
ipsec remote access VPN: support dhcp-interface
Closed, Resolved (Public)

Description

We should support dhcp-interface for the ipsec remote-access VPN to have parity with site-to-site. This is a niche use case mostly applicable to homelabs (and maybe the rare SMB site), but is trivial to implement.

Details

Version
-
Is it a breaking change?
Perfectly compatible

Event Timeline

lucasec renamed this task from ipsec remote access VPN: support dhcp to ipsec remote access VPN: support dhcp-interface.
lucasec created this object in space S1 VyOS Public.

Hi.

commit 40b0986d66c3a0891dedbedc273b5485e5a8ca3a
Author: Lucas Christian <lucas@lucasec.com>
Date:   Sat Feb 10 11:26:47 2024 -0800

    T5872: further fixes to ipsec dhcp exit hook

    (cherry picked from commit 92012a0b3db8e93b10db4137414073f0371ed8cc)

@lucasec

  1. This commit brings a regression with DHCP default routes. In this commit all "return" calls were replaced with "exit" calls (and a few new "exit" calls were added).
  2. In case of an exit call, dhclient stops executing the rest of the scripts entirely.
  3. However, the isc-dhcp-client package contains the /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes file, where the DHCP default gateway is added.
  4. Due to alphabetical order, this script goes after 99-ipsec-dhclient-hook and is never executed.
  5. To prove that dhclient never executes any script after the exit, you can create a simple file like /etc/dhcp/dhclient-exit-hooks.d/00-test with only one string: "exit"
Viacheslav raised the priority of this task from Low to Urgent!.
dmbaturin lowered the priority of this task from Urgent! to Low. (May 11 2024, 5:23 PM)
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to improvement.
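
The "exit" versus "return" behaviour described in the comment above, as an added example that is not part of the original task or the VyOS code. It assumes hooks are sourced in name order into one shell; the temp directory, the hook bodies and the function names make_hooks, run_hooks and lint_hooks are constructed for illustration.

```shell
#!/bin/sh
# Constructed simulation: a temp dir stands in for
# /etc/dhcp/dhclient-exit-hooks.d; the hook bodies are made up.

# make_hooks KEYWORD: create a hook dir whose ipsec hook bails out early
# with KEYWORD ("exit" or "return"); print the dir path.
make_hooks() {
    d=$(mktemp -d) || return 1
    printf 'echo 99-ipsec-dhclient-hook\n%s 0\n' "$1" > "$d/99-ipsec-dhclient-hook"
    printf 'echo rfc3442-classless-routes\n' > "$d/rfc3442-classless-routes"
    echo "$d"
}

# run_hooks DIR: source every hook in name order inside one subshell and
# print, on one line, the names of the hooks that actually ran.
run_hooks() {
    ( for hook in "$1"/*; do . "$hook"; done ) | tr '\n' ' '
}

# lint_hooks DIR: heuristic check, print names of hooks that have a line
# starting with "exit" (it would end the shared shell, not just the hook).
lint_hooks() {
    grep -lE '^[[:space:]]*exit([[:space:]]|;|$)' "$1"/* | sed 's|.*/||'
}

for kw in exit return; do
    dir=$(make_hooks "$kw")
    echo "$kw -> ran: $(run_hooks "$dir")| flagged: $(lint_hooks "$dir")"
    rm -rf "$dir"
done
```

With "exit" only the first hook runs and the later rfc3442-classless-routes hook is skipped; with "return" both run.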