New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
T5873: ipsec remote access VPN: support VTI interfaces. #3221
base: current
Are you sure you want to change the base?
Conversation
Changing this to a draft as it appears the up/down script may need some work for this to work properly. Seems to have been lost in the rebase. |
It’s not related to this PR. I also don’t think that fix is related to the instability I’ve been seeing in https://vyos.dev/T6177. I am planning to resume work on this shortly while I continue to debug that issue. |
Sounds great, thank you 🙂 |
Very interesting approach. But why I need also pools if now ecerything cones from the VTI? Is it b/c of IP address assignment reasons (fake dhcp?) |
Yeah, the IP addresses are still assigned to clients via the IKE protocol, so the pool configuration is needed to tell strongswan what range to create client IPs from. Getting the up/down logic for the interface right is a little interesting. I would assume if a remote access is bound to the VTI, the VTI interface should be up all the time. Cleanest implementation is probably to have vyos-1x/python/vyos/ifconfig/vti.py Line 59 in 9eb018c
Btw the logic for T6085 for site-to-site configs (9eb018c) has some potentially unintended behavior that disabling/re-enabling a VTI interface in the config does not immediately take effect—the interface state will only update after the ipsec connection gets torn down or ipsec is restarted. |
Any updates? |
I think I set this aside awaiting further feedback on the approach for the up/down script I shared in this comment: #3221 (comment). Let me re-visit later this week and try to put together an implementation—that may be a faster way to move this forward. |
Change Summary
Route-based VPNs can be more convenient to configure and tie in nicely with existing routing protocols, zone-based firewalls, and other common network configurations. OpenVPN users are already quite familiar with this pattern. This PR extends the IPsec (IKEv2) Remote Access VPN to support "virtual tunnel interfaces" enabling similar usage patterns.
Types of changes
Related Task(s)
https://vyos.dev/T5873
Related PR(s)
Component(s) name
ipsec remote-access
Proposed changes
This PR includes two key changes to enable VTI-based remote access VPNs:
remote-access pool
configuration block has been extended to accept arange
block, as an alternative to the current CIDRprefix
attribute. This allows defining a more granular range for assigning VPN client IPs, which is helpful if you want to reserve one or more IPs at the start of a CIDR block for the router itself on the VTI interface.remote-access connection
accepts a newbind
attribute. This works identically to thepeer <peer> vti bind
attribute (for site-to-site peers you either define one or moretunnel
s, or avti
block—there is no equivalent oftunnel
for remote-access connections hence the decision not to nest it undervti
here). Once defined, all traffic to/from connected peers uses the specified VTI interface, as opposed to being routed by kernel policies. This change is enabled by the internal change in VyOS 1.4 that switched from the legacyvti
interface type to the newerxfrm
interface type, which happily multiple tunnels with different local/remote traffic selectors, e.g. for each connected VPN client.How to test
Example configuration:
Smoketest result
Checklist: