
1.2.7 - OpenVPN tunnel interface disappears on virtualized VyOS router/ESXi host
Open, Requires assessment | Public | BUG

Description

I have VyOS running as a virtual router hosted on VMware ESXi 7.0.0. An OpenVPN tunnel interface is configured:

openvpn vtun10 {
    encryption aes256
    firewall {
        in {
            name OVPN-IN
        }
    }
    hash sha512
    local-port 1194
    mode server
    persistent-tunnel
    protocol udp
    server {
        subnet 10.1.1.0/24
    }
    tls {
        ca-cert-file /config/auth/openvpn/ca.crt
        cert-file /config/auth/openvpn/ovpn.crt
        crl-file /config/auth/openvpn/crl.pem
        dh-file /config/auth/openvpn/dh.pem
        key-file /config/auth/openvpn/ovpn.key
    }
}

The above configuration loads and works under 1.2.7 for between one and two weeks. Sometime in that interval, the OpenVPN tunnel interface (vtun10) completely disappears from the router, and I observe the following entries in the system log, which seem to correspond:

May 11 15:51:18 vyos-vmware netplugd[1102]: vtun10: ignoring event
May 11 15:51:18 vyos-vmware netplugd[1102]: vtun10: ignoring event
May 11 15:51:18 vyos-vmware bgpd[1145]: [EC 100663301] INTERFACE_STATE: Cannot find IF vtun10 in VRF 0
May 11 15:51:18 vyos-vmware ripd[1153]: interface delete vtun10 vrf 0 index 12 flags 0x1090 metric 0 mtu 1500
May 11 15:51:18 vyos-vmware ripngd[1157]: interface delete vtun10 vrf 0 index 12 flags 0x1090 metric 0 mtu 1500
May 11 15:51:19 vyos-vmware ntpd[2342]: Deleting interface #21 vtun10, fe80::d187:940f:6610:ab39#123, interface stats: received=0, sent=0, dropped=0, active_time=419977 secs
May 11 15:51:19 vyos-vmware ntpd[2342]: Deleting interface #19 vtun10, 10.1.1.1#123, interface stats: received=0, sent=0, dropped=0, active_time=419985 secs
May 11 15:51:19 vyos-vmware ntpd[2342]: peers refreshed

The only way I could bring the OpenVPN vtun10 interface back online was to reboot the router (I did not) or make a minor change to my configuration and commit it (thereby re-initializing the interface).

This happened several times in the course of a month. I've since rolled the system image back to 1.2.6-S1, with the same configuration, and the problem has not reoccurred with an uptime of over a month now.

Additional notes:

  • I have not had this problem occur when running VyOS 1.2.7 and OpenVPN on bare metal; only my VMware-based VyOS router exhibits this behavior when running 1.2.7.
  • The interface would work normally for a period of one to two weeks, until it mysteriously disappeared, i.e. it would no longer be listed in the output of the ip a command.
  • After rolling back to 1.2.6-S1, the issue has not reoccurred.

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.7
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
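
A log check for the symptom in the description, as an added example that is not part of the original report or of VyOS: it flags a vtun interface as gone when at least two daemons log its removal within a few seconds, using message patterns taken from the log lines quoted in the report. The function name, the thresholds and the placeholder year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: log lines copied from the report in the description.
SAMPLE_LOG = """\
May 11 15:51:18 vyos-vmware netplugd[1102]: vtun10: ignoring event
May 11 15:51:18 vyos-vmware bgpd[1145]: [EC 100663301] INTERFACE_STATE: Cannot find IF vtun10 in VRF 0
May 11 15:51:18 vyos-vmware ripd[1153]: interface delete vtun10 vrf 0 index 12 flags 0x1090 metric 0 mtu 1500
May 11 15:51:19 vyos-vmware ntpd[2342]: Deleting interface #19 vtun10, 10.1.1.1#123, interface stats: received=0, sent=0, dropped=0, active_time=419985 secs
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w-]+)\[\d+\]: (.*)$")
DELETION = [
    re.compile(r"interface delete (\S+) vrf"),      # ripd / ripngd
    re.compile(r"Deleting interface #\d+ (\S+),"),  # ntpd
    re.compile(r"Cannot find IF (\S+) in VRF"),     # bgpd
]
ACTIVE = re.compile(r"active_time=(\d+) secs")

def find_disappearances(log_text, prefix="vtun", min_daemons=2,
                        window=timedelta(seconds=5)):
    """Return incidents where several daemons saw the same interface vanish."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, daemon, msg = m.groups()
        for pat in DELETION:
            hit = pat.search(msg)
            if hit and hit.group(1).startswith(prefix):
                # syslog stamps carry no year; 2000 is a placeholder (assumption)
                when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
                act = ACTIVE.search(msg)
                events.append((when, hit.group(1), daemon,
                               int(act.group(1)) if act else None))
                break
    incidents = []
    for when, iface, daemon, active in sorted(events, key=lambda e: (e[1], e[0])):
        last = incidents[-1] if incidents else None
        if last and last["interface"] == iface and when - last["start"] <= window:
            last["daemons"].add(daemon)
            if active is not None:
                last["active_secs"] = max(last["active_secs"] or 0, active)
        else:
            incidents.append({"interface": iface, "start": when,
                              "daemons": {daemon}, "active_secs": active})
    return [i for i in incidents if len(i["daemons"]) >= min_daemons]
```

Requiring agreement from more than one daemon keeps a single daemon's restart or reload from being reported as a lost tunnel.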