systemd: Understanding Predictable Network Interface Names

Here is an explanation of how systemd's predictable network interface names are determined.

Predictable network interface device names are based on:
– firmware/BIOS-provided index numbers for on-board devices
– firmware-provided PCI Express hotplug slot index number
– physical/geographical location of the hardware
– the interface’s MAC address

Two character prefixes based on the type of interface:

Type of names:

All multi-function PCI devices will carry the [f] number in the device name, including the function 0 device.

When using PCI geography, the PCI domain is only prepended when it is not 0.

For USB devices the full chain of port numbers of hubs is composed. If the name gets longer than the maximum number of 15 characters the name is not exported.
The usual USB configuration == 1 and interface == 0 values are suppressed.
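The composition rules above, as an added example (not code from the original post or from systemd): a small decoder that splits a predictable name back into its fields. The prefixes and field letters (en/sl/wl/ww, o, s, x, P/p/f/d, u/c/i) are assumed from systemd's net_id naming scheme, and the sample names are constructed.

```python
import re

# Assumption (not on the page): systemd net_id scheme: en/sl/wl/ww, o<index>, x<MAC>,
# [[P<domain>]p<bus>]s<slot>[f<function>][d<dev_port>][u<port>..][c<config>][i<interface>]
TYPES = {"en": "ethernet", "sl": "slip", "wl": "wlan", "ww": "wwan"}
IFNAME_MAX = 15  # longer names are not exported

PATTERN = re.compile(r"""
    (?P<type>en|sl|wl|ww)
    (?: o(?P<onboard>\d+)
      | x(?P<mac>[0-9a-f]{12})
      | (?:(?:P(?P<domain>\d+))?p(?P<bus>\d+))?   # domain only when non-zero
        s(?P<slot>\d+)
        (?:f(?P<function>\d+))?                   # multi-function devices
        (?:d(?P<dev_port>\d+))?
        (?P<usb>(?:u\d+)+(?:c\d+)?(?:i\d+)?)?     # chain of hub port numbers
    )""", re.VERBOSE)


def decode(name):
    """Return the fields a predictable interface name encodes; ValueError otherwise."""
    if len(name) > IFNAME_MAX:
        raise ValueError(f"{name!r} is longer than {IFNAME_MAX} characters")
    m = PATTERN.fullmatch(name)
    if not m or (m["usb"] and m["bus"] is None):
        raise ValueError(f"{name!r} is not a predictable name")
    out = {"type": TYPES[m["type"]]}
    if m["onboard"]:
        out.update(scheme="onboard", index=int(m["onboard"]))
    elif m["mac"]:
        out.update(scheme="mac", mac=":".join(re.findall("..", m["mac"])))
    elif m["bus"] is None:
        out.update(scheme="hotplug-slot", slot=int(m["slot"]))
    else:
        out.update(scheme="pci-path", domain=int(m["domain"] or 0),
                   bus=int(m["bus"]), slot=int(m["slot"]))
    for key in ("function", "dev_port"):
        if m[key] is not None:
            out[key] = int(m[key])
    if m["usb"]:
        cfg, ifc = re.search(r"c(\d+)", m["usb"]), re.search(r"i(\d+)", m["usb"])
        out.update(scheme="usb", ports=[int(p) for p in re.findall(r"u(\d+)", m["usb"])],
                   config=int(cfg[1]) if cfg else 1,      # suppressed when 1
                   interface=int(ifc[1]) if ifc else 0)   # suppressed when 0
    return out

if __name__ == "__main__":
    for n in ("eno1", "enp2s0f1", "wwp0s29u1u4i6"):  # constructed sample names
        print(n, decode(n))
```

Interface names end up in firewall rules and VPN configuration, so decoding a name is a quick way to confirm that a rule is bound to the physical port you expect.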

PCI ethernet card with firmware index “1”:

PCI ethernet card in hotplug slot with firmware index number:

PCI ethernet multi-function card with 2 ports:

PCI wlan card:

USB built-in 3G modem:

USB Android phone:

How to turn it off

There are 4 ways to turn it off and get back your old trusted network interface names (like ethX etc.):

Boot the kernel with net.ifnames=0 (might also need biosdevname=0)

Disable the assignment of fixed names so that the unpredictable kernel names are used again by masking udev’s rule file for the default policy:
ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules
(this is the file name since v209; it was called 80-net-name-slot.rules in releases v197 through v208)

Use your own manual naming scheme (e.g. “internet0”, “dmz0” or “lan0”) by creating your own udev rules file and setting the NAME property for the devices. Make sure to order it before the default policy file, for example by naming it
/etc/udev/rules.d/70-my-net-names.rules

Alter the default policy file to pick a different naming scheme, for example to name all interfaces after their MAC address by default:
cp /usr/lib/udev/rules.d/80-net-setup-link.rules /etc/udev/rules.d/80-net-setup-link.rules
Then edit the file there and change the lines as necessary.

More information here.

How to setup OpenVPN on Fedora 19

Here is a quick how-to for setting up OpenVPN on Fedora 19. For the sake of simplicity all steps are performed as root.

Install openvpn and easy-rsa:

Create the keys/ dir:

Create empty openvpn log files:

If you already have keys, copy them to /etc/openvpn/keys. If not, you will need to generate them. Read /usr/share/doc/easy-rsa-2.2.0/doc/README-2.0 for instructions on how to do that.

Also generate the dh and ta keys:

Create a configuration called my-vpn.conf which uses TLS. It’s ok to call the config file something else but make sure to replace my-vpn in further steps below with the name you have chosen for your config file:

IMPORTANT: change the following settings above for your situation:
– server 10.0.1.0 255.255.255.0
– push "dhcp-option DOMAIN example.org"
– push "dhcp-option SEARCH example.org"

Make sure ipp.txt exists:

Set proper ownership of the openvpn directory, config files and keys:

Reset the SELinux labels:

Now set up systemd so openvpn starts at boot. For background information see this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=744244

Start the openvpn my-vpn service:

And check if it started ok:

Which should say something like this:

Next copy your client1.key, client1.crt, ca.crt and ta.key to ~/.cert/ on the client box that will access the OpenVPN server. If your client is also a recent Fedora box and you use NetworkManager then you can create a small config file with the proper settings to access your OpenVPN server and import it in NetworkManager.

The client config VPN for NetworkManager looks like this:

IMPORTANT: replace the entries between <...> with your settings:
– remote <your-openvpn-server> 1194
– ca /home/<you>/.cert/ca.crt
– cert /home/<you>/.cert/client1.crt
– key /home/<you>/.cert/client1.key

Now import this file into NetworkManager by going to:

On your OpenVPN server make sure that port 1194 (or whatever port you chose) is open in the firewall.
Finally on your client box click on the NetworkManager icon in the top menu bar and select my-vpn. Enjoy your new secure VPN connection. Comments and enhancements always welcome.