VyOS Internet Access Series: Internet Access Configuration (1)

The VyOS command-line interface is shell-based and has no graphical UI, but Tab completion is available.

The VyOS commands in this article are based on the 1.5.x version from vyos-rolling-nightly-builds.

**Special thanks to 大卫佬 for the guidance and help**

Installing VyOS on PVE:

Download the nightly build from https://github.com/vyos/vyos-nightly-build/releases . The PVE virtual machine setup and installation are omitted here; 2 GB of RAM and a 10 GB or larger disk are recommended, because VyOS can run containers (it manages them with podman).

After the VM is running, log in as vyos:vyos. Use the command

install image

to install VyOS.

Enter configuration mode:

configure

Apply the changes:

commit

Save the configuration:

save

Discard unapplied, unsaved configuration changes:

discard

The configuration starts below. You can run the commit command at any time; if you do not save, the configuration is lost after a reboot.

Enable SSH login:

set service ssh port '22'

Create the user gary:

set system login user gary full-name gary
set system login user gary authentication plaintext-password '密码'

SSH key login is recommended:

set system login user gary authentication public-keys gary@laptop key 'your-public-key'
set system login user gary authentication public-keys gary@laptop type 'ssh-rsa'

Disable the default vyos user:

set system login user vyos disable

Set the system hostname:

set system host-name 'vyos'

Show the system hostname:

show system host-name

Set the time zone:

set system time-zone 'Asia/Shanghai'

Set the NTP servers:

set service ntp server 129.250.35.251
set service ntp server 203.107.6.88

(Note: several NTP servers can be configured. Your ISP's NTP servers are recommended, ideally given as plain IP addresses, and the default NTP servers can be deleted.)

Set up interface groups (optional but recommended):

set firewall group interface-group LAN interface 'eth0'
set firewall group interface-group WAN interface 'eth1'

Set up a network group (optional):

set firewall group network-group LAN-v4 network '192.168.100.0/24'

Set the LAN IP address:

set interfaces ethernet eth0 address 192.168.100.1/24

Configure the DHCP server:

set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 subnet-id 1
set service dhcp-server hostfile-update
set service dhcp-server shared-network-name VYOS authoritative #make this shared network authoritative to avoid conflicts and confusion (added by a third party)
set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 lease '86400'
set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 option default-router '192.168.100.1' #DHCP option: default gateway
set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 option name-server '192.168.100.1' #DHCP option: DNS
set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 option ntp-server '192.168.100.1' #DHCP option: NTP
set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 range 0 start '192.168.100.101'
set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 range 0 stop '192.168.100.200'

Additional notes (optional):

Add another DNS server to the DHCP options:

set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 option name-server '192.168.100.2'

Delete a DNS server from the DHCP options:

delete service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 option name-server '192.168.100.1'

Change the gateway address in the DHCP options:

set service dhcp-server shared-network-name VYOS subnet 192.168.100.0/24 option default-router '192.168.100.2'

Set the WAN interface as a DHCP client that obtains its address from the upstream router (optional):

set interfaces ethernet eth1 address dhcp

PPPoE reference configuration (1)

When eth1 is the PPPoE uplink, configure PPPoE dial-up:

set interfaces pppoe pppoe0 source-interface 'eth1'
set interfaces pppoe pppoe0 authentication username '054546帐号6266'
set interfaces pppoe pppoe0 authentication password '24密码502'
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 ip adjust-mss 'clamp-mss-to-pmtu'

set interfaces pppoe pppoe0 no-default-route
(Note: when no-default-route is set, a static default route must be specified later. Alternatively, leave out the no-default-route line and VyOS will add the default route automatically.)

Tip: to remove an existing configuration entry in VyOS, use the delete command. For set interfaces pppoe pppoe0 source-interface 'eth1', it can be deleted like this:

configure
delete interfaces pppoe pppoe0 source-interface
commit
save
exit

Set the default static route out of the WAN interface:

set protocols static route 0.0.0.0/0 interface pppoe0
set protocols static route6 ::/0 interface pppoe0
(Note: no-default-route was set above, so the default route has to be set here.)

Set DNS:

set system name-server '223.5.5.5'
set service dns forwarding cache-size '0' ## cache disabled; the default is 150
set service dns forwarding listen-address '192.168.100.1' ## listen on the LAN interface
# restrict DNS resolution to the LAN only
set service dns forwarding allow-from '192.168.100.0/24'

Set up port forwarding (DNAT):

set nat destination rule 10 description 'DSTNAT-wg'
set nat destination rule 10 destination port '53822'
set nat destination rule 10 inbound-interface group 'WAN' #interface eth1 can be used instead
set nat destination rule 10 protocol 'udp'
set nat destination rule 10 translation address '192.168.10.145'
set nat destination rule 10 translation port '53822' #can be omitted if the port is unchanged

Set up the firewall. First configure masquerade (SNAT):

set nat source rule 100 translation address 'masquerade'

Restrict it to the LAN subnet:

set nat source rule 100 source address '192.168.100.0/24'

Hairpin NAT (reflection): because of the masquerade (SNAT) rule above, no separate hairpin rule is needed.

The firewall rule numbers here can be chosen freely; lines sharing the same number belong to the same rule. Leave gaps between numbers so that new rules can be added later. For the nat source rule 100 above, it is recommended not to restrict the interface and to keep just that one rule, which makes later port forwarding and hairpin setup much easier.

Set the firewall rules:

Global options:

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
#the next line lets containers and the LAN reach each other
set firewall global-options apply-to-bridged-traffic invalid-connections

Set the IPv4 inbound (input chain) rules:

set firewall ipv4 name WAN_LOCAL default-action 'drop' #default deny
set firewall ipv4 name WAN_LOCAL rule 10 action 'accept' #allow established and related connections
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'
set firewall ipv4 name WAN_LOCAL rule 30 action 'accept' #allow ICMP
set firewall ipv4 name WAN_LOCAL rule 30 protocol 'icmp'

Below is the WireGuard port allow rule (optional):

set firewall ipv4 name WAN_LOCAL rule 20 action 'accept' #allow connections to wg0
set firewall ipv4 name WAN_LOCAL rule 20 destination port '11133'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'udp'

set firewall ipv4 name WAN_LOCAL rule 40 action 'accept' #example of a port range
set firewall ipv4 name WAN_LOCAL rule 40 destination port '10000-10100'
set firewall ipv4 name WAN_LOCAL rule 40 protocol 'udp'

Set the IPv6 inbound (input chain) rules:

set firewall ipv6 name WAN_LOCAL default-action 'drop' #default deny
set firewall ipv6 name WAN_LOCAL rule 10 action 'accept' #allow established and related connections
set firewall ipv6 name WAN_LOCAL rule 10 state 'established'
set firewall ipv6 name WAN_LOCAL rule 10 state 'related'
set firewall ipv6 name WAN_LOCAL rule 20 action 'accept' #allow ICMPv6
set firewall ipv6 name WAN_LOCAL rule 20 protocol 'icmpv6'
set firewall ipv6 name WAN_LOCAL rule 30 action 'accept' #allow DHCPv6 information from the ISP
set firewall ipv6 name WAN_LOCAL rule 30 destination port '546'
set firewall ipv6 name WAN_LOCAL rule 30 protocol 'udp'
set firewall ipv6 name WAN_LOCAL rule 30 source port '547'

Below is the WireGuard port allow rule (optional):

set firewall ipv6 name WAN_LOCAL rule 40 action 'accept' #allow connections to wg0
set firewall ipv6 name WAN_LOCAL rule 40 destination port '11133'
set firewall ipv6 name WAN_LOCAL rule 40 protocol 'udp'

Set the IPv4 forwarding (forward chain) rules:

set firewall ipv4 name WAN_IN default-action 'drop' #default deny
set firewall ipv4 name WAN_IN rule 10 action 'accept' #allow established and related connections
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'

If there is inbound IPv4 port forwarding, add the following three lines:

set firewall ipv4 name WAN_IN rule 20 action 'accept' #allow DNATed connections
set firewall ipv4 name WAN_IN rule 20 connection-status nat 'destination'
set firewall ipv4 name WAN_IN rule 20 state 'new'

If there is inbound IPv6 port forwarding, add this as well, just as for IPv4:

set firewall ipv6 name WAN_IN rule 40 action 'accept'
set firewall ipv6 name WAN_IN rule 40 connection-status nat 'destination'
set firewall ipv6 name WAN_IN rule 40 state 'new'

Set the IPv6 forwarding (forward chain) rules:

set firewall ipv6 name WAN_IN default-action 'drop' #default deny
set firewall ipv6 name WAN_IN rule 10 action 'accept' #allow established and related connections
set firewall ipv6 name WAN_IN rule 10 state 'established'
set firewall ipv6 name WAN_IN rule 10 state 'related'
set firewall ipv6 name WAN_IN rule 20 action 'accept' #allow ICMPv6
set firewall ipv6 name WAN_IN rule 20 protocol 'icmpv6'
set firewall ipv6 name WAN_IN rule 30 action 'accept' #allow IPsec
set firewall ipv6 name WAN_IN rule 30 destination port '500,4500'
set firewall ipv6 name WAN_IN rule 30 protocol 'udp'

Then call WAN_LOCAL and WAN_IN from the input and forward chains respectively:

set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 inbound-interface group 'WAN'
set firewall ipv4 input filter rule 10 jump-target 'WAN_LOCAL'

set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 inbound-interface group 'WAN'
set firewall ipv4 forward filter rule 10 jump-target 'WAN_IN'

set firewall ipv6 input filter rule 10 action 'jump'
set firewall ipv6 input filter rule 10 inbound-interface group 'WAN'
set firewall ipv6 input filter rule 10 jump-target 'WAN_LOCAL'

set firewall ipv6 forward filter rule 10 action 'jump'
set firewall ipv6 forward filter rule 10 inbound-interface group 'WAN'
set firewall ipv6 forward filter rule 10 jump-target 'WAN_IN'

Note: DNAT is the first thing applied to incoming traffic, before it enters the forward chain; SNAT is the last thing applied, just before traffic leaves.
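As an added example (not part of the original post), the following Python script parses a VyOS 'set' listing in the style of the commands above and audits the WAN exposure: which ports WAN_LOCAL accepts on the router itself, which DNAT forwards exist, and whether WAN_IN accepts the DNATed new connections as rule 20 does. It assumes the chain names WAN_LOCAL and WAN_IN used on this page, and its sample input is a constructed subset of the commands above.

```python
"""Audit a VyOS 1.5 'set' listing for WAN exposure. Added example, not from the original post: it reports
what WAN_LOCAL accepts on the router, what DNAT forwards, and whether WAN_IN accepts the DNATed flows."""
import shlex

# Constructed sample: a subset of the page's own firewall and NAT commands.
SAMPLE_CONFIG = """
set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 destination port '11133'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'udp'
set firewall ipv4 name WAN_IN default-action 'drop'
set firewall ipv4 name WAN_IN rule 20 action 'accept'
set firewall ipv4 name WAN_IN rule 20 connection-status nat 'destination'
set nat destination rule 10 destination port '53822'
set nat destination rule 10 protocol 'udp'
set nat destination rule 10 translation address '192.168.10.145'
"""

def parse(config):
    # fw[(family, chain)] = {"default": action, "rules": {n: {"destination port": "11133", ...}}}
    fw, dnat = {}, {}
    for line in config.strip().splitlines():
        tok = shlex.split(line)  # drops the quotes VyOS prints around values
        if tok[:2] == ["set", "firewall"] and len(tok) > 6 and tok[3] == "name":
            chain = fw.setdefault((tok[2], tok[4]), {"default": None, "rules": {}})
            if tok[5] == "default-action":
                chain["default"] = tok[6]
            elif tok[5] == "rule":
                chain["rules"].setdefault(int(tok[6]), {})[" ".join(tok[7:-1])] = tok[-1]
        elif tok[:3] == ["set", "nat", "destination"]:
            dnat.setdefault(int(tok[4]), {})[" ".join(tok[5:-1])] = tok[-1]
    return fw, dnat

def audit(config, family="ipv4"):
    """Summarise exposure; an empty 'findings' list means WAN_LOCAL, WAN_IN and DNAT are consistent."""
    fw, dnat = parse(config)
    local, wan_in = (fw.get((family, c), {"default": None, "rules": {}}) for c in ("WAN_LOCAL", "WAN_IN"))
    report = {"exposed": [], "forwarded": [], "findings": []}
    for name, chain in (("WAN_LOCAL", local), ("WAN_IN", wan_in)):
        if chain["default"] != "drop":
            report["findings"].append(f"{family} {name}: default-action is {chain['default']}, expected drop")
    for r in local["rules"].values():  # services reachable on the router itself
        if r.get("action") == "accept" and "destination port" in r:
            report["exposed"].append((r.get("protocol", "all"), r["destination port"]))
    accepts_dnat = any(r.get("action") == "accept" and r.get("connection-status nat") == "destination" for r in wan_in["rules"].values())
    for n, r in sorted(dnat.items()):
        report["forwarded"].append((r.get("protocol", "all"), r.get("destination port"), r.get("translation address")))
        if not accepts_dnat:  # DNAT rewrites first, but the forward chain must still accept the new flow
            report["findings"].append(f"DNAT rule {n} is dropped by WAN_IN: no accept for connection-status nat destination")
    return report
```

Feed it the output of `show configuration commands` from a running router to check that every DNAT forward is actually reachable and that nothing beyond the intended ports is open on WAN_LOCAL.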

Configure WireGuard:

set interfaces wireguard wg0 address '10.20.20.1/24'
set interfaces wireguard wg0 peer iphone allowed-ips '10.20.20.2/32'
set interfaces wireguard wg0 peer iphone preshared-key 'preshared-key'
set interfaces wireguard wg0 peer iphone public-key 'public-key'
set interfaces wireguard wg0 port '11133'
set interfaces wireguard wg0 private-key 'private-key'

Configure DDNS:

Cloudflare DDNS:

set service dns dynamic name DDNS-CF-v4 address interface 'pppoe1'
set service dns dynamic name DDNS-CF-v4 host-name 'ddns.example.com'
set service dns dynamic name DDNS-CF-v4 ip-version 'ipv4'
set service dns dynamic name DDNS-CF-v4 password 'token'
set service dns dynamic name DDNS-CF-v4 protocol 'cloudflare'
set service dns dynamic name DDNS-CF-v4 zone 'example.com'
set service dns dynamic name DDNS-CF-v6 address interface 'eth0'
set service dns dynamic name DDNS-CF-v6 host-name 'ddns6.example.com'
set service dns dynamic name DDNS-CF-v6 ip-version 'ipv6'
set service dns dynamic name DDNS-CF-v6 password 'token'
set service dns dynamic name DDNS-CF-v6 protocol 'cloudflare'
set service dns dynamic name DDNS-CF-v6 zone 'example.com'

DNSPod DDNS:

set service dns dynamic name DNSPOD-v4 address interface 'pppoe1'
set service dns dynamic name DNSPOD-v4 host-name 'ddns.example.com'
set service dns dynamic name DNSPOD-v4 password 'token'
set service dns dynamic name DNSPOD-v4 protocol 'dyndns2'
set service dns dynamic name DNSPOD-v4 server 'dnsapi.cn'
set service dns dynamic name DNSPOD-v4 username 'id'

In my own use, the configuration above did not need an interval set; IP changes were picked up automatically.

Set up policy routing:

Example: send wg0 traffic through routing table 100, which is the routing table for sb.

set policy route WG0-to-SB interface 'wg0'
set policy route WG0-to-SB rule 10 destination group network-group '!LAN-v4'
set policy route WG0-to-SB rule 10 set table '100'

Routing table:

set protocols static table 100 route 0.0.0.0/0 next-hop 192.168.10.90

Happy Routing!