# Secure setup on a macOS host

This repository is a guide to creating your own secure setup on a macOS host. In this setup, all traffic from the virtual machines is routed through a VPN tunnel. Private Internet Access (PIA) is used as the example VPN provider in this guide.
- macOS Sierra (10.12.3)
- VMware Fusion (8.5.0)
- Private Internet Access (PIA) VPN
- VyOS routing VM (1.1.7)
- Kali and Ubuntu VMs
- Download the latest stable image of VyOS here: https://vyos.io/#downloads
- Create a new VM and choose `Install from disc or image` as the installation method.
- Select the downloaded image of VyOS.
- Customize the VM settings to 2 GB hard disk capacity and 512 MB memory.
- Set the network adapter to private mode (`Private to my Mac`).
- Boot the VM and press return to boot the Live CD image.
- Log in to the system using the default credentials and run `install image` to install the image on disk.
```
vyos@vyos:~$ install image
Welcome to the VyOS install program.  This script
will walk you through the process of installing the
VyOS image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]: yes
Probing drives: OK
Looking for pre-existing RAID groups...none found.
The VyOS image will require a minimum 1000MB root.
Would you like me to try to partition a drive automatically
or would you rather partition it manually with parted?  If
you have already setup your partitions, you may skip this step

Partition (Auto/Parted/Skip) [Auto]: [return]

I found the following drives on your system:
 sda    2147MB

Install the image on? [sda]: [return]

This will destroy all data on /dev/sda.
Continue? (Yes/No) [No]: yes

How big of a root partition should I create? (1000MB - 2147MB) MB: [return]

Creating filesystem on /dev/sda1: OK
Done!

Mounting /dev/sda1...
What would you like to name this image? [1.1.7]:
OK.  This image will be named: 1.1.7
Copying squashfs image...
Copying kernel and initrd images...
Done!

I found the following configuration files:
    /config/config.boot
    /opt/vyatta/etc/config.boot.default
Which one should I copy to sda? [/config/config.boot]: [return]

Copying /config/config.boot to sda.
Enter password for administrator account
Enter password for user 'vyos': vyos    # You will change this later
Retype password for user 'vyos': vyos   # You will change this later
I need to install the GRUB boot loader.
I found the following drives on your system:
 sda    2147MB
Which drive should GRUB modify the boot partition on? [sda]: [return]

Setting up grub: OK
Done!
```
- Run `reboot` to boot VyOS from disk.

```
vyos@vyos:~$ reboot
Proceed with reboot? (Yes/No) [No] yes
```
- You can now unmount the CD drive from the VM if you want to.
Using your own terminal is much more convenient for interacting with VyOS, e.g. when you want to copy and paste commands into the console. Therefore we will set up SSH first through the KVM console.

First, enter the configuration mode. Only in this mode are you allowed to edit configuration rules in VyOS. The prompt symbol will change from `$` to `#`:

```
vyos@vyos:~$ configure
vyos@vyos#
```

You can exit the configuration mode using the command `exit`.
Enable the eth0 interface in DHCP mode:

```
set interfaces ethernet eth0 address dhcp
```

Enable the SSH service of VyOS:

```
set service ssh port 22
```
Commit the changes, save them and exit the configuration mode.

```
vyos@vyos# commit
[ interfaces ethernet eth0 address dhcp ]
Starting DHCP client on eth0 ...

[ service ssh ]
Restarting OpenBSD Secure Shell server: sshd.

vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos# exit
vyos@vyos$
```
Now you should be able to SSH into VyOS from your own terminal. You can look up the IP address of the VyOS VM with the following command:

```
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.16.1.130/24                   u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
```

Then connect from your Mac with the default password (the `vyos` user at the address shown above):

```
$ ssh vyos@172.16.1.130
The authenticity of host '172.16.1.130 (172.16.1.130)' can't be established.
RSA key fingerprint is SHA256:5mIixFcwGJ53pxjgws0M6wlAhH1IhZq93z6V/xIrTVQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.130' (RSA) to the list of known hosts.
Welcome to VyOS
vyos@172.16.1.130's password: vyos
Linux vyos 3.13.11-1-amd64-vyos
Welcome to VyOS.
This system is open-source software. The exact distribution terms for each
module comprising the full system are described in the individual files in
/usr/share/doc/*/copyright.
vyos@vyos:~$
```
It is easier to add the VyOS host to your SSH config (`~/.ssh/config`), so that you do not have to type the IP address every time. From now on, `ssh vyos` will be used in all commands.

```
Host vyos
    HostName 172.16.1.130
    User vyos
```
## Create and configure network adapters in VMs
First, we need to create a virtual network for the VMs whose traffic needs to go through the PIA VPN tunnel. Create a new virtual network in VMware Fusion (`Preferences > Network > +`). In my case, the new virtual network is named `vmnet4`. Due to limitations of VMware, you cannot change the name of the virtual network. Uncheck all boxes, because these VMs should only communicate with the routing VM.

Create and configure the network adapters for the VMs as follows:
For the VyOS VM, create and configure three network adapters:

- eth0: Private to my Mac
- eth1: Bridged mode (Autodetect)
- eth2: vmnet4

For the other VMs, whose traffic needs to go through the VPN tunnel, configure one network adapter:

- eth0: vmnet4
- Download the template configuration file (`config.boot`) of this guide.
- Download the PIA OpenVPN config files here: https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip
- Create a file named `pia-secret.txt` with your PIA username and password (username on the first line, password on the second, which is the layout OpenVPN's `auth-user-pass` expects).

Execute the following commands in your Mac terminal:

```
# Unzip PIA OpenVPN config file
user@mac:~$ unzip openvpn-strong-tcp.zip
# Create the folder '/config/auth/pia' on the routing VM
user@mac:~$ ssh vyos mkdir -p /config/auth/pia
# Copy the content of 'openvpn-strong-tcp' to the pia folder
user@mac:~$ scp openvpn-strong-tcp/* vyos:/config/auth/pia
# Copy the credentials to VyOS
user@mac:~$ scp pia-secret.txt vyos:/config/auth/pia
# Copy the template configuration file to VyOS
user@mac:~$ scp config.boot vyos:/config/config.boot
```

Note that `pia-secret.txt` holds your PIA credentials in plaintext, so keep it readable only by your own user (`chmod 600`) on both the Mac and the routing VM.
## PIA - Username/Password Authentication

Private Internet Access uses username/password authentication for VPN connections, so no client cert-file or key-file is needed. However, VyOS requires a cert-file and a key-file for every OpenVPN tunnel interface. To bypass this requirement, apply the following fix.

Download the patch file `patch-ovpn-user-pass.txt` and run the following command:

```
user@mac:~$ ssh vyos sudo patch /opt/vyatta/share/perl5/Vyatta/OpenVPN/Config.pm < patch-ovpn-user-pass.txt
```
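The template `config.boot` copied to the router has to express the PIA OpenVPN profile, including the username/password authentication just described, in VyOS syntax. As an added example that is not part of this repository, the following Python script parses an OpenVPN client profile of that shape and emits the corresponding VyOS `set` commands; the sample profile is constructed (not PIA's actual file) and the VyOS keys it emits (`mode`, `remote-host`, `remote-port`, `protocol`, `tls ca-cert-file`, `tls crl-file`, `openvpn-option`) are assumed from the VyOS 1.1.x CLI.

```python
"""Added example (not this repository's code): turn an OpenVPN client
profile like PIA's into VyOS 1.1 'set' commands for the routing VM.
The VyOS keys used are assumed from VyOS 1.1.x syntax; verify with TAB."""
import shlex

# Constructed sample resembling a PIA "strong" TCP profile, not the real file.
SAMPLE_OVPN = """\
client
proto tcp
remote nl.privateinternetaccess.com 501
cipher aes-256-cbc
auth sha256
remote-cert-tls server
auth-user-pass
ca ca.rsa.4096.crt
crl-verify crl.rsa.4096.pem
"""

def parse_ovpn(text):
    """Map each directive to its argument list; skip comments and blanks."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            opts[parts[0]] = parts[1:]
    return opts

def ovpn_to_vyos(text, iface="vtun1", auth_dir="/config/auth/pia",
                 secret="pia-secret.txt"):
    """Return the 'set interfaces openvpn ...' lines for one profile."""
    o = parse_ovpn(text)
    if "remote" not in o or "auth-user-pass" not in o or "ca" not in o:
        raise ValueError("profile needs 'remote', 'auth-user-pass' and 'ca'")
    host, port = (o["remote"] + ["1194"])[:2]      # OpenVPN default port
    proto = "tcp-active" if o.get("proto", ["udp"])[0].startswith("tcp") else "udp"
    base = f"set interfaces openvpn {iface}"
    cmds = [f"{base} mode client",
            f"{base} remote-host {host}",
            f"{base} remote-port {port}",
            f"{base} protocol {proto}",
            f"{base} tls ca-cert-file {auth_dir}/{o['ca'][0]}",
            # PIA authenticates by username/password, hence the Config.pm patch
            f"{base} openvpn-option '--auth-user-pass {auth_dir}/{secret}'"]
    if "crl-verify" in o:
        cmds.append(f"{base} tls crl-file {auth_dir}/{o['crl-verify'][0]}")
    # Pass cipher, HMAC and server-cert check through so they match the server
    for key in ("cipher", "auth", "remote-cert-tls"):
        if key in o:
            cmds.append(f"{base} openvpn-option '--{key} {o[key][0]}'")
    return cmds
```

Run the generated lines in configuration mode and `commit`; confirm each key with TAB completion on your VyOS version before relying on it.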
## Up and Running

The last step is to reboot the routing VM to load the configuration of the new `config.boot`. Normally it is also possible to load the configuration from a file without a reboot (using the `load` command in configuration mode). However, the interfaces in the new `config.boot` do not have hardware addresses yet; they will be set automatically during startup.

```
user@mac:~$ ssh vyos sudo reboot
```

Your secure setup is now up and running!
## What to do now?

Change the default password of the `vyos` user:

```
set system login user vyos authentication plaintext-password mypassword
```

This command will automatically convert your plaintext password and store it as a secure password hash.

Add your public SSH key so that you can log in without a password:

```
user@mac:~$ scp ~/.ssh/id_rsa.pub vyos:.
# SSH into VyOS and enter configuration mode
vyos@vyos# loadkey vyos id_rsa.pub
Done

vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done

vyos@vyos# exit
exit
```

Set your time zone:

```
set system time-zone America/Los_Angeles
```

Press TAB to show the available options and to autocomplete.
## Change PIA server

```
set interfaces openvpn vtun1 remote-host nl.privateinternetaccess.com
```

Find the hostnames of all other PIA servers on the PIA website.
## Create your own custom configuration
This is my current setup, but VyOS has many features like firewalls, static and dynamic routing, tunnel interfaces, proxies and more. If you want to learn more about VyOS, go to https://wiki.vyos.net/wiki/User_Guide.
## Star this repo
If you like this guide, give this repository a star!