Finally, VyOS Stream was released in the first quarter of this year!
Unlike the rolling release, the stream branch will only receive features we can confidently include in future LTS releases.

[image: vyos-stream]

I used it to do some testing in my home lab, so here it is.

Preparation

I used two VM nodes for this home lab project, each with 1 core, 1 GB of memory and a 10 GB root disk, running VyOS 1.5 Stream 2025 Q1.

| Node Hostname | Node Role        | vCPU   | Memory | Root Disk | privateNet   |
|---------------|------------------|--------|--------|-----------|--------------|
| btnlab01rtr01 | Master Router    | 1 Core | 1 GB   | 10 GB     | 10.78.78.251 |
| btnlab01rtr02 | Secondary Router | 1 Core | 1 GB   | 10 GB     | 10.78.78.251 |

Interface and network mapping:

  • eth0 198.51.100.253/24 gateway 198.51.100.254 for virtual IP public network
  • eth1 10.78.78.0/24 gateway 10.78.78.254 for private network

Installation

Unfortunately, VyOS Stream only provides generic ISO images; there is no additional flavor. So the only way right now is to boot the ISO from the virtual machine's CD-ROM. Once it has booted, log in to the live ISO with the default user vyos and password vyos and run install image, following the prompts as shown in the image below:

[image: install-image]

Then reboot and remove the ISO from the CD-ROM.

Initialize Setup

Execute on all nodes.
Enter configuration mode with the configure command.

In this section we apply the common (global) configuration for each router.

set service ssh port 22
set system name-server 1.1.1.1
set system name-server 1.0.0.1
set system time-zone Asia/Jakarta
set system option reboot-on-panic
set system option time-format 24-hour
set system option performance throughput
del service ntp
set service ntp server time.cloudflare.com

Additionally, add banners shown before and after login.

set system login banner post-login "=============================================================================================================\nATTENTION!! UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.\nYou must have explicit, authorized permission to access or configure this device.\nUnauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n============================================================================================================="

set system login banner pre-login "=============================================================================================================\nATTENTION!! UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.\nYou must have explicit, authorized permission to access or configure this device.\nUnauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n============================================================================================================="

Additionally, replace the default vyos user: create the user vikiadm and add an SSH public key (remove the vyos account once the new login has been verified).

set system login user vikiadm authentication encrypted-password '$6$rounds=4096$Fp08IS0HCcUvA0ln$3h.4UN9EXy4Pevt8McdNqajmpDxax2cvg6k01lnxCdZgI8d4AS833fSdnHH70dDFf2zkhmJT3fnGc0ZQLV1Eh1'
set system login user vikiadm authentication public-keys [email protected] type ssh-ed25519
set system login user vikiadm authentication public-keys [email protected] key AAAAC3NzaC1lZDI1NTE5AAAAIHgl+ZYCgd4eq+aMMO4uD9sjFv+tjFKFfAk+cvaYxzcq

Configure the common firewall and NAT rules. For now we accept every protocol arriving on eth1 from the private network group; note that rule 100 accepts SSH on port 22 without an interface restriction, so it also matches the public side on eth0. The network-group privateNet that rule 99 references must be defined before the commit.

set firewall group network-group privateNet address 10.78.78.0/24

set firewall ipv4 input filter default-action drop

set firewall ipv4 input filter rule 10 action accept
set firewall ipv4 input filter rule 10 protocol icmp
set firewall ipv4 input filter rule 10 state established
set firewall ipv4 input filter rule 10 state related
set firewall ipv4 input filter rule 10 state new

set firewall ipv4 input filter rule 99 action accept
set firewall ipv4 input filter rule 99 protocol all
set firewall ipv4 input filter rule 99 inbound-interface name eth1
set firewall ipv4 input filter rule 99 source group network-group privateNet
set firewall ipv4 input filter rule 99 description allow-privateNet

set firewall ipv4 input filter rule 100 action accept
set firewall ipv4 input filter rule 100 protocol tcp
set firewall ipv4 input filter rule 100 destination port 22
set firewall ipv4 input filter rule 100 description allow-ssh

set nat source rule 100 description privateNet
set nat source rule 100 source address 10.78.78.0/24
set nat source rule 100 outbound-interface name eth0
set nat source rule 100 translation address masquerade

Don't forget to commit the current set of changes and save the configuration.

High Availability Transition Scripts

Create transition scripts for the VRRP service to handle the public IP and the default gateway for the private network: when a node becomes master, its default route moves to the public gateway; when it falls back to backup or fault, the default route points at the private VIP instead.

Transition script for becoming master

cat <<'EOF' | tee /config/scripts/vrrp-master.sh
#!/bin/vbash
# Re-exec under the vyattacfg group so the configuration session is permitted.
# The quoted heredoc delimiter above keeps "$(id -g -n)" from being expanded
# while the file is written; it must be evaluated when the script runs.
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

source /opt/vyatta/etc/functions/script-template

configure
del protocols static route 0.0.0.0/0 next-hop 10.78.78.254
set protocols static route 0.0.0.0/0 next-hop 198.51.100.254
commit
save
exit
EOF
chmod +x /config/scripts/vrrp-master.sh

Transition script for becoming backup or fault

cat <<'EOF' | tee /config/scripts/vrrp-backup.sh
#!/bin/vbash
# Re-exec under the vyattacfg group so the configuration session is permitted.
# Quoted heredoc delimiter: "$(id -g -n)" is evaluated at run time, not here.
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

source /opt/vyatta/etc/functions/script-template

configure
del protocols static route 0.0.0.0/0 next-hop 198.51.100.254
set protocols static route 0.0.0.0/0 next-hop 10.78.78.254
commit
save
exit
EOF
chmod +x /config/scripts/vrrp-backup.sh

Master Router

Execute on the master only.
Enter configuration mode with the configure command.

Set up the hostname, interface descriptions and IP address.

set system host-name btnlab01vrtr01
set interfaces ethernet eth0 description publicNet
set interfaces ethernet eth1 description privateNet
set interfaces ethernet eth1 address 10.78.78.251/24

Set up config-sync towards the secondary router. At this point only a few configuration sections need to be synchronized, selected with the section nodes.

set service config-sync mode load
set service config-sync secondary address 10.78.78.252
set service config-sync secondary port 22940
set service config-sync secondary key config-sync-key

set service config-sync section firewall
set service config-sync section nat
set service config-sync section pki
set service config-sync section policy
set service config-sync section vpn
set service config-sync section service ntp
set service config-sync section qos interfaces
set service config-sync section qos policy
set service config-sync section interfaces wireguard
set service config-sync section system time-zone
set service config-sync section system option
set service config-sync section system static-host-mapping

Setting up high-availability VRRP with the secondary router is basically like a keepalived configuration. A higher priority value increases the router's precedence in the master election.

set high-availability vrrp group defaultHA interface eth1
set high-availability vrrp group defaultHA hello-source-address 10.78.78.251
set high-availability vrrp group defaultHA peer-address 10.78.78.252
set high-availability vrrp group defaultHA address 10.78.78.254/24 interface eth1
set high-availability vrrp group defaultHA address 103.150.80.130/28 interface eth0
set high-availability vrrp group defaultHA no-preempt
set high-availability vrrp group defaultHA priority 101
set high-availability vrrp group defaultHA track interface eth1
set high-availability vrrp group defaultHA vrid 96

set high-availability vrrp sync-group sync member defaultHA
set high-availability vrrp sync-group sync health-check ping 10.78.78.252
set high-availability vrrp sync-group sync health-check interval 10
set high-availability vrrp sync-group sync health-check failure-count 3
set high-availability vrrp sync-group sync transition-script master '/config/scripts/vrrp-master.sh defaultHA'
set high-availability vrrp sync-group sync transition-script fault '/config/scripts/vrrp-backup.sh defaultHA'
set high-availability vrrp sync-group sync transition-script backup '/config/scripts/vrrp-backup.sh defaultHA'

Configure conntrack-sync and enable helpers

set service conntrack-sync accept-protocol tcp
set service conntrack-sync accept-protocol udp
set service conntrack-sync accept-protocol icmp
set service conntrack-sync event-listen-queue-size 8
set service conntrack-sync failover-mechanism vrrp sync-group sync
set service conntrack-sync interface eth1
set service conntrack-sync mcast-group 224.0.0.50
set service conntrack-sync sync-queue-size 8

Conntrack-sync is what makes the failover stateful: without connection-tracking synchronization, the backup firewall would see every active connection as "new" after failover and could drop the session (e.g. VPN, banking).

Don't forget to commit the current set of changes and save the configuration.

Secondary Router

Execute on the secondary only.
Enter configuration mode with the configure command.

Set up the hostname, interface descriptions and IP address.

set system host-name btnlab01vrtr02
set interfaces ethernet eth0 description publicNet
set interfaces ethernet eth1 description privateNet
set interfaces ethernet eth1 address 10.78.78.252/24

Set up the HTTPS service so config-sync can reach the secondary's API. It listens on the secondary's own private address and admits only the master; the API key must be the same key the master was given under config-sync secondary key (the key id name is arbitrary).

set service https port 22940
set service https listen-address 10.78.78.252
set service https allow-client address 10.78.78.251
set service https api keys id config-sync key config-sync-key

Setting up high-availability VRRP with the master router is basically like a keepalived configuration. A higher priority value increases the router's precedence in the master election.

set high-availability vrrp group defaultHA interface eth1
set high-availability vrrp group defaultHA hello-source-address 10.78.78.252
set high-availability vrrp group defaultHA peer-address 10.78.78.251
set high-availability vrrp group defaultHA address 10.78.78.254/24 interface eth1
set high-availability vrrp group defaultHA address 103.150.80.130/28 interface eth0
set high-availability vrrp group defaultHA no-preempt
set high-availability vrrp group defaultHA priority 100
set high-availability vrrp group defaultHA track interface eth1
set high-availability vrrp group defaultHA vrid 96

set high-availability vrrp sync-group sync member defaultHA
set high-availability vrrp sync-group sync health-check ping 10.78.78.251
set high-availability vrrp sync-group sync health-check interval 10
set high-availability vrrp sync-group sync health-check failure-count 3
set high-availability vrrp sync-group sync transition-script master '/config/scripts/vrrp-master.sh defaultHA'
set high-availability vrrp sync-group sync transition-script fault '/config/scripts/vrrp-backup.sh defaultHA'
set high-availability vrrp sync-group sync transition-script backup '/config/scripts/vrrp-backup.sh defaultHA'

Don't forget to commit the current set of changes and save the configuration.
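Before committing on both routers it is worth cross-checking the two configurations against each other, since most HA failures here come from values that must mirror each other (peer addresses, VRID, VIPs, the config-sync target and the HTTPS listener on the secondary). The following Python script is an added example, not part of the original post or of VyOS: it parses plain set lines from both nodes and reports the mismatches; the sample lines are constructed to mirror this lab, with the secondary's https listen-address and allow-client swapped.

```python
def parse_set_lines(text):
    """Map each 'set <path> <value>' line to {path: value}, quotes stripped."""
    cfg = {}
    for line in text.splitlines():
        tokens = line.strip().replace("'", "").split()
        if len(tokens) > 2 and tokens[0] == "set":
            cfg[" ".join(tokens[1:-1])] = tokens[-1]
    return cfg

def check_pair(master_text, secondary_text, group="defaultHA"):
    """Return findings for a master/secondary pair; [] means consistent."""
    m, s = parse_set_lines(master_text), parse_set_lines(secondary_text)
    g = f"high-availability vrrp group {group} "
    eth1 = lambda c: c.get("interfaces ethernet eth1 address", "").split("/")[0]
    m_ip, s_ip = eth1(m), eth1(s)
    # VIP paths end '... address <vip> interface' with the interface as the value.
    vips = lambda c: {p.split()[-2] for p in c if p.startswith(g + "address ")}
    checks = [
        (m.get(g + "vrid") != s.get(g + "vrid"), "VRID differs between routers"),
        (m.get(g + "priority") == s.get(g + "priority"), "priorities are equal"),
        (vips(m) != vips(s), "virtual address sets differ between routers"),
        (m.get(g + "peer-address") != s_ip or s.get(g + "peer-address") != m_ip,
         "peer-address does not point at the other router's eth1 address"),
        (m.get("service config-sync secondary address") != s_ip,
         "config-sync secondary address is not the secondary's eth1 address"),
        (s.get("service https listen-address") != s_ip,
         "secondary https listen-address is not its own eth1 address"),
        (s.get("service https allow-client address") != m_ip,
         "secondary https allow-client does not permit the master"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample lines (only the ones the checks read), mirroring the lab above.
MASTER = """
set interfaces ethernet eth1 address 10.78.78.251/24
set service config-sync secondary address 10.78.78.252
set high-availability vrrp group defaultHA peer-address 10.78.78.252
set high-availability vrrp group defaultHA address 10.78.78.254/24 interface eth1
set high-availability vrrp group defaultHA priority 101
set high-availability vrrp group defaultHA vrid 96
"""
# Secondary with https listen-address and allow-client swapped.
SECONDARY_SWAPPED = """
set interfaces ethernet eth1 address 10.78.78.252/24
set service https listen-address 10.78.78.251
set service https allow-client address 10.78.78.252
set high-availability vrrp group defaultHA peer-address 10.78.78.251
set high-availability vrrp group defaultHA address 10.78.78.254/24 interface eth1
set high-availability vrrp group defaultHA priority 100
set high-availability vrrp group defaultHA vrid 96
"""
```

Running check_pair(MASTER, SECONDARY_SWAPPED) reports the two HTTPS findings and nothing else; feed it the output of show configuration commands from each router to check a real pair.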

Operational Commands

If you run these commands in configuration mode, prefix them with run.

To see the firewall rules, run show firewall and show firewall statistics.

[image: firewall-input-filter]

To see the NAT masquerade rules, run show nat source rules and show nat source statistics.

[image: nat-masquerade]

To see the high availability status, run show vrrp and show vrrp statistics.

[image: ha-status]

If you want to test the virtual IP transition, run restart vrrp.

In my experience, testing this VyOS Stream release is very comfortable, with better performance than the rolling releases that must be tested periodically. I think this is enough to do a PoC in a staging environment before implementing it directly in the production environment. In the future, I might use it as a reverse proxy server and VPN server in combination with prepared automation systems such as the API, Ansible, Terraform, cloud-init, etc.
