Family ovpn netlink specification¶
Summary¶
Netlink protocol to control OpenVPN network devices
Operations¶
peer-new¶
Add a remote peer
- attribute-set:
- flags:
[
admin-perm]- do:
- pre
ovpn-nl-pre-doit
- post
ovpn-nl-post-doit
- request
- attributes:
[
ifindex,peer]
peer-set¶
modify a remote peer
- attribute-set:
- flags:
[
admin-perm]- do:
- pre
ovpn-nl-pre-doit
- post
ovpn-nl-post-doit
- request
- attributes:
[
ifindex,peer]
peer-get¶
Retrieve data about existing remote peers (or a specific one)
- attribute-set:
- flags:
[
admin-perm]- do:
- pre
ovpn-nl-pre-doit
- post
ovpn-nl-post-doit
- request
- attributes:
[
ifindex,peer]
- reply
- attributes:
[
peer]
- dump:
- request
- attributes:
[
ifindex]
- reply
- attributes:
[
peer]
peer-del¶
Delete existing remote peer
- attribute-set:
- flags:
[
admin-perm]- do:
- pre
ovpn-nl-pre-doit
- post
ovpn-nl-post-doit
- request
- attributes:
[
ifindex,peer]
peer-del-ntf¶
Notification about a peer being deleted
- notify:
peer-get
- mcgrp:
peers
key-new¶
Add a cipher key for a specific peer
- attribute-set:
- flags:
[
admin-perm]- do:
- pre
ovpn-nl-pre-doit
- post
ovpn-nl-post-doit
- request
- attributes:
[
ifindex,keyconf]
key-get¶
Retrieve non-sensitive data about peer key and cipher
- attribute-set:
- flags:
[
admin-perm]- do:
- pre
ovpn-nl-pre-doit
- post
ovpn-nl-post-doit
- request
- attributes:
[
ifindex,keyconf]
- reply
- attributes:
[
keyconf]
key-swap¶
Swap primary and secondary session keys for a specific peer
- attribute-set:
- flags:
[
admin-perm]- do:
- pre
ovpn-nl-pre-doit
- post
ovpn-nl-post-doit
- request
- attributes:
[
ifindex,keyconf]
key-swap-ntf¶
Notification about key having exhausted its IV space and requiring renegotiation
- notify:
key-get
- mcgrp:
peers
key-del¶
Delete cipher key for a specific peer
- attribute-set:
- flags:
[
admin-perm]- do:
- pre
ovpn-nl-pre-doit
- post
ovpn-nl-post-doit
- request
- attributes:
[
ifindex,keyconf]
Multicast groups¶
peers
Definitions¶
nonce-tail-size¶
- type:
const
- value:
8
cipher-alg¶
- type:
enum
- entries:
noneaes-gcmchacha20-poly1305
del-peer-reason¶
- type:
enum
- entries:
teardownadmindownuserspaceexpiredtransport-errortransport-disconnect
key-slot¶
- type:
enum
- entries:
primarysecondary
Attribute sets¶
peer¶
id (u32)¶
- doc:
The unique ID of the peer in the device context. To be used to identify peers during operations for a specific device
remote-ipv4 (u32)¶
- doc:
The remote IPv4 address of the peer
- byte-order:
big-endian
- display-hint:
ipv4
remote-ipv6 (binary)¶
- doc:
The remote IPv6 address of the peer
- display-hint:
ipv6
remote-ipv6-scope-id (u32)¶
- doc:
The scope id of the remote IPv6 address of the peer (RFC2553)
remote-port (u16)¶
- doc:
The remote port of the peer
- byte-order:
big-endian
socket (u32)¶
- doc:
The socket to be used to communicate with the peer
socket-netnsid (s32)¶
- doc:
The ID of the netns the socket assigned to this peer lives in
vpn-ipv4 (u32)¶
- doc:
The IPv4 address assigned to the peer by the server
- byte-order:
big-endian
- display-hint:
ipv4
vpn-ipv6 (binary)¶
- doc:
The IPv6 address assigned to the peer by the server
- display-hint:
ipv6
local-ipv4 (u32)¶
- doc:
The local IPv4 to be used to send packets to the peer (UDP only)
- byte-order:
big-endian
- display-hint:
ipv4
local-ipv6 (binary)¶
- doc:
The local IPv6 to be used to send packets to the peer (UDP only)
- display-hint:
ipv6
local-port (u16)¶
- doc:
The local port to be used to send packets to the peer (UDP only)
- byte-order:
big-endian
keepalive-interval (u32)¶
- doc:
The number of seconds after which a keep alive message is sent to the peer
keepalive-timeout (u32)¶
- doc:
The number of seconds from the last activity after which the peer is assumed dead
del-reason (u32)¶
- doc:
The reason why a peer was deleted
- enum:
vpn-rx-bytes (uint)¶
- doc:
Number of bytes received over the tunnel
vpn-tx-bytes (uint)¶
- doc:
Number of bytes transmitted over the tunnel
vpn-rx-packets (uint)¶
- doc:
Number of packets received over the tunnel
vpn-tx-packets (uint)¶
- doc:
Number of packets transmitted over the tunnel
link-rx-bytes (uint)¶
- doc:
Number of bytes received at the transport level
link-tx-bytes (uint)¶
- doc:
Number of bytes transmitted at the transport level
link-rx-packets (u32)¶
- doc:
Number of packets received at the transport level
link-tx-packets (u32)¶
- doc:
Number of packets transmitted at the transport level
keyconf¶
peer-id (u32)¶
- doc:
The unique ID of the peer in the device context. To be used to identify peers during key operations
slot (u32)¶
- doc:
The slot where the key should be stored
- enum:
key-id (u32)¶
- doc:
The unique ID of the key in the peer context. Used to fetch the correct key upon decryption
cipher-alg (u32)¶
- doc:
The cipher to be used when communicating with the peer
- enum:
encrypt-dir (nest)¶
- doc:
Key material for encrypt direction
- nested-attributes:
decrypt-dir (nest)¶
- doc:
Key material for decrypt direction
- nested-attributes:
keydir¶
cipher-key (binary)¶
- doc:
The actual key to be used by the cipher
nonce-tail (binary)¶
- doc:
Random nonce to be concatenated to the packet ID, in order to obtain the actual cipher IV
ovpn¶
ifindex (u32)¶
- doc:
Index of the ovpn interface to operate on
ifname (string)¶
- doc:
Name of the ovpn interface
peer (nest)¶
- doc:
The peer object containing the attributed of interest for the specific operation
- nested-attributes:
keyconf (nest)¶
- doc:
Peer specific cipher configuration
- nested-attributes: