In this article I walk you through configuring VyOS version 1.5 to send your LAN's traffic through a WireGuard VPN to the Mullvad service. The configuration keeps local-network access for specific destinations while everything else from the VPN clients is routed through the tunnel. The commands and configuration described here are current for the latest VyOS releases and supersede the earlier article, which applied only up to version 1.3.
Introduction
VyOS is a powerful and flexible open-source routing platform. In this guide we configure two Ethernet interfaces, one for the WAN and one for the LAN, and use WireGuard to build a VPN tunnel to Mullvad. Policy-based routing lets us keep local-network access for some specific destinations while all remaining traffic from the VPN clients is routed through the VPN.
Firewall Configuration
Global Firewall Options
We start with the global firewall options, which tune the kernel's network stack for security and performance:
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
- all-ping 'enable': lets the router answer ICMP echo requests, useful for diagnosing network problems.
- broadcast-ping 'disable': ignores echo requests sent to broadcast addresses, so the router cannot be used as an amplifier in Smurf attacks.
- ip-src-route 'disable': drops source-routed IPv4 packets, which an attacker could use to steer traffic around the expected path.
- ipv6-receive-redirects 'disable': ignores ICMPv6 redirects, which could otherwise rewrite the router's IPv6 routing decisions.
- ipv6-src-route 'disable': drops source-routed IPv6 packets, for the same reason as the IPv4 setting.
- log-martians 'enable': logs packets with impossible source addresses (for example a private source arriving on the WAN), which makes spoofing attempts visible in the logs.
- receive-redirects 'disable': ignores ICMP redirects to prevent unwanted changes to the routing table.
- send-redirects 'enable': lets the router send ICMP redirects to tell hosts about a more direct route; harmless where the router is the only gateway on the LAN, but disable it if you do not want hosts to learn about other routers.
- source-validation 'disable': turns off reverse-path filtering. Strict reverse-path checking drops packets whose return route does not match the interface they arrived on, which is exactly what the policy-based routing later in this guide produces; VyOS also offers 'loose' as a middle ground.
- syn-cookies 'enable': enables SYN cookies so the router stays reachable during a SYN flood.
- twa-hazards-protection 'disable': leaves RFC 1337 TIME-WAIT assassination protection off, which is the kernel default; enabling it is safe on most networks.
Address and Network Groups
We define address and network groups so that the firewall and policy rules can refer to sets of hosts and networks by name:
set firewall group address-group WG-CLIENT address '192.168.100.3-192.168.100.253'
set firewall group network-group LAN-Allowed description 'Lan Network allowed to connect to clients'
set firewall group network-group LAN-Allowed network '192.168.20.0/24'
set firewall group network-group LAN-Allowed network '192.168.160.0/24'
set firewall group network-group LAN-Allowed network '192.168.80.0/24'
set firewall group network-group LAN-Allowed network '192.168.4.0/24'
set firewall group network-group PROXY_WG_NETWORK description 'Proxy LAN for Mullvad VPN'
set firewall group network-group PROXY_WG_NETWORK network '192.168.0.0/24'
set firewall group network-group PROXY_WG_NETWORK network '192.168.1.0/24'
set firewall group network-group PROXY_WG_NETWORK network '192.168.2.0/24'
set firewall group network-group RFC1918 network '192.168.0.0/16'
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
Filter Rules
We define the filter rules for forwarded traffic (through the router) and input traffic (to the router itself):
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 15 action 'jump'
set firewall ipv4 forward filter rule 15 inbound-interface name 'wg80'
set firewall ipv4 forward filter rule 15 jump-target 'wg80-in'
set firewall ipv4 forward filter rule 25 action 'jump'
set firewall ipv4 forward filter rule 25 jump-target 'WAN_OUT'
set firewall ipv4 forward filter rule 25 outbound-interface name 'eth0'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 15 action 'jump'
set firewall ipv4 input filter rule 15 inbound-interface name 'wg80'
set firewall ipv4 input filter rule 15 jump-target 'wg80-local'
Both chains accept by default. Packets arriving on wg80 are diverted to the wg80-in chain (forwarded traffic) or the wg80-local chain (traffic to the router itself), and any forwarded packet that would leave through eth0, that is outside the tunnel, is checked against the WAN_OUT chain. Note that nothing here restricts what arrives on eth0: with the default action set to accept, every service the router listens on is reachable from the WAN side unless a later rule says otherwise.
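Because the input and forward chains above accept by default and only special-case wg80, a router whose eth0 faces a public network exposes every local service (SSH on 22, the DNS forwarder, NTP) to the Internet. The following is an added example, not part of the original article, that closes that gap with two extra chains hooked in next to the wg80 jumps using the same jump pattern. The chain names WAN_LOCAL and WAN_IN and the rule numbers 20 and 10 to 40 are my choice; the only requirement is that they do not collide with the rules already used on this page.

```vyos
# Added example (not from the original article): restrict what the Internet side may
# send to the router itself and to the LAN. Chain names WAN_LOCAL / WAN_IN and the rule
# numbers are assumptions that do not collide with the rules used in the article.

# Router-destined traffic arriving on eth0: replies to our own connections and
# rate-limited pings, nothing else. WireGuard replies from Mullvad count as
# established because the router sent the handshake first.
set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL description 'Internet to router'
set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'
set firewall ipv4 name WAN_LOCAL rule 20 action 'drop'
set firewall ipv4 name WAN_LOCAL rule 20 state 'invalid'
# Keep echo-request answerable (all-ping is enabled in the global options) but limited
set firewall ipv4 name WAN_LOCAL rule 30 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 30 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 30 icmp type-name 'echo-request'
set firewall ipv4 name WAN_LOCAL rule 30 limit rate '5/second'
# Log what is dropped so a misconfiguration shows up in 'show log firewall'
set firewall ipv4 name WAN_LOCAL rule 40 action 'drop'
set firewall ipv4 name WAN_LOCAL rule 40 description 'Log everything else'
set firewall ipv4 name WAN_LOCAL rule 40 log

# Traffic arriving on eth0 that would be forwarded into the LAN: replies only
set firewall ipv4 name WAN_IN default-action 'drop'
set firewall ipv4 name WAN_IN description 'Internet to LAN'
set firewall ipv4 name WAN_IN rule 10 action 'accept'
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'
set firewall ipv4 name WAN_IN rule 20 action 'drop'
set firewall ipv4 name WAN_IN rule 20 state 'invalid'

# Hook both chains in next to the existing wg80 jumps (rule 15) and the WAN_OUT jump (rule 25)
set firewall ipv4 input filter rule 20 action 'jump'
set firewall ipv4 input filter rule 20 inbound-interface name 'eth0'
set firewall ipv4 input filter rule 20 jump-target 'WAN_LOCAL'
set firewall ipv4 forward filter rule 20 action 'jump'
set firewall ipv4 forward filter rule 20 inbound-interface name 'eth0'
set firewall ipv4 forward filter rule 20 jump-target 'WAN_IN'
```

The tunnel keeps working because the handshake and the keepalives are initiated by the router, so Mullvad's replies match rule 10 of WAN_LOCAL. If the eth0 side is an internal network whose hosts must open connections into 192.168.100.0/24, add explicit accept rules to WAN_IN for those sources; after committing, `show firewall ipv4 name WAN_LOCAL` shows the per-rule counters, and the rule 40 log lines reveal anything you forgot.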
WAN-Specific Rules
We configure the rules for traffic leaving through the WAN, so that only what is meant to bypass the tunnel actually does:
set firewall ipv4 name WAN_OUT default-action 'accept'
set firewall ipv4 name WAN_OUT description 'Block navigation if VPN is down'
set firewall ipv4 name WAN_OUT rule 9 action 'accept'
set firewall ipv4 name WAN_OUT rule 9 state 'established'
set firewall ipv4 name WAN_OUT rule 9 state 'related'
set firewall ipv4 name WAN_OUT rule 10 action 'accept'
set firewall ipv4 name WAN_OUT rule 10 state 'established'
set firewall ipv4 name WAN_OUT rule 10 state 'related'
set firewall ipv4 name WAN_OUT rule 11 action 'accept'
set firewall ipv4 name WAN_OUT rule 11 protocol 'icmp'
set firewall ipv4 name WAN_OUT rule 14 action 'accept'
set firewall ipv4 name WAN_OUT rule 14 protocol 'icmp'
set firewall ipv4 name WAN_OUT rule 14 source group address-group 'WG-CLIENT'
set firewall ipv4 name WAN_OUT rule 97 action 'accept'
set firewall ipv4 name WAN_OUT rule 97 description 'Allow always navigation to LAN devices'
set firewall ipv4 name WAN_OUT rule 97 destination group network-group 'LAN-Allowed'
set firewall ipv4 name WAN_OUT rule 101 action 'reject'
set firewall ipv4 name WAN_OUT rule 101 description 'Block all except Port-IN to avoid navigation without VPN line for Mullvad WG group'
set firewall ipv4 name WAN_OUT rule 101 destination port '!53'
set firewall ipv4 name WAN_OUT rule 101 protocol 'tcp_udp'
set firewall ipv4 name WAN_OUT rule 101 source group address-group 'WG-CLIENT'
WAN_OUT is evaluated for every forwarded packet that would leave through eth0, i.e. without passing through the tunnel. For hosts in WG-CLIENT only three things are allowed out that way: established and related traffic, ICMP, and DNS (TCP or UDP port 53); rule 97 additionally lets them reach the LAN-Allowed networks. Everything else from WG-CLIENT is rejected by rule 101, which is what keeps those hosts from browsing unprotected if wg80 is down and their traffic falls back to the main routing table. Two things to keep in mind: the chain's default action is accept, so hosts outside the WG-CLIENT range are not restricted at all; and the port 53 exception means that, with the tunnel down, plain-text DNS queries still leave over the WAN and anything wrapped in port 53 (DNS tunnelling) gets through, so narrow that exception to the resolver addresses you actually use if this matters to you. Rules 9 and 10 are identical and rule 14 is already covered by rule 11; they can be collapsed without changing behaviour.
WireGuard Filter Rules
We configure the chains that handle packets arriving from the tunnel. Both only let replies to connections the LAN initiated through, so nothing on Mullvad's side can open a connection to the router or to the LAN. In wg80-local, rule 1 uses 'return' rather than 'accept', which hands the packet back to the input chain, whose default action is accept, so the effect is the same here:
set firewall ipv4 name wg80-in default-action 'drop'
set firewall ipv4 name wg80-in rule 1 action 'accept'
set firewall ipv4 name wg80-in rule 1 description 'Allow established and related'
set firewall ipv4 name wg80-in rule 1 state 'established'
set firewall ipv4 name wg80-in rule 1 state 'related'
set firewall ipv4 name wg80-in rule 2 action 'drop'
set firewall ipv4 name wg80-in rule 2 description 'Drop invalid'
set firewall ipv4 name wg80-in rule 2 state 'invalid'
set firewall ipv4 name wg80-local default-action 'drop'
set firewall ipv4 name wg80-local rule 1 action 'return'
set firewall ipv4 name wg80-local rule 1 description 'Allow established and related'
set firewall ipv4 name wg80-local rule 1 state 'established'
set firewall ipv4 name wg80-local rule 1 state 'related'
set firewall ipv4 name wg80-local rule 2 action 'drop'
set firewall ipv4 name wg80-local rule 2 description 'Drop invalid'
set firewall ipv4 name wg80-local rule 2 state 'invalid'
Network Interface Configuration
Ethernet and Loopback Interfaces
We configure the Ethernet interfaces and the loopback. eth0 takes its address by DHCP from the upstream network and also requests an IPv6 address by autoconfiguration; eth3 is the LAN for the VPN clients:
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 hw-id '00:11:22:33:44:1e'
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth3 address '192.168.100.254/24'
set interfaces ethernet eth3 description 'WG-CLIENT'
set interfaces ethernet eth3 hw-id '00:11:22:33:44:c9'
set interfaces loopback lo
WireGuard Interface
We configure the WireGuard interface. The tunnel addresses, the peer endpoint and the keys come from the configuration Mullvad generates for your device (one IPv4 /32 and one IPv6 /128 per device key); only placeholders are shown here:
set interfaces wireguard wg80 address '10.0.0.1/32'
set interfaces wireguard wg80 address 'your-mullvad-ipv6-address/128'
set interfaces wireguard wg80 description 'Mullvad wireguard'
set interfaces wireguard wg80 peer mullvad address 'ipv6:address:of:mullvad:server or ipv4'
set interfaces wireguard wg80 peer mullvad allowed-ips '0.0.0.0/0'
set interfaces wireguard wg80 peer mullvad allowed-ips '::/0'
set interfaces wireguard wg80 peer mullvad persistent-keepalive '10'
set interfaces wireguard wg80 peer mullvad port '51820'
set interfaces wireguard wg80 peer mullvad public-key 'public-key'
set interfaces wireguard wg80 private-key 'your-private-key'
This establishes the WireGuard interface wg80 with Mullvad as its only peer. The allowed-ips of 0.0.0.0/0 and ::/0 are required for a default route through the tunnel, because WireGuard only sends a packet to a peer whose allowed-ips cover the destination. Keep the private key out of any shared or archived copy of the configuration; it is the only thing that identifies this router to Mullvad. Note also that everything that follows is IPv4 only: eth0 learns an IPv6 address by autoconfiguration, but no policy route, NAT rule or firewall chain in this guide handles IPv6, so IPv6 traffic the router itself generates bypasses the tunnel.
NAT Configuration
NAT Rules
We configure source NAT for the WireGuard interface:
set nat source rule 80 outbound-interface name 'wg80'
set nat source rule 80 source address '192.168.100.0/24'
set nat source rule 80 translation address 'masquerade'
This masquerades traffic from 192.168.100.0/24 behind the tunnel address when it leaves through wg80, which is required because Mullvad only accepts packets sourced from the address it assigned to the device. There is deliberately no source NAT for eth0: anything that leaves through the WAN outside the tunnel (the DNS exception in WAN_OUT, hosts outside WG-CLIENT) keeps its private source address, which only works if the upstream router on the eth0 side has a return route for 192.168.100.0/24. If eth0 faces the public Internet instead, either add a masquerade rule for it or treat the absence of one as a second safety net against leaks.
Routing Policy
Routing Policy for the LAN
We define the policy route applied to packets entering from the LAN interface eth3:
set policy route VPN description 'Set ROUTE local for LAN-Allowed else to MullVAD VPN'
set policy route VPN interface 'eth3'
set policy route VPN rule 8 action 'accept'
set policy route VPN rule 8 description 'Route this IPs for Mullvad Proxy'
set policy route VPN rule 8 destination group network-group 'PROXY_WG_NETWORK'
set policy route VPN rule 8 set table '80'
set policy route VPN rule 8 source group address-group 'WG-CLIENT'
set policy route VPN rule 9 action 'accept'
set policy route VPN rule 9 destination group network-group 'RFC1918'
set policy route VPN rule 9 set table 'main'
set policy route VPN rule 10 action 'accept'
set policy route VPN rule 10 destination address '0.0.0.0/0'
set policy route VPN rule 10 set table '80'
set policy route VPN rule 10 source group address-group 'WG-CLIENT'
The policy is attached to eth3, so it applies to packets entering from the LAN and not to traffic the router generates itself. Rules are evaluated in order and the first match wins, which is why the numbering matters: rule 8 sends WG-CLIENT traffic for the PROXY_WG_NETWORK networks to table 80, i.e. through the tunnel, and has to come before rule 9 because those networks also fall within RFC1918; rule 9 then sends anything else destined for private address space to the main table, so the LAN-Allowed networks are reached directly; finally rule 10 sends all remaining traffic from WG-CLIENT to table 80. Hosts in 192.168.100.0/24 that lie outside the WG-CLIENT range (.1, .2 and the router's own .254) match no rule and simply follow the main table.
Static Routes
We configure the static routes. Table 80 is the one the policy route above points at:
set protocols static route 0.0.0.0/0 next-hop 10.0.0.2
set protocols static route 192.168.100.0/24 next-hop 192.168.100.254
set protocols static route 192.168.150.0/24 next-hop 192.168.150.1
set protocols static route 192.168.160.0/24 next-hop 192.168.150.1
set protocols static table 80 route 0.0.0.0/0 interface wg80 distance '1'
set protocols static table 80 route 0.0.0.0/0 next-hop 10.0.0.1
Table 80 carries only a default route through wg80, so anything the policy route sends there goes into the tunnel; the next-hop 10.0.0.1 entry points at the router's own wg80 address and adds nothing to the interface route. In the main table the default route via 10.0.0.2 deserves a check: 10.0.0.2 is not on any connected subnet (wg80 carries a /32), so it can only be installed through recursive resolution over another default route, and the router's own traffic normally follows the default that eth0 learns by DHCP. Use show ip route to see which next-hop is actually selected and remove the line if it is not the one you intend. The route for 192.168.100.0/24 via the router's own eth3 address duplicates the connected route, and the 192.168.150.0/24 and 192.168.160.0/24 routes refer to networks behind interfaces not shown in this article. One more caveat: if wg80 is disabled or deleted, table 80 becomes empty, lookups fall through to the main table and WG-CLIENT traffic heads for eth0, which is the situation WAN_OUT was written for.
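WAN_OUT stops the fall-through at the firewall; the fall-through itself can also be prevented at the routing layer, so that table 80 never becomes empty. The following is an added example, not part of the original article: a floating blackhole route in table 80 that is only installed while the route through wg80 is inactive. The distance value 200 is an assumption (anything above the article's distance 1 works), and the connectivity-check URL is Mullvad's published connection-check endpoint, used here only as an illustration of how to test.

```vyos
# Added example (not from the original article): a routing-level kill switch.
# The route via wg80 keeps distance 1 as in the article; the blackhole at distance 200
# (an assumed value, anything above 1 works) is installed only while the wg80 route is
# inactive, so traffic the policy route sends to table 80 is discarded instead of
# falling through to the main table and leaving via eth0.
set protocols static table 80 route 0.0.0.0/0 interface wg80 distance '1'
set protocols static table 80 route 0.0.0.0/0 blackhole distance '200'

# Verification from VyOS operational mode (expected outcome in the comments):
#   show ip route table 80      -> the default via wg80 is selected, the blackhole is the backup
#   configure
#   set interfaces wireguard wg80 disable
#   commit
#   show ip route table 80      -> the blackhole is now the selected default
# From a host in WG-CLIENT, with wg80 disabled, an Internet check must fail
# (for example: curl --max-time 5 https://am.i.mullvad.net/connected), while hosts
# in LAN-Allowed stay reachable because rule 9 of the policy route never uses table 80.
# Re-enable the tunnel afterwards:
#   configure
#   delete interfaces wireguard wg80 disable
#   commit
```

One limit applies to both mechanisms: a WireGuard interface stays up when its peer stops answering, so in that case packets are encrypted towards the dead endpoint and dropped there rather than leaking; the blackhole and WAN_OUT only matter when wg80 is administratively disabled or removed, for example during a reconfiguration.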
Service Configuration
DHCP Server
We configure the DHCP server for the LAN. The Kea-based DHCP server in VyOS 1.5 requires a subnet-id for every subnet:
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 subnet-id '1'
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 option default-router '192.168.100.254'
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 option domain-name 'localdomain'
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 option name-server '192.168.100.3'
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 range 0 start '192.168.100.10'
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 range 0 stop '192.168.100.253'
DNS Forwarding
We configure the DNS forwarder. Two things to check here: listen-address must be an address the router owns on the LAN (in this configuration that is 192.168.100.254 on eth3; 192.168.80.254 belongs to an interface not shown), and the upstream resolvers 8.8.8.8 and 8.8.4.4 are queried by the router itself, whose traffic follows the main table, so those queries leave over eth0 in clear text and outside the tunnel. Hosts in WG-CLIENT get 192.168.100.3 as their resolver from DHCP; if that host in turn relies on this forwarder, their DNS leaks too:
set service dns forwarding allow-from '192.168.100.0/24'
set service dns forwarding domain localdomain name-server 192.168.160.14
set service dns forwarding domain localdomain name-server 192.168.160.15
set service dns forwarding listen-address '192.168.80.254'
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
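To keep the router's own resolver traffic inside the tunnel, the forwarder has to use a resolver reachable through wg80 and the router needs a route to it, because router-originated packets never pass through the policy route. The following is an added example, not part of the original article. It assumes the listen address is the eth3 gateway 192.168.100.254, and that 10.64.0.1 is Mullvad's in-tunnel resolver as given in Mullvad's own documentation; confirm that address against their current documentation before relying on it.

```vyos
# Added example (not from the original article): resolve through the tunnel only.
# Assumptions: 192.168.100.254 is the router's eth3 address and 10.64.0.1 is Mullvad's
# in-tunnel resolver (taken from Mullvad's documentation, verify before use).

# Drop the clear-text upstreams that the router would reach over eth0
delete service dns forwarding name-server 8.8.8.8
delete service dns forwarding name-server 8.8.4.4

# Listen on the LAN gateway address and forward to the in-tunnel resolver
set service dns forwarding listen-address '192.168.100.254'
set service dns forwarding name-server 10.64.0.1

# Router-originated packets follow the main table, not policy route VPN,
# so the resolver needs an explicit route into wg80; without this the query
# would take the main default route and leave over eth0.
set protocols static route 10.64.0.1/32 interface wg80

# Optional: hand the router itself to the LAN as resolver, so WG-CLIENT hosts no
# longer depend on 192.168.100.3 for a tunnel-safe resolver
set service dhcp-server shared-network-name LAN subnet 192.168.100.0/24 option name-server '192.168.100.254'
```

The domain-specific forwarders for localdomain (192.168.160.14 and .15) are unaffected: they live in a LAN-Allowed network and are reached directly, which is the intended behaviour. After committing, `show dns forwarding statistics` confirms queries are being answered, and with wg80 disabled a lookup from a LAN host should time out rather than succeed over the WAN.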
NTP
We configure the NTP server and restrict which clients may use it. The allow-client prefix must be narrow: a /0 would match every address and, with the input chain accepting by default, turn the router into a public NTP server. No IPv6 address is configured on eth3, so an IPv6 allow entry would only ever match clients on the WAN side and is omitted:
set service ntp allow-client address '192.168.0.0/16'
set service ntp server time.google.com
set service ntp server time.cloudflare.com
SSH
We enable SSH. With the input chain accepting by default, the port alone is no protection: bind the service to the LAN address with listen-address, or drop unsolicited traffic arriving on eth0 in the input chain:
set service ssh port '22'
System Configuration
Finally, the system settings:
set system config-management commit-archive
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name 'localdomain'
set system host-name 'vyos-router'
set system login user 'admin' authentication encrypted-password 'your-encrypted-password'
set system name-server '192.168.160.14'
set system name-server '192.168.160.15'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
These settings cover configuration archiving and revision history, connection-tracking helpers, the serial console, hostname and domain, the admin user, the resolvers the router itself uses, and the syslog levels. Two notes: the conntrack helper modules (ftp, h323, sip, pptp and the others) open dynamic pinholes for the protocols they parse and their parsers have a history of security problems, so keep only the ones you actually need; and the encrypted-password hash, like the WireGuard private key, must be your own and never copied from an example.