Page MenuHomeVyOS Platform

Better VRF support
Open, NormalPublicFEATURE REQUEST

Description

In some core network, public Internet will be treated as a VRF in the router. But VyOS doesn't seem to have really good support on VRFs.

For example, you can't use IPsec/OpenVPN to punch a tunnel through a VRF (T5049, T4031). And NTP/DNS client can't correctly handle VRF.

e.g. If I set a public accessible DNS server, the dns service works only in ip vrf exec internet ping <some domain>, but not in ping <some domain>.

And source NAT is not working when I want to NAT between two VRFs, too (T3655). VyOS can correct translate the outbound packet in the source nat rule, but doesn't handle the reply (inbound) packet correctly.

Details

Version
1.4-rolling-202303280317
Is it a breaking change?
Perfectly compatible

Event Timeline

diodep triaged this task as Wishlist priority.
diodep created this object in space S1 VyOS Public.
Viacheslav changed the subtype of this task from "Task" to "Feature Request".Mar 28 2023, 12:35 PM

Do you know how to tell Linux to use nameservers within a VRF?
What you mean IPSec/OpenVPN "punch a tunnel through a VRF" ? So the underlay should run via a VRF? source-interface binding does not work?

In T5116#147640, @c-po wrote:

Do you know how to tell Linux to use nameservers within a VRF?
What you mean IPSec/OpenVPN "punch a tunnel through a VRF" ? So the underlay should run via a VRF? source-interface binding does not work?

First, I don't know how to tell applications use a nameserver within a VRF, but maybe you can use dnsmasq to relay DNS server from a VRF to global, it solves problem but not pretty.

Secondly, the underlay network should run via a VRF, source-interface binding doesn't work, I have to change systemd charon service to run in a VRF (ip vrf exec ...), but it's too ugly too, and can't run multiple IPsec tunnel over different VRFs.

I think the only solution is to use network namespaces
https://docs.strongswan.org/docs/5.9/howtos/nameSpaces.html

Well, use VRF can implement this, but we have to figure out a proper way to start bunch of strongswan in different VRFs.

Because I tried ip vrf exec internet_vrf charon and it worked out, maybe I should say acceptable. But if I doing this, IPsec VPN's source interface have to in one of VRF, not all VRFs.

Out of the blue it seems like "network namespaces" would solve alot of current VRF compatability issues within VyOS:

https://linuxhint.com/use-linux-network-namespace/

dmbaturin edited projects, added VyOS Rolling; removed Restricted Project.Oct 14 2024, 9:20 AM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to improvement.