    /* Only eth0 (the public uplink, see interfaces ethernet eth0) has rulesets attached; eth2, vtun10 and vti11 carry no firewall in this config */
    firewall {
        interface eth0 {
            /* OUTSIDE-IN: traffic forwarded through the router, i.e. the DNAT targets under nat destination */
            in {
                name OUTSIDE-IN
            }
            /* OUTSIDE-LOCAL: traffic addressed to the router itself (SSH, OpenVPN, ICMP) */
            local {
                name OUTSIDE-LOCAL
            }
        }
        log-martians enable
        /* Forwarded traffic: default drop, and dropped packets are logged */
        name OUTSIDE-IN {
            default-action drop
            enable-default-log
            rule 10 {
                action accept
                state {
                    established enable
                    related enable
                }
            }
            /* Pairs with nat destination rule 100 (public 3389 -> 192.168.1.2). No source address restriction, so RDP on that host is reachable from any internet source; adding a source match here would limit the exposure */
            rule 20 {
                action accept
                description RDP
                destination {
                    port 3389
                }
                protocol tcp_udp
                state {
                    new enable
                }
            }
            /* Pairs with nat destination rule 101 (public 10022 -> 192.168.1.4:22); matches the post-translation address/port, no source restriction either */
            rule 30 {
                action accept
                description Linux
                destination {
                    address 192.168.1.4
                    port 22
                }
                protocol tcp
                state {
                    new enable
                }
            }
        }
        /* Router-local traffic: default drop. Unlike OUTSIDE-IN there is no enable-default-log, so drops of router-bound traffic are not logged */
        name OUTSIDE-LOCAL {
            default-action drop
            rule 10 {
                action accept
                state {
                    established enable
                    related enable
                }
            }
            /* Echo-request only; other ICMP types fall through to the default drop */
            rule 20 {
                action accept
                icmp {
                    type-name echo-request
                }
                protocol icmp
                state {
                    new enable
                }
            }
            /* Rules 30 and 31 together rate-limit SSH: a source seen more than 4 times within a minute (recent count 4 / time minute) is dropped, everything else reaches rule 31 */
            rule 30 {
                action drop
                destination {
                    port 22
                }
                protocol tcp
                recent {
                    count 4
                    time minute
                }
                state {
                    new enable
                }
            }
            /* Accept new SSH from any remaining source; see service ssh (port 22) and the keys under system login */
            rule 31 {
                action accept
                destination {
                    port 22
                }
                protocol tcp
                state {
                    new enable
                }
            }
            /* OpenVPN server port (interfaces openvpn vtun10 local-port 1194), open to any source */
            rule 40 {
                action accept
                destination {
                    port 1194
                }
                protocol udp
            }
        }
    }
    interfaces {
        /* Public uplink; this address is the DNAT target of the nat destination rules and the IPsec local-address */
        ethernet eth0 {
            address 152.66.211.122/24
            description 211-OUTSIDE
            hw-id 00:0c:29:8f:54:a0
        }
        /* No address configured; not referenced anywhere else in this config */
        ethernet eth1 {
            hw-id 00:0c:29:8f:54:aa
        }
        /* LAN side; also the DHCP default-router and the DNS/NTP listen address under service and system */
        ethernet eth2 {
            address 192.168.1.254/24
            description INTERNAL-INSIDE
            hw-id 00:0c:29:8f:54:b4
        }
        loopback lo {
        }
        /* OpenVPN server for remote clients (subnet 10.8.0.0/24). Drops privileges to nobody/nogroup and keeps key/tun across restarts. Several openvpn-options repeat native settings: proto, port and dev are already given by protocol udp, local-port and the interface name */
        openvpn vtun10 {
            local-port 1194
            mode server
            openvpn-option "--proto udp"
            openvpn-option "--ifconfig-pool-persist ipp.txt"
            openvpn-option "--keepalive 10 120"
            openvpn-option "--user nobody --group nogroup"
            openvpn-option "--persist-key --persist-tun"
            openvpn-option "--status openvpn-status.log"
            openvpn-option "--verb 3"
            openvpn-option "--mute 10"
            openvpn-option "--port 1194"
            openvpn-option "--dev vtun10"
            /* AES-256-CBC with a separate SHA256 HMAC; an AEAD cipher such as AES-256-GCM would fold the auth step into the cipher */
            openvpn-option "--cipher AES-256-CBC"
            openvpn-option "--auth SHA256"
            /* Clients may reach each other directly through the server */
            openvpn-option --client-to-client
            persistent-tunnel
            protocol udp
            server {
                domain-name maze.local
                name-server 192.168.1.2
                push-route 10.0.0.0/8 {
                }
                /* Only this /16 is pushed, not the whole 172.16.0.0/12 private range; confirm that is intended */
                push-route 172.16.0.0/16 {
                }
                push-route 192.168.0.0/16 {
                }
                subnet 10.8.0.0/24
            }
            /* No tls-auth / tls-crypt key is configured, so the TLS handshake on UDP 1194 is reachable by any source that firewall OUTSIDE-LOCAL rule 40 lets in */
            tls {
                ca-certificate ca-1
                certificate srv-1
                dh-params dh-1
            }
        }
        /* Tunnel interface for the IPsec peer (vpn ipsec site-to-site peer left binds vti11); BGP neighbor 169.254.79.153 is the far end. mtu 1460 presumably accounts for tunnel overhead */
        vti vti11 {
            address 169.254.79.154/30
            description gcp-peer-01
            mtu 1460
        }
    }
    nat {
        destination {
            /* Public 3389 (tcp+udp) -> 192.168.1.2:3389; admitted by firewall OUTSIDE-IN rule 20 */
            rule 100 {
                description RDP
                destination {
                    address 152.66.211.122
                    port 3389
                }
                inbound-interface eth0
                protocol tcp_udp
                translation {
                    address 192.168.1.2
                    port 3389
                }
            }
            /* Public 10022 -> 192.168.1.4:22; admitted by firewall OUTSIDE-IN rule 30, which matches the translated address and port */
            rule 101 {
                description Linux
                destination {
                    address 152.66.211.122
                    port 10022
                }
                inbound-interface eth0
                protocol tcp
                translation {
                    address 192.168.1.4
                    port 22
                }
            }
        }
        source {
            /* LAN to internet */
            rule 100 {
                outbound-interface eth0
                source {
                    address 192.168.1.0/24
                }
                translation {
                    address masquerade
                }
            }
            /* 192.16.11.0/24 is not RFC 1918 space and no interface in this config carries an address in it; likely a typo for 192.168.11.0/24, confirm before relying on this rule */
            rule 101 {
                outbound-interface eth0
                source {
                    address 192.16.11.0/24
                }
                translation {
                    address masquerade
                }
            }
            /* OpenVPN client subnet (interfaces openvpn vtun10 server subnet) to internet */
            rule 110 {
                outbound-interface eth0
                source {
                    address 10.8.0.0/24
                }
                translation {
                    address masquerade
                }
            }
        }
    }
    /* Key material is elided as "..." in this snippet. ca-1, srv-1 and dh-1 are referenced by interfaces openvpn vtun10 tls; certificate "computer" is not referenced anywhere in this config, presumably a client certificate */
    pki {
        /* The CA private key is stored on the router itself, so a compromise of this host also compromises the OpenVPN CA */
        ca ca-1 {
            certificate ...
            private {
                key ...
            }
        }
        certificate computer {
            certificate ...
            private {
                key ...
            }
        }
        certificate srv-1 {
            certificate ...
            private {
                key ...
            }
        }
        dh dh-1 {
            parameters ...
        }
    }
    protocols {
        /* eBGP (AS 65502 <-> AS 65510) with the GCP peer across vti11 */
        bgp {
            /* Advertises the LAN and the OpenVPN client subnet to the peer */
            address-family {
                ipv4-unicast {
                    network 10.8.0.0/24 {
                    }
                    network 192.168.1.0/24 {
                    }
                }
            }
            /* Far end of vti11 (169.254.79.154/30). No route-map or prefix-list is applied in either direction, so every prefix the peer sends is accepted as-is; consider inbound/outbound filtering */
            neighbor 169.254.79.153 {
                address-family {
                    ipv4-unicast {
                        soft-reconfiguration {
                            inbound
                        }
                    }
                }
                ebgp-multihop 10
                remote-as 65510
                /* 20s keepalive / 60s hold; IPsec liveness is handled separately by DPD in vpn ipsec ike-group */
                timers {
                    holdtime 60
                    keepalive 20
                }
            }
            system-as 65502
        }
        /* Default route via the eth0 gateway */
        static {
            route 0.0.0.0/0 {
                next-hop 152.66.211.254 {
                }
            }
        }
    }
    service {
        /* DHCP for the LAN on eth2. Clients get 192.168.1.2 as resolver rather than the router's own forwarder on 192.168.1.254; confirm that is intended */
        dhcp-server {
            shared-network-name LAN {
                subnet 192.168.1.0/24 {
                    default-router 192.168.1.254
                    lease 86400
                    name-server 192.168.1.2
                    range 0 {
                        start 192.168.1.30
                        stop 192.168.1.60
                    }
                }
            }
        }
        /* Forwarder for LAN and OpenVPN clients only (allow-from + listen-address); upstreams are the internal 192.168.1.2 and 8.8.8.8 */
        dns {
            forwarding {
                allow-from 192.168.1.0/24
                allow-from 10.8.0.0/24
                cache-size 100
                listen-address 192.168.1.254
                listen-address 10.8.0.1
                name-server 192.168.1.2
                name-server 8.8.8.8
            }
        }
        /* Reachable from the internet through firewall OUTSIDE-LOCAL rules 30/31 (rate-limited). Only public keys are defined under system login, but there is no disable-password-authentication here, so password logins remain possible; add it if key-only access is intended */
        ssh {
            port 22
        }
    }
    system {
        config-management {
            commit-revisions 100
        }
        /* Connection-tracking helpers (ALGs). Each one parses protocol payloads in the kernel; keep only those actually needed */
        conntrack {
            modules {
                ftp
                h323
                nfs
                pptp
                sip
                sqlnet
                tftp
            }
        }
        /* Serial console at 115200 */
        console {
            device ttyS0 {
                speed 115200
            }
        }
        host-name vyos
        /* Single admin user with two ed25519 keys; no encrypted-password appears for it in this snippet (see also service ssh) */
        login {
            user vyos {
                authentication {
                    public-keys laszlorafael {
                        key AAAAC3NzaC1lZDI1NTE5AAAAIHiR9nibdlnatDAWA5S6fI6f4O9CLvrNcmf8ihda8TJ9
                        type ssh-ed25519
                    }
                    public-keys rlacko {
                        key AAAAC3NzaC1lZDI1NTE5AAAAIPpH+TNAwcmxYc5cVctH04wUU83Pba6s/AkKXOnhDn+m
                        type ssh-ed25519
                    }
                }
            }
        }
        /* Serves time to the LAN only (allow-clients + listen-address on eth2); upstream pool servers are reached over the default route */
        ntp {
            allow-clients {
                address 192.168.1.0/24
            }
            listen-address 192.168.1.254
            server 0.pool.ntp.org {
            }
            server 1.pool.ntp.org {
            }
            server 2.pool.ntp.org {
            }
        }
        syslog {
            console {
                facility all {
                }
            }
            /* Everything at info except the protocols facility (BGP etc.) at debug, which is verbose */
            global {
                facility all {
                    level info
                }
                facility protocols {
                    level debug
                }
            }
        }
    }
    /* IPsec site-to-site to GCP, terminated on vti11 and carrying the BGP session in protocols bgp */
    vpn {
        ipsec {
            /* Phase 2: AES-256 / SHA-256 with PFS (DH group 14), rekey every hour */
            esp-group ESP-TO-GCP {
                lifetime 3600
                pfs dh-group14
                proposal ESP-1 {
                    encryption aes256
                    hash sha256
                }
            }
            /* Phase 1: IKEv2, AES-256 / SHA-256 / DH group 14, 8h lifetime. DPD probes every 20s and restarts the connection after 80s without a reply */
            ike-group IKE-TO-GCP {
                dead-peer-detection {
                    action restart
                    interval 20
                    timeout 80
                }
                key-exchange ikev2
                lifetime 28800
                proposal IKE-1 {
                    dh-group 14
                    encryption aes256
                    hash sha256
                }
            }
            /* IKE/ESP terminate on the public interface */
            interface eth0
            site-to-site {
                /* PSK authentication (secret elided); the tunnel's security rests on the secret's strength since no certificate is checked. remote-id equals the peer address. This side initiates */
                peer left {
                    authentication {
                        mode pre-shared-secret
                        pre-shared-secret ...
                        remote-id 34.124.40.67
                    }
                    connection-type initiate
                    ike-group IKE-TO-GCP
                    local-address 152.66.211.122
                    remote-address 34.124.40.67
                    vti {
                        bind vti11
                        esp-group ESP-TO-GCP
                    }
                }
            }
        }
    }