VPN - Allows termination over IP without specifying device
NetBox version
v3.7.0
Feature type
Change to existing functionality
Proposed functionality
I'm opening this issue to ask about allowing VPN termination on an IP address without having to specify a device and its interface.
This is a simple mockup of the UI change.
Use case
The typical use case is where the other side of the VPN is terminated on a customer/vendor/contractor's device but the device and interface details are unknown. Also, in this way, we would not be forced to create dummy devices that would end up staying on Netbox even though they are not actually owned by us.
Database changes
No response
External dependencies
No response
This is actually our use case as well: no need to save the remote-side device details, just the termination IP address, because that's the remote-side detail we need when provisioning the tunnel on our side.
This would have been a topic for discussion during the v3.7 beta evaluation period last month. Unfortunately, now that v3.7 has been released, we are no longer considering major changes to the VPN tunnels implementation.
However, please note that it is perfectly valid to create only one termination on a tunnel; you can use a custom field to record the IP address of the remote end for which complete termination details are unknown.
I've been testing custom fields with VPN tunnels, but the challenge with them is that they create (as far as I see it) a one-way relationship, meaning that if I configure a custom field in the VPN tunnel with the IP address object, I cannot trace back where the IP address is used. Also, search does not find IP addresses in custom fields. (The same goes for contacts, which I thought of using in tunnels.)
Using tags could be another option. (Edit: text custom fields instead of objects could possibly work as well in some cases)
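The maintainer's workaround (one termination plus a custom field holding the remote IP) and the missing reverse lookup described in the comment above can be bridged with a small client-side script. The following is an added example, not code from the thread or from NetBox: it walks the `results` array as returned by `/api/vpn/tunnels/` (fetched separately; a constructed sample is embedded here), assumes a custom field named `remote_ip` on vpn.tunnel, and accepts both the object-type value (nested IP address representation with an `address` key, as assumed here) and a plain text value, normalizing away the prefix length so `203.0.113.10` and `203.0.113.10/32` match.

```python
"""Reverse lookup of NetBox tunnels by the remote IP stored in a custom field.

Added example, not part of the issue thread or of NetBox. Operates on the
`results` list from /api/vpn/tunnels/ and assumes a custom field named
`remote_ip` attached to vpn.tunnel. The value may be an object field (nested
IP address representation with an `address` key; assumed shape) or a text
field (a bare address or address/len). Sample data below is constructed.
"""
import ipaddress
from typing import Any, Optional, Union

CUSTOM_FIELD = "remote_ip"  # assumed custom field name

IpAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample of the `results` array from /api/vpn/tunnels/.
SAMPLE_TUNNELS: list[dict[str, Any]] = [
    {   # object-type custom field: nested IP address representation (assumed)
        "id": 1,
        "name": "vendor-a-ipsec",
        "custom_fields": {
            "remote_ip": {"id": 42, "address": "203.0.113.10/32", "family": 4},
        },
    },
    {   # text custom field: bare host address
        "id": 2,
        "name": "contractor-b-gre",
        "custom_fields": {"remote_ip": "198.51.100.7"},
    },
    {   # text custom field: prefix length present, stray whitespace
        "id": 3,
        "name": "vendor-c-ipsec",
        "custom_fields": {"remote_ip": " 203.0.113.10/32 "},
    },
    {   # custom field left empty
        "id": 4,
        "name": "internal-gre",
        "custom_fields": {"remote_ip": None},
    },
    {   # malformed text value: skipped rather than matched
        "id": 5,
        "name": "broken-entry",
        "custom_fields": {"remote_ip": "not-an-ip"},
    },
]


def extract_remote_ip(tunnel: dict[str, Any], field: str = CUSTOM_FIELD) -> Optional[IpAddr]:
    """Return the custom field's IP as an ip_address object, or None if absent/invalid.

    Handles the object form ({"address": "a.b.c.d/len", ...}) and the text form
    ("a.b.c.d" or "a.b.c.d/len"). The prefix length is dropped because a tunnel
    termination address is a host address. IPv6 is handled the same way.
    """
    value = (tunnel.get("custom_fields") or {}).get(field)
    if isinstance(value, dict):
        value = value.get("address")
    if not isinstance(value, str) or not value.strip():
        return None
    try:
        return ipaddress.ip_interface(value.strip()).ip
    except ValueError:
        return None


def tunnels_for_remote_ip(tunnels: list[dict[str, Any]], ip: str,
                          field: str = CUSTOM_FIELD) -> list[str]:
    """Names of tunnels whose remote_ip custom field equals `ip` (with or without /len)."""
    target = ipaddress.ip_interface(ip.strip()).ip
    return [t["name"] for t in tunnels if extract_remote_ip(t, field) == target]


def index_by_remote_ip(tunnels: list[dict[str, Any]],
                       field: str = CUSTOM_FIELD) -> dict[str, list[str]]:
    """Build {ip: [tunnel names]} once so repeated lookups do not rescan the list."""
    index: dict[str, list[str]] = {}
    for t in tunnels:
        ip = extract_remote_ip(t, field)
        if ip is not None:
            index.setdefault(str(ip), []).append(t["name"])
    return index


if __name__ == "__main__":
    # Which tunnels point at this remote peer? Both spellings resolve the same.
    print(tunnels_for_remote_ip(SAMPLE_TUNNELS, "203.0.113.10"))
    print(tunnels_for_remote_ip(SAMPLE_TUNNELS, "203.0.113.10/32"))
    print(index_by_remote_ip(SAMPLE_TUNNELS))
```

In practice the tunnel list would come from a paginated GET against `/api/vpn/tunnels/` with an API token; the matching logic above is the part NetBox's built-in search does not provide for custom-field values.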
How about meeting halfway? Changing the termination to nullable might break something or have other consequences. But there's also the concept of circuits for external connections. Why not just add a circuit as a possible endpoint for tunnels?
The proposal here (I believe) is to allow creating a tunnel termination with an outside IP address defined, but no termination interface.