Family ovpn netlink specification

Summary

Netlink protocol to control OpenVPN network devices
Operations

peer-new

Add a remote peer

- attribute-set:
- flags: [admin-perm]
- do:
  - pre: ovpn-nl-pre-doit
  - post: ovpn-nl-post-doit
  - request:
    - attributes: [ifindex, peer]

peer-set

Modify a remote peer

- attribute-set:
- flags: [admin-perm]
- do:
  - pre: ovpn-nl-pre-doit
  - post: ovpn-nl-post-doit
  - request:
    - attributes: [ifindex, peer]

peer-get

Retrieve data about existing remote peers (or a specific one)

- attribute-set:
- flags: [admin-perm]
- do:
  - pre: ovpn-nl-pre-doit
  - post: ovpn-nl-post-doit
  - request:
    - attributes: [ifindex, peer]
  - reply:
    - attributes: [peer]
- dump:
  - request:
    - attributes: [ifindex]
  - reply:
    - attributes: [peer]

peer-del

Delete existing remote peer

- attribute-set:
- flags: [admin-perm]
- do:
  - pre: ovpn-nl-pre-doit
  - post: ovpn-nl-post-doit
  - request:
    - attributes: [ifindex, peer]

peer-del-ntf

Notification about a peer being deleted

- notify: peer-get
- mcgrp: peers

key-new

Add a cipher key for a specific peer

- attribute-set:
- flags: [admin-perm]
- do:
  - pre: ovpn-nl-pre-doit
  - post: ovpn-nl-post-doit
  - request:
    - attributes: [ifindex, keyconf]

key-get

Retrieve non-sensitive data about peer key and cipher

- attribute-set:
- flags: [admin-perm]
- do:
  - pre: ovpn-nl-pre-doit
  - post: ovpn-nl-post-doit
  - request:
    - attributes: [ifindex, keyconf]
  - reply:
    - attributes: [keyconf]

key-swap

Swap primary and secondary session keys for a specific peer

- attribute-set:
- flags: [admin-perm]
- do:
  - pre: ovpn-nl-pre-doit
  - post: ovpn-nl-post-doit
  - request:
    - attributes: [ifindex, keyconf]

key-swap-ntf

Notification about a key having exhausted its IV space and requiring renegotiation

- notify: key-get
- mcgrp: peers

key-del

Delete cipher key for a specific peer

- attribute-set:
- flags: [admin-perm]
- do:
  - pre: ovpn-nl-pre-doit
  - post: ovpn-nl-post-doit
  - request:
    - attributes: [ifindex, keyconf]
Multicast groups

- peers
Definitions

nonce-tail-size

- type: const
- value: 8

cipher-alg

- type: enum
- entries:
  - none
  - aes-gcm
  - chacha20-poly1305

del-peer-reason

- type: enum
- entries:
  - teardown
  - userspace
  - expired
  - transport-error
  - transport-disconnect

key-slot

- type: enum
- entries:
  - primary
  - secondary
Attribute sets

peer

id (u32)

- doc: The unique ID of the peer in the device context. To be used to identify peers during operations for a specific device

remote-ipv4 (u32)

- doc: The remote IPv4 address of the peer
- byte-order: big-endian
- display-hint: ipv4

remote-ipv6 (binary)

- doc: The remote IPv6 address of the peer
- display-hint: ipv6

remote-ipv6-scope-id (u32)

- doc: The scope id of the remote IPv6 address of the peer (RFC 2553)

remote-port (u16)

- doc: The remote port of the peer
- byte-order: big-endian

socket (u32)

- doc: The socket to be used to communicate with the peer

socket-netnsid (s32)

- doc: The ID of the netns the socket assigned to this peer lives in

vpn-ipv4 (u32)

- doc: The IPv4 address assigned to the peer by the server
- byte-order: big-endian
- display-hint: ipv4

vpn-ipv6 (binary)

- doc: The IPv6 address assigned to the peer by the server
- display-hint: ipv6

local-ipv4 (u32)

- doc: The local IPv4 address to be used to send packets to the peer (UDP only)
- byte-order: big-endian
- display-hint: ipv4

local-ipv6 (binary)

- doc: The local IPv6 address to be used to send packets to the peer (UDP only)
- display-hint: ipv6

local-port (u16)

- doc: The local port to be used to send packets to the peer (UDP only)
- byte-order: big-endian

keepalive-interval (u32)

- doc: The number of seconds after which a keepalive message is sent to the peer

keepalive-timeout (u32)

- doc: The number of seconds from the last activity after which the peer is assumed dead

del-reason (u32)

- doc: The reason why a peer was deleted
- enum:

vpn-rx-bytes (uint)

- doc: Number of bytes received over the tunnel

vpn-tx-bytes (uint)

- doc: Number of bytes transmitted over the tunnel

vpn-rx-packets (uint)

- doc: Number of packets received over the tunnel

vpn-tx-packets (uint)

- doc: Number of packets transmitted over the tunnel

link-rx-bytes (uint)

- doc: Number of bytes received at the transport level

link-tx-bytes (uint)

- doc: Number of bytes transmitted at the transport level

link-rx-packets (uint)

- doc: Number of packets received at the transport level

link-tx-packets (uint)

- doc: Number of packets transmitted at the transport level

keyconf

peer-id (u32)

- doc: The unique ID of the peer in the device context. To be used to identify peers during key operations

slot (u32)

- doc: The slot where the key should be stored
- enum:

key-id (u32)

- doc: The unique ID of the key in the peer context. Used to fetch the correct key upon decryption

cipher-alg (u32)

- doc: The cipher to be used when communicating with the peer
- enum:

encrypt-dir (nest)

- doc: Key material for the encrypt direction
- nested-attributes:

decrypt-dir (nest)

- doc: Key material for the decrypt direction
- nested-attributes:

keydir

cipher-key (binary)

- doc: The actual key to be used by the cipher

nonce-tail (binary)

- doc: Random nonce to be concatenated to the packet ID, in order to obtain the actual cipher IV
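The keydir attributes above (cipher-key, nonce-tail, with nonce-tail-size fixed at 8) and the key-swap-ntf notification ("key having exhausted its IV space") describe the same lifecycle: every packet encrypted under a key consumes one IV, and the key must be retired before the packet-ID counter can wrap. The following model, an added illustration and not code from the kernel ovpn module or from OpenVPN, shows how the IV is assembled from packet ID and nonce tail, how a key slot refuses to issue an IV once its space is exhausted, and what key-swap does to the primary/secondary slots. It assumes, beyond what the page states, a 32-bit packet ID (so the IV is 12 bytes, the nonce length both listed cipher-alg entries use) and that packet IDs start at 1; the class names KeyDir, KeyConf and IvSpaceExhausted are hypothetical.

```python
import os
import struct

# From the spec on this page: nonce-tail-size is a constant of 8 bytes.
NONCE_TAIL_SIZE = 8
# Assumptions (not stated on the page): the packet ID is 32 bits, and both
# cipher-alg choices (aes-gcm, chacha20-poly1305) take a 96-bit nonce, so
# IV = packet_id (4 bytes, big-endian) || nonce_tail (8 bytes).
PACKET_ID_SIZE = 4
AEAD_IV_SIZE = PACKET_ID_SIZE + NONCE_TAIL_SIZE
MAX_PACKET_ID = (1 << (8 * PACKET_ID_SIZE)) - 1


class IvSpaceExhausted(Exception):
    """The packet-ID counter for this key has wrapped: the key must not be used again."""


def build_iv(packet_id, nonce_tail):
    """Concatenate the big-endian packet ID with the random nonce tail (spec: nonce-tail)."""
    if not 1 <= packet_id <= MAX_PACKET_ID:
        raise ValueError("packet id out of range")
    if len(nonce_tail) != NONCE_TAIL_SIZE:
        raise ValueError("nonce tail must be %d bytes" % NONCE_TAIL_SIZE)
    return struct.pack(">I", packet_id) + bytes(nonce_tail)


class KeyDir:
    """One direction of key material (spec: keydir): cipher-key, nonce-tail and
    the monotonically increasing packet ID from which each IV is derived."""

    def __init__(self, cipher_key, nonce_tail, start_packet_id=1):
        # Assumption: packet IDs start at 1; 0 is never placed on the wire.
        self.cipher_key = bytes(cipher_key)
        self.nonce_tail = bytes(nonce_tail)
        self.next_packet_id = start_packet_id
        build_iv(start_packet_id, self.nonce_tail)  # validate inputs up front

    def remaining(self):
        """Number of IVs this key can still issue before its space is exhausted."""
        return MAX_PACKET_ID - self.next_packet_id + 1

    def next_iv(self):
        """Return (packet_id, iv). Never wraps: reusing a (key, IV) pair under
        AES-GCM or ChaCha20-Poly1305 destroys confidentiality and integrity,
        which is why key-swap-ntf asks userspace to renegotiate before this point."""
        if self.next_packet_id > MAX_PACKET_ID:
            raise IvSpaceExhausted("IV space exhausted for this key; renegotiate")
        pid = self.next_packet_id
        self.next_packet_id += 1
        return pid, build_iv(pid, self.nonce_tail)


class KeyConf:
    """Primary/secondary slots (spec: key-slot) for one peer, with key-swap."""

    def __init__(self, primary, secondary=None):
        self.slots = {"primary": primary, "secondary": secondary}

    def swap(self):
        """key-swap: the freshly negotiated secondary key becomes primary."""
        if self.slots["secondary"] is None:
            raise ValueError("no secondary key installed; key-new must precede key-swap")
        self.slots["primary"], self.slots["secondary"] = (
            self.slots["secondary"], self.slots["primary"])

    def encrypt_iv(self):
        """IV for the next outgoing packet, always taken from the primary slot."""
        return self.slots["primary"].next_iv()


def fresh_keydir(key_len=32):
    """Constructed key material: random cipher-key and random nonce-tail."""
    return KeyDir(os.urandom(key_len), os.urandom(NONCE_TAIL_SIZE))


if __name__ == "__main__":
    conf = KeyConf(fresh_keydir(), fresh_keydir())
    pid, iv = conf.encrypt_iv()
    print("packet id", pid, "iv", iv.hex(), "remaining", conf.slots["primary"].remaining())
    conf.swap()
    print("after key-swap, next packet id:", conf.encrypt_iv()[0])
```

Operationally, the check in next_iv is the last line of defence; a client would normally act on key-swap-ntf well before remaining() reaches zero, install a new key with key-new into the secondary slot and then issue key-swap.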
ovpn

ifindex (u32)

- doc: Index of the ovpn interface to operate on

peer (nest)

- doc: The peer object containing the attributes of interest for the specific operation
- nested-attributes:

keyconf (nest)

- doc: Peer specific cipher configuration
- nested-attributes:
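The attribute sets above fix how each field travels on the wire: u32/u16 values with byte-order big-endian (remote-ipv4, remote-port, vpn-ipv4, local-port), binary blobs for IPv6 addresses, and nest attributes (peer, keyconf) that wrap a further attribute list. The following encoder and parser, an added example that is not part of the kernel's netlink specs or of any userspace tool, build the attribute payload of a peer-new request ([ifindex, peer]) in standard netlink TLV form and decode it again, rejecting truncated attributes. Attribute type numbers are not on this page; the OVPN_A_* constants below are assumed for illustration, numbered in the order the attributes are listed. Wrapping the payload in nlmsghdr/genlmsghdr and resolving the family id is outside this block.

```python
import ipaddress
import struct

# Netlink attribute (nlattr) layout, host byte order:
#   u16 nla_len (header + payload, excluding padding), u16 nla_type,
#   then the payload padded to a 4-byte boundary.
NLA_HDRLEN = 4
NLA_ALIGNTO = 4
NLA_F_NESTED = 1 << 15
NLA_F_NET_BYTEORDER = 1 << 14
NLA_TYPE_MASK = ~(NLA_F_NESTED | NLA_F_NET_BYTEORDER) & 0xFFFF

# Assumed attribute numbers (not given on the page): in-order, 1-based,
# following the listing above. Placeholders for illustration only.
OVPN_A_IFINDEX, OVPN_A_PEER, OVPN_A_KEYCONF = 1, 2, 3
OVPN_A_PEER_ID = 1
OVPN_A_PEER_REMOTE_IPV4 = 2
OVPN_A_PEER_REMOTE_IPV6 = 3
OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID = 4
OVPN_A_PEER_REMOTE_PORT = 5


def nla_align(n):
    return (n + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)


def nla(attr_type, payload):
    """One attribute: header, payload, zero padding to NLA_ALIGNTO."""
    hdr = struct.pack("=HH", NLA_HDRLEN + len(payload), attr_type)
    return hdr + payload + b"\0" * (nla_align(len(payload)) - len(payload))


def nla_u32(t, v):      # host byte order: ifindex, peer id, scope id
    return nla(t, struct.pack("=I", v))


def nla_be32(t, v):     # spec: byte-order big-endian, e.g. remote-ipv4
    return nla(t, struct.pack(">I", v))


def nla_be16(t, v):     # spec: byte-order big-endian, e.g. remote-port
    return nla(t, struct.pack(">H", v))


def nla_nest(t, children):
    """A nest attribute carries its children as payload and sets NLA_F_NESTED."""
    return nla(t | NLA_F_NESTED, b"".join(children))


def build_peer_new_attrs(ifindex, peer_id, remote_ip, remote_port, scope_id=None):
    """Attribute payload of a peer-new request: [ifindex, peer], the peer nest
    carrying id, remote address (v4 or v6) and remote port."""
    ip = ipaddress.ip_address(remote_ip)
    children = [nla_u32(OVPN_A_PEER_ID, peer_id)]
    if ip.version == 4:
        children.append(nla_be32(OVPN_A_PEER_REMOTE_IPV4, int(ip)))
    else:
        children.append(nla(OVPN_A_PEER_REMOTE_IPV6, ip.packed))  # binary, 16 bytes
        if scope_id is not None:
            children.append(nla_u32(OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, scope_id))
    children.append(nla_be16(OVPN_A_PEER_REMOTE_PORT, remote_port))
    return nla_u32(OVPN_A_IFINDEX, ifindex) + nla_nest(OVPN_A_PEER, children)


def parse_attrs(buf):
    """Walk a TLV stream into {type: payload}; refuse attributes whose length
    is smaller than the header or runs past the buffer (cf. the kernel's nla_ok())."""
    attrs = {}
    off = 0
    while off + NLA_HDRLEN <= len(buf):
        nla_len, nla_type = struct.unpack_from("=HH", buf, off)
        if nla_len < NLA_HDRLEN or off + nla_len > len(buf):
            raise ValueError("malformed attribute at offset %d" % off)
        attrs[nla_type & NLA_TYPE_MASK] = buf[off + NLA_HDRLEN:off + nla_len]
        off += nla_align(nla_len)
    return attrs


def decode_peer_new_attrs(buf):
    """Inverse of build_peer_new_attrs, honouring each field's byte order."""
    top = parse_attrs(buf)
    peer = parse_attrs(top[OVPN_A_PEER])
    out = {
        "ifindex": struct.unpack("=I", top[OVPN_A_IFINDEX])[0],
        "peer_id": struct.unpack("=I", peer[OVPN_A_PEER_ID])[0],
        "remote_port": struct.unpack(">H", peer[OVPN_A_PEER_REMOTE_PORT])[0],
    }
    if OVPN_A_PEER_REMOTE_IPV4 in peer:
        out["remote_ip"] = str(ipaddress.IPv4Address(peer[OVPN_A_PEER_REMOTE_IPV4]))
    else:
        out["remote_ip"] = str(ipaddress.IPv6Address(peer[OVPN_A_PEER_REMOTE_IPV6]))
    return out


if __name__ == "__main__":
    # Constructed sample: interface 5, peer 1 at 192.0.2.10:1194 (documentation range).
    buf = build_peer_new_attrs(5, 1, "192.0.2.10", 1194)
    print(buf.hex())
    print(decode_peer_new_attrs(buf))
```

The two byte orders in one message are the point to notice: the nlattr headers and u32 fields such as ifindex are in host order, while the fields the spec marks big-endian are network order regardless of host, so an IPv4 address must be packed with ">I" and never with "=I".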