文章介绍:本篇主要内容如下:
①云上Vultr安装Vyos作为服务器端;
②本地VMware ESXi安装Vyos作为客户端;
③云上Vultr中的Vyos运行GoBGP给本地VMware ESXi中的Vyos下发路由,实现路由分流;
④本地VMware ESXi中的Vyos运行SmartDNS,实现DNS分流,规避DNS污染。
一、上传镜像至Vultr
https://github.com/hcuk94/vyos-autobuild/releases/download/1.4.0-epa2/vyos-1.4.0-epa2-amd64.iso
二、创建实例
2.1、点击:Products
2.2、Deploy New Instance
2.3、关闭备份
2.4、取消自定义数据
2.5、启动完成:Running
2.6、查看服务器
2.7、配置vyos
2.8、进入vyos
2.9、安装vyos
install image
2.10、移除ISO
2.11、连接vyos
2.12、进入vyos
2.13、查看接口IP
show int
2.14、配置接口
2.15、配置SSH登录
2.16、退出系统
三、vyos-pe基础配置
3.1、登录Vyos
3.2、修改账户密码
configure #进入配置模式
set system login user yydy authentication plaintext-password yydy@vyos #新建账号:yydy,密码:yydy@vyos
commit #应用配置
save #保存配置
3.3、修改hostname
set system host-name vyos-pe
commit
save
3.4、禁用默认账户vyos
configure
set system login user vyos disable #禁用vyos账户登录
commit
save
3.5、vyos-pe安全加固
这些配置是针对防火墙全局选项的设置,每个选项的作用如下:
set firewall global-options all-ping 'disable': 允许 ICMP echo-request(ping)到所有地址。set firewall global-options broadcast-ping 'disable': 禁用 ICMP echo-request 到广播地址的回应。set firewall global-options ip-src-route 'disable': 禁用 IP 源路由选项。set firewall global-options ipv6-source-validation 'disable': 禁用 IPv6 源地址验证。set firewall global-options ipv6-src-route 'disable': 禁用 IPv6 源路由选项。set firewall global-options log-martians 'enable': 启用记录未知源 IP 或无效 TTL 的数据包。set firewall global-options receive-redirects 'disable': 禁用接收 ICMP 重定向消息。set firewall global-options send-redirects 'enable': 启用发送 ICMP 重定向消息。set firewall global-options source-validation 'disable': 禁用源地址验证。set firewall global-options syn-cookies 'enable': 启用 SYN cookies 以防止 SYN 洪泛攻击。set firewall global-options twa-hazards-protection 'disable': 禁用 TWA(TCP Window Adjustment) 危险保护。set firewall group network-group firewall-whitelist network '10.255.255.2/32': 创建一个网络组,允许只有10.255.255.2/32这个 IP 地址的流量通过。set firewall ipv4 input filter default-action 'accept': 默认情况下,允许所有 IPv4 输入流量通过。set firewall ipv4 input filter rule 100 action 'accept': 允许特定规则的 IPv4 输入流量通过。set firewall ipv4 input filter rule 100 source group network-group 'firewall-whitelist': 允许网络组firewall-whitelist中定义的地址通过。set firewall ipv4 input filter rule 200 action 'drop': 将未匹配到其他规则的 IPv4 输入流量丢弃。set firewall ipv4 input filter rule 200 destination port '22,179,53': 针对特定端口的流量进行处理。set firewall ipv4 input filter rule 200 protocol 'tcp_udp': 仅针对 TCP 和 UDP 流量进行处理。set firewall ipv4 input filter rule 300 action 'drop'': 将未匹配到其他规则的 IPv4 输入流量丢弃。set firewall ipv4 input filter rule 300 protocol 'icmp'': 仅针协议是 ICMP 流量进行处理。
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-source-validation 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall group network-group firewall-whitelist network '10.255.255.2/32'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 100 action 'accept'
set firewall ipv4 input filter rule 100 source group network-group 'firewall-whitelist'
set firewall ipv4 input filter rule 200 action 'drop'
set firewall ipv4 input filter rule 200 destination port '22,179,53'
set firewall ipv4 input filter rule 200 protocol 'tcp_udp'
set firewall ipv4 input filter rule 300 action 'drop'
set firewall ipv4 input filter rule 300 protocol 'icmp'
commit
save
四、VMware ESXi 安装 Vyos
4.1、安装
4.2、配置vyos
configure
set system host-name vyos-ce #修改主机名
commit
save
五、配置虚拟隧道WireGuard
5.1、生成密钥对
generate pki wireguard key-pair
5.1.1、vyos-pe
yydy@vyos-pe:~$ generate pki wireguard key-pair
Private key: MEUnSrblAhPuXiFBe+JAtPqFQN+PU7s3mq5pYq/3dnQ=
Public key: vPVCN+MqUz5ljTYMY99NvOHQeQlYZoeAPQ9cj+taVSo=
yydy@vyos-pe:~$
5.1.2、vyos-ce
vyos@vyos-ce:~$ generate pki wireguard key-pair
Private key: EH37HTk2+YD1/YYvwmKhswzuZ4za2VjjM8GjhDw423Q=
Public key: 5RP73V1r+HDYorMyDnbvLXd9Uw0mIdrL2z6J53hRiAA=
vyos@vyos-ce:~$
5.2、创建wg0接口
5.2.1、vyos-pe
配置 WireGuard VPN 接口的详细命令含义如下:
set interfaces wireguard wg0 address '10.255.255.1/30': 这条命令设置了WireGuard接口的本地IP地址和子网掩码。set interfaces wireguard wg0 description 'to-vyos-ce': 这条命令为WireGuard接口设置了描述,用于标识接口的用途或描述信息。set interfaces wireguard wg0 peer vyos-ce address '45.76.198.130': 这条命令设置了本端的IP地址。set interfaces wireguard wg0 peer vyos-ce allowed-ips '0.0.0.0/0': 这条命令设置了允许流量从远程对等点进入的IP地址范围。在这种情况下,允许所有IP地址。set interfaces wireguard wg0 peer vyos-ce port '64430': 这条命令设置了对端的端口号。set interfaces wireguard wg0 peer vyos-ce public-key '5RP73V1r+HDYorMyDnbvLXd9Uw0mIdrL2z6J53hRiAA=': 这条命令设置了远程对等点的公钥,用于加密通信。set interfaces wireguard wg0 port '64430': 这条命令设置了本地WireGuard接口的端口号。set interfaces wireguard wg0 private-key 'MEUnSrblAhPuXiFBe+JAtPqFQN+PU7s3mq5pYq/3dnQ=': 这条命令设置了本地WireGuard接口的私钥,用于加密通信。
set interfaces wireguard wg0 address '10.255.255.1/30'
set interfaces wireguard wg0 description 'to-vyos-ce'
set interfaces wireguard wg0 peer vyos-ce address '45.76.198.130'
set interfaces wireguard wg0 peer vyos-ce allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer vyos-ce port '64430'
set interfaces wireguard wg0 peer vyos-ce public-key '5RP73V1r+HDYorMyDnbvLXd9Uw0mIdrL2z6J53hRiAA='
set interfaces wireguard wg0 port '64430'
set interfaces wireguard wg0 private-key 'MEUnSrblAhPuXiFBe+JAtPqFQN+PU7s3mq5pYq/3dnQ='
commit
save
5.2.2、vyos-ce
set interfaces wireguard wg0 address '10.255.255.2/30'
set interfaces wireguard wg0 description 'to-vyos-pe'
set interfaces wireguard wg0 peer vyos-pe address '45.76.198.130'
set interfaces wireguard wg0 peer vyos-pe allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer vyos-pe port '64430'
set interfaces wireguard wg0 peer vyos-pe public-key 'vPVCN+MqUz5ljTYMY99NvOHQeQlYZoeAPQ9cj+taVSo='
set interfaces wireguard wg0 port '64430'
set interfaces wireguard wg0 private-key 'EH37HTk2+YD1/YYvwmKhswzuZ4za2VjjM8GjhDw423Q='
commit
save
5.3、安装密钥到wg0接口
generate pki wireguard key-pair install interface wg0
5.3.1、vyos-pe
yydy@vyos-pe:~$ generate pki wireguard key-pair install interface wg0
You are not in configure mode, commands to install manually from configure mode:
set interfaces wireguard wg0 private-key 'UBfCDbi+mC2Bx4BZQ22bvN6As6mExPgMYeFtBN+b8EY='
Corresponding public-key to use on peer system is: 'ef1XMtebOpJPfHbwrdf/7clvwmtTCneLRhn4jA0byg4='
yydy@vyos-pe:~$
5.3.2、vyos-ce
vyos@vyos-ce:~$ generate pki wireguard key-pair install interface wg0
You are not in configure mode, commands to install manually from configure mode:
set interfaces wireguard wg0 private-key 'SB+ALToDEC8wrISJhUl0g1OlUuBqClRppXxAkV1FCVQ='
Corresponding public-key to use on peer system is: 'D3ySgonlZOqE4Gy2uPqP6p/faQbZbk5pBiy7DXXVFkA='
vyos@vyos-ce:~$
5.4、连通信测试
sudo ping -i 0.01 -c 1000 -s 1024 10.255.255.2
5.5、mtu测试不分片
sudo ping -M do -s 1400 10.255.255.2
5.5.1、配置mtu
set interfaces wireguard wg0 mtu '1420'
commit
save
5.6、配置tcp mss
set interfaces wireguard wg0 ip adjust-mss '1300'
commit
save
六、配置完善
6.1、vyos-ce
6.1.1、全局默认路由
set protocols static route 45.76.198.130/32 next-hop 10.225.97.1
set protocols static route 0.0.0.0/0 next-hop 10.255.255.1 distance '230'
commit
save
下面这些命令配置使用故障转移(failover)策略,用于在主要路由不可用时切换到备用路由,以下是每条命令的详细解释:
-
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 check target '10.255.255.1':- 配置了默认路由
0.0.0.0/0的下一跳地址为10.255.255.1。 - 使用 ICMP 目标检查功能,以确保下一跳地址
10.255.255.1的连通性。
- 配置了默认路由
-
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 check timeout '5':- 设置 ICMP 目标检查的超时时间为 5 秒。
-
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 check type 'icmp':- 指定 ICMP 类型的目标检查,用于检查下一跳地址
10.255.255.1的连通性。
- 指定 ICMP 类型的目标检查,用于检查下一跳地址
-
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 interface 'wg0':- 指定下一跳地址
10.255.255.1的接口为wg0,表示该路由通过接口wg0发送。
- 指定下一跳地址
-
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 metric '230':- 配置默认路由
0.0.0.0/0到达目标的优先级(metric)为 230,优先级较低,表示备选路由。
- 配置默认路由
-
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 check target '10.225.97.1':- 配置了另一条默认路由
0.0.0.0/0的下一跳地址为10.225.97.1。 - 使用 ICMP 目标检查功能,以确保下一跳地址
10.225.97.1的连通性。
- 配置了另一条默认路由
-
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 check timeout '5':- 设置 ICMP 目标检查的超时时间为 5 秒。
-
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 check type 'icmp':- 指定 ICMP 类型的目标检查,用于检查下一跳地址
10.225.97.1的连通性。
- 指定 ICMP 类型的目标检查,用于检查下一跳地址
-
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 interface 'eth0':- 指定下一跳地址
10.225.97.1的接口为eth0,表示该路由通过接口eth0发送。
- 指定下一跳地址
-
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 metric '240':- 配置默认路由
0.0.0.0/0到达目标的优先级(metric)为 240,优先级较高,表示首选路由。
- 配置默认路由
这些命令的目的是为默认路由 0.0.0.0/0 配置两个备选路由,并设置检查目标和超时时间以确保备选路由的连通性。通过配置不同的优先级(metric),可以定义主要路由和备用路由的优先级。
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 check target '10.255.255.1'
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 check timeout '5'
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 check type 'icmp'
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 interface 'wg0'
set protocols failover route 0.0.0.0/0 next-hop 10.255.255.1 metric '230'
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 check target '10.225.97.1'
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 check timeout '5'
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 check type 'icmp'
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 interface 'eth0'
set protocols failover route 0.0.0.0/0 next-hop 10.225.97.1 metric '240'
6.1.2、SNAT配置
set nat source rule 100 outbound-interface name 'wg0'
set nat source rule 100 translation address 'masquerade'
commit
save
6.1.3、DNS配置
set system name-server 223.5.5.5
set system name-server 223.6.6.6
commit
save
6.2、vyos-pe
6.2.1、SNAT配置
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 translation address 'masquerade'
commit
save
6.2.2、DNS配置
set system name-server 8.8.8.8
set system name-server 8.8.4.4
commit
save
七、全局模式测试
7.1、PC测试
ip.skk.moe
www.yalala.com
whoer.net
7.2、路径和解析
tracert -d -w 1 8.8.8.8
nslookup www.youtube.com
八、路由分流配置
8.1、下载GoBGP程序
sudo -i
mkdir bgp
cd bgp
wget https://github.com/yangpin97/BGPServer/releases/download/0.5/bgp
wget https://github.com/yangpin97/BGPServer/releases/download/0.5/ChinaBGPZip.gob
wget https://github.com/yangpin97/BGPServer/releases/download/0.5/config.ini
wget https://github.com/yangpin97/BGPServer/releases/download/0.5/map.json.gz
8.2、赋予权限
sudo chmod +x bgp
8.3、修改config.ini
sudo nano config.ini
[server]
RouterId = 10.255.255.1
ASN = 65000
NextHop = 10.225.97.1
UpdateSource = 10.255.255.1
[peer]
IP = 10.255.255.2
ASN = 65000
-
[server]部分说明:RouterId = 10.255.255.1:指定本地路由器的 BGP 路由器ID。路由器ID 用于标识路由器的唯一性,是 BGP 运行所必需的。ASN = 65000:指定本地路由器的自治系统号(ASN)。ASN 是用于识别网络中的唯一自治系统的数字标识符。NextHop = 10.225.97.1:指定在生成更新消息时使用的下一跳地址。在 BGP 中,Next Hop 属性指定了到达目的网络的下一跳路由器的 IP 地址,因为我们下面学习的是国内BGP路由信息,所以这里写vyos-ce的eth0接口网关。UpdateSource = 10.255.255.1:指定用于向对等方发送 BGP 更新消息的源 IP 地址。这个参数用于多点连接的情况,确保更新消息从正确的接口发送出去。
-
[peer]部分说明:IP = 10.255.255.2:指定对等方的 IP 地址。这个对等方是本地路由器将要建立 BGP 邻居关系的对等方。ASN = 65000:指定对等方的自治系统号(ASN)。这个对等方的 ASN 应该与对等方配置的 ASN 相匹配,以确保 BGP 邻居关系的正确建立。
8.4、运行程序
sudo screen -S bgp_session -d -m ./bgp -c ./config.ini -l CN
8.5、vyos-ce配置bgp邻居
set protocols bgp parameters router-id 10.255.255.2
set protocols bgp neighbor 10.255.255.1 remote-as 65000
set protocols bgp neighbor 10.255.255.1 update-source 10.255.255.2
set protocols bgp neighbor 10.255.255.1 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp system-as 65000
set protocols bgp timers holdtime '60'
set protocols bgp timers keepalive '20'
commit
save
8.6、查看邻居建立状态
8.6.1、vyos-pe
sudo screen -r
8.6..2、vyos-ce
show bgp summary
8.7、路由查询
show ip route 223.5.5.5
show ip route 8.8.8.8
8.8、路由分流测试
8.8.1、tracert阿里云dns
tracert -d -w 1 223.5.5.5
8.8.2、tracert谷歌dns
tracert -d -w 1 8.8.8.8
九、SmartDNS配置
9.1、下载smartdns
sudo -i
curl -k -O https://github.com/pymumu/smartdns/releases/download/Release45/smartdns.1.2024.02.08-0828.x86_64-debian-all.deb
curl -k -O https://alist.yydy.link:2023/d/🧩Share---共享文件/smartdns/smartdns.1.2024.02.08-0828.x86_64-debian-all.deb
9.2、安装smartdns
dpkg -i smartdns.1.2024.02.08-0828.x86_64-debian-all.deb
9.3、删除vyos的dns
9.3.1、退出root
exit
9.3.2、进入配置模式
conf
delete system name-server
commit
save
9.3.3、进入root
exit
sudo -i
9.4、修改配置文件
nano /etc/smartdns/smartdns.conf
# 开启ipv6-ipv4-dns服务
bind [::]:53 #默认开启
# 国内上游服务器(上海电信DNS)
server 202.96.209.133
server 202.96.209.5
server 180.168.255.118
server 116.228.111.118
# 国外上游服务器
server 8.8.8.8
server 8.8.4.4
server 208.67.222.222
server 208.67.220.220
# 缓存配置
cache-size 32768
cache-persist yes
prefetch-domain yes
cache-file /etc/smartdns/dnscache
# 测速模式
speed-check-mode ping,tcp:80,tcp:443
# 其他
force-qtype-SOA 65 #默认开启
log-level info #默认开启
9.5、启动smartdns
sudo systemctl start smartdns
sudo systemctl enable smartdns
9.6、dns分流测试
十、带宽测试
10.1、iperf打流
10.1.1、ce打流pe模拟上传
10.1.2、pe打流ce模拟下载
10.2、speedtest测速
其他
sudo screen -r进入刚刚运行的服务,然后Ctrl+C结束会话,然后在进行下面的操作。
sudo nano /etc/systemd/system/bgp.service
[Unit]
Description=BGP Service
After=network.target
[Service]
Type=simple
ExecStart=/root/bgp/bgp -c /root/bgp/config.ini -l CN
Restart=always
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable bgp.service
sudo systemctl start bgp.service
sudo systemctl status bgp.service
sudo systemctl stop bgp.service
sudo journalctl -u bgp.service
