VyOS as a VPN Concentrator


#1

We’re looking at replacing some Cisco 2911 routers that are handling Cisco AnyConnect VPN with VyOS.

This will be for around 300 road warriors that connect daily.

The box does not sit directly on the WAN; instead it will have a 1:1 NAT mapping on the edge firewall, and the ports that are needed will be opened. Obviously, for the routing part I just put a static route on VyOS for 0.0.0.0 to go to the closest router, and on the other routers a static route for the VPN subnet to VyOS.

But the VyOS VM will only have one NIC, since it will be using that for the static NAT mapping. How do I configure VyOS for this case? Also, what about the VPN (we’d like to use one that uses the native Windows client)? We would also like to set up authentication to LDAP based on group membership. It’s a single group, and there are no subnet security policies based on group: if they are allowed in, they get to any subnet.

Thanks for any guidance; I’m new to VyOS.


#2

One NIC shouldn’t be a problem; just configure the IP address and the required routes.
With the native Windows client restriction, you can use L2TP or PPTP; L2TP is preferred as being more secure.
Map the appropriate ports (1701, 500 and 4500 UDP).
For authentication, use RADIUS (requires NPS on Windows Server).
When setting up clients manually, you can’t push routes to them like you’re used to in the AnyConnect method.
But you can when using CMAK to set up clients.
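A VyOS configuration that follows the advice in this thread (single NIC with a default route toward the nearest internal router, L2TP/IPsec remote access with NAT traversal, users authenticated against NPS over RADIUS) is shown below as an added example; it is not something posted by either participant. It assumes VyOS 1.2 (crux) command syntax and uses made-up addresses: 10.10.10.2/24 for the VyOS NIC, 10.10.10.1 for the closest router, 192.168.200.0/24 as the client pool, 10.10.20.10 as the internal DNS server and 10.10.20.5 as the NPS/RADIUS server. Both secrets are placeholders.

```vyos
configure

# Single NIC: one address and one default route toward the closest
# internal router. The edge firewall's 1:1 NAT maps the public IP to
# 10.10.10.2 and forwards UDP 500, 4500 and 1701 to it.
set interfaces ethernet eth0 address '10.10.10.2/24'
set protocols static route 0.0.0.0/0 next-hop '10.10.10.1'

# IPsec on the only interface. NAT traversal is needed because VyOS sits
# behind the 1:1 NAT and most road warriors are behind NAT as well.
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'

# L2TP/IPsec remote access. outside-address is the private address the
# edge NAT maps to; the built-in Windows client uses a pre-shared key.
set vpn l2tp remote-access outside-address '10.10.10.2'
set vpn l2tp remote-access outside-nexthop '10.10.10.1'
set vpn l2tp remote-access client-ip-pool start '192.168.200.10'
set vpn l2tp remote-access client-ip-pool stop '192.168.200.250'
set vpn l2tp remote-access dns-servers server-1 '10.10.20.10'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'REPLACE-WITH-PSK'

# Authenticate users against NPS via RADIUS. The single-group membership
# check is enforced in the NPS network policy, not on VyOS.
set vpn l2tp remote-access authentication mode 'radius'
set vpn l2tp remote-access authentication radius server 10.10.20.5 key 'REPLACE-WITH-RADIUS-SECRET'

commit
save
```

Two things outside VyOS complete the picture: the edge firewall's 1:1 NAT must pass UDP 500, 4500 and 1701 to 10.10.10.2, and every other internal router needs a static route for the client pool (192.168.200.0/24 in this example) with 10.10.10.2 as the next hop, since VyOS has no second interface on which to originate that traffic.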