VyOS - Blog

VyOS Project April 2026 Update

daniil@sentrium.io (Daniil Baturin) — Wed, 29 Apr 2026 11:17:18 GMT

Hello, Community!

Now that VyOS 1.5.0 is out of the door, it's time to share the news about new developments in VyOS rolling release that happened in March and April that either weren't included in VyOS 1.5.0 and VyOS Stream 2026.03 or didn't get a prominent mention. They include support for BGP link-state address family, post-quantum pre-shared keys in IPsec, and more.

VyOS Project January 2026 Update

daniil@sentrium.io (Daniil Baturin) — Fri, 30 Jan 2026 09:00:00 GMT

Hello, Community! The belated development update for December 2025 and January 2026 is finally here.

We are getting closer to the 1.5 release but there's also quite a bit of work towards the future. In particular, there's good progress towards replacing the old configuration command completion mechanism with a VyConf-based equivalent, which will allow us to get rid of legacy command definition files eventually.

More immediate improvements include certificate-based authentication for OpenConnect, new operational commands for VPP, support for configuring watchdog timers, and multiple bug fixes.

VyOS 1.4.3 release

daniil@sentrium.io (Daniil Baturin) — Thu, 17 Jul 2025 13:46:44 GMT

Hello, Community!

Customers and holders of contributor subscriptions can now download VyOS 1.4.3 release images and the corresponding source tarball.

This release includes fixes for CVE-2024-3596 (BlastRADIUS) — a vulnerability in the RADIUS PAM module that made it possible (even if not easy) for an attacker capable of active MitM to forge a server response and log in to a vulnerable system without valid credentials. It also fixes over seventy bugs and adds a few new features. Those features include container improvements such as options to add custom container image registries, set name servers for containers, and allow running containers in privileged mode; an option to import routes from a non-default table into the system RIB; an option to explicitly configure traffic selectors for VTI tunnels, and more.

VyOS Project June 2025 Update

daniil@sentrium.io (Daniil Baturin) — Mon, 30 Jun 2025 17:23:51 GMT

Hello, Community!

This month's update looks small but there are quite a few big things happening. Expect a few release posts in the coming weeks! But apart from that, there are big ongoing developments inside the rolling release. First, we are ironing out the remaining issues in the VPP-based accelerated dataplane and we welcome everyone to test them.

In other areas, we are making steady progress at replacing the old configuration backend. Currently the focus is on the commit algorithm, that will make commits much faster and enable long-awaited features such as commit dry run (T7427). The other big things is the operational mode command system rework that will allow us to reintroduce operator level users and improve operational command documentation. Read on for details!

VyOS 1.4.2 release

daniil@sentrium.io (Daniil Baturin) — Thu, 03 Apr 2025 16:28:13 GMT

Hello, Community! VyOS 1.4.2 release images and the corresponding source tarball are now available for download to customers and holders of contributor subscriptions.

This release includes a fix for a security issue that made console server users vulnerable to MitM attacks, over forty bug fixes, a few improvements in BRAS functionality, performance optimizations that can improve BGP convergence time by as much as 5-10 minutes in some scenarios, and other improvements. Additionally, FastNetMon is now deprecated and is scheduled to be removed in the future 1.5 release, and we are also finally phasing out legacy GnuPG signatures in favor of minisign. Read on for details!

VyOS Project March 2025 Update

daniil@sentrium.io (Daniil Baturin) — Thu, 27 Mar 2025 14:10:08 GMT

Hello, Community! It's spring in the northern hemisphere, and here's the March update. A lot of our effort is currently going into the development of the accelerated dataplane based on VPP: We added a prototype of IPsec, and we are actively working on support for NAT. But there are many other updates, including a fix for a vulnerability in service console-server, support for loading firewall groups from a URL, an option to set a custom container registry, and more. Read on for details!

VyOS Project March 2024 Update

e.altunbas@vyos.io (Erkin Batu Altunbas) — Fri, 22 Mar 2024 17:08:46 GMT

Hello, Community!
While VyOS 1.4/Sagitta has taken its final shape, and we are working to smoothen any remaining sharp edges (especially in migration scripts), the upcoming 1.5/Circinus branch is the new frontier where we can go wild and experiment freely. Safe features from the current branch are still backported to 1.4/Sagitta.

Still, we already have non-back portable features — such as improvements to the new DHCP server implementation based on Kea rather than the now-obsolete ISC DHCP server.
In the last month, there were quite a few improvements, including the ability to set multiple peer addresses for unicast VRRP (a feature by our new core team member Natalia Solomko), segment routing support for static IPv6 routes, support for SSH public keys in the PKI subsystem, and more.

VyOS Project February 2024 Update

e.altunbas@vyos.io (Erkin Batu Altunbas) — Thu, 08 Feb 2024 07:21:23 GMT

Hello, community!
Curious what we've been up to in January? Our main focus is the final stabilization of the 1.4.0/Sagitta branch, and we will soon make the first EPA (Early Production Access) release — after that point, config syntax and behavior will not change in the 1.4 LTS release lifetime, and all radical changes will go to the upcoming 1.5/Circinus branch. Quite a lot of things are happening in the development branch, and many of those improvements are also backported to 1.4, including support for Let's Encrypt (or any other ACME provider) in PKI, multiple BGP improvements, and an option to disable Spectre/Meltdown mitigations from the CLI.

VyOS 1.4.0-rc3 release candidate

daniil@sentrium.io (Daniil Baturin) — Mon, 22 Jan 2024 07:11:13 GMT

Hello, Community!

VyOS 1.4.0-rc3 image is now available for everyone to download and test. We are grateful to everyone who helped us test previously release candidate images. Thanks to your bug reports and pull requests, we fixed many bugs, including two that could cause the system to lock up at startup or shut down! We also did a lot of internal refactoring in January, but this image still has quite a few new features, including support for obtaining certificates from ACME providers (such as Let's Encrypt), IPv6 segment routing, IS-IS fast reroute, and more. We are also taking the last chance to make configuration syntax changes that will make the config look cleaner and make it easier to implement new features, so please pay attention to the config syntax and behavior changes section of this post. There's one feature from the rolling release time that we decided to remove due to its design flaws and the fact that it doesn't fit the scope of a router OS well — HTTPS virtual host configuration support.

VyOS Project November 2022 Update

daniil@sentrium.io (Daniil Baturin) — Wed, 23 Nov 2022 10:22:49 GMT

Hello, community!

If you are wondering what we've been up to — we are on track to bring the 1.4/Sagitta release to its final shape and we are pretty sure next year we'll focus on stabilizing it and preparing it to become the new LTS release.

There are still a lot of things to do and our main focus is now on the implementations of firewall and QoS and on the new-style operational mode that automatically makes all functionality available to the CLI and to the GraphQL API without any additional effort.

However, there are multiple smaller features and fixes as well — read on for details!

VyOS Project July 2022 Update

daniil@sentrium.io (Daniil Baturin) — Tue, 30 Aug 2022 05:59:08 GMT

Hello, Community!

It is time for a new update! The most important news this time includes FRR upgrade to the latest stable version 8.3, RADIUS QoS attribute support improvements, a default log option for a zone-based firewall, and more. Read on for details!

Using DMVPN and BGP to interconnect your sites

christian@poessinger.com (Christian Pössinger) — Sun, 31 Oct 2021 13:04:02 GMT

Hello, Community!

Some weeks ago a very close friend of mine approached me and asked about an issue in his VyOS installation. He is using several WireGuard tunnels in a star topology connecting his private sites with a central hub. All of his traffic is forced to traverse the hub - which adds additional latency to the connections.

He wanted to change the design so that individual spokes are able to talk to one another, directly. This requires a topology change to a full-mesh when sticking with WireGuard. A fully meshed WireGuard installation with 4 sites will require you to configure 3 WireGuard tunnels per individual site, leading to a total of 12 tunnels—too complex!

I then explained how to use DMVPN (Dynamic Multipoint Virtual Private Network) with VyOS—and as there is a new LTS release on the way, it is time for some in-depth testing of a very old feature! As DMVPN was the initial reason I choose VyOS (1.1.7, more than 5 years ago), it is fun for me to write about the same topic in 2021.

How to use AS path matching in your BGP policies

daniil@sentrium.io (Daniil Baturin) — Fri, 23 Mar 2018 11:13:47 GMT

AS path is one of the most fundamental attributes of a (e)BGP advertisments. Its length is the first parameter in the best path selection algorithm (shorter is better), and it's also the sole mechanism of loop detection (if an AS is seen twice, there's a loop). However, despite the important role it plays behind the scenes, it's rather underutilized in routing policies.

A lot of time when prefix-list or specific route-map rule options such as next-hop can do, route filtering and modification based on AS path can do it better.

Let's see how to use it.

The as-path-list construct

Just like you use a prefix-list for prefix-based filtering and a community-list for community value based filtering, AS paths have their own policy building block — as-path-list.

The basic syntax is:

set policy as-path-list Foo rule 10 description "some description"

set policy as-path-list Foo rule 10 action (permit|deny)

set policy as-path-list Foo rule 10 regex "some regex"

The action parameter has the usual pitfall: if you use it in a route-map, "permit" means "match" and "deny" means "don't match".

The most interesting part is the regex. The syntax and semantics of AS path regular expressions is a superset of POSIX 1003.2, extended with the "_" character. If you are new to regular expressions (which are not quite regular in this case — but that's another story), here's a quick reference:

Boundaries: The ^ character matches the start of the string. The $ character matches the end of the string. The expression "^$" thus matches an empty string. They can also be used for matching exact strings rather than substrings, for example, "^123 456$" will match only "123 456" but not "100 123 456 200".
Wildcard: The _ character is an extension of the normal syntax — it matches any AS path separator, most commonly a space, but aggregation adds some more. So "_123_456" would match either "123 456" or "{123,456}". It also matches the beginning and end of the path.
Character ranges and quantifiers: "[0-9]" means "any digit from 0 to 9". You can narrow that range to "[1-9]" or "[3-5]" or anything else. It can be followed by a quantifier. The following quantifiers are available: "*" (zero or more), "+" (one or more), and "?" (zero or one). Thus, "[0-9]+" will mean any AS number, and "1[0-9]+" will mean "any AS number that starts with 1".
Groups and backreferences: This is where "regular expressions" stop being regular. By enclosing an expression in parentheses, such as "([0-9]+)", you create a group. That group can later be matched with a backreference. For example, "([0-9]+)_\1" will match "123 123" or "345 345", but not "123 345".

Now let's consider common use cases.

Finding locally originated routes

It's not uncommon to see something like this:

set policy prefix-list LocalRoutes rule 10 action permit

set policy prefix-list LocalRoutes rule 10 prefix 192.168.10.0/24

set policy prefix-list LocalRoutes rule 20 action permit

set policy prefix-list LocalRoutes rule 20 prefix 192.168.20.0/24

set policy route-map Out rule 10 action permit
set policy route-map Out rule 10 match ip address prefix-list LocalRoutes

set protocols bgp 65535 network 192.168.10.0/24
set protocols bgp 65535 network 192.168.20.0/24

set protocols bgp 65535 neighbor 10.20.30.1 route-map export Out

This approach may have its merits, but if the goal is simply to allow all locally originated routes, there's a simpler way. The key idea is that locally originated routes have empty AS path, which we can match with a trivial regex for an empty string ("^$").

set policy as-path-list LocalRoutes rule 10 action permit

set policy as-path-list LocalRoutes rule 10 regex "^$"

set policy route-map Out rule 10 action permit
set policy route-map Out rule 10 match as-path LocalRoutes

Prioritizing routes from a certain AS

Suppose you are connected to multiple networks, and of all those networks, AS64555 has the best link. You want as much of outgoing traffic as possible to go through AS64555. Assuming you can't or don't want to use a dedicated route map for their sessions, how can you match those routes? Pretty simple: make an expression for a string that starts (^) with 64555 followed by a path separator (_).

set policy as-path-list FavoriteAS rule 10 action permit

set policy as-path-list FavoriteAS rule 10 regex "^64555_"

set policy route-map In rule 10 action permit
set policy route-map In rule 10 match as-path FavoriteAS

Detecting AS path prepends

Some people use AS path prepends to make their routes appear worse than they are, most commonly to avoid asymmetric routing when they don't want to route outgoing traffic through your network. Suppose you don't want to leave best path selection algorithm to its own devices and instead want to explicitly honor their request. Adding a community string for that purpose would be a better solution, but for the sake of argument let's see how we can do it.

All we know is that a prepended path is a path that contains two or more consecutive entries of the same AS, but we don't have any specific numbers to match. This is where backreferences come into play.

set policy as-path-list Prepended rule 10 action permit

set policy as-path-list Prepended rule 10 regex '([0-9]+)_\1_'

set policy route-map Test rule 10 action permit
set policy route-map Test rule 10 match as-path Prepended
set policy route-map Test rule 10 set local-preference 10

Using regular expressions for route viewing

Policy rules is not the only place where you can use regular expressions. You can also use them as filters for "run show ip bgp". Suppose you want to view all routes from AS64793. This is how you can do it:

vyos@vyos# run show ip bgp regexp "^64793_"

BGP table version is 0, local router ID is 10.217.32.254

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale, R Removed

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.91.16.0/21 10.217.15.10 0 0 64793 i
*> 10.123.124.0/24 10.217.15.10 1 50 0 64793 64793 64793 64793 i