Overview: this post builds a self-hosted site-to-site network on the VyOS 1.5.0 rolling release, using WireGuard as the tunnel protocol. Note: a WireGuard-based setup like this requires one end to have a fixed public IP; a dynamic public IP from ADSL PPPoE dial-up will not do.

1. Network architecture

1.1 Topology diagram


1.2 Topology notes

To build a WireGuard tunnel in VyOS, one end must have a fixed public IP address. As shown in the topology diagram above, the left-hand VyOS PE is defined as the server side with a fixed public IP (my lab is a purely internal network, so eth0's address 10.225.97.11 stands in for that fixed public IP), while the VyOS CE side has no public IP.

2. Preparation

2.1 Image download

VyOS rolling-release download (GitHub); VyOS download (author's cloud drive)

2.2 VyOS installation and configuration guide

VyOS open-source series

3. vyos-pe configuration

Official VyOS WireGuard configuration guide

3.1 Basic configuration

set interfaces dummy dum0 address '10.10.10.10/32'
set interfaces ethernet eth0 address '10.225.97.11/24'
set protocols static route 0.0.0.0/0 next-hop 10.225.97.1
set service ssh port '22'
set system host-name 'vyos-pe'

3.2 Generate the key pair

generate pki wireguard key-pair

4. vyos-ce configuration

4.1 Basic configuration

set interfaces dummy dum0 address '20.20.20.20/32'
set interfaces ethernet eth0 address '10.225.97.12/24'
set protocols static route 0.0.0.0/0 next-hop 10.225.97.1
set service ssh port '22'
set system host-name 'vyos-ce'

4.2 Generate the key pair

generate pki wireguard key-pair

5. Configure the WireGuard interface

5.1 vyos-pe configuration

configure
set interfaces wireguard wg1 address '100.64.2.1/30'
set interfaces wireguard wg1 description 'to-vyos-ce'
set interfaces wireguard wg1 peer vyos-ce allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer vyos-ce public-key 'yJx+q7mpA2Xkf+v5YumiCSwUNXGE5fxZHzExvoH0lVo='
set interfaces wireguard wg1 port '54430'
set interfaces wireguard wg1 private-key 'YLlFZ63ficgB4EheqpLDh4bnxsgUIbmzVuJCpHsHwUo='
commit
save

5.2 vyos-ce configuration

configure
set interfaces wireguard wg1 address '100.64.2.2/30'
set interfaces wireguard wg1 description 'to-vyos-pe'
set interfaces wireguard wg1 peer vyos-pe address '10.225.97.11'
set interfaces wireguard wg1 peer vyos-pe allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer vyos-pe port '54430'
set interfaces wireguard wg1 peer vyos-pe public-key 'Q38gjMCrsocTCi7cUtAv1XN1gTb1xKeN0Q59mGRbFGc='
set interfaces wireguard wg1 private-key 'sBLkucXT91jcbD1CD3x5gcPR6X2ADEWlGeFyGYmUC2o='
commit
save

6. Connectivity test

6.1 PE pings CE

ping 100.64.2.2 -c 4


6.2 CE pings PE

ping 100.64.2.1 -c 4


7. Configure BGP to advertise routes

7.1 vyos-pe

set policy prefix-list LAN rule 10 action 'permit'
set policy prefix-list LAN rule 10 prefix '10.10.10.10/32'
set policy route-map LAN rule 10 action 'permit'
set policy route-map LAN rule 10 match ip address prefix-list 'LAN'
set policy route-map LAN rule 20 action 'deny'
set protocols bgp address-family ipv4-unicast redistribute connected route-map 'LAN'
set protocols bgp neighbor 100.64.2.2 address-family ipv4-unicast prefix-list export 'LAN'
set protocols bgp neighbor 100.64.2.2 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 100.64.2.2 remote-as '65000'
set protocols bgp neighbor 100.64.2.2 update-source '100.64.2.1'
set protocols bgp parameters router-id '100.64.2.1'
set protocols bgp system-as '65000'

  1. Prefix list

    • set policy prefix-list LAN rule 10 action 'permit': rule 10 of prefix-list LAN is a permit rule.
    • set policy prefix-list LAN rule 10 prefix '10.10.10.10/32': rule 10 matches the prefix 10.10.10.10/32.
  2. Route map

    • set policy route-map LAN rule 10 action 'permit': rule 10 of route-map LAN is a permit rule.
    • set policy route-map LAN rule 10 match ip address prefix-list 'LAN': rule 10 matches prefix-list LAN.
    • set policy route-map LAN rule 20 action 'deny': deny any route not matched by rule 10.
  3. BGP redistribution and neighbor configuration

    • set protocols bgp address-family ipv4-unicast redistribute connected route-map 'LAN': redistribute connected routes, filtered through route-map LAN.
    • set protocols bgp neighbor 100.64.2.2 address-family ipv4-unicast prefix-list export 'LAN': filter outbound routes to this neighbor with prefix-list LAN.
    • set protocols bgp neighbor 100.64.2.2 address-family ipv4-unicast soft-reconfiguration inbound: enable inbound soft reconfiguration.
    • set protocols bgp neighbor 100.64.2.2 remote-as '65000': set the neighbor's AS number.
    • set protocols bgp neighbor 100.64.2.2 update-source '100.64.2.1': set the source address for the BGP session.
    • set protocols bgp parameters router-id '100.64.2.1': set the router ID.
    • set protocols bgp system-as '65000': set the local AS number.

7.2 vyos-ce

set policy prefix-list LAN rule 10 action 'permit'
set policy prefix-list LAN rule 10 prefix '20.20.20.20/32'
set policy route-map LAN rule 10 action 'permit'
set policy route-map LAN rule 10 match ip address prefix-list 'LAN'
set policy route-map LAN rule 20 action 'deny'
set protocols bgp address-family ipv4-unicast redistribute connected route-map 'LAN'
set protocols bgp neighbor 100.64.2.1 address-family ipv4-unicast prefix-list export 'LAN'
set protocols bgp neighbor 100.64.2.1 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 100.64.2.1 remote-as '65000'
set protocols bgp neighbor 100.64.2.1 update-source '100.64.2.2'
set protocols bgp parameters router-id '100.64.2.2'
set protocols bgp system-as '65000'

  1. Policy configuration:

    • These commands define a prefix-list named LAN and a route-map named LAN.
    • Prefix-list LAN contains one permit rule matching the single host address 20.20.20.20/32.
    • Route-map LAN contains two rules: the first permits addresses matching prefix-list LAN, the second denies all other addresses.
  2. BGP configuration:

    • redistribute connected route-map 'LAN': redistribute the device's connected routes to its BGP neighbors, filtered through route-map LAN.
    • neighbor 100.64.2.1 ...: configure a BGP neighbor at 100.64.2.1 with remote AS 65000.
      • prefix-list export 'LAN': export to the neighbor only routes matching prefix-list LAN.
      • soft-reconfiguration inbound: enable inbound soft reconfiguration so received updates can be inspected without tearing down the BGP session.
      • update-source '100.64.2.2': use 100.64.2.2 as the source address of the BGP session.
    • router-id '100.64.2.2': set the BGP router ID to 100.64.2.2.
    • system-as '65000': set the local AS number to 65000.
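The WireGuard configuration in section 5 and the BGP configuration in 7.1 and 7.2 are mirror images of each other, and the usual mistakes when typing them by hand are a swapped peer public key, an update-source pointing at the far end, or an endpoint configured on the side that has no fixed IP. The Python script below is an added example (not part of the original post or of VyOS) that renders both ends' set lines from one description so the two sides stay paired; the keys in it are constructed placeholders, generate real ones with generate pki wireguard key-pair.

```python
# Added example (not from the post or VyOS): render both ends' VyOS 1.5 WireGuard +
# iBGP 'set' lines from one description so keys, tunnel /30 and neighbors stay paired.
import base64, ipaddress

def check_key(key):
    # A WireGuard key is base64 of exactly 32 bytes; catch truncated or mis-pasted keys
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError(f"not a 32-byte WireGuard key: {key!r}")
    return key

def render_side(me, peer, asn="65000", ifname="wg1"):
    my_ip, peer_ip = me["tunnel"].split("/")[0], peer["tunnel"].split("/")[0]
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_interface(me["tunnel"]).network:
        raise ValueError("tunnel addresses must lie in one subnet")
    wg, bgp = f"set interfaces wireguard {ifname}", "set protocols bgp"
    lines = [f"{wg} address '{me['tunnel']}'",
             f"{wg} peer {peer['name']} allowed-ips '0.0.0.0/0'",
             f"{wg} peer {peer['name']} public-key '{check_key(peer['pub'])}'",
             f"{wg} private-key '{check_key(me['priv'])}'"]
    if me.get("public_ip"):      # the fixed-IP end (PE) listens on a fixed port
        lines.append(f"{wg} port '{me['port']}'")
    if peer.get("public_ip"):    # the end without a fixed IP (CE) dials that endpoint
        lines += [f"{wg} peer {peer['name']} address '{peer['public_ip']}'",
                  f"{wg} peer {peer['name']} port '{peer['port']}'"]
    lines += ["set policy prefix-list LAN rule 10 action 'permit'",
              f"set policy prefix-list LAN rule 10 prefix '{me['lan']}'",
              "set policy route-map LAN rule 10 action 'permit'",
              "set policy route-map LAN rule 10 match ip address prefix-list 'LAN'",
              "set policy route-map LAN rule 20 action 'deny'",
              f"{bgp} address-family ipv4-unicast redistribute connected route-map 'LAN'",
              f"{bgp} neighbor {peer_ip} address-family ipv4-unicast prefix-list export 'LAN'",
              f"{bgp} neighbor {peer_ip} address-family ipv4-unicast soft-reconfiguration inbound",
              f"{bgp} neighbor {peer_ip} remote-as '{asn}'",
              f"{bgp} neighbor {peer_ip} update-source '{my_ip}'",
              f"{bgp} parameters router-id '{my_ip}'",
              f"{bgp} system-as '{asn}'"]
    return lines

# Constructed sample matching the post's addressing; keys are placeholder 32-byte values.
PE = {"name": "vyos-pe", "tunnel": "100.64.2.1/30", "lan": "10.10.10.10/32",
      "public_ip": "10.225.97.11", "port": "54430",
      "priv": base64.b64encode(b"\x01" * 32).decode(), "pub": base64.b64encode(b"\x02" * 32).decode()}
CE = {"name": "vyos-ce", "tunnel": "100.64.2.2/30", "lan": "20.20.20.20/32",
      "priv": base64.b64encode(b"\x03" * 32).decode(), "pub": base64.b64encode(b"\x04" * 32).decode()}

if __name__ == "__main__":
    for side, other in ((PE, CE), (CE, PE)):
        print(f"# {side['name']}\nconfigure\n" + "\n".join(render_side(side, other)) + "\ncommit\nsave\n")
```

Running it prints a configure/commit/save block for each router; compare it line by line against sections 5 and 7 to spot any hand-typing drift.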

8. Check BGP status

8.1 vyos-pe

show ip bgp summary


8.2 vyos-ce

show ip bgp summary

9. Check BGP route information

9.1 Routes advertised by BGP

9.1.1 vyos-pe

show ip bgp neighbors 100.64.2.2 advertised-routes


9.1.2 vyos-ce

show ip bgp neighbors 100.64.2.1 advertised-routes


9.2 Routes received by BGP

9.2.1 vyos-pe

show ip bgp neighbors 100.64.2.2 received-routes


9.2.2 vyos-ce

show ip bgp neighbors 100.64.2.1 received-routes


10. Ping/traceroute test

10.1 PE -> CE

sudo ping 20.20.20.20 -c 4
sudo traceroute 20.20.20.20


10.2 CE -> PE

sudo ping 10.10.10.10 -c 4
sudo traceroute 10.10.10.10
