.. SPDX-License-Identifier: GPL-2.0
.. NOTE: This document was auto-generated.


=====================================
Family ``ovpn`` netlink specification
=====================================


.. contents:: :depth: 3


-------
Summary
-------


Netlink protocol to control OpenVPN network devices

----------
Operations
----------


.. _ovpn-operation-peer-new:

peer-new
========
Add a remote peer

:attribute-set: :ref:`ovpn-attribute-set-ovpn-peer-new-input`
:flags: [``admin-perm``]
:do:
    **pre**
        ovpn-nl-pre-doit

    **post**
        ovpn-nl-post-doit

    **request**
        :attributes: [``ifindex``, ``peer``]



.. _ovpn-operation-peer-set:

peer-set
========
Modify a remote peer

:attribute-set: :ref:`ovpn-attribute-set-ovpn-peer-set-input`
:flags: [``admin-perm``]
:do:
    **pre**
        ovpn-nl-pre-doit

    **post**
        ovpn-nl-post-doit

    **request**
        :attributes: [``ifindex``, ``peer``]



.. _ovpn-operation-peer-get:

peer-get
========
Retrieve data about existing remote peers (or a specific one)

:attribute-set: :ref:`ovpn-attribute-set-ovpn`
:flags: [``admin-perm``]
:do:
    **pre**
        ovpn-nl-pre-doit

    **post**
        ovpn-nl-post-doit

    **request**
        :attributes: [``ifindex``, ``peer``]

    **reply**
        :attributes: [``peer``]

:dump:
    **request**
        :attributes: [``ifindex``]

    **reply**
        :attributes: [``peer``]



.. _ovpn-operation-peer-del:

peer-del
========
Delete existing remote peer

:attribute-set: :ref:`ovpn-attribute-set-ovpn-peer-del-input`
:flags: [``admin-perm``]
:do:
    **pre**
        ovpn-nl-pre-doit

    **post**
        ovpn-nl-post-doit

    **request**
        :attributes: [``ifindex``, ``peer``]



.. _ovpn-operation-peer-del-ntf:

peer-del-ntf
============
Notification about a peer being deleted

:notify: peer-get
:mcgrp: peers


.. _ovpn-operation-key-new:

key-new
=======
Add a cipher key for a specific peer

:attribute-set: :ref:`ovpn-attribute-set-ovpn`
:flags: [``admin-perm``]
:do:
    **pre**
        ovpn-nl-pre-doit

    **post**
        ovpn-nl-post-doit

    **request**
        :attributes: [``ifindex``, ``keyconf``]



.. _ovpn-operation-key-get:

key-get
=======
Retrieve non-sensitive data about peer key and cipher

:attribute-set: :ref:`ovpn-attribute-set-ovpn-keyconf-get`
:flags: [``admin-perm``]
:do:
    **pre**
        ovpn-nl-pre-doit

    **post**
        ovpn-nl-post-doit

    **request**
        :attributes: [``ifindex``, ``keyconf``]

    **reply**
        :attributes: [``keyconf``]



.. _ovpn-operation-key-swap:

key-swap
========
Swap primary and secondary session keys for a specific peer

:attribute-set: :ref:`ovpn-attribute-set-ovpn-keyconf-swap-input`
:flags: [``admin-perm``]
:do:
    **pre**
        ovpn-nl-pre-doit

    **post**
        ovpn-nl-post-doit

    **request**
        :attributes: [``ifindex``, ``keyconf``]



.. _ovpn-operation-key-swap-ntf:

key-swap-ntf
============
Notification about key having exhausted its IV space and requiring renegotiation

:notify: key-get
:mcgrp: peers


.. _ovpn-operation-key-del:

key-del
=======
Delete cipher key for a specific peer

:attribute-set: :ref:`ovpn-attribute-set-ovpn-keyconf-del-input`
:flags: [``admin-perm``]
:do:
    **pre**
        ovpn-nl-pre-doit

    **post**
        ovpn-nl-post-doit

    **request**
        :attributes: [``ifindex``, ``keyconf``]




----------------
Multicast groups
----------------


- peers

-----------
Definitions
-----------


.. _ovpn-definition-nonce-tail-size:

nonce-tail-size
===============
:type: const
:value: 8


.. _ovpn-definition-cipher-alg:

cipher-alg
==========
:type: enum


:entries:
    - ``none``
    - ``aes-gcm``
    - ``chacha20-poly1305``


.. _ovpn-definition-del-peer-reason:

del-peer-reason
===============
:type: enum


:entries:
    - ``teardown``
    - ``userspace``
    - ``expired``
    - ``transport-error``
    - ``transport-disconnect``


.. _ovpn-definition-key-slot:

key-slot
========
:type: enum


:entries:
    - ``primary``
    - ``secondary``



--------------
Attribute sets
--------------


.. _ovpn-attribute-set-peer:

peer
====
id (``u32``)
~~~~~~~~~~~~
:doc: The unique ID of the peer in the device context. To be used to identify peers during operations for a specific device


remote-ipv4 (``u32``)
~~~~~~~~~~~~~~~~~~~~~
:doc: The remote IPv4 address of the peer
:byte-order: big-endian
:display-hint: ipv4


remote-ipv6 (``binary``)
~~~~~~~~~~~~~~~~~~~~~~~~
:doc: The remote IPv6 address of the peer
:display-hint: ipv6


remote-ipv6-scope-id (``u32``)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:doc: The scope id of the remote IPv6 address of the peer (RFC2553)


remote-port (``u16``)
~~~~~~~~~~~~~~~~~~~~~
:doc: The remote port of the peer
:byte-order: big-endian


socket (``u32``)
~~~~~~~~~~~~~~~~
:doc: The socket to be used to communicate with the peer


socket-netnsid (``s32``)
~~~~~~~~~~~~~~~~~~~~~~~~
:doc: The ID of the netns the socket assigned to this peer lives in


vpn-ipv4 (``u32``)
~~~~~~~~~~~~~~~~~~
:doc: The IPv4 address assigned to the peer by the server
:byte-order: big-endian
:display-hint: ipv4


vpn-ipv6 (``binary``)
~~~~~~~~~~~~~~~~~~~~~
:doc: The IPv6 address assigned to the peer by the server
:display-hint: ipv6


local-ipv4 (``u32``)
~~~~~~~~~~~~~~~~~~~~
:doc: The local IPv4 to be used to send packets to the peer (UDP only)
:byte-order: big-endian
:display-hint: ipv4


local-ipv6 (``binary``)
~~~~~~~~~~~~~~~~~~~~~~~
:doc: The local IPv6 to be used to send packets to the peer (UDP only)
:display-hint: ipv6


local-port (``u16``)
~~~~~~~~~~~~~~~~~~~~
:doc: The local port to be used to send packets to the peer (UDP only)
:byte-order: big-endian


keepalive-interval (``u32``)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:doc: The number of seconds after which a keep alive message is sent to the peer


keepalive-timeout (``u32``)
~~~~~~~~~~~~~~~~~~~~~~~~~~~
:doc: The number of seconds from the last activity after which the peer is assumed dead


del-reason (``u32``)
~~~~~~~~~~~~~~~~~~~~
:doc: The reason why a peer was deleted
:enum: :ref:`ovpn-definition-del-peer-reason`


vpn-rx-bytes (``uint``)
~~~~~~~~~~~~~~~~~~~~~~~
:doc: Number of bytes received over the tunnel


vpn-tx-bytes (``uint``)
~~~~~~~~~~~~~~~~~~~~~~~
:doc: Number of bytes transmitted over the tunnel


vpn-rx-packets (``uint``)
~~~~~~~~~~~~~~~~~~~~~~~~~
:doc: Number of packets received over the tunnel


vpn-tx-packets (``uint``)
~~~~~~~~~~~~~~~~~~~~~~~~~
:doc: Number of packets transmitted over the tunnel


link-rx-bytes (``uint``)
~~~~~~~~~~~~~~~~~~~~~~~~
:doc: Number of bytes received at the transport level


link-tx-bytes (``uint``)
~~~~~~~~~~~~~~~~~~~~~~~~
:doc: Number of bytes transmitted at the transport level


link-rx-packets (``uint``)
~~~~~~~~~~~~~~~~~~~~~~~~~~
:doc: Number of packets received at the transport level


link-tx-packets (``uint``)
~~~~~~~~~~~~~~~~~~~~~~~~~~
:doc: Number of packets transmitted at the transport level


.. _ovpn-attribute-set-peer-new-input:

peer-new-input
==============
id
~~


remote-ipv4
~~~~~~~~~~~


remote-ipv6
~~~~~~~~~~~


remote-ipv6-scope-id
~~~~~~~~~~~~~~~~~~~~


remote-port
~~~~~~~~~~~


socket
~~~~~~


vpn-ipv4
~~~~~~~~


vpn-ipv6
~~~~~~~~


local-ipv4
~~~~~~~~~~


local-ipv6
~~~~~~~~~~


keepalive-interval
~~~~~~~~~~~~~~~~~~


keepalive-timeout
~~~~~~~~~~~~~~~~~


.. _ovpn-attribute-set-peer-set-input:

peer-set-input
==============
id
~~


remote-ipv4
~~~~~~~~~~~


remote-ipv6
~~~~~~~~~~~


remote-ipv6-scope-id
~~~~~~~~~~~~~~~~~~~~


remote-port
~~~~~~~~~~~


vpn-ipv4
~~~~~~~~


vpn-ipv6
~~~~~~~~


local-ipv4
~~~~~~~~~~


local-ipv6
~~~~~~~~~~


keepalive-interval
~~~~~~~~~~~~~~~~~~


keepalive-timeout
~~~~~~~~~~~~~~~~~


.. _ovpn-attribute-set-peer-del-input:

peer-del-input
==============
id
~~


.. _ovpn-attribute-set-keyconf:

keyconf
=======
peer-id (``u32``)
~~~~~~~~~~~~~~~~~
:doc: The unique ID of the peer in the device context. To be used to identify peers during key operations


slot (``u32``)
~~~~~~~~~~~~~~
:doc: The slot where the key should be stored
:enum: :ref:`ovpn-definition-key-slot`


key-id (``u32``)
~~~~~~~~~~~~~~~~
:doc: The unique ID of the key in the peer context. Used to fetch the correct key upon decryption


cipher-alg (``u32``)
~~~~~~~~~~~~~~~~~~~~
:doc: The cipher to be used when communicating with the peer
:enum: :ref:`ovpn-definition-cipher-alg`


encrypt-dir (``nest``)
~~~~~~~~~~~~~~~~~~~~~~
:doc: Key material for encrypt direction
:nested-attributes: :ref:`ovpn-attribute-set-keydir`


decrypt-dir (``nest``)
~~~~~~~~~~~~~~~~~~~~~~
:doc: Key material for decrypt direction
:nested-attributes: :ref:`ovpn-attribute-set-keydir`


.. _ovpn-attribute-set-keydir:

keydir
======
cipher-key (``binary``)
~~~~~~~~~~~~~~~~~~~~~~~
:doc: The actual key to be used by the cipher


nonce-tail (``binary``)
~~~~~~~~~~~~~~~~~~~~~~~
:doc: Random nonce to be concatenated to the packet ID, in order to obtain the actual cipher IV
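
The IV construction described for ``nonce-tail``, together with the exhaustion condition that ``key-swap-ntf`` reports, as an added example (not code from the kernel or from this specification). It assumes a 32-bit packet ID written big-endian in front of the 8-byte tail to form a 12-byte AEAD IV; the struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NONCE_TAIL_SIZE 8  /* nonce-tail-size from the Definitions section */
#define PKT_ID_SIZE     4  /* assumption: 32-bit packet ID */
#define AEAD_IV_SIZE    (PKT_ID_SIZE + NONCE_TAIL_SIZE)

/* Hypothetical per-direction state mirroring the keydir attribute set. */
struct keydir_state {
    uint8_t  nonce_tail[NONCE_TAIL_SIZE];
    uint32_t next_pkt_id;  /* next packet ID to consume */
    int      exhausted;    /* set once every packet ID has been used */
};

/* Accept a nonce-tail attribute only if its payload is exactly 8 bytes;
 * a shorter or longer binary blob is rejected instead of being padded. */
int keydir_init(struct keydir_state *kd, const uint8_t *tail, size_t len)
{
    if (len != NONCE_TAIL_SIZE)
        return -1;
    memcpy(kd->nonce_tail, tail, NONCE_TAIL_SIZE);
    kd->next_pkt_id = 1;   /* constructed starting value for the example */
    kd->exhausted = 0;
    return 0;
}

/* Build IV = packet ID (big-endian) || nonce-tail.
 * Returns 0 on success and -1 once the packet ID space is used up, so an
 * IV is never repeated under the same key; that is the point at which the
 * key has exhausted its IV space and must be renegotiated. */
int keydir_next_iv(struct keydir_state *kd, uint8_t iv[AEAD_IV_SIZE])
{
    uint32_t id;

    if (kd->exhausted)
        return -1;
    id = kd->next_pkt_id;
    iv[0] = (uint8_t)(id >> 24);
    iv[1] = (uint8_t)(id >> 16);
    iv[2] = (uint8_t)(id >> 8);
    iv[3] = (uint8_t)id;
    memcpy(iv + PKT_ID_SIZE, kd->nonce_tail, NONCE_TAIL_SIZE);
    if (id == UINT32_MAX)
        kd->exhausted = 1;  /* refuse to wrap around to a reused ID */
    else
        kd->next_pkt_id = id + 1;
    return 0;
}
```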


.. _ovpn-attribute-set-keyconf-get:

keyconf-get
===========
peer-id
~~~~~~~


slot
~~~~


key-id
~~~~~~


cipher-alg
~~~~~~~~~~


.. _ovpn-attribute-set-keyconf-swap-input:

keyconf-swap-input
==================
peer-id
~~~~~~~


.. _ovpn-attribute-set-keyconf-del-input:

keyconf-del-input
=================
peer-id
~~~~~~~


slot
~~~~


.. _ovpn-attribute-set-ovpn:

ovpn
====
ifindex (``u32``)
~~~~~~~~~~~~~~~~~
:doc: Index of the ovpn interface to operate on


peer (``nest``)
~~~~~~~~~~~~~~~
:doc: The peer object containing the attributes of interest for the specific operation
:nested-attributes: :ref:`ovpn-attribute-set-peer`


keyconf (``nest``)
~~~~~~~~~~~~~~~~~~
:doc: Peer specific cipher configuration
:nested-attributes: :ref:`ovpn-attribute-set-keyconf`


.. _ovpn-attribute-set-ovpn-peer-new-input:

ovpn-peer-new-input
===================
ifindex
~~~~~~~


peer
~~~~
:nested-attributes: :ref:`ovpn-attribute-set-peer-new-input`


.. _ovpn-attribute-set-ovpn-peer-set-input:

ovpn-peer-set-input
===================
ifindex
~~~~~~~


peer
~~~~
:nested-attributes: :ref:`ovpn-attribute-set-peer-set-input`


.. _ovpn-attribute-set-ovpn-peer-del-input:

ovpn-peer-del-input
===================
ifindex
~~~~~~~


peer
~~~~
:nested-attributes: :ref:`ovpn-attribute-set-peer-del-input`


.. _ovpn-attribute-set-ovpn-keyconf-get:

ovpn-keyconf-get
================
ifindex
~~~~~~~


keyconf
~~~~~~~
:nested-attributes: :ref:`ovpn-attribute-set-keyconf-get`


.. _ovpn-attribute-set-ovpn-keyconf-swap-input:

ovpn-keyconf-swap-input
=======================
ifindex
~~~~~~~


keyconf
~~~~~~~
:nested-attributes: :ref:`ovpn-attribute-set-keyconf-swap-input`


.. _ovpn-attribute-set-ovpn-keyconf-del-input:

ovpn-keyconf-del-input
======================
ifindex
~~~~~~~


keyconf
~~~~~~~
:nested-attributes: :ref:`ovpn-attribute-set-keyconf-del-input`

