
HOWTO: Commission a VyOS Edge Router via HyOps

Purpose: Commission a VyOS edge router at Hetzner using the HybridOps blueprint, with BGP, IPsec, and NAT validated through structured run records.

Difficulty: Advanced

Track: Networking Foundations


Overview

Use this guide to turn a provisioned VyOS host into a working HybridOps WAN edge. The result is a reviewable edge baseline with the interfaces, routing, and tunnel posture needed for site extension, cloud peering, and later DR or burst work.


1. Blueprint Overview

  • Blueprint ID: blueprints/hetzner/vyos-edge.
  • Architecture position: Hetzner-hosted WAN edge.
  • Dependencies: Hetzner server provisioned, public IP allocated.

2. Module Inputs

  • Public interface IP and gateway.
  • Internal interface and VLAN configuration.
  • BGP ASN and peer definitions.
  • IPsec tunnel peer IPs and PSK references.
  • NAT masquerade configuration.

3. Interface Bring-Up

  • Public and internal interface configuration.
  • Verifying reachability on both paths.
  • Run record: interface state record.

4. BGP Peering

  • eBGP session to GCP hub or on-prem peers.
  • Prefix advertisement validation.
  • BGP summary run-record capture.

5. IPsec Tunnel Bootstrap

  • Tunnel configuration and IKE/ESP parameters.
  • Tunnel establishment verification.
  • Liveness probe output captured in the run record.

6. NAT and Routing Validation

  • NAT masquerade for on-prem outbound traffic.
  • Routing table verification: all expected prefixes present.
  • End-to-end path probe from on-prem to internet.
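
Added example (not part of the HybridOps blueprint or its run-record format): one way to automate the routing check in step 6, parsing FRR-style `show ip route` text and flagging expected prefixes that are missing or that leave via the public interface instead of the tunnel. The interface names (eth0, vti0), the prefixes, and the record fields are assumptions; the sample output is constructed.

```python
import json
import re

# Constructed sample of FRR-style `show ip route` output (not from a real router).
SAMPLE_ROUTES = """\
S>* 0.0.0.0/0 [1/0] via 203.0.113.1, eth0, weight 1, 01:10:22
B>* 10.10.0.0/16 [20/0] via 169.254.10.1, vti0, weight 1, 00:42:07
B   10.30.0.0/16 [20/0] via 169.254.10.1, vti0, weight 1, 00:42:07
B>* 192.168.50.0/24 [20/0] via 203.0.113.9, eth0, weight 1, 00:05:31
"""

# Hypothetical expectations: prefix -> protocol code and egress interface.
EXPECTED = {
    "0.0.0.0/0": {"proto": "S", "ifname": "eth0"},
    "10.10.0.0/16": {"proto": "B", "ifname": "vti0"},
    "10.30.0.0/16": {"proto": "B", "ifname": "vti0"},
    "192.168.50.0/24": {"proto": "B", "ifname": "vti0"},
}

ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<flags>[ >*]{2,3})\s*(?P<prefix>\d+(?:\.\d+){3}/\d+)"
    r".*?,\s*(?P<ifname>[A-Za-z][\w.]*)(?:,|$)"
)

def parse_routes(text):
    """Map each prefix to its route entries (protocol, interface, installed flag)."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.setdefault(m["prefix"], []).append({
                "proto": m["proto"], "ifname": m["ifname"],
                # '>' = selected route, '*' = installed in the FIB
                "installed": ">" in m["flags"] and "*" in m["flags"]})
    return routes

def validate(text, expected):
    """Return a record listing prefixes that are missing or take the wrong path."""
    routes, findings = parse_routes(text), []
    for prefix, want in expected.items():
        active = [r for r in routes.get(prefix, []) if r["installed"]]
        if not active:
            findings.append({"prefix": prefix, "status": "missing"})
        elif any((r["proto"], r["ifname"]) != (want["proto"], want["ifname"]) for r in active):
            findings.append({"prefix": prefix, "status": "wrong_path", "seen": active})
    return {"check": "routing_validation", "passed": not findings, "findings": findings}

if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE_ROUTES, EXPECTED), indent=2))
```

With these assumed expectations, a `wrong_path` finding means traffic for that prefix would leave through the public interface rather than the IPsec tunnel.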


License: MIT-0 for code, CC-BY-4.0 for documentation unless otherwise stated.