VyOS Edge Router — Configuration Documentation
Hostname: vyos-edge
Timezone: Europe/Berlin
VyOS Release: 2025.11
Table of Contents
- Network Overview
- Physical Interfaces
- IP Addressing
- Firewall — Groups
- Firewall — Global Input Filter
- Firewall — Global Forward Filter
- NAT
- Routing
- VPN — IPsec Site-to-Site
- Services
- System
Network Overview
Internet
│
│ eth0 — 159.195.87.143/22 (primary WAN)
│ 152.53.173.192/32 (secondary public IP)
│ GW: 159.195.84.1
┌───┴──────────────────────────────────────────┐
│ vyos-edge (VPS) │
│ │
│ vti0 (10.255.255.1/30) — IPsec to Home │
└──────────────────────────────────────────────┘
│
IPsec VPN
│
vyos-fw (Home)
10.255.255.2/30
10.69.0.0/16
This is a cloud-hosted VPS router that acts as a public-facing gateway for services running in the home network. It:
- Terminates a site-to-site IPsec VPN back to the home router
- Port-forwards public traffic to home network services via the tunnel
- Uses a secondary public IP (152.53.173.192/32) dedicated to specific home-hosted services
- Enforces a strict stateful firewall permitting only VPN, SSH, and explicitly forwarded ports
Physical Interfaces
| Interface | Description | Address(es) |
|---|---|---|
| eth0 | WAN — Public Internet | 159.195.87.143/22, 152.53.173.192/32 |
| lo | Loopback | — |
| vti0 | IPsec tunnel to Home | 10.255.255.1/30 |
IP Addressing
| Interface / Purpose | IP / Subnet | Notes |
|---|---|---|
| WAN primary | 159.195.87.143/22 | Main public IP, default gateway 159.195.84.1 |
| WAN secondary | 152.53.173.192/32 | Dedicated IP for Mumble, Minecraft, Home Traefik ACME |
| VTI tunnel local | 10.255.255.1/30 | VPS end of IPsec VTI tunnel |
| VTI tunnel remote | 10.255.255.2/30 | Home router end |
| Home network | 10.69.0.0/16 | Reachable via vti0 |
| Home DMZ | 10.69.70.0/24 | Reachable via vti0 (explicit route) |
Firewall — Groups
Network Groups
| Group | Network | Purpose |
|---|---|---|
| BLOCKLIST | 0.0.0.0/32 (placeholder) | Aggregated IP blocklist (auto-updated daily) |
Firewall — Global Input Filter
Controls traffic destined for the router itself (all interfaces). Default action: drop (implicit — only explicitly accepted traffic is allowed).
| Rule | Action | Description |
|---|---|---|
| 1 | accept | Allow established/related |
| 2 | drop | Drop invalid state |
| 5 | drop | Drop blocklisted sources (BLOCKLIST) |
| 8 | accept | Allow ICMP (ping) |
| 9 | accept | Allow SSH from WAN (TCP port 22) |
| 10 | accept | Allow IKE key exchange (UDP port 500) |
| 20 | accept | Allow NAT-T (UDP port 4500) |
| 30 | accept | Allow ESP protocol (IPsec data) |
| 40 | accept | Allow all traffic inbound from vti0 |
Note: There is also a legacy named rule WAN-LOCAL (rule 5) that drops blocklisted IPs with logging. This predates the global input filter and provides an additional logged drop for blocklisted sources.
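The input filter table above, written out as VyOS configuration commands. This is an added example, not the router's exported configuration; it uses VyOS 1.4-style syntax (`firewall ipv4 input filter`, `inbound-interface name`), which is assumed to match the release listed at the top. The default action is set explicitly rather than left implicit, and logging on rule 5 is added here so that blocklist hits are visible in syslog; quoting follows `show configuration commands` style.

```vyos
# Added example: reproduces the Global Input Filter table (VyOS 1.4-style syntax).
# The 0.0.0.0/32 member is the same placeholder the blocklist script later replaces.
set firewall group network-group BLOCKLIST network '0.0.0.0/32'

# Make the implicit default explicit so the policy does not depend on a platform default.
set firewall ipv4 input filter default-action 'drop'

# 1: return traffic for sessions the router itself opened (DNS, NTP upstream, package updates)
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 state 'established'
set firewall ipv4 input filter rule 1 state 'related'

# 2: packets conntrack cannot associate with any flow
set firewall ipv4 input filter rule 2 action 'drop'
set firewall ipv4 input filter rule 2 state 'invalid'

# 5: blocklisted sources are dropped BEFORE any service rule can accept them.
#    Rule order is what makes this effective; numbering it after rule 9 would expose SSH.
set firewall ipv4 input filter rule 5 action 'drop'
set firewall ipv4 input filter rule 5 source group network-group 'BLOCKLIST'
set firewall ipv4 input filter rule 5 log

# 8: ICMP (ping, path MTU discovery)
set firewall ipv4 input filter rule 8 action 'accept'
set firewall ipv4 input filter rule 8 protocol 'icmp'

# 9: SSH from the WAN only
set firewall ipv4 input filter rule 9 action 'accept'
set firewall ipv4 input filter rule 9 inbound-interface name 'eth0'
set firewall ipv4 input filter rule 9 protocol 'tcp'
set firewall ipv4 input filter rule 9 destination port '22'

# 10 / 20 / 30: IKE, NAT-T and ESP for the site-to-site tunnel
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 protocol 'udp'
set firewall ipv4 input filter rule 10 destination port '500'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 protocol 'udp'
set firewall ipv4 input filter rule 20 destination port '4500'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 protocol 'esp'

# 40: anything that already arrived through the authenticated tunnel
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 inbound-interface name 'vti0'
```

After `commit`, `show firewall ipv4 input filter` in operational mode lists the rules with packet and byte counters; a non-zero counter on rule 5 confirms the blocklist group is populated and matching, and a counter stuck at zero on rule 40 after the tunnel is up usually means the VTI traffic is being matched by an earlier rule instead.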
Firewall — Global Forward Filter
Controls traffic transiting through the router. Default action: drop (rule 999).
| Rule | Action | Description |
|---|---|---|
| 1 | accept | Allow established/related |
| 5 | drop (log) | Drop blocklisted source IPs (BLOCKLIST) |
| 10 | accept | Forward all traffic inbound from vti0 |
| 15 | accept + set | MSS clamp TCP SYN outbound on vti0 to 1360 bytes (MTU compensation for VPN) |
| 20 | accept | Forward all traffic outbound to vti0 |
| 999 | drop | Drop everything else |
The forward policy effectively allows only VPN tunnel traffic to pass through — all other forwarding is dropped. Inbound port-forwarded connections (via DNAT) are also subject to this filter; they survive because they traverse vti0 after translation.
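The forward filter from the table above as VyOS commands, again an added example rather than the router's own export, in the same VyOS 1.4-style syntax. The MSS clamp on rule 15 uses the firewall rule `set tcp-mss` option, which is what the "accept + set" action in the table corresponds to; the value 1360 is the 1400-byte VTI MTU minus 40 bytes of IPv4 and TCP headers without options. Setting a `default-action` in addition to the explicit rule 999 is a choice made here, so that the catch-all survives even if rule 999 is ever deleted.

```vyos
# Added example: reproduces the Global Forward Filter table (VyOS 1.4-style syntax).
set firewall ipv4 forward filter default-action 'drop'

# 1: stateful return traffic
set firewall ipv4 forward filter rule 1 action 'accept'
set firewall ipv4 forward filter rule 1 state 'established'
set firewall ipv4 forward filter rule 1 state 'related'

# 5: logged drop of blocklisted sources; evaluated before the tunnel accepts,
#    so a blocklisted client cannot reach a DNAT'd home service either
set firewall ipv4 forward filter rule 5 action 'drop'
set firewall ipv4 forward filter rule 5 source group network-group 'BLOCKLIST'
set firewall ipv4 forward filter rule 5 log

# 10: traffic coming out of the tunnel (home -> Internet)
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 inbound-interface name 'vti0'

# 15: clamp TCP MSS on SYNs entering the tunnel.
#     1400 (vti0 MTU) - 20 (IPv4 header) - 20 (TCP header) = 1360
set firewall ipv4 forward filter rule 15 action 'accept'
set firewall ipv4 forward filter rule 15 protocol 'tcp'
set firewall ipv4 forward filter rule 15 tcp flags 'syn'
set firewall ipv4 forward filter rule 15 outbound-interface name 'vti0'
set firewall ipv4 forward filter rule 15 set tcp-mss '1360'

# 20: everything else heading into the tunnel, which after DNAT includes the
#     port-forwarded public connections (they are already rewritten to 10.69.x.x here)
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 outbound-interface name 'vti0'

# 999: explicit catch-all
set firewall ipv4 forward filter rule 999 action 'drop'
```

Because DNAT runs before the forward filter, a port-forwarded connection is evaluated here with its translated destination and `vti0` as the outbound interface, which is why rule 20 (or rule 15 for the SYN) accepts it without any rule mentioning the public IP. The same effect can be obtained at interface level with `set interfaces vti vti0 ip adjust-mss 1360`; the firewall-rule form is kept here because it is what the table documents.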
NAT
Destination NAT (Port Forwarding)
Inbound connections on eth0 are forwarded to home network services over the VPN tunnel.
| Rule | Destination Address | Port | Protocol | Translated To | Service |
|---|---|---|---|---|---|
| 20 | 152.53.173.192 | 443 | TCP | 10.69.20.40 | HTTPS → Home Traefik (matrix, openclaw, …; SNI-routed) |
| 21 | 152.53.173.192 | 8448 | TCP | 10.69.20.40 | Matrix Federation → Home Traefik |
| 80 | 152.53.173.192 | 80 | TCP | 10.69.20.40 | HTTP → Home Traefik (redirect to HTTPS) |
| 100 | 152.53.173.192 | 64738 | TCP | 10.69.70.10 | Mumble |
| 101 | 152.53.173.192 | 64738 | UDP | 10.69.70.10 | Mumble |
| 110 | 152.53.173.192 | 25565 | TCP | 10.69.70.20 | Minecraft |
All HTTP(S) traffic now lands on Home Traefik (10.69.20.40); Traefik does SNI-based virtual hosting for every public hostname (matrix.helix9.org, openclaw.helix9.org, …). DMZ services with their own ports (Mumble, Minecraft) still DNAT directly to the relevant DMZ host.
Removed in 2026-05 when Matrix TLS was consolidated onto Traefik:
- Rule 22 (:80 → 10.69.70.30) — no longer needed; Traefik uses DNS-01 ACME (Cloudflare), so synapse does not need public :80
- Rule 125 (:443 → 10.69.20.40, OpenClaw, disabled) — redundant with rule 20 now that rule 20 also targets Traefik
See Matrix Homeserver for the current Matrix path.
Source NAT (SNAT)
| Rule | Outbound Interface | Translation | Description |
|---|---|---|---|
| 100 | vti0 | 10.255.255.1 | SNAT all traffic sent into the tunnel to the VTI local address |
This ensures the home router sees the VPS tunnel endpoint as the source, enabling proper return routing.
Routing
| Destination | Next-Hop / Interface | Description |
|---|---|---|
| 0.0.0.0/0 | 159.195.84.1 | Default route via WAN gateway |
| 10.69.0.0/16 | vti0 | Home network via IPsec tunnel |
| 10.69.70.0/24 | vti0 | Home DMZ (explicit, more-specific route) |
VPN — IPsec Site-to-Site
Connects the VPS (vyos-edge) to the home router (vyos-fw) over IKEv2 using a Virtual Tunnel Interface.
| Parameter | VPS (Edge) | Home |
|---|---|---|
| Local ID | vps.helix9.org | home.helix9.org |
| Public IP | 159.195.87.143 | Dynamic (any) |
| Tunnel IP | 10.255.255.1/30 | 10.255.255.2/30 |
| VTI Interface | vti0 | vti0 |
| MTU | 1400 bytes | 1400 bytes |
| Connection type | respond | initiate |
The VPS always responds — it never initiates. The home router is the initiator.
IKE Profile (IKE-HOME)
| Setting | Value |
|---|---|
| Version | IKEv2 |
| Encryption | AES-256 |
| Hash | SHA-256 |
| DH Group | 14 (2048-bit MODP) |
| Lifetime | 28800s (8h) |
| DPD action | restart |
| DPD interval | 30s / timeout 120s |
| Close action | none |
ESP Profile (ESP-HOME)
| Setting | Value |
|---|---|
| Encryption | AES-256 |
| Hash | SHA-256 |
| PFS | DH Group 14 |
| Lifetime | 3600s (1h) |
Authentication: Pre-shared key (PSK ID: helix9).
Bound interface: eth0.
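The VPS side of the tunnel described in the IKE and ESP tables above, as VyOS commands. This is an added example and not the router's export: the peer name `HOME` is an assumption (the page does not name the peer object), the PSK value is a placeholder, and the syntax is VyOS 1.4-style. Everything else (groups, proposals, lifetimes, DPD, identities, connection type) follows the tables.

```vyos
# Added example: VPS end of the site-to-site IPsec tunnel (VyOS 1.4-style syntax).

# Tunnel interface; the MTU is the value the forward filter's MSS clamp is derived from.
set interfaces vti vti0 address '10.255.255.1/30'
set interfaces vti vti0 mtu '1400'
set interfaces vti vti0 description 'IPsec to Home'

# IKE daemon listens on the WAN interface only
set vpn ipsec interface 'eth0'

# IKE profile (phase 1)
set vpn ipsec ike-group IKE-HOME key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HOME lifetime '28800'
set vpn ipsec ike-group IKE-HOME close-action 'none'
set vpn ipsec ike-group IKE-HOME dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-HOME dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-HOME dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-HOME proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HOME proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-HOME proposal 1 dh-group '14'

# ESP profile (phase 2) with PFS so a compromised IKE key does not expose past child SAs
set vpn ipsec esp-group ESP-HOME lifetime '3600'
set vpn ipsec esp-group ESP-HOME pfs 'dh-group14'
set vpn ipsec esp-group ESP-HOME proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HOME proposal 1 hash 'sha256'

# Pre-shared key, bound to both identities. Secret is a PLACEHOLDER.
set vpn ipsec authentication psk helix9 id 'vps.helix9.org'
set vpn ipsec authentication psk helix9 id 'home.helix9.org'
set vpn ipsec authentication psk helix9 secret 'REPLACE-WITH-LONG-RANDOM-PSK'

# Peer object; name HOME is assumed. The VPS only responds because the home
# side has a dynamic address, so remote-address is left as any.
set vpn ipsec site-to-site peer HOME authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer HOME authentication local-id 'vps.helix9.org'
set vpn ipsec site-to-site peer HOME authentication remote-id 'home.helix9.org'
set vpn ipsec site-to-site peer HOME connection-type 'respond'
set vpn ipsec site-to-site peer HOME ike-group 'IKE-HOME'
set vpn ipsec site-to-site peer HOME default-esp-group 'ESP-HOME'
set vpn ipsec site-to-site peer HOME local-address '159.195.87.143'
set vpn ipsec site-to-site peer HOME remote-address 'any'
set vpn ipsec site-to-site peer HOME vti bind 'vti0'
set vpn ipsec site-to-site peer HOME vti esp-group 'ESP-HOME'
```

Two checks are worth doing after commit. `show vpn ipsec sa` should show the peer identified as `home.helix9.org` with an AES-256/SHA-256 child SA; if the SA never establishes, the most common cause with identity-keyed PSKs is a mismatch between the `id` entries under `authentication psk` and the `local-id`/`remote-id` on the peer. And because `remote-address any` accepts an IKE_SA_INIT from anywhere, input rules 10 and 20 are the only thing limiting who may start an exchange, which is why the blocklist drop sits ahead of them.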
Services
SSH
- Port: 22
- Password authentication: disabled (key-only)
- Auth method: Public key — sk-ssh-ed25519@openssh.com (YubiKey hardware-backed)
SSH is permitted from the WAN by the input filter (rule 9). No listen-address restriction — accessible on all interfaces.
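The SSH service settings above as VyOS commands, plus the listen-address restriction the text notes is absent. This is an added example, not the router's export: the public-key entry name `yubikey` and the key blob are placeholders, and the `listen-address` lines are an optional tightening shown here, not part of the documented configuration.

```vyos
# Added example: SSH hardening as documented (VyOS 1.4-style syntax).
set service ssh port '22'

# Key-only: no password prompt is ever offered over SSH, so credential guessing
# against the WAN-exposed port 22 has nothing to guess.
set service ssh disable-password-authentication

# FIDO2-backed key. Key name and blob are PLACEHOLDERS; the real blob is the
# base64 body of the sk-ssh-ed25519@openssh.com line from the user's public key file.
set system login user vyos authentication public-keys yubikey type 'sk-ssh-ed25519@openssh.com'
set system login user vyos authentication public-keys yubikey key 'AAAA...PLACEHOLDER...'

# Optional, not in the documented config: bind sshd to the WAN and tunnel
# addresses instead of all interfaces, so a future interface does not expose it.
set service ssh listen-address '159.195.87.143'
set service ssh listen-address '10.255.255.1'
```

Check the result with `show configuration commands | match ssh` after commit; `disable-password-authentication` must be present, otherwise the account's stored password becomes a second, weaker path onto the router from the Internet.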
NTP
The router serves as an NTP server for local and private-range clients.
Allowed clients:
| Range | Description |
|---|---|
| 127.0.0.0/8 | Loopback |
| 169.254.0.0/16 | Link-local |
| 10.0.0.0/8 | RFC1918 Class A |
| 172.16.0.0/12 | RFC1918 Class B |
| 192.168.0.0/16 | RFC1918 Class C |
| ::1/128 | IPv6 loopback |
| fe80::/10 | IPv6 link-local |
| fc00::/7 | IPv6 ULA |
Upstream servers: 0.pool.ntp.org, time1.vyos.net, time2.vyos.net, time3.vyos.net
Blocklist Auto-Update
A scheduled task keeps the BLOCKLIST firewall group current:
- Script: /opt/vyos-blocklist/update-blocklists.sh
- Interval: 1 day
- Effect: Dropped at both input (rule 5) and forward (rule 5) filters before traffic is processed
System
| Setting | Value |
|---|---|
| Hostname | vyos-edge |
| Timezone | Europe/Berlin |
| Console | ttyS0 at 115200 baud |
| Config revisions kept | 100 |
| Reboot on upgrade failure | after 5 minutes |
| Upstream DNS (system) | 1.1.1.1, 8.8.8.8 |
| Syslog | local, all facilities at info; local7 at debug |
| Login banner | Git Backup Active |
Login
Single user vyos with:
- Password authentication (encrypted, stored)
- YubiKey SSH public key (sk-ssh-ed25519@openssh.com)
- Password login over SSH disabled (key-only)