hardware S/N: 0b233b88-18c5-43fd-9c76-6b699df03c83
    Hardware UUID: 0b233b88-18c5-43fd-9c76-6b699df03c83
    Copyright: VyOS maintainers and contributors

VyOS architecture deployment (hub-and-spoke mode)

  1. Architecture
    • gateway A 10.1.0.0/16 112.124.44.27
    • gateway B 10.2.0.0/16 47.104.140.31
    • gateway C 10.3.0.0/16 39.106.40.53
    • Hub-and-spoke mode: A acts as the hub and needs a public IP; B and C do not
  2. A configuration (hub)
    • Tunnel
    set interfaces tunnel tun100 address '192.168.254.62/32'
    set interfaces tunnel tun100 enable-multicast
    set interfaces tunnel tun100 encapsulation 'gre'
    set interfaces tunnel tun100 parameters ip key '42'
    set interfaces tunnel tun100 source-interface 'eth1'
    • NHRP settings
    set protocols nhrp tunnel tun100 authentication 'U2XMZqZP'
    set protocols nhrp tunnel tun100 holdtime '300'
    set protocols nhrp tunnel tun100 multicast 'dynamic'
    set protocols nhrp tunnel tun100 network-id '1'
    set protocols nhrp tunnel tun100 redirect
    set protocols nhrp tunnel tun100 registration-no-unique
    • Static routes to the branch networks
    set protocols static route 10.2.0.0/16 next-hop 192.168.254.1
    set protocols static route 10.3.0.0/16 next-hop 192.168.254.2
    • IPsec
    set vpn ipsec esp-group ESP-HUB lifetime '1800'
    set vpn ipsec esp-group ESP-HUB mode 'transport'
    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
    set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
    set vpn ipsec ike-group IKE-HUB lifetime '3600'
    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
    set vpn ipsec interface 'eth1'
    set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'JFSXAtNAXEmN9ZcX'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
    set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
    set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
  3. B configuration (spoke)
    • Tunnel
    set interfaces tunnel tun100 address '192.168.254.1/32'
    set interfaces tunnel tun100 enable-multicast
    set interfaces tunnel tun100 encapsulation 'gre'
    set interfaces tunnel tun100 parameters ip key '42'
    set interfaces tunnel tun100 source-interface 'eth1'
    • NHRP settings
    set protocols nhrp tunnel tun100 authentication "U2XMZqZP"
    set protocols nhrp tunnel tun100 holdtime '300'
    set protocols nhrp tunnel tun100 multicast 'dynamic'
    set protocols nhrp tunnel tun100 network-id '1'
    set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '112.124.44.27'
    set protocols nhrp tunnel tun100 registration-no-unique
    set protocols nhrp tunnel tun100 shortcut
    • Static routes
    set protocols static route 192.168.254.0/24 next-hop 192.168.254.62
    set protocols static route 10.1.0.0/16 next-hop 192.168.254.62
    set protocols static route 10.3.0.0/16 next-hop 192.168.254.2
    • IPsec
    set vpn ipsec esp-group ESP-HUB lifetime '1800'
    set vpn ipsec esp-group ESP-HUB mode 'transport'
    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
    set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
    set vpn ipsec ike-group IKE-HUB lifetime '3600'
    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
    set vpn ipsec interface 'eth1'
    set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'JFSXAtNAXEmN9ZcX'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
    set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
    set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
  4. C configuration (spoke)
    • Tunnel
    set interfaces tunnel tun100 address '192.168.254.2/32'
    set interfaces tunnel tun100 enable-multicast
    set interfaces tunnel tun100 encapsulation 'gre'
    set interfaces tunnel tun100 parameters ip key '42'
    set interfaces tunnel tun100 source-interface 'eth1'
    • NHRP settings
    set protocols nhrp tunnel tun100 authentication "U2XMZqZP"
    set protocols nhrp tunnel tun100 holdtime '300'
    set protocols nhrp tunnel tun100 multicast 'dynamic'
    set protocols nhrp tunnel tun100 network-id '1'
    set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '112.124.44.27'
    set protocols nhrp tunnel tun100 registration-no-unique
    set protocols nhrp tunnel tun100 shortcut
    • Static routes
    set protocols static route 192.168.254.0/24 next-hop 192.168.254.62
    set protocols static route 10.1.0.0/16 next-hop 192.168.254.62
    set protocols static route 10.2.0.0/16 next-hop 192.168.254.1
    • IPsec
    set vpn ipsec esp-group ESP-HUB lifetime '1800'
    set vpn ipsec esp-group ESP-HUB mode 'transport'
    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
    set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
    set vpn ipsec ike-group IKE-HUB lifetime '3600'
    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
    set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
    set vpn ipsec interface 'eth1'
    set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'JFSXAtNAXEmN9ZcX'
    set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
    set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
    set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
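The hub and both spokes above must agree on the GRE key, the NHRP network-id and authentication string and the IPsec pre-shared secret, and each spoke must point its NHS at the hub's public (NBMA) address and route the hub network via the hub's tunnel address; any one of these drifting produces a tunnel that "comes up" but never carries traffic. The script below is an added example, not part of the guide and not VyOS code: it parses plain `set ...` lines into path/value pairs with a heuristic that matches the guide's style (a line ending in a quote carries a value, an unquoted line such as `redirect` or a static route is a valueless node), checks those cross-site invariants, and also flags the weak IKE parameters the guide uses (IKEv1, DH group 2, SHA1). The embedded hub and spoke-B samples reuse the guide's values; spoke C is constructed with its GRE key deliberately changed to `43` so the drift check has something to catch.

```python
"""Consistency and crypto-hygiene checks for the hub/spoke DMVPN configuration.

Added example for this guide; not VyOS code. Parses `set ...` lines into
{path-tuple: value} and checks the cross-site invariants plus weak IKE settings.
"""
import shlex
from typing import Dict, List, Optional, Tuple

Path = Tuple[str, ...]
Config = Dict[Path, Optional[str]]

TUN = ("interfaces", "tunnel", "tun100")
NHRP = ("protocols", "nhrp", "tunnel", "tun100")
PROFILE = ("vpn", "ipsec", "profile", "NHRPVPN")
IKE = ("vpn", "ipsec", "ike-group", "IKE-HUB")
HUB_LAN = "10.1.0.0/16"  # network behind the hub, from the guide


def parse_set_lines(text: str) -> Config:
    """Heuristic parser: a line ending in a quote carries its value in the last
    token; an unquoted line (e.g. `... redirect`, static routes) is a valueless
    node stored as None."""
    cfg: Config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line)[1:]
        if line[-1] in "'\"":
            cfg[tuple(tokens[:-1])] = tokens[-1]
        else:
            cfg[tuple(tokens)] = None
    return cfg


def check_dmvpn(hub: Config, hub_public_ip: str, spokes: Dict[str, Config]) -> List[str]:
    """Return findings as strings; an empty list means everything is consistent."""
    findings: List[str] = []
    hub_tunnel_ip = (hub.get(TUN + ("address",)) or "").split("/")[0]
    shared = {  # values that must be identical on every site
        "GRE key": TUN + ("parameters", "ip", "key"),
        "NHRP authentication": NHRP + ("authentication",),
        "NHRP network-id": NHRP + ("network-id",),
        "IPsec pre-shared-secret": PROFILE + ("authentication", "pre-shared-secret"),
    }
    for name, cfg in [("hub", hub)] + list(spokes.items()):
        for label, path in shared.items():
            if cfg.get(path) != hub.get(path):
                findings.append(f"{name}: {label} differs from hub")
        if cfg.get(IKE + ("key-exchange",)) == "ikev1":
            findings.append(f"{name}: IKEv1 in use; prefer IKEv2")
        if cfg.get(IKE + ("proposal", "1", "dh-group")) == "2":
            findings.append(f"{name}: DH group 2 (1024-bit MODP) is weak; use 14 or stronger")
        if cfg.get(IKE + ("proposal", "1", "hash")) == "sha1":
            findings.append(f"{name}: SHA1 integrity is weak; use sha256")
    for name, spoke in spokes.items():
        nbma = spoke.get(NHRP + ("nhs", "tunnel-ip", "dynamic", "nbma"))
        if nbma != hub_public_ip:
            findings.append(f"{name}: NHS nbma {nbma!r} is not the hub public IP {hub_public_ip}")
        if ("protocols", "static", "route", HUB_LAN, "next-hop", hub_tunnel_ip) not in spoke:
            findings.append(f"{name}: no static route to {HUB_LAN} via hub tunnel IP {hub_tunnel_ip}")
    return findings


# Constructed samples: hub and spoke B carry the guide's values; spoke C has its
# GRE key deliberately changed to 43 so the drift check fires.
HUB_CFG = """
set interfaces tunnel tun100 address '192.168.254.62/32'
set interfaces tunnel tun100 parameters ip key '42'
set protocols nhrp tunnel tun100 authentication 'U2XMZqZP'
set protocols nhrp tunnel tun100 network-id '1'
set protocols nhrp tunnel tun100 redirect
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'JFSXAtNAXEmN9ZcX'
"""
SPOKE_B_CFG = """
set interfaces tunnel tun100 address '192.168.254.1/32'
set interfaces tunnel tun100 parameters ip key '42'
set protocols nhrp tunnel tun100 authentication "U2XMZqZP"
set protocols nhrp tunnel tun100 network-id '1'
set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '112.124.44.27'
set protocols static route 10.1.0.0/16 next-hop 192.168.254.62
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'JFSXAtNAXEmN9ZcX'
"""
SPOKE_C_CFG = SPOKE_B_CFG.replace("address '192.168.254.1/32'", "address '192.168.254.2/32'").replace("key '42'", "key '43'")


def run_checks() -> List[str]:
    spokes = {"B": parse_set_lines(SPOKE_B_CFG), "C": parse_set_lines(SPOKE_C_CFG)}
    return check_dmvpn(parse_set_lines(HUB_CFG), "112.124.44.27", spokes)


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Run against the guide's values the checker reports only the three weak-IKE findings per site plus the constructed GRE drift on spoke C; swapping in `ikev2`, `dh-group '14'` and `sha256` on every site clears it. The parser is deliberately narrow: it understands the quoting style used on this page, not the full VyOS configuration grammar.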

VyOS checks, VPN configuration and monitoring guide

Check commands

  1. Show IPsec connection information:
    show vpn ipsec con
  2. Show IPsec security association (SA) information:
    show vpn ipsec sa
  3. Show the NHRP cache:
    show ip nhrp cache
  4. Show NHRP next-hop server (NHS) information:
    show ip nhrp nhs

SSL VPN configuration

  1. Reference documentation:
  2. Generate a CA certificate (valid for 3650 days):
    configure
    run generate pki ca install ca-ocserv
  3. Generate the server certificate (valid for 3650 days):
    run generate pki certificate sign ca-ocserv install srv-ocserv
  4. OpenConnect configuration:
    set vpn openconnect authentication local-users username gaojinbo password 'gaojinbo.com'
    set vpn openconnect authentication mode local password
    set vpn openconnect network-settings client-ip-settings subnet '172.20.20.0/24'
    set vpn openconnect network-settings name-server '114.114.114.114'
    set vpn openconnect network-settings name-server '8.8.8.8'
    set vpn openconnect ssl ca-certificate 'ca-ocserv'
    set vpn openconnect ssl certificate 'srv-ocserv'
  5. Set HTTP security headers:
    set vpn openconnect http-security-headers
  6. Configure client routing:
    • Send all client traffic through the SSL VPN:
    set vpn openconnect network-settings push-route '0.0.0.0/0'
    • Send only a chosen prefix (e.g. 10.0.0.0/8) through the SSL VPN (delete the `0.0.0.0/0` entry first):
    set vpn openconnect network-settings push-route '10.0.0.0/8'
  7. Configure NAT:
    set nat source rule 100 outbound-interface 'eth1'
    set nat source rule 100 translation address 'masquerade'
  8. Configure two-factor authentication (2FA):
    • Generate an OTP key for user gaojinbo and a QR code for the user to scan:
    generate openconnect username gaojinbo otp-key hotp-time
    • Set the system time zone:
    configure
    set system time-zone Asia/Chongqing
    • Set the authentication mode to local password + OTP:
    set vpn openconnect authentication mode local password-otp
    • Set the OTP key for user `gaojinbo`:
    set vpn openconnect authentication local-users username gaojinbo otp key '1a3612358a0fe732e3e915c7cfd573da69edf73c'
    • Commit and save, then restart the service so 2FA takes effect:
    commit
    save
    restart openconnect-server
  9. Show sessions and user OTP information:
    • Show OpenConnect server sessions:
    sh openconnect-server sessions
    • Show full OTP information for user `gaojinbo`:
    show openconnect-server user gaojinbo otp full
  10. Client download:
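The 2FA steps above store a hex OTP key on the router (`otp key '<hex>'`) and hand the user a QR code that encodes the same key in base32; the server then accepts a password plus a code derived from that key and the current time, which is why the time-zone step matters. The script below is an added example, not part of the guide and not VyOS or ocserv code, showing what happens on both sides: the HOTP/TOTP derivation, a server-side verifier with a small clock-skew window and constant-time comparison, and the otpauth URI the QR code carries. It assumes the usual oath-toolkit defaults (HMAC-SHA1, 30-second step, 6 digits), which the guide does not state, and uses the RFC 6238 test key rather than a real user key.

```python
"""Time-based OTP as used behind `otp key '<hex>'` for OpenConnect 2FA.

Added example for this guide; not VyOS or ocserv code. Assumptions (the usual
oath-toolkit defaults, not stated by the guide): HMAC-SHA1, 30-second step,
6 digits, and a verifier window of one step either side.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 test key ("12345678901234567890" as hex); constructed sample, not a real user key.
RFC6238_KEY_HEX = "3132333435363738393031323334353637383930"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(hex_key: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(bytes.fromhex(hex_key), at_time // step)


def verify_totp(hex_key: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check tolerating clock skew of +/- `window` steps.

    Every candidate code is compared (no early return) with a constant-time
    comparison, so a wrong guess costs the same as a right one.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    key = bytes.fromhex(hex_key)
    counter = at_time // STEP_SECONDS
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            matched = True
    return matched


def otpauth_uri(hex_key: str, username: str, issuer: str = "vyos-openconnect") -> str:
    """What the QR code for the authenticator app encodes: the same key, base32-encoded."""
    secret = base64.b32encode(bytes.fromhex(hex_key)).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(username)}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_KEY_HEX, now))
    print(otpauth_uri(RFC6238_KEY_HEX, "gaojinbo"))
```

The window of one step either side is the usual trade-off: it absorbs a little drift between router and phone without letting a captured code stay valid for long, and it is why a router whose clock is badly off (or set to the wrong zone) rejects every code even though the key is correct.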

SSTP VPN configuration

Reference documentation: https://docs.vyos.io/en/latest/configuration/vpn/sstp.html. Note: a VPN configured over SSTP can be used to tunnel out through filtered networks; it uses PPP dial-up and carries its data over port 443.

Monitoring

Reference documentation: https://docs.vyos.io/pt/latest/configuration/service/monitoring.html