VyOS Isn’t as Scary as It Looks

VyOS is a capable and fast routing and firewall platform, equipped with features for both enterprise and home users. For home users, though, VyOS might appear daunting, as it brings the complexity and power of an enterprise-level Network OS (NOS) into the open-source space.


For the most part, VyOS will not hold any hands when it comes to configuring anything. This is intentional, as trying to configure “on rails” will greatly limit what can be designed and implemented for a user’s network. This doesn’t have to mean that home users should shy away from the product though.


In this series, we’re going to explore how to set up VyOS as a home router.


Story Time:
When I first started getting into networking, I remember buying my first Cisco router. Excited to get started on this networking journey, I plugged a cable into the router, and the other end into my laptop, and anxiously awaited getting an IP. Well, as some of you know, nothing happened.

Through some googling, I quickly realized I needed to put an IP and a DHCP Pool on the router. After doing that, I finally had an IP, so I figured let’s go ahead and test access to the internet. Well, that didn’t work either. I then learned about NAT. After configuring NAT, I could finally access the internet….but it was wide open. I needed to secure it.

Cisco had an auto firewall feature, so I figured I could use that. After using it, I couldn’t access anything. What a nightmare!

I imagine that’s a lot of people’s first impression of VyOS as well. But just like my entry into the networking world with Cisco, you quickly learn there are only a few small building blocks for a home router, and it takes no time at all to learn them.

Hardware Selection

Before we go into how to install and configure VyOS, we first need to choose our hardware. VyOS can be installed on x86-64 systems, and is very lightweight. 2GB of RAM is usually more than enough for most home uses. I am going to recommend at least 4GB of RAM for this setup, since we’re going to extend the capabilities of VyOS beyond a simple router and firewall later in this series.


My favorite hardware choice for VyOS is mini PCs with more than 1 NIC built in. The TinyMiniMicro market has exploded in recent years, making the availability of capable and affordable Mini PCs very broad.


While there are many manufacturers making Mini PCs, I’m going to recommend Minisforum PCs for this post. You’ll likely have similar results using any similarly spec’ed mini PC.

How fast is your internet?

The selection will generally be dictated by how fast your internet is. Even the most affordable mini PCs available can generally handle a 1Gbps internet connection. Your selection of Mini PC can typically be chosen based on the type of connection you need. Here are some examples:



Even the cheapest of these includes 8GB of RAM, which is plenty for home use.


NOTE: You will see a lot of people install VyOS as a VM on a server. While this is possible, I don’t recommend doing this for a home router. You don’t want to make your home internet dependent on something that is running additional software that could inject instability.

Downloading VyOS

VyOS can be freely acquired, though the only version that can easily be downloaded is their rolling release, which is built nightly. These builds may include some bugs, but unless you’re using “new” features, you should run into them infrequently.


The rolling releases can be downloaded from here:
VyOS Rolling Releases Github


The latest version as of the writing of this blog is: “vyos-1.5-rolling-202406130020-amd64.iso”. That’s what I’m going to be using for the rest of this series. You can see what commits were added for each new release:

Create a bootable USB

After downloading the ISO, we need to install it to a bootable flash drive so we can install it on our PC. To do this, I like to use the tried and tested Rufus to create a bootable USB drive from an ISO image. Rufus can be found here: Rufus


Once downloaded, launch Rufus.


Make sure you select the correct device:


Then click “SELECT” under the boot selection, and find the VyOS ISO you just downloaded:


Every other option you can keep as their defaults. Just click start to begin the process:


You may be presented with this message. Just select “Write in ISO image mode (Recommended)”:


You may also be presented with this message. Just select “Yes”:


And finally you’ll be presented with this warning. Ensure that you are in fact writing to the correct device, and that there’s nothing on that drive you’re not okay with losing. Select OK to continue:


Once the process completes, you should see that the drive has been updated with the label under “Volume label”, and Rufus should report its status as “READY”.


Boot the USB drive

NOTE: I do all initial configuration using a keyboard and monitor directly connected to the mini PC.

Ensure your device is powered off and insert the drive into whatever device you are going to use for VyOS. Once inserted, power on the device.


Different devices may have a different method for booting from a USB drive. Consult the documentation for your device to see how to boot from a USB drive.


For Minisforum, we can start pressing F11 to boot from the USB, or Delete to enter the boot menu. Directly after powering on the device, start rapidly pressing one of those keys. I used F11 to boot directly from the USB.


If you successfully booted from the USB drive, you should be presented with a grub boot loader. Select the KVM option and hit enter:

Logging In

Once booted, you’ll be presented with a login screen. The default credentials for VyOS are ‘vyos’ for both the user and password. Enter those credentials to gain access to the system.

Installing VyOS to Disk

We are currently in a LiveCD of VyOS, and any configuration we make will not be persistent. We need to install VyOS to the onboard storage. We can do that with the “install image” command.

install image


VyOS will walk you through a guided install:


Select ‘y’ here to continue.

This command will install VyOS to your permanent storage.
Would you like to continue? [y/N]


You can name the image anything you’d like. Just make sure you’ll remember what it is. When updating VyOS, you will want to be able to distinguish between new and older versions.

What would you like to name this image? (Default: 1.5-rolling-202405121403) 


Enter a password for the default user. This can be anything; we will be removing this user later. I’m going to use ‘vyos’ as the password.

Please enter a password for the "vyos" user: 
Please confirm password for the "vyos" user:


You can select Serial if your device has a console port and you’d prefer to access it via console. Otherwise, select ‘K’ for KVM.

What console should be used by default? (K: KVM, S: Serial)? (Default: S)  


Make sure you install to the onboard drive, and not the flash drive.

Probing disks
1 disk(s) found
The following disks were found:
Drive: /dev/sda (8.0 GB)
Which one should be used for installation? (Default: /dev/sda)

NOTE: You will likely be presented with the option to configure RAID-1 mirroring. Select ‘n’ during that prompt.


You can select option 1 for this step. Since this is a fresh installation, it doesn’t really matter since both configs will be the same. If you were installing over an existing installation, you’d select option 1 to keep the previous config, or option 2 to default to a blank (default) config.

The following config files are available for boot:
1: /opt/vyatta/etc/config/config.boot
2: /opt/vyatta/etc/config.boot.default
Which file would you like as boot config? (Default: 1)


The installation will complete.

Creating temporary directories
Mounting new partitions
Creating a configuration file
Copying system image files
Installing GRUB configuration files
Installing GRUB to the drive
Cleaning up
Unmounting target filesystems
Removing temporary files
The image installed successfully; please reboot now.


Remove the flash drive and reboot the device to complete the installation.

reboot now


Once booted, you’ll be presented with the same login prompt as before. Just log in with the username ‘vyos’, and whatever password you typed during the installation process. For me that will be ‘vyos’.

Welcome to VyOS - vyos ttyS0

vyos login: vyos
Password:
Welcome to VyOS!

┌── ┐
. VyOS 1.5-rolling-202405121403
└ ──┘ current

* Documentation: https://docs.vyos.io/en/latest
* Project news: https://blog.vyos.io
* Bug reports: https://vyos.dev

You can change this banner using "set system login banner post-login" command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright
vyos@vyos:~$

Initial Configuration of VyOS

We’re going to put a very basic initial setup in place for VyOS. This will mostly be the ‘step 1’ stuff that should be done, so you don’t forget to do it later.


A quick note on VyOS modes. VyOS has 2 modes: Operational Mode (Op Mode) and Configuration Mode (Conf Mode). Op Mode will be used to view system information like interfaces, as well as reset services if needed. Conf Mode will be used to configure the system.

Enter Configuration Mode

We need to enter configuration mode to configure our initial setup.

configure


You should notice that your prompt changed to have a ‘#’ at the end of it. This signals that we are in Conf Mode.

vyos@vyos:~$ configure 
vyos@vyos#

Setting the System Hostname

It’s a good idea to set the Hostname of the system to something that is easily identifiable. I am going to name mine based on the device model (GK41). Just name yours whatever makes sense to you.

set system host-name GK41


After entering the command, the change is not complete yet. VyOS uses a concept called a candidate config, which keeps the changes in memory until you’re sure you’re applying what you meant to apply. We can view the uncommitted changes with either “compare” or “compare commands”.

vyos@vyos# compare 
- host-name "vyos"
+ host-name "GK41"

vyos@vyos# compare commands
delete system host-name 'vyos'
set system host-name 'GK41'


Once you’re confident you’re making the changes you intend, you can type “commit” to commit the changes.

commit


The changes are now active, but are not permanent. You will need to save the configuration to ensure they survive a reboot.

save


If you’re confident that the changes you’re making are good, you can do both of those actions in one step like this.

commit;save


Additionally, if you’re not confident in the changes you’re making, you can do a “commit-confirm”. This commits the changes and starts a timer (5 minutes in the example below). If you are not able to type “confirm” before the timer expires, the router reboots to the last saved configuration.

admin@GK41# commit-confirm 5

You should save previous commits before commit-confirm !

commit-confirm will automatically reboot in 5 minutes unless changes
are confirmed.

Proceed ? [Y/n] y
Initialized commit-confirm; 5 minutes to confirm before reboot

admin@GK41# confirm
Reboot timer stopped


You will need to log out and log back in to see the hostname updated. You can do that by typing ‘exit’ until you return to the login prompt.

vyos@vyos# exit
vyos@vyos:~$ exit

Welcome to VyOS - GK41 ttyS0

GK41 login: vyos
Password:

vyos@GK41:~$

Disable VyOS as NTP Server

By default, VyOS will allow clients to use it as an NTP server. This will generally not be desired for home use, so I recommend deleting that capability. We can do that by deleting the “allow-client” section from the NTP config. You can see what is configured for NTP by looking at the specific configuration from Conf Mode.

vyos@GK41# show service ntp
allow-client {
address 127.0.0.0/8
address 169.254.0.0/16
address 10.0.0.0/8
address 172.16.0.0/12
address 192.168.0.0/16
address ::1/128
address fe80::/10
address fc00::/7
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}


To delete the allow-client section, we just need to type “delete” instead of “set”. You can delete full sections, or just individual lines. I don’t want that section, so I’m going to delete the full section.

delete service ntp allow-client 

vyos@GK41# compare commands
delete service ntp allow-client address '127.0.0.0/8'
delete service ntp allow-client address '169.254.0.0/16'
delete service ntp allow-client address '10.0.0.0/8'
delete service ntp allow-client address '172.16.0.0/12'
delete service ntp allow-client address '192.168.0.0/16'
delete service ntp allow-client address '::1/128'
delete service ntp allow-client address 'fe80::/10'
delete service ntp allow-client address 'fc00::/7'

commit


After committing, we should see that we no longer have that portion of the configuration.

vyos@GK41# show service ntp 
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}

Change the NTP servers

The default NTP servers for VyOS are based in the US, Germany, and Singapore (within AWS). It’s best to use servers that are geographically close to you, so I recommend using servers from pool.ntp.org. I am going to use only US-based ones, since that’s where I’m located. You can just use “pool.ntp.org” and it will “try” to find the closest server to you, or you can try to find the server pool for your country by going here: https://www.ntppool.org/zone/@

delete service ntp server
set service ntp server 0.us.pool.ntp.org
set service ntp server 1.us.pool.ntp.org
set service ntp server 2.us.pool.ntp.org
set service ntp server 3.us.pool.ntp.org

vyos@GK41# compare commands
delete service ntp server time1.vyos.net
delete service ntp server time2.vyos.net
delete service ntp server time3.vyos.net
set service ntp server 0.us.pool.ntp.org
set service ntp server 1.us.pool.ntp.org
set service ntp server 2.us.pool.ntp.org
set service ntp server 3.us.pool.ntp.org

commit

vyos@GK41# show service ntp
server 0.us.pool.ntp.org {
}
server 1.us.pool.ntp.org {
}
server 2.us.pool.ntp.org {
}
server 3.us.pool.ntp.org {
}

Creating a New Admin Account

If you remember, I said we’d be deleting that “vyos” user later. Well, we need to first create another account before we’re able to delete that account.


I’m going to create a user called “admin”, with a password that is also “admin”. For your actual home router, make sure the user is an uncommon name, and that the password is strong. Don’t use usernames like “root”, “admin”, “superuser”, etc…


You’ll notice that VyOS replaces the password you entered with a salted hash, which it stores as “encrypted-password” (the $6$ prefix marks SHA-512 crypt). This keeps the password itself out of the config, so someone who is able to see your config cannot simply read it.

set system login user admin authentication plaintext-password admin

vyos@GK41# compare commands

set system login user admin authentication encrypted-password '$6$rounds=656000$tJ5aoY4kq4lCYogZ$JD6q8xj.0DHRI.SHRvZ8Oi68kbVdFKa88JEPnTK2.r1jFSAK4MIOiwfkOm4p50XxjXXvxMAq94s752jk2c.FR0'

commit


You’ll need to exit back to the login prompt to log in to the new user account.

vyos@GK41# exit
vyos@GK41:~$ exit

Welcome to VyOS - GK41 ttyS0

GK41 login: admin
Password:
Welcome to VyOS!
admin@GK41:~$


Once we’ve verified that the new user account works, we can delete the “vyos” account.

delete system login user vyos 

admin@GK41# compare commands
delete system login user vyos authentication encrypted-password '$6$rounds=656000$5bkOiCnQKexumAdV$kMz/L7ajQBiz0ITkVIDAbaCA.Aoq1tYOsiT9QYfp6S3Gdf19NBOlgYybdLFEKADQG9eL3h4yedXyLAqEn2Y3M.'
delete system login user vyos authentication plaintext-password ''

commit

admin@GK41# show system login user
user admin {
authentication {
encrypted-password $6$rounds=656000$tJ5aoY4kq4lCYogZ$JD6q8xj.0DHRI.SHRvZ8Oi68kbVdFKa88JEPnTK2.r1jFSAK4MIOiwfkOm4p50XxjXXvxMAq94s752jk2c.FR0
}
}
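
The hardening steps above can be checked offline against an exported config. The script below is an added example, not part of the original post or of VyOS: it reads lines in the same “set” format that “compare commands” prints, and the finding messages, the function name and the sample configs (with placeholder salts and digests) are assumptions made for illustration.

```python
import shlex

# Usernames the article says to avoid on a real router.
COMMON_USERS = {"root", "admin", "superuser"}

def audit(config_text):
    """Return sorted findings for VyOS config lines in 'set' format."""
    findings = set()
    for raw in config_text.splitlines():
        tok = shlex.split(raw)  # strips the single quotes VyOS puts around values
        if len(tok) < 3 or tok[0] != "set":
            continue
        path = tok[1:]
        if path[:3] == ["system", "login", "user"] and len(path) > 3:
            user, rest = path[3], path[4:]
            if user == "vyos":
                findings.add("default 'vyos' account still exists")
            elif user in COMMON_USERS:
                findings.add(f"commonly guessed username '{user}'")
            if rest[:2] == ["authentication", "plaintext-password"] and rest[2:] not in ([], [""]):
                findings.add(f"plaintext password stored for '{user}'")
            if rest[:2] == ["authentication", "encrypted-password"] and len(rest) > 2:
                if not rest[2].startswith("$6$"):  # $6$ = SHA-512 crypt, as in the article
                    findings.add(f"'{user}' hash is not SHA-512 crypt")
        elif path[:3] == ["service", "ntp", "allow-client"]:
            findings.add("NTP allow-client present: router serves time to clients")
        elif path == ["system", "host-name", "vyos"]:
            findings.add("host-name is still the default 'vyos'")
    return sorted(findings)

# Constructed sample inputs; salts and digests are placeholders, not real hashes.
FRESH = """
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '192.168.0.0/16'
set service ntp server time1.vyos.net
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$rounds=656000$SALT$DIGEST'
set system login user vyos authentication plaintext-password ''
"""
AFTER_PART_1 = """
set service ntp server 0.us.pool.ntp.org
set system host-name 'GK41'
set system login user admin authentication encrypted-password '$6$rounds=656000$SALT$DIGEST'
"""

if __name__ == "__main__":
    for name, cfg in (("fresh install", FRESH), ("after part 1", AFTER_PART_1)):
        print(name, "->", audit(cfg) or "no findings")
```

The demo config from this post still produces one finding, because “admin” is one of the usernames to avoid on a real router.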

Conclusion

That is all for Part 1. In Part 2 of the series, we will be configuring IP access to our provider and securing traffic to/from the provider with the VyOS firewall.

Video

My friend has been turning these posts into YouTube videos. You can check out this video here:
