

VyOS

Resources

Info

  • Debian-based.
  • Forked from Vyatta.

Installation

See Installation (VyOS).

  1. (Recommended) Disable Intel Hyper-Threading.
  2. Download the latest rolling release (free) or LTS release (paid) ISO.
  3. Burn and boot from it (it's a live image).
  4. Log in using user vyos and password vyos.
  5. Run install image to run the permanent installation wizard.
    • Keep the suggested image name to keep track of versions.
    • If asked about which config to copy, any one is fine.
  6. Remove the live image and reboot.

Initial Configuration

An example of a full configuration, except for intuitive steps I forgot to mention.

  1. Log in as user vyos and password as set in the installation (or vyos if using the live media).
    • It'll drop you directly into operational mode.
  2. Fix the keyboard layout:
    • Run config TUI: set console keymap
    • FIXME: This doesn't seem to work. Relogging or restarting doesn't help either.
  3. Enter configuration mode: configure
    • This changes the prompt from $ to #.
  4. Set hostname:
    1. (Note) <host-name>.<domain-name> should be an FQDN.
    2. Hostname: set system host-name <hostname>
    3. Domain name: set system domain-name <domain-name>
  5. Set the DNS servers: set system name-server <ip-address> (for each server)
  6. Set the time zone: set system time-zone Europe/Oslo (example)
  7. (Optional) Replace the NTP servers:
    1. Remove default NTP servers: delete system ntp <server> (for each server)
    2. Add new NTP servers: set system ntp server ntp.justervesenet.no (example)
  8. (Optional) Enable Ctrl+Alt+Del reboot: set system options ctrl-alt-del-action reboot (or ignore)
  9. Set up a plain WAN-facing interface with an IP address (without LAG or VLAN):
    1. Show all Ethernet interfaces: run show interfaces ethernet detail
    2. Enter interface config: edit interfaces ethernet <if>
    3. Set the MAC address if missing (from show int ...): set hw-id <mac-addr>
    4. Set description: set description <description>
    5. (Alternative) Set static address (IPv4 + IPv6): set address <addr>/<prefix-length>
    6. (Alternative) Set to get IPv4 address from DHCPv4: set address dhcp
    7. (Alternative) Set to get IPv6 address from DHCPv6: set address dhcpv6
    8. (Alternative) Set to get IPv6 address from SLAAC: set ipv6 address autoconf
    9. (Optional) Set firewall policies: set firewall {local | in | out} <...>
  10. Set default routes: set protocols static route[6] <0.0.0.0/0|::/0> next-hop <next-hop> (for IPv4 and IPv6)
  11. (Optional) Setup basic SSHD:
    1. Enable server: set service ssh
    2. (Optional) Commit and log in through SSH instead of the console.
  12. Replace default user:
    1. (Note) You may want to skip ahead to the SSHD step so you can paste stuff via SSH instead of manually writing it into the console.
    2. Enter new user: edit system login user <username>
    3. Set password: set authentication plaintext-password "<password>"
      • Remember the quotation marks if the password string contains spaces.
      • To generate an encrypted-password instead of specifying it as plaintext, run openssl passwd -6 on a "safe" machine. (TODO Is this broken in 1.3? It only adds the last characters of the supplied text.)
    4. (Optional) Add your personal SSH pubkey:
      1. Set key type: set authentication public-keys <name> type ssh-rsa
      2. Set key (only the Base64-encoded part): set authentication public-keys <name> key <key>
    5. Commit and log into the new user.
    6. Delete the default user: delete system login user vyos
  13. Setup SSHD:
    1. Enable server: set service ssh
    2. (Optional) Disable password login (pubkeys only): set service ssh disable-password-authentication
  14. (Optional) Set up a LAG interface:
    1. Enter interface config: edit interfaces bonding bond<n>
    2. Set member interfaces: set member interface <if>
    3. Enable LACP: set mode 802.3ad
    4. Set hashing policy: set hash-policy layer2+3
    5. Configure as a normal interface.
  15. (Optional) Set up a VLAN interface:
    1. Enter the parent/physical interface config.
    2. Enter the VLAN subinterface config: edit vif <VID>
    3. Configure as a normal interface.
  16. (Optional) Set black hole route: set protocols static route[6] <prefix> blackhole (for IPv4 and IPv6)
  17. Enable LLDP: set service lldp interface all
  18. Enable unicast reverse path forwarding (uRPF) globally: set firewall source-validation strict
  19. Set firewall:
    1. Enter firewall section.
    2. Set options:
      1. set all-ping enable (default) (still recommended to add ping rules)
      2. set broadcast-ping disable
      3. set receive-redirects disable
      4. set ipv6-receive-redirects disable
      5. set ip-src-route disable
      6. set ipv6-src-route disable
      7. set log-martians disable
      8. set send-redirects disable
    3. Set default policies:
      • set firewall state-policy established action accept
      • set firewall state-policy related action accept
      • set firewall state-policy invalid action drop
    4. Create IPv4 and IPv6 rule sets. Note that IPv4 and IPv6 rule sets can't share names, so you can suffix the names with -4 and -6 to avoid conflict.
    5. Attach rule sets to interfaces (typically "local" and "out").
  20. Set banners:
    1. (Note) Newlines must be escaped with \n.
    2. Set pre-login banner: set system login banner pre-login "" (disable)
    3. Set post-login banner: set system login banner post-login ""
  21. (Optional) Tuning (bare metal):
    • TODO This can be done in the interface ethernet configs instead.
    • See the Linux router notes.
    • Enable GRO (example): ethtool -K <if> gro on
    • Increase RX/TX buffer sizes (example): ethtool -G <if> tx 4096 rx 4096
    • Enable scatter/gather aka vectored I/O (example): ethtool -K <if> sg on
    • Make any ethtool (e.g.) commands permanent by adding them to /config/scripts/vyos-postconfig-bootup.script.
  22. Commit and save: commit and save.
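A worked configuration covering steps 12, 13 and 19 above (pubkey-only admin user, key-only SSH, and IPv4/IPv6 rule sets on the WAN interface's local hook), as an added example that is not part of these notes and not VyOS project code. It assumes VyOS 1.3 syntax, WAN interface eth0, user admin with key name laptop, rule set names WAN-LOCAL-4 and WAN-LOCAL-6, and the documentation prefixes 192.0.2.0/24 and 2001:db8::/32 as placeholders for the networks you manage the router from.

```vyos
# Added example (not from the original notes), VyOS 1.3 syntax. Assumed names: WAN
# interface eth0, user admin, key name laptop, rule sets WAN-LOCAL-4/-6; 192.0.2.0/24
# and 2001:db8::/32 are documentation prefixes standing in for your management nets.
configure

# Admin user with a console password and an SSH key; SSH then refuses passwords.
set system login user admin authentication plaintext-password "<CONSOLE-PASSWORD>"
set system login user admin authentication public-keys laptop type ssh-ed25519
set system login user admin authentication public-keys laptop key "<BASE64-KEY>"
set service ssh port 22
set service ssh disable-password-authentication

# Global state policy from step 19: reply traffic accepted, invalid packets dropped.
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop

# IPv4 rule set for the "local" hook (traffic to the router itself): only ping and
# SSH from the management prefix pass; everything else is dropped and logged.
set firewall name WAN-LOCAL-4 default-action drop
set firewall name WAN-LOCAL-4 enable-default-log
set firewall name WAN-LOCAL-4 rule 10 action accept
set firewall name WAN-LOCAL-4 rule 10 protocol icmp
set firewall name WAN-LOCAL-4 rule 10 icmp type-name echo-request
set firewall name WAN-LOCAL-4 rule 20 action accept
set firewall name WAN-LOCAL-4 rule 20 protocol tcp
set firewall name WAN-LOCAL-4 rule 20 destination port 22
set firewall name WAN-LOCAL-4 rule 20 source address 192.0.2.0/24

# IPv6 twin (separate name space, hence the -6 suffix). ICMPv6 stays open as a
# whole: neighbour discovery and path MTU discovery break without it.
set firewall ipv6-name WAN-LOCAL-6 default-action drop
set firewall ipv6-name WAN-LOCAL-6 enable-default-log
set firewall ipv6-name WAN-LOCAL-6 rule 10 action accept
set firewall ipv6-name WAN-LOCAL-6 rule 10 protocol ipv6-icmp
set firewall ipv6-name WAN-LOCAL-6 rule 20 action accept
set firewall ipv6-name WAN-LOCAL-6 rule 20 protocol tcp
set firewall ipv6-name WAN-LOCAL-6 rule 20 destination port 22
set firewall ipv6-name WAN-LOCAL-6 rule 20 source address 2001:db8::/32

# Attach both rule sets to the WAN interface's local hook.
set interfaces ethernet eth0 firewall local name WAN-LOCAL-4
set interfaces ethernet eth0 firewall local ipv6-name WAN-LOCAL-6
# commit-confirm reboots into the last saved config unless confirmed in time:
# test from a new SSH session first, then confirm and save.
commit-confirm 5
confirm
save
```

Run save only after confirm has succeeded; saving first would make the reboot fallback load the very config that locked you out.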

General Configuration

CLI

  • The system is in "operational mode" ($) after logging in. Enter "configuration mode" (#) using the configure command.
  • Use ? to show alternatives and tab to auto-complete.
  • Use run to run operational mode commands in configuration mode.

Basics

  • System information:
    • Show log: show log [tail]
  • Interface and routing information:
    • L2/L3 interfaces overview: show interfaces
    • Routes: show ip routes and show ipv6 routes
  • Configuration changes:
    • Show configuration: show
      • Running this in conf mode shows any changes.
      • Run this in op mode if you intend to copy it from the terminal, to avoid the indentation and markers used to show pending changes.
    • Apply changes: commit
    • Apply changes with confirmation: commit-confirm [comment <comment>] [minutes]
      • Run confirm within N minutes when you've verified that the changes are working as intended.
      • Not confirming in time will cause the system to reboot.
    • Save changes: save

Tasks

Reset Admin Password

Reboot the device and wait for the boot screen. In the boot screen, select the "lost password change (KVM)" option. It will boot into a prompt asking you to set a new password. After setting a new password, the device will automatically reboot.

Add Service

This example shows how to download an application to persistent storage and run it at boot as a service.

  1. Enter persistent storage: cd /usr/lib/live/mount/persistence/
  2. Create an opt dir to store apps in: mkdir opt and cd opt.
  3. Download the app: wget <whatever-v0> and extract it (keep the version number).
  4. Make a symlink without the version number: ln -s <whatever-v0> <whatever>
  5. Try to run the executable to make sure it works.
  6. Make a folder to keep systemd service files: mkdir systemd
  7. Create a service file for the application as systemd/<whatever>.service (see example below).
  8. Make sure the service works by manually adding it and starting it (see the script to do it automatically at boot).
  9. Add and start the service at boot by adding it through /config/scripts/vyos-postconfig-bootup.script (see example below).
  10. Reboot and make sure it works (systemctl status <whatever>.service).

Example service file (<whatever>.service):

[Unit]
Description=Node Exporter
After=network.target

[Service]
Type=simple
Restart=always
ExecStart=/usr/lib/live/mount/persistence/opt/node_exporter/node_exporter --collector.interrupts

[Install]
WantedBy=multi-user.target

Example /config/scripts/vyos-postconfig-bootup.script (excluding old stuff):

# ...

# Enable Node Exporter: link the persistent unit file into systemd, then enable it.
# POSIX test brackets so the script works whether it is run by sh or bash.
if [ -f /usr/lib/live/mount/persistence/opt/systemd/node-exporter.service ]; then
    # -f replaces an existing link, so the script stays idempotent across reboots
    ln -sf /usr/lib/live/mount/persistence/opt/systemd/node-exporter.service /etc/systemd/system/node-exporter.service
    systemctl daemon-reload
    systemctl enable --now node-exporter.service
fi

Random Notes

  • The DHCPv4 relay requires the interface towards the upstream DHCP server to be included in the relay interfaces. Otherwise the responses from the upstream server will be dropped. The relay is also very buggy at the moment, so I'd recommend not using it until it gets fixed. See T377 and T1276.
