| # SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) |
| # |
| # Author: Antonio Quartulli <antonio@openvpn.net> |
| # |
| # Copyright (c) 2024-2025, OpenVPN Inc. |
| # |
| --- |
| name: ovpn |
| |
| protocol: genetlink |
| |
| doc: Netlink protocol to control OpenVPN network devices |
| |
| definitions: |
| - |
| type: const |
| name: nonce-tail-size |
| value: 8 |
| - |
| type: enum |
| name: cipher-alg |
| entries: [none, aes-gcm, chacha20-poly1305] |
| - |
| type: enum |
| name: del-peer-reason |
| entries: |
| - teardown |
| - userspace |
| - expired |
| - transport-error |
| - transport-disconnect |
| - |
| type: enum |
| name: key-slot |
| entries: [primary, secondary] |
| |
| attribute-sets: |
| - |
| name: peer |
| attributes: |
| - |
| name: id |
| type: u32 |
| doc: >- |
| The unique ID of the peer in the device context. To be used to |
| identify peers during operations for a specific device |
| checks: |
| max: 0xFFFFFF |
| - |
| name: remote-ipv4 |
| type: u32 |
| doc: The remote IPv4 address of the peer |
| byte-order: big-endian |
| display-hint: ipv4 |
| - |
| name: remote-ipv6 |
| type: binary |
| doc: The remote IPv6 address of the peer |
| display-hint: ipv6 |
| checks: |
| exact-len: 16 |
| - |
| name: remote-ipv6-scope-id |
| type: u32 |
| doc: The scope id of the remote IPv6 address of the peer (RFC2553) |
| - |
| name: remote-port |
| type: u16 |
| doc: The remote port of the peer |
| byte-order: big-endian |
| checks: |
| min: 1 |
| - |
| name: socket |
| type: u32 |
| doc: The socket to be used to communicate with the peer |
| - |
| name: socket-netnsid |
| type: s32 |
| doc: The ID of the netns the socket assigned to this peer lives in |
| - |
| name: vpn-ipv4 |
| type: u32 |
| doc: The IPv4 address assigned to the peer by the server |
| byte-order: big-endian |
| display-hint: ipv4 |
| - |
| name: vpn-ipv6 |
| type: binary |
| doc: The IPv6 address assigned to the peer by the server |
| display-hint: ipv6 |
| checks: |
| exact-len: 16 |
| - |
| name: local-ipv4 |
| type: u32 |
| doc: The local IPv4 to be used to send packets to the peer (UDP only) |
| byte-order: big-endian |
| display-hint: ipv4 |
| - |
| name: local-ipv6 |
| type: binary |
| doc: The local IPv6 to be used to send packets to the peer (UDP only) |
| display-hint: ipv6 |
| checks: |
| exact-len: 16 |
| - |
| name: local-port |
| type: u16 |
| doc: The local port to be used to send packets to the peer (UDP only) |
| byte-order: big-endian |
| checks: |
| min: 1 |
| - |
| name: keepalive-interval |
| type: u32 |
| doc: >- |
| The number of seconds after which a keep alive message is sent to the |
| peer |
| - |
| name: keepalive-timeout |
| type: u32 |
| doc: >- |
| The number of seconds from the last activity after which the peer is |
| assumed dead |
| - |
| name: del-reason |
| type: u32 |
| doc: The reason why a peer was deleted |
| enum: del-peer-reason |
| - |
| name: vpn-rx-bytes |
| type: uint |
| doc: Number of bytes received over the tunnel |
| - |
| name: vpn-tx-bytes |
| type: uint |
| doc: Number of bytes transmitted over the tunnel |
| - |
| name: vpn-rx-packets |
| type: uint |
| doc: Number of packets received over the tunnel |
| - |
| name: vpn-tx-packets |
| type: uint |
| doc: Number of packets transmitted over the tunnel |
| - |
| name: link-rx-bytes |
| type: uint |
| doc: Number of bytes received at the transport level |
| - |
| name: link-tx-bytes |
| type: uint |
| doc: Number of bytes transmitted at the transport level |
| - |
| name: link-rx-packets |
| type: uint |
| doc: Number of packets received at the transport level |
| - |
| name: link-tx-packets |
| type: uint |
| doc: Number of packets transmitted at the transport level |
| - |
| name: peer-new-input |
| subset-of: peer |
| attributes: |
| - |
| name: id |
| - |
| name: remote-ipv4 |
| - |
| name: remote-ipv6 |
| - |
| name: remote-ipv6-scope-id |
| - |
| name: remote-port |
| - |
| name: socket |
| - |
| name: vpn-ipv4 |
| - |
| name: vpn-ipv6 |
| - |
| name: local-ipv4 |
| - |
| name: local-ipv6 |
| - |
| name: keepalive-interval |
| - |
| name: keepalive-timeout |
| - |
| name: peer-set-input |
| subset-of: peer |
| attributes: |
| - |
| name: id |
| - |
| name: remote-ipv4 |
| - |
| name: remote-ipv6 |
| - |
| name: remote-ipv6-scope-id |
| - |
| name: remote-port |
| - |
| name: vpn-ipv4 |
| - |
| name: vpn-ipv6 |
| - |
| name: local-ipv4 |
| - |
| name: local-ipv6 |
| - |
| name: keepalive-interval |
| - |
| name: keepalive-timeout |
| - |
| name: peer-del-input |
| subset-of: peer |
| attributes: |
| - |
| name: id |
| - |
| name: keyconf |
| attributes: |
| - |
| name: peer-id |
| type: u32 |
| doc: >- |
| The unique ID of the peer in the device context. To be used to |
| identify peers during key operations |
| checks: |
| max: 0xFFFFFF |
| - |
| name: slot |
| type: u32 |
| doc: The slot where the key should be stored |
| enum: key-slot |
| - |
| name: key-id |
| doc: >- |
| The unique ID of the key in the peer context. Used to fetch the |
| correct key upon decryption |
| type: u32 |
| checks: |
| max: 7 |
| - |
| name: cipher-alg |
| type: u32 |
| doc: The cipher to be used when communicating with the peer |
| enum: cipher-alg |
| - |
| name: encrypt-dir |
| type: nest |
| doc: Key material for encrypt direction |
| nested-attributes: keydir |
| - |
| name: decrypt-dir |
| type: nest |
| doc: Key material for decrypt direction |
| nested-attributes: keydir |
| - |
| name: keydir |
| attributes: |
| - |
| name: cipher-key |
| type: binary |
| doc: The actual key to be used by the cipher |
| checks: |
| max-len: 256 |
| - |
| name: nonce-tail |
| type: binary |
| doc: >- |
| Random nonce to be concatenated to the packet ID, in order to |
| obtain the actual cipher IV |
| checks: |
| exact-len: nonce-tail-size |
| |
| - |
| name: keyconf-get |
| subset-of: keyconf |
| attributes: |
| - |
| name: peer-id |
| - |
| name: slot |
| - |
| name: key-id |
| - |
| name: cipher-alg |
| - |
| name: keyconf-swap-input |
| subset-of: keyconf |
| attributes: |
| - |
| name: peer-id |
| - |
| name: keyconf-del-input |
| subset-of: keyconf |
| attributes: |
| - |
| name: peer-id |
| - |
| name: slot |
| - |
| name: ovpn |
| attributes: |
| - |
| name: ifindex |
| type: u32 |
| doc: Index of the ovpn interface to operate on |
| - |
| name: peer |
| type: nest |
| doc: >- |
| The peer object containing the attributed of interest for the specific |
| operation |
| nested-attributes: peer |
| - |
| name: keyconf |
| type: nest |
| doc: Peer specific cipher configuration |
| nested-attributes: keyconf |
| - |
| name: ovpn-peer-new-input |
| subset-of: ovpn |
| attributes: |
| - |
| name: ifindex |
| - |
| name: peer |
| nested-attributes: peer-new-input |
| - |
| name: ovpn-peer-set-input |
| subset-of: ovpn |
| attributes: |
| - |
| name: ifindex |
| - |
| name: peer |
| nested-attributes: peer-set-input |
| - |
| name: ovpn-peer-del-input |
| subset-of: ovpn |
| attributes: |
| - |
| name: ifindex |
| - |
| name: peer |
| nested-attributes: peer-del-input |
| - |
| name: ovpn-keyconf-get |
| subset-of: ovpn |
| attributes: |
| - |
| name: ifindex |
| - |
| name: keyconf |
| nested-attributes: keyconf-get |
| - |
| name: ovpn-keyconf-swap-input |
| subset-of: ovpn |
| attributes: |
| - |
| name: ifindex |
| - |
| name: keyconf |
| nested-attributes: keyconf-swap-input |
| - |
| name: ovpn-keyconf-del-input |
| subset-of: ovpn |
| attributes: |
| - |
| name: ifindex |
| - |
| name: keyconf |
| nested-attributes: keyconf-del-input |
| |
| operations: |
| list: |
| - |
| name: peer-new |
| attribute-set: ovpn-peer-new-input |
| flags: [admin-perm] |
| doc: Add a remote peer |
| do: |
| pre: ovpn-nl-pre-doit |
| post: ovpn-nl-post-doit |
| request: |
| attributes: |
| - ifindex |
| - peer |
| - |
| name: peer-set |
| attribute-set: ovpn-peer-set-input |
| flags: [admin-perm] |
| doc: modify a remote peer |
| do: |
| pre: ovpn-nl-pre-doit |
| post: ovpn-nl-post-doit |
| request: |
| attributes: |
| - ifindex |
| - peer |
| - |
| name: peer-get |
| attribute-set: ovpn |
| flags: [admin-perm] |
| doc: Retrieve data about existing remote peers (or a specific one) |
| do: |
| pre: ovpn-nl-pre-doit |
| post: ovpn-nl-post-doit |
| request: |
| attributes: |
| - ifindex |
| - peer |
| reply: |
| attributes: |
| - peer |
| dump: |
| request: |
| attributes: |
| - ifindex |
| reply: |
| attributes: |
| - peer |
| - |
| name: peer-del |
| attribute-set: ovpn-peer-del-input |
| flags: [admin-perm] |
| doc: Delete existing remote peer |
| do: |
| pre: ovpn-nl-pre-doit |
| post: ovpn-nl-post-doit |
| request: |
| attributes: |
| - ifindex |
| - peer |
| - |
| name: peer-del-ntf |
| doc: Notification about a peer being deleted |
| notify: peer-get |
| mcgrp: peers |
| |
| - |
| name: key-new |
| attribute-set: ovpn |
| flags: [admin-perm] |
| doc: Add a cipher key for a specific peer |
| do: |
| pre: ovpn-nl-pre-doit |
| post: ovpn-nl-post-doit |
| request: |
| attributes: |
| - ifindex |
| - keyconf |
| - |
| name: key-get |
| attribute-set: ovpn-keyconf-get |
| flags: [admin-perm] |
| doc: Retrieve non-sensitive data about peer key and cipher |
| do: |
| pre: ovpn-nl-pre-doit |
| post: ovpn-nl-post-doit |
| request: |
| attributes: |
| - ifindex |
| - keyconf |
| reply: |
| attributes: |
| - keyconf |
| - |
| name: key-swap |
| attribute-set: ovpn-keyconf-swap-input |
| flags: [admin-perm] |
| doc: Swap primary and secondary session keys for a specific peer |
| do: |
| pre: ovpn-nl-pre-doit |
| post: ovpn-nl-post-doit |
| request: |
| attributes: |
| - ifindex |
| - keyconf |
| - |
| name: key-swap-ntf |
| notify: key-get |
| doc: >- |
| Notification about key having exhausted its IV space and requiring |
| renegotiation |
| mcgrp: peers |
| - |
| name: key-del |
| attribute-set: ovpn-keyconf-del-input |
| flags: [admin-perm] |
| doc: Delete cipher key for a specific peer |
| do: |
| pre: ovpn-nl-pre-doit |
| post: ovpn-nl-post-doit |
| request: |
| attributes: |
| - ifindex |
| - keyconf |
| |
| mcast-groups: |
| list: |
| - |
| name: peers |
