ipsec remote access VPN: support VTI interfaces
Open, Low, Public

Description

VTI can be convenient for remote access use cases as well, and users are familiar with using routing rules for remote access users from OpenVPN interfaces.

Now that we use XFRM interfaces under the hood for VTI, it is feasible to bind multiple remote-access tunnels to a single XFRM interface.

As part of this, we should also allow explicit IP ranges to be specified for remote-access pools as the user might want to assign the router an IP on the VTI interface.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

lucasec created this object in space S1 VyOS Public.
lucasec updated the task description.

Just wondering - is it possible to add a vti interface to a zone in the firewall?
How would one go about using this with the zone based firewall? 🙂

Hi -- this works. The VTI interface is just another interface so you can add it to a firewall zone just as you would an Ethernet interface. This can be done with existing site-to-site ipsec VTIs today. I also do it with OpenVPN interfaces for remote access on some of my installations.