I’ve used Mikrotik’s RouterOS operating system for a while, mainly in the form of tiny MIPS-based routers sold under the Routerboard brand.

In late 2012, Ubiquiti - a maker of little SoC-based wireless equipment - announced its first router product, the EdgeRouter Lite. Built around a dual core, 500 MHz Cavium Octeon Plus CN5020 (more specs), the operating system, branded EdgeOS, is actually a reskinned port of VyOS to a MIPS64-based embedded system.

So what’s VyOS? It’s a community fork of Vyatta, which was a dual-license (supported / free) Linux-based “router distro” that was “closed up” when Vyatta was bought by Brocade. Kind of like OpenIndiana and friends sprung forth from Oracle closing up OpenSolaris.

Anyway, that was my introduction to VyOS. The user experience is “JunOS-like, but definitely rough around the edges”. Technically things are sort of beta-ish - lots of functionality is missing or doesn’t work quite as expected, but you can still win with simple use cases.

VyOS can be virtualized fairly painlessly. I’m running a couple of VMs for laptop VPN Internet use (for instance, including avoiding surveillance, circumventing content blocks, etc) under SmartOS KVM. A configuration like his makes a good springboard for building more complex stuff like “split VPN to 1918 space for the IPMI/BMC VLAN”.

Caveat: When you go to install VyOS, you’ll be booting from a thumb drive. Remember to type “install image”, and then reboot. VyOS booted from a memory stick will happily let you type in configurations and save them (whether you have first run the installer or not), and you’ll be very puzzled when you reboot and all of your configuration has disappeared into the aether.

Here’s a sample configuration is done on VyOS 1.1.7 (Helium) with a single virtualized interface (virtio). It implements L2TP/IPSEC for talking to a Mac or iPhone using the built-in VPN functionality. It includes both a “NAT Out” pool of addresses (192.168.90.100-240) and a couple of static address logins for Gaige and me. In the interest of keeping the configuration terse, 192.0.2.96/28 (the subnet with the “static” addresses on it) is static routed to this virtualized router from the upstream pair of routers. No active routing protcols are in use. Keen-eyed readers will notice that I’ve removed the NTP server stanzas from the default config. That’s not because I suddenly developed an allergy to correct time in my logs, but rather because in this particular situation the system clock is handled by the hypervisor and I don’t want the clocks to get into any fights.

Security considerations: Note that we’re running sshd on an alternate port. We’re under no illusions about this providing any kind of security improvement but it sure keeps the amount of crap in the logs down. The NAT provides a modicum of protection or the addresses that are in the NAT pool, but the static addresses are hanging wide out there in the breeze. Firewall policy, implementation, and testing are left as an exercise to the reader.

vyos@l2tptestbox:~$ show configuration 
interfaces {
ethernet eth0 {
    address 192.0.2.188/29
    duplex auto
    smp_affinity auto
    speed auto
}
loopback lo {
}
}
nat {
source {
    rule 5000 {
	outbound-interface eth0
	source {
	    address 192.168.90.0/24
	}
	translation {
	    address masquerade
	}
    }
}
}
protocols {
static {
    route 0.0.0.0/0 {
	next-hop 192.0.2.185 {
	}
    }
}
}
service {
ssh {
    port 2200
}
}
system {
config-management {
    commit-revisions 20
}
console {
    device ttyS0 {
	speed 9600
    }
}
host-name l2tptestbox.seastrom.com
login {
    user vyos {
	authentication {
	    encrypted-password ****************
	}
	level admin
    }
}
name-server 192.0.2.11
name-server 192.0.2.12
package {
    auto-sync 1
    repository community {
	components main
	distribution helium
	password ****************
	url http://packages.vyos.net/vyos
	username ""
    }
}
syslog {
    global {
	facility all {
	    level notice
	}
	facility protocols {
	    level debug
	}
    }
}
time-zone UTC
}
vpn {
ipsec {
    ipsec-interfaces {
	interface eth0
    }
    nat-networks {
	allowed-network 0.0.0.0/0 {
	}
    }
    nat-traversal enable
}
l2tp {
    remote-access {
	authentication {
	    local-users {
		username gaige {
		    password ****************
		}
		username gaigefixed {
		    password ****************
		    static-ip 192.0.2.101
		}
		username rs {
		    password ****************
		}
		username rsfixed {
		    password ****************
		    static-ip 192.0.2.100
		}
	    }
	    mode local
	}
	client-ip-pool {
	    start 192.168.90.100
	    stop 192.168.90.240
	}
	dns-servers {
	    server-1 192.0.2.11
	    server-2 192.0.2.12
	}
	ipsec-settings {
	    authentication {
		mode pre-shared-secret
		pre-shared-secret ****************
	    }
	    ike-lifetime 3600
	}
	outside-address 192.0.2.188
    }
}
}
vyos@l2tptestbox:~$