
@jbrodriguez
Last active December 10, 2021 16:37

Revisions

  1. jbrodriguez revised this gist Dec 17, 2015. 1 changed file with 0 additions and 4 deletions.
    4 changes: 0 additions & 4 deletions vyos.sh
    @@ -158,10 +158,6 @@ set traffic-policy shaper EGRESS_QOS class 20 bandwidth '20%'
    set traffic-policy shaper EGRESS_QOS class 20 burst '2kb'
    set traffic-policy shaper EGRESS_QOS class 20 ceiling '100%'
    set traffic-policy shaper EGRESS_QOS class 20 priority 1
    # set traffic-policy shaper EGRESS_QOS class 20 description 'usenet'
    # set traffic-policy shaper EGRESS_QOS class 20 match FROM_SKYNET ip source address 192.168.1.70/32
    # set traffic-policy shaper EGRESS_QOS class 20 match NNTP ip source port 119
    # set traffic-policy shaper EGRESS_QOS class 20 match NNTPS ip source port 563

    # these rules restrict the policy to a given ip/port destination. change cidr notation as appropriate
    # note that 22.22.22.22 is just an example
  2. jbrodriguez created this gist Dec 17, 2015.
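--- a/vyos.sh
+++ b/vyos.sh
@@ -0,0 +1,185 @@
+#!/bin/vbash
+
+# CONFIG
+wan=dhcp
+lan=192.168.1.1
+lan_segment=192.168.1.0
+vpn_segment=192.168.5.0
+domain=apertoire.org
+lease_start=192.168.1.200
+lease_stop=192.168.1.245
+
+source /opt/vyatta/etc/functions/script-template
+
+configure
+
+# Fix for error "INIT: Id "TO" respawning too fast: disabled for 5 minutes"
+delete system console device ttyS0
+
+# System Configuration
+## Hostname
+set system host-name <hostname>
+
+## Timezone
+set system time-zone <timezone>
+
+# NTP servers
+set system ntp server <zone>.pool.ntp.org
+set system ntp server 1.<zone>.pool.ntp.org
+set system ntp server 2.pool.ntp.org
+
+# Basic firewall
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall receive-redirects disable
+set firewall send-redirects disable
+set firewall source-validation disable
+set firewall syn-cookies enable
+
+# Configure network interfaces
+set interfaces ethernet eth0 address $wan
+set interfaces ethernet eth0 description WAN
+
+set interfaces ethernet eth1 address $lan/24
+set interfaces ethernet eth1 description LAN
+
+# OpenVPN
+set interfaces openvpn vtun0 mode server
+set interfaces openvpn vtun0 server subnet $vpn_segment/24
+set interfaces openvpn vtun0 server name-server $lan
+set interfaces openvpn vtun0 server domain-name $domain
+set interfaces openvpn vtun0 server push-route $lan_segment/24
+set interfaces openvpn vtun0 tls cert-file /config/auth/<router>.cert.pem
+set interfaces openvpn vtun0 tls key-file /config/auth/<router>.key.pem
+set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca-chain.cert.pem
+set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
+set interfaces openvpn vtun0 openvpn-option 'comp-lzo'
+
+# Enable SSH for remote management:
+set service ssh port 22
+
+# Configure Source NAT for our "LAN" network.
+set nat source rule 100 outbound-interface eth0
+set nat source rule 100 source address $lan_segment/24
+set nat source rule 100 translation address masquerade
+
+# Configure a DHCP Server:
+set service dhcp-server disabled 'false'
+set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 default-router $lan
+set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 dns-server $lan
+set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 domain-name $domain
+set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 lease 604800
+set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 start $lease_start stop $lease_stop
+
+set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 static-mapping <some-workstation> ip-address 192.168.1.10
+set service dhcp-server shared-network-name LAN_POOL subnet 192.168.1.0/24 static-mapping <some-workstation> mac-address <some-workstation mac address>
+
+# set up system name servers
+set system name-server '8.8.4.4'
+set system name-server '8.8.8.8'
+
+# And a DNS forwarder:
+set service dns forwarding cache-size '2048'
+set service dns forwarding listen-on 'eth1'
+set service dns forwarding name-server '8.8.4.4'
+set service dns forwarding name-server '8.8.8.8'
+
+# listen on vtun0 to provide dns resolution to openvpn clients
+set service dns forwarding listen-on vtun0
+
+# Static DNS mappings
+set system static-host-mapping host-name <some-workstation.local>
+set system static-host-mapping host-name <some-workstation.local> alias some-workstation
+set system static-host-mapping host-name <some-workstation.local> inet 192.168.1.10
+
+
+# Firewall rulesets
+# From the web (inbound)
+set firewall name FROM-EXTERNAL default-action drop
+
+set firewall name FROM-EXTERNAL rule 10 action accept
+set firewall name FROM-EXTERNAL rule 10 state established enable
+set firewall name FROM-EXTERNAL rule 10 state related enable
+
+# Traffic destined to router
+set firewall name TO-ROUTER default-action drop
+
+set firewall name TO-ROUTER rule 10 action accept
+set firewall name TO-ROUTER rule 10 state established enable
+set firewall name TO-ROUTER rule 10 state related enable
+
+set firewall name TO-ROUTER rule 20 action accept
+set firewall name TO-ROUTER rule 20 icmp type-name 'echo-request'
+set firewall name TO-ROUTER rule 20 protocol 'icmp'
+set firewall name TO-ROUTER rule 20 state new 'enable'
+
+#open firewall for openvpn
+set firewall name TO-ROUTER rule 30 action accept
+set firewall name TO-ROUTER rule 30 destination port 1194
+set firewall name TO-ROUTER rule 30 protocol udp
+# set firewall name TO-ROUTER rule 30 log enable
+
+
+# Traffic within the LAN
+set firewall name LAN-TO-LAN default-action 'accept'
+
+
+# Apply the firewall rulesets
+set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
+set interfaces ethernet eth0 firewall local name TO-ROUTER
+set interfaces ethernet eth1 firewall in name LAN-TO-LAN
+
+# # QOS
+set traffic-policy shaper EGRESS_QOS bandwidth '20Mbit'
+
+# default download priority
+set traffic-policy shaper EGRESS_QOS default bandwidth '70%'
+set traffic-policy shaper EGRESS_QOS default burst '2kb'
+set traffic-policy shaper EGRESS_QOS default ceiling '100%'
+set traffic-policy shaper EGRESS_QOS default priority 3
+set traffic-policy shaper EGRESS_QOS default queue-type 'fq-codel'
+
+# megasuper priority dns and ssh and icmp
+set traffic-policy shaper EGRESS_QOS class 10 bandwidth 10%
+set traffic-policy shaper EGRESS_QOS class 10 burst '2kb'
+set traffic-policy shaper EGRESS_QOS class 10 ceiling 100%
+set traffic-policy shaper EGRESS_QOS class 10 priority 5
+set traffic-policy shaper EGRESS_QOS class 10 queue-type 'fq-codel'
+set traffic-policy shaper EGRESS_QOS class 10 match icmp ip protocol icmp
+# set traffic-policy shaper EGRESS_QOS class 10 match ssh ip source port 22
+set traffic-policy shaper EGRESS_QOS class 10 match dns ip source port 53
+
+# usenet traffic
+set traffic-policy shaper EGRESS_QOS class 20 bandwidth '20%'
+set traffic-policy shaper EGRESS_QOS class 20 burst '2kb'
+set traffic-policy shaper EGRESS_QOS class 20 ceiling '100%'
+set traffic-policy shaper EGRESS_QOS class 20 priority 1
+# set traffic-policy shaper EGRESS_QOS class 20 description 'usenet'
+# set traffic-policy shaper EGRESS_QOS class 20 match FROM_SKYNET ip source address 192.168.1.70/32
+# set traffic-policy shaper EGRESS_QOS class 20 match NNTP ip source port 119
+# set traffic-policy shaper EGRESS_QOS class 20 match NNTPS ip source port 563
+
+# these rules restrict the policy to a given ip/port destination. change cidr notation as appropriate
+# note that 22.22.22.22 is just an example
+set traffic-policy shaper EGRESS_QOS class 20 match NNTPS ip source address 22.22.22.22/32
+set traffic-policy shaper EGRESS_QOS class 20 match NNTPS ip source port 443
+set traffic-policy shaper EGRESS_QOS class 20 queue-type 'fq-codel'
+
+set interfaces ethernet eth1 traffic-policy out EGRESS_QOS
+
+# set service ssh disable‐password‐authentication
+
+# Dynamic DNS
+set service dns dynamic interface eth0 service duckdns protocol dyndns2
+set service dns dynamic interface eth0 service duckdns server www.duckdns.org
+set service dns dynamic interface eth0 service duckdns login dummy
+set service dns dynamic interface eth0 service duckdns password <duckdns api code>
+set service dns dynamic interface eth0 service duckdns host-name <registered hostname>
+
+
+commit
+save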
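Review bot: The commented-out SSH hardening line near the end, `# set service ssh disable‐password‐authentication`, is written with non-ASCII hyphens (U+2010) instead of `-`, so uncommenting it as-is would not parse; it should read `set service ssh disable-password-authentication`, and since the VPN is already certificate-based, key-only SSH is the natural companion. No firewall ruleset is attached to `vtun0` (only eth0 and eth1 receive `firewall in`/`local` assignments), so VPN clients reach the LAN and the router's SSH service without any stated policy; making that explicit with `set interfaces openvpn vtun0 firewall in name <ruleset>` and a matching named ruleset would document the intent even if it stays permissive. `set firewall source-validation disable` turns off reverse-path checking on the WAN-facing box; `loose` or `strict` is the usual choice unless asymmetric routing is expected. The DHCP server block hard-codes `192.168.1.0/24` while `$lan_segment` is defined in CONFIG for exactly that value; using `$lan_segment/24` there keeps CONFIG the single place to change.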