I am working on a project to setup a HA VPN endpoint and came across vyos. Vyos looks like a super useful tool but for my use case it would only be terminating remote access VPNs. Are there any significant benefits to using vyos as opposed to dedicated strongswan servers?
To throw something else in here real quick, at first glance it looks like the CLI doesn’t provide a means to configure all of the options for ipsec.conf that I am currently using in my test strongswan setup. Is it acceptable to directly edit the ipsec.conf file on the vyos? I was looking at some examples here ( GitHub - vyos/vyos-strongswan ) and it looks like that is what they were doing for the different scenarios. However, I noticed that any modification of the VPN config through the CLI overwrites the strongswan configurations.
Hello,
it’s difficult to say if VyOS better or worse than raw StrongS/WAN in your particular case,
since we don’t know details
Current stable version(e.g. 1.1.x) is based on old StrongS/WAN
Current beta version(1.2.0) use much fresh StrongS/WAN
it’s not supported to edit config manually since it will be overwritten
but there are some workarounds,
which options are missing ?
The one thing that I needed was the ability to assign IPs based on the client configuration. On the client side I set the sourceip and on the server side I have it setup sourceip=%config so that I can pin IPs per client. The only way that I can assign a specific IP, from what I have seen, is with L2TP remote access VPNs.
I just combed through my config again and I think that is it.
Remote access IPsec without L2TP is not very popular, I think you may be the first person ever to request it. It’s by no means a bad or invalid scenario though, the sole reason we don’t have CLI for it is that none of us uses it and no one asked for it either.
If you have any idea what the CLI for it should be, please share.
Whether VyOS or pure StrongSWAN is better for your case, well, if StrongSWAN is all you need and you are comfortable with managing it by hand, I see absolutely nothing wrong with it. Myself I often use VyOS where a normal linux box would suffice, for additional features such as config archive and revisions, but it can be done with e.g. etckeeper as well. The case where VyOS really makes a difference to me is integrating multiple features, this can easily become annoying if done by hand, when config for multiple things need to be kept in sync.