
Ability to detect peer ip for openvpn
Open, Wishlist, Public, FEATURE REQUEST

Description

Ability to detect peer ip for site-to-site OpenVPN in op-mode.

In op-mode we currently take these values from the configuration. The idea is to detect the real peer IP when the remote site has a dynamic address.

Router01 (100.64.0.2)

set interfaces openvpn vtun1 local-address 10.255.1.1
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 mode 'site-to-site'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/my.key'

Router2, dynamic IP (100.64.0.2)

set interfaces openvpn vtun1 local-address 10.255.1.2
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 mode 'site-to-site'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-address '10.255.1.1'
set interfaces openvpn vtun1 remote-host '100.64.0.1'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/my.key'

Router01 op-mode

vyos@r1-roll:~$ show openvpn site-to-site 

OpenVPN status on vtun1

Client CN       Remote Host           Local Host            TX bytes    RX bytes   Connected Since
---------       -----------           ----------            --------    --------   ---------------

None (PSK)      N/A                   N/A                   7.0 KB      6.9 KB     N/A

The difficulty is that we can't get this info from the status file:

vyos@r1-roll:~$ sudo cat /run/openvpn/vtun1.status
OpenVPN STATISTICS
Updated,Sat May 15 10:42:58 2021
TUN/TAP read bytes,7040
TUN/TAP write bytes,7192
TCP/UDP read bytes,25460
TCP/UDP write bytes,24996
Auth read bytes,11243
END

Or via ss:

vyos@r1-roll:~$ sudo ss dst 100.64.0.2
Netid                State                Recv-Q                Send-Q                               Local Address:Port                                 Peer Address:Port                Process                
vyos@r1-roll:~$

One thing I did find is in the logs:

vyos@r1-roll:~$ show log openvpn | match Initiate
May 15 10:00:34 r1-roll openvpn-vtun1[3102]: Peer Connection Initiated with [AF_INET]100.64.0.2:1195
vyos@r1-roll:~$

Maybe there will be other solutions in the next releases.
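The workaround sketched above (the PSK status file carries only counters, so the last "Peer Connection Initiated" log line is the only place the real peer address appears) can be turned into a small detection routine. The following is an added example, not VyOS op-mode code: it assumes the log line and status-file layouts shown in this task, and the sample status text and log lines embedded in it are constructed from the output above.

```python
#!/usr/bin/env python3
"""Detect the real remote endpoint of a site-to-site (PSK) OpenVPN tunnel.

Added example, not part of VyOS. Assumes:
  * the status file of a PSK point-to-point instance only contains the
    'OpenVPN STATISTICS' counters (no CLIENT LIST / ROUTING TABLE), and
  * the log line "Peer Connection Initiated with [AF_INET]<ip>:<port>"
    is written by the openvpn-<iface>[pid] process once the peer is up.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample status file, copied in shape from the task above.
SAMPLE_STATUS = """OpenVPN STATISTICS
Updated,Sat May 15 10:42:58 2021
TUN/TAP read bytes,7040
TUN/TAP write bytes,7192
TCP/UDP read bytes,25460
TCP/UDP write bytes,24996
Auth read bytes,11243
END
"""

# Constructed sample log (journal-style, as "show log openvpn" prints it).
# Only the last 'Peer Connection Initiated' line for the interface counts.
SAMPLE_LOG = """May 15 09:58:01 r1-roll openvpn-vtun1[3102]: UDPv4 link remote: [AF_INET]100.64.0.9:1195
May 15 10:00:34 r1-roll openvpn-vtun1[3102]: Peer Connection Initiated with [AF_INET]100.64.0.2:1195
May 15 10:00:34 r1-roll openvpn-vtun1[3102]: Initialization Sequence Completed
May 15 10:01:10 r1-roll openvpn-vtun2[3110]: Peer Connection Initiated with [AF_INET]100.64.0.7:1196
"""

# Greedy \S+ before the final ':' also copes with an IPv6 literal after [AF_INET6].
PEER_RE = re.compile(
    r"openvpn-(?P<iface>\w+)\[\d+\]: Peer Connection Initiated with "
    r"\[(?P<af>AF_INET6?)\](?P<addr>\S+):(?P<port>\d+)\s*$"
)


def status_has_peer(status_text: str) -> bool:
    """True only if the status file lists clients (TLS server mode).

    A PSK point-to-point instance writes just 'OpenVPN STATISTICS', so the
    peer address cannot be recovered from it; callers must fall back to logs.
    """
    return "CLIENT LIST" in status_text or "ROUTING TABLE" in status_text


def peer_from_log(log_text: str, iface: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from the most recent 'Peer Connection Initiated'
    line of the given interface, or None if that tunnel never came up."""
    found = None
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m and m.group("iface") == iface:
            found = (m.group("addr"), int(m.group("port")))
    return found


def detect_remote_host(status_text: str, log_text: str, iface: str,
                       configured: Optional[str] = None) -> Dict[str, str]:
    """Produce the 'Remote Host' cell for the op-mode table plus its provenance.

    Preference order: status file (when it actually lists peers), then the
    last handshake in the log, then the statically configured remote-host,
    then 'N/A'. 'source' tells the operator how trustworthy the value is.
    """
    if status_has_peer(status_text):
        # Real parsing of CLIENT LIST is out of scope for a PSK tunnel.
        return {"remote_host": "see status file", "source": "status"}
    peer = peer_from_log(log_text, iface)
    if peer is not None:
        return {"remote_host": f"{peer[0]}:{peer[1]}", "source": "log"}
    if configured:
        return {"remote_host": configured, "source": "config"}
    return {"remote_host": "N/A", "source": "none"}


if __name__ == "__main__":
    print(detect_remote_host(SAMPLE_STATUS, SAMPLE_LOG, "vtun1"))
    print(detect_remote_host(SAMPLE_STATUS, SAMPLE_LOG, "vtun3", "100.64.0.1"))
```

Because the value comes from the last handshake recorded in the log rather than from the live socket, the `source` field is kept in the result so an op-mode command can mark it as "last seen" rather than present it as the current connection state.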

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Unspecified (please specify)

Event Timeline

Viacheslav triaged this task as Wishlist priority.

Is the IP address probably listed in ip -d link show?

@c-po Nope,

vyos@r6-roll:~$ sudo ip -d link show | grep vtun -A 5
5: vtun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
    link/none  promiscuity 0 minmtu 68 maxmtu 65535 
    tun type tun pi off vnet_hdr off persist off addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
dmbaturin set Issue type to Unspecified (please specify).