OPENVPN: T6555: add server-bridge options in mode server #3920

Merged
merged 3 commits into from
Aug 5, 2024


fett0
Contributor

@fett0 fett0 commented Jul 31, 2024

Based on the official documentation, OpenVPN adds a new mode for creating a bridge interface (TAP, for Layer 2 frames). This requirement is involved in a new feature request change.

Change Summary

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T6555

Related PR(s)

Component(s) name

openvpn

Proposed changes

How to test

Vyos server - configuration:

set interfaces bridge br10 member interface eth2.304
set interfaces bridge br10 member interface vtun10

set interfaces ethernet eth1 address '172.16.100.1/24'
set interfaces openvpn vtun10 device-type 'tap'
set interfaces openvpn vtun10 local-host '172.16.100.1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 openvpn-option 'cipher none'
set interfaces openvpn vtun10 openvpn-option 'comp-lzo no'
set interfaces openvpn vtun10 server bridge gateway '10.10.0.1'
set interfaces openvpn vtun10 server bridge start '10.10.0.100'
set interfaces openvpn vtun10 server bridge stop '10.10.0.200'
set interfaces openvpn vtun10 server bridge subnet-mask '255.255.255.0'
set interfaces openvpn vtun10 tls ca-certificate 'openvpn_vtun10_1'
set interfaces openvpn vtun10 tls certificate 'openvpn_vtun10'
set interfaces openvpn vtun10 tls dh-params 'openvpn_vtun10' 

Check OpenVPN tunnel:

vyos@openvpn-server:~$ show openvpn server

OpenVPN status on vtun10

Client CN    Remote Host         Tunnel IP            Local Host         TX bytes    RX bytes    Connected Since
-----------  ------------------  -------------------  -----------------  ----------  ----------  -------------------
client2      172.16.100.2:42680  26:76:bf:4c:8d:df@0  172.16.100.1:1194  17.9 KB     17.5 KB     2024-07-31 18:13:26

Traffic over br:
vyos@openvpn-server:~$ sudo tcpdump -nvi br10
tcpdump: listening on br10, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:14:49.944817 IP (tos 0x0, ttl 64, id 39778, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.0.100 > 10.10.0.200: ICMP echo request, id 38281, seq 1, length 64
18:14:49.945180 IP (tos 0x0, ttl 64, id 27786, offset 0, flags [none], proto ICMP (1), length 84)
    10.10.0.200 > 10.10.0.100: ICMP echo reply, id 38281, seq 1, length 64
18:14:50.946734 IP (tos 0x0, ttl 64, id 40319, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.0.100 > 10.10.0.200: ICMP echo request, id 38281, seq 2, length 64

Smoketest result

$ /usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py

test_openvpn_server_server_bridge (__main__.TestInterfacesOpenVPN.test_openvpn_server_server_bridge) ... Warning: using dh-params and EC keys simultaneously will lead to DH ciphers being used instead of ECDH
ok
......
ok

----------------------------------------------------------------------
Ran 8 tests in 53.703s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@fett0 fett0 requested a review from a team as a code owner July 31, 2024 19:10
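
An added example (not code from this PR or from vyos-1x): it parses the `server bridge` leaves from the test configuration above, checks the client pool against the gateway subnet, flags the `cipher none` option, and renders the values in the order of OpenVPN's `server-bridge gateway netmask pool-start-IP pool-end-IP` directive. The function names and the mapping from CLI leaves to the directive are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a subset of the "set" commands from the test configuration.
SAMPLE = """\
set interfaces openvpn vtun10 device-type 'tap'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 openvpn-option 'cipher none'
set interfaces openvpn vtun10 server bridge gateway '10.10.0.1'
set interfaces openvpn vtun10 server bridge start '10.10.0.100'
set interfaces openvpn vtun10 server bridge stop '10.10.0.200'
set interfaces openvpn vtun10 server bridge subnet-mask '255.255.255.0'
"""

def parse_bridge(text, ifname):
    """Collect 'server bridge' leaf values and raw openvpn-option strings."""
    prefix = f"set interfaces openvpn {ifname} "
    bridge, options = {}, []
    for line in text.splitlines():
        if not line.startswith(prefix):
            continue
        rest = line[len(prefix):].strip()
        if rest.startswith("server bridge "):
            key, _, value = rest[len("server bridge "):].partition(" ")
            bridge[key] = value.strip("'")
        elif rest.startswith("openvpn-option "):
            options.append(rest[len("openvpn-option "):].strip("'"))
    return bridge, options

def check_bridge(bridge, options):
    """Return (server-bridge directive, list of findings); hypothetical helper."""
    findings = []
    gw = ipaddress.ip_address(bridge["gateway"])
    net = ipaddress.ip_network(f"{gw}/{bridge['subnet-mask']}", strict=False)
    start = ipaddress.ip_address(bridge["start"])
    stop = ipaddress.ip_address(bridge["stop"])
    if start > stop:
        findings.append("pool start is above pool stop")
    for name, addr in (("start", start), ("stop", stop)):
        if addr not in net:
            findings.append(f"pool {name} {addr} is outside {net}")
    if start <= gw <= stop:
        findings.append("gateway address lies inside the client pool")
    if any(opt.split() == ["cipher", "none"] for opt in options):
        findings.append("'cipher none' requests an unencrypted data channel")
    directive = f"server-bridge {gw} {net.netmask} {start} {stop}"
    return directive, findings
```

With the values from the test configuration, the pool checks pass and the only finding is the `cipher none` option.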

github-actions bot commented Jul 31, 2024

👍
No issues in PR Title / Commit Title


github-actions bot commented Jul 31, 2024


warning: Unused Warning imported from vyos.base in src/conf_mode/vpn_ipsec.py:28.

@c-po
Member

c-po commented Aug 1, 2024

Why not use a CLI like:

set interfaces openvpn vtun10 server bridge gateway '10.10.0.1'
set interfaces openvpn vtun10 server bridge start '10.10.0.100'
set interfaces openvpn vtun10 server bridge stop '10.10.0.200'
set interfaces openvpn vtun10 server bridge subnet-mask '255.255.255.0'

The server- part in server-bridge reads a bit redundant

@fett0
Contributor Author

fett0 commented Aug 2, 2024

> Why not use a CLI like:
>
> set interfaces openvpn vtun10 server bridge gateway '10.10.0.1'
> set interfaces openvpn vtun10 server bridge start '10.10.0.100'
> set interfaces openvpn vtun10 server bridge stop '10.10.0.200'
> set interfaces openvpn vtun10 server bridge subnet-mask '255.255.255.0'
>
> The server- part in server-bridge reads a bit redundant

@c-po done!

@c-po c-po enabled auto-merge August 5, 2024 05:23
@c-po c-po merged commit aa842a6 into vyos:current Aug 5, 2024
12 of 15 checks passed
@sever-sever
Member

@Mergifyio backport circinus

Contributor

mergify bot commented Aug 5, 2024

backport circinus

✅ Backports have been created

c-po added a commit that referenced this pull request Aug 6, 2024
OPENVPN: T6555: add server-bridge options in mode server (backport #3920)
@sever-sever
Member

@Mergifyio backport sagitta

Contributor

mergify bot commented Sep 9, 2024

backport sagitta

✅ Backports have been created

dmbaturin added a commit that referenced this pull request Sep 10, 2024
OPENVPN: T6555: add server-bridge options in mode server (backport #3920)