51工具盒子文章介绍:使用vyos-1.5.0滚动版自建组网,本篇使用组网协议:WireGuard,注意点:使用WireGuard自建组网必须一端有固定公网IP,ADSL动态pppoe拨号的那种公网IP不行。
一、组网架构 {#一-组网架构}
1.1、拓扑图 {#1-1-拓扑图}
1.2、拓扑说明 {#1-2-拓扑说明}
在vyos中使用wireguard组网建立隧道,必须一端有固定公网IP地址,根据上图所示,定义左侧VyOS PE 为服务端具有固定公网IP(因为我这里是纯内网环境,把eth0口的10.225.97.11作为这个固定公网IP使用),VyOS CE端无公网IP模式。
二、部署前准备 {#二-部署前准备}
2.1、镜像下载 {#2-1-镜像下载}
GitHub 滚动版 VyOS 下载地址 博主网盘 VyOS 下载地址
2.2、VyOS安装配置指导 {#2-2-VyOS安装配置指导}
三、vyos-pe端配置 {#三-vyos-pe端配置}
3.1、基础配置 {#3-1-基础配置}
set interfaces dummy dum0 address '10.10.10.10/32'
set interfaces ethernet eth0 address '10.225.97.11/24'
set protocols static route 0.0.0.0/0 next-hop 10.225.97.1
set service ssh port '22'
set system host-name 'vyos-pe'
3.2、生成公私钥 {#3-2-生成公私钥}
generate pki wireguard key-pair
四、vyos-ce端配置 {#四-vyos-ce端配置}
4.1、基础配置 {#4-1-基础配置}
set interfaces dummy dum0 address '20.20.20.20/32'
set interfaces ethernet eth0 address '10.225.97.12/24'
set protocols static route 0.0.0.0/0 next-hop 10.225.97.1
set service ssh port '22'
set system host-name 'vyos-ce'
4.2、生成公私钥 {#4-2-生成公私钥}
generate pki wireguard key-pair
五、配置wireguard接口 {#五-配置wireguard接口}
5.1、vyos-pe配置 {#5-1-vyos-pe配置}
configure
set interfaces wireguard wg1 address '100.64.2.1/30'
set interfaces wireguard wg1 description 'to-vyos-ce'
set interfaces wireguard wg1 peer vyos-ce allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer vyos-ce public-key 'yJx+q7mpA2Xkf+v5YumiCSwUNXGE5fxZHzExvoH0lVo='
set interfaces wireguard wg1 port '54430'
set interfaces wireguard wg1 private-key 'YLlFZ63ficgB4EheqpLDh4bnxsgUIbmzVuJCpHsHwUo='
commit
save
5.2、vyos-ce配置 {#5-2-vyos-ce配置}
configure
set interfaces wireguard wg1 address '100.64.2.2/30'
set interfaces wireguard wg1 description 'to-vyos-pe'
set interfaces wireguard wg1 peer vyos-pe address '10.225.97.11'
set interfaces wireguard wg1 peer vyos-pe allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer vyos-pe port '54430'
set interfaces wireguard wg1 peer vyos-pe public-key 'Q38gjMCrsocTCi7cUtAv1XN1gTb1xKeN0Q59mGRbFGc='
set interfaces wireguard wg1 private-key 'sBLkucXT91jcbD1CD3x5gcPR6X2ADEWlGeFyGYmUC2o='
commit
save
六、连通性测试 {#六-连通性测试}
6.1、pe-ping-ce {#6-1-pe-ping-ce}
ping 100.64.2.2 -c 4
6.2、ce-ping-pe {#6-2-ce-ping-pe}
ping 100.64.2.1 -c 4
七、配置BGP发布路由 {#七-配置BGP发布路由}
7.1、vyos-pe {#7-1-vyos-pe}
set policy prefix-list LAN rule 10 action 'permit'
set policy prefix-list LAN rule 10 prefix '10.10.10.10/32'
set policy route-map LAN rule 10 action 'permit'
set policy route-map LAN rule 10 match ip address prefix-list 'LAN'
set policy route-map LAN rule 20 action 'deny'
set protocols bgp address-family ipv4-unicast redistribute connected route-map 'LAN'
set protocols bgp neighbor 100.64.2.2 address-family ipv4-unicast prefix-list export 'LAN'
set protocols bgp neighbor 100.64.2.2 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 100.64.2.2 remote-as '65000'
set protocols bgp neighbor 100.64.2.2 update-source '100.64.2.1'
set protocols bgp parameters router-id '100.64.2.1'
set protocols bgp system-as '65000'
-
前缀列表:
set policy prefix-list LAN rule 10 action 'permit':允许前缀列表LAN中的规则10。set policy prefix-list LAN rule 10 prefix '10.10.10.10/32':在规则10中,指定前缀10.10.10.10/32。
-
路由映射:
set policy route-map LAN rule 10 action 'permit':允许路由映射LAN中的规则10。set policy route-map LAN rule 10 match ip address prefix-list 'LAN':规则10匹配前缀列表LAN。set policy route-map LAN rule 20 action 'deny':默认拒绝未匹配的路由。
-
BGP重新分发和邻居配置:
set protocols bgp address-family ipv4-unicast redistribute connected route-map 'LAN':使用路由映射LAN重新分发已连接路由。set protocols bgp neighbor 100.64.2.2 address-family ipv4-unicast prefix-list export 'LAN':使用前缀列表LAN过滤出口路由。set protocols bgp neighbor 100.64.2.2 address-family ipv4-unicast soft-reconfiguration inbound:启用入站软重配置。set protocols bgp neighbor 100.64.2.2 remote-as '65000':指定远端AS号。set protocols bgp neighbor 100.64.2.2 update-source '100.64.2.1':指定更新源地址。set protocols bgp parameters router-id '100.64.2.1':设置路由器ID。set protocols bgp system-as '65000':设置本地AS号。
7.2、vyos-ce {#7-2-vyos-ce}
set policy prefix-list LAN rule 10 action 'permit'
set policy prefix-list LAN rule 10 prefix '20.20.20.20/32'
set policy route-map LAN rule 10 action 'permit'
set policy route-map LAN rule 10 match ip address prefix-list 'LAN'
set policy route-map LAN rule 20 action 'deny'
set protocols bgp address-family ipv4-unicast redistribute connected route-map 'LAN'
set protocols bgp neighbor 100.64.2.1 address-family ipv4-unicast prefix-list export 'LAN'
set protocols bgp neighbor 100.64.2.1 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 100.64.2.1 remote-as '65000'
set protocols bgp neighbor 100.64.2.1 update-source '100.64.2.2'
set protocols bgp parameters router-id '100.64.2.2'
set protocols bgp system-as '65000'
-
策略路由相关配置:
- 这些命令定义了一个名为
LAN的前缀列表(prefix-list),并配置了一个名为LAN的路由映射(route-map)。 - 前缀列表
LAN包含一个允许(permit)的规则,匹配单个IP地址20.20.20.20/32。 - 路由映射
LAN包含两个规则:第一个规则允许匹配前缀列表LAN中的IP地址,第二个规则拒绝(deny)所有其他IP地址。
- 这些命令定义了一个名为
-
BGP相关配置:
redistribute connected route-map 'LAN': 将设备上的直连路由通过BGP协议向其他BGP邻居进行重分发,重分发时使用路由映射LAN进行筛选。neighbor 100.64.2.1 ...: 配置了一个BGP邻居,IP地址为100.64.2.1,远端AS号为65000。prefix-list export 'LAN': 向邻居导出匹配前缀列表LAN的路由。soft-reconfiguration inbound: 启用邻居的入站软重配置,以便在不中断BGP会话的情况下查看更新。update-source '100.64.2.2': 配置BGP会话的源IP地址为100.64.2.2。
router-id '100.64.2.2': 指定BGP路由器ID为100.64.2.2。system-as '65000': 设置本地设备的AS号为65000。
八、查看BGP状态 {#八-查看BGP状态}
8.1、vyos-pe {#8-1-vyos-pe}
show ip bgp summary
8.2、vyos-ce {#8-2-vyos-ce}
九、查看BGP路由信息 {#九-查看BGP路由信息}
9.1、查看bgp宣告的路由信息 {#9-1-查看bgp宣告的路由信息}
9.1.1、vyos-pe {#9-1-1-vyos-pe}
show ip bgp neighbors 100.64.2.2 advertised-routes
9.1.2、vyos-ce {#9-1-2-vyos-ce}
show ip bgp neighbors 100.64.2.1 advertised-routes
9.2、查看bgp接收的路由信息 {#9-2-查看bgp接收的路由信息}
9.2.1、vyos-pe {#9-2-1-vyos-pe}
show ip bgp neighbors 100.64.2.2 received-routes
9.2.2、vyos-ce {#9-2-2-vyos-ce}
show ip bgp neighbors 100.64.2.1 received-routes
十、ping/tracert测试 {#十-ping-tracert测试}
10.1、pe->-ce {#10-1-pe---ce}
sudo ping 20.20.20.20 -c 4
sudo traceroute 20.20.20.20
10.2、ce->-pe {#10-2-ce---pe}
sudo ping 10.10.10.10 -c 4
sudo traceroute 10.10.10.10
