VyOS ... is it Vyable?
See what I did there? Yeah, I know. Pretty lame …
I’ve been providing networking services for quite a while now. It all started with Data Generic’s Generic Barracks in the early 80’s, which was my 24-hour BBS running on the venerable Commodore 64. Over the past few decades I’ve leveraged a bunch of other technologies and products to provide networking services for customers. This includes Bay/Nortel/Juniper/ADTRAN/Cisco/NetWare/Microsoft/Linux and pretty much all the BSD flavors. And probably a bunch more I’ve forgotten. But for nearly 2 decades now I’ve leveraged OpenBSD for nearly everything; it is tiny, fast, secure, and simple. It is an absolutely fantastic fit for all manner of network services.
After having used the UniFi line of Ubiquiti products for several large and small wireless deployments, and loving their management software, I started looking at their switching and routing products as well. Their switches and security Gateways can be managed by their controller software, which can be installed on your own server or managed in the cloud using a tiny little cloud key. Overall, the capabilities afforded by this solution are very good indeed.
More complex management can be achieved via command-line interface, and that is of course what I gravitate toward. For example, I found that the USG cannot be configured to use multiple external ip addresses using the controller software - but doing so via command-line is definitely possible. This was a need for me, so learning the command-line interface was a must. My first thought was that the interface reminded me a lot of Cisco and Juniper. It is in fact based on a fork of Vyatta that Ubiquiti calls EdgeOS. After learning a bit of that and really liking it, I ran across VyOS - which was also a fork of Vyatta and designed to run on commodity hardware. The same hardware I currently leverage for OpenBSD network appliances. So that piqued my interest - spawning a project to see whether VyOS could potentially be a viable replacement for OpenBSD in some of my use cases, and whether it might be a better fit in any particular case. You know, right tool for the job and all that.
For VyOS to be a viable replacement for my typical OpenBSD deployments, it must provide all of the following:
- Stateful packet filter (firewall)
- VPN endpoint for remote access
- VPN endpoint for site-to-site connections
- NAT gateway to hide internal networks
- PAT for “publishing” internal services externally
- Bonded, bridged, trunked and tunnel interfaces
- Multiple routing protocols
- DHCP for multiple VLANs
- NTP for local hosts
- Authoritative DNS for internal namespaces
- Caching DNS forwarder for external namespaces
- The ability to cluster some/all services
All of these seem to be possible, and I’ll provide examples in another post or two. There are several instances where I like OpenBSD much better, but VyOS has a few niceties of its own. One of these is backup/recovery. While OpenBSD leverages very simple and intelligent configuration files, VyOS piles it all into one file (
/config/config.boot). To me, that’s a big win for OpenBSD from a configuration standpoint; but the ability to recover an entire VyOS system configuration with a single file is a pretty decent argument. This is one way VyOS is purposefully designed to mimic the hardware routers which some of us are already familiar with.