Ubuntu 24.04: Creating a management interface with a VRF assigned to it
How-To: Linux Ubuntu 24.04
Thursday 15th May 2025
In the last post I configured an OOBM network interface on a pfSense firewall appliance with appropriate rules. Now I'm going to put a Linux server in that network and connect to it with SSH.
VRF Configuration
In addition to what I already configured earlier, this has been added to netplan:
vrfs:
  OOBM:
    table: 100
    interfaces:
      - br1000
# VRF OOBM
br1000:
  addresses:
    - FC00::4:A/64
    - FE80::4:A/64
    - 172.16.0.10/24
  link-local: []
  interfaces:
    - vlan1000
  accept-ra: no
  routes:
    - to: 0.0.0.0/0
      via: 172.16.0.1
    - to: ::/0
      via: fc00::1
vlans:
  vlan1000:
    id: 1000
    link: ens18
Note: Not shown here, but VLAN 1000 has been configured on the underlying network infrastructure. A ping bound to the VRF (-I OOBM) can verify that the gateway is reachable through it:
sauna@sauna-vm1:~$ ping -I OOBM fc00::1
ping: Warning: source address might be selected on device other than: OOBM
PING fc00::1 (fc00::1) from fc00::4:a OOBM: 56 data bytes
64 bytes from fc00::1: icmp_seq=1 ttl=64 time=0.807 ms
64 bytes from fc00::1: icmp_seq=2 ttl=64 time=0.565 ms
64 bytes from fc00::1: icmp_seq=3 ttl=64 time=0.566 ms
Enable SSH inside the VRF
I followed this guide to make the ssh service start inside the OOBM VRF:
https://interpip.es/linux/creating-a-vrf-and-running-services-inside-it-on-linux/
Step 1: Edit the SSH service
sudo systemctl edit ssh
Insert this into the file:
### Editing /etc/systemd/system/ssh.service.d/override.conf
### Anything between here and the comment below will become the contents of the drop-in file
[Service]
ExecStart=
ExecStart=/bin/ip vrf exec OOBM /usr/sbin/sshd -D $SSHD_OPTS
### Edits below this comment will be discarded
This creates an override.conf file inside /etc/systemd/system/ssh.service.d/. After that, reload the systemd daemon and restart the SSH service:
sudo systemctl daemon-reload
sudo systemctl restart ssh
Now you can verify that the ssh.service is running inside the VRF. Check the “CGroup” settings:
sauna@sauna-vm1:~$ sudo systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: enabled)
Drop-In: /etc/systemd/system/ssh.service.d
└─override.conf
Active: active (running) since Wed 2025-03-26 08:15:14 UTC; 2s ago
TriggeredBy: ● ssh.socket
Docs: man:sshd(8)
man:sshd_config(5)
Process: 3102 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 3103 (sshd)
Tasks: 1 (limit: 9441)
Memory: 1.2M (peak: 1.6M)
CPU: 20ms
CGroup: /system.slice/ssh.service
└─vrf
└─OOBM
└─3103 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
sauna@sauna-vm1:~$ ip vrf pids OOBM
3428 sshd
But why can I still not connect on the new interface?
user@workstation:~$ ssh sauna@fc00::4:a
sss_ssh_knownhostsproxy: connect to host fc00::4:a port 22: Connection refused
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
Step 2: Disable SSH socket
It turns out that ssh.socket interferes with ssh.service. You may have noticed this row in the verification command above:
TriggeredBy: ● ssh.socket
A socket unit listens for incoming connections on behalf of a specific service and starts that service automatically when a connection arrives. Here the listening socket is opened by ssh.socket in the default VRF, not inside OOBM, which is why the connection on fc00::4:a is refused. I could not find an easy solution on how to make the socket listen from a specific VRF. However, it is not needed, because ssh.service is always running anyway.
To disable the ssh.socket:
sudo systemctl stop ssh.socket
sudo systemctl disable ssh.socket
sudo systemctl restart ssh.service
sudo systemctl enable ssh.service
Now incoming SSH connections will only work on the new interface:
user@workstation:~$ ssh sauna@fc00::4:a
sauna@fc00::4:a's password:
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-56-generic x86_64)
...
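As an added verification helper (not part of the original post or of Phil's guide): a POSIX shell script that parses `ss -Hltnp` output and confirms every sshd listener is bound to the OOBM VRF and none is left in the default VRF, the state that produced the "Connection refused" above. It assumes ss prints device-bound sockets as ADDR%DEVICE:PORT; the sample ss lines are constructed, and `--live` queries the real system instead.

```sh
#!/bin/sh
# Added verification helper, not code from the original post. It checks that
# every sshd listening socket is bound to the OOBM VRF and that none is left
# in the default VRF, which is the state that produced "Connection refused".
# Assumption: ss prints device-bound sockets as ADDR%DEVICE:PORT.

# sshd_listeners_ok VRF SS_OUTPUT
#   0: all sshd listeners are bound to VRF
#   1: at least one sshd listener is in the default VRF or on another device
#   2: sshd is not listening at all
sshd_listeners_ok() {
    vrf="$1"; out="$2"
    total=$(printf '%s\n' "$out" | grep -c 'users:(("sshd"') || true
    good=$(printf '%s\n' "$out" | grep 'users:(("sshd"' | grep -c "%$vrf:") || true
    [ "$total" -eq 0 ] && return 2
    [ "$good" -eq "$total" ] && return 0
    return 1
}

# Constructed sample: sshd started by ssh.socket, listener in the default VRF.
BEFORE_SAMPLE='LISTEN 0 4096 *:22 *:* users:(("sshd",pid=3103,fd=3),("systemd",pid=1,fd=67))'

# Constructed sample: sshd started via "ip vrf exec OOBM", listeners in the VRF.
AFTER_SAMPLE='LISTEN 0 128 0.0.0.0%OOBM:22 0.0.0.0:* users:(("sshd",pid=3428,fd=3))
LISTEN 0 128 [::]%OOBM:22 [::]:* users:(("sshd",pid=3428,fd=4))'

# With --live [VRF], query the running system instead of the samples.
if [ "${1:-}" = "--live" ]; then
    vrf="${2:-OOBM}"
    if sshd_listeners_ok "$vrf" "$(ss -Hltnp)"; then
        echo "OK: all sshd listeners are bound to VRF $vrf"
    else
        echo "FAIL: an sshd listener is outside VRF $vrf (or sshd is not listening)"
    fi
    if systemctl is-active --quiet ssh.socket; then
        echo "WARN: ssh.socket is still active (see Step 2)"
    fi
fi
```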
Special Mentions
Thank you Phil for the guide on how to enable SSH on a specific VRF. It will come in handy for the next post, when I'm going to do the same but on a Debian server.
Thank you Leo, Brave's AI, for helping me solve the problem with the SSH socket.