
ipsec remote access VPN: support VTI interfaces
In progress, Low, Public, FEATURE REQUEST

Description

VTI can be convenient for remote access use cases as well, and users are familiar with using routing rules for remote access users from OpenVPN interfaces.

Now that we use XFRM interfaces under the hood for VTI, it is feasible to bind multiple remote-access tunnels to a single XFRM interface.

As part of this, we should also allow explicit IP ranges to be specified for remote-access pools, as the user might want to assign the router an IP on the VTI interface.

Details

Version
-
Is it a breaking change?
Perfectly compatible

Event Timeline

lucasec created this object in space S1 VyOS Public.
lucasec updated the task description.
Unknown Object (User) subscribed. Apr 3 2024, 10:12 PM

Just wondering - is it possible to add a vti interface to a zone in the firewall?
How would one go about using this with the zone based firewall? 🙂

Hi -- this works. The VTI interface is just another interface so you can add it to a firewall zone just as you would an Ethernet interface. This can be done with existing site-to-site ipsec VTIs today. I also do it with OpenVPN interfaces for remote access on some of my installations.

Unknown Object (User) added a comment. Apr 7 2024, 5:49 AM

Great 😃

dmbaturin edited projects, added VyOS Rolling; removed Restricted Project. Oct 14 2024, 10:54 AM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to improvement.
syncer moved this task from Need Triage to Backlog - Feature Requests on the VyOS Rolling board.
syncer changed the subtype of this task from "Task" to "Feature Request".