Moving from OPNSense: some advice

alexago · November 22, 2017, 1:45pm

Hi,

I am using OPNSense but I started to explore some other solutions (Linux based) and I found VyOS.

Before to start a deep exploration of VyOS features (until now I simply installed it in a ESXi VM), I would like to get some help to be sure to choose right way.

My current configuration is:

OPNSense 17.7.7, with 1 WAN and 1 LAN (both 1 Gbps), on a ESXi VM (X86 64 bit, 4 core, 4 GB RAM)
3OpenVPN connections (my router is a OpenVPN client to a VPN provider), with dynamic remote address

I need to:

route LAN traffic to a specific openvpn connection
route LAN traffic to any openvpn connections (round robin)
route LAN traffic to WAN port

according to source,destination IP address (or range) or port.

I use multiple openvpn connections to maximize traffic performance (openvpn is single thread, so a single vpn connection is limited, in the best scenario, to a 100-120Mbps with my CPU).

I am starting to learn about VyOS routing, PBR, firewall, tunneling but at this moment I need only some advice if this configuration is doable with VyOS.

Thanks in advance

pirateghost · November 22, 2017, 2:44pm

I don’t see why this isn’t possible to do.

alexago · November 22, 2017, 7:18pm

Ok, thanks: I will try to implement this cfg but I have only a doubt about openvpn connections: VPN’s remote address is not static but change (potentially) every time (to establish a VPN connection I use hostname with multiple IP addresses)

Just another question: do you think will be possible to add Wireguard protocol? I found it very useful and I would like to test in a router (I already tried on ubuntu)

Thanks again

Alex

pirateghost · November 23, 2017, 12:55am

you can use DNS hostnames. You don’t have to use IP addresses.

As for Wireguard, I don’t think it is a good idea to install something that will directly modify the /etc/network/interfaces, and it certainly won’t work within the VyOS command structure. Is there some reason normal OpenVPN will not work for you?

alexago · November 23, 2017, 12:51pm

OpenVPN works (although with vyos I still have to configure vpn connections) but I hate not being able to use it all internet bandwidth nor cpu power, because of the fact that openvpn is monothread and also wireguard seems to deliver performance far superior to openvpn.

I found a wireguard’s port to vyatta (GitHub - Lochnair/vyatta-wireguard) for ubiquiti edgerouter: do you think will be possible to adapt it to vyos?

Alex

pirateghost · November 25, 2017, 9:01pm

what makes you think you can’t use all internet bandwidth?

That wireguard port for EdgeRouter is designed and built for the MIPS/Octeon platform the edgerouter is built on. It will not work in a standard x86 environment