
Advanced: bridge config

Not all systems can run OpenVPN. Instead, we might run them within a hypervisor and let the host run OpenVPN on their behalf. I’ve made some general changes to nfs-vpn to allow this type of configuration, and I am experimenting by running an ONTAP simulator VM within KVM on Linux. Here are some notes and definitions:

Allocate some network space for this type of configuration

Let’s reserve fd51:5f56:d79b:a64e:0:1::/96 for this work and slice /112 ranges out of it. I’ve assigned fd51:5f56:d79b:a64e:0:1:1:0/112 to my test host, “fs-vm”:

CLIENT[owner]="Benjamin Coddington <bcodding@redhat.com>"
CLIENT[owner_key]=bcodding@vpn.nfsv4.dev.pem
CLIENT[owner_key_hash]=6e367441cd3764891fa54f47d1bb83ed5c4576f6
CLIENT[hostname]=fs-vm.nfsv4.dev

CLIENT[registrar_key]=bcodding@vpn.nfsv4.dev.pem
CLIENT[registrar_key_hash]=6e367441cd3764891fa54f47d1bb83ed5c4576f6
CLIENT[dh_index]=11

# This system's vpn connection bridges to other systems:
CLIENT[is_bridge]=1
# You can't use short-form ipv6 here:
CLIENT[bridged_net]=fd51:5f56:d79b:a64e:0:1:1:0/112
CLIENT[ip6_addr]=fd51:5f56:d79b:a64e::1:1:1/64

Note that setting “is_bridge” and “bridged_net” causes the scripts to add the following to this client’s server-ccd conf file: an iroute-ipv6 for the bridged /112, plus one pushed nfs_host_N variable per VPN host (these are what the proxy NDP script further down reads):

iroute-ipv6 fd51:5f56:d79b:a64e:0:1:1:0/112
push "setenv-safe nfs_host_0 fd51:5f56:d79b:a64e::1"
push "setenv-safe nfs_host_1 fd51:5f56:d79b:a64e:6719:6320:7997:69b9"
...
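To make the address-form requirement and the ccd generation concrete, here is an added Python example (not part of nfs-vpn; the CLIENT keys and the fs-vm values are the ones shown above, while the /96 pool constant, the list of VPN host addresses and all function names are my own assumptions). It rewrites a network into the fully written-out form that bridged_net requires, checks that the client's /112 is really a slice of the pool and contains its ip6_addr, and emits the iroute-ipv6 and push lines for the ccd file:

```python
"""Build the server-ccd fragment for a bridged nfs-vpn client.

Added example, not nfs-vpn code. The CLIENT keys (is_bridge, bridged_net,
ip6_addr) mirror the page; BRIDGE_POOL and the nfs_hosts list are assumptions.
"""
import ipaddress

# Constructed sample: the fs-vm client definition from the page, as a dict.
FS_VM = {
    "hostname": "fs-vm.nfsv4.dev",
    "is_bridge": "1",
    "bridged_net": "fd51:5f56:d79b:a64e:0:1:1:0/112",
    "ip6_addr": "fd51:5f56:d79b:a64e::1:1:1/64",
}

# Assumed pool that the /112 slices are carved from.
BRIDGE_POOL = ipaddress.IPv6Network("fd51:5f56:d79b:a64e:0:1::/96")


def long_form(net):
    """Return the network without '::' shorthand, as bridged_net requires,
    e.g. 'fd51:5f56:d79b:a64e::1:1:0/112' -> 'fd51:5f56:d79b:a64e:0:1:1:0/112'."""
    n = ipaddress.IPv6Network(net, strict=True)
    groups = n.network_address.exploded.split(":")  # 8 zero-padded groups
    return ":".join(g.lstrip("0") or "0" for g in groups) + f"/{n.prefixlen}"


def validate_bridged_client(client, pool=BRIDGE_POOL):
    """Check that a bridged client's bridged_net is a /112 inside the pool and
    that its own ip6_addr lies inside that /112. Returns the IPv6Network."""
    if client.get("is_bridge") != "1":
        raise ValueError("client is not marked is_bridge")
    if "::" in client["bridged_net"]:
        raise ValueError("bridged_net must be written in long form (no '::')")
    net = ipaddress.IPv6Network(client["bridged_net"], strict=True)
    if net.prefixlen != 112 or not net.subnet_of(pool):
        raise ValueError(f"{net} is not a /112 slice of {pool}")
    addr = ipaddress.IPv6Interface(client["ip6_addr"]).ip
    if addr not in net:
        raise ValueError(f"{addr} is outside bridged_net {net}")
    return net


def ccd_fragment(client, nfs_hosts):
    """Lines to append to the client's ccd file: an iroute-ipv6 for the bridged
    /112 and one 'setenv-safe nfs_host_N' push per VPN host address."""
    net = validate_bridged_client(client)
    lines = [f"iroute-ipv6 {long_form(str(net))}"]
    for i, host in enumerate(nfs_hosts):
        addr = ipaddress.IPv6Address(host).compressed
        lines.append(f'push "setenv-safe nfs_host_{i} {addr}"')
    return lines


if __name__ == "__main__":
    # Constructed host list standing in for the server's active VPN hosts.
    for line in ccd_fragment(FS_VM, ["fd51:5f56:d79b:a64e::1",
                                     "fd51:5f56:d79b:a64e:6719:6320:7997:69b9"]):
        print(line)
```

The long-form check is deliberately a string test: the scripts match the text of bridged_net, so a value that is a valid IPv6 network but uses “::” is rejected before it reaches the ccd file.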

Configure the client

This is a Linux (Fedora) system, on which I’ve run:

nmcli con add con-name nfsvpn-bridge ifname nfsvpn-bridge type bridge ipv4.method disabled
sysctl -w net.ipv6.conf.tun0.forwarding=1
sysctl -w net.ipv6.conf.nfsvpn-bridge.forwarding=1
sysctl -w net.ipv6.conf.tun0.proxy_ndp=1
sysctl -w net.ipv6.conf.nfsvpn-bridge.proxy_ndp=1

To make things easier for libvirt, I’ve also defined the bridge:

cat > bridge.xml <<EOF
<network>
    <name>nfsvpn-bridge</name>
    <forward mode="bridge"/>
    <bridge name="nfsvpn-bridge"/>
</network>
EOF
virsh net-define bridge.xml

Fix up NDP

Now, traffic to fd51:5f56:d79b:a64e:0:1:1:0/112 will make it to the host and on to the VM, but replies won’t work. The VM’s address is in the same /64 as the other VPN hosts, so it treats them as on-link neighbors and sends neighbor solicitations for them on the bridge, where nothing answers, because those hosts are really on the far side of the VPN link. With proxy NDP the host answers those solicitations itself, so the VM hands the reply to the host, which forwards it over the VPN connection:

ip -6 neigh add proxy fd51:5f56:d79b:a64e:64cc:5641:2916:7c4 dev nfsvpn-bridge

Since we’d need to add a proxy NDP entry for /every/ host in nfs-vpn that we want to talk to, we’ll use an up/down script on the interface to read all the active IP addresses from the environment variables pushed by the server.

Here’s an example script that’s working for me (proxy.NDP):

#!/bin/bash
# OpenVPN up/down script: turn every OPENVPN_nfs_host_N address pushed by the
# server into a proxy NDP entry on the bridge, so the host answers neighbor
# solicitations from the VMs on behalf of the remote VPN hosts.

VPN_BRIDGE="nfsvpn-bridge"
ip="/usr/sbin/ip"

if ! "${ip}" link show type bridge dev "${VPN_BRIDGE}" >/dev/null 2>&1
then
	echo "No such bridge \"${VPN_BRIDGE}\"" >&2
	exit 1
fi

# Remove proxy entries by default; add them only when OpenVPN runs us as the
# "up" script (script_type is set by OpenVPN).
entry_cmd="del"
[ "${script_type}" = "up" ] && entry_cmd="add"

# "push setenv-safe nfs_host_N ..." on the server arrives here as the
# environment variable OPENVPN_nfs_host_N; ${!hostvar} reads its value.
for hostvar in $(compgen -A variable OPENVPN_nfs_host_)
do
	neigh_cmd=("${ip}" -6 neigh "${entry_cmd}" proxy "${!hostvar}" dev "${VPN_BRIDGE}")
	echo "${neigh_cmd[*]}"
	"${neigh_cmd[@]}"
done