More tunnel options #9699

New Issue

Open

opened 2025-12-29 21:21:11 +01:00 by adam · 7 comments

adam commented 2025-12-29 21:21:11 +01:00

Owner

Copy Link

Originally created by @TeroPihlaja on GitHub (May 17, 2024).

NetBox version

v4.0.2

Feature type

Data model extension

Proposed functionality

Add support for the following VPN tunnel types:

• WireGuard
• OpenVPN

Implications analysis (lifted up from comment below)
Wireguard

• Endpoints have device/interface/IP and optional port number. Although mobile endpoint IP might not be known.
• There is only one authentication, private key. It could be stored in Netbox with corresponding public key part. (Maybe Netbox could even calculated pubkey from privkey). At least public key must be stored.
• There can be multiple connections to each endpoint. Different connections are identified by their public keys
• Both sides can have list of subnets which are allowed & routed to them (AllowedIPs config)

OpenVPN
OpenVPN Static key mode is simple:

• Point-to-point. Somewhat similar to current IPsec connections and PSK.
• At least one side has known IP + port
• Ciphers + compression can be configured but not much more.
• Routing is handled outside OpenVPN. There can be scripts that are run after connection

OpenVPN TLS mode is complicated,

• Point-to-multipoint.
• SSL certificates are used for server and client authentication so there needs to be a CA.
  • I think this would require "certificate" concept in Netbox... which could then contain normal https certificates as well and handle their expiration checks etc.
• Server has IP address pool from where it assigns IPs to clients like DHCP server
• Server can push DNS/NTP configs to clients
• Server can push routes to clients (i.e. routes added to client machines)
• Server can have client-specific configs (e.g. IP address)
• Server can route subnets towards specific client.

In all cases single device can have multiple Wireguard and OpenVPN servers in different ports with different keys and different set of connected endpoints.

Use case

Currently only IPsec tunnels are supported by Netbox.

We have also OpenVPN and WireGuard tunnels in use.

Database changes

NetBox needs a bunch of changes:

• IKE/IPsec details are naturally IPsec specific and could be kept as-is.
• Tunnels can work for other types but needs new "type" field or then "encapsulation" could be reused.
• First termination would need port number
• Second termination doesn't work with point-to-multipoint connections since there can be many of them. Something different needs to be thought here.
• OpenVPN needs more configs so maybe "OpenVPN profile" entity would be good
• Wireguard needs the keys but having separate entity feels a bit excessive since only priv/pubkey is needed. Although it should not work differently than IPsec/OpenVPN.
  • Due to way wireguard uses public keys as identifiers there needs to be way from Wireguard key entity to know which device owns it.
• List of routes behind each endpoint is important. I think this is also missing from current IPsec implementation

External dependencies

No response

Originally created by @TeroPihlaja on GitHub (May 17, 2024). ### NetBox version v4.0.2 ### Feature type Data model extension ### Proposed functionality Add support for the following VPN tunnel types: - WireGuard - OpenVPN **Implications analysis** (lifted up from comment below) **Wireguard** - Endpoints have device/interface/IP and optional port number. Although mobile endpoint IP might not be known. - There is only one authentication, private key. It could be stored in Netbox with corresponding public key part. (Maybe Netbox could even calculated pubkey from privkey). At least public key must be stored. - There can be multiple connections to each endpoint. Different connections are identified by their public keys - Both sides can have list of subnets which are allowed & routed to them (AllowedIPs config) **OpenVPN** OpenVPN Static key mode is simple: - Point-to-point. Somewhat similar to current IPsec connections and PSK. - At least one side has known IP + port - Ciphers + compression can be configured but not much more. - Routing is handled outside OpenVPN. There can be scripts that are run after connection OpenVPN TLS mode is complicated, - Point-to-multipoint. - SSL certificates are used for server and client authentication so there needs to be a CA. - I think this would require "certificate" concept in Netbox... which could then contain normal https certificates as well and handle their expiration checks etc. - Server has IP address pool from where it assigns IPs to clients like DHCP server - Server can push DNS/NTP configs to clients - Server can push routes to clients (i.e. routes added to client machines) - Server can have client-specific configs (e.g. IP address) - Server can route subnets towards specific client. In all cases single device can have multiple Wireguard and OpenVPN servers in different ports with different keys and different set of connected endpoints. ### Use case Currently only IPsec tunnels are supported by Netbox. We have also OpenVPN and WireGuard tunnels in use. ### Database changes NetBox needs a bunch of changes: - IKE/IPsec details are naturally IPsec specific and could be kept as-is. - Tunnels can work for other types but needs new "type" field or then "encapsulation" could be reused. - First termination would need port number - Second termination doesn't work with point-to-multipoint connections since there can be many of them. Something different needs to be thought here. - OpenVPN needs more configs so maybe "OpenVPN profile" entity would be good - Wireguard needs the keys but having separate entity feels a bit excessive since only priv/pubkey is needed. Although it should not work differently than IPsec/OpenVPN. - Due to way wireguard uses public keys as identifiers there needs to be way from Wireguard key entity to know which device owns it. - List of routes behind each endpoint is important. I think this is also missing from current IPsec implementation ### External dependencies _No response_

adam added the type: featurenetboxstatus: backlogcomplexity: high labels 2025-12-29 21:21:11 +01:00

adam commented 2025-12-29 21:21:12 +01:00

Author

Owner

Copy Link

@jeffgdotorg commented on GitHub (May 17, 2024):

Thank you for your interest in improving NetBox. OpenVPN and WireGuard are indisputably popular tunnel technologies, and NetBox would better reflect reality if it included support for them.

Before we could proceed, though, we would need more detail than you've provided here. Please explore the ways that the requested technologies differ from IPSEC, and call out any resulting challenges that a developer implementing this feature would need to take into account. It doesn't need to be a code-level analysis; we just want to encourage you to think through the implications of what you're requesting. The maintainer team is currently quite small and so we generally must prioritize FRs that offer the biggest impact for the smallest development effort.

Please revise your issue body accordingly, and we will give it due consideration.

@jeffgdotorg commented on GitHub (May 17, 2024): Thank you for your interest in improving NetBox. OpenVPN and WireGuard are indisputably popular tunnel technologies, and NetBox would better reflect reality if it included support for them. Before we could proceed, though, we would need more detail than you've provided here. Please explore the ways that the requested technologies differ from IPSEC, and call out any resulting challenges that a developer implementing this feature would need to take into account. It doesn't need to be a code-level analysis; we just want to encourage you to think through the implications of what you're requesting. The maintainer team is currently quite small and so we generally must prioritize FRs that offer the biggest impact for the smallest development effort. Please revise your issue body accordingly, and we will give it due consideration.

adam commented 2025-12-29 21:21:12 +01:00

Author

Owner

Copy Link

@Aketzu commented on GitHub (May 23, 2024):

Current Netbox seems to be modeled pretty much around IPsec ideology but OpenVPN and Wireguard semantics don't match well with that.

Wireguard,

• Endpoints have device/interface/IP and optional port number. Although mobile endpoint IP might not be known.
• There is only one authentication, private key. It could be stored in Netbox with corresponding public key part. (Maybe Netbox could even calculated pubkey from privkey). At least public key must be stored.
• There can be multiple connections to each endpoint. Different connections are identified by their public keys
• Both sides can have list of subnets which are allowed & routed to them (AllowedIPs config)

OpenVPN Static key mode is simple,

• Point-to-point. Somewhat similar to current IPsec connections and PSK.
• At least one side has known IP + port
• Ciphers + compression can be configured but not much more.
• Routing is handled outside OpenVPN. There can be scripts that are run after connection

OpenVPN TLS mode is complicated,

• Point-to-multipoint.
• SSL certificates are used for server and client authentication so there needs to be a CA.
  • I think this would require "certificate" concept in Netbox... which could then contain normal https certificates as well and handle their expiration checks etc.
• Server has IP address pool from where it assigns IPs to clients like DHCP server
• Server can push DNS/NTP configs to clients
• Server can push routes to clients (i.e. routes added to client machines)
• Server can have client-specific configs (e.g. IP address)
• Server can route subnets towards specific client.

In all cases single device can have multiple Wireguard and OpenVPN servers in different ports with different keys and different set of connected endpoints.

Netbox needs bunch of changes:

• IKE/IPsec details are naturally IPsec specific and could be kept as-is.
• Tunnels can work for other types but needs new "type" field or then "encapsulation" could be reused.
• First termination would need port number
• Second termination doesn't work with point-to-multipoint connections since there can be many of them. Something different needs to be thought here.
• OpenVPN needs more configs so maybe "OpenVPN profile" entity would be good
• Wireguard needs the keys but having separate entity feels a bit excessive since only priv/pubkey is needed. Although it should not work differently than IPsec/OpenVPN.
  • Due to way wireguard uses public keys as identifiers there needs to be way from Wireguard key entity to know which device owns it.
• List of routes behind each endpoint is important. I think this is also missing from current IPsec implementation

@Aketzu commented on GitHub (May 23, 2024): Current Netbox seems to be modeled pretty much around IPsec ideology but OpenVPN and Wireguard semantics don't match well with that. Wireguard, - Endpoints have device/interface/IP and optional port number. Although mobile endpoint IP might not be known. - There is only one authentication, private key. It could be stored in Netbox with corresponding public key part. (Maybe Netbox could even calculated pubkey from privkey). At least public key must be stored. - There can be multiple connections to each endpoint. Different connections are identified by their public keys - Both sides can have list of subnets which are allowed & routed to them (AllowedIPs config) OpenVPN Static key mode is simple, - Point-to-point. Somewhat similar to current IPsec connections and PSK. - At least one side has known IP + port - Ciphers + compression can be configured but not much more. - Routing is handled outside OpenVPN. There can be scripts that are run after connection OpenVPN TLS mode is complicated, - Point-to-multipoint. - SSL certificates are used for server and client authentication so there needs to be a CA. - I think this would require "certificate" concept in Netbox... which could then contain normal https certificates as well and handle their expiration checks etc. - Server has IP address pool from where it assigns IPs to clients like DHCP server - Server can push DNS/NTP configs to clients - Server can push routes to clients (i.e. routes added to client machines) - Server can have client-specific configs (e.g. IP address) - Server can route subnets towards specific client. In all cases single device can have multiple Wireguard and OpenVPN servers in different ports with different keys and different set of connected endpoints. Netbox needs bunch of changes: - IKE/IPsec details are naturally IPsec specific and could be kept as-is. - Tunnels can work for other types but needs new "type" field or then "encapsulation" could be reused. - First termination would need port number - Second termination doesn't work with point-to-multipoint connections since there can be many of them. Something different needs to be thought here. - OpenVPN needs more configs so maybe "OpenVPN profile" entity would be good - Wireguard needs the keys but having separate entity feels a bit excessive since only priv/pubkey is needed. Although it should not work differently than IPsec/OpenVPN. - Due to way wireguard uses public keys as identifiers there needs to be way from Wireguard key entity to know which device owns it. - List of routes behind each endpoint is important. I think this is also missing from current IPsec implementation

adam commented 2025-12-29 21:21:12 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (May 31, 2024):

This is a reminder that additional information is needed in order to further triage this issue. If the requested details are not provided, the issue will soon be closed automatically.

@github-actions[bot] commented on GitHub (May 31, 2024): This is a reminder that additional information is needed in order to further triage this issue. If the requested details are not provided, the issue will soon be closed automatically.

adam commented 2025-12-29 21:21:13 +01:00

Author

Owner

Copy Link

@TeroPihlaja commented on GitHub (Jun 6, 2024):

@jeffgdotorg Can you check the above comment?

@TeroPihlaja commented on GitHub (Jun 6, 2024): @jeffgdotorg Can you check the above comment?

adam commented 2025-12-29 21:21:13 +01:00

Author

Owner

Copy Link

@jeffgdotorg commented on GitHub (Jun 24, 2024):

@TeroPihlaja thanks for the update and apologies for the silence. I've added this issue to the agenda for a team standup this week.

@jeffgdotorg commented on GitHub (Jun 24, 2024): @TeroPihlaja thanks for the update and apologies for the silence. I've added this issue to the agenda for a team standup this week.

adam commented 2025-12-29 21:21:13 +01:00

Author

Owner

Copy Link

@chaeynz commented on GitHub (Jul 11, 2024):

links to this https://github.com/netbox-community/netbox/discussions/14683

@chaeynz commented on GitHub (Jul 11, 2024): links to this https://github.com/netbox-community/netbox/discussions/14683

adam commented 2025-12-29 21:21:13 +01:00

Author

Owner

Copy Link

@mulmat commented on GitHub (Oct 22, 2024):

I've spent some time thinking how to model Wireguard vpns in Netbox: https://github.com/netbox-community/netbox/compare/develop...351ab1ecb07e918ed032e8ebda98735b6614cf6d
I wish to get some feedback if this modelling looks like something that could be accepted.

@mulmat commented on GitHub (Oct 22, 2024): I've spent some time thinking how to model Wireguard vpns in Netbox: https://github.com/netbox-community/netbox/compare/develop...351ab1ecb07e918ed032e8ebda98735b6614cf6d I wish to get some feedback if this modelling looks like something that could be accepted.

adam referenced this issue 2025-12-29 23:19:25 +01:00

[PR #9886] [MERGED] Remove deprecated usage of prefetch_related #13533

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label complexity: high netbox status: backlog type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#9699