Hello everyone, I am integrating tinc. At present, I have passed the basic test in a simple virtual machine. The command line is simplified. Examples are as follows:
Oct 20 2020
Thank you.
Reopen the task or create a new one if you find some problems.
I have investigated it now a bit deeper and found out that this router got migrated to VRF automatically (Our deployment stack automatically migrates upgraded/new deployed routers to VRF usage for OOB/VxLAN communication).
I think it is some code like
Submitted second PR
Many thanks!
I can see a case where people deliberately do NOT want to use ISP-provided DNS servers (to avoid DNS NX hijacking) (and/or lock to a major internet DNS server like Google 8.8.8.8 or Quad9 9.9.9.9 or Cloudflare 1.1.1.1 for example)
Oct 19 2020
This is an example scenario in which this comes in handy:
You have three ethernet interfaces
Two are connected to different LANs
The third is connected to WAN (another router)
All networks offer DHCP and def gw
The LANs offer it for internet access
The WAN offers it for branch access
We want to keep def gw received for WAN and ignore internet access offered by those LANs
@Merijn Can you check the latest rolling?
Or please write which commands you use?
@lbv2rus Can you try the latest rolling release?
Unfortunately I can not reproduce this issue on my test system and also our smoketests (https://github.com/vyos/vyos-1x/blob/current/smoketest/scripts/cli/test_interfaces_openvpn.py) do not trigger the bug when run locally on the VyOS device by calling:
@Gunni can you check the latest rolling?
@Dmitry
set interfaces ethernet eth1 address 2001:db8::2/64
set interfaces l2tpv3 l2tpeth1010 address '192.168.37.2/27'
set interfaces l2tpv3 l2tpeth1010 encapsulation 'ip'
set interfaces l2tpv3 l2tpeth1010 local-ip '2001:db8::2'
set interfaces l2tpv3 l2tpeth1010 peer-session-id '100'
set interfaces l2tpv3 l2tpeth1010 peer-tunnel-id '200'
set interfaces l2tpv3 l2tpeth1010 remote-ip '2001:db8::1'
set interfaces l2tpv3 l2tpeth1010 session-id '100'
set interfaces l2tpv3 l2tpeth1010 tunnel-id '200'
vyos@r4-roll# run show version
Do other vendors support hijacking/altering of DHCP options? I feel this kills the whole concept of DHCP.
@jjcordon can you test the latest rolling?
It looks like this works, but when we don't have any connected user, it lists the files in the current directory
vyos@RTR1:~$ touch 1.txt
vyos@RTR1:~$ reset vpn remote-access user <tab>
Possible completions:
  1.txt    Terminate specified user's current remote access VPN session(s)
After a user connected, all works properly
vyos@RTR1:~$ reset vpn remote-access user <tab>
Possible completions:
  test1    Terminate specified user's current remote access VPN session(s)
@D0peX Can you check the latest rolling?
Works as expected.
No, I'm running this commit:
https://github.com/vyos/vyos-1x/commit/029f9839c21317ec5959b331eee25da472d08dc1
There have been some deletion errors yesterday - are you running the latest rolling release? They should have been fixed in there. If not, please provide me some CLI samples to reproduce the issue.
Check out the October versions on both sides.
I spoke too soon.
The interfaces are very persistent now - when you delete the vtun interface it doesn't get taken down!
Tested in my lab and it works both during creation and reboot.
Oct 18 2020
Submitted PR
Works for me!
trae@cr01b-vyos:~$ show protocols bfd peers
Session count: 11
SessionId   LocalAddress                       PeerAddress                         Status
=========   ============                       ===========                         ======
3776760774  192.168.253.3                      192.168.253.7                       up
1851352402  fd52:d62e:8011:fffe:192:168:253:3  fd52:d62e:8011:fffe:192:168:253:6   up
3344115206  192.168.253.3                      192.168.253.2                       down
1252680903  fd52:d62e:8011:fffe:192:168:253:3  fd52:d62e:8011:fffe:192:168:253:2   down
3664188082  192.168.253.3                      192.168.253.6                       up
2809207409  fd52:d62e:8011:fffe:192:168:253:3  fd52:d62e:8011:fffe:192:168:253:1   up
2086113021  192.168.253.3                      192.168.253.12                      up
1362288442  unknown                            fd52:d62e:8011:fffe:192:168:253:12  down
3846665654  fd52:d62e:8011:fffe:192:168:253:3  fd52:d62e:8011:fffe:192:168:253:7   up
276439511   fd52:d62e:8011:fffe:192:168:253:3  fd52:d62e:8011:fffe:192:168:253:12  down
1342044518  192.168.253.3                      192.168.253.1                       up
Well spotted - I hadn't seen that option before.
I'll give it a go and see how it runs.
I agree. Therefore, if someone understands the code structure of FRR, we can modify the implementation from within FRR according to Prometheus protocol framework, implement the exporter integration, and then generate a patch file. Set the automatic compilation script and automatically package it into DEB.
The best possible solution would be for FRR to support Prometheus directly, rather than require an exporter.
It seems that calling openvpn --mktun is what we need. Please try the next rolling ISO which will contain a fix for this.
It is true, but I just want to record it to avoid forgetting that another solution is to redevelop FRR and promote it in parallel with the official version of FRR (in other words, we can patch FRR or maintain a branch separately, then compile a version of our own, and get the indication directly from its code, but this work needs someone to do.)
Timeouts and SIGKILL don't always work. If a process is stuck on IO, it will not exit.
I think I understand what you mean. Don't worry. I'm also a user of Prometheus. I know how Prometheus works.
I'm not sure you understand how this works.
Most of Prometheus data is generated from the exporter. It is not collected and pushed in real time. When Prometheus queries, it can query relevant indications through the port exposed by the exporter. Therefore, I don't think it is possible to create thousands of sub processes/threads. What do you think?
No, that's not the problem. The exporter itself could potentially create thousands of sub processes if something were to go wrong.
Fixup PR: https://github.com/vyos/vyos-1x/pull/578
I know that my specific problem is related to OpenVPN, but are you saying that this is only relevant for OpenVPN and it's not going to impact other interfaces?
@runar Some interesting commands, such as tinc -n netname join URL, seem to be supported in tinc 1.1
The frr_exporter linked uses os/exec to run an external binary, /usr/bin/vtysh. This is not a great way to build an exporter, as it can lead to a fork bomb. There is also the overhead of calling the external binary to gather data.
Tinc 1.1 supports rereading a lot of the configuration without restarting the daemon. I've compiled a version of 1.1 for you from the Debian salsa repository: https://salsa.debian.org/guus/tinc/-/tree/1.1/debian (this is what's available in the experimental Debian branch). The deb is available here for now: https://borge.nu/vyos/tinc_1.1~pre17-1.1_amd64.deb. Just put it in the packages directory when you're generating the ISO, or dpkg -i it into an image that has tinc-1.0 already.
In T766#77850, @jack9603301 wrote: What information do you need access to from within op-mode?
Since restarting tinc requires resetting the interface, it means that you may need to get all the configuration information to call the update function settings of the interface class
@jack9603301 Do you know of a version of that FRR exporter that doesn't fork sub processes?
What information do you need access to from within op-mode?
I hope to implement an operation mode command, but too many interface parameters are generated according to the configuration in the interface. I don't know how to call these existing configurations. Can I call the user's configuration information through config in operation mode?
It seems that we need to think about it now
You can pull the host configuration in operation mode using the following command:
generate tinc tincN host-conf <user@service:/path>
Note: my test found that when the server is in switch mode, the client cannot Ping to the peer in routing mode (more tests may be needed)
To prevent forgetting, write the address of the exporter to task