Choosing the Right VPN Solution for VyOS
VyOS is a Debian-based, headless network operating system aimed at network administrators and infrastructure engineers rather than desktop users. It employs the familiar apt package manager under the hood, but most configuration is done through its unified CLI (“configure” mode), with changes committed and saved into a central configuration database. There’s no default desktop environment—everything runs in the console, and persistent storage is immutable apart from your committed configuration. Because VyOS acts as a dedicated router/firewall, you need VPN software that:
- Integrates cleanly with the CLI configuration model
- Is lightweight and performant on low-resource hardware
- Can be installed via apt or is already baked into VyOS images
- Has strong community support and documentation
In practice, three solutions stand out:
- WireGuard – now built into VyOS 1.3 kernels, ultra-fast, minimal configuration overhead.
- StrongSwan IPsec – native IPsec support in VyOS, mature and enterprise-grade for site-to-site tunnels.
- OpenVPN – flexible, widely supported by providers, easy .ovpn import.
Comparison Table
| Solution | Integration | Performance | Configuration Model | Link |
|---|---|---|---|---|
| WireGuard | Native module (VyOS 1.3) | Very high (kernel-space) | CLI “set interfaces wireguard …” | WireGuard.com |
| StrongSwan IPsec | Native (vyos-ipsec) | High (AES-NI, hardware offload) | CLI “set vpn ipsec …” | StrongSwan.org |
| OpenVPN | Debian package | Moderate | /etc/openvpn systemd or manual daemon | OpenVPN.net |
1. WireGuard on VyOS
WireGuard offers the best performance for point-to-point or site-to-site tunnels. On VyOS 1.3 or later it’s already included—you just need to configure it.
Generate key pair on your workstation or on VyOS itself:
```bash
# Restrict the umask first so the private key file is not world-readable;
# the pipeline writes the private key and derives the public key from it
umask 077
wg genkey | tee /config/auth/privatekey | wg pubkey > /config/auth/publickey
```
Copy the public keys between peers, then enter configure mode and set up the interface:
```
configure
set interfaces wireguard wg0 address 10.0.0.1/24
set interfaces wireguard wg0 port 51820
# private-key: VyOS 1.3 expects the name of a keypair created with
# 'generate wireguard named-keypairs'; 1.4 expects the base64 key itself.
# Check 'set interfaces wireguard wg0 private-key ?' on your release.
set interfaces wireguard wg0 private-key file:/config/auth/privatekey
# Peer definition (remote site); VyOS 1.3 spells public-key as 'pubkey'
set interfaces wireguard wg0 peer REMOTE1 public-key PEER_PUBLIC_KEY
set interfaces wireguard wg0 peer REMOTE1 allowed-ips 10.0.0.2/32
# Remote endpoint is given as address + port (203.0.113.5 is a placeholder
# for the public IP of vpn.remote.example.com)
set interfaces wireguard wg0 peer REMOTE1 address 203.0.113.5
set interfaces wireguard wg0 peer REMOTE1 port 51820
commit
save
exit
```
Finally, add routing or firewall rules as needed:
```
configure
# Route via the tunnel peer; table 10 is a policy-routing table and only
# carries traffic once a policy route selects it
set protocols static table 10 route 0.0.0.0/0 next-hop 10.0.0.2
# Allow inbound WireGuard handshakes on the WAN-facing ruleset
set firewall name OUTSIDE_IN rule 100 action accept
set firewall name OUTSIDE_IN rule 100 protocol udp
set firewall name OUTSIDE_IN rule 100 destination port 51820
commit
save
exit
```
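Once the tunnel is committed, the page gives no way to tell whether the peer is actually exchanging handshakes. The following health check is an added example (not part of the original post): it parses the tab-separated output of `wg show wg0 dump` from wireguard-tools (assumed present on the router, as it is on VyOS 1.3+) and flags peers whose last handshake is missing or older than an assumed 180-second threshold; the sample dump is constructed.

```python
"""Parse `wg show wg0 dump` and flag peers with a missing or stale handshake."""
import subprocess
import time
from dataclasses import dataclass

# A peer that is passing traffic (or has persistent-keepalive set) re-handshakes
# at least every ~2 minutes (WireGuard's REKEY_AFTER_TIME); anything older
# means the tunnel is down, the endpoint moved, or the keys no longer match.
STALE_AFTER_SECONDS = 180  # assumed threshold; tune for idle peers

@dataclass
class PeerStatus:
    public_key: str
    endpoint: str
    allowed_ips: str
    handshake_age: int  # seconds since last handshake, -1 if never
    stale: bool

def parse_wg_dump(dump: str, now: int) -> list:
    """Line 1 is the interface (private-key, public-key, port, fwmark); each
    further line is a peer: public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake (Unix ts, 0 = never), rx-bytes, tx-bytes, keepalive."""
    peers = []
    lines = [l for l in dump.splitlines() if l.strip()]
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pubkey, _psk, endpoint, allowed_ips, handshake, _rx, _tx, _ka = fields
        age = now - int(handshake) if int(handshake) > 0 else -1
        peers.append(PeerStatus(pubkey, endpoint, allowed_ips, age,
                                stale=(age < 0 or age > STALE_AFTER_SECONDS)))
    return peers

def stale_peers(dump: str, now: int) -> list:
    return [p.public_key for p in parse_wg_dump(dump, now) if p.stale]

# Constructed sample output; the key strings are placeholders, not real keys.
SAMPLE_NOW = 1_700_000_000
SAMPLE_DUMP = (
    "PRIVATE_KEY_PLACEHOLDER\tLOCAL_PUBKEY_PLACEHOLDER\t51820\toff\n"
    f"PEER_A_PUBKEY\t(none)\t203.0.113.5:51820\t10.0.0.2/32\t{SAMPLE_NOW - 45}\t1048576\t2097152\t25\n"
    "PEER_B_PUBKEY\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
)

if __name__ == "__main__":  # on the router, read the live peer table
    out = subprocess.run(["sudo", "wg", "show", "wg0", "dump"],
                         capture_output=True, text=True, check=True).stdout
    for p in parse_wg_dump(out, int(time.time())):
        print(f"{'STALE' if p.stale else 'ok   '} {p.public_key[:16]} "
              f"endpoint={p.endpoint} allowed={p.allowed_ips} age={p.handshake_age}s")
```

Run it from cron or a monitoring agent on the router; a peer reported STALE while its `allowed-ips` traffic is still expected is the first thing to check before touching firewall or routing.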
2. StrongSwan IPsec on VyOS
VyOS comes with IPsec powered by StrongSwan, ideal for secure site-to-site or road-warrior VPNs.
Example: simple IKEv2 site-to-site.
```
configure
# Listen for IKE on the WAN interface and allow NAT traversal for the LAN subnet
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 192.168.10.0/24
# Phase 1 (IKEv2) parameters; a peer must reference an ike-group
set vpn ipsec ike-group IKE-GROUP key-exchange ikev2
set vpn ipsec ike-group IKE-GROUP lifetime 28800
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 14
# Phase 2 (ESP) parameters
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
# Peer: pre-shared key (replace MySecretPSK with a long random secret),
# respond-only, and the groups defined above
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret MySecretPSK
set vpn ipsec site-to-site peer 203.0.113.1 connection-type respond
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-GROUP
set vpn ipsec site-to-site peer 203.0.113.1 default-esp-group ESP-GROUP
set vpn ipsec site-to-site peer 203.0.113.1 local-address 198.51.100.10
# Bind local and remote subnets
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 192.168.20.0/24
commit
save
exit
```
3. OpenVPN on VyOS
If you need to connect VyOS to a VPN provider, OpenVPN is the most universal choice. First, install the package:
```bash
# Packages installed with apt live in the current image's root filesystem and
# are not carried over by an 'add system image' upgrade; reinstall afterwards
sudo apt-get update
sudo apt-get install openvpn
```
Copy your provider’s .ovpn file into /etc/openvpn/client.conf and start the service:
```bash
sudo cp /path/to/your-vpn-config.ovpn /etc/openvpn/client.conf
sudo systemctl enable openvpn@client
sudo systemctl start openvpn@client
```
Verify the tunnel:
```bash
show interfaces                       # VyOS operational mode: tun0/tun1 should be listed
sudo journalctl -u openvpn@client -f  # follow the daemon log for "Initialization Sequence Completed"
```
And then adjust VyOS policies or NAT rules so that select LAN traffic routes through tun0 or tun1 as required.
By choosing one of these three—especially WireGuard for point-to-point speed or StrongSwan for mission-critical IPsec—you’ll have a rock-solid VPN running on VyOS with minimal fuss. Happy routing from London!